
A Retroactive-Burst Framework for Automated Intrusion Response System

DOI: 10.1155/2013/134760


Abstract:

The aim of this paper is to present an adaptive and cost-sensitive model to prevent security intrusions. In most automated intrusion response systems, response selection is performed locally, based on the current threat alone, without using knowledge of the attack history. A second challenge is that a group of responses is applied without any feedback mechanism to measure the effect of those responses. We address these problems through retroactive-burst execution of responses and a Response Coordinator (RC) mechanism, the main contributions of this work. Retroactive-burst execution consists of several burst executions of responses; at the end of each burst, the risk assessment component measures the effectiveness of the responses applied so far. The appropriate combination of responses must be chosen for each burst so that the progress of the attack is mitigated without necessarily running the next round of responses, because every additional round has an impact on legitimate users. The proposed model therefore uses a multilevel response mechanism, and the Response Coordinator indicates which level is appropriate to apply, based on the outcome of the retroactive-burst execution. The applied responses can improve the health of Applications, Kernel, Local Services, Network Services, and Physical Status. Based on these indexes, the RC gives a general overview of an attacker's goal in a distributed environment.

1. Introduction

Multistep cyberattacks are a common problem in distributed systems. Many security tools and system loggers may be installed in a distributed system to monitor all events in the network, and security managers often have to process huge numbers of alerts per day produced by such tools [1]. The Linux Trace Toolkit next generation (LTTng) [2] is a powerful software tool that provides a detailed execution trace of the Linux operating system with low overhead. Its counterpart, the User Space Tracer (UST) library, provides the same trace information from user mode for middleware and applications [3]. The Target Communication Framework (TCF) agent collects traces from multiple systems. After collecting all traces, we need a powerful tool to monitor the health of a large system continuously, such that system anomalies can be promptly detected and handled appropriately. Intrusion Detection Systems (IDSs) are tools that monitor systems for malicious activity. We use a network-based IDS (NIDS) to monitor the network and a host-based IDS (HIDS) to locally monitor the health of a system. IDSs are divided into two categories: anomaly-based and signature-based [4,
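The retroactive-burst loop described in the abstract (apply one burst of responses, let the risk assessment component measure the effect, and let the Response Coordinator decide whether a stronger level is needed) is easy to lose in prose, so the following toy simulation is added here as an illustration. It is not code from the paper or its authors: the five health indexes are taken from the abstract, but the 0..100 health scale, the risk formula, the response catalogue, the user-impact costs, the threshold and the escalation rule are all assumptions made for the example.

```python
"""Toy simulation of retroactive-burst response execution with a Response
Coordinator (RC).  Added example, not the paper's code: the health indexes
come from the abstract; the 0..100 scale, risk formula, response catalogue,
costs and threshold are assumptions chosen for illustration."""
from dataclasses import dataclass

# Health indexes named in the abstract, scored 0 (compromised) to 100 (healthy).
INDEXES = ("applications", "kernel", "local_services", "network_services", "physical")


@dataclass(frozen=True)
class Response:
    name: str
    level: int        # 1 = least intrusive ... 3 = most intrusive (assumed levels)
    user_impact: int  # cost imposed on legitimate users, 0..100 (assumed)
    repairs: dict     # index -> health points restored when the response runs


@dataclass(frozen=True)
class Attack:
    targets: frozenset  # indexes the attack degrades
    damage: int         # health points removed from each target per burst


# Multilevel response catalogue (constructed; names and numbers are hypothetical).
CATALOGUE = (
    Response("rate_limit_source", 1, 5, {"network_services": 20}),
    Response("restart_service", 1, 10, {"local_services": 30, "applications": 20}),
    Response("block_source_ip", 2, 20, {"network_services": 50, "applications": 20}),
    Response("reload_kernel_module", 2, 25, {"kernel": 40}),
    Response("isolate_host", 3, 80, {idx: 60 for idx in INDEXES}),
)


def healthy():
    return {idx: 100 for idx in INDEXES}


def risk(health):
    """Risk assessment component: risk follows the weakest index (assumed formula)."""
    return 100 - min(health.values())


def attacker_goal(health):
    """RC's overview of the attacker's goal: the most degraded indexes."""
    worst = min(health.values())
    return sorted(idx for idx, h in health.items() if h == worst)


def run_burst(health, attack, level):
    """One burst: the attack progresses, then every response of `level` is applied.
    Mutates `health` and returns the user impact of this burst."""
    for idx in attack.targets:
        health[idx] = max(0, health[idx] - attack.damage)
    impact = 0
    for resp in (r for r in CATALOGUE if r.level == level):
        for idx, gain in resp.repairs.items():
            health[idx] = min(100, health[idx] + gain)
        impact += resp.user_impact
    return impact


def coordinate(current_risk, level, threshold, max_level):
    """Response Coordinator: pick the next level from the measured effect.
    None means stop, either because risk is acceptable or no stronger level exists."""
    if current_risk <= threshold or level >= max_level:
        return None
    return level + 1


def retroactive_burst(attack, threshold=30, max_level=3):
    """Run bursts, measuring risk after each, escalating only when the previous
    burst was not enough.  Returns (final_health, history, total_user_impact);
    history holds one (level, response_names, inferred_goal, risk) tuple per burst."""
    health = healthy()
    history, total_impact, level = [], 0, 1
    while level is not None:
        total_impact += run_burst(health, attack, level)
        r = risk(health)
        names = [x.name for x in CATALOGUE if x.level == level]
        history.append((level, names, attacker_goal(health), r))
        level = coordinate(r, level, threshold, max_level)
    return health, history, total_impact


if __name__ == "__main__":
    for attack in (Attack(frozenset({"network_services", "applications"}), 30),
                   Attack(frozenset({"kernel"}), 40)):
        health, history, impact = retroactive_burst(attack)
        print(f"targets={sorted(attack.targets)} bursts={len(history)} impact={impact}")
        for level, names, goal, r in history:
            print(f"  level {level}: {names} -> goal={goal} risk={r}")
```

The first constructed attack is contained by the level-1 burst alone, so the coordinator never runs the more disruptive levels and legitimate users pay only the small level-1 cost; the second attack degrades the kernel index, which no level-1 or level-2 response repairs fast enough, so the coordinator escalates burst by burst until the measured risk falls under the threshold. Swapping the risk formula, the threshold, or the escalation rule in `coordinate` is where a real cost-sensitive design would spend its effort.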

References

[1]  F. Xiao, S. Jin, and X. Li, “A novel data mining-based method for alert reduction and analysis,” Journal of Networks, vol. 5, no. 1, pp. 88–97, 2010.
[2]  M. Desnoyers and M. Dagenais, “LTTng: tracing across execution layers, from the hypervisor to user-space,” in Proceedings of the Linux Symposium, Ottawa, Canada, 2008.
[3]  J. Blunck, M. Desnoyers, and P. M. Fournier, “Userspace application tracing with markers and tracepoints,” in Proceedings of the Linux Kongress, October 2009.
[4]  N. B. Anuar, H. Sallehudin, A. Gani, and O. Zakari, “Identifying false alarm for network intrusion detection system using hybrid data mining and decision tree,” Malaysian Journal of Computer Science, vol. 21, no. 2, pp. 101–115, 2008.
[5]  A. Lazarevic, L. Ertz, V. Kumar, A. Ozgur, and J. Srivastava, “A comparative study of anomaly detection schemes in network intrusion detection,” in Proceedings of the 3rd SIAM International Conference on Data Mining, 2003.
[6]  Yusof, Automated Signature Generation of Network Attacks [B.S. thesis], Universiti Teknologi Malaysia, 2009.
[7]  “Difference between signature based and anomaly based detection in IDS,” http://www.secguru.com/forum/difference.
[8]  C. P. Mu and Y. Li, “An intrusion response decision-making model based on hierarchical task network planning,” Expert Systems with Applications, vol. 37, no. 3, pp. 2465–2472, 2010.
[9]  Y. M. Chen and Y. Yang, “Policy management for network-based intrusion detection and prevention,” in Proceedings of the IEEE/IFIP Network Operations and Management Symposium, Application Sessions (NOMS '04), pp. 219–232, Seoul, South Korea, April 2004.
[10]  G. B. White, E. A. Fisch, and U. W. Pooch, “Cooperating security managers: a peer-based intrusion detection system,” IEEE Network, vol. 10, no. 1, pp. 20–23, 1996.
[11]  P. Porras and P. Neumann, “EMERALD: event monitoring enabling responses to anomalous live disturbances,” in Proceedings of the National Information Systems Security Conference, 1997.
[12]  B. Foo, Y. S. Wu, Y. C. Mao, S. Bagchi, and E. Spafford, “ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment,” in Proceedings of the International Conference on Dependable Systems and Networks, pp. 508–517, July 2005.
[13]  A. Shameli-Sendi, N. Ezzati-Jivan, M. Jabbarifar, and M. Dagenais, “Intrusion response systems: survey and taxonomy,” International Journal of Computer Science and Network Security, vol. 12, no. 1, pp. 1–14, 2012.
[14]  N. Stakhanova, S. Basu, and J. Wong, “A cost-sensitive model for preemptive intrusion response systems,” in Proceedings of the 21st International Conference on Advanced Information Networking and Applications (AINA '07), pp. 428–435, Washington, DC, USA, May 2007.
[15]  W. Lee, W. Fan, M. Miller, S. J. Stolfo, and E. Zadok, “Toward cost-sensitive modeling for intrusion detection and response,” Journal of Computer Security, vol. 10, no. 1-2, pp. 5–22, 2002.
[16]  http://wiki.eclipse.org/DSDP/TCF.
[17]  https://help.ubuntu.com/community/AppArmor/.
[18]  http://www.nsa.gov/research/selinux/.
[19]  N. Ezzati-Jivan and M. Dagenais, “A stateful approach to generate synthetic events from kernel traces,” Advances in Software Engineering, vol. 2012, Article ID 140368, 12 pages, 2012.
[20]  H. Waly and B. Ktari, “A complete framework for kernel trace analysis,” in Proceedings of the 24th Canadian Conference on Electrical and Computer Engineering (CCECE '11), pp. 1426–1430, Niagara Falls, ON, Canada, May 2011.
[21]  N. Ezzati-Jivan and M. Dagenais, “A framework to compute statistics of system parameters from very large trace files,” ACM SIGOPS Operating Systems Review, vol. 47, no. 1, pp. 43–54, 2013.
[22]  H. Debar, D. Curry, and B. Feinstein, “The intrusion detection message exchange format,” http://www.ietf.org/rfc/rfc4765.txt.
