www.elsevier.com/locate/jnca
PII: S1084-8045(15)00299-4
DOI: http://dx.doi.org/10.1016/j.jnca.2015.12.006
Reference: YJNCA1524
To appear in: Journal of Network and Computer Applications
Received date: 21 September 2015
Revised date: 17 December 2015
Accepted date: 23 December 2015
Cite this article as: Zakira Inayat, Abdullah Gani, Nor Badrul Anuar, Muhammad
Khuram Khan and Shahid Anwar, Intrusion Response Systems: Foundations,
Design, and Challenges, Journal of Network and Computer Applications,
http://dx.doi.org/10.1016/j.jnca.2015.12.006
This is a PDF file of an unedited manuscript that has been accepted for
publication. As a service to our customers we are providing this early version of
the manuscript. The manuscript will undergo copyediting, typesetting, and
review of the resulting galley proof before it is published in its final citable form.
Please note that during the production process errors may be discovered which
could affect the content, and all legal disclaimers that apply to the journal pertain.
Intrusion Response Systems: Foundations, Design, and Challenges
Zakira Inayat 1,2,*, Abdullah Gani 1,3, Nor Badrul Anuar 3, Muhammad Khuram Khan 4, Shahid Anwar 5
1 Center for Mobile Cloud Computing Research (C4MCCR), University of Malaya, 50603 Kuala Lumpur, Malaysia
2 Department of Computer Science, University of Engineering and Technology Peshawar, Peshawar 2500, Pakistan
3 Faculty of Computer Science and Information Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
4 Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Saudi Arabia
5 Faculty of Computer System and Software Engineering, Universiti Malaysia Pahang, 26300 Gambang, Malaysia
* Email: Zakirainayat@uetpeshawar.edu.pk
Abstract
In the last few decades, various network attacks have emerged. This phenomenon requires serious consideration to address its extensive consequences. To
overcome the effects of network attacks, an appropriate intrusion detection system and a real-time intrusion response system are required. In this paper, we
present an IRS taxonomy based on design parameters to classify existing schemes. Furthermore, we investigate the essential response design parameters for IRS
to mitigate attacks in real time and obtain a robust output. The majority of existing schemes disregard the importance of semantic coherence and dynamic
response parameters in the response selection process. Therefore, most existing schemes produce inaccurate results by generating false alarms. These design
parameters are comprehensively discussed in this paper. We have qualitatively analyzed existing IRS schemes on the basis of the response design parameters.
Open research challenges are identified to highlight key research areas in this research domain.
Keywords: intrusion detection, intrusion response, semantic coherence, response design parameter
1 Introduction
For years, network security has been the focus of substantial research (Cisco, 2014). In the last few decades, humans have become increasingly technology-
dependent (e.g., use of the Internet for business, educational, and social activities). A number of security incidents, including threats to confidentiality, integrity,
and data availability, have occurred because of the extensive use of computer networks. The availability of computer networks and the integrity of data must be
protected from intrusions, which include denial of service (DoS) attacks, unauthorized access, spoofing attacks, and application layer attacks (Hansman
and Hunt, 2005, Hoque et al., 2014). Moreover, the annual report published by the Computer Emergency Response Team (CERT) indicates that the rate of
intrusions is increasing every year (Cert, 2014). The Malaysian CERT in 2014 indicated a 50% increase in intrusions and reported more than 10,000 incidents
(MyCert-Report, 2014). These reports prove that the effect of intrusions is unavoidable. Thus, a security mechanism is needed to enforce the security policies
and overcome intrusions.
Security mechanisms, such as firewalls, authentication, cryptography, and access control, are used as the first line of defense against security problems
(Kruegel et al., 2005, SANS institute 2003). However, these anti-threat applications are unable to detect internal intrusions and provide inadequate security
countermeasures. Therefore, various types of intrusion systems that originated from intrusion detection systems (IDSs), such as intrusion prevention systems
(IPSs) and intrusion response systems (IRSs), were developed to detect, prevent, and respond to intrusions (Anuar et al., 2010). An IDS is a collection of
software or hardware resources that can detect, analyze, and report intrusions in a computing system. As an extension of IDS, an inline IDS or IPS detects and
prevents potential intrusions in real time (Scarfone and Mell, 2007a). However, IPSs require high-performance systems and are difficult to manage when analyzing
and preventing intrusions at the same time, particularly in a distributed environment. Thus, a security countermeasure that continuously monitors system
performance is needed to effectively identify and handle potential incidents. This countermeasure is called IRS.
On the basis of the level of automation, IRSs are classified into notification, manual, and automated response systems (Stakhanova et al., 2007b). Despite the
significant emphasis given to IDS and IPS, the detection of intrusions is useless without an appropriate response system to thwart intrusions. To the best of
our knowledge, three surveys (Shameli-Sendi et al., 2014, Shameli-Sendi et al., 2012, Stakhanova, Basu, 2007b) provide a classification of IRS and emphasize
the important aspects related to IRS and its security issues. These surveys classified IRS into two categories, automated and non-automated, on the basis
of their functionality. Furthermore, these surveys categorized IRS into cost-sensitive, adaptive, and non-adaptive IRS. In (Stakhanova, Basu, 2007b), an IRS
design based on the degree of automation, time of response, cooperation ability, and response selection method is described. In (Shameli-Sendi, Ezzati-Jivan,
2012), it is stated that an efficient response design is associated with the cost-sensitivity of the response and the prediction of the minimum damage cost based on
response cost. In (Shameli-Sendi, Cheriet, 2014), the authors propose a taxonomy for intrusion risk assessment (IRA) and present integrated risk assessment
techniques. Consequently, existing surveys indicate that effective coordination between intrusion response and risk assessment leads to an efficient
framework for managing uncertainty in IRS.
Many studies have been conducted on IRS design and classification. However, existing IRS designs employ a static approach in selecting an optimum response
option and lack semantics for intrusion alerts generated by IDSs at distributed locations in the network (Mateos et al., 2012). Instead of choosing a flexible
response metric, existing response systems (Mu and Li, 2010, Stakhanova et al., 2007a) use static response metrics, such as a static risk threshold metric, severity
metric, IDS confidence metric, and damage reduction metric. Consequently, these systems have difficulty with real-time detection and response, false alarm
management, and uncertainty in IRS (Anuar et al., 2008, Hubballi, 2014). Therefore, IDS and IRS need to adapt dynamically so as to detect and
respond automatically. Accordingly, this paper proposes response design parameters for designing an efficient IRS, particularly in a distributed environment. The
addition of these response design parameters to existing IRS designs will result in an automated IRS without false alarms, with low uncertainty, and with the ability
to respond dynamically in real time. Thus, the contributions of this paper are as follows:
A detailed literature survey that analyzes the latest trends in IDS and IRS and highlights the challenges that exist in the design of existing IRS.
A taxonomy of the design attributes to enhance the design of IRS by proposing some essential response design metrics and identifying the main areas that
need to be improved in IRS design.
A comparative study based on the design metrics of IRS to prevent attacks, integrate new enhancements, and determine future research trends for experts
and general users.
The rest of this paper is organized as follows. Section 2 discusses the selected studies and classifies the earlier stages of IDS. Section 3 categorizes the selected
studies by presenting the contributions of researchers on IRS. Section 4 presents the analysis of existing IRS based on the proposed design metrics. Section
5 presents the challenges in current IRS and future directions. Finally, Section 6 concludes our survey by comparing existing approaches and providing a
general design approach for IRS. Table 1 lists the acronyms used.
Table 1
List of Acronyms
Symbols Description
AAIRS Adaptive Automated Intrusion Response System
AD Anomaly Detection
ADI Attack Damage Index
ACM Association for Computing Machinery
AIRS Automated Intrusion Response System
CCN Content Centric Networking
CIA Confidentiality, Integrity, Availability
CPS Cyber Physical System
CSM Cooperating Security Managers
DDoS Distributed Denial of Services
DIDS Distributed Intrusion Detection System
DoS Denial of Services
EMERALD Event Monitoring Enabling Responses to Anomalous Disturbance
FLIPS Feedback Learning Intrusion Prevention System
HIDS Host-Based Intrusion Detection System
HPMIDCPS Hierarchical performance model for intrusion detection in cyber-physical systems
IDS Intrusion Detection System
IDAR Intrusion Detection & Adaptive Response Mechanism
IEEE Institute of Electrical & Electronic Engineers
IoT Internet of Things
IPS Intrusion Prevention System
IRS Intrusion Response System
LS Local Subsystem
MANET Mobile Ad Hoc Network
MOVIH-IDS Mobile-Visualization Hybrid IDS
NBA Network-Based Analysis
NIDS Network-based Intrusion Detection System
NDN Name Data Networking
NetSTAT Network Statistical Analysis Tool
ORCEF Online response cost evaluation framework
PSO Particle Swarm Optimization
RMS Remote Management Subsystem
RBF Radial Basis Function
SD Signature-based Detection
SWRL Semantic Web Rule Language
TDI Topology Dependency Index
(Figure: network diagram of IDS deployment, showing HIDS on the hosts of two subnets, NIDS at the switches, a server, and an attacker.)
c) In addition to the aforementioned traditional deployment approaches, other types of deployment approaches were developed, including distributed and
hybrid approaches (Figure 2). In the distributed approach, various IDSs are combined as remote sensors that report intrusions to a centralized
authority. These remote sensors can be network based, host based, or a combination (hybrid) of both. DIDS (Huang et al., 1999, Snapp et al., 1991) is a
distributed and rule-based IDS and is the first system that integrates audit reports from many different hosts on a single network. DIDS combines
distributed and local host monitoring systems to detect intrusions (Kholidy and Baiardi, 2012). The other type is the hybrid approach, which is composed of
both the NIDS and HIDS approaches (Butun, Morgera, 2014). It would be advantageous to integrate NIDS into a host-based system, such that it would filter
notifications and alerts to the HIDS, controlled from the same central location. Figure 2 describes IDS based on the deployment approach, i.e., whether the IDS monitors
intrusions on a host machine, on a network, or in a hybrid or distributed manner.
(Figure 2: IDS by deployment approach. Host-based IDS: examines the log file and real-time usage of the host. Network-based IDS: monitors, captures, and examines transmitted network traffic. State transition analysis: represents attacks as a sequence of state transitions of the monitored system.)
The main differences between IPS, IDS, and IRS are as follows: an IPS can prevent a detected intrusion before it takes effect; an IDS is passive and generates alerts when an
intrusion is detected; an IRS automatically responds to intrusions by using a reactive response, which is described in detail in Section 3. Among these systems,
IDS alone is inadequate and unable to address the detected attacks without a proper prevention and response system. The current study shows that IDS was expanded
and updated to IDPS by adding an extra prevention module (Scarfone and Mell, 2007b). Distributed intrusion detection and prevention (Haslum et al., 2007)
is a real-time and cost-sensitive IDPS that uses fuzzy logic for the real-time online risk assessment of intrusions. Table 2 presents the advantages and
disadvantages of the detection approach, deployment approach, and response option, which are explained in the above section.
Table 2
Classification of IDS Approaches
Dimension | Approach | Pros | Cons
Detection Approach | Anomaly-based | - Detects unknown (zero-day) attacks | - High false-positive rate
Detection Approach | Signature-based | - Low false alarms; - Low processor demand; - Relies on predetermined patterns, thus deterministic and can be customized for any system | - Misses unknown attacks; - Attack descriptions must be stored and updated
Table 3 provides the classifications of IDS based on deployment, detection approach, and response options. Table 3 indicates that from 2001 onwards, many of
the existing IDSs have automated response (active) countermeasures and few IDSs have manual responses (passive).
Table 3
Classification of IDS based on deployment, detection, and response approach
Year | IDS | Ref | Deployment Approach | Detection Approach | Response Option
1996 | CSM | (White et al., 1996) | HIDS | Signature | Active
(Figure: IRS architecture. A network protected by a firewall; the IDS raises intrusion alerts to the response system, which issues response actions and records them in a history database. Numbered flow: 1 attack, 2 analysis, 3 notification, with a possible feedback loop from response back to detection.)
IRS is defined as a security countermeasure (Chen and Yang, 2004) that is performed when an intrusive behavior occurs. Table 4 presents the existing IRS
based on their functionality.
Table 4
Intrusion Response Systems
Year | IRS | Ref | Title of the paper | Description
1996 | CSM | (White, Fisch, 1996) | Cooperating security managers: A peer-based IDS | To develop a host-based distributed and automated IDS
1997 | EMERALD | (Porras and Neumann, 1997) | EMERALD: Event monitoring enabling response to anomalous live disturbances | To propose a distributed IDS for a large-scale heterogeneous computing environment
2000 | JiNao | (Jou, Gong, 2000) | Design and implementation of a scalable IDS for the protection of network infrastructure | To propose a hybrid-based system that responds to distributed attacks
2001 | AAIRS | (Carver, May 2001) | Adaptive Agent-Based Intrusion Response, Ph.D. thesis | To present an IRS with responses that are based on the confidence metric and the success of the previous response
2001 | TBAIR | (Wang et al., 2001) | Sleepy Watermark Tracing: An Active Network Based Intrusion Response Framework | To present a network-based framework that provides a highly accurate and real-time IRS
2002 | Network IRS | (Toth and Kruegel, 2002) | Evaluating the impact of automated intrusion response mechanisms | To propose an evaluation algorithm to compare intrusion severity and response cost
2003 | Specification-based IRS | (Balepin, Maltsev, 2003) | Using specification-based intrusion detection for automated response | To present a service-dependency graph to evaluate the effects of attacks
2005 | ADEPTS | (Foo, Wu, 2005) | ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment | To propose a distributed and adaptive response that evaluates the success or failure of the deployed response using a feedback mechanism
2006 | FAIR | (Papadaki and Furnell, 2006) | Achieving automated intrusion response: a prototype implementation | To propose a flexible response by integrating intelligence and flexibility into the response decision process
2006 | FLIPS | (Locasto et al., 2006) | Flips: Hybrid adaptive intrusion prevention | To offer a hybrid approach that is mostly applicable to host-based IPS
2007 | Cost-Sensitive model for MANET | (Wang, Tseng, 2007) | Cost-sensitive intrusion responses for mobile ad hoc networks | To develop a cost-sensitive model by using TDI and ADI parameters to reflect the damage cost and response cost
2007 | Stakhanova's IRS | (Stakhanova, Basu, 2007a) | A Cost-Sensitive Model for Preemptive Intrusion Response Systems | To propose a cost-sensitive, preemptive, adaptive, and automated model
2009 | AIDP | (Nadeem and Howarth, 2009) | Adaptive intrusion detection and prevention of denial of service attacks in MANET | To present AIDP by using an anomaly-based method
2009 | MOVIH-IDS | (Herrero, Corchado, 2009) | MOVIH-IDS: A mobile-visualization hybrid IDS | To propose a highly scalable, adaptive, and distributed IDS that deploys a hybrid approach by using an artificial neural network
2009 | Strasburg's IRS | (Strasburg, Stakhanova, 2009a) | A framework for cost-sensitive assessment of intrusion response selection | To present a host-based and cost-sensitive framework
2010 | OrBAC | (Kanoun et al., 2010) | Risk-aware framework for activating and deactivating policy-based response | To propose a network model that uses a risk-aware approach for response selection
2010 | Kheir's IRS | (Kheir, Cuppens-Boulahia, 2010) | A service-dependency model for cost-sensitive intrusion response | To propose a dependency graph for evaluating confidentiality, integrity, and availability effects
2010 | AIRS based on ontologies | (Lanchas, González, 2010) | Ontologies-based automated intrusion response system | To present an ontology-based AIRS to solve the problems of adaptability and false alarms
2010 | IDAM&IRS | (Mu and Li, 2010) | An intrusion response decision-making model based on hierarchical task network planning | To balance the response impact and response effect in a set of responses using a risk index
2011 | ADRS | (Zhang, Naït-Abdesselam, 2011) | Toward cost-sensitive self-optimizing anomaly detection and response in autonomic networks | To propose a decision-theoretic framework to systematically analyze response cost in autonomic networks
2012 | Ontology-based AIRS | (Mateos, Villagrá, 2012) | Definition of response metrics for an ontology-based Automated Intrusion Response Systems | To dynamically interpret response metrics in selecting the optimum response
2013 | GIDP for MANETs | (Nadeem and Howarth, 2013) | Protection of MANETs from a range of attacks using an intrusion detection and prevention system | To propose an approach with a fixed response by isolating the intruding node
2013 | Retroactive-Burst Framework | (Shameli-Sendi, Desfossez, 2013) | A Retroactive-Burst Framework for Automated Intrusion Response System | To propose an adaptive and cost-sensitive approach that utilizes a risk assessment component to measure the effectiveness of the applied response
2014 | IDAR | (Nadeem and Howarth, 2014) | An intrusion detection & adaptive response mechanism for MANETs | To present an adaptive response that provides a flexible response instead of isolating the intruding nodes
2015 | ORCEF | (Shameli-Sendi and Dagenais, 2015) | Online response cost evaluation framework for intrusion response system | To propose a framework for IRS that dynamically evaluates the response cost based on the network element and resource dependencies
(Figure: IRS process. Detection, then selection of the appropriate response by the intrusion response system, then mitigation. Responses are active or passive; automated IRS are adaptive-based or association-based.)
Although today's IDSs are highly automated, automated intrusion response support is still limited because of the high false alarm rate (Ho, Lai, 2012) and
the difficulty of selecting the best cost-sensitive response (Kheir et al., 2009a). Table 5 describes the functionality and classification of automated IRS based on the adaptive-based,
expert-based, and association-based approaches.
Table 5
Classification of Automated IRS
Category | Automated IRS | Year | Ref | Function
Adaptive-based System | AAIRS | 2001 | (Carver, May 2001) | Response option is based on dynamic mapping.
Adaptive-based System | ADEPTS | 2005 | (Foo, Wu, 2005) | ADEPTS uses the graph-based approach to model the intrusions.
Adaptive-based System | Stakhanova's IRS | 2007 | (Stakhanova, Basu, 2007a) | Cost-sensitive IRS that introduces the response goodness parameter to classify the success and failure of a response.
Adaptive-based System | AIRS based on ontologies | 2010 | (Lanchas, González, 2010) | Adaptive IRS that reduces uncertainty in detection using semantic coherence.
Adaptive-based System | IDAR | 2014 | (Nadeem and Howarth, 2014) | IDAR selects the response based on the confidence level and severity of attacks.
Expert-based System | CSM | 1996 | (White, Fisch, 1996) | CSM calculates the level of services (LOS) for each user.
Expert-based System | EMERALD | 1997 | (Porras and Neumann, 1997) | EMERALD uses the threshold metric and severity metric to provide an automated response.
Expert-based System | FAIR | 2006 | (Papadaki and Furnell, 2006) | Analyzes the static and dynamic contexts of the attack using a database.
Expert-based System | IDAM&IRS | 2010 | (Mu and Li, 2010) | The response is activated if the response static threshold is greater than the risk threshold metric.
Association-based System | NetSTAT | 1999 | (Vigna and Kemmerer, 1999) | This framework represents attack signatures as state transition diagrams.
Association-based System | JiNao | 2000 | (Jou, Gong, 2000) | A hybrid approach that uses a rule-based scheme to respond to known and unknown attacks.
Association-based System | Network IRS | 2002 | (Toth and Kruegel, 2002) | This IRS calculates the response cost in terms of the reduction of system capability and system resources.
Figure 9 indicates a gradual improvement in the development of IRS in terms of automated, adaptive, and cost-sensitive IRS. The figure shows that few studies
were conducted on dynamic response metrics and semantic coherence, which help an IRS provide a real-time response without generating false alarms. These issues
in existing IRSs motivate researchers to conduct future work in the field of IRS. We conclude that AIRSs must be adaptive, cost-sensitive, proactive,
and semantically coherent to achieve low false alarm rates and high accuracy. Existing IRSs lack one or more of the aforementioned features. The
design parameters required for a good IRS are discussed in detail in the following section.
(Figure 9: timeline of IRS development from 2000 to 2012, divided into notification IRS, manual IRS, and automated IRS. Entries by year: 2000 Carver, Jou (JiNao); 2001 Schnackenberg, Wang (TBAIR), Carver; 2002 Toth (Network IRS), Lee; 2003 Balepin (Specification-based IRS); 2009 Strasburg, Nadeem (AIDP), Herrero; 2010 Kanoun, Mu (IDAM&IRS), Lanchas, Ikuomola, Kheir; 2011 Zhang (ADRS); 2012 Mateos. Each entry is annotated with attributes such as HIDS/NIDS, automated, adaptive or non-adaptive, cost-sensitive, reactive, proactive or retroactive, static or dynamic risk assessment (attack graph or service-dependency graph), semantic coherence, and false alarm minimization.)
4.2 Review and analysis of IRS based on the proposed design parameters
This section describes the required design parameters for IRS and the similarities and differences of the selected parameters for IRS design based on the
attributes presented in the taxonomy. A comparison of existing IRS based on response design parameters is presented in Table 8. To the best of our knowledge,
the existing surveys provide a good classification of IRS (Shameli-Sendi, Cheriet, 2014, Shameli-Sendi, Ezzati-Jivan, 2012, Stakhanova, Basu, 2007b). However, no
previous taxonomy provides a complete description for designing a good automated IRS. The details of the proposed parameters are described in
the succeeding sections. We propose the following response parameters for designing an automated IRS. The response parameters that should be considered in
IRS design for any organization include response nature, security policy, network performance, prediction ability, adjustment nature, response assessment,
semantic coherence, alarm confidence, scalability, and response metric policy. These parameters are defined in the following paragraph.
Response nature categorizes the response as static, dynamic, or cost-sensitive. Security policy differentiates the response options on the basis of their effect on
the confidentiality, integrity, or availability of data (Anwar S, 2015, da Silva, Martins, 2005). Network performance refers to the effect of the applied response
on the network. The prediction ability feature indicates whether the response is activated before or after the intrusion. The adjustment nature specifies
whether the response is adaptive or non-adaptive with respect to the nature of the attack. The response assessment attribute measures the response effect on
the basis of the most recently applied response result. The semantic coherence feature provides a distinct way to extract meaning from intrusion alerts. The
alarm confidence attribute assesses the degree of accuracy and indicates the IRS confidence level. Scalability implies that the IRS must scale to any
number of nodes in a network and must be able to connect multiple IRSs in such a way that they all work as a single unit to improve system performance. The response
metric policy attribute distinguishes static and dynamic response parameters. A dynamic response metric implies that the response metrics change
according to the nature of the attack during the response selection process. The studied surveys indicate that current IRSs apply a static approach to response
metrics during the response selection process and therefore encounter the problems of false alarms, non-adaptability, and uncertainty. These parameters are
described in detail in the following section, and a comparison of the parameters is given in Table 8.
4.2.1 Response Nature
According to response nature, existing IRS can be categorized as follows: a) static mapping, b) dynamic mapping, and c) cost-sensitive mapping. Of these
three types, researchers focus on the cost-sensitive attribute over the other features and propose the design of cost-sensitive IRS, because static and
dynamic mapping do not consider the response cost during the response selection process. The cost-sensitive metric in designing response systems attempts to
balance intrusion damage and response cost in the response selection process (Lee, Fan, 2002). The response is activated when the intrusion damage is greater
than the response cost.
a) Static Mapping
Static mapping systems (Locasto, Wang, 2006, Schnackenberg et al., 2001) map an alert to a pre-specified fixed response. These systems are easy to build.
However, these models are static in nature. Thus, an attacker can easily deceive the response system because the response metrics can be predicted by the
attacker. Furthermore, this approach is inadequate for large and distributed global networks. Most existing automated IRS depend on the mapping of
attacks to a predefined response (Toth and Kruegel, 2002).
b) Dynamic Mapping
Dynamic mapping maps an alert to a predefined set of response options. These models provide flexibility to the response system because the mapping can be
adjusted according to the attack metrics. The optimum response to an attack can vary on the basis of the response metrics (i.e., severity, confidence, and
network policy) and the targeted host (Carver, May 2001). The optimum response is dynamically chosen from a set of responses according to the statistical
features of the attack. For example, priority is given to high-confidence and high-severity attacks over attacks with low confidence and severity. The dynamic
nature of this model provides security to the system. However, this model is unable to learn from attacks. Thus, the intelligence level of this model remains
constant until the next upgrade (Porras and Neumann, 1997).
c) Cost-Sensitive Mapping
The cost-sensitive response decision model is the only response system that attempts to balance the intrusion damage and the response cost (Lee, Fan, 2002). A
response is considered optimal if the response cost is less than the damage cost (Stakhanova, Basu, 2007a, Wang, Tseng, 2007). These response systems are
the most attainable approach for the response selection process. Thus, the cost-sensitive parameter must be considered in designing any IRS. The selection of
an intrusion response is based not on its ability to respond to attacks but on its side effects on the target machine. Existing studies (Kheir, 2010) show that
a number of methods were developed to compare the intrusion cost and response cost, including the evaluation of the response cost based on a static or
dynamic approach and a logical or functional dependency graph to assess the intrusion or response cost (Jahnke et al., 2007). For instance, the response cost
was calculated (Ali. A Ghorbani, 2009) based on the intrusion detection cost, the damage cost of the attack, and the cost of the response applied to the
detected attacks.
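The three response-nature models above, side by side, as an added example that is not code from the paper or from any of the surveyed systems. The alert fields, the response catalogue with its strength and cost values, the signature-to-response maps, and the damage model (asset value weighted by severity and confidence) are all constructed assumptions chosen only to make the decision rules visible.

```python
"""Static, dynamic, and cost-sensitive response mapping (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """A constructed IDS alert: the fields the dynamic model keys on."""
    signature: str
    severity: float      # 0..1, assumed to be supplied by the IDS
    confidence: float    # 0..1, assumed IDS confidence in the alert
    target: str


@dataclass(frozen=True)
class Response:
    name: str
    strength: float      # fraction of the intrusion damage this response averts (0..1)
    cost: float          # constructed response cost, same unit as damage


# Constructed response catalogue, ordered from mildest to most severe.
CATALOGUE = [
    Response("log_only", strength=0.0, cost=0.0),
    Response("rate_limit_source", strength=0.4, cost=2.0),
    Response("block_source_ip", strength=0.8, cost=5.0),
    Response("isolate_host", strength=1.0, cost=20.0),
]

# a) Static mapping: one fixed response per signature. Easy to build,
# but the attacker can predict exactly what a given alert triggers.
STATIC_MAP = {
    "portscan": "log_only",
    "bruteforce_ssh": "block_source_ip",
    "worm_propagation": "isolate_host",
}


def static_select(alert: Alert) -> str:
    # An unmapped signature falls back to the mildest response.
    return STATIC_MAP.get(alert.signature, "log_only")


# b) Dynamic mapping: a signature maps to a set of candidates, and the
# choice among them follows the alert's statistical features.
DYNAMIC_MAP = {
    "portscan": ["log_only", "rate_limit_source"],
    "bruteforce_ssh": ["rate_limit_source", "block_source_ip"],
    "worm_propagation": ["block_source_ip", "isolate_host"],
}


def dynamic_select(alert: Alert, threshold: float = 0.5) -> str:
    candidates = DYNAMIC_MAP.get(alert.signature, ["log_only"])
    score = alert.severity * alert.confidence
    # High-severity, high-confidence alerts get the strongest candidate,
    # everything else the mildest. The rule itself never changes, which is
    # the "intelligence stays constant until the next upgrade" limitation.
    return candidates[-1] if score >= threshold else candidates[0]


# c) Cost-sensitive mapping: a response is eligible only when the damage it
# averts exceeds its own cost; among eligible ones, pick the best net benefit.
def expected_damage(alert: Alert, asset_value: float) -> float:
    """Constructed damage model: asset value weighted by severity and confidence."""
    return asset_value * alert.severity * alert.confidence


def cost_sensitive_select(alert: Alert, asset_value: float) -> str:
    damage = expected_damage(alert, asset_value)
    best, best_net = "log_only", 0.0
    for r in CATALOGUE:
        averted = r.strength * damage
        if r.cost >= averted:            # response cost must stay below the damage it prevents
            continue
        net = averted - r.cost
        if net > best_net:
            best, best_net = r.name, net
    return best


if __name__ == "__main__":
    strong = Alert("bruteforce_ssh", severity=0.9, confidence=0.9, target="db01")
    weak = Alert("bruteforce_ssh", severity=0.9, confidence=0.1, target="db01")
    for a, asset in ((strong, 100.0), (weak, 20.0)):
        print(a.signature, a.confidence,
              static_select(a), dynamic_select(a), cost_sensitive_select(a, asset))
```

The same brute-force signature yields the same static response regardless of confidence, a milder dynamic response when confidence is low, and, under the cost-sensitive rule, no active response at all when the expected damage to a low-value asset is below the cost of every candidate.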
Furthermore, the assessment of intrusion risk is very important in the cost-sensitive approach to minimize the performance cost of applying the optimum
response. Offline risk assessment and online risk assessment are two approaches that have been proposed to evaluate the intrusion damage and response
cost. The offline risk assessment is calculated on a static basis and used to evaluate all the resources in advance. Conversely, online risk assessment is
calculated on a dynamic basis to precisely measure the intrusion damage (Årnes et al. , 2005, Mu et al. , 2008, Wang, Tseng, 2007). Online risk assessment
and the need to update the cost factor over time are the two major challenges faced by the cost-sensitive approach.
Table 7 illustrates that online risk assessment approaches are categorized into three main types, namely, attack graph-based approaches, service-
dependency graph-based approaches, and non-graph-based approaches. The attack graph is used to identify attacks and their flow paths to all critical
resources in the network based on service vulnerability (Dantu et al., 2004, Poolsappasit et al., 2012). By contrast, the confidentiality, integrity, and
availability (CIA) of services are defined for each service in the service-dependency graph-based approach (Kheir et al., 2009b). In the dependency graph,
responses are mapped onto specific resources instead of being statically assigned to elementary attack steps. A non-graph-based approach is an interesting
approach that does not utilize a graph or CIA model for risk assessment. During the intrusion response selection process, risk analysis is performed on
the basis of the information provided by the alert risk assessment component (Årnes, Sallhammar, 2005). Table 7 presents the online risk assessment
approaches based on whether or not they use graphs to model the flow of attacks.
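An added example of the service-dependency graph mechanism described above (it is not the model of any surveyed paper): an attack's impact on one service propagates to the services that depend on it, and the CIA-weighted sum over every affected service is the damage cost that a cost-sensitive IRS compares against the response cost. The dependency graph, the per-edge propagation factors, the per-service CIA values, and the attack impact vectors are all constructed; the isolation-cost function is an assumption that reuses the same graph to price an isolating response by the availability loss it causes downstream.

```python
"""Online risk assessment over a constructed service-dependency graph."""
from collections import deque

# Constructed graph: DEPENDS_ON["db"]["app"] means the app depends on the db.
# Each edge carries a propagation factor per CIA dimension, in the order
# (confidentiality, integrity, availability) used throughout this example.
DEPENDS_ON = {
    "db":   {"app": (0.9, 0.8, 1.0)},
    "app":  {"web": (0.5, 0.7, 1.0)},
    "ldap": {"app": (0.8, 0.5, 0.6), "web": (0.2, 0.1, 0.3)},
    "web":  {},
}

# Constructed value of each service per CIA dimension (cost units).
SERVICE_VALUE = {
    "db":   (50.0, 40.0, 30.0),
    "app":  (20.0, 20.0, 30.0),
    "web":  (10.0, 10.0, 40.0),
    "ldap": (30.0, 20.0, 10.0),
}


def propagate_impact(root, root_impact):
    """Return {service: (c, i, a)} impact fractions reachable from `root`.

    Breadth-first over the dependency edges; a service is re-queued only
    when its impact grows, so the walk terminates even on cyclic graphs.
    """
    impact = {root: tuple(root_impact)}
    queue = deque([root])
    while queue:
        s = queue.popleft()
        for dependent, factor in DEPENDS_ON[s].items():
            new = tuple(impact[s][k] * factor[k] for k in range(3))
            old = impact.get(dependent, (0.0, 0.0, 0.0))
            merged = tuple(max(o, n) for o, n in zip(old, new))
            if merged != old:
                impact[dependent] = merged
                queue.append(dependent)
    return impact


def damage_cost(root, root_impact):
    """CIA-weighted damage summed over every service the attack reaches."""
    total = 0.0
    for svc, frac in propagate_impact(root, root_impact).items():
        total += sum(f * v for f, v in zip(frac, SERVICE_VALUE[svc]))
    return round(total, 2)


def isolation_cost(service):
    """Assumed response cost of isolating a service: the availability it
    removes from every dependent, priced with the same graph."""
    return damage_cost(service, (0.0, 0.0, 1.0))


def worth_isolating(service, attack_impact):
    """Cost-sensitive rule: respond only if the damage exceeds the response cost."""
    return damage_cost(service, attack_impact) > isolation_cost(service)


if __name__ == "__main__":
    for svc, impact in (("db", (0.0, 0.0, 1.0)),   # availability attack on the db
                        ("db", (1.0, 0.0, 0.0)),   # confidentiality breach of the db
                        ("db", (1.0, 1.0, 1.0)),   # full compromise of the db
                        ("web", (0.0, 0.0, 1.0))): # availability attack on the web tier
        print(svc, impact, damage_cost(svc, impact),
              isolation_cost(svc), worth_isolating(svc, impact))
```

Running it shows why the graph matters: the same availability attack costs 100.0 when aimed at the db but only 40.0 at the web tier, because the db's loss cascades to the app and web services. It also shows the trade-off the cost-sensitive approach is built around: isolating the db to stop a confidentiality breach (damage 72.5) is rejected because the isolation itself costs 100.0 in availability, whereas a full compromise of the db (damage 234.1) justifies it.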
Table 7
Risk Assessment Approaches
Risk Assessment Approach | Year | Ref | Description
Attack graph-based approach | 2006 | (Wang et al., 2006) | Helps an IDS by correlating output with the appropriate intensity.
Attack graph-based approach | 2007 | (Jahnke, Thul, 2007) | A graph-based approach that models the effect of attacks and response.
Attack graph-based approach | 2007 | (Neuman) | The graphs of the attack are used to detect the targets of the attacks in a distributed environment.
Service-dependency graph-based approach | 2003 | (Balepin, Maltsev, 2003) | A cost-sensitive model to explain the automated response by using a specification-based IDS and service-dependency graph.
Service-dependency graph-based approach | 2010 | (Kheir, Cuppens-Boulahia, 2010) | A cost-sensitive model based on a service-dependency graph to evaluate the CIA effect.
Service-dependency graph-based approach | 2015 | (Patel, Taghavi, 2013) | Dynamically evaluates the response cost against resource dependency, network elements, and number of online users.
Non-graph-based approach | 2002 | (Lee, Fan, 2002) | Cost-sensitive model based on four response metrics: operational cost, damage cost, response cost, and development cost.
Non-graph-based approach | 2007 | (Strasburg et al., 2009b) | Intrusion response cost assessment methodology proposed based on response goodness, response potential damage, and response operational cost.
Non-graph-based approach | 2007 | (Wang, Tseng, 2007) | Calculates the response cost using the terms TDI and ADI.
Non-graph-based approach | 2009 | (Stakhanova, Basu, 2007a) | Compares response deployment cost utilizing an exploit graph and activates a response based on a static cost metric.
Table 8
Comparison of existing IRS based on proposed design parameters

| IRS | Year | Response Nature | Security policy | Network Performance | Prediction Ability | Adjustment Nature | Response Assessment | Semantic Coherence | Alarm Confidence | Scalability | Response Metrics Policy |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CSM (White, Fisch, 1996) | 1996 | Dynamic | Availability, Integrity, Confidentiality | n/a | Reactive | Non-Adaptive | Burst | No | Low | n/a | Level of services (LOS); suspicious level of users |
| Stakhanova's IRS (Stakhanova, Basu, 2007a) | 2007 | Cost-Sensitive | Integrity, Availability | Midrate | Proactive | Adaptive | Burst | No | Midrate | N/A | Metric of benefit at the lowest risk; Response damage reduction |
| DIPS (Haslum, Abraham, 2007) | 2007 | Cost-Sensitive | Availability, Integrity, Confidentiality | Low | Proactive | Non-Adaptive | Burst | No | High | Yes | N/A |
| MOVIH-IDS (Herrero, Corchado, 2009) | 2009 | Cost-Sensitive | Availability, Integrity, Confidentiality | Midrate | Proactive | Adaptive | Burst | No | Midrate | Yes | N/A |
| Strasburg's IRS (Strasburg, Stakhanova, 2009a) | 2009 | Cost-Sensitive | N/A | n/a | Reactive | Adaptive | Burst | No | High | N/A | Intrusion damage; Response goodness; Severity and likelihood of intrusion |
| OrBAC (Kanoun, Cuppens-Boulahia, 2010) | 2010 | Cost-Sensitive | Availability, Integrity, Confidentiality | Midrate | Proactive | Adaptive | Burst | No | High | Yes | N/A |
| Kheir's IRS (Kheir, Cuppens-Boulahia, 2010) | 2010 | Cost-Sensitive | Availability | Low | Proactive | Non-Adaptive | Burst | No | Low | N/A | Availability; Integrity; Confidentiality impact |
| AIRS based on ontologies (Lanchas, González, 2010) | 2010 | Cost-Sensitive | Availability | High | Proactive | Adaptive | Burst | Yes | High | N/A | Intrusion semantic; Importance of the compromised resources |
| IDAM&IRS (Mu and Li, 2010) | 2010 | Cost-Sensitive | N/A | Midrate | Reactive | Non-Adaptive | Retroactive | No | Low | Yes | Current risk index; Static risk threshold |
| ADRS (Zhang, Naït- | 2011 | Cost-Sensitive | Availability, Integrity, | Midrate | Proactive | Adaptive | Retroactive | No | High | upto 100 | Computational cost; Detection accuracy |
[Figure: Challenges for Real Time Intrusion Response System: Data Sets, Alert Correlation, Risk Assessment and QoS, Response]
6 Conclusion
For many years, developing an IRS capable of repelling attacks has remained a major challenge. The state-of-the-art IDSs indicate that detecting an intrusion is useless without an appropriate response system. Optimum response selection depends on good IRS design. However, developing an efficient response mechanism that completely thwarts attacks is inherently complex because of the many unknown factors that must be considered when designing an IRS. This paper surveys the design parameters of existing IRSs. Its main finding is that, despite extensive research in this area, existing IRSs lack the semantics of the intrusion and use static response metrics instead of a dynamic approach, thereby generating more false alarms. In addition, the majority of adaptive IRSs lack efficient algorithms for updating the response history over time. Existing IRSs consider only the static response of isolating the intruding node and cannot apply a dynamic response that leaves the intruding node connected. Consequently, the static response option degrades network performance. Furthermore, the risk assessment component is missing, although it is crucial for managing false positives, weighing response cost against damage cost, and selecting an optimum response to thwart attacks. Significant work is in progress on developing state-of-the-art IRSs. However, research on designing a capable automated IRS is still in its infancy, and we remain far from designing an appropriate automated IRS.
To meet the newly imposed IRS design requirements, we identify new and desirable parameters that improve IRS design and minimize attacks. This survey presents existing IDSs in terms of detection capability, deployment approach, and response option, along with their classification. In addition, the design specification and functionality of existing IRSs, as well as the parameters they lack for selecting a good response option, have been discussed. Furthermore, new design parameters are proposed for designing a good IRS. We also discussed important factors, including alarm confidence, semantic coherence, and dynamic response metrics, as desirable features of IRS design. The main contribution of this paper is the proposed response design parameters, which improve the response mechanism for the response decision-making process according to the statistical features of attacks. Finally, the challenges encountered in designing a good IRS are discussed, and recommendations on the proposed design parameters are provided, along with future directions for this research, to aid researchers in designing a good IRS.
Acknowledgments
This work is fully funded by the Malaysian Ministry of Higher Education under the University of Malaya
High Impact Research Grant UM.C/625/1/HIR/MOE/FCSIT/03.
7 References
Adetunmbi AO, Falaki SO, Adewale OS, Alese BK. Network intrusion detection based on rough set and k-
nearest neighbour. International Journal of Computing and ICT Research. 2008;2:60-6.
Ghorbani AA, Lu W, Tavallaee M. Network Intrusion Detection and Prevention: Concepts and Techniques. 2009. Accessed at: books.google.com.my/books?isbn=0387887717.
Anantvalee T, Wu J. A survey on intrusion detection in mobile ad hoc networks. Wireless Network Security:
Springer; 2007. p. 159-80.
Anuar NB, Papadaki M, Furnell S, Clarke N. An investigation and survey of response options for Intrusion
Response Systems (IRSs). Information Security for South Africa (ISSA), 2010: IEEE; 2010. p. 1-8.
Anuar NB, Sallehudin H, Gani A, Zakari O. Identifying false alarm for network intrusion detection system
using hybrid data mining and decision tree. Malaysian journal of computer science. 2008;21:101-15.
Anwar S, Zain JBM. Response Option for Attacks Detected by Intrusion Detection System. The 4th International Conference on Software Engineering and Computer System. 2015;4:7.
Anwar S, Zain JBM, Zulkipli MFB, Inayat Z. A Review Paper on Botnet and Botnet Detection Techniques in
Cloud Computing, ISCI 2014 – IEEE Symposium on Computers & Informatics. 2014:5.
Årnes A, Sallhammar K, Haslum K, Brekne T, Moe MEG, Knapskog SJ. Real-time risk assessment with
network sensors and intrusion detection systems. Computational Intelligence and Security: Springer; 2005.
p. 388-97.
Ashraf QM, Habaebi MH. Autonomic schemes for threat mitigation in Internet of Things. Journal of
Network and Computer Applications. 2015;49:112-27.
Asosheh A, Ramezani N. A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a
smart classification. WSEAS Transactions on Computers. 2008;7:281-90.
Azab M, Eltoweissy M. Defense as a service cloud for Cyber-Physical Systems. Collaborative Computing:
Networking, Applications and Worksharing (CollaborateCom), 2011 7th International Conference on: IEEE;
2011. p. 392-401.
Bace RG. Intrusion Detection. Book, ISBN 1-57870-185-6, http://dl.acm.org/citation.cfm?id=347487; 2002.
Balepin I, Maltsev S, Rowe J, Levitt K. Using specification-based intrusion detection for automated response.
Recent Advances in Intrusion Detection: Springer; 2003. p. 136-54.
Bonifacio J, Moreira E. An adaptive intrusion detection system using neural networks. Proceedings of the IFIP SEC 1997.
Butun I, Morgera SD, Sankar R. A survey of intrusion detection systems in wireless sensor networks.
Communications Surveys & Tutorials, IEEE. 2014;16:266-82.
Cansian AM, Moreira E, Carvalho A, Bonifacio J. Network intrusion detection using neural networks. Proc
Int Conf on Computational Intelligence and Multimedia Applications1997. p. 276-80.
Carver Jr CA. Adaptive Agent-Based Intrusion Response. Ph.D. thesis, Texas A&M University, USA; May 2001.
Carver CA, Hill JM, Pooch UW. Limiting uncertainty in intrusion response. Proceedings of the 2001 IEEE
Workshop on Information Assurance and Security2001. p. 5-6.
CERT. CERT Statistics, http://www.cert.org/stats, 2014. Accessed on October 2014.
Chen Y-M, Yang Y. Policy management for network-based intrusion detection and prevention. Network
Operations and Management Symposium, 2004 NOMS 2004 IEEE/IFIP: IEEE; 2004. p. 219-32.
Choo K-KR. The cyber threat landscape: Challenges and future research directions. Computers & Security.
2011;30:719-31.
Cisco. http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/what_is_network_security/index.html, 2014. Accessed on October 2014.
da Silva APR, Martins MH, Rocha BP, Loureiro AA, Ruiz LB, Wong HC. Decentralized intrusion detection
in wireless sensor networks. Proceedings of the 1st ACM international workshop on Quality of service &
security in wireless and mobile networks: ACM; 2005. p. 16-23.
Dantu R, Loper K, Kolan P. Risk management using behavior based attack graphs. Information
Technology: Coding and Computing, 2004 Proceedings ITCC 2004 International Conference on: IEEE; 2004.
p. 445-9.
Deris Stiawan MYI, Abdul Hanan Abdullah. http://eprints.unsri.ac.id/73/1/2011_7_12_4212_4224.pdf, 2011. Accessed on August 2014.
Eng PE, Haug M. Automatic response to intrusion detection. Thesis; 2004. p. 1-55.
Estevez-Tapiador JM, Garcia-Teodoro P, Diaz-Verdejo JE. Anomaly detection methods in wired networks: a
survey and taxonomy. Computer Communications. 2004;27:1569-84.
Feng L, Wang W, Zhu L, Zhang Y. Predicting intrusion goal using dynamic Bayesian network with transfer
probability estimation. Journal of Network and Computer Applications. 2009;32:721-32.
Foo B, Wu Y-S, Mao Y-C, Bagchi S, Spafford E. ADEPTS: adaptive intrusion response using attack graphs
in an e-commerce environment. Dependable Systems and Networks, 2005 DSN 2005 Proceedings
International Conference on: IEEE; 2005. p. 508-17.
Han J, Kamber M. Data Mining: Concepts and Techniques. Southeast Asia Edition. Morgan Kaufmann; 2006.
Hansman S, Hunt R. A taxonomy of network and computer attacks. Computers & Security. 2005;24:31-43.
Haslum K, Abraham A, Knapskog S. Dips: A framework for distributed intrusion prediction and prevention
using hidden markov models and online fuzzy risk assessment. Information Assurance and Security, 2007
IAS 2007 Third International Symposium on: IEEE; 2007. p. 183-90.
Herrero Á, Corchado E, Pellicer MA, Abraham A. MOVIH-IDS: A mobile-visualization hybrid intrusion
detection system. Neurocomputing. 2009;72:2775-84.
Ho C-Y, Lai Y-C, Chen I-W, Wang F-Y, Tai W-H. Statistical analysis of false positives and false negatives
from real traffic with intrusion detection/prevention systems. Communications Magazine, IEEE.
2012;50:146-54.
Hoque N, Bhuyan MH, Baishya RC, Bhattacharyya D, Kalita JK. Network attacks: Taxonomy, tools and
systems. Journal of Network and Computer Applications. 2014;40:307-24.
Huang M-Y, Jasper RJ, Wicks TM. A large scale distributed intrusion detection framework based on attack
strategy analysis. Computer Networks. 1999;31:2465-75.
Hubballi N, Suryanarayanan V. False alarm minimization techniques in signature-based intrusion detection systems: A survey. Computer Communications. 2014;49:1-17.
Jahnke M, Thul C, Martini P. Graph based metrics for intrusion response measures in computer networks.
Local Computer Networks, 2007 LCN 2007 32nd IEEE Conference on: IEEE; 2007. p. 1035-42.
Jou Y, Gong F, Sargor C, Wu X, Wu S, Chang H, et al. Design and implementation of a scalable intrusion
detection system for the protection of network infrastructure. DARPA Information Survivability Conference
and Exposition, 2000 DISCEX'00 Proceedings: IEEE; 2000. p. 69-83.
Junqi W, Zhengbing H. Study of intrusion detection systems (IDSs) in network security. Wireless
Communications, Networking and Mobile Computing, 2008 WiCOM'08 4th International Conference on:
IEEE; 2008. p. 1-4.
Kanoun W, Cuppens-Boulahia N, Cuppens F, Dubus S. Risk-aware framework for activating and
deactivating policy-based response. Network and System Security (NSS), 2010 4th International Conference
on: IEEE; 2010. p. 207-15.
Karami A, Guerrero-Zapata M. An ANFIS-based cache replacement method for mitigating cache pollution
attacks in Named Data Networking. Computer Networks. 2015a;80:51-65.
Karami A, Guerrero-Zapata M. A fuzzy anomaly detection system based on hybrid pso-kmeans algorithm in
content-centric networks. Neurocomputing. 2015b;149:1253-69.
Karami A, Guerrero-Zapata M. A hybrid multiobjective rbf-pso method for mitigating dos attacks in named
data networking. Neurocomputing. 2015c;151:1262-82.
Khan N, Yaqoob I, Hashem IAT, Inayat Z, Mahmoud Ali WK, Alam M, et al. Big data: survey, technologies,
opportunities, and challenges. The Scientific World Journal. 2014a;2014.
Khan S, Shiraz M, Abdul Wahab AW, Gani A, Han Q, Bin Abdul Rahman Z. A comprehensive review on
adaptability of network forensics frameworks for mobile cloud computing. The Scientific World Journal.
2014b;2014.
Kheir N. Response policies and counter-measures: Management of service dependencies and intrusion and reaction impacts. PhD Thesis. 2010;1:177-85.
Kheir N, Cuppens-Boulahia N, Cuppens F, Debar H. A service dependency model for cost-sensitive intrusion
response. Computer Security–ESORICS 2010: Springer; 2010. p. 626-42.
Kheir N, Debar H, Cuppens-Boulahia N, Cuppens F, Viinikka J. Cost evaluation for intrusion response using
dependency graphs. Network and Service Security, 2009 N2S'09 International Conference on: IEEE; 2009a.
p. 1-6.
Kheir N, Debar H, Cuppens F, Cuppens-Boulahia N, Viinikka J. A service dependency modeling framework
for policy-based response enforcement. Detection of Intrusions and Malware, and Vulnerability Assessment:
Springer; 2009b. p. 176-95.
Kholidy H, Baiardi F. CIDS: a framework for intrusion detection in cloud systems. Information Technology:
New Generations (ITNG), 2012 Ninth International Conference on: IEEE; 2012. p. 379-85.
Krontiris I, Benenson Z, Giannetsos T, Freiling FC, Dimitriou T. Cooperative intrusion detection in wireless
sensor networks. Wireless sensor networks: Springer; 2009. p. 263-78.
Kruegel C, Valeur F, Vigna G. Intrusion Detection and Correlation: Challenges and Solutions. Vol 14. Springer Science & Business Media; 2005.
Kumar S, Spafford EH. A pattern matching model for misuse intrusion detection. Proceedings of the National Computer Security Conference, Baltimore, MD; 1994. p. 11-21.
MIT Lincoln Laboratory. http://www.ll.mit.edu/ideval/data/, 2000. Accessed on October 2014.
Lanchas VM, González VAV, Bueno FR. Ontologies-based automated intrusion response system.
Computational Intelligence in Security for Information Systems 2010: Springer; 2010. p. 99-106.
Lazarevic A, Kumar V, Srivastava J. Intrusion detection: A survey. Managing Cyber Threats: Springer;
2005. p. 19-78.
Lee W, Fan W, Miller M, Stolfo SJ, Zadok E. Toward cost-sensitive modeling for intrusion detection and
response. Journal of Computer Security. 2002;10:5-22.
Li W, Tian S. An ontology-based intrusion alerts correlation system. Expert Systems with Applications.
2010;37:7138-46.
Liao H-J, Lin C-HR, Lin Y-C, Tung K-Y. Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications. 2013;36:16-24.
Lindqvist U, Jonsson E. How to systematically classify computer security intrusions. Security and Privacy,
1997 Proceedings, 1997 IEEE Symposium on: IEEE; 1997. p. 154-63.
Locasto ME, Wang K, Keromytis AD, Stolfo SJ. Flips: Hybrid adaptive intrusion prevention. Recent
Advances in Intrusion Detection: Springer; 2006. p. 82-101.
Mateos V, Villagrá VA, Romero F, Berrocal J. Definition of response metrics for an ontology-based
Automated Intrusion Response Systems. Computers & Electrical Engineering. 2012;38:1102-14.
Mitchell R, Chen I-R. A survey of intrusion detection techniques for cyber-physical systems. ACM
Computing Surveys (CSUR). 2014;46:55.
Mitchell R, Chen I. Effect of intrusion detection and response on reliability of cyber physical systems.
Reliability, IEEE Transactions on. 2013;62:199-210.
Mu C, Li X, Huang H, Tian S. Online risk assessment of intrusion scenarios using DS evidence theory.
Computer Security-ESORICS 2008: Springer; 2008. p. 35-48.
Mu C, Li Y. An intrusion response decision-making model based on hierarchical task network planning.
Expert systems with applications. 2010;37:2465-72.
MyCERT. Malaysian Computer Emergency Response Team Incident Statistics, http://www.mycert.org.my/en/services/statistic/mycert/2013/main/detail/914/index.html, 2014. Accessed on October 2014.
Nadeem A, Howarth M. Adaptive intrusion detection & prevention of denial of service attacks in MANETs.
Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing:
Connecting the World Wirelessly: ACM; 2009. p. 926-30.
Nadeem A, Howarth M. Protection of MANETs from a range of attacks using an intrusion detection and
prevention system. Telecommunication Systems. 2013;52:2047-58.
Nadeem A, Howarth MP. An intrusion detection & adaptive response mechanism for MANETs. Ad Hoc
Networks. 2014;13:368-80.
Neuman C. Challenges in security for cyber-physical systems. DHS: S&T workshop on future directions in
cyber-physical systems security: Citeseer; 2009.
O'Neill M. The Internet of Things: do more devices mean more risks? Computer Fraud & Security.
2014;2014:16-7.
Olusola AA, Oladele AS, Abosede DO. Analysis of KDD’99 Intrusion detection dataset for selection of
relevance features. Proceedings of the World Congress on Engineering and Computer Science2010. p. 20-2.
Papadaki M, Furnell S. Achieving automated intrusion response: a prototype implementation. Information
management & computer security. 2006;14:235-51.
Patel A, Taghavi M, Bakhtiyari K, Júnior JC. An intrusion detection and prevention system in cloud
computing: A systematic review. Journal of Network and Computer Applications. 2013;36:25-41.
Paxson V. Bro: a system for detecting network intruders in real-time. Computer networks. 1999;31:2435-63.
Poolsappasit N, Dewri R, Ray I. Dynamic security risk management using bayesian attack graphs.
Dependable and Secure Computing, IEEE Transactions on. 2012;9:61-74.
Porras PA, Neumann PG. EMERALD: Event monitoring enabling response to anomalous live disturbances.
Proceedings of the 20th national information systems security conference1997. p. 353-65.
Qi H, Shiraz M, Gani A, Whaiduzzaman M, Khan S. Sierpinski triangle based data center architecture in
cloud computing. The Journal of Supercomputing. 2014:1-21.
Ragsdale DJ, Carver Jr CA, Humphries JW, Pooch UW. Adaptation techniques for intrusion detection and
intrusion response systems. Systems, Man, and Cybernetics, 2000 IEEE International Conference on: IEEE;
2000. p. 2344-9.
Roesch M. Snort: Lightweight Intrusion Detection for Networks. LISA1999. p. 229-38.
SANS Institute InfoSec Reading Room. http://www.sans.org/reading-room/whitepapers/malicious/code-red-worm-45, 2001. Accessed on 27 May 2014.
Sabahi F, Movaghar A. Intrusion detection: A survey. Systems and Networks Communications, 2008 ICSNC'08 3rd International Conference on: IEEE; 2008.
Sadoddin R, Ghorbani A. Alert correlation survey: framework and techniques. Proceedings of the 2006
International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and
Business Services: ACM; 2006. p. 37.
SANS Institute, Dinesh S. Intrusion prevention systems: security's silver bullet? Business Communications Review. 2003;33:36-41.
Scarfone K, Mell P. Guide to intrusion detection and prevention systems (idps). NIST special publication.
2007a;800:94.
Scarfone K, Mell P. Guide to Intrusion Detection and Prevention Systems (IDPS), SP 800-94. NIST Special Publication, National Institute of Standards and Technology, Gaithersburg; 2007b.
Schnackengerg D, Holliday H, Smith R, Djahandari K, Sterne D. Cooperative intrusion traceback and
response architecture (CITRA). DARPA Information Survivability Conference & Exposition II, 2001
DISCEX'01 Proceedings: IEEE; 2001. p. 56-68.
Shameli-Sendi A, Cheriet M, Hamou-Lhadj A. Taxonomy of intrusion risk assessment and response system.
Computers & Security. 2014;45:1-16.
Shameli-Sendi A, Dagenais M. ORCEF: Online response cost evaluation framework for intrusion response
system. Journal of Network and Computer Applications. 2015.
Shameli-Sendi A, Desfossez J, Dagenais M, Jabbarifar M. A Retroactive-Burst Framework for Automated
Intrusion Response System. Journal of Computer Networks and Communications. 2013;2013.
Shameli-Sendi A, Ezzati-Jivan N, Jabbarifar M, Dagenais M. Intrusion response systems: survey and
taxonomy. Int J Comput Sci Netw Secur. 2012;12:1-14.
Snapp SR, Brentano J, Dias GV, Goan TL, Heberlein LT, Ho C-L, et al. DIDS (distributed intrusion
detection system)-motivation, architecture, and an early prototype. Proceedings of the 14th national
computer security conference: Citeseer; 1991. p. 167-76.
Sookhak M, Akhundzada A, Sookhak A, Eslaminejad M, Gani A, Khan MK, et al. Geographic Wormhole
Detection in Wireless Sensor Networks. PloS one. 2015;10.
Stakhanova N, Basu S, Wong J. A Cost-Sensitive Model for Preemptive Intrusion Response Systems.
AINA2007a. p. 428-35.
Stakhanova N, Basu S, Wong J. A taxonomy of intrusion response systems. International Journal of
Information and Computer Security. 2007b;1:169-84.
Strasburg C, Stakhanova N, Basu S, Wong JS. A framework for cost sensitive assessment of intrusion
response selection. Computer Software and Applications Conference, 2009 COMPSAC'09 33rd Annual
IEEE International: IEEE; 2009a. p. 355-60.
Strasburg C, Stakhanova N, Basu S, Wong JS. Intrusion response cost assessment methodology. Proceedings
of the 4th International Symposium on Information, Computer, and Communications Security: ACM; 2009b.
p. 388-91.
Tanachaiwiwat S, Hwang K, Chen Y. Adaptive intrusion response to minimize risk over multiple network
attacks. ACM Trans on Information and System Security. 2002;19:1-30.
Teleco-Network Technology. http://teleco-network.blogspot.com/search?q=firewall, 2011. Accessed on 27 May 2014.
Toth T, Kruegel C. Evaluating the impact of automated intrusion response mechanisms. Computer Security
Applications Conference, 2002 Proceedings 18th Annual: IEEE; 2002. p. 301-10.
Vigna G, Kemmerer RA. NetSTAT: A network-based intrusion detection system. Journal of computer
security. 1999;7:37-71.
Vigna G, Kemmerer RA. Intrusion detection: a brief history and overview. Computer. 2002;35:27-30.
Wang L, Liu A, Jajodia S. Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts.
Computer communications. 2006;29:2917-33.
Wang S-H, Tseng CH, Levitt K, Bishop M. Cost-sensitive intrusion responses for mobile ad hoc networks.
Recent Advances in Intrusion Detection: Springer; 2007. p. 127-45.
Wang X, Reeves DS, Wu SF, Yuill J. Sleepy watermark tracing: An active network-based intrusion response
framework. Trusted Information: Springer; 2001. p. 369-84.
White GB, Fisch EA, Pooch UW. Cooperating security managers: A peer-based intrusion detection system.
Network, IEEE. 1996;10:20-3.
Wu Y-S, Foo B, Mao Y-C, Bagchi S, Spafford EH. Automated adaptive intrusion containment in systems of
interacting services. Computer Networks. 2007;51:1334-60.
Jou YF, Gong F, Sargor C, Wu SF, Cleaveland WR. Architecture design of a scalable intrusion detection system for the emerging network infrastructure. Technical Report CDRL A005, Dept. of Computer Science, North Carolina State University, Raleigh, NC, USA; April 1997.
Ying L, Yan Z, Yang-jia O. The design and implementation of host-based intrusion detection system.
Intelligent Information Technology and Security Informatics (IITSI), 2010 Third International Symposium
on: IEEE; 2010. p. 595-8.
Zhang Z, Naït-Abdesselam F, Ho P-H, Kadobayashi Y. Toward cost-sensitive self-optimizing anomaly
detection and response in autonomic networks. computers & security. 2011;30:525-37.