• DocumentCode
    2009944
  • Title

    RRE: A game-theoretic intrusion Response and Recovery Engine for process control applications

  • Author

    Sanders, William H.

  • Author_Institution
    Coordinated Sci. Lab., Univ. of Illinois at Urbana-Champaign, Urbana, IL
  • fYear
    2009
  • fDate
    March 27 2009-April 30 2009
  • Firstpage
    1
  • Lastpage
    1
  • Abstract
    Preserving the availability and integrity of process control systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this presentation, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. RRE applies attack-response trees to analyze undesired security events and their countermeasures using Boolean logic to combine lower-level attack consequences. In addition, RRE accounts for uncertainties in intrusion detection alert notifications. RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. Experimental results show that RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.
  • Keywords
    Boolean functions; Markov processes; game theory; security of data; trees (mathematics); Boolean logic; RRE; Snort alerts; attack-response trees; automated response techniques; competitive Markov decision process; fast-spreading intrusions; game-theoretic intrusion response; process control systems; response-and-recovery engine; two-player Stackelberg stochastic game; Boolean functions; Detection algorithms; Engines; Face detection; Intrusion detection; Process control; Protection; Security; Stochastic processes; Uncertainty;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Critical Infrastructures, 2009. CRIS 2009. Fourth International Conference on
  • Conference_Location
    Linkoping
  • Print_ISBN
    978-1-4244-4636-0
  • Type

    conf

  • DOI
    10.1109/CRIS.2009.5071485
  • Filename
    5071485