2nd International ICST Conference on Communications and Networking in China

Research Article

Measuring Intrusion Impacts for Rational Response: A State-based Approach

  • @INPROCEEDINGS{10.1109/CHINACOM.2007.4469391,
        author={Zonghua Zhang and Xiaodong Lin and Pin-Han Ho},
        title={Measuring Intrusion Impacts for Rational Response: A State-based Approach},
        proceedings={2nd International ICST Conference on Communications and Networking in China},
        publisher={IEEE},
        proceedings_a={CHINACOM},
        year={2008},
        month={3},
        keywords={Appropriate technology, Cost benefit analysis, Cost function, Hidden Markov models, Human factors, Information systems, Intrusion detection, Markov processes, Risk management, Security},
        doi={10.1109/CHINACOM.2007.4469391}
    }
    
  • Zonghua Zhang
    Xiaodong Lin
    Pin-Han Ho
    Year: 2008
    Measuring Intrusion Impacts for Rational Response: A State-based Approach
    CHINACOM
    IEEE
    DOI: 10.1109/CHINACOM.2007.4469391
Zonghua Zhang1, Xiaodong Lin1, Pin-Han Ho1
  • 1: University of Waterloo, Ontario, Canada

Abstract

Although intrusion detection systems (IDSs) play a significant role in defending information systems against attacks, they can only partially reflect the true system state because of false alarms, low detection rates, inaccurate reports, and inappropriate responses. An automated response component built upon such systems must therefore take this imperfect picture into account and act accordingly. This paper presents a state-based approach to measuring intrusion impacts on the basis of IDS reports and to analyzing the costs and benefits of the response policies that might be taken. Specifically, assuming that the system evolves as a Markov process conditioned on the current system state, imperfect observations and actions, we use a partially observable Markov decision process to model the efficacy of IDSs (as well as alert correlation technology) as providing a probabilistic assessment of the state of system assets, and to maximize rewards (cost and benefit) by taking appropriate actions in response to the estimated states. The objective is to move the system towards more secure states with respect to particular security metrics. We use real benchmark trace data to evaluate our approach and demonstrate its promising performance.