An Attack Impact and Host Importance based Approach to Intrusion Response Action Selection

2022 4th International Conference on Information Technology and Computer Communications (ITCC) (2022)

Abstract
Selecting appropriate actions is crucial for building effective Intrusion Response Systems (IRS) that can counter intrusions according to their priority level. Currently, the priority level of intrusions is determined manually, in a static manner, which is time-consuming, ineffective and cannot scale with the growing number of attacks. In this paper we present an effective event prioritization methodology by encoding domain knowledge, namely attack impact and host importance, into features in terms of confidentiality, integrity and availability (CIA). The proposed approach is demonstrated using a testbed architecture where a total of six features are generated from the domain knowledge and are labeled with appropriate response options. One set of features encodes attack impact in terms of its potential damage and its ability to propagate, and another set of features encodes host importance in terms of data sensitivity, service criticality, number of connections and vulnerabilities on the basis of the CIA factors. The case study results indicate that the generated features help security analysts to select appropriate response options according to the priority level of events. Additionally, as a result of the methodology, a labeled Intrusion Response (IR) dataset is generated. In future work we aim to use machine learning to analyze this dataset to infer actions automatically.