An optimal metric-aware response selection strategy for intrusion response systems

Abstract

Due to the ever-increasing number and variety of security incidents, incident management is an important and challenging aspect of operating indispensable services. Self-protection capabilities ensure service continuity by detecting and counteracting security incidents. Within this process, determining the set of countermeasures to be applied is essential. But detecting and analyzing security incidents in a complex network environment—especially under the pressure of an ongoing incident—is a challenge usually too complex for human comprehension and capabilities. As a consequence, catastrophic and exaggerated actions are often chosen when manually counteracting security incidents. In this paper, we propose a novel approach towards automatic response selection to counteract security incidents in complex network environments and, by relieving network operators, increase network security. Our approach is based on defining response selection as a mathematical optimization problem and providing a proven optimal combination of countermeasures. Our approach respects user-defined cost metrics for countermeasures and supports restrictions like conflicting countermeasures and resource restrictions in the network. To ensure the usability and scalability of our approach, we evaluate the performance and show the applicability in different network settings.

Cite

Herold, N., Wachs, M., Posselt, S. A., & Carle, G. (2017). An optimal metric-aware response selection strategy for intrusion response systems. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10128 LNCS, pp. 68–84). Springer Verlag. https://doi.org/10.1007/978-3-319-51966-1_5
