Professional Documents
Culture Documents
IEEEAccess A Bio Inspired Reaction Against Cyberattacks AIS Powered Optimal Countermeasures Selection
IEEEAccess A Bio Inspired Reaction Against Cyberattacks AIS Powered Optimal Countermeasures Selection
VOLUME 4, 2016 1
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
tance of posing cybersecurity as a fundamental pillar in the that continuously pass through cloning and mutation phases
defensive strategies [8]. In such a frightening scenario, very in order to compute the optimal individual to adapt and
few will oppose that selecting the optimal set of countermea- fight against artificial antigens (namely, the threats detected
sures to react against those threats is of primary importance. within the protected system). To demonstrate the capability
Remarkably, such a selection needs to balance the inherent of the proposed methodology, a broad experimental phase is
trade-off between the effectiveness of the reaction, aiming provided, resulting in minimizing the risk to which the assets
at eradicating the attack from the protected system and thus are exposed in a more than acceptable time window.
restoring a safe state and its potential negative impact (or side For easy reference, the main contributions of the paper at
effect) on the targeted assets [9]. hand can be summarized as follows:
Until now, several proposals have been presented to solve • The proposal of a novel AIS-powered methodology
the challenges posed by the reaction ecosystem. Concretely, to select the optimal set of countermeasures to react
a plethora of literature works proposes cost-benefit quantita- against potential cyberthreats. The adaptation of such
tive approaches in choosing the optimal set of countermea- a bio-inspired technique to the reaction field permits
sures [10]. In some circumstances, those works leverage the the acquisition of crucial AIS characteristics, such as
useful capabilities of Artificial Intelligence (AI) methodolo- uniqueness, distributed reaction and self-regulation, di-
gies and bio-inspired approaches to determine the optimal versification, self-protection, and memorization. In par-
reaction in a semi-automatic or fully-automatic fashion [11]. ticular, the presented methodology avoids minimizing
Among those, AIS have been proved to comprise a promis- risk blindly. That is, the calculated countermeasures are
ing paradigm in different areas of the cybersecurity ecosys- enforced taking into account the acceptable risk for each
tem [12]. Specifically, such a bio-inspired technique aims to asset of the system.
emulate the biological immune system’s behavior in various • The AIS-powered reaction leverages a standard coun-
applications of computer science. As the immune system termeasures representation, which we believe would
is able to recognize and fight against foreign and poten- be beneficial to foster the reaction knowledge sharing
tially harmful entities to protect the human body, the AIS among different security teams.
try to shield the monitored assets from possibly dangerous • The proposition of a metric to quantitatively estimate
anomalies [13]. In this direction, AIS have been successfully the benefit of applying multiple countermeasures on the
applied to solve security-related challenges in the field of same asset, i.e., the countermeasure benefit.
anomaly detection, intrusion detection, scan, and flood detec-
tion, among others [14]. Surprisingly, AIS capabilities have The remainder of this paper is organized as follows.
not been thoroughly investigated when it comes to selecting Section II presents some preliminary concepts on the AIS,
the optimal reaction to fire against appearing threats. Despite reviews and discusses recent proposals related to counter-
this fact, and as pointed out in [15], their properties applied measures selection against threats, with particular focus on
to counteracting malicious cyber entities fit the needs of re- the proposed standard representation of a countermeasure.
lated reaction frameworks, which may weaponize biological In Section III, the methodology used to construct the AIS-
principles like clonality, self-regulation, immune memory, powered reaction is described, explaining the translation
specificity, and so forth. from cyberspace to the immunological sphere. Then, in Sec-
In order to contribute to mitigating this gap, an AIS- tion IV, the AIS-powered reactions are analyzed, detailing
powered reaction methodology is proposed, aiming at se- the algorithms needed to achieve their purposes. Next, Sec-
lecting and enforcing the optimal set of atomic countermea- tion V presents the results of the conducted experiments,
sures on the assets of the protected system exposed to risk. highlighting and discussing the advantages and drawbacks
By leveraging the standard countermeasures representation of the methodology. Finally, Section VI concludes the paper,
presented in [16], the reaction phase entities are first trans- proposing some interesting future lines to further contribute
lated to the artificial immunological ecosystem. Then, an to the reaction ecosystem.
index to evaluate the convenience of enforcing a particular
atomic countermeasure on an asset is proposed, namely, II. BACKGROUND
the countermeasure benefit. Notably, such an index intends Although both academy and industry are focusing their effort
to capture the quantitative characteristics of a countermea- around the cybersecurity context, some issues regarding the
sure, i.e., its effectiveness, impact, and cost. To this extent, reaction ecosystems are still unsolved [10]. As a matter of
since more than a countermeasure may be enforced on the example, potential tools to counteract ongoing threats are the
same asset, a careful analysis is carried out to study from Intrusion Reaction Systems (IRSs), which are IDSs (Intru-
a quantitative perspective the combined effect of multiple sion Detection Systems) capable of reacting against suspi-
countermeasures to be applied on such a same asset. Sub- cious activities in real or near real-time [17]. Additionally,
sequently, the AIS-powered reaction is presented, detailing recent efforts have been put to provide commercial SIEM
the steps needed to successfully respond and distinguish its (Security Information and Event Management) systems with
properties for static and dynamic reactions. In particular, the automated response capabilities [5]. Those proposals indeed
antibodies are modeled as sets of atomic countermeasures represent a significant advance in the endless arms race
2 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
among malevolent entities and defensive teams, but one is modeled as a set of components that possess state vari-
could say that there is still a long way to go. ables (i.e., active, updated, new version available, corrupted,
Next, we analyze the most recent and relevant works re- vulnerable). The DRL learns from a simulated version of the
garding the countermeasures selection framework, highlight- real system and then is tested on it in a successive phase
ing their main properties and drawbacks. Then, we present with a reward function based on execution time and cost of
some preliminary concepts to help readers fully understand the actions executed. Experiments are added to compare the
the features of the AIS field, which motivate the presented proposed DRL with Q-learning, focusing on non-stationary
methodology. Last but not least, the countermeasure standard systems, demonstrating its feasibility.
proposal presented in [16] is summarized since it represents Furthermore, a methodology to generate fine-grained re-
an essential basis on which this work is built. sponse policies is presented in [23]. Starting from 4 fun-
damental questions about the reaction phase (i.e., which
A. RELATED WORKS countermeasures should be selected, where should they be
Within the cybersecurity field, the reaction phase against deployed, in what order multiple countermeasures are de-
a cyberattack has been significantly less explored than the ployed, and how long do the countermeasures last), the au-
detection one, mainly due to the open challenges that still thors proposed a decision-making framework for IRS that op-
affect the response ecosystem, as well as a greater complexity timizes the responses based on four metrics (i.e., attack dam-
at empirically validating the research outcomes [18], [19]. In age, deployment cost, negative impact, and security benefit).
this direction, the work in [10] analyzed the major reaction To solve such an optimization problem, a Genetic Algorithm
proposals from 2012 to 2017, highlighting their principal with Three-dimensional Encoding (GATE) is considered,
advantages and potential deficiencies. where a set of meta-policies represents each individual.
Besides, in [20], the integration of a Stateful Return on Moreover, the authors in [24] presented an innovative
Response Investment (StRORI) metric within Hypergraph methodology for picking countermeasures based on AI tech-
models was proposed to effectively evaluate the potential niques and the production of security metrics. The main goal
application of countermeasures based on economic and threat is to select accurate responses to cyberattacks in near real-
assessment parameters. By solving the challenges affecting time, leveraging the data stemming from external security
classic RORI-based models (i.e., do not consider the al- data sources and SIEM systems. To further define relation-
ready deployed countermeasures), such metric is able to rank ships among the various entities, an ontological strategy is
countermeasures also analyzing the previously implemented introduced, joint with the logical inference used to extract
security measures. Then, the efficacy of the presented model knowledge. Then, the most probable attack path is predicted
is demonstrated by developing a prototype in a real use case using an attack tree to deploy the optimal remediations.
scenario, using the attack graph modeling. Notably, the Com- Likewise, authors in [25] developed a procedure to achieve
mon Vulnerabilities and Exposures (CVE)1 and Common minimum cost defense in the context of Cyber-Physical
Attack Pattern Enumeration and Classification (CAPEC)2 are Systems (CPS). In particular, such a procedure chooses op-
leveraged as standard knowledge bases of vulnerabilities and timal defense nodes using the Atom Attack Defense Trees
attacks, respectively, to support their claims. (A2DT), which is a variant of the more conventional Attack-
Additionally, a framework to respond to multi-path attacks Defense Tree (ADT) model. Then, the authors used an ad-hoc
is presented in [21]. Specifically, the authors formulated methodology to solve the path calculation over the A2DT and
the problem of reacting to those attacks as an optimization demonstrated its applicability through 2 use cases (i.e., Auto-
problem, which appears to be NP-hard. To resolve such a mated Teller Machine (ATM) and Supervisory Control And
problem, they proposed an ad-hoc greedy algorithm to select Data Acquisition (SCADA) systems). Similarly, in [26], au-
the most appropriate countermeasures in a cost-sensitive way. thors leveraged the ADT based on Directed Acyclic Graphs
Authors leveraged the PART (Probabilistic Attack-Response (DAGs) and then extracted from an ADT its defense se-
Tree) models to represent potential attacker movements and mantics describing how the two actors (i.e., attacker and
evaluate three metrics: security benefit, deployment cost, and defender) may interact. Later, the ADT is translated into an
negative impact. Moreover, the feasibility of the proposed Integer Linear Programming (ILP) problem that considers
approach is later proved within a common virtual network the various constraints (e.g., economic, actions of the actors,
presenting known CVE vulnerabilities. etc.). Notably, the authors developed an open-source tool to
Also, authors in [22] proposed an approach to implement automate the described methodology.
a model-free IRS based on Deep Reinforcement Learning The described works represent an important step within
(DRL). To deal with the size of modern network infrastruc- the reaction strategies ecosystem. Nevertheless, none of them
tures and their non-stationary characteristics, the method- leverages the significant advantages given by the adoption
ology utilized DRL to find near-optimal responses in an of a standard countermeasure representation. Moreover, very
acceptable time. More in detail, the system under protection few of them feature the adaptability of the selected counter-
measures against potential threats. It is clear that a methodol-
1 https://cve.mitre.org/ ogy capable of adapting its response based on the asset over
2 https://capec.mitre.org/ time would be extremely valuable when it comes to selecting
VOLUME 4, 2016 3
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
the optimal set of countermeasures to counteract threats the capabilities of such a bio-inspired methodology to detect
within the network, considering the resource availability at a vast number of unknown patterns (nonself objects) from
any time. Then, another important lack is highlighted in the normal ones (self objects), often using limited resources [41].
literature, that is, the reaction frameworks are applied to spe- Nevertheless, recent studies reveal that a remarkable research
cific scenarios leveraging a comprehensive knowledge of the effort has been put on detecting the threats and that real-time
protected system. One could argue that, in order to be generic mitigation or response has not been considered that much,
and thus applicable to several contexts, the countermeasure though [15]. In this direction, it is worth remarking that the
strategy should possess as little prior knowledge of the threats existing tools to counteract cyberattacks (i.e., the abovemen-
as possible. To this extent, the AIS-methodology is able to tioned IRS and new-generation SIEM) do not integrate AIS
provide countermeasures by leveraging the non-determinism solutions within their capabilities.
of the solution. In fact, the execution of the AIS-methodology
may generate more than one applicable countermeasure so C. COUNTERMEASURES STANDARD
that human decision-makers can strategically select the best REPRESENTATION
actions to undertake from a set of potentially effective solu- One of the most prominent challenges within the reaction
tions. ecosystem is the lack of a standard countermeasures rep-
resentation, whose direct consequence is the absence of a
B. ARTIFICIAL IMMUNE SYSTEMS
commonly shared and widely adopted knowledge base of
Living beings have developed multiple immune mechanisms remediations. To solve this issue, in our previous work [16],
in an effort to battle against dangerous antigens harming their we contributed to this field by proposing a representation that
health [27]. Those immune mechanisms form part of the details with fine granularity the fields needed to model the re-
biological immune system, which features high distribution mediation object accurately. We believe that such a proposal
and parallelism within the organisms, with several cells, is beneficial to foster the reaction knowledge sharing among
proteins, and organs participating [28]. different security teams, thus building more robust response
Within the digital world, AIS represent the equivalent of plans as an ultimate goal.
the biological immune system to solve non-biological but
computational problems. In fact, the AIS aim to emulate the cmID = (ID, Eff , Imp, Cost, Ωc , Ωp , Ωv , Ωa , φ, P , δ )
mechanisms and behaviors observed by the immunologists in | {z } |{z}
mandatory optional
order to be applied to a particular problem [15]. After a quite
(1)
complex modeling phase, AIS have been successfully applied
to various fields of digital knowledge, including optimiza- The proposed definition is shown in Equation 1, while its
tion theory [29], data analysis [30], image recognition [31], components are described in the following:
and computer security [32]. More specifically, AIS-based • ID ∈ N is the unique identifier of the countermeasure.
proposals have arisen to solve cybersecurity challenges for • Eff ∈ {L, M, H, X} represents the residual effective-
anomaly detection, intrusion detection, malicious process ness of the countermeasure, referring to its capability to
detection, scan and flood detection, and fraud detection, neutralize the threat.
among others [33], [34], [35], [36] others. Those proposals • Imp ∈ {L, M, H, X} represents the residual impact of
rely on the capabilities of four main bio-inspired techniques, the countermeasure since it can negatively impact the
namely, negative selection, clonal section, artificial immune corresponding asset(s) within the protected infrastruc-
networks, and Danger Theory [28], [37], [38]. ture.
Specifically, the clonal selection theory indicates that de- • Cost ∈ R+ represents the residual cost of the counter-
fined antibodies, in order to effectively counteract the mali- measure, which contains deployment, maintenance, and
cious antigens, iteratively pass through various steps, namely: indirect costs.
cloning, hypermutation, and selection phases. Throughout • Ωc = {ci ∈ C} is the link to common configuration
each iteration, the antibodies are further improved, getting knowledge base C to which the designed asset refers.
closer to the optimal solution. In this direction, the CLON- • Ωp = {pi ∈ P } is the link to common platform
ALG algorithm was proposed in [39], aiming at solving knowledge base P to which the designed asset refers.
optimization and pattern recognition problems. Later on, • Ωv = {vi ∈ V } is the link to common vulnerability
this algorithm has been used to answer cybersecurity-related knowledge base V to which the exploited vulnerability
issues [40]. Also in this case, the modeling phase requires refers.
a notable effort since the main components of the problem • Ωa = {ai ∈ A} is the link to common attack knowledge
that has to be solved need to be translated and encoded base A which the countermeasure counteracts.
into immuno-related elements to apply such a bio-inspired • φ describes the enforcement of the countermeasure in a
technique. machine-readable format.
As previously mentioned, several academic works pro- • P = {p1 , p2 , ..., pn }, n ≥ 0 describes the parameter(s)
posed the application of AIS to solve open challenges within a certain countermeasure may need in order to be imple-
the cybersecurity field. In particular, those works leveraged mented.
4 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
• δ includes additional information about the countermea- threats from happening, or at a reactive stage since it also is
sure, particularly: capable of eradicating an ongoing attack and remedying its
-- a textual description, in human-understandable lan- adverse effects. In the context of this research, the authors
guage. distinguished between i) static countermeasure, referring to
-- a field indicating whether the deployment of the coun- its preventive capabilities, and ii) dynamic countermeasure,
termeasure demands software or hardware changes. indicating its reactive ones [16]. Thus, valuable features of
-- a flag specifying if the countermeasure is static or the AIS methodology are imported to the reaction context,
dynamic. and listed in the following:
-- a field expressing whether the countermeasure is of • Uniqueness: like in the immune system, each reaction
short-term or long-term duration within the reaction here is unique against a specific threat.
strategy. • Distributed reaction and self-regulation: no central
-- examples of the enforcement (e.g., in pseudocode). coordination and control are required during the reactive
-- if applied for cyber defense, linkage to military tac- immuno-operation.
tical, strategic, or operational decisions, which may • Diversification: clonal selection and hypermutation
provide structures describing, among others, related constantly compute and present better responses to
Courses of Action (CoA), command hierarchy, or shield the system assets under attack.
mission-centric expected impacts. • Self-protection: the reactive immuno-reaction protects
In particular, the discrete values proposed for the residual nothing else but the designed assets, generating a tai-
effectiveness, impact and, cost stay for Low (L), Medium lored response while minimizing the negative impact.
(M), High (H), and Not Defined (X), respectively. We indi- • Memorization: reaction information is saved to opti-
cate those values as residual since they represent intrinsic mize responses in the future.
values of the countermeasure that persist during the time. By adopting the aforementioned features, one could easily
Then, when a certain countermeasure has been selected to say that the enforced reaction exhibits the desired properties
be enforced on a specific asset, it assumes real effectiveness, in an effort to be optimal.
impact, and cost values, which also rely on other parameters
which are connected to the countermeasure object itself, such A. RATIONALE
as the dependencies among the corrupted services, the time Before analyzing the proposed AIS methodology to select
needed to be implemented, or the perception of military- the countermeasures, some fundamental concepts must be
strategic planes, to cite some examples. explained to understand further the cybersecurity context in
In addition to the presented fields, another parameter is which such immuno-algorithm is applied. Indeed, an appro-
introduced to further corroborate the reaction steps. That is, priate modeling phase is fundamental to propose an AIS
M ∈ [0, 1] defines the maturity of a previously-hardened solution that can solve the problem correctly [15].
countermeasure enforced within the system. Specifically, M First, the system under protection can be modeled as a
takes into account how effective the enforcement of a security collection of several assets. Those assets present distinct
measure was on a certain asset of the system during a specific software and hardware configurations and are deployed to
period. Obviously, if such enforcement was effective (e.g., execute various tasks. For instance, a web server that is
by blocking an attack targeting an asset), the countermeasure in charge of serving requests coming from the Internet, a
tends to be considered as more mature and thus fired again database that memorizes data of interest, or a firewall that
against similar threats against similar assets. The maturity M filters the incoming connections, to name a few. It is worth
of a countermeasure is calculated as the number of times the noticing that the number of assets composing the ICT infras-
countermeasure has been effective Ns divided by the total tructures nowadays is huge due to the central role of those
number of implementations Ns + Nf , where Nf symbolizes systems in humans’ everyday life.
the number of times the countermeasure failed to counteract
the threat, as shown in Equation 2. A = {A1 , A2 , . . . , ANA } (3)
Ns Specifically, Equation 3 clarifies the set of assets A of the
M(cmi ) = (2)
Ns + Nf entire system of cardinality NA , where Ai represents a
generic asset. Each of those assets possesses a value indi-
III. METHODOLOGY cating its criticality CR(A) ∈ [0, 1]. Such a value indicates
In the light of the above, an adaptation of the AIS algorithm the importance of the asset for the network from a strategic
is proposed, aiming to cherry-pick the optimal set of coun- or economic perspective, where 0 denotes a low critical
termeasures to fire against a cyberthreat occurring within asset, while 1 stands for a highly critical one. For example,
the protected system. It has to be remarked that the AIS- the database storing the personal data of the employees
powered selection of countermeasures covers the entire spec- can be considered of high value for an enterprise, thus the
trum of the reaction ecosystem. Specifically, it can be fired corresponding criticality value is expected to be high (e.g.,
at a preventive phase due to its ability to prevent potential CR(database) = 0.9).
VOLUME 4, 2016 5
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
Obviously, the assets of the systems are prone to expose countermeasures that can be enforced on the entire assets set
security vulnerabilities. In this sense, the number and fre- A:
quency of newly-discovered vulnerabilities are constantly CM = {cm1 , cm2 , . . . , cmN } (8)
increasing, posing a complex challenge to the CSIRT (Com-
Concretely, Equation 8 illustrates the countermeasure set
puter Security Incident Response Teams). Such growth is
CM constituted of N countermeasures cmi . It has to be
mainly due to the sophistication of modern assets but also
stated that the countermeasures belonging to the aforemen-
to the high demand for new market-ready functionalities [1].
tioned set have to be considered as atomic objects, meaning
Vulnerabilities scanners normally report the vulnerabilities
that each one of them represents a fine-granularity reac-
by means of vulnerabilities reports3 . Thus, each asset of the
tion step. Besides, the countermeasures set features high
network is connected to a vulnerabilities set, assuming that an
dynamism within the reaction strategy since the included
asset can possess one or more vulnerabilities simultaneously.
atomic countermeasures can be deleted (e.g., an individual
V (Ax ) = {VAx 1 , VAx 2 , . . . , VAx l } (4) asset or threat does not exist anymore in the system) or
! added (e.g., the appearance of new assets or threats) over
N
[A time. Additionally, the countermeasures are stored following
V = {V1 , V2 , . . . , VNV } = V (Ax ) (5) the standard representation described in Section II-C. Those
x=1 objects represent the antibodies that the AIS-powered coun-
Explicitly, each asset Ax of the system is associated with termeasure system will select to fight against the antigens.
its vulnerabilities set V (Ax ) characterized by a certain num- Possible examples of countermeasures are “update software”
ber of vulnerabilities VAx i , as shown in Equation 4. To this in the context of a static reaction or “stop service” for a
extent, the union of the vulnerabilities set of all the assets dynamic reaction.
is represented as V (see Equation 5), where Vi means a More specifically, for each asset of the network, a subset of
generic vulnerability within the entire system. Furthermore, the entire countermeasures set is defined. Those remediations
the vulnerabilities of the assets can be potentially exploited are tailored for a certain asset (e.g., software and hardware
by cyberattacks performed by ill-motivated entities, aiming configuration, etc.), considering the vulnerabilities or the
at violating or interrupting their confidentiality, integrity, and attacks that can threaten it. Besides, we assume that one or
availability (CIA). Such attacks are growing in complexity more countermeasures can be enforced simultaneously on the
and power: multi-steps and zero-day attacks represent clear asset to fight against possible threats. Therefore, we denote
examples in this sense [21]. In this context, we denote ongo- the countermeasures set CM (Ax ) containing the atomic
ing attacks happening within the network with: countermeasures cmAx i that can be enforced on the asset
Ax in Equation 9; so CM (Ax ) can be understood as an
T = {T1 , T2 , . . . , TJ } (6) action plan that describes the sequence of cmAx i counter-
measures against the situation that triggered the execution of
Equation 6 refers to the attack set T composed by all the the bio-inspired algorithm. Precisely, each countermeasure
ongoing individual attacks Ti . Those attacks are unknown set CM (Ax ) of the asset Ax is contained within the coun-
to the system before potential security incidents manifest, termeasure set CM .
and they are detected by the security devices (e.g., IDSs,
CM (Ax ) = {cmAx 1 , cmAx 2 , . . . , cmAx j }
firewalls, etc.) deployed within the network. Those security (9)
devices, together with the vulnerability scanners, represent CM (Ax ) ⊆ CM
the detectors of the potential anomalies.
B. COUNTERMEASURE BENEFIT
Both vulnerabilities V and attacks T that may appear
The selection of the optimal set of countermeasures has
within the network are considered threats against the assets.
to consider the inherent tradeoff between the effectiveness
In particular, we denote such threats with τ (as reported
of the remediation and its negative impact and cost [42].
in Equation 7). Referring to the AIS methodology, they
Such balance burdens on the security administrator that
represent the antigens against which the selection of coun-
has to maintain an adequate level of protection with a
termeasures generates the response using antibodies.
limited budget. Bearing this in mind, in the context of
this research, we propose an index to evaluate the conve-
N
!
[ A
6 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
10.00
sure does not decrease the total benefit. More specifically,
9.00 the enforcement of an atomic countermeasure generates a
8.00 8
7.00
benefit B > 1 that does not interfere with the enforcement of
Benefit
VOLUME 4, 2016 7
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
B({cm1 , cm2 , . . . , cmN }) = Ax is highly critical (e.g., CR(Ax ) ≈ 1), the corresponding
N
!
X g x ) ≈ 0).
acceptable risk level is extremely low (e.g., RL(A
max1≤i≤N (B(cmi )) + min B(cmi ), 10 (15)
This means that, in case of the appearance of any threat
i=1 jeopardizing Ax , the countermeasures selection strategy shall
2 enforce efficient security measures to reduce the risk level
C. RISK LEVEL EVALUATION RL(Ax ) to RL(A
g x ). On the contrary, if Ax possesses a low
The selection of the optimal set of countermeasures, and its criticality value (e.g., CR(Ax ) ≈ 0), the acceptable risk level
g x ) ≈ 10). In this case, if any threat
is quite high (e.g., RL(A
subsequent enforcement, aims at protecting the assets of the
system by tuning the risk level as an ultimate goal. Hence, we appears, the selection methodology may decide not to enforce
define the risk level RL(τk , Ax , CMj (Ax )) ∈ [0, 10] (where countermeasures at all or remove them from the selection.
RL = 0 represents a situation of no risk, while RL = 10 Bearing this in mind, the optimal selection of countermea-
expresses an extremely-high risk one) of a certain asset Ax , sures is in charge of minimizing the difference between the
facing the threat τk , and protected with the set of atomic measured risk level RL and the acceptable risk level RL g of
countermeasures CMj (Ax ), as: each asset Ax of the system threatened by τk , as shown in
Equation 18. From now on, function f is referred to as fitness
P (τk , Ax ) × I(τk ) × CR(Ax ) function.
RL(τk , Ax , CMj (Ax )) =
B(CMj (Ax ))
s.t. min f = |RL(τk , Ax , CMj (Ax )) − RL(A
g x )| (18)
CMj (AX )
0 ≤ P (τk , Ax ) ≤ 1
Particularly, since the value of the fitness function belongs
1 < I(τk ) < 10 to the interval [0, 10], Equation 18 directly indicates that a
0 < CR(Ax ) < 1 lower value of fitness implies a better solution. It is worth
1 ≤ B(CMj (Ax )) ≤ 10 remarking that, in the case of a static reaction, the threat τk is
(16) replaced by a vulnerability VAx k , while, during the dynamic
In Equation 16, several parameters are considered to cal- reaction, τk is represented by an attack Tk . Moreover, when
culate the risk level correctly. First, P (τk , Ax ) represents the it comes to cherry-picking the correct countermeasures, it is
probability of the occurrence of the threat τk over the asset possible to leverage the flag presented within the countermea-
Ax . Second, I(τk ) expresses the negative impact of the threat sures standard representation in Section II-C that indicates
τk on the asset Ax or the normal network operations. Then, whether the countermeasure features static or dynamic char-
the criticality of the asset CR(Ax ) is added since we assume acteristics.
that the more critical the asset is, the higher the risk level. In
an effort to reduce the risk, a set of countermeasures can be IV. AIS-POWERED REACTION
potentially enforced, generating a benefit B(CM (Ax )). As previously mentioned, the AIS-powered selection of
In this direction, enforcing a set of countermeasures on countermeasures embraces both static and dynamic reac-
a specific asset should avoid risk minimization blindly. In tions. Throughout this Section, particular focus is given to
fact, the implementation of security measures should prevent the methodologies to effectively react to malicious events
both the underprotection or overprotection conditions over threatening the assets of the system under protection. In
the assets of the system. For instance, excessive enforcement particular, the algorithms presented next must be considered
of countermeasures may result, on the one hand, in overpro- part of the paper’s contribution since they represent a novel
tecting the assets, minimizing the risk more than necessary adaptation of the AIS to the reaction ecosystem. For a quick
(and possibly impacting their usability and consuming more reference, Figure 2 illustrates the flow of events and the main
resources). Thinking to scenarios in which the availability components involved within the static and dynamic reactions
of the resources is acutely low and controlled (e.g., IoT that will be detailed next.
scenario), employing more resources than the ones that are
effectively needed is not recommended. On the contrary, A. AIS STATIC REACTION
an incorrect selection of countermeasures may culminate in If any dangerous vulnerability is exposed by an asset within
underprotecting the assets, exposing them to concrete threats, the network, the AIS static reaction is in charge of interven-
which in critical scenarios may cause high risks for the entire ing in a preventive fashion. Recalling Equation 16, the risk
system. To solve such a problem, the acceptable risk level level for the AIS static reaction can be defined as follows:
g x ) ∈ [0, 10] is assigned to each asset of the network
RL(A P (VAx k , Ax ) × I(VAx k ) × CR(Ax )
Ax , and is defined as: RL(VAx k , Ax , CMj (Ax )) =
B(CMj (Ax ))
g x ) = α × (1 − CR(Ax )) (19)
RL(A (17)
Specifically, the vulnerability VAx k represents the antigen
As seen in Equation 17, such an important parameter is against which the antibodies (i.e., set of atomic countermea-
directly derived from the criticality CR(Ax ) of the asset Ax sures CMj (Ax ) of the asset Ax ) must be selected. Besides,
by adding the scaling factor α = 10. In particular, if the asset P (VAx k , Ax ) represents the probability that the vulnerability
8 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
• Involved assets
• Spotted vulnerabilities
• Involved assets
• Exploited vulnerabilities • Configuration knowledge base
• Attack probabilities • Platform knowledge base External
• Vulnerability knowledge base
sources
• Attack knowledge base
VAx k of the asset Ax is exploited. Then, I(VAx k ) mea- asset that exposes the vulnerability, the ID, and the severity of
sures the impact that the exploitation of the vulnerability the vulnerability, among others. A widely-used vulnerability
VAx k has on the asset and, consequently, on the system. scanner is OpenVAS5 , an open-source and powerful vulner-
Both P (VAx k , Ax ) and I(VAx k ) can be directly derived ability assessment tool capable of vulnerability scanning and
from Common Vulnerability Scoring System (CVSS4 ) fields management. It identifies the active services, open ports, and
related to VAx k . Since an asset can expose one or more running applications across the machines.
vulnerabilities simultaneously, a risk level calculation must Furthermore, in lines 8-14, the SIEM receives the vulnera-
be computed for each vulnerability. Thus, the main goal bility reports and inspects the information contained in them.
of the AIS static reaction is to calculate the optimal set of Specifically, for each asset Ax that presents a vulnerability
countermeasures CMj that minimizes the fitness function f . Vi , the correlated parameters P (Vi , Ax ), I(Vi ), and CR(Ax )
More specifically, for each asset Ax of the system exposing are extracted (line 10) in an effort to determine the risk level
vulnerabilities V (Ax ), such a function is calculated as the RL associated with the specific vulnerability in the absence
difference between (i) the sum of the measured risk levels of implemented countermeasures (line 12). Bear in mind
RL generated by the vulnerabilities divided by the number that B = 1 in case of “no action”, that is, the absence of
of vulnerabilities of the asset V (Ax ) and (ii) the acceptable implemented countermeasures, as initialized in line 11.
risk level RL
g of those assets, normalized by NA , as shown in Then, lines 15-22 detail the AIS static methodology to
Equation 20: select the optimal set of countermeasures. More in detail, an
PNA PVi ∈V (Ax ) RL(Vi ,Ax ,CMj (Ax )) g initial set of random solutions CM is generated (line 15). This
− RL(A )
x=1 |V (Ax )| x set contains the antibodies used to fight against the antigens
min f = (i.e., vulnerabilities). Each one of the antibodies CMj is, in
CMj NA
(20) turn, a set of atomic countermeasures to be implemented on
The pseudocode of the AIS static reaction is reported in each asset Ax that exposes a vulnerability Vi . In order to
Algorithm 1. To this extent, we assume that a certain number improve the initial generation of the solution, it is possible
of vulnerabilities scanners S ∈ S are deployed within the to leverage the maturity field M (Equation 2). That is, if
network. Those tools are in charge of scanning the assets any of the atomic countermeasures possesses a high maturity
of the network with a determined frequency (e.g., once per score against a particular vulnerability, it can have a higher
hour) to spot potential vulnerabilities. Concretely, lines 1-7 probability of belonging to the initial set of solutions.
describe the task of the vulnerabilities scanners S in search Once the initial generation has been performed, the affinity
of potential vulnerabilities Vi , which perform as antigens in of the antibodies is calculated (line 17). The pseudocode of
the proposed static version of AIS methodology. Whenever this function is reported in Algorithm 2. In particular, for each
a previously unknown vulnerability is found, a vulnerability asset Ax presenting a vulnerability Vi and for each atomic
report vri is created and sent to the SIEM for further analysis. countermeasure cmk assigned to the solutions CMj ∈ CM,
In particular, this report contains vital information such as the the benefit B of the countermeasures (Equation 10) and the
4 https://www.first.org/cvss/ 5 https://www.openvas.org/
VOLUME 4, 2016 9
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
RL (Equation 19) are calculated. To this extent, if more coun- better solutions.
termeasures have been selected as a solution to be enforced Afterward, the produced K clones {CMj1 , . . . , CMjK }
on the same asset Ax , the combined benefit B(CMj (Ax )) are mutated (line 19), as illustrated in Algorithm 4. More
must be evaluated as shown in Equation 15. Then, for each specifically, each set of atomic countermeasures (i.e., cloned
CMj ∈ CM, the corresponding fitness function f (CMj ) is antibody) undergoes through a mutation consisting of adding
calculated as illustrated in Equation 20. Besides, the average or removing an atomic countermeasure from the set with a
affinity of the antibodies is computed. certain probability P . To this extent, the proposed mutation
Later, in line 18, the antibodies with the highest affinity adds or removes one atomic countermeasure from a clone
(i.e., sets of atomic countermeasures which minimize the CM generating CM 0 with the same probability P = 0.5.
function f ) are cloned, as shown in Algorithm 3. Concretely, Then, the affinity of the mutated clones f (CM 0 ) is computed
the solutions CMj ∈ CM are ordered by increasing fitness (i.e., the fitness is evaluated). If such affinity is greater than
function f , and consequently, the K best CMj are cloned, the average affinity of the antibodies in the solution space
thus expanding the solutions space CM. At this stage, a avg_af f inity(CM) (i.e., the atomic countermeasures of the
crucial point is the correct selection of K. On the one hand, clones are not effective against the vulnerabilities), then those
a reduced number of clones may avoid creating a broad clones are removed. Otherwise, they become part of the
population (which leads to diversity in the solution). On the solutions set CM, replacing the lowest affinity antibodies in
other hand, the generation of several clones may slacken the CM at that instant.
convergence of the algorithm toward acceptable solutions. In Next, in line 20, the antibodies with the lowest affinity
this direction, a potential improvement is the selection of K are removed from the solution space, as reported in Algo-
proportional to the fitness function f . For instance, if such rithm 5. In particular, the K sets of atomic countermeasures
a function has not been sufficiently minimized (because of that exhibit the lowest value for the fitness function f are
the low affinity of the antibodies), the number of clones may eliminated from the solutions set CM, and, therefore, they
be higher to further explore the solutions space to search for are replaced with K random sets. Also in this case, as for the
10 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
Algorithm 3 clone_antibodies(CM).
1: for all CMj ∈ CM do
2: Order by f (CMj )
3: end for
4: Clone K best CMj , {CMj1 , . . . , CMjK } . K proportional to fitness function f
Algorithm 5 replace_antibodies(CM).
1: Eliminate K lowest affinity CM from CM
2: Add K randomly generated CM to CM
initial random generation (line 15), the maturity M of the adequate number of iterations. In this direction, since the
countermeasures may be considered. AIS static reaction is executed in a preventive fashion (i.e.,
Finally, the best antibody is assigned to the final solution the vulnerabilities are present within the system but are not
(line 21). The loop of lines 16-22 of Algorithm 1, contain- currently under exploitation), it is coherent to assume that the
ing the AIS static reaction methodology, continues till the algorithm can be run off-line and with a sufficient number of
stop condition is not met. Thus, it is clear that the choice iterations. Besides, the stop condition can be further enriched
of a correct stop condition is fundamental to execute an by adding finer-granularity options, such as the acceptable
VOLUME 4, 2016 11
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
12 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
(i.e., targeted asset Ax and connected ones), the correspond- countermeasures (i.e., CM (Ax ) = no action) is calculated
ing parameters P (Tk , Ax ), I(Tk ), and CR(Ax ) are extracted (line 12). During the dynamic reaction, it has to be remarked
(line 11), and the associated risk level RL in the absence of that timing is one of the most critical factors. Therefore, each
VOLUME 4, 2016 13
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
step needs to be executed in a timely fashion. Next, lines equiprobable with a probability P = 0.25. Consequently, the
15-22 contain the AIS dynamic methodology to select the affinity of the mutated clones f (CM 0 ) is computed (i.e., the
optimal set of countermeasures. Similarly to the AIS static fitness function is measured). If such affinity is greater than
reaction, an initial set of random solutions CM is generated the average affinity of the antibodies in the solution space
(line 15). This set serves as antibodies that will be used to avg_af f inity(CM) (i.e., the atomic countermeasure of the
counteract the antigens (i.e., the ongoing attack). Besides, clones are not adequate against the attack), then such clones
also in the dynamic variant, the maturity M (Equation 2) can are removed. Otherwise, they are added to the solutions set
be used to refine such an initial generation. CM, replacing the lowest affinity antibodies in CM at that
Once the initial generation of random antibodies has been instant.
achieved, the affinity of those antibodies is determined (line Afterward, in line 20, the antibodies with the lowest affin-
17). Specifically, as shown in Algorithm 7 for each asset ity are removed from the solution space CM. This step of the
Ax ∈ Y (Ax ) exploited by an ongoing attack Tk , and for dynamic reaction is equivalent to Algorithm 5 described for
each atomic countermeasure cmh belonging to the solutions the static version.
CMj ∈ CM, the benefit B of the countermeasures (Equa- Finally, the best antibody is chosen as a final solution (line
tion 10) and the RL (Equation 21) are evaluated. In this 21). The loop of lines 16-22 of Algorithm 6 endures till
direction, if more reaction steps have been selected to be the stop condition is not met. So, the selection of a specific
implemented on the same asset Ax , the combined benefit stop condition is vital to perform an acceptable number
B(CMj (Ax )) must be computed as specified in Equation 15. of iterations. To this extent, and in contrast with the AIS
Further, for each CMj ∈ CM, the corresponding fitness static methodology, the dynamic process is performed in a
function f (CMj ) is computed, as shown in Equation 23. reactive fashion (i.e., the assets of the system are actively
Besides, the average affinity of the different antibodies is under attack). Thus, it is clear that the algorithm needs to
calculated. be executed by prioritizing the timing factor. Moreover, the
Then, in line 18, the antibodies with the highest affinity acceptable risk level RLg can also be used to improve the
(i.e., set of atomic countermeasures able to minimize the risk) selection of the optimal set of countermeasures.
are cloned. This step is equivalent to Algorithm 3 proposed Once the loop in lines 16-22 ends, and consequently, the
for the static version, where K clones {CMj1 , . . . , CMjK } best antibody has been found, the atomic countermeasures
are generated proportionally to the fitness function f . forming the solution go through an updating stage (lines 23-
Later, line 19 performs the mutation phase of the clones 27). More specifically, like in the static reaction, the links to
{CMj1 , . . . , CMjK }, as reported in Algorithm 8. Precisely, the external common security knowledge bases are updated,
each set of atomic countermeasures (i.e., cloned antibody) as well as the maturity of the atomic security measures
experiences a mutation process consisting of adding or re- against the eradicated attack. Then, the attack set T is emp-
moving an atomic countermeasure or even modifying its tied.
parameters with a certain probability P from a clone CM
generating CM 0 . In this direction, the presented mutation C. EXPLANATORY EXAMPLE
modifies the enforcement parameter of a countermeasure To help the reader further understand the proposed methodol-
with a probability P = 0.5, while the addition or removal are ogy, let us illustrate its capabilities and potentialities using an
14 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
explanatory example. In particular, a Smart Home scenario parameters involved in the calculation of the optimal set of
is presented, where an external attacker is actively trying to atomic countermeasures are illustrated in Table 1.
jeopardize the interconnected smart devices. Figure 3 depicts Regarding the wireless AP, it is considered a quite high
the mentioned scenario, detailing the assets as follows: critical asset within the network, thus CR(A1 ) = 0.85.
• Asset A0 : It is a smartphone connected to a wireless Consequently, the acceptable risk level is RL(A
g 1 ) = 1.5. In
Access Point (AP) to gain Internet access. Such a de- addition, the impact of the exploited vulnerability is I(T1 ) =
vice does not possess any vulnerability in the proposed 8.8, which is the base value calculated by the CVE. Then, we
scenario, that is, V (A0 ) = ∅. assume that the probability of exploiting such vulnerability
• Asset A1 : It is a Wireless AP providing Internet connec- is high, i.e., P (T1 , A1 ) = 0.95, which can be seen as the
tivity to the smart devices. In this example, this device confidence that the security devices reporting the detection
exposes two vulnerabilities, so V (A1 ) = {V23 , V43 }. (e.g., IDS) has. So, the measured risk level in this situation is
• Asset A2 : It is a Smart TV connected to the AP to RL(T1 , A1 ) = 0.95 × 8.8 × 0.85 = 7.1. To counteract the
stream multimedia content. This device exhibits two ongoing attack, several dynamic countermeasures are listed
vulnerabilities, that is, V (A2 ) = {V9 , V37 }. in Table 1, together with their residual values. Recall that
such values become real when the atomic countermeasures
Additionally, in this example, we assume that the external
are actually enforced.
attacker is executing an attack against the AP to gain access
Regarding the Smart TV, its criticality value is CR(A2 ) =
to the Smart Home network. Specifically, the malicious ac-
0.7, generating an acceptable risk level RL(A
g 2 ) = 3. More-
tor is exploiting the vulnerability V43 of the wireless AP,
over, the impact that the violation of the exposed vulnera-
which allows external attackers to take complete control of
bility may cause is I(T2 ) = 7.5, which, also in this case,
the device6 . Then, the next target of the multi-step attack
is the base value computed by the CVE. Additionally, the
is represented by the Smart TV that the attacker aims to
probability of exploiting such vulnerability is P (T2 , A2 ) =
compromise through the vulnerability V9 . Such a security
0.7, which we assume is the value that the attack model has
flaw, in turn, allows remote attackers to cause a Denial of
reported for this scenario. Consequently, the risk level for this
Service (DoS) via a crafted web page7 . Thus, the attack path
asset is RL(T2 , A2 ) = 3.67. To block the possible steps of
of the malevolent external entity contemplates the execution
the attackers, the countermeasures in Table 1 are proposed,
of T1 to exploit V43 , and, once this step is accomplished, the
and, similarly to the previous case, their values are residual.
implementation of T2 to misuse V9 .
Yet, some considerations should be made to contextual-
ize the example thoroughly. First, it is worth mentioning
that the presented countermeasures are just a few potential
remediations that can be enforced on the threatened assets
to eradicate the attack. Furthermore, it has to be noted that
it is not realistic to expect the certain presence of a SIEM
solution in this scenario. However, some lightweight alter-
natives can be implemented to preserve the security level
𝐴0 : Smartphone
of the smart devices, which are becoming more important
𝑉 𝐴0 = ∅ every day and critical within the scenario in which they are
𝐴2 : Smart TV
𝐴1 : Wireless Access Point 𝑉 𝐴2 = {𝑉9 , 𝑉37 } deployed [2]. Also, the number of possible combinations of
𝑉 𝐴1 = {𝑉23 , 𝑉43 } atomic countermeasures to be enforced is relatively high,
even in such a small example. In fact, considering only the
possible activations of a countermeasure (without weighing
the parametric countermeasures), the number of possible
External
Attacker solutions for 11 countermeasures is 211 = 2048.
The steps of the AIS dynamic reaction for this tiny exam-
ple are illustrated in Figure 4. First, an initial set of random
FIGURE 3: Abstract view of the Smart Home scenario pro- antibodies is generated. In particular, three antibodies are
posed for this example initially created, i.e., CM = {CM1 , CM2 , CM3 }, selecting
random atomic countermeasures for their composition, i.e.,
In an effort to dynamically shield the targeted smart de- CM1 = {cm2 , cm7 }, CM1 = {cm5 , cm6 }, and CM3 =
vices, the AIS dynamic reaction is fired when the attack {cm1 , cm8 }. Later, the affinity of the generated antibodies
T1 is reported. Specifically, the set of assets that this reac- must be calculated, as indicated in Algorithm 7. At this
tion aims to protect are Y (A1 ) = {A0 , A1 , A2 }, but A0 point, those atomic security measures assume their real value
is excluded since it does not expose vulnerabilities. The against the ongoing threat, which are reported in Table 2.
From those values, it is possible to calculate the benefit
6 https://nvd.nist.gov/vuln/detail/CVE-2017-13772 B(cmi ) (Equation 10). Since no multiple countermeasures
7 https://nvd.nist.gov/vuln/detail/CVE-2019-11889 have been selected to be executed on the same asset, no com-
VOLUME 4, 2016 15
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
TABLE 1: AIS dynamic example settings for the Smart Home scenario.
Attack Countermeasure
Asset Ax CR(Ax ) RL(A
f x)
Vi I(Tk ) P (Tk , Ax ) RL(Tk , Ax ) ID Ef f Imp Cost P δ
• Block external IP
address
cm1 L L L # seconds
• SW – short-term
• Dynamic
• Block AP port
cm2 H M L # seconds • SW – short-term
• Dynamic
# seconds or • AP isolation
Wireless 0.85 1.5 V43 8.8 0.95 7.1 cm3 H H M # frames or • SW – short-term
AP A1 # alerts • Dynamic
• Update AP Firware
cm4 H L L # version • SW – long-term
• Dynamic
• Additional authen-
authentication tication
cm5 M M M
factor • SW – long-term
• Dynamic
• Block internal IP
address
cm6 M M L # seconds
• SW – short-term
• Dynamic
# seconds or • Host isolation
cm7 H H M # frames or • SW – short-term
# alerts • Dynamic
• Patch vulnerability
Smart 0.7 3 V9 7.5 0.7 3.67 cm8 H L L N.A. • SW – long-term
TV A2 • Dynamic
• Unplug Smart TV
cm9 H H L # seconds • HW – short-term
• Dynamic
• Change Smart TV
cm10 H X H N.A. • HW – long-term
• Static
cmX X X X N.A. • No action
bined effect B({cmi , cmj , . . . }) needs to be calculated in In this case, the fitness value of the mutated antibody CM10
this case. Then, the risk level RL(Tk , Ax , cmi ) is calculated is f (CM10 ) = 0.98, slightly improving f (CM1 ), since the
again considering the benefit provided by implementing the benefit of the mutated countermeasure is cm02 = 4.79. Given
selected atomic countermeasures. Additionally, the fitness of that the affinity of CM10 is lower than the average affinity
each antibody is calculated (Equation 23), and, subsequently, avg_af f inity(CM), the mutated antibody becomes part of
their average affinity avg_af f inity(CM) = (0.985+1.37+ the solution space CM replacing CM3 (i.e., the worst affinity
1.53)/3 = 1.348. antibody at this step). Finally, the worst antibody within
the solution space CM2 is removed, and a new randomly
Therefore, the antibodies must pass through the cloning generated one replaces it, say, CM4 , to start a new iteration
and mutation phases. For the sake of simplicity, this example of the AIS methodology.
is run selecting K = 1. Thus, the best antibody CM1 is
cloned. To this extent, we assume that the probabilistic muta-
tion phase in Algorithm 8 selects to modify the enforcement V. EXPERIMENTS
parameter of cm2 ∈ CM1 generating CM10 . Specifically, Several thoughtful experiments have been conducted to
such modification, say, increases the number of seconds dur- demonstrate the capabilities and feasibility of the proposed
ing which the AP port is blocked to stop the external attacker. methodology. Specifically, the tests have been executed on a
16 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
FIGURE 4: Example: AIS dynamic reaction steps for the presented example
TABLE 3: Description and values for each input parameter used in the experiments.
Parameter Description Value Domain
|τ | Number of threats within the protected system [20, 100] N
P (τk , Ax ) Probability of the occurrence of the threat τk over the asset Ax RAND(0,1) R
I(τk ) Impact of the threat τk over the asset Ax RAND(0,10) R
NA Number of assets belonging to the protected system [20, 100] N
CR(Ax ) Criticality of the asset Ax RAND(0,1) R
|CM | Number of countermeasures to be enforced [100, 1,000] N
Ef f (cmi ) Effectiveness of the countermeasure cmi RAND(0,1) R
Imp(cmi ) Negative impact of the countermeasure cmi RAND(0,1) R
Cost(cmi ) Cost of the countermeasure cmi RAND(0,1) R
|CM| Number of antibodies [10, 40] N
K Number of clones |CM|/3 N
Iter Number of iterations of the AIS-powered reaction [100, 1,000] N
VOLUME 4, 2016 17
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
Due to the inherent characteristics of the methodology Iter = 100 and |CM| = 20. Particularly, the fitness value
(as detailed in Section III), several parameters need to be ameliorates slightly, whereas the execution time worsens as
considered and tuned to achieve an optimal configuration the methodology has to calculate more benefit values.
and, subsequently, react against potential threats effectively. Then, the third row (Figure 5g-5h-5i) depicts the effect
In particular, Table 3 resumes the input parameters to be set, of a larger number of iterations setting |CM | = 400 and
together with the values used. To this extent, it has to be |CM| = 10. Specifically, the fitness enhances more signifi-
noted that several values (i.e., P (τk , Ax ), I(τk ), CR(Ax ), cantly in this case, but the algorithm runs for a longer time.
Ef f (cmi ), Imp(cmi ), and Cost(cmi )) are generated ran- Finally, the fourth and last row is composed of a unique
domly to better argue on the capabilities of the presented graph (i.e., Figure 5j), in which the inspected parameters
methodology by introducing randomness. are boosted to the maximum value of the current experiment
Additionally, the random generation of the parameters of simultaneously, i.e., Iter = 1,000, |CM | = 1,000, |CM| = 30.
the threat (i.e., P (τk , Ax ) and I(τk )) allows us to generalize As expected, the fitness value reaches its lowest (thus best)
the reaction efficiency of the AIS-powered methodology value, but the AIS-reaction execution becomes relatively
since the experiments do not focus on specific attacks or sus- slow.
picious activities. In this sense, the AIS-powered methodol- All in all, this experimental phase allows one to con-
ogy is agnostic to the specific threat, as long as it is correctly clude that a higher number of iterations or antibodies harms
detected and reported to the SIEM. From those reports, the the timing performance of the methodology, which over-
SIEM is in charge of extracting the relevant parameters that all operates satisfactorily given the reduction of the fitness
will fire the reaction. value in each test. On the contrary, an increasing number of
Additionally, some of the input parameters related to the countermeasures slightly degrades the execution time of the
system under protection are chosen within an assigned range, algorithm, as expected.
for instance, NA , |τ | ∈ [20, 100], |CM | ∈ [100, 1,000]. This
choice relies on the fact that we believe that such configu- B. ANALYSIS OF RESULTS
rations represent realistic environments of modern systems This section offers an in-depth analysis and discussion on
without loss of generality. Besides, the output parameters the outcomes of the several experiments conducted on the
measured during the experiments are illustrated in Table 4. proposed AIS-powered methodology. Note that each of the
Particularly, it is worth remarking that the possible fitness presented experiments has been repeated 100 times to avoid
values are included in [0, 10], where 0 indicates the optimal the effects of potential outliers due to the randomness of the
solution, and 10 refers to the worst one. used parameters, as reported in Table 3.
Before executing the actual experimental sessions, vari-
ous tests have been executed, aiming at acquiring an initial 1) On the performance of the AIS-powered reaction
knowledge on the sensitivity of the parameters and how First, the fitness values and execution time have been mea-
they affect the overall performance of the algorithm. The sured while increasing the number of iterations, as illustrated
results of such tests are reported in Figure 5. Those tests in Figure 6. For this test, NA = 20 and τ = 20 are randomly
have been carried out by defining a fixed number of assets generated, simulating the existence of 20 compromised assets
(i.e., NA = 20) and threats (i.e., τ = 20) to simulate within the protected system. In addition, the number of coun-
a network in which 20 compromised assets are operating, termeasures and antibodies is fixed, i.e., |CM | = 1,000 and
which represents a small system without loss of generality. |CM| = 20. Explicitly, at each iteration, the output parameters
In particular, for each row of Figure 5, two parameters are are measured and, afterward, the arithmetic medians over
fixed, and the third one is changed to discuss its impact on the 100 repetitions are plotted (i.e., the dashed blue line for the
fitness and execution time. It has to be stressed out that each fitness and the dashed-dotted green line for the execution
experiment has been repeated 100 times to avoid potential time, respectively) together with the corresponding standard
outliers due to the randomness of the considered entities. deviations (the red vertical line and the black one, respec-
Additionally, the first Y-axis (i.e., concerning the fitness) has tively). Thus, the plot in Figure 6 portrays two trends of a
been limited to the [0, 1] interval, whereas the secondary Y- thousand points along with the relative standard deviations.
axis (i.e., relative to the execution time) has been plotted on Regarding the fitness curve, it starts from an initial value
a logarithmic scale. representing the system without any countermeasure en-
Going into detail, the first row (Figure 5a-5b-5c) measures forced. Next, the AIS algorithm initiates, computing the solu-
the impact of an increasing number of antibodies within the tion that aims at minimizing the fitness. While the iterations
solution space, fixing Iter = 1,000 and |CM | = 100. number increases, the fitness of the best solution enhances,
Concretely, it is possible to observe that an increasing count stabilizing its value after 200 iterations approximately. The
of antibodies improves the fitness slightly while deteriorating improvement is then quite contracted down to the end of the
the execution time since the algorithm needs to manage a experiment, ending in f ≈ 0.3. To this extent, it should be
wider population. pointed out that, since the values of the countermeasures,
Next, the second row (Figure 5d-5e-5f) illustrates the assets, and threats parameters are generated randomly, it is
consequence of a growing quantity of countermeasures with very improbable that a solution exists (i.e., a combination
18 VOLUME 4, 2016
P. Nespoli et al.: A bio-inspired reaction against cyberattacks: AIS-powered optimal countermeasures selection
( [ H F X W L R Q W L P H V
( [ H F X W L R Q W L P H V
( [ H F X W L R Q W L P H V