Title :
RRE: A game-theoretic intrusion Response and Recovery Engine
Author :
Zonouz, Saman A. ; Khurana, Himanshu ; Sanders, William H. ; Yardley, Timothy M.
Author_Institution :
Univ. of Illinois at Urbana-Champaign, Urbana, IL, USA
Date :
June 29 2009-July 2 2009
Abstract :
Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the Response and Recovery Engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. RRE applies attack-response trees to analyze undesired security events and their countermeasures using Boolean logic to combine lower-level attack consequences. In addition, RRE accounts for uncertainties in intrusion detection alert notifications. RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. Experimental results show that RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 900 nodes.
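The abstract names three ingredients: an attack-response tree whose gates combine lower-level consequences with Boolean logic, a belief over those consequences that discounts imperfect IDS alerts, and a leader/follower response choice against an adversary. The block below is an added illustration of how those pieces fit together; it is not the RRE implementation and it collapses the paper's partially observable stochastic game into a single leader/follower step (defender commits to one response, attacker replies with one move). The tree, alert rates (TPR/FPR), costs, damage weight, attacker gain and alert observations are all constructed for the example.

```python
"""Toy attack-response tree (ART) with alert uncertainty and a one-step
Stackelberg response choice.  Added example; not RRE's own code or model.
Every number below is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    prior: float                # assumed prior P(consequence already holds)


@dataclass(frozen=True)
class Gate:
    op: str                     # "AND" or "OR": Boolean combination of children
    children: Tuple["Node", ...]


Node = Union[Leaf, Gate]


@dataclass(frozen=True)
class Response:
    name: str
    cost: float                 # assumed cost of taking the action
    clears: Tuple[str, ...]     # leaf consequences the action undoes


# Constructed detector quality: P(alert | consequence) and P(alert | none).
TPR, FPR = 0.9, 0.1


def leaves(node: Node) -> List[Leaf]:
    if isinstance(node, Leaf):
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def posterior(prior: float, alerted: bool) -> float:
    """Bayesian update of a leaf belief from one (possibly false) alert."""
    like_true = TPR if alerted else 1 - TPR
    like_false = FPR if alerted else 1 - FPR
    return like_true * prior / (like_true * prior + like_false * (1 - prior))


def beliefs(root: Node, alerts: Dict[str, bool]) -> Dict[str, float]:
    """Belief over every leaf given which alerts fired (missing = no alert)."""
    return {lf.name: posterior(lf.prior, alerts.get(lf.name, False))
            for lf in leaves(root)}


def evaluate(node: Node, probs: Dict[str, float]) -> float:
    """P(node consequence holds), combining leaf beliefs through the gates.
    Leaves are assumed independent, so AND multiplies and OR is 1 - prod(1-p)."""
    if isinstance(node, Leaf):
        return probs[node.name]
    qs = [evaluate(c, probs) for c in node.children]
    if node.op == "AND":
        out = 1.0
        for q in qs:
            out *= q
        return out
    if node.op == "OR":
        none = 1.0
        for q in qs:
            none *= 1 - q
        return 1 - none
    raise ValueError(f"unknown gate {node.op}")


def attacker_best(root: Node, probs: Dict[str, float], gain: float) -> float:
    """Follower: attacker pushes one leaf toward compromise (p += gain*(1-p))
    and picks the leaf that maximizes the root probability."""
    best = evaluate(root, probs)
    for name, p in probs.items():
        moved = dict(probs, **{name: p + gain * (1 - p)})
        best = max(best, evaluate(root, moved))
    return best


def choose_response(root: Node, probs: Dict[str, float],
                    responses: Tuple[Response, ...],
                    damage: float, gain: float) -> Tuple[str, float]:
    """Leader: defender commits to the response minimizing
    cost + damage * P(root) after the attacker's best reply."""
    best_name, best_val = "", float("inf")
    for r in responses:
        after = dict(probs, **{name: 0.0 for name in r.clears})
        val = r.cost + damage * attacker_best(root, after, gain)
        if val < best_val:
            best_name, best_val = r.name, val
    return best_name, best_val


# Constructed ART: records are exfiltrated only if a host is compromised
# (via web RCE or SSH brute force) AND the DB credentials are stolen.
ROOT = Gate("AND", (
    Gate("OR", (Leaf("web_rce", 0.05), Leaf("ssh_bruteforce", 0.05))),
    Leaf("db_creds", 0.02),
))
ALERTS = {"web_rce": True}           # constructed: only the web RCE rule fired
RESPONSES = (
    Response("none", 0.0, ()),
    Response("reimage_web", 5.0, ("web_rce",)),
    Response("rotate_db_creds", 3.0, ("db_creds",)),
    Response("isolate_host", 8.0, ("web_rce", "ssh_bruteforce")),
)


def demo() -> Tuple[str, float]:
    return choose_response(ROOT, beliefs(ROOT, ALERTS), RESPONSES,
                           damage=100.0, gain=0.5)


if __name__ == "__main__":
    print(beliefs(ROOT, ALERTS))
    print(demo())
```

Even though the root probability is tiny before any further attacker move (both AND inputs are unlikely), the leader/follower step chooses to re-image the web host rather than the cheaper credential rotation: rotating credentials leaves the likely-compromised host in place, so the attacker's best reply is simply to steal them again, whereas removing the host compromise forces the attacker back through the OR branch. Replacing the one-step reply with a horizon over system states, and the point beliefs with a belief state updated by each alert, is the direction the paper's partially observable competitive MDP takes.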
Keywords :
Markov processes; search engines; security of data; stochastic games; trees (mathematics); Boolean logic; Markov decision process; Snort alerts; attack-response trees; game-theoretic intrusion response; networked computing systems; recovery engine; two-player Stackelberg stochastic game; Boolean functions; Computer networks; Detection algorithms; Engines; Face detection; Intrusion detection; Protection; Security; Stochastic processes; Uncertainty;
Conference_Title :
Dependable Systems & Networks, 2009. DSN '09. IEEE/IFIP International Conference on
Conference_Location :
Lisbon
Print_ISBN :
978-1-4244-4422-9
Electronic_ISBN :
978-1-4244-4421-2
DOI :
10.1109/DSN.2009.5270307