
Author's Accepted Manuscript

Intrusion Response Systems: Foundations, Design, and Challenges

Zakira Inayat, Abdullah Gani, Nor Badrul Anuar, Muhammad Khuram Khan, Shahid Anwar

www.elsevier.com/locate/jnca

PII: S1084-8045(15)00299-4
DOI: http://dx.doi.org/10.1016/j.jnca.2015.12.006
Reference: YJNCA1524
To appear in: Journal of Network and Computer Applications
Received date: 21 September 2015
Revised date: 17 December 2015
Accepted date: 23 December 2015
Cite this article as: Zakira Inayat, Abdullah Gani, Nor Badrul Anuar, Muhammad
Khuram Khan and Shahid Anwar, Intrusion Response Systems: Foundations,
Design, and Challenges, Journal of Network and Computer Applications,
http://dx.doi.org/10.1016/j.jnca.2015.12.006
Intrusion Response Systems: Foundations, Design, and Challenges
Zakira Inayat 1,2,*, Abdullah Gani 1,3, Nor Badrul Anuar 3, Muhammad Khuram Khan 4, Shahid Anwar 5
1 Center for Mobile Cloud Computing Research (C4MCCR), University of Malaya, 50603 Kuala Lumpur, Malaysia
2 Department of Computer Science, University of Engineering and Technology Peshawar, Peshawar 2500, Pakistan
3 Faculty of Computer Science and Information Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
4 Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Saudi Arabia
5 Faculty of Computer System and Software Engineering, Universiti Malaysia Pahang, 26300 Gambang, Malaysia
* Email: Zakirainayat@uetpeshawar.edu.pk

Abstract
In the last few decades, various network attacks have emerged. This phenomenon requires serious consideration to address its extensive consequences. To
overcome the effects of network attacks, an appropriate intrusion detection system and a real-time intrusion response system are required. In this paper, we
present an IRS taxonomy based on design parameters to classify existing schemes. Furthermore, we investigate the essential response design parameters for IRS
to mitigate attacks in real time and obtain a robust output. The majority of existing schemes disregard the importance of semantic coherence and dynamic
response parameters in the response selection process. Therefore, most existing schemes produce inaccurate results by generating false alarms. These design
parameters are comprehensively discussed in this paper. We have qualitatively analyzed existing IRS schemes on the basis of the response design parameters.
Open research challenges are identified to highlight key research areas in this research domain.
Keywords: intrusion detection, intrusion response, semantic coherence, response design parameter
1 Introduction
For years, network security has been the focus of substantial research (Cisco, 2014). In the last few decades, humans have become increasingly technology-
dependent (e.g., use of the Internet for business, educational, and social activities). A number of security incidents, including threats to confidentiality, integrity,
and data availability, have occurred because of the widespread use of computer networks. The availability of computer networks and the integrity of data must be
protected against intrusions, which include denial of service (DoS) attacks, unauthorized access, spoofing attacks, and application layer attacks (Hansman
and Hunt, 2005, Hoque et al., 2014). Moreover, the annual report published by the Computer Emergency Response Team (CERT) indicates that the rate of
intrusions is increasing every year (Cert, 2014). The Malaysian CERT in 2014 indicated a 50% increase in intrusions and reported more than 10,000 incidents
(MyCert-Report, 2014). These reports show that intrusions cannot be avoided entirely. Thus, a security mechanism is needed to enforce security policies
and counter intrusions.
Security mechanisms such as firewalls, authentication, cryptography, and access control are used as the first line of defense against security threats
(Kruegel et al., 2005, SANS institute 2003). However, these anti-threat applications are unable to detect internal intrusions and provide inadequate security
countermeasures. Therefore, various types of intrusion systems that originated from intrusion detection systems (IDSs), such as intrusion prevention systems
(IPSs) and intrusion response systems (IRSs), were developed to detect, prevent, and respond to intrusions (Anuar et al., 2010). An IDS is a collection of
software or hardware resources that can detect, analyze, and report intrusions in a computing system. As an extension of the IDS, an inline IDS or IPS detects and
prevents potential intrusions in real time (Scarfone and Mell, 2007a). However, an IPS requires high-performance systems and is difficult to manage when it must
analyze and prevent intrusions at the same time, particularly in a distributed environment. Thus, a security countermeasure that continuously monitors system
performance is needed to effectively identify and handle potential incidents. This countermeasure is called an IRS.
On the basis of the level of automation, IRSs are classified into notification, manual, and automated response systems (Stakhanova et al., 2007b). Despite the
significant emphasis given to IDS and IPS, the detection of intrusions is useless without an appropriate response system to thwart intrusions. To the best of
our knowledge, three surveys (Shameli-Sendi et al., 2014, Shameli-Sendi et al., 2012, Stakhanova, Basu, 2007b) provide a classification of IRS and emphasize
the important aspects related to IRS and its security issues. These surveys classify IRS into two categories, automated and non-automated, on the basis
of their functionality. Furthermore, they categorize IRS into cost-sensitive, adaptive, and non-adaptive IRS. In (Stakhanova, Basu, 2007b), IRS
design is described in terms of the degree of automation, time of response, cooperation ability, and response selection method. In (Shameli-Sendi, Ezzati-Jivan,
2012), it is stated that efficient response design is associated with the cost-sensitivity of the response and the prediction of the minimum damage cost based on
response cost. In (Shameli-Sendi, Cheriet, 2014), the authors propose a taxonomy for intrusion risk assessment (IRA) and present integrated risk assessment
techniques. Consequently, existing surveys indicate that effective coordination between intrusion response and risk assessment leads to an efficient
framework for managing uncertainty in IRS.
Many studies have been conducted on IRS design and classification. However, existing IRS designs employ a static approach in selecting an optimum response
option and lack semantics for the intrusion alerts generated by IDSs at distributed locations in the network (Mateos et al., 2012). Instead of choosing a flexible
response metric, existing response systems (Mu and Li, 2010, Stakhanova et al., 2007a) use static response metrics, such as a static risk threshold metric, severity
metric, IDS confidence metric, and damage reduction metric. Consequently, these systems have difficulty with real-time detection and response, false alarm
management, and uncertainty in IRS (Anuar et al., 2008, Hubballi, 2014). Therefore, IDS and IRS need to adapt dynamically so as to detect and
respond automatically. In this paper, we propose response design parameters for designing an efficient IRS, particularly in a distributed environment. The
addition of these response design parameters to existing IRS designs will result in an automated IRS with no false alarms, low uncertainty, and the ability
to respond dynamically in real time. Thus, the contributions of this paper are as follows:
- A detailed literature survey that analyzes the latest trends in IDS and IRS and highlights the challenges that exist in the design of existing IRS.
- A taxonomy of the design attributes to enhance the design of IRS by proposing some essential response design metrics and identifying the main areas that
need to be improved in IRS design.
- A comparative study based on the design metrics of IRS to prevent attacks, integrate new enhancements, and determine future research trends for experts
and general users.
The rest of this paper is organized as follows. Section 2 discusses the selected studies and classifies IDSs, the earlier stage of intrusion handling. Section 3 categorizes the selected
studies by presenting the contributions of researchers on IRS. Section 4 presents the analysis of existing IRSs based on the proposed design metrics. Section
5 presents the challenges in current IRSs and future directions. Finally, Section 6 concludes our survey by comparing existing approaches and providing a
general design approach for IRS. Table 1 lists the acronyms used.
Table 1
List of Acronyms
Symbols Description
AAIRS Adaptive Automated Intrusion Response System
AD Anomaly Detection
ADI Attack Damage Index
ACM Association for Computing Machinery
AIRS Automated Intrusion Response System
CCN Content Centric Networking
CIA Confidentiality, Integrity, Availability
CPS Cyber Physical System
CSM Cooperating Security Managers
DDoS Distributed Denial of Services
DIDS Distributed Intrusion Detection System
DoS Denial of Services
EMERALD Event Monitoring Enabling Responses to Anomalous Disturbance
FLIPS Feedback Learning Intrusion Prevention System
HIDS Host-Based Intrusion Detection System
HPMIDCPS Hierarchical performance model for intrusion detection in cyber-physical systems
IDS Intrusion Detection System
IDAR Intrusion Detection & Adaptive Response Mechanism
IEEE Institute of Electrical & Electronic Engineers
IoT Internet of Things
IPS Intrusion Prevention System
IRS Intrusion Response System
LS Local Subsystem
MANET Mobile Ad Hoc Network
MOVIH-IDS Mobile-Visualization Hybrid IDS
NBA Network-Based Analysis
NIDS Network-based Intrusion Detection System
NDN Name Data Networking
NetSTAT Network Statistical Analysis Tool
ORCEF Online response cost evaluation framework
PSO Particle Swarm Optimization
RMS Remote Management Subsystem
RBF Radial Basis Function
SD Signature-based Detection
SWRL Semantic Web Rule Language
TDI Topology Dependency Index

2 Intrusion Detection Systems


Security has become a critical issue in today's highly distributed and networked systems. Existing defensive mechanisms, such as firewalls, authentication,
access control, and cryptography, are unable to provide complete security. For instance, a firewall is a first line of defense that filters network traffic by
allowing and denying packets on the basis of administrator policies (Technology, 2011). The authentication mechanism is responsible for establishing a user's
identity and is used as a prerequisite for access control. Access control restricts the availability of resources and secures local infrastructure. Cryptography is
another anti-threat application used for communication security. However, these defensive mechanisms are inadequate to completely address the problem of
intrusion detection and response. In addition, these first lines of defense are used to secure communication and resources and are unable to detect
internal intrusions (Kruegel, Valeur, 2005, SANS institute 2003).
Furthermore, these defensive mechanisms fail to secure computer networks, cloud computing, content in CCN, and core technologies of future generation
networks such as IoT and CPS, because they are unable to detect internal intrusions (Kruegel, Valeur, 2005, SANS institute 2003). The
detection of internal intrusions in these domains is a challenging task because of their inherent complexity, shared technology, and remotely located components
(Patel et al., 2013). Moreover, the distributed structure of these domains makes them an attractive target for intruders and vulnerable to physical attacks because
of their extensive use over a wide geographic area. The main cause of intrusion in cloud computing, CCN, IoT, and CPS is the interaction between physical,
software, and digital components. It is therefore necessary to secure the communication channels in the cloud, IoT, and CPS, and the information content in
CCN, against intrusions by introducing efficient supporting security technologies, such as IDS with appropriate security countermeasures (e.g., IRS) (Choo,
2011, O'Neill, 2014).
Many IDSs have been developed for securing networks (Anantvalee and Wu, 2007, Butun et al., 2014), CPS (Mitchell and Chen, 2014), IoT (Ashraf and
Habaebi, 2015, Khan et al., 2014a), cloud computing (Patel et al., 2013), and CCN (Karami and Guerrero-Zapata, 2015b). For instance, an autonomic security
solution for IoT devices detects physical attacks on remotely located components without any human intervention (Ashraf and Habaebi, 2015). Cooperative
autonomous resilient defense (CyPhyCARD) was proposed (Azab and Eltoweissy, 2011) as a cloud service to detect unknown intrusions in CPS. CyPhyCARD is
a distributed, anomaly-based, and runtime-programmable platform that uses EvoSense virtual sensors and defense missions to regularly scan the Target of Defense
(ToD) host and its external and internal communication. When attacks are detected, the defense missions reconfigure the ToD host, the host network, and the
digitally controlled physical components to mitigate the attacks. IDS as a service (CIDS) (Kholidy and Baiardi, 2012) provides Snort as a cloud application to clients
to detect known attacks. However, its disadvantages include high computational overhead and failure to detect unknown attacks at the network layer. In
(Karami and Guerrero-Zapata, 2015a), an intelligent cache replacement method using an Adaptive Neuro-Fuzzy Inference System (ANFIS) is proposed to secure
the CCN; it detects and mitigates two generic cache pollution attacks, namely false-locality and locality-disruption, in NDN. Compared with other security
mechanisms in NDN, this method has high detection accuracy without much computational cost.
An IDS aims to detect intrusions, whereas an IRS is responsible for thwarting detected intrusions and mitigating the effects of attacks. Similar to an IPS, the IRS works with
the IDS because the IDS provides its main input. The IDS delivers basic information about external or internal intrusions, including their location,
time of occurrence, intrusion mode, type of attack, and details at the network layer. The following section classifies IDSs on the basis of deployment, detection
approach, and response option (i.e., passive or active). Based on the deployment approach, IDSs are categorized as host based, network based, distributed, and
hybrid. According to the detection approach, IDSs are categorized as anomaly based (behavior based), signature based (knowledge based), hybrid (anomaly + signature),
and specification based (Liao H-J, 2013).
2.1 Types of Deployment Approach
Host and network-based are the two types of deployment approaches for IDS. HIDS detect intrusions on a host machine, whereas NIDS identify and detect
intrusions in network traffic. Selecting the proper IDS from a wide variety of currently available IDS, whether network based, host based, commercial, or
freeware, is difficult and time consuming because a number of parameters must be considered according to the requirements. For example, in designing a
defensive mechanism for a database, the integrity factor must be considered. However, availability factors are necessary in designing an IDS for network
security.
a) A host-based system requires a separate sensor for each individual computer. This type of system audits information from a single computer (single host) or
from distinct hosts (multi-host) and responds to the events that occur. A single host monitors a single machine, whereas a multi-host, also called a distributed host,
audits data from multiple hosts on a single network to detect intrusions (Carver, May 2001). Implementing a host-based system is easier than implementing
a network-based system (Ying et al., 2010). For example, Hyperview (Ali. A Ghorbani, 2009) is a host-based system that consists of two detection
components, namely, a neural network and an associated expert system, to detect intrusions early.
b) A network-based system monitors network traffic between network devices and compares it with predefined attack patterns to detect any
suspicious activity. The distinguishing feature of a network-based system is that it requires few sensors to monitor a large network and a heterogeneous set of
hosts without adding any load to the hosts, thus reducing overhead on the network as a whole. The majority of existing and commercially available IDSs
are network based (Bace, 2002). ACME (Bonifaco and Moreira, 1997, Cansian et al., 1997) is a network-based system that utilizes a neural network and an
expert system to detect intrusions. Figure 1 illustrates the IDS position with respect to the data source (network/host), where the NIDS monitors network traffic
and the HIDS monitors the information on a host system.
[Figure 1, reconstructed from the extracted labels: an attacker on the Internet side; Internet, router, and firewall in front of the site; NIDS sensors monitoring the perimeter traffic and the server; switches leading to Subnet 1 and Subnet 2, whose hosts each run a HIDS.]
Figure 1. Network- and host-based IDSs.

c) In addition to the aforementioned traditional deployment approaches, other types of deployment approaches were developed, including distributed and
hybrid approaches (Figure 2). In the distributed approach, various IDSs are combined as remote sensors that report intrusions to a centralized
authority. These remote sensors can be network based, host based, or a combination (hybrid) of both. DIDS (Huang et al., 1999, Snapp et al., 1991) is a
distributed, rule-based IDS and the first system that integrates audit reports from many different hosts on a single network. DIDS combines
distributed and local host monitoring to detect intrusions (Kholidy and Baiardi, 2012). The other type is the hybrid approach, which is composed of
both NIDS and HIDS approaches (Butun, Morgera, 2014). It would be advantageous to integrate a NIDS into a host-based system, such that it filters
notifications and alerts to the HIDS, controlled from the same central location. Figure 2 describes IDS based on the deployment approach, that is, whether the IDS monitors
intrusions on a host machine, on a network, or in a hybrid or distributed manner.
[Figure 2, reconstructed from the extracted labels: deployment approaches and their descriptions. Host-based IDS: examines the log file and real-time usage of the host. Network-based IDS: monitors, captures, and examines transmitted network traffic. Distributed IDS: various IDSs combined, working as remote sensors controlled by a centralized authority. Hybrid IDS: composed of NIDS and HIDS, taking advantage of the combination.]
Figure 2. Classification of IDS based on deployment approaches.

2.2 Types of Detection Approach


IDSs identify intrusions on the basis of valid characteristics, such as network traffic (e.g. source and destination port, IP sources), files, and behavior patterns.
IDS is categorized into anomaly-, signature-, hybrid-, and specification-based approaches according to the detection approach. The hybrid-based approach is a
combination of signature and anomaly approaches.
a) In the anomaly-based approach, all network traffic, system, and user-level activity are stored and monitored to detect any deviation from normal activity.
Any deviation from the normal pattern generates an alert called an intrusion (Scarfone and Mell, 2007a). Normal and abnormal patterns can be learned by
using machine learning approaches, such as neural networks, Bayesian networks, Markov models, fuzzy logic, genetic algorithms, and decision trees
(Adetunmbi et al., 2008, Han J, 2006). The anomaly-based approach does not require any signatures. Thus, the detection of unknown attacks based on static
characteristics (e.g. content of files and traffic) is possible. This approach has many advantages, the main one being that it can detect previously unfamiliar
and new attacks. However, this feature reduces detection accuracy by generating many false alarms (Carver, May 2001).
The method detects deviations in three steps, namely, parameterization, a training stage, and a detection stage (Estevez-Tapiador et al., 2004). Furthermore,
the techniques for anomaly detection, as shown in Figure 3, can be categorized as statistical based, machine learning based, and knowledge based (Butun,
Morgera, 2014, Lazarevic et al., 2005). For instance, the anomaly-based IDS of (Karami and Guerrero-Zapata, 2015b) applies a machine learning-based
approach, fuzzy logic, to detect unknown attacks. This IDS, based on a hybridization of the PSO and K-means clustering algorithms in CCN, was
developed by combining two distance-based methods for classification and outlier detection. The main advantages of this approach are high detection accuracy, a low
false alarm rate, and low computational cost; however, the training phase increases the response time. A recent contribution in (Karami and
Guerrero-Zapata, 2015c) is an automated, anomaly-based countermeasure using a hybrid method based on the multiobjective RBF+PSO algorithm to
proactively detect and adaptively mitigate DoS attacks in a CCN-based network infrastructure named NDN. This method has a low false alarm rate and high
detection accuracy. Another anomaly-based example is (Mitchell and Chen, 2013), in which an attacker model is used to classify attacker behaviour
in CPS as random, opportunistic, or insidious.
b) Unlike anomaly-based detection, signature-based detection schemes monitor and analyze user and system activity and compare the collected information with
predefined patterns stored in a large database. The main advantage of this type of scheme is its minimal false alarm rate, whereas the main drawback is
that it is unable to detect new and unfamiliar intrusions, even when these intrusions are built as minor variants of known attacks (Sabahi, 2008).
Furthermore, this approach can be implemented by using expert systems, state transition analysis, model-based reasoning systems, pattern matching, and key
stroke monitoring (Figure 3) (Kumar and Spafford, 1994). Snort (Roesch, 1999) is a signature-based NIDS that uses predefined signatures to
monitor network activity for any suspicious pattern. However, its generated response is limited to reports and alarms only.
c) In addition to the anomaly- and signature-based detection approach, a hybrid-based method combines the anomaly pattern with a signature database, which
is capable of detecting both known and unknown attacks (Sabahi, 2008). This approach reduces the problem of false alarms and increases the capability of
detecting unknown attacks. EMERALD (Porras and Neumann, 1997) employs the hybrid approach, which combines statistical profiling with signature
analysis, thus providing high scalability for the protection of large and distributed networks.
d) A specification-based approach defines a set of constraints and specifications that describe the correct operation of a protocol or program and is used to
monitor the execution of the program (Anantvalee and Wu, 2007). This approach is similar to an anomaly-based detection approach because both methods
detect unknown attacks and identify intrusions as deviations from normal behavior. However, the specification-based approach relies on manually
created specifications and constraints. Thus, this approach generates low false alarm rates compared with the high false alarm rate of an anomaly-based
approach. A specification-based approach is more effective than the other approaches for intrusion detection in CPS: the dictionary associated with
knowledge-based designs cannot be updated because of channel scarcity, and storage constraints limit the size of the attack dictionary (Mitchell and Chen,
2014). The IDS proposed in Ref. (da Silva et al., 2005) used a specification-based approach for detection, applying a decentralized approach in which
the intrusion detector was distributed across the entire network. The types of detection approach and the details of each approach are given in Figure 3.
[Figure 3, reconstructed from the extracted labels: a taxonomy of detection approaches.
- Anomaly-based detection (identifies any deviation from the stored database): statistical (generates profiles by observing the behavior of system activities); machine learning (generates an explicit or implicit model of the analyzed pattern); knowledge-based (relies on the availability of prior data on network parameters under normal conditions and under certain attacks).
- Signature-based detection (matches threat signatures against the pre-installed intrusion database; requires knowledge about attacks): expert system (if-then implication rules); model-based reasoning (combines models of misuse with evidential reasoning); pattern matching (uses the stored known patterns of attacks for detection); state transition analysis (represents attacks as a sequence of state transitions of the monitored system); key stroke monitoring (detects the occurrence of an intrusion from key strokes).
- Hybrid-based detection: combines the anomaly and signature methods to detect known and unknown attacks.
- Specification-based detection: similar to the anomaly approach but defines a set of constraints and specifications, monitors system activity instead of user behavior, and generates few false positives.]
Figure 3. Classification of IDS based on Detection Approaches.
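To make the signature-based and anomaly-based approaches concrete, the following Python program is an added example, not code from the survey or from any system it cites: it runs a small signature matcher and a three-stage anomaly detector (parameterization, training, detection) over constructed connection summaries, and shows why the hybrid approach inherits the anomaly engine's false alarms. The record fields, the two signatures, the baseline values and the z-score threshold are assumptions chosen for the illustration.

```python
"""Added example: signature-based vs anomaly-based detection over constructed
connection summaries. Record fields, signatures, baseline values and the
z-score threshold are assumptions made for this illustration."""
from statistics import mean, pstdev

# Constructed baseline of normal traffic used for the training stage.
# Parameterization: each record is reduced to two numeric features,
# connections per minute from the source ("rate") and bytes transferred.
BASELINE = [
    {"src": "10.0.0.5",  "rate": 12, "bytes": 4200, "payload": "GET /index.html"},
    {"src": "10.0.0.6",  "rate": 9,  "bytes": 3900, "payload": "GET /login"},
    {"src": "10.0.0.7",  "rate": 15, "bytes": 5100, "payload": "POST /api/search q=shoes"},
    {"src": "10.0.0.8",  "rate": 11, "bytes": 4600, "payload": "GET /img/logo.png"},
    {"src": "10.0.0.9",  "rate": 13, "bytes": 4400, "payload": "GET /about"},
    {"src": "10.0.0.10", "rate": 10, "bytes": 4000, "payload": "GET /news"},
]

# Constructed events to classify, chosen to show where each approach succeeds or fails.
EVENTS = [
    # 0: known attack pattern at a normal rate: only the signature engine can see it
    {"src": "198.51.100.7", "rate": 11, "bytes": 4300, "payload": "POST /api/search q=' OR 1=1 --"},
    # 1: never-seen scan: no signature exists, but the rate is far outside the baseline
    {"src": "203.0.113.9", "rate": 400, "bytes": 900, "payload": "SYN"},
    # 2: legitimate nightly backup: huge transfer, benign payload -> anomaly false alarm
    {"src": "10.0.0.5", "rate": 12, "bytes": 90000, "payload": "PUT /backup/db.tar"},
    # 3: ordinary request: neither engine should fire
    {"src": "10.0.0.6", "rate": 10, "bytes": 4100, "payload": "GET /index.html"},
]

# Signature database: name -> predicate over the payload (assumed, simplified patterns).
SIGNATURES = {
    "sqli-tautology": lambda p: "' or 1=1" in p.lower(),
    "path-traversal": lambda p: "../" in p,
}

FEATURES = ("rate", "bytes")


def signature_detect(events, signatures=SIGNATURES):
    """Signature-based detection: return {event_index: rule_name} for events
    whose payload matches a stored pattern. Unknown attacks are invisible here."""
    hits = {}
    for i, ev in enumerate(events):
        for name, matches in signatures.items():
            if matches(ev["payload"]):
                hits[i] = name
                break
    return hits


def train_profile(baseline, features=FEATURES):
    """Training stage: per-feature mean and standard deviation of normal traffic."""
    return {
        f: (mean(ev[f] for ev in baseline), pstdev(ev[f] for ev in baseline))
        for f in features
    }


def anomaly_detect(events, profile, threshold=3.0):
    """Detection stage: flag an event whose z-score on any feature exceeds the
    threshold. No signatures are needed, so unseen attacks can be caught, but
    unusual benign behaviour is flagged too (the false-alarm problem)."""
    hits = {}
    for i, ev in enumerate(events):
        for f, (mu, sigma) in profile.items():
            z = abs(ev[f] - mu) / sigma if sigma else 0.0
            if z > threshold:
                hits[i] = f"{f} z={z:.1f}"
                break
    return hits


def hybrid_detect(events, baseline):
    """Hybrid approach: union of both engines, so known and unknown attacks are
    detected; the anomaly engine's false alarms are carried along as well."""
    sig = signature_detect(events)
    ano = anomaly_detect(events, train_profile(baseline))
    return {i: (sig.get(i), ano.get(i)) for i in sorted(set(sig) | set(ano))}


if __name__ == "__main__":
    print("signature:", signature_detect(EVENTS))
    print("anomaly:  ", anomaly_detect(EVENTS, train_profile(BASELINE)))
    print("hybrid:   ", hybrid_detect(EVENTS, BASELINE))
```

Event 0 is caught only by the signature engine, event 1 only by the anomaly engine, and event 2 is the anomaly engine's false alarm on a legitimate backup.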


2.3 Passive vs. Active Response Option
IDSs generate responses on the basis of threat description and attack symptoms. Two type of response options can be selected: passive and active (Shameli-
Sendi, Ezzati-Jivan, 2012, Stakhanova, Basu, 2007b).
a) The passive response aims to notify and activate other parties about the existence of an intrusion and depends on these parties to take further preventive
action. For example, an IDS notifies an administrator by email about an intrusion. Other examples of passive response include syslog console, email, pager,
SNMP, and mobile notification (Anuar, Papadaki, 2010). Snort (Roesch, 1999) uses a passive approach that generates only alarms or reports and notifies
the system administrator when an intrusion is detected. However, the human involvement in this response option provides opportunities for attackers to harm
the system.
b) An active response immediately produces an automated action to reduce intrusion effects without human involvement (Mateos, Villagrá, 2012, Stakhanova,
Basu, 2007b). Active response options are categorized into two types of action: proactive and reactive. Proactive actions prevent intrusions by using a set of
pre-emptive actions (Foo et al., 2005) before the intrusion occurs. In reactive actions, threat mitigation occurs after threat detection. However, this option
sometimes produces a negative result if the system is configured incorrectly. For example, a false-positive intrusion may block or terminate a legitimate
user. To reduce incorrect responses, two types of systems that are similar to IDSs were proposed: IPS and IRS. As Figure 4 shows, IPS shares
similarities with IDS in terms of system deployment and detection approach. However, IPS performs proactive responses, such as blocking and terminating
network sessions, to minimize intrusion effects.

[Figure 4, reconstructed from the extracted labels: three components side by side, each fed by network traffic or the log file on the system and backed by a knowledge base. IPS: attack prevention, proactive response (early prevention of intrusion). IDS: generates alerts, passive response (intrusion detection). IRS: response engine, automated reactive response (intrusion response).]
Figure 4. IPS, IDS, and IRS.

The main differences between IPS, IDS, and IRS are as follows: IPS can prevent intrusions before they occur; IDS is passive and generates alerts when an
intrusion is detected; IRS automatically responds to intrusions by using a reactive response, which is described in detail in Section 3. Among these systems, IDS
alone is inadequate and unable to address the detected attacks without a proper prevention and response system. The literature shows that IDS was expanded
and updated to IDPS by adding an extra prevention module (Scarfone and Mell, 2007b). Distributed intrusion detection and prevention (Haslum et al., 2007)
is a real-time and cost-sensitive IDPS that uses fuzzy logic for real-time online risk assessment of intrusions. Table 2 presents the advantages and
disadvantages of the detection approaches, deployment approaches, and response options explained in the above sections.
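As an added illustration of the passive/active trade-off discussed in Section 2.3 (not code from the survey or from any cited system), the following Python program simulates a minimal response engine that chooses a passive notification or an active block from a confidence threshold, and scores three configurations on the two failure modes described above: legitimate users cut off by an active response, and attackers left exposed while a human investigates a notification. The alert fields, confidence values and thresholds are constructed assumptions.

```python
"""Added example: passive vs active response selection in a toy IRS.
Alert fields, confidence values and thresholds are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One IDS alert. `legitimate` is ground truth used only to score the
    outcome; a real IRS never has it (constructed for this example)."""
    src: str
    detector: str      # "signature" or "anomaly"
    confidence: float  # assumed IDS confidence in [0, 1]
    legitimate: bool


# Constructed alert stream: two real attacks and two anomaly-engine false
# positives (a nightly backup host and a user with an unusual but benign pattern).
ALERTS = [
    Alert("198.51.100.7", "signature", 0.95, legitimate=False),
    Alert("203.0.113.9", "anomaly", 0.80, legitimate=False),
    Alert("10.0.0.5", "anomaly", 0.55, legitimate=True),
    Alert("10.0.0.6", "anomaly", 0.40, legitimate=True),
]


@dataclass
class ResponseEngine:
    """Chooses between a passive response (notify the administrator) and an
    active reactive response (block the source) using a confidence threshold."""
    block_threshold: float
    blocked: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def respond(self, alert: Alert) -> str:
        if alert.confidence >= self.block_threshold:
            self.blocked.add(alert.src)  # active: automated, no human involvement
            return "block"
        # passive: hand the decision to a human, e.g. a syslog or email notification
        self.notifications.append(
            f"ALERT src={alert.src} detector={alert.detector} conf={alert.confidence:.2f}")
        return "notify"


def evaluate(block_threshold: float, alerts=ALERTS):
    """Run one configuration and report both failure modes: legitimate sources
    cut off by an active response, and attack sources still exposed while a
    human investigates a passive notification."""
    engine = ResponseEngine(block_threshold)
    actions = [engine.respond(a) for a in alerts]
    wrongly_blocked = sorted(a.src for a in alerts if a.legitimate and a.src in engine.blocked)
    still_exposed = sorted(a.src for a in alerts if not a.legitimate and a.src not in engine.blocked)
    return {"actions": actions, "wrongly_blocked": wrongly_blocked, "still_exposed": still_exposed}


if __name__ == "__main__":
    # passive only, block everything, and a confidence-gated middle ground
    for label, threshold in (("passive only", 1.01), ("block everything", 0.0), ("confidence-gated", 0.75)):
        print(f"{label:17s}", evaluate(threshold))
```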
Table 2
Classification of IDS Approaches
Dimension | Approach | Pros | Cons
Detection Approach | Anomaly-based | Detects unknown (zero-day) attacks | High false-positive rate
Detection Approach | Signature-based | Low false alarms; low processor demand; relies on predetermined patterns, thus deterministic and customizable for any system | Misses unknown attacks; attack descriptions must be stored and updated
Detection Approach | Specification-based | Detects unknown attacks; low false-positive rate | Unable to specify all system states; a human must utilize the model
Deployment Approach | Host | Can be easily deployed in the existing infrastructure; distributed control; easily detects host-level misbehavior | Increased load on resource-constrained nodes; HIDS can have a very limited view of the entire network; vulnerability of audit material
Deployment Approach | Network | NIDS detects intrusions that HIDS fails to identify; requires very few sensors to monitor the overall network; reduced load on resource-constrained nodes | Effectiveness is limited by visibility; unable to decrypt or encrypt data; unable to detect packets received from a host
Response Option | Passive | Facilitates the flow of information by allowing alarm events to access information assets | Passive response exposes information assets to attacks while the security administrator investigates the alarms; may unnecessarily delay benign traffic because alarm events are blocked
Response Option | Active | Immediate response to protect information assets; no human involvement | The optimal configuration under active response is smaller than that under passive response
Table 3 provides the classifications of IDS based on deployment, detection approach, and response options. Table 3 indicates that from 2001 onwards, many of
the existing IDSs have automated response (active) countermeasures and few IDSs have manual responses (passive).
Table 3
Classification of IDS based on deployment, detection, and response approach
Year | IDS | Ref | Deployment Approach | Detection Approach | Response Option
1996 | CSM | (White et al., 1996) | HIDS | Signature | Active
1997 | EMERALD | (Porras and Neumann, 1997) | HIDS | Anomaly + Signature | Active
1997 | ACME | (Bonifaco and Moreira, 1997, Cansian, Moreira, 1997) | NIDS | Anomaly + Signature | Passive
1999 | Snort | (Roesch, 1999) | NIDS | Signature based | Passive
1999 | Bro | (Paxson, 1999) | NIDS | Signature based | Passive
2000 | JiNao | (Jou et al., 2000) | NIDS | Anomaly + Signature | Active
2001 | AAIRS | (Carver, May 2001) | HIDS | N/A | Active
2002 | Network IRS | (Toth and Kruegel, 2002) | NIDS | N/A | Active
2003 | Specification-based IRS | (Balepin et al., 2003) | HIDS | Specification based | Active
2005 | ADEPTS | (Foo, Wu, 2005) | HIDS | Anomaly + Signature | Active
2006 | FAIR | (Papadaki and Furnell, 2006) | NIDS | N/A | Active
2007 | Cost-Sensitive Model for MANET | (Wang et al., 2007) | NIDS | N/A | Active
2007 | Stakhanova's IRS | (Stakhanova, Basu, 2007a) | NIDS | Signature based | Active
2009 | AIDP | (Nadeem and Howarth, 2009) | NIDS | Anomaly | Active
2009 | MOVIH-IDS | (Herrero et al., 2009) | NIDS | Anomaly + Signature | Active
2009 | Strasburg's IRS | (Strasburg et al., 2009a) | HIDS | N/A | Active
2009 | Distributed IDS | (Krontiris et al., 2009) | NIDS | Specification based | Active
2010 | Kheir's IRS | (Kheir et al., 2010) | NIDS | N/A | Active
2010 | AIRS based on ontologies | (Lanchas, González, 2010) | NIDS | Signature based | Active
2010 | IDAM&IRS | (Mu and Li, 2010) | NIDS | Anomaly + Signature | Active
2011 | ADRS | (Zhang et al., 2011) | NIDS | Anomaly-based | Active
2012 | Response metrics for ontology-based AIRS | (Mateos, Villagrá, 2012) | NIDS | N/A | Active
2013 | GIDP for MANETs | (Nadeem and Howarth, 2013) | NIDS | Anomaly + Signature | Active
2013 | Retroactive-Burst Framework | (Shameli-Sendi et al., 2013) | NIDS | N/A | Active
2013 | HPMIDCPS | (Mitchell and Chen, 2013) | HIDS | Anomaly-based | Active
2014 | IDAR | (Nadeem and Howarth, 2014) | NIDS | Anomaly + Signature | Active
2015 | ORCEF | (Shameli-Sendi and Dagenais, 2015) | NIDS | N/A | Active
2015 | Fuzzy IDS | (Karami and Guerrero-Zapata, 2015b) | NIDS | Anomaly-based | Active
N/A: not available

3 Intrusion Response Systems


As explained in the preceding section, the limitation of an IDS is that it only warns the administrator when malicious activity passes through the network. No action is taken on the identified attacks because IDSs lack a response component. In contrast, an IPS can take preventive action before an intrusion occurs rather than only generating an alarm (Scarfone and Mell, 2007a). However, as with any security system, the complete prevention of intrusions is impractical in today's distributed environments. The limitation of both IDS and IPS was therefore addressed by adding a response component to the IDS: mitigating the attacks detected by the IDS is the responsibility of the IRS.
In a layered security system, the IDS comes into play when the IPS fails to prevent an intrusion. Although the IDS, as a second line of defense, efficiently detects attacks and generates alarms, an IDS without a reactive response to an intrusion is considered unprofitable (Mu and Li, 2010). IRS is a comparatively new research field that has received considerably less attention than IDS. Figure 5 illustrates the basic functionality of IRS and IDS: the IDS raises alerts when intrusions are detected, and the IRS is always driven by IDS output. When the IDS obtains threat information, the response component generates responses on the basis of the symptoms of the attack.
Figure 5. Intrusion Response System basic function. [Diagram: (1) an attack from the network reaches the host; (2) the IDS analyses the activity and passes intrusion alerts to the response system, which consults a history database; (3) the response system notifies the administrator and issues response actions to the firewall and host, with a possible feedback loop back to the IDS.]

An IRS is defined as a security countermeasure (Chen and Yang, 2004) that is executed when intrusive behavior occurs. Table 4 presents the existing IRSs according to their functionality.

Table 4
Intrusion Response Systems

Year | IRS | Ref | Title of the paper | Description
1996 | CSM | (White, Fisch, 1996) | Cooperating security managers: A peer-based IDS | To develop a host-based, distributed, and automated IDS
1997 | EMERALD | (Porras and Neumann, 1997) | EMERALD: Event monitoring enabling response to anomalous live disturbances | To propose a distributed IDS for large-scale heterogeneous computing environments
2000 | JiNao | (Jou, Gong, 2000) | Design and implementation of a scalable IDS for the protection of network infrastructure | To propose a hybrid-based system that responds to distributed attacks
2001 | AAIRS | (Carver, May 2001) | Adaptive Agent-Based Intrusion Response, Ph.D. thesis | To present an IRS whose responses are based on a confidence metric and the success of the previous response
2001 | TBAIR | (Wang et al., 2001) | Sleepy Watermark Tracing: An Active Network Based Intrusion Response Framework | To present a network-based framework that provides a highly accurate, real-time IRS
2002 | Network IRS | (Toth and Kruegel, 2002) | Evaluating the impact of automated intrusion response mechanisms | To propose an evaluation algorithm that compares intrusion severity with response cost
2003 | Specification-based IRS | (Balepin, Maltsev, 2003) | Using specification-based intrusion detection for automated response | To present a service-dependency graph for evaluating the effects of attacks
2005 | ADEPTS | (Foo, Wu, 2005) | ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment | To propose a distributed, adaptive response that evaluates the success or failure of the deployed response through a feedback mechanism
2006 | FAIR | (Papadaki and Furnell, 2006) | Achieving automated intrusion response: a prototype implementation | To propose a flexible response by integrating intelligence and flexibility into the response decision process
2006 | FLIPS | (Locasto et al., 2006) | FLIPS: Hybrid adaptive intrusion prevention | To offer a hybrid approach that is mostly applicable to host-based IPS
2007 | Cost-Sensitive model for MANET | (Wang, Tseng, 2007) | Cost-sensitive intrusion responses for mobile ad hoc networks | To develop a cost-sensitive model that uses TDI and ADI parameters to reflect damage cost and response cost
2007 | Stakhanova's IRS | (Stakhanova, Basu, 2007a) | A Cost-Sensitive Model for Preemptive Intrusion Response Systems | To propose a cost-sensitive, preemptive, adaptive, and automated model
2009 | AIDP | (Nadeem and Howarth, 2009) | Adaptive intrusion detection and prevention of denial of service attacks in MANET | To present AIDP using an anomaly-based method
2009 | MOVIH-IDS | (Herrero, Corchado, 2009) | MOVIH-IDS: A mobile-visualization hybrid IDS | To propose a highly scalable, adaptive, and distributed IDS that deploys a hybrid approach using an artificial neural network
2009 | Strasburg's IRS | (Strasburg, Stakhanova, 2009a) | A framework for cost-sensitive assessment of intrusion response selection | To present a host-based, cost-sensitive framework
2010 | OrBAC | (Kanoun et al., 2010) | Risk-aware framework for activating and deactivating policy-based response | To propose a network model that uses a risk-aware approach for response selection
2010 | Kheir's IRS | (Kheir, Cuppens-Boulahia, 2010) | A service-dependency model for cost-sensitive intrusion response | To propose a dependency graph for evaluating confidentiality, integrity, and availability effects
2010 | AIRS based on ontologies | (Lanchas, González, 2010) | Ontologies-based automated intrusion response system | To present an ontology-based AIRS that addresses adaptability and false alarms
2010 | IDAM&IRS | (Mu and Li, 2010) | An intrusion response decision-making model based on hierarchical task network planning | To balance response impact and response effect over a set of responses using a risk index
2011 | ADRS | (Zhang, Naït-Abdesselam, 2011) | Toward cost-sensitive self-optimizing anomaly detection and response in autonomic networks | To propose a decision-theoretic framework that systematically analyzes response cost in autonomic networks
2012 | Ontology-based AIRS | (Mateos, Villagrá, 2012) | Definition of response metrics for an ontology-based Automated Intrusion Response Systems | To dynamically interpret response metrics when selecting the optimum response
2013 | GIDP for MANETs | (Nadeem and Howarth, 2013) | Protection of MANETs from a range of attacks using an intrusion detection and prevention system | To propose an approach with a fixed response that isolates the intruding node
2013 | Retroactive-Burst Framework | (Shameli-Sendi, Desfossez, 2013) | A Retroactive-Burst Framework for Automated Intrusion Response System | To propose an adaptive, cost-sensitive approach that uses a risk assessment component to measure the effectiveness of the applied response
2014 | IDAR | (Nadeem and Howarth, 2014) | An intrusion detection & adaptive response mechanism for MANETs | To present an adaptive response that provides a flexible response instead of isolating the intruding nodes
2015 | ORCEF | (Shameli-Sendi and Dagenais, 2015) | Online response cost evaluation framework for intrusion response system | To propose an IRS framework that dynamically evaluates response cost on the basis of network element and resource dependencies

3.1 Types of IRS


Table 4 shows that the studied surveys (Shameli-Sendi, Cheriet, 2014, Shameli-Sendi, Ezzati-Jivan, 2012, Stakhanova, Basu, 2007b) classify IRSs on the basis of level of automation, response selection method, response cost, response time, adaptability, response lifetime, and applied location. These surveys also found that current IRSs lack one or more of these dimensions and are therefore inappropriate for securing present distributed environments. The common limitations of existing IRSs are the inability to respond in real time, to handle false alarms, and to take the feedback of a response into account when executing future responses, together with the issue of uncertainty. Figure 6 indicates that when an IDS detects an intrusion, the IRS performs a mitigation action. When an IDS generates an alert, the following actions are undertaken to mitigate the intrusion according to the system and attack statistics: a) auditing (an audit record is created); b) an alert message about the intrusion is sent to all system and network administrators, if any; c) a mitigation step is employed to stop the intrusion. Figure 6 also shows that IRSs are categorized into three approaches according to the degree or level of automation: notification, manual, and automated response systems. Each type is described in detail in the following sections.
Figure 6. From IDS to IRS. [Flowchart: Start -> Intrusion Prevention System (early prevention, proactive response) -> Intrusion Detection System (information gathering, monitoring, analysis of the gathered data) -> Detection -> Intrusion Response System (selection of the appropriate response) -> Mitigation (implement the response; reactive response). Response option: Active (Automated IRS: generates an automatic response without any human intervention) or Passive (Notification IRS: generates alerts on the detection of attacks; Manual IRS: the administrator generates the response from a preconfigured set of responses).]

3.1.1 Notification Response Systems


IDSs with notification responses were developed in the early 1990s (Vigna, 2002). Many existing IRSs (Paxson, 1999, Y. Frank Jou) are notification systems that mainly provide information about intrusions through alarms, email messages, and console alerts. On the basis of these alerts, system administrators select the best reactive countermeasure to the detected intrusion (Shameli-Sendi, Ezzati-Jivan, 2012). However, sending alerts through email is inappropriate because an attacker positioned on the path can monitor or block the email messages. Furthermore, this approach creates a time gap between detection and response, which is a major challenge and opens an opportunity for attackers. Notification response systems cannot prevent attacks or return the system to a safe state (Stakhanova, Basu, 2007b). Bro is a network IRS that generates real-time alerts in the form of reports, emails, and notifications (Paxson, 1999).
3.1.2 Manual Response Systems
The notification system is inadequate because it only generates alerts upon the detection of attacks; a system for thwarting attacks is needed. Thus, the manual response system was introduced. In this type of system, the administrator applies a predetermined set of responses, chosen on the basis of the symptoms of the attack, to generate a manual response. This approach is more automated than the notification approach (Tanachaiwiwat et al., 2002, Toth and Kruegel, 2002). However, a delay between intrusion detection and response arises while the system administrators initiate the response (Lee et al., 2002). Protecting the system against fast attacks, such as DoS and DDoS, is impossible with this approach (Asosheh and Ramezani, 2008). The studied surveys show that many existing IRSs use the manual (passive) response approach.
3.1.3 Automated Response Systems
Notification (Paxson, 1999, Y. Frank Jou) and manual response approaches (Tanachaiwiwat, Hwang, 2002, Toth and Kruegel, 2002) are insufficient and unable to respond to high-speed attacks because of their passive nature: both leave a window of vulnerability between the detected intrusion and the first response (Stakhanova, Basu, 2007b, Ying, Yan, 2010). Highly automated response systems were therefore proposed to shrink this vulnerability window. These systems (Foo, Wu, 2005, Wu et al., 2007) provide an immediate response without human intervention, unlike the manual and notification systems (Stakhanova, Basu, 2007b). However, the major problems with this approach are the high false alarm rate (Ho et al., 2012), uncertainty (Carver et al., 2001), response cost, and the development of decision-making mechanisms. Another risk is that an inappropriate response is executed for the detected intrusion (Mu and Li, 2010); in an automated IRS a false positive no longer costs only analyst time but triggers a real, possibly disruptive, response, which is why the false alarm rate matters more here than in a notification system. On the basis of the complexity of the response system, automated response is divided into three categories, namely adaptive, expert system, and association-based response systems, as shown in Figure 7 (Eng and Haug, 2004). Each category of automated IRS is detailed in Table 5.
Figure 7. Types of automated IRS. [Automated IRS (generates an automatic response without any human intervention) is split into Adaptive-based (feedback loop to evaluate the previous response), Expert-based (response action decisions are based on one or more metrics), and Association-based (simple decision-table approach, in which a specific response is associated with a specific attack).]

Although today's IDSs are highly automated, automated intrusion response support is still limited because of the high false alarm rate (Ho, Lai, 2012) and the difficulty of selecting the best cost-sensitive response (Kheir et al., 2009a). Table 5 describes the functionality and classification of automated IRSs by adaptive, expert, and association-based approach.
Table 5
Classification of Automated IRS

Category | Automated IRS | Year | Ref | Function
Adaptive-based system | AAIRS | 2001 | (Carver, May 2001) | Response option is based on dynamic mapping.
Adaptive-based system | ADEPTS | 2005 | (Foo, Wu, 2005) | Uses a graph-based approach to model intrusions.
Adaptive-based system | Stakhanova's IRS | 2007 | (Stakhanova, Basu, 2007a) | Cost-sensitive IRS that introduces the response goodness parameter to classify the success and failure of a response.
Adaptive-based system | AIRS based on ontologies | 2010 | (Lanchas, González, 2010) | Adaptive IRS that reduces uncertainty in detection using semantic coherence.
Adaptive-based system | IDAR | 2014 | (Nadeem and Howarth, 2014) | Selects the response on the basis of the confidence level and severity of the attack.
Expert-based system | CSM | 1996 | (White, Fisch, 1996) | Calculates the level of service (LOS) for each user.
Expert-based system | EMERALD | 1997 | (Porras and Neumann, 1997) | Uses a threshold metric and a severity metric to provide an automated response.
Expert-based system | FAIR | 2006 | (Papadaki and Furnell, 2006) | Analyzes the static and dynamic contexts of the attack using a database.
Expert-based system | IDAM&IRS | 2010 | (Mu and Li, 2010) | The response is activated if the static response threshold is greater than the risk threshold metric.
Association-based system | NetSTAT | 1999 | (Vigna and Kemmerer, 1999) | Represents attack signatures as state transition diagrams.
Association-based system | JiNao | 2000 | (Jou, Gong, 2000) | Hybrid approach that uses a rule-based scheme to respond to known and unknown attacks.
Association-based system | Network IRS | 2002 | (Toth and Kruegel, 2002) | Calculates the response cost in terms of the reduction of system capability and system resources.
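The three decision styles that Figure 7 and Table 5 distinguish, side by side on the same alert, as an added example written for this survey's readers; it is not code from any of the cited systems, and the attack classes, response names, thresholds, learning rate, and the success/failure outcomes fed back to the adaptive responder are all constructed for illustration:

```python
"""Three automated-IRS decision styles on constructed IDS alerts.

Added illustration, not code from the paper or from any surveyed system.
Attack classes, responses, thresholds and outcomes are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    attack: str        # attack class reported by the IDS (constructed labels)
    severity: float    # 0..1, as assigned by the IDS
    confidence: float  # 0..1, IDS confidence that the alert is not a false alarm
    target: str        # host the alert concerns


# --- Association-based: a decision table, one fixed response per attack class.
ASSOCIATION_TABLE = {
    "port_scan": "rate_limit_source",
    "ssh_bruteforce": "block_source_ip",
    "web_shell_upload": "quarantine_host",
}


def association_response(alert: Alert) -> str:
    # Unknown attack classes fall back to a notification; nothing is automated.
    return ASSOCIATION_TABLE.get(alert.attack, "notify_admin")


# --- Expert-based: the decision is driven by metrics compared with thresholds.
def expert_response(alert: Alert, severity_threshold: float = 0.7,
                    confidence_threshold: float = 0.6) -> str:
    if alert.confidence < confidence_threshold:
        # Low-confidence alert: acting automatically risks a costly
        # false-alarm response, so only notify.
        return "notify_admin"
    if alert.severity >= severity_threshold:
        return "quarantine_host"
    return "block_source_ip"


# --- Adaptive: candidate responses per attack class carry a goodness score
# that is updated from the observed success or failure of each deployment.
CANDIDATES = {
    "ssh_bruteforce": ["rate_limit_source", "block_source_ip", "quarantine_host"],
    "web_shell_upload": ["kill_process", "quarantine_host"],
}


class AdaptiveResponder:
    def __init__(self, candidates, initial: float = 0.5, learning_rate: float = 0.3):
        # Candidates are listed least-intrusive first; on equal goodness the
        # first one wins, so the system starts with the gentlest response.
        self.goodness = {a: {r: initial for r in rs} for a, rs in candidates.items()}
        self.lr = learning_rate

    def select(self, alert: Alert) -> str:
        scores = self.goodness.get(alert.attack)
        if scores is None:
            return "notify_admin"
        return max(scores, key=scores.get)  # first maximum in list order on ties

    def feedback(self, alert: Alert, response: str, succeeded: bool) -> None:
        # Exponential moving average towards 1 (success) or 0 (failure).
        s = self.goodness[alert.attack][response]
        self.goodness[alert.attack][response] = s + self.lr * ((1.0 if succeeded else 0.0) - s)


def run_feedback_loop():
    """Replay three identical alerts; the responder abandons the response that fails."""
    responder = AdaptiveResponder(CANDIDATES)
    alert = Alert("ssh_bruteforce", severity=0.5, confidence=0.9, target="bastion-1")
    # Constructed outcomes: rate limiting does not stop the attack, blocking does.
    outcomes = {"rate_limit_source": False, "block_source_ip": True, "quarantine_host": True}
    history = []
    for _ in range(3):
        chosen = responder.select(alert)
        responder.feedback(alert, chosen, outcomes[chosen])
        history.append(chosen)
    return history, responder.goodness["ssh_bruteforce"]


if __name__ == "__main__":
    a = Alert("ssh_bruteforce", 0.5, 0.9, "bastion-1")
    print("association:", association_response(a))
    print("expert:", expert_response(a))
    print("adaptive:", run_feedback_loop())
```

The association table and the expert rules give the same answer for the same alert every time; only the adaptive responder changes its choice after the first deployment fails, which is the feedback loop the adaptive category is defined by. The confidence guard in the expert rule is the simplest form of the false-alarm handling discussed later in Section 4.1.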

3.2 IRS Modeling and Trend


Although IRS is an essential part of the intrusion detection process, researchers have given it little attention compared with IDS. IRS can still be improved further, and we want to identify the areas of IRS design that can be enhanced. We categorize the studied IRS research according to the digital library it was drawn from. The primary selection used search strings related to the topic in conference proceedings and digital libraries, namely IEEE, ACM, Elsevier, and Springer; some publications were taken from other journals and conferences. We identified keywords relevant to the topic (e.g., IDS and IRS) for searching these libraries. The studied papers from each library cover the main aspects of the approaches to and development of IDS, as well as the design of cost-sensitive and automated IRS. The selection proceeded in stages. In stage 1, we gathered the initial data by applying the search query to all digital libraries. In stage 2, we excluded irrelevant works. In stage 3, papers were included or excluded on the basis of keywords, titles, and abstracts. Stage 4 is the final selection: 24 papers from IEEE, 14 from ACM, 26 from Elsevier, and 16 from Springer, plus 32 papers from other related journals and conferences, for a total of 112 papers.
We also discuss the progression of IRS according to annual publications. Before the last decade, research on automated, adaptive, and cost-sensitive IRS was scarce because IRS was limited to notification and manual, non-adaptive response systems; according to the studied surveys, IRS in the early 1990s was limited to manual and host-based approaches. Figure 8 compares the number of publications per year on automated and on cost-sensitive IRS in Web of Science (ISI) journals and conferences over the past decade. Figure 8(a) shows the total number of IRS publications from 2006 to 2014. Figure 8(b) shows that interest peaked in 2007 and then received considerably less attention until 2012, after which the number of automated IRS publications grew faster than that of cost-sensitive IRS. We classify the studies and their contributions on the basis of whether the IRS is automated or cost-sensitive.

Figure 8. Number of ISI journal publications in the field of IRS (Web of Science online database). Panels: (a) publications in IRS; (b) publications in cost-sensitive and automated IRS.

Figure 9 indicates a gradual improvement in the development of automated, adaptive, and cost-sensitive IRS. It also shows that few studies have addressed dynamic response metrics and semantic coherence, the two features that help an IRS provide a real-time response without generating false alarms. These gaps in existing IRSs motivate future work in the field. We conclude that an AIRS must be adaptive, cost-sensitive, proactive, and semantically coherent to achieve a low false alarm rate and high accuracy; existing IRSs lack one or more of these features. The design parameters required for a good IRS are discussed in detail in the following section.
Figure 9. Phylogenetic tree of intrusion response approaches; the organization of papers is based on their history and advancement. [Tree legend: Notification IRS / Manual IRS / Automated IRS (adaptive-based, expert-based, association-based, static response); Cost-Sensitive IRS / Adaptive IRS; Host-based (HIDS) / Network-based (NIDS). Nodes by year, with the labels legible in the figure:
1996: CSM [White, 1996] (HIDS, static, reactive, non-adaptive).
1997: EMERALD [Porras, 1997] (HIDS, hybrid, distributed); ACME [Cansian, 1997; Bonifaco, 1997]; [Y. Frank, 1997]; automated and notification IRS [Porras, 1997; Vigna, 1998].
1999: Bro [Paxson, 1999] and Snort [Roesch, 1999] (manual/notification NIDS); distributed IRS [Snapp, 1999].
2000: JiNao [Jou, 2000] (hybrid, distributed, automated IRS); adaptive IRS [Carver, 2000] (response based on the success of the previous response; cost-sensitive, static mapping); manual IRS [N.A., 2000].
2001: cost-sensitive AIRS [Schnackenberg, 2001] (reactive, non-adaptive, static risk assessment); TBAIR [Wang, 2001] (automated, reactive, non-adaptive); AAIRS [Carver, 2001] (HIDS, automated, adaptive, dynamic adaptation to intrusive behavior).
2002: Network IRS [Toth, 2002] (cost-sensitive, reactive, non-adaptive); manual, non-adaptive IRS [Lee, 2002].
2003: Specification-based IRS [Balepin, 2003] (cost-sensitive, risk-minimizing model, alarm confidence, attack frequency; dynamic risk assessment via service-dependency graph).
2005: ADEPTS [Foo, 2005] (cost-sensitive, proactive, adaptive, static risk assessment).
2006: cost-sensitive IRS [Papadaki, 2006] (reactive, non-adaptive, static risk assessment); FLIPS [Locasto, 2006] (hybrid, adaptive).
2007: Stakhanova's IRS [Stakhanova, 2007] (cost-sensitive, proactive, adaptive, static risk assessment); cost-sensitive IRS for MANET [Wang, 2007] (reactive, adaptive, dynamic risk assessment); adaptive IRS [Haslum, 2007].
2009: Strasburg's IRS [Strasburg, 2009] (HIDS, reactive, adaptive, static risk assessment); AIDP [Nadeem, 2009] (NIDS, static response); automated IRS [Herrero, 2009] (highly scalable, distributed NIDS, response using ANN).
2010: IDAM&IRS [Mu, 2010] (cost-sensitive, reactive, non-adaptive, retroactive); cost-sensitive IRS [Kanoun, 2010] (proactive, adaptive, dynamic, attack-graph-based); automated IRS [Lanchas, 2010] (semantic coherence, false alarm minimization); adaptive, cost-sensitive IRS [Ikuomola, 2010]; Kheir's IRS [Kheir, 2010] (proactive, non-adaptive, dynamic service-dependency graph; functional dependency graph for assessment of response cost).
2011: cost-sensitive ADRS [Zhang, 2011] (proactive, retroactive, adaptive, dynamic risk assessment).
2012: automated IRS [Mateos, 2012] (definition of dynamic response metric).
2013: Wang's IRS [2013] (cost-sensitive, reactive, non-adaptive, dynamic, attack-graph-based); GIDP for MANET [Nadeem, A., 2013] (non-adaptive, static response); automated IRS [Shameli-Sendi, 2013] (Retroactive-Burst Framework; adaptive, reactive, dynamic risk assessment).
2014: IRS [Zonouz, 2014] (RRE: attack-response tree, Markov decision process); [Anuar, N.B., 2014] (response strategy model based on incident priority; automated, cost-sensitive); IDAR [Nadeem, A., 2014] (dynamic, cost-sensitive, automated response for any type of intrusion).
2015: ORCEF [Shameli-Sendi, 2015] (automated IRS, retroactive-adaptive).]

4 Intrusion Response Systems Design


This section describes existing IRSs in terms of the features desirable in an automated, cost-sensitive IRS. A poorly designed IRS may generate a high number of false alarms, which reduces the accuracy of the IRS and degrades the performance of the system and web server. False alarms, alert correlation, and uncertainty remain significant issues in IRS design because research in this field still lacks dynamic response metrics and semantic coherence in the response selection process. Existing IRSs are unable to provide a real-time optimum response because these two features are absent. Furthermore, a response selection process based on a static approach increases the response cost associated with re-establishing services. Thus, an IRS must choose its response metrics dynamically and respond automatically to different types of attacks without generating false alarms. A comprehensive study is required to explain these features in automated IRSs. Current automated IRSs do not exhibit all of these features at the same time (Table 6). For instance, some IRSs are cost-sensitive and adaptive but not semantically coherent, and they use static response metrics to select responses, which creates uncertainty in the IRS.
4.1 IRS Characteristics
Table 6 describes the five most important parameters required for an IRS, namely adaptive nature, cost-sensitivity, semantic coherence, false alarm management, and response metrics policy. (a) An adaptive nature means that the IRS chooses the optimum response dynamically according to the success or failure of previous responses in thwarting previously seen attacks (Carver, May 2001). (b) The IRS is required to be cost-sensitive, i.e., able to assess the risk, complexity, and cost of a response (Stakhanova, Basu, 2007a). (c) Semantic coherence allows the IRS to understand intrusion notifications and events with different syntax and semantics from different IDSs (Lanchas, González, 2010). (d) The false alarm rate reflects IDS confidence and accuracy; the response is based on the success of responses executed in the past and on the confidence that the alarm is not false. No existing system is free of false alarms; all generate them to some extent. (e) The comparative study shows that existing IRSs employ a static approach to response metrics, i.e., response selection is always based on some fixed set of metrics (Mateos, Villagrá, 2012). Table 6 shows that none of the existing IRSs includes all essential features of a good IRS at once: some lack semantic coherence, some lack adaptive or cost-sensitive features, and some do not employ a dynamic approach to response metrics. Consequently, these response systems suffer from uncertainty in IDS confidence, cannot differentiate and manage false alarms, and cannot generate a real-time response to the detected intrusions.
Table 6
Missing response design parameters in existing automated IRS

IRS (Ref) | Year | Adaptive nature | Cost-sensitive | Semantic coherence | Manage false alarms | Response metrics policy
CSM (White, Fisch, 1996) | 1996 | No | No | No | No | Static
ACME (Bonifaco and Moreira, 1997; Cansian, Moreira, 1997) | 1997 | Yes | No | No | Yes | Static
EMERALD (Porras and Neumann, 1997) | 1997 | No | No | No | No | Static
AAIRS (Carver, May 2001; Ragsdale et al., 2000) | 2001 | Yes | No | No | No | Static
Network IRS (Toth and Kruegel, 2002) | 2002 | No | Yes | No | No | Static
Specification-based IRS (Balepin, Maltsev, 2003) | 2003 | No | Yes | No | No | Static
ADEPTS (Foo, Wu, 2005) | 2005 | Yes | Yes | No | No | Static
FAIR (Papadaki and Furnell, 2006) | 2006 | No | Yes | No | No | Static
Cost-Sensitive Model for MANET (Wang, Tseng, 2007) | 2007 | Yes | Yes | No | No | Static
Stakhanova's IRS (Stakhanova, Basu, 2007a) | 2007 | Yes | Yes | No | No | Static
AIDP (Nadeem and Howarth, 2009) | 2009 | Yes | No | No | No | Static
MOVIH-IDS (Herrero, Corchado, 2009) | 2009 | Yes | No | No | No | Static
Strasburg's IRS (Strasburg, Stakhanova, 2009a) | 2009 | Yes | Yes | No | No | Static
OrBAC (Kanoun, Cuppens-Boulahia, 2010) | 2010 | Yes | Yes | No | No | Static
Kheir's IRS (Kheir, Cuppens-Boulahia, 2010) | 2010 | No | Yes | No | No | Static
AIRS based on ontologies (Lanchas, González, 2010) | 2010 | Yes | Yes | Yes | No | Static
IDAM&IRS (Mu and Li, 2010) | 2010 | No | Yes | No | Yes | Static
ADRS (Zhang, Naït-Abdesselam, 2011) | 2011 | Yes | Yes | No | No | Static
GIDP for MANETs (Nadeem and Howarth, 2013) | 2013 | No | No | No | Yes | Static
Retroactive-Burst Framework (Shameli-Sendi, Desfossez, 2013) | 2013 | Yes | Yes | No | No | Static
IDAR (Nadeem and Howarth, 2014) | 2014 | Yes | Yes | No | Yes | Static
ORCEF (Shameli-Sendi and Dagenais, 2015) | 2015 | Yes | Yes | No | Yes | Static

4.2 Review and analysis of IRS based on the proposed design parameters
This section describes the required design parameters for IRS and the similarities and differences among existing IRSs with respect to those parameters, based on the attributes presented in the taxonomy. A comparison of existing IRSs based on the response design parameters is presented in Table 8. To the best of our knowledge, the surveys (Shameli-Sendi, Cheriet, 2014, Shameli-Sendi, Ezzati-Jivan, 2012, Stakhanova, Basu, 2007b) provide a good classification of IRS. However, no previous taxonomy gives a complete description of how to design a good automated IRS. We propose the following response parameters for designing an automated IRS, which should be considered in IRS design for any organization: response nature, security policy, network performance, prediction ability, adjustment nature, response assessment, semantic coherence, alarm confidence, scalability, and response metric policy. These parameters are defined in the following paragraph and described in detail in the succeeding sections.
Response nature categorizes the response as static, dynamic, or cost-sensitive. Security policy differentiates response options on the basis of their effect on the confidentiality, integrity, or availability of data (Anwar S, 2015, da Silva, Martins, 2005). Network performance refers to the effect of the applied response on the network. Prediction ability indicates whether the response is activated before or after the intrusion. Adjustment nature specifies whether the response is adaptive or non-adaptive with respect to the nature of the attack. Response assessment measures the effect of a response on the basis of the result of the most recently applied response. Semantic coherence provides a uniform way to extract meaning from intrusion alerts. Alarm confidence assesses the degree of accuracy and indicates the confidence level of the IRS. Scalability implies that the IRS must scale to any number of nodes in a network and that multiple IRSs can be connected so that they work as a single unit to improve system performance. Response metric policy distinguishes static from dynamic response metrics; a dynamic response metric means that the metrics used during response selection change according to the nature of the attack. The studied surveys indicate that current IRSs apply a static approach to response metrics during response selection and consequently face the problems of false alarms, non-adaptability, and uncertainty. These parameters are described in detail in the following section, and a comparison is given in Table 8.
4.2.1 Response Nature
According to response nature, existing IRSs can be categorized into a) static mapping, b) dynamic mapping, and c) cost-sensitive mapping. Among these, researchers focus on the cost-sensitive attribute and propose cost-sensitive IRS designs because static and dynamic mapping do not consider the response cost during response selection. The cost-sensitive metric in response system design attempts to balance intrusion damage against response cost in the response selection process (Lee, Fan, 2002): a response is activated only when the intrusion damage is greater than the response cost.
a) Static Mapping
Static mapping systems (Locasto, Wang, 2006, Schnackengerg et al., 2001) map an alert to a pre-specified, fixed response. These systems are easy to build but static in nature, so an attacker who can predict the response metrics can easily deceive the response system. Furthermore, this approach is inadequate for large, distributed global networks. Most existing automated IRSs depend on mapping attacks to a predefined response (Toth and Kruegel, 2002).
b) Dynamic Mapping
Dynamic mapping maps an alert to a predefined set of response options. These models give the response system flexibility because the mapping can be adjusted according to the attack metrics. The optimum response to an attack can vary with the response metrics (i.e., severity, confidence, and network policy) and the targeted host (Carver, May 2001). The optimum response is chosen dynamically from the set according to the statistical features of the attack; for example, high-confidence, high-severity attacks are given priority over attacks with low confidence and severity. The dynamic nature of this model improves security, but the model is unable to learn from attacks, so its intelligence level remains constant until the next upgrade (Porras and Neumann, 1997).
c) Cost-Sensitive Mapping
The cost-sensitive response decision model is the only one of the three that attempts to balance intrusion damage against response cost (Lee, Fan, 2002). A response is considered optimal only if its cost is less than the damage cost it prevents (Stakhanova, Basu, 2007a, Wang, Tseng, 2007). Such systems are the most practical approach to response selection, so the cost-sensitive parameter must be considered in the design of any IRS. A response is then selected not solely on its ability to counter the attack but also on its side effects on the target machine. Existing studies (Kheir, 2010) show that a number of methods have been developed to compare intrusion cost with response cost, including static and dynamic evaluation of the response cost and logical or functional dependency graphs for assessing intrusion or response cost (Jahnke et al., 2007). For instance, in (Ali. A Ghorbani, 2009) the response cost is computed from the intrusion detection cost, the damage cost of the attack, and the cost of the response applied to the detected attack.
Furthermore, intrusion risk assessment is essential in the cost-sensitive approach to minimize the performance cost of applying the optimum response. Two approaches have been proposed to evaluate intrusion damage and response cost: offline and online risk assessment. Offline risk assessment is computed statically, in advance, for all resources; online risk assessment is computed dynamically, at detection time, to measure the intrusion damage precisely (Årnes et al., 2005, Mu et al., 2008, Wang, Tseng, 2007). Performing online risk assessment, and keeping the cost factors up to date over time, are the two major challenges faced by the cost-sensitive approach.
Table 7 shows that online risk assessment approaches fall into three main types: attack graph-based, service-dependency graph-based, and non-graph-based. An attack graph identifies attacks and their paths to the critical resources in the network on the basis of service vulnerabilities (Dantu et al., 2004, Poolsappasit et al., 2012). In a service-dependency graph, by contrast, the confidentiality, integrity, and availability (CIA) requirements are defined for each service (Kheir et al., 2009b), and responses are mapped onto specific resources rather than being statically assigned to elementary attack steps. A non-graph-based approach uses neither a graph nor the CIA model: during response selection, risk analysis is performed on the information provided by the alert risk assessment component (Årnes, Sallhammar, 2005). Table 7 lists the online risk assessment approaches according to whether or not they use a graph to model the flow of attacks.
Table 7
Risk Assessment Approaches

Risk Assessment Approach | Year | Ref | Description
Attack graph-based approach | 2006 | (Wang et al., 2006) | Helps an IDS by correlating output with the appropriate intensity.
Attack graph-based approach | 2007 | (Jahnke, Thul, 2007) | A graph-based approach that models the effect of attacks and responses.
Attack graph-based approach | 2007 | (Neuman) | Attack graphs are used to detect the targets of attacks in a distributed environment.
Service-dependency graph-based approach | 2003 | (Balepin, Maltsev, 2003) | A cost-sensitive model for automated response using a specification-based IDS and a service-dependency graph.
Service-dependency graph-based approach | 2010 | (Kheir, Cuppens-Boulahia, 2010) | A cost-sensitive model based on a service-dependency graph to evaluate the CIA effect.
Service-dependency graph-based approach | 2015 | (Patel, Taghavi, 2013) | Dynamically evaluates the response cost against resource dependency, network elements, and number of online users.
Non-graph-based approach | 2002 | (Lee, Fan, 2002) | Cost-sensitive model based on four response metrics: operational cost, damage cost, response cost, and development cost.
Non-graph-based approach | 2007 | (Strasburg et al., 2009b) | Intrusion response cost assessment methodology based on response goodness, response potential damage, and response operational cost.
Non-graph-based approach | 2007 | (Wang, Tseng, 2007) | Calculates the response cost using the terms TDI and ADI.
Non-graph-based approach | 2009 | (Stakhanova, Basu, 2007a) | Compares response deployment cost using an exploit graph and activates a response based on a static cost metric.

4.2.2 Security Policy
The security policy parameter categorizes attacks so that the optimum response can be selected during the response selection process, and it must be considered at design time. Under this design metric, attacks are categorized according to the security property they violate, confidentiality, integrity, or availability, to determine which attack has the greater effect on the security policy (Lindqvist and Jonsson, 1997). Most computer attacks violate one of these three properties, collectively known as CIA (Anwar et al., 2014, Lindqvist and Jonsson, 1997). (a) Confidentiality: attackers violate confidentiality by accessing the system or its data without (implicit or explicit) authorization. (b) Integrity: attackers who modify information stored in or passing through a system, or who change the system state, cause an integrity violation. (c) Availability: attackers who make resources unavailable to their intended, legitimate users cause an availability violation. A service-dependency graph is used to define these three requirements for each service.
Furthermore, Lindqvist and Jonsson (1997) categorize attacks into three types. (a) Exposure: attacks against the confidentiality of system information that deliver information or services to unauthorized entities. (b) Denial of service: attacks against the availability of system resources, subdivided into unselective, selective, and transmitted attacks, where transmitted attacks affect the service that other systems deliver to their users. (c) Erroneous output: attacks against system integrity, likewise subdivided into selective, unselective, and transmitted attacks. IDS and IRS must be designed according to the characteristics of the attacks they face. For example, DoS and DDoS attacks (Sookhak et al., 2015) make resources unavailable to users, whereas spoofing- and password-based attacks affect confidentiality and integrity. Thus, where network and server access is concerned, the IRS is responsible for the availability of resources; where a database is accessed, the IRS must be designed to preserve the integrity and confidentiality of the data. Attacks of different natures require response systems matched to their nature.
4.2.3 Network Performance
Network performance must be treated as a required and desirable feature in designing an IRS. Existing IRSs choose a response irrespective of the network performance degradation it causes, yet selecting the wrong countermeasure from a set of response options may significantly affect network performance. IDS and IRS are therefore required to respond effectively to attacks with low network degradation (Room, 2001). For instance, a fixed response approach degrades overall network performance by isolating the malicious node, whereas an adaptive intrusion response selects a response on the basis of response metrics without isolating the node, and so leaves network performance largely unaffected. The adaptive approach is thus more efficient than a fixed approach because its network performance degradation is far lower than that of a fixed isolation approach.
For instance, the response system in (Wang, Tseng, 2007) bases its decision on two terms, TDI and ADI: the intruding node is isolated if ADI is higher than TDI, which degrades network performance. To address this, IDAR (Nadeem and Howarth, 2014) uses a flexible, adaptive, hybrid method to select a response without isolating the intruding node; the response is selected on the basis of the confidence level in the detected attack, the degradation in network performance, and the attack severity. In Table 8, existing IRSs are classified according to whether they impose low or high network performance degradation.
4.2.4 Prediction Ability
Prediction ability is the capacity of the response system to detect and respond to malicious activity before or after it occurs. On this basis, IRSs are classified as reactive or proactive (Shameli-Sendi, Ezzati-Jivan, 2012), and the choice between the two must be made when the IRS is designed. In a reactive response system, the response action is delayed until the intrusion has been detected. Although a delayed response is less useful and does not provide a high level of security, many existing response systems employ this approach (Shameli-Sendi, Cheriet, 2014). The reactive response is criticized because the attacker may already have gained unauthorized access to the database and harmed the most confidential information before the IRS detects and responds to the malicious activity, and returning the system to a healthy state is difficult because of the damage caused before detection (Anuar, Sallehudin, 2008). Within the reactive approach, automating the IRS is the best available answer to this problem. By contrast, the proactive approach is intended to control and prevent malicious activity before it occurs. This requires the response mechanism and the detection process to be tightly coupled, for example, so that a response is triggered as soon as an intrusion is detected. Real-time prevention of an intrusion is difficult in a distributed environment. Proactive IRS is nevertheless considered important for securing global networks and hosts against a variety of attacks. It requires an intrusion prediction mechanism based on probability measures (Feng et al., 2009), and 100% accuracy of the prediction cannot be guaranteed (Stakhanova, Basu, 2007b).
4.2.5 Adjustment Nature
Adjustment nature is the ability of an IRS to re-adjust the strength of its response according to the nature of the attack. This design metric categorizes response options as adaptive or non-adaptive (Foo, Wu, 2005, Stakhanova, Basu, 2007b). A response system must be adaptive in order to respond dynamically to attacks according to their statistical features. The majority of response systems are non-adaptive in the sense that the response mechanism employed is always the same during the response selection process; although this is simple and easy to maintain, it is unsuitable for the current distributed computing environment. In the adaptive approach, the system dynamically adjusts the response selection process according to the statistical features of the attacks and the history of past responses. The major challenge of this approach is making decisions from the statistics of the attack and the attacked system in order to calculate the response measure and response time. Stakhanova (Stakhanova, Basu, 2007a) presented the response goodness approach to convert a non-adaptive model into an adaptive one; the procedure (Algorithm 1) is as follows.
Input: list of candidate responses; attack (damage) cost
1. For each response in the list, compute
2. $RG(t) = \dfrac{\sum_{i=1}^{n} s_i - \sum_{j=1}^{m} f_j}{n + m}$
3. $RE(t) = RC \times RG(t), \quad RC \in \{s, se, de\}$
4. End for
Algorithm 1. Conversion of a non-adaptive IRS into an adaptive IRS.
For each response, the goodness factor is calculated first (line 2): response goodness RG(t) is the sum of the response's successes ($\sum s_i$ over its n successful deployments) minus the sum of its failures ($\sum f_j$ over its m failed deployments), divided by the total number of deployments, n + m. Response effectiveness RE(t) (line 3) is the response goodness multiplied by the response cost RC, where s, se, and de denote the static cost, the statically evaluated cost, and the dynamically evaluated cost, respectively.
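As an added illustration (not code from the paper or from Stakhanova's system), the following Python implements Algorithm 1 together with the cost-sensitive gate of Section 4.2.1 and the retroactive feedback of Section 4.2.6: a response is admissible only when its cost is below the estimated damage cost, the admissible response with the highest goodness RG is selected, and the observed outcome of each deployment is folded back into that response's history. The ranking rule (highest RG, cheaper response on ties), the response names, costs, damage estimate and per-round outcomes are assumptions of the example; the paper defines RG and RE but not how candidates are ordered. The static cost s is used as RC.

```python
"""Adaptive, cost-sensitive response selection built on Algorithm 1.

Added example, not the paper's or Stakhanova's code. Response names,
costs, the damage estimate and the deployment outcomes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Response:
    """A candidate response and its deployment history (Algorithm 1 inputs)."""
    name: str
    cost: float          # response cost RC; the static cost 's' is used here
    successes: int = 0   # n: deployments that stopped the attack
    failures: int = 0    # m: deployments that did not

    def goodness(self) -> float:
        """RG(t) = (sum of successes - sum of failures) / (n + m).

        A never-deployed response has n + m = 0; it gets a neutral 0.0 instead
        of a division by zero (an edge case Algorithm 1 does not spell out).
        """
        total = self.successes + self.failures
        return 0.0 if total == 0 else (self.successes - self.failures) / total

    def effectiveness(self) -> float:
        """RE(t) = RC x RG(t), as defined on line 3 of Algorithm 1."""
        return self.cost * self.goodness()

    def record(self, success: bool) -> None:
        """Retroactive feedback: fold the latest deployment result into history."""
        if success:
            self.successes += 1
        else:
            self.failures += 1


def admissible(responses: Iterable[Response], damage_cost: float) -> List[Response]:
    """Cost-sensitive gate: keep only responses cheaper than the damage they prevent."""
    return [r for r in responses if r.cost < damage_cost]


def select_response(responses: Iterable[Response], damage_cost: float) -> Optional[Response]:
    """Adaptive selection (assumed ranking rule): the admissible response with
    the highest RG wins, the cheaper one on ties. None means 'do not respond',
    because every option would cost more than the intrusion itself."""
    candidates = admissible(responses, damage_cost)
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.goodness(), -r.cost))


def simulate(responses: List[Response], damage_cost: float,
             outcomes: Dict[str, List[bool]]) -> List[Optional[str]]:
    """Select, deploy and learn for as many rounds as there are outcomes.

    outcomes[name][k] is the (constructed) result of deploying `name` in
    round k: True if the attack was stopped. Returns the name chosen per round.
    """
    rounds = len(next(iter(outcomes.values())))
    chosen: List[Optional[str]] = []
    for k in range(rounds):
        r = select_response(responses, damage_cost)
        if r is not None:
            r.record(outcomes[r.name][k])   # feedback after each deployment
        chosen.append(None if r is None else r.name)
    return chosen


def demo() -> dict:
    """Constructed scenario: three responses to a suspected flood against a
    server whose estimated damage cost is 50 units. Isolating the host costs
    more than the damage and is therefore never admissible."""
    responses = [
        Response("rate_limit", cost=10.0),
        Response("block_source_ip", cost=20.0),
        Response("isolate_host", cost=80.0),
    ]
    outcomes = {  # constructed per-round results, True = attack stopped
        "rate_limit":      [False, False, False, False],
        "block_source_ip": [True, True, True, True],
        "isolate_host":    [True, True, True, True],
    }
    chosen = simulate(responses, damage_cost=50.0, outcomes=outcomes)
    return {
        "chosen": chosen,
        "goodness": {r.name: r.goodness() for r in responses},
        "effectiveness": {r.name: r.effectiveness() for r in responses},
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed run the cheaper rate limit is tried first, fails once, and is displaced by the source block from the second round on; that is the non-adaptive-to-adaptive change Algorithm 1 describes. Because RE is the product of cost and goodness, the example ranks candidates on RG and only reports RE; a deployment following the retroactive model of (Mu and Li, 2010) would additionally compare the current network risk index with each response's static threshold inside the admissibility check.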
4.2.6 Response Assessment
Response assessment is a design parameter that measures the effect of a response on the basis of the result of the most recently applied response, and thereby improves the response selection process. An IRS design must include a risk assessment component that assesses the success or failure of previously deployed responses, the response cost, and the damage, for each newly applied response. Response execution can be classified into two modes according to the risk assessment approach: burst and retroactive (Shameli-Sendi, Ezzati-Jivan, 2012). In burst mode there is no mechanism for assessing the risk of an intrusion in network- or host-based IRSs (Strasburg, Stakhanova, 2009b). The major challenge of this mode is its performance cost, because every response is applied without an appropriate measurement of the risk, so the response cost may exceed the damage cost. Our survey shows that the majority of existing IRSs execute responses in burst mode, as indicated in Table 8. To address this, the IRS design must include a feedback mechanism that measures the intrusion risk.
In retroactive mode, the IRS has a feedback mechanism that measures the effect of a response on the basis of the result of the most recently applied response, and applies the response that performed best among those used in the past. The major challenges in using this approach in an adaptive system are measuring the success of the most recently applied response and handling multiple simultaneous occurrences of malicious activity (Mu, Li, 2008, Mu and Li, 2010); both can be controlled with dynamic (online) risk assessment. The first retroactive model was proposed in (Mu and Li, 2010). It calculates a static threshold for each response in the response set and obtains the current risk index of the network at detection time; a response is allowed to run only when the network risk index exceeds that response's static threshold.
4.2.7 Semantic Coherence
The semantic coherence parameter must be included in the design of any prospective IRS so that the response system can interpret the semantics and syntax of intrusion alerts from distinct sources and extract their meaning, which addresses the adaptability of response systems to different types of intrusion. Semantic-based IRSs can also make intelligent decisions on the basis of the context of the target domain. One limitation of the reviewed response systems is their poor adaptability to a variety of intrusion sources, because the semantic coherence of intrusions is not considered; as a result the false alarm rate and uncertainty of the IDS increase, whereas rich semantic information could reduce false alarms. For instance, without understanding the meaning of an intrusion, an IDS cannot distinguish a hacker scanning the network for vulnerabilities from the network administrator scanning it for security. The detailed analysis in Table 8 shows that existing IRS designs lack this parameter.
4.2.8 Alarm Confidence
The false alarm rate is the main indicator for assessing accuracy and determining the confidence level of an IRS (Anuar, Sallehudin, 2008). A false alarm occurs when the IDS is unable to differentiate normal from suspicious activity and raises an alarm for normal activity as if it were an attack. Verifying whether an alert is an actual attack or a false alarm is beyond the scope of an IDS and of an automated IRS. Thus, a false alarm handler parameter that manages the false alarms generated by the IDS must be considered in designing an IRS. Most research evaluates the performance of IDS and IRS with three metrics: the false-positive rate, the false-negative rate, and the true-positive rate. A false positive occurs when the IDS identifies normal activity as intrusive, a false negative when it classifies intrusive activity as normal, and a true positive when it correctly recognizes intrusive activity as an intrusion (normal activity correctly recognized as normal traffic is a true negative) (Hubballi, 2014). Existing surveys of IRS show that current IDSs and IRSs exhibit features such as adaptability, cost-sensitivity, and automation; however, the issues of alarm confidence and uncertainty persist, which means that the success or failure of a response cannot be reliably determined, and this undermines the functionality of the IRS. Table 8 categorizes existing IRSs according to a low, midrate, or high false alarm rate.
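As an added example (not code from the paper), the following Python shows a minimal false alarm handler for an IRS and measures it with the three metrics above on a constructed, labelled alert set: alerts are forwarded to the response selector only when the IDS confidence reaches a threshold and the source is not a known administrative scanner (the scanner case from Section 4.2.7). Sweeping the threshold shows the trade-off the section describes: a higher threshold lowers the false-positive rate but raises the false-negative rate. Signatures, addresses, confidences and labels are all constructed.

```python
"""False-alarm handler for an IRS, evaluated on labelled alerts.

Added example, not the paper's code. The alerts below are constructed;
the ground-truth label exists only in an evaluation data set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Alert:
    signature: str
    source: str         # reporting source address, as attributed by the IDS
    confidence: float   # IDS confidence in [0, 1]
    is_attack: bool     # ground truth (labelled data set only)


# Constructed sample: five real attacks and five benign events, including an
# administrator's scheduled scan from 10.0.0.5 that looks like an attacker's.
SAMPLE_ALERTS: List[Alert] = [
    Alert("ET SCAN nmap", "203.0.113.7", 0.95, True),
    Alert("ET SCAN nmap", "10.0.0.5", 0.90, False),
    Alert("SQLi attempt", "203.0.113.7", 0.85, True),
    Alert("SQLi attempt", "10.0.1.20", 0.40, False),
    Alert("DoS SYN flood", "198.51.100.9", 0.98, True),
    Alert("DoS SYN flood", "10.0.2.3", 0.30, False),
    Alert("SSH brute force", "198.51.100.9", 0.70, True),
    Alert("SSH brute force", "10.0.1.21", 0.55, False),
    Alert("SSH brute force", "198.51.100.12", 0.35, True),
    Alert("Port sweep", "10.0.2.4", 0.20, False),
]


def passes(alert: Alert, threshold: float, trusted: FrozenSet[str]) -> bool:
    """Gate rule: forward to the IRS only if confidence reaches the threshold
    and the source is not a known, trusted scanner (semantic context)."""
    return alert.confidence >= threshold and alert.source not in trusted


def gate(alerts, threshold, trusted=frozenset()):
    """Return the alerts the handler would pass on to the response selector."""
    return [a for a in alerts if passes(a, threshold, trusted)]


def rates(alerts, threshold, trusted=frozenset()) -> Dict[str, float]:
    """Confusion counts and rates of the gate at one threshold.

    TP: attack forwarded; FP: benign forwarded (a false alarm reaches the IRS);
    FN: attack suppressed; TN: benign suppressed.
    """
    tp = fp = fn = tn = 0
    for a in alerts:
        fwd = passes(a, threshold, trusted)
        if a.is_attack and fwd:
            tp += 1
        elif a.is_attack:
            fn += 1
        elif fwd:
            fp += 1
        else:
            tn += 1

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    return {
        "threshold": threshold, "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "tpr": ratio(tp, tp + fn),   # detection rate
        "fpr": ratio(fp, fp + tn),   # false alarm rate
        "fnr": ratio(fn, tp + fn),   # missed attacks
    }


def sweep(alerts, thresholds, trusted=frozenset()):
    """Rates at several thresholds: raising it lowers FPR but raises FNR."""
    return [rates(alerts, t, trusted) for t in thresholds]


if __name__ == "__main__":
    for row in sweep(SAMPLE_ALERTS, (0.0, 0.5, 0.8)):
        print(row)
    print(rates(SAMPLE_ALERTS, 0.5, trusted=frozenset({"10.0.0.5"})))
```

On the constructed set, a threshold of 0.5 forwards four of the five attacks with two false alarms, 0.8 halves the false alarms but misses two attacks, and adding the administrative scanner to the trusted set removes one false alarm without losing any detection. The trusted-source list is only as reliable as the IDS's source attribution: an attacker who spoofs an allowlisted address would be suppressed as well, so in practice the context check should rely on something harder to forge, such as the scan schedule or an authenticated scanner identity.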
4.2.9 Scalability
Scalability is an essential design metric for an IDS and its response countermeasures, which must scale to any number of nodes in a network and still choose the optimum response in real time. This parameter improves the performance of the defensive system by connecting multiple IDSs and response countermeasures so that they work as a single unit. In Table 8, existing IRSs are analyzed according to this parameter, recording the number of nodes to which each has been shown to scale. In current large distributed networks, IRSs are unable to detect and correlate intrusions from different sources because they lack scalability. Scalability also increases response speed and reduces the delay between detection and response by letting multiple detection and response units operate as one. Although this provides real-time response by reducing that delay, correlating detected intrusions and false alarms across units is a crucial issue for scalable IDS and IRS. The surveys studied (Butun, Morgera, 2014, Shameli-Sendi, Cheriet, 2014, Stakhanova, Basu, 2007b) show that large-scale deployment is very difficult with existing IRS architectures, and IRSs that select responses with a rule-based approach are not scalable at all. For instance, the cost-sensitive intrusion response for MANETs, simulated with up to 50 nodes, provides higher scalability and adaptive isolation of the faulty node while maintaining network performance (Wang, Tseng, 2007).
4.2.10 Response Metrics Policy
This design parameter enables an IRS to select the most suitable response option on the basis of dynamic response metrics and the statistical features of the attack. The most appropriate response should be activated according to a set of response metrics that specify the rules for responding during the response selection process; the set of metrics provides a way to measure the input parameters when selecting a specific response to mitigate an attack. Response metrics may be applied statically or dynamically. In the static approach, the metrics cannot be selected dynamically and the same metrics are used regardless of the nature of the attack. Dynamic response metrics, in contrast, allow an IRS to choose the most appropriate response flexibly on the basis of system and attack statistics, without any additional modification; the metrics can be updated on the basis of semantic coherence. The Semantic Web Rule Language (SWRL) has been used to describe response metrics dynamically and flexibly through semantic coherence (Lanchas, González, 2010, Mateos, Villagrá, 2012).
A review of state-of-the-art IRSs indicates that existing systems choose their response metrics in a fixed manner regardless of the state of the system or the intrusion context. Table 8 lists the common metrics for selecting the optimum response: intrusion impact, severity, response cost, IDS confidence, response success, and the importance of the affected resources. The metrics vary from system to system: some IRSs select on severity alone, whereas others adopt damage cost and response cost. In addition, the weight assigned to each parameter varies with the significance of the resources to the organization, so an IRS chooses one metric or another according to the resource compromised by the intrusion. For example, if the affected resource is a user's workstation, an AIRS may focus on response cost rather than success rate, whereas for a database server priority is given to response severity and effectiveness over the high cost of executing the response.
The most important challenge in selecting dynamic response metrics is developing decision-making mechanisms based on intrusion statistics; the main advantage is the reduction of response cost and of uncertainty in the response selection process. Thus, an IRS design must employ a dynamic approach to obtain the optimum response. By contrast, IDAM&IRS (Mu and Li, 2010) uses a static approach: a static risk threshold, based on the effectiveness and negative effects of each response, is associated with each response in the set. The optimum response is determined from the current risk index of the network and these static thresholds, and a response is triggered when the network risk index exceeds the response's static threshold.
Table 8 compares the reviewed IRSs with respect to the proposed design parameters. Many parameters are shared by all the IRSs, but some important ones, including semantic coherence, dynamic response metrics, and scalability, differ. All the parameters shown in Table 8 should be included before designing any IRS that is to provide real-time, automated response with a low false alarm rate.

Table 8
Comparison of existing IRS based on proposed design parameters

IRS | Year | Response Nature | Security policy | Network Performance | Prediction Ability | Adjustment Nature | Response Assessment | Semantic Coherence | Alarm Confidence | Scalability | Response Metrics Policy
CSM (White, Fisch, 1996) | 1996 | Dynamic | Availability, Integrity, Confidentiality | n/a | Reactive | Non-Adaptive | Burst | No | Low | n/a | Level of services (LOS); Suspicious level of users
EMERALD (Porras and Neumann, 1997) | 1997 | Dynamic | Availability | n/a | Reactive | Non-Adaptive | Burst | No | Midrate | Yes | Threshold metric; Severity metric
AAIRS (Carver, May 2001) | 2001 | Dynamic | N/A | n/a | Reactive | Adaptive | Burst | No | Low | Yes | IDS confidence; Attack; Confidence metric; Response success metric
Network IRS (Toth and Kruegel, 2002) | 2002 | Cost-Sensitive | N/A | High | Reactive | Non-Adaptive | Burst | No | Midrate | Yes | Response impact; Response severity; Damage assessment
Specification-based IRS (Balepin, Maltsev, 2003) | 2003 | Cost-Sensitive | Availability, Integrity, Confidentiality | n/a | Reactive | Non-Adaptive | Burst | No | Low | N/A | Resource dependencies
ADEPTS (Foo, Wu, 2005) | 2005 | Cost-Sensitive | N/A | n/a | Proactive | Adaptive | Burst | No | High | N/A | Response effectiveness; Response cost; Counter-effects
FAIR (Papadaki and Furnell, 2006) | 2006 | Cost-Sensitive | N/A | Midrate | Reactive | Non-Adaptive | Burst | No | Midrate | N/A | Transparency; Stopping power; Efficiency; Confidence level
Cost-Sensitive model for MANET (Wang, Tseng, 2007) | 2007 | Cost-Sensitive | Authenticity, Integrity, Availability | High | Reactive | Adaptive | Burst | No | High | Simulated up to 50 nodes | Topology dependency index (TDI); Attack damage index (ADI)
Stakhanova's IRS (Stakhanova, Basu, 2007a) | 2007 | Cost-Sensitive | Integrity, Availability | Midrate | Proactive | Adaptive | Burst | No | Midrate | N/A | Metric of benefit at the lowest risk; Response damage reduction
DIPS (Haslum, Abraham, 2007) | 2007 | Cost-Sensitive | Availability, Integrity, Confidentiality | Low | Proactive | Non-Adaptive | Burst | No | High | Yes | N/A
AIDP (Nadeem and Howarth, 2009) | 2009 | N/A | Availability | High | Reactive | Adaptive | Burst | No | High | Simulated up to 64 nodes | N/A
MOVIH-IDS (Herrero, Corchado, 2009) | 2009 | Cost-Sensitive | Availability, Integrity, Confidentiality | Midrate | Proactive | Adaptive | Burst | No | Midrate | Yes | N/A
Strasburg's IRS (Strasburg, Stakhanova, 2009a) | 2009 | Cost-Sensitive | N/A | n/a | Reactive | Adaptive | Burst | No | High | N/A | Intrusion damage; Response goodness; Severity and likelihood of intrusion
OrBAC (Kanoun, Cuppens-Boulahia, 2010) | 2010 | Cost-Sensitive | Availability, Integrity, Confidentiality | Midrate | Proactive | Adaptive | Burst | No | High | Yes | N/A
Kheir's IRS (Kheir, Cuppens-Boulahia, 2010) | 2010 | Cost-Sensitive | Availability | Low | Proactive | Non-Adaptive | Burst | No | Low | N/A | Availability, integrity, and confidentiality impact
AIRS based on ontologies (Lanchas, González, 2010) | 2010 | Cost-Sensitive | Availability | High | Proactive | Adaptive | Burst | Yes | High | N/A | Intrusion semantics; Importance of the compromised resources
IDAM&IRS (Mu and Li, 2010) | 2010 | Cost-Sensitive | N/A | Midrate | Reactive | Non-Adaptive | Retroactive | No | Low | Yes | Current risk index; Static risk threshold
ADRS (Zhang, Naït-Abdesselam, 2011) | 2011 | Cost-Sensitive | Availability, Integrity, Confidentiality | Midrate | Proactive | Adaptive | Retroactive | No | High | Up to 100 nodes | Computational cost; Detection accuracy; False positive rate
Response metrics for ontology-based AIRS (Mateos, Villagrá, 2012) | 2012 | Cost-Sensitive | Availability | High | Reactive | Adaptive | Burst | Yes | High | N/A | Damage reduction metric; Minimum cost metric; Highest severity; Efficiency metric
GIDP for MANETs (Nadeem and Howarth, 2013) | 2013 | Dynamic | Availability, Integrity, Confidentiality | Low | Reactive | Non-Adaptive | Burst | No | Midrate | Yes | N/A
Retroactive-Burst Framework (Shameli-Sendi, Desfossez, 2013) | 2013 | Cost-Sensitive | N/A | Low | Reactive | Adaptive | Retroactive | No | Low | N/A | Dynamic risk assessment; Response index; Confidence level; Response cost and effect
IDAR (Nadeem and Howarth, 2014) | 2014 | Cost-Sensitive | Availability, Integrity, Confidentiality | High | Reactive | Adaptive | Burst | No | Low | Simulated up to 200 nodes | Severity of attacks; Network performance degradation; Response impact
ORCEF (Shameli-Sendi and Dagenais, 2015) | 2015 | Cost-Sensitive | Availability, Integrity, Confidentiality | High | Reactive | Adaptive | Retroactive | No | Low | Yes | Damage cost; Confidence level of attack; Attacker target value

N/A for not available, n/a for not applicable


5 Challenges and Future Directions of IRS
This section explains the research challenges and future trends for research on the development of real-time automated response. Before any response system is built, these challenges must be identified and resolved so that the effect of an intrusion can be reduced.
5.1 Challenges
The following challenges limit the development of a good IRS. Even when the design parameters highlighted above are incorporated, the challenges below emerge in the proposed IRS, and existing IRSs remain unsuitable for mitigating attacks until the methods shown in Figure 10 are employed and integrated. The limitations that developers experience in building an IRS include the following:
5.1.1 Alert Correlation
In a large distributed network, several IRSs are incorporated into the distributed system to monitor attacks. They are implemented with a correlation component that must be installed on every host for cooperative detection and response. The main challenge for the IRS is intrusion correlation, which requires that alert data from the different sensors that identify and monitor intrusions be managed (Kruegel, Valeur, 2005). A correlation approach for intrusion alerts based on an ontology was presented in (Li and Tian, 2010); however, it cannot detect unknown attacks in real time, because the ontology knowledge base must first be updated to reflect a new type of attack. The quality of the alerts produced by an IDS can be effectively improved by alert correlation techniques that facilitate rapid monitoring and identification of an ongoing intrusion and of the intruder. Several alert management challenges still need to be addressed, namely knowledge acquisition, alert aggregation, correlation management, and alert evaluation (Sadoddin and Ghorbani, 2006).
5.1.2 Data Sets
A main challenge in designing an IRS is the lack of publicly available datasets for evaluation and training. Existing datasets such as DARPA MIT (Khan et al., 2014b, Laboratory, 2000) and KDD 99 (Olusola et al., 2010) are standard datasets that provide labeled data for researchers working on IDS and IRS. These datasets are mostly outdated and insufficient for the current environment, in which new threats continue to emerge. Thus, researchers need new public datasets with which to evaluate frameworks and algorithms.

Figure 10. Challenges in IRS. [Figure: the challenges for a real-time intrusion response system, namely data sets, alert correlation, risk assessment and QoS, heterogeneous data, and managing false alarms, arranged around the central node.]

5.1.3 Risk Assessment and Quality of Service Guarantee
Most existing studies treat design issues individually. For instance, risk assessment and quality of service (QoS) are both significant design issues that must be considered in designing an IRS to mitigate attacks. Selecting a good response option increases the security performance of the IRS against an intruder; however, the optimum response from a security standpoint often decreases QoS (service availability) (Patel, Taghavi, 2013). Thus, the aim of IRS design is to improve network and security performance while simultaneously decreasing the negative effects of the response. The main challenge is maintaining the QoS experienced by users, who may be accessing many of the available services at once, and this is typically not considered in existing network designs. Moreover, considering risk assessment and QoS together creates a new challenge for the IRS, because both degrade network performance, so the trade-off between QoS and risk assessment must be evaluated.
5.1.4 Heterogeneous Data
The ability to extract hidden patterns and information from a large amount of heterogeneous data is important before attacks can be predicted. In a distributed network-based response system, data validity is highly important: different IRSs are deployed on different hosts and integrated to monitor network traffic and detect malicious activity. A data analysis system that can automatically analyze and organize data is needed to predict future attack patterns, particularly as multidimensional data and large-volume datasets have grown rapidly in recent years. The effectiveness of a hybrid approach over heterogeneous data for detecting normal and malicious activities is discussed in (Junqi and Zhengbing, 2008), and collecting and updating scattered information on a regular basis from a provider or the security community has been proposed (Deris Stiawan).
5.1.5 Managing False Alarm
Although substantial research has been conducted on IDS, uncertainty in detecting intrusions still exists.
Verifying whether a reported attack is an actual attack or a false alarm is beyond the scope of IDS. Thus, a
mechanism in IRS that can handle the false alarms generated by IDS should be developed. An AIRS based on
ontologies (Lanchas, González, 2010) provides a distinct way to extract semantic information from intrusion
alerts and solves the problems of false alarms and uncertainty to some extent: the false alarm rate is
drastically reduced in the ontology-based IDS, and detection accuracy is improved. However, complete
management of false alarms has not been achieved, and it remains an important research topic.
5.1.6 Real-Time Response
Real-time response increases the need for early warning of intrusions and security violation threats in IRS.
Thus, the system must be active and systematic in classifying and distinguishing malicious activity from
non-malicious activity. The time gap between the detected intrusion and the response creates a window of
vulnerability for attackers. One problem emerging in detection and response systems is the difficulty of
analyzing packets in real-time traffic. The second problem is that accessing traffic can be more difficult than
interpreting it, because a network is often designed for performance, not visibility.
5.2 Future Directions
False alarms, cost sensitivity, scalability, and adaptive nature are important issues from the IRS design point
of view. The surveyed IRSs show that existing IDSs and IRSs are unable to manage false alarms. Thus, in
future IRS, a false alarm handler must be included in the response selection process to manage the false
alarms generated by IDSs. An online risk assessment component must be considered in designing future IRS
to measure the effectiveness of the deployed response, which is highly crucial in cost-sensitive mapping.
Furthermore, effective coordination between the response system and the risk assessment mechanism helps
manage false alarms and uncertainty in IRS and helps choose a cost-sensitive response for all types of attacks.
Scalability and alert correlation are very important factors in the design of a distributed IRS, because they
improve real-time IRS performance without affecting network performance. Accordingly, the weakness in the
IRS framework is minimized by designing an adaptive IRS and dynamic response metrics that consider
semantic coherence, to improve the performance of the IRS in a distributed environment where attacks come
from different sources.
In the static approach, the intruding node is always isolated during the response selection process, which
affects system performance. In adaptive response, however, the optimum response is selected without
isolating the intruding nodes. Therefore, an adaptive approach must be followed in designing IRS. In
developing a smart and effective response system, completely understanding the problems that need to be
addressed is necessary. For instance, isolating the whole server from the global network or terminating the
processes that use a considerable amount of CPU will disrupt many installed services (Qi et al., 2014). The
future IRS must be based on a dynamic response metric, whose syntax and semantics can be changed according
to the nature of the attack without requiring any additional modification. The IRS must be designed according
to the statistical features of the attack, which consider the type of attack and its effect on the CIA model. For
instance, some attacks, such as DDoS (Mitchell and Chen, 2013), disrupt the availability of a system; thus, a
response that improves availability is needed. Other attackers attempt to access and modify stored data;
thus, a response that can improve the confidentiality and integrity of the system's data is required.
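As an added illustration of the response-selection ideas in Sections 5.1.3 to 5.2 (alarm confidence as a false alarm handler, QoS cost weighed against averted damage, selection according to the attack's effect on the CIA model, and a response history updated over time), the following Python sketch is not part of the survey; all attack profiles, candidate responses and weights are constructed for illustration.

```python
"""Cost-sensitive, CIA-aware response selection (added example, not the survey's code).

Each IDS alert carries a confidence value (the false alarm handler), each attack
class is described by its impact on confidentiality, integrity and availability,
and each candidate response is scored by the damage it is expected to avert minus
the QoS cost it imposes. Responses that isolate a node are only eligible when the
alert is confident enough to justify that cost. All numbers are constructed.
"""
from dataclasses import dataclass

# CIA dimensions used to describe both attack impact and response effect.
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class Alert:
    attack: str          # attack class reported by the IDS
    confidence: float    # 0..1, how sure the IDS / alarm verifier is
    target: str          # constructed host name


@dataclass
class Response:
    name: str
    effect: dict         # fraction of damage averted per CIA dimension
    qos_cost: float      # service-availability cost of applying it (0..1)
    isolates: bool       # True if it cuts the node off the network
    success: float = 0.5 # learned effectiveness, updated from response history
    trials: int = 1      # prior counts as one pseudo-observation


# Constructed attack profiles: damage weight per CIA dimension.
ATTACK_IMPACT = {
    "ddos":        {"confidentiality": 0.0, "integrity": 0.1, "availability": 0.9},
    "data_tamper": {"confidentiality": 0.5, "integrity": 0.9, "availability": 0.1},
}

# Constructed candidate responses, from passive to disruptive.
CANDIDATES = [
    Response("log_and_monitor", {}, qos_cost=0.0, isolates=False),
    Response("rate_limit", {"availability": 0.6}, qos_cost=0.1, isolates=False),
    Response("restrict_write_access", {"integrity": 0.8, "confidentiality": 0.7},
             qos_cost=0.15, isolates=False),
    Response("block_source_ip", {"availability": 0.9, "integrity": 0.5,
                                 "confidentiality": 0.5}, qos_cost=0.2, isolates=True),
]


def expected_score(alert, resp, impact):
    """Expected benefit: averted damage scaled by alert confidence and the
    response's learned success rate, minus the response's QoS cost."""
    averted = sum(impact[d] * resp.effect.get(d, 0.0) for d in CIA)
    return alert.confidence * resp.success * averted - resp.qos_cost


def select_response(alert, candidates=CANDIDATES, min_isolate_confidence=0.8):
    """Pick the highest-scoring response; isolating responses are skipped
    unless the alert confidence reaches min_isolate_confidence."""
    impact = ATTACK_IMPACT[alert.attack]
    best = None
    for r in candidates:
        if r.isolates and alert.confidence < min_isolate_confidence:
            continue
        s = expected_score(alert, r, impact)
        if best is None or s > best[1]:
            best = (r, s)
    return best[0]


def update_history(resp, succeeded):
    """Adaptive update of a response's success rate as a running mean over
    its observed outcomes (the prior 0.5 counts as one observation)."""
    resp.trials += 1
    resp.success += (float(succeeded) - resp.success) / resp.trials
    return resp.success


if __name__ == "__main__":
    for conf in (0.9, 0.5, 0.2):
        print("ddos @", conf, "->", select_response(Alert("ddos", conf, "web01")).name)
    print("data_tamper @ 0.9 ->",
          select_response(Alert("data_tamper", 0.9, "db01")).name)
```

With the constructed weights, a DDoS alert moves from blocking the source at high confidence, to rate limiting at medium confidence, to monitoring only at low confidence, and a data-tampering alert selects the integrity-oriented response instead of isolation.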

6 Conclusion
For many years, developing an effective IRS that repels attacks has remained a major challenge. The
state-of-the-art IDSs indicate that detection of an intrusion is useless without an appropriate response
system. Optimum response selection depends on good IRS design. However, developing an efficient response
mechanism that completely thwarts attacks is inherently complex because of the many unknown factors that
must be considered in designing an IRS. This paper surveys the design parameters of existing IRSs. The main
finding of this paper is that, despite extensive research in this area, existing IRSs lack the semantics of the
intrusion and use a static response metric instead of a dynamic approach, thus generating more false alarms.
In addition, the majority of adaptive IRSs lack efficient algorithms to update the response history over time.
Existing IRSs only consider the static response of isolating the intruding node and are unable to consider a
dynamic response that does not isolate the intruding node. Consequently, network performance is degraded
by the static response option. Furthermore, the risk assessment component is missing, which is crucial to
manage false positives, weigh response cost against damage cost, and select an optimum response to thwart
attacks. Significant work is in progress on developing state-of-the-art IRSs. However, research on designing
an effective automated IRS is still in its infancy, and we are still far from designing an appropriate automated
IRS.
To meet the newly imposed IRS design requirements, we determine new and desirable parameters to improve
IRS design and minimize attacks. This survey presents existing IDSs in terms of detection capability,
deployment approach, and response option, along with their classification. In addition, the design
specification and functionality of existing IRSs, as well as the parameters they lack for the selection of a good
response option, have been discussed. Furthermore, new design parameters are proposed for designing a good
IRS. We also discussed some important factors, including alarm confidence, semantic coherence, and a dynamic
response metric, as desirable features in designing an IRS. The main contribution of this paper is the proposed
response design parameters, which improve the response mechanism for the decision-making process of the
response according to the statistical features of attacks. Finally, the challenges encountered in designing a
good IRS are discussed. In addition, recommendations on the proposed design parameters are provided,
along with future directions for this research, to aid researchers in designing a good IRS.

Acknowledgments
This work is fully funded by the Malaysian Ministry of Higher Education under the University of Malaya
High Impact Research Grant UM.C/625/1/HIR/MOE/FCSIT/03.
7 References
Adetunmbi AO, Falaki SO, Adewale OS, Alese BK. Network intrusion detection based on rough set and k-
nearest neighbour. International Journal of Computing and ICT Research. 2008;2:60-6.
Ghorbani AA, Lu W, Tavallaee M. Network Intrusion Detection and Prevention: Concepts and Techniques.
Springer; 2009. Available at: books.google.com.my/books?isbn=0387887717.
Anantvalee T, Wu J. A survey on intrusion detection in mobile ad hoc networks. Wireless Network Security:
Springer; 2007. p. 159-80.
Anuar NB, Papadaki M, Furnell S, Clarke N. An investigation and survey of response options for Intrusion
Response Systems (IRSs). Information Security for South Africa (ISSA), 2010: IEEE; 2010. p. 1-8.
Anuar NB, Sallehudin H, Gani A, Zakari O. Identifying false alarm for network intrusion detection system
using hybrid data mining and decision tree. Malaysian journal of computer science. 2008;21:101-15.
Anwar S, Zain JBM. Response option for attacks detected by intrusion detection system. The 4th International
Conference on Software Engineering and Computer System. 2015;4:7.
Anwar S, Zain JBM, Zulkipli MFB, Inayat Z. A Review Paper on Botnet and Botnet Detection Techniques in
Cloud Computing, ISCI 2014 – IEEE Symposium on Computers & Informatics. 2014:5.
Årnes A, Sallhammar K, Haslum K, Brekne T, Moe MEG, Knapskog SJ. Real-time risk assessment with
network sensors and intrusion detection systems. Computational Intelligence and Security: Springer; 2005.
p. 388-97.
Ashraf QM, Habaebi MH. Autonomic schemes for threat mitigation in Internet of Things. Journal of
Network and Computer Applications. 2015;49:112-27.
Asosheh A, Ramezani N. A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a
smart classification. WSEAS Transactions on Computers. 2008;7:281-90.
Azab M, Eltoweissy M. Defense as a service cloud for Cyber-Physical Systems. Collaborative Computing:
Networking, Applications and Worksharing (CollaborateCom), 2011 7th International Conference on: IEEE;
2011. p. 392-401.
Bace RG. Intrusion Detection, http://dl.acm.org/citation.cfm?id=347487, Book, ISBN:1-57870-185-6, 2002.
Balepin I, Maltsev S, Rowe J, Levitt K. Using specification-based intrusion detection for automated response.
Recent Advances in Intrusion Detection: Springer; 2003. p. 136-54.
Bonifacio J, Moreira E. An adaptive intrusion detection system using neural networks. Proceedings of IFIP
SEC; 1997.
Butun I, Morgera SD, Sankar R. A survey of intrusion detection systems in wireless sensor networks.
Communications Surveys & Tutorials, IEEE. 2014;16:266-82.
Cansian AM, Moreira E, Carvalho A, Bonifacio J. Network intrusion detection using neural networks. Proc
Int Conf on Computational Intelligence and Multimedia Applications; 1997. p. 276-80.
Carver CA Jr. Adaptive Agent-Based Intrusion Response. Ph.D. thesis, Texas A&M University, USA; May
2001.
Carver CA, Hill JM, Pooch UW. Limiting uncertainty in intrusion response. Proceedings of the 2001 IEEE
Workshop on Information Assurance and Security; 2001. p. 5-6.
CERT. CERT Statistics, http://www.cert.org/stats, 2014. Accessed October 2014.
Chen Y-M, Yang Y. Policy management for network-based intrusion detection and prevention. Network
Operations and Management Symposium, 2004 NOMS 2004 IEEE/IFIP: IEEE; 2004. p. 219-32.
Choo K-KR. The cyber threat landscape: Challenges and future research directions. Computers & Security.
2011;30:719-31.
Cisco. http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/
what_is_network_security/index.html, 2014. Accessed October 2014.
da Silva APR, Martins MH, Rocha BP, Loureiro AA, Ruiz LB, Wong HC. Decentralized intrusion detection
in wireless sensor networks. Proceedings of the 1st ACM international workshop on Quality of service &
security in wireless and mobile networks: ACM; 2005. p. 16-23.
Dantu R, Loper K, Kolan P. Risk management using behavior based attack graphs. Information
Technology: Coding and Computing, 2004 Proceedings ITCC 2004 International Conference on: IEEE; 2004.
p. 445-9.
Stiawan D, Idris MY, Abdullah AH. http://eprints.unsri.ac.id/73/1/2011_7_12_4212_4224.pdf, 2011. Accessed
August 2014.
Eng PE, Haug M. Automatic response to intrusion detection. Thesis; 2004. p. 1-55.
Estevez-Tapiador JM, Garcia-Teodoro P, Diaz-Verdejo JE. Anomaly detection methods in wired networks: a
survey and taxonomy. Computer Communications. 2004;27:1569-84.
Feng L, Wang W, Zhu L, Zhang Y. Predicting intrusion goal using dynamic Bayesian network with transfer
probability estimation. Journal of Network and Computer Applications. 2009;32:721-32.
Foo B, Wu Y-S, Mao Y-C, Bagchi S, Spafford E. ADEPTS: adaptive intrusion response using attack graphs
in an e-commerce environment. Dependable Systems and Networks, 2005 DSN 2005 Proceedings
International Conference on: IEEE; 2005. p. 508-17.
Han J, Kamber M. Data Mining: Concepts and Techniques. Morgan Kaufmann; Southeast Asia Edition; 2006.
Hansman S, Hunt R. A taxonomy of network and computer attacks. Computers & Security. 2005;24:31-43.
Haslum K, Abraham A, Knapskog S. Dips: A framework for distributed intrusion prediction and prevention
using hidden markov models and online fuzzy risk assessment. Information Assurance and Security, 2007
IAS 2007 Third International Symposium on: IEEE; 2007. p. 183-90.
Herrero Á, Corchado E, Pellicer MA, Abraham A. MOVIH-IDS: A mobile-visualization hybrid intrusion
detection system. Neurocomputing. 2009;72:2775-84.
Ho C-Y, Lai Y-C, Chen I-W, Wang F-Y, Tai W-H. Statistical analysis of false positives and false negatives
from real traffic with intrusion detection/prevention systems. Communications Magazine, IEEE.
2012;50:146-54.
Hoque N, Bhuyan MH, Baishya RC, Bhattacharyya D, Kalita JK. Network attacks: Taxonomy, tools and
systems. Journal of Network and Computer Applications. 2014;40:307-24.
Huang M-Y, Jasper RJ, Wicks TM. A large scale distributed intrusion detection framework based on attack
strategy analysis. Computer Networks. 1999;31:2465-75.
Hubballi N, Suryanarayanan V. False alarm minimization techniques in signature-based intrusion detection
systems: A survey. Computer Communications. 2014;49:1-17.
Jahnke M, Thul C, Martini P. Graph based metrics for intrusion response measures in computer networks.
Local Computer Networks, 2007 LCN 2007 32nd IEEE Conference on: IEEE; 2007. p. 1035-42.
Jou Y, Gong F, Sargor C, Wu X, Wu S, Chang H, et al. Design and implementation of a scalable intrusion
detection system for the protection of network infrastructure. DARPA Information Survivability Conference
and Exposition, 2000 DISCEX'00 Proceedings: IEEE; 2000. p. 69-83.
Junqi W, Zhengbing H. Study of intrusion detection systems (IDSs) in network security. Wireless
Communications, Networking and Mobile Computing, 2008 WiCOM'08 4th International Conference on:
IEEE; 2008. p. 1-4.
Kanoun W, Cuppens-Boulahia N, Cuppens F, Dubus S. Risk-aware framework for activating and
deactivating policy-based response. Network and System Security (NSS), 2010 4th International Conference
on: IEEE; 2010. p. 207-15.
Karami A, Guerrero-Zapata M. An ANFIS-based cache replacement method for mitigating cache pollution
attacks in Named Data Networking. Computer Networks. 2015a;80:51-65.
Karami A, Guerrero-Zapata M. A fuzzy anomaly detection system based on hybrid pso-kmeans algorithm in
content-centric networks. Neurocomputing. 2015b;149:1253-69.
Karami A, Guerrero-Zapata M. A hybrid multiobjective rbf-pso method for mitigating dos attacks in named
data networking. Neurocomputing. 2015c;151:1262-82.
Khan N, Yaqoob I, Hashem IAT, Inayat Z, Mahmoud Ali WK, Alam M, et al. Big data: survey, technologies,
opportunities, and challenges. The Scientific World Journal. 2014a;2014.
Khan S, Shiraz M, Abdul Wahab AW, Gani A, Han Q, Bin Abdul Rahman Z. A comprehensive review on
adaptability of network forensics frameworks for mobile cloud computing. The Scientific World Journal.
2014b;2014.
Kheir N. Response policies and counter-measures : Management of service dependencies and intrusion and
reaction impacts, PhD Thesis. 2010;1:177-85.
Kheir N, Cuppens-Boulahia N, Cuppens F, Debar H. A service dependency model for cost-sensitive intrusion
response. Computer Security–ESORICS 2010: Springer; 2010. p. 626-42.
Kheir N, Debar H, Cuppens-Boulahia N, Cuppens F, Viinikka J. Cost evaluation for intrusion response using
dependency graphs. Network and Service Security, 2009 N2S'09 International Conference on: IEEE; 2009a.
p. 1-6.
Kheir N, Debar H, Cuppens F, Cuppens-Boulahia N, Viinikka J. A service dependency modeling framework
for policy-based response enforcement. Detection of Intrusions and Malware, and Vulnerability Assessment:
Springer; 2009b. p. 176-95.
Kholidy H, Baiardi F. CIDS: a framework for intrusion detection in cloud systems. Information Technology:
New Generations (ITNG), 2012 Ninth International Conference on: IEEE; 2012. p. 379-85.
Krontiris I, Benenson Z, Giannetsos T, Freiling FC, Dimitriou T. Cooperative intrusion detection in wireless
sensor networks. Wireless sensor networks: Springer; 2009. p. 263-78.
Kruegel C, Valeur F, Vigna G. Intrusion Detection and Correlation: Challenges and Solutions. Vol. 14.
Springer Science & Business Media; 2005.
Kumar S, Spafford EH. A pattern matching model for misuse intrusion detection. Proceedings of the
National Computer Security Conference, Baltimore, MD; 1994. p. 11-21.
Lincoln Laboratory. http://www.ll.mit.edu/ideval/data/, 2000. Accessed October 2014.
Lanchas VM, González VAV, Bueno FR. Ontologies-based automated intrusion response system.
Computational Intelligence in Security for Information Systems 2010: Springer; 2010. p. 99-106.
Lazarevic A, Kumar V, Srivastava J. Intrusion detection: A survey. Managing Cyber Threats: Springer;
2005. p. 19-78.
Lee W, Fan W, Miller M, Stolfo SJ, Zadok E. Toward cost-sensitive modeling for intrusion detection and
response. Journal of Computer Security. 2002;10:5-22.
Li W, Tian S. An ontology-based intrusion alerts correlation system. Expert Systems with Applications.
2010;37:7138-46.
Liao H-J, Lin C-HR, Lin Y-C, Tung K-Y. Intrusion detection system: A comprehensive review. Journal of
Network and Computer Applications. 2013;36:16-24.
Lindqvist U, Jonsson E. How to systematically classify computer security intrusions. Security and Privacy,
1997 Proceedings, 1997 IEEE Symposium on: IEEE; 1997. p. 154-63.
Locasto ME, Wang K, Keromytis AD, Stolfo SJ. Flips: Hybrid adaptive intrusion prevention. Recent
Advances in Intrusion Detection: Springer; 2006. p. 82-101.
Mateos V, Villagrá VA, Romero F, Berrocal J. Definition of response metrics for an ontology-based
Automated Intrusion Response Systems. Computers & Electrical Engineering. 2012;38:1102-14.
Mitchell R, Chen I-R. A survey of intrusion detection techniques for cyber-physical systems. ACM
Computing Surveys (CSUR). 2014;46:55.
Mitchell R, Chen I. Effect of intrusion detection and response on reliability of cyber physical systems.
Reliability, IEEE Transactions on. 2013;62:199-210.
Mu C, Li X, Huang H, Tian S. Online risk assessment of intrusion scenarios using DS evidence theory.
Computer Security-ESORICS 2008: Springer; 2008. p. 35-48.
Mu C, Li Y. An intrusion response decision-making model based on hierarchical task network planning.
Expert systems with applications. 2010;37:2465-72.
MyCert-Report. MyCERT “Malaysian Computer Emergency response Team Incident Statistics", Available
on: http://www.mycert.org.my/en/services/statistic/mycert/2013/main/detail/914/index.html ,Accessed on:
October 2014. 2014.
Nadeem A, Howarth M. Adaptive intrusion detection & prevention of denial of service attacks in MANETs.
Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing:
Connecting the World Wirelessly: ACM; 2009. p. 926-30.
Nadeem A, Howarth M. Protection of MANETs from a range of attacks using an intrusion detection and
prevention system. Telecommunication Systems. 2013;52:2047-58.
Nadeem A, Howarth MP. An intrusion detection & adaptive response mechanism for MANETs. Ad Hoc
Networks. 2014;13:368-80.
Neuman C. Challenges in security for cyber-physical systems. DHS: S&T workshop on future directions in
cyber-physical systems security: Citeseer; 2009.
O'Neill M. The Internet of Things: do more devices mean more risks? Computer Fraud & Security.
2014;2014:16-7.
Olusola AA, Oladele AS, Abosede DO. Analysis of KDD'99 intrusion detection dataset for selection of
relevance features. Proceedings of the World Congress on Engineering and Computer Science; 2010. p. 20-2.
Papadaki M, Furnell S. Achieving automated intrusion response: a prototype implementation. Information
management & computer security. 2006;14:235-51.
Patel A, Taghavi M, Bakhtiyari K, Júnior JC. An intrusion detection and prevention system in cloud
computing: A systematic review. Journal of Network and Computer Applications. 2013;36:25-41.
Paxson V. Bro: a system for detecting network intruders in real-time. Computer networks. 1999;31:2435-63.
Poolsappasit N, Dewri R, Ray I. Dynamic security risk management using bayesian attack graphs.
Dependable and Secure Computing, IEEE Transactions on. 2012;9:61-74.
Porras PA, Neumann PG. EMERALD: Event monitoring enabling response to anomalous live disturbances.
Proceedings of the 20th National Information Systems Security Conference; 1997. p. 353-65.
Qi H, Shiraz M, Gani A, Whaiduzzaman M, Khan S. Sierpinski triangle based data center architecture in
cloud computing. The Journal of Supercomputing. 2014:1-21.
Ragsdale DJ, Carver Jr CA, Humphries JW, Pooch UW. Adaptation techniques for intrusion detection and
intrusion response systems. Systems, Man, and Cybernetics, 2000 IEEE International Conference on: IEEE;
2000. p. 2344-9.
Roesch M. Snort: Lightweight intrusion detection for networks. LISA; 1999. p. 229-38.
SANS Institute InfoSec Reading Room. http://www.sans.org/reading-room/whitepapers/malicious/code-red-worm-45,
2001. Accessed 27 May 2014.
Sabahi F, Movaghar A. Intrusion detection: A survey. Systems and Networks Communications, ICSNC'08. 3rd
International Conference on: IEEE; 2008.
Sadoddin R, Ghorbani A. Alert correlation survey: framework and techniques. Proceedings of the 2006
International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and
Business Services: ACM; 2006. p. 37.
Sequeira D. Intrusion prevention systems: security's silver bullet? Business Communications Review.
2003;33:36-41.
Scarfone K, Mell P. Guide to intrusion detection and prevention systems (idps). NIST special publication.
2007a;800:94.
Scarfone K, Mell P. Guide to Intrusion Detection and Prevention Systems (IDPS), SP 800-94. Special
Publication, National Institute of Standards and Technology, Gaithersburg. 2007b.
Schnackenberg D, Holliday H, Smith R, Djahandari K, Sterne D. Cooperative intrusion traceback and
response architecture (CITRA). DARPA Information Survivability Conference & Exposition II, 2001
DISCEX'01 Proceedings: IEEE; 2001. p. 56-68.
Shameli-Sendi A, Cheriet M, Hamou-Lhadj A. Taxonomy of intrusion risk assessment and response system.
Computers & Security. 2014;45:1-16.
Shameli-Sendi A, Dagenais M. ORCEF: Online response cost evaluation framework for intrusion response
system. Journal of Network and Computer Applications. 2015.
Shameli-Sendi A, Desfossez J, Dagenais M, Jabbarifar M. A Retroactive-Burst Framework for Automated
Intrusion Response System. Journal of Computer Networks and Communications. 2013;2013.
Shameli-Sendi A, Ezzati-Jivan N, Jabbarifar M, Dagenais M. Intrusion response systems: survey and
taxonomy. Int J Comput Sci Netw Secur. 2012;12:1-14.
Snapp SR, Brentano J, Dias GV, Goan TL, Heberlein LT, Ho C-L, et al. DIDS (distributed intrusion
detection system)-motivation, architecture, and an early prototype. Proceedings of the 14th national
computer security conference: Citeseer; 1991. p. 167-76.
Sookhak M, Akhundzada A, Sookhak A, Eslaminejad M, Gani A, Khan MK, et al. Geographic Wormhole
Detection in Wireless Sensor Networks. PloS one. 2015;10.
Stakhanova N, Basu S, Wong J. A cost-sensitive model for preemptive intrusion response systems.
AINA; 2007a. p. 428-35.
Stakhanova N, Basu S, Wong J. A taxonomy of intrusion response systems. International Journal of
Information and Computer Security. 2007b;1:169-84.
Strasburg C, Stakhanova N, Basu S, Wong JS. A framework for cost sensitive assessment of intrusion
response selection. Computer Software and Applications Conference, 2009 COMPSAC'09 33rd Annual
IEEE International: IEEE; 2009a. p. 355-60.
Strasburg C, Stakhanova N, Basu S, Wong JS. Intrusion response cost assessment methodology. Proceedings
of the 4th International Symposium on Information, Computer, and Communications Security: ACM; 2009b.
p. 388-91.
Tanachaiwiwat S, Hwang K, Chen Y. Adaptive intrusion response to minimize risk over multiple network
attacks. ACM Trans on Information and System Security. 2002;19:1-30.
Teleco-Network Technology. http://teleco-network.blogspot.com/search?q=firewall, 2011. Accessed 27 May
2014.
Toth T, Kruegel C. Evaluating the impact of automated intrusion response mechanisms. Computer Security
Applications Conference, 2002 Proceedings 18th Annual: IEEE; 2002. p. 301-10.
Vigna G, Kemmerer RA. NetSTAT: A network-based intrusion detection system. Journal of computer
security. 1999;7:37-71.
Vigna G, Kemmerer RA. Intrusion detection: a brief history and overview. Computer. 2002;35(4):27-30.
Wang L, Liu A, Jajodia S. Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts.
Computer communications. 2006;29:2917-33.
Wang S-H, Tseng CH, Levitt K, Bishop M. Cost-sensitive intrusion responses for mobile ad hoc networks.
Recent Advances in Intrusion Detection: Springer; 2007. p. 127-45.
Wang X, Reeves DS, Wu SF, Yuill J. Sleepy watermark tracing: An active network-based intrusion response
framework. Trusted Information: Springer; 2001. p. 369-84.
White GB, Fisch EA, Pooch UW. Cooperating security managers: A peer-based intrusion detection system.
Network, IEEE. 1996;10:20-3.
Wu Y-S, Foo B, Mao Y-C, Bagchi S, Spafford EH. Automated adaptive intrusion containment in systems of
interacting services. Computer Networks. 2007;51:1334-60.
Jou YF, Gong F, Sargor C, Wu SF, Rance Cleaveland W. Architecture design of a scalable intrusion detection
system for the emerging network infrastructure. Technical Report CDRL A005, Dept. of Computer Science,
North Carolina State University, Raleigh, NC, USA; April 1997.
Ying L, Yan Z, Yang-jia O. The design and implementation of host-based intrusion detection system.
Intelligent Information Technology and Security Informatics (IITSI), 2010 Third International Symposium
on: IEEE; 2010. p. 595-8.
Zhang Z, Naït-Abdesselam F, Ho P-H, Kadobayashi Y. Toward cost-sensitive self-optimizing anomaly
detection and response in autonomic networks. computers & security. 2011;30:525-37.
