DocumentCode :
3156518
Title :
Measuring Intrusion Impacts for Rational Response: A State-based Approach
Author :
Zhang, Zonghua ; Lin, Xiaodong ; Ho, Pin-Han
Author_Institution :
Univ. of Waterloo, Ontario
fYear :
2007
fDate :
22-24 Aug. 2007
Firstpage :
317
Lastpage :
321
Abstract :
Although intrusion detection systems (IDSs) are playing significant roles in defending information systems against attacks, they can only partially reflect the true system states due to false alarms, low detection rate, inaccurate reports, and inappropriate responses. Automated response component built upon such systems therefore must consider the imperfect picture inferred from them and take actions accordingly. This paper presents a state-based approach to measuring intrusion impacts on the basis of IDS reports, and analyzing costs and benefits of response policies supposed to be taken. Specifically, assuming the system evolves as a Markov process conditioned upon the current system state, imperfect observation and action, a partially observable Markov decision process to model the efficacy of IDSs (as well as alert correlation technology) as providing a probabilistic assessment of the state of system assets, and to maximize rewards (cost and benefit) by taking appropriate actions in response to the estimated states. The objective is to move the system towards more secure states with respect to particular security metrics. We use a real trace benchmark data to evaluate our approach, and demonstrate its promising performance.
Keywords :
Markov processes; security of data; Markov process; automated response component; intrusion detection systems; probabilistic assessment; real trace benchmark data; Appropriate technology; Cost benefit analysis; Cost function; Hidden Markov models; Human factors; Information systems; Intrusion detection; Markov processes; Risk management; Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Communications and Networking in China, 2007. CHINACOM '07. Second International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-1-4244-1009-5
Electronic_ISBN :
978-1-4244-1009-5
Type :
conf
DOI :
10.1109/CHINACOM.2007.4469391
Filename :
4469391