A Foresight Framework for Intrusion Response Systems in Computer Networks

Article Type:
Research/Original Article (accredited rank)
Abstract:
Today, the number of alerts issued by network security systems has grown significantly, and network administrators face new problems in handling and responding to them. Because managing and responding to such a large number of alerts is difficult, alert management and the intrusion response system (IRS) are the main components of a security protection system built around intrusion detection systems. The main task of alert management is to reveal the details of an attack to the IRS, which then applies appropriate responses to reduce the attack damage and return the compromised network to its normal operating mode. In the literature, alert management techniques and IRS solutions have been investigated separately, even though alert management is a basic requirement of the response process and its output directly affects IRS performance. Alert management should be designed to provide the response system with the information it needs about attacks, according to the system's type and requirements. This information, together with information about network resources, gives the IRS the current state of the network. However, if the response system bases its decisions only on the current network state, the total cost to the network increases over time. Decision making in the response system can therefore be improved by taking a forward-looking view that considers both the information available now and all possible coming states. In this paper we use such a foresight approach to propose optimal responses to attacks that have already occurred and to attacks that are likely to follow. The proposed framework consists of two subsystems: attack and alert modeling, and response modeling. In the first subsystem, IDS alerts are analyzed to find the similarity and causality relationships between them, and a comprehensive approach to network attack forecasting yields useful predictions about the future states of the network.
In the second subsystem, the response analyzer presents a multilevel response model that categorizes intrusion responses, together with a foresight model that estimates response cost from the IDS alerts, network dependencies, attack damage, response impact, and the probability of potential attacks. Finally, models are proposed for choosing the best decision from the available information about the present state and all possible coming states. Simulation results for different scenarios show that a response system with this prospective vision steers the network toward desired states with reduced attack and response cost.
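To make the abstract's cost argument concrete, the following script is an added illustration written for this page; it is not the paper's model or code. It compares a myopic IRS, which minimizes only the cost visible in the current network state (response cost plus unprevented damage of the observed attack), with a foresight IRS that also adds the probability-weighted damage of the follow-on attacks a forecaster considers reachable from the next state. The dependency map, service values, damage figures, response catalogue, attack probabilities and the one-step-lookahead cost model are all constructed assumptions.

```python
"""Myopic vs. foresight selection of an intrusion response.

Illustrative example added by the editor. All numbers, asset names,
responses and probabilities below are constructed assumptions and are
NOT taken from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- constructed network model ---------------------------------------------
# Services that stop working if an asset is taken offline (network dependencies).
DEPENDENCIES: Dict[str, List[str]] = {
    "web01": ["customer_portal"],
    "db01": ["customer_portal", "billing"],
}
# Cost of losing each service for the duration of the response window.
SERVICE_VALUE: Dict[str, float] = {"customer_portal": 20.0, "billing": 50.0}

# Damage of the attack already observed (alert on db01) if nothing stops it.
CURRENT_ATTACK_DAMAGE = 40.0
# Damage of the follow-on attacks the forecaster considers plausible next.
FUTURE_ATTACK_DAMAGE: Dict[str, float] = {
    "lateral_movement": 120.0,
    "data_exfiltration": 300.0,
}


@dataclass(frozen=True)
class Response:
    name: str
    base_cost: float                    # direct cost (analyst time, firewall change)
    affected_assets: Tuple[str, ...]    # assets the response takes offline
    stops_current: float                # fraction of the observed attack's damage prevented
    next_attack_prob: Dict[str, float]  # forecast P(follow-on attack | this response)


# Constructed response catalogue for the observed alert on db01.
RESPONSES: List[Response] = [
    Response("no_action", 0.0, (), 0.0,
             {"lateral_movement": 0.7, "data_exfiltration": 0.5}),
    Response("block_source_ip", 2.0, (), 0.6,
             {"lateral_movement": 0.5, "data_exfiltration": 0.3}),
    Response("isolate_db01", 0.0, ("db01",), 1.0,
             {"lateral_movement": 0.05, "data_exfiltration": 0.05}),
]


def response_impact(affected_assets, deps=DEPENDENCIES, values=SERVICE_VALUE) -> float:
    """Cost of the services made unavailable by the response, each counted once."""
    lost = {svc for asset in affected_assets for svc in deps.get(asset, [])}
    return sum(values[svc] for svc in lost)


def immediate_cost(r: Response, current_damage=CURRENT_ATTACK_DAMAGE) -> float:
    """What a myopic IRS sees: response cost plus the unprevented part of the observed attack."""
    return (r.base_cost + response_impact(r.affected_assets)
            + (1.0 - r.stops_current) * current_damage)


def expected_future_damage(r: Response, future=FUTURE_ATTACK_DAMAGE) -> float:
    """Probability-weighted damage of the forecast follow-on attacks under this response."""
    return sum(r.next_attack_prob.get(a, 0.0) * dmg for a, dmg in future.items())


def total_cost(r: Response) -> float:
    """Foresight objective: present cost plus expected cost of the reachable next states."""
    return immediate_cost(r) + expected_future_damage(r)


def select_myopic(responses=RESPONSES) -> Response:
    """Response minimizing only the cost visible in the current state."""
    return min(responses, key=immediate_cost)


def select_foresight(responses=RESPONSES) -> Response:
    """Response minimizing present cost plus expected future damage."""
    return min(responses, key=total_cost)


if __name__ == "__main__":
    for r in RESPONSES:
        print(f"{r.name:16s} immediate={immediate_cost(r):6.1f} "
              f"future={expected_future_damage(r):6.1f} total={total_cost(r):6.1f}")
    print("myopic choice:   ", select_myopic().name)
    print("foresight choice:", select_foresight().name)
```

With these constructed figures the myopic selector picks `block_source_ip` (immediate cost 18), while the foresight selector picks `isolate_db01` (total cost 91 against 168 for blocking the IP), because the expensive service outage is outweighed by the exfiltration damage that blocking a single source address leaves likely. Extending the lookahead beyond one step, or learning the transition probabilities from correlated alerts, would replace the hand-written `next_attack_prob` tables.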
Language:
Persian
Published:
Journal of Electronic and Cyber Defense, Volume 6, Issue 3, 2019
Pages:
13 to 34
magiran.com/p1930602  