Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.

Agenda
 Motivation
 Automated Intrusion Response
 Challenges
 Response Model
 Individuals Representation
 EC Mechanism
 Evaluation Function
 Preliminary Results

Motivation
 The number of computer attacks is increasing
 Attacks are getting more sophisticated
 The speed of attacks is increasing

Motivation
 Need for Computer Security
–Intrusion Prevention
–Intrusion Detection
–Intrusion Response
 Need for Automated Intrusion Response

Automated Intrusion Response
 Need for Automated Response
–Earlier Response Systems: Notification Systems and Manual Response Systems
–System administrators can neither keep up with the pace at which an IDS delivers alerts, nor react within adequate time limits
–Delay between detection of a possible intrusion and response to that intrusion
–Research by Cohen shows that:
  If delay is 10 hours, intruder has 80% success
  If delay is 20 hours, intruder has 95% success
  If delay is 30 hours, intruder has 100% success

Challenges in Automating Response
 Countermeasures not only defend against an attack, but can also have a negative impact on legitimate users.
–Possibility of the response causing more damage than the actual attack
 Intrusion Detection Systems (IDS) are not perfect and can generate false alarms.
–This has an impact on response, since uncertainty is introduced into formulating a response.

Response Model
 Focus is on choosing, from among alternative response actions, the one with the least negative impact on the whole system
 Basic elements of the model
–Resources (services provided by hosts)
–System Users (users of the network)
–Network Topology (the underlying communication architecture)
–Firewall Rules
 Entities: Resources and System Users together

Dependency
 It is a relation between two entities.
–One entity needs a service from another to be fully operational
 Two types
–Direct (represents the dependency of an entity on a service)
–Indirect (formed due to network topology and firewall rules)
 Indirect dependencies are a precondition to fulfilling direct dependencies

Dependency Tree
 Describes the relationship of an entity with other entities
 Leaf Node: describes an entity that does not depend on other entities
 COMBINE Node: describes an entity that needs access to more than one service
 CHOICE Node: describes an entity that needs access to at least one of a set of identical services

Capability
 The capability c(r) of an entity ‘r’:
–is a value ranging from 0.0 to 1.0, and
–describes to what extent the entity ‘r’ can perform its work given the current network configuration
 If all the resources the entity ‘r’ uses are available, then c(r)=1.0
 If a particular service the entity ‘r’ uses is unavailable, the value of c(r) decreases (as will be shown)

Capability Calculation
 c(left) and c(right): denote the capability of the left and right link of a node.
 c: denotes the capability of any intermediate node
 Leaf Node:
–if the entity provides the service, capability is set to 1.0
–if the entity does not provide the service, capability is set to 0.0
 COMBINE Node: c=(c(left)+c(right))/2
 CHOICE Node: c=Max(c(left),c(right))

Example
User ‘A’ (entity) uses the DNS server, the NFS server, and one of the two domain name servers DNS1 and DNS2 to accomplish all his tasks
When the NFS server is unavailable

Dependency Degree
 Describes to what extent the operation of an entity is affected if the resource it depends on is no longer available
–Example: a user who mainly surfs the internet
  High dependency on the availability of the DNS and HTTP servers (say we set the dependency degree to 100 %)
  Not very much on the NFS server (say we set the dependency degree to 75 %)
 Changes to the capability calculation
–c(left)=c(left)*dependency degree
–c(right)=c(right)*dependency degree

Evaluating the Network State
 In a network, many entities depend on other entities in the network
 We create a dependency tree for every such entity
 Final State of Network: the average of the capability values of all dependency trees created over all entities
 Handling cyclic dependencies: an unavailable service can affect the availability of other services
–Create another dependency tree for the depending service

Individual Representation
 An individual represents a response action
–A set of operations that are performed when an intrusion is detected
 A response action is represented as a binary string of bits
–Each bit is associated with an operation on a host that provides a service
 If a response action indicates an operation to be performed and the operation is already in effect, it is ignored
–Example: if a response action indicates that a particular firewall rule be installed (removed), and that rule is already installed (not installed), the response action ignores the rule

EC Mechanism

Response History Agent (RHA)
 Stores information about the attack and the response to that attack
 Attack Information: stored as “reports” generated by the IDS
 Response Information: stored as a binary string that represents the response action
 Partial Population: created by selecting responses from the RHA that have “similar intrusive patterns” (many of the variables within the report are the same)
 As new attacks occur, the attack-response pair is added to the RHA
 If an identical attack has previously occurred, we have the option to reuse the response that was previously generated

Evaluation Function
 Add the response action (defined by the individual) temporarily to the model
 Determine the total capability of the network
 For a mild attack and a severe response, associate a penalty with the fitness
–Mild attack: determined from the IDS report
 For a severe attack and a mild response, associate a penalty with the fitness

Preliminary Results

Questions or Comments?

A Simpler Approach

Happy Thanksgiving!!! Thank You!!!