Presentation is loading. Please wait.

Presentation is loading. Please wait.

Limiting Uncertainty in Intrusion Response

Published byRafe Booker Modified over 6 years ago

Similar presentations

Presentation on theme: "Limiting Uncertainty in Intrusion Response"— Presentation transcript:

1 Limiting Uncertainty in Intrusion Response
Curtis A. Carver Jr. John M.D. Hill Udo W. Pooch

2 Agenda Motivation Adaptive, Agent-based Intrusion Response System (AAIRS) Uncertainty in Detection Uncertainty in Classifying Attacks Uncertainty in Response Conclusions 6/5/2001 SMC-IAW

3 Motivation (CERT Incidents)
The number of computer attacks is increasing and the attacks are becoming increasingly complex. 6/5/2001 SMC-IAW

4 Motivation (Intrusion Response Systems)
Intrusion response systems must address uncertainty. Response systems should provide automated mechanisms for adapting to uncertainty in intrusion response. Of the systems surveyed, none provided mechanisms for answering the following questions: IR Classification # Notification 31 Manual Response 8 Automatic Response 17 Total 56 6/5/2001 SMC-IAW

5 Uncertainty in Intrusion Response
Is the system really under attack? If the system is under attack, is this a new attack or part of an ongoing attack? Did my response plan work and if it did not, how can I adapt it? 6/5/2001 SMC-IAW

6 AAIRS Methodology Monitored System Response Toolkit System Admin Tool
Intrusion Detection System System Admin Tool Response Toolkit Interface Master Analysis Response Taxonomy Policy Specification Monitored System 6/5/2001 SMC-IAW

7 Uncertainty (Detection)
Intrusion detection is imperfect. AAIRS addresses uncertainty in detection by maintaining a false alarm rate on each supported intrusion detection system. The false alarm rate is maintained by the system administrator but could be updated automatically by calibrating the false alarm rate. 6/5/2001 SMC-IAW

8 Uncertainty (Classifying Attacks)
Detected attacks can be a new attack or part of an ongoing attack. Event List History Time Metric Session Identifier Attack Type Metric 6/5/2001 SMC-IAW

9 Uncertainty in Response
Response plan consists of a response goal, two or more plan steps, and associated tactics and implementations. Each plan step, tactic, and implementation has an associated success factor. The success factor is the ratio of the number of times it has been successfully deployed to the total number of times it has been deployed. 6/5/2001 SMC-IAW

10 Uncertainty in Response
Plan Generation Apply Policy Constraints Set Response Taxonomy Weights Determine System Response Goal Weights Build Tentative Plan Build Final Plan Implementation Success or Failure Plan Adaptation Failed Implementation Substitution Tactic Substitution Significant Change Adaptation 6/5/2001 SMC-IAW

11 Conclusions Must manage uncertainty in intrusion response system.
The techniques presented in this paper provide a starting point for addressing this uncertainty. 6/5/2001 SMC-IAW

Download ppt "Limiting Uncertainty in Intrusion Response"

Similar presentations

IATI Technical Advisory Group Technical Proposals Simon Parrish IATI Technical Advisory Group, DIPR March 2010.

IATI Technical Advisory Group Technical Proposals Simon Parrish IATI Technical Advisory Group, DIPR March 2010.
An Isolated Network in Support of an Advanced Networks and Security Course LTC Curtis A. Carver Jr. LTC John M.D. Hill Dr. Udo W. Pooch.

An Isolated Network in Support of an Advanced Networks and Security Course LTC Curtis A. Carver Jr. LTC John M.D. Hill Dr. Udo W. Pooch.
Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
Third Generation Adaptive Hypermedia Systems Curtis A. Carver Jr., John M.D. Hill and Udo W. Pooch.

Third Generation Adaptive Hypermedia Systems Curtis A. Carver Jr., John M.D. Hill and Udo W. Pooch.
CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.

CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Tactical Event Resolution Using Software Agents, Crisp Rules, and a Genetic Algorithm John M. D. Hill, Michael S. Miller, John Yen, and Udo W. Pooch Department.

Tactical Event Resolution Using Software Agents, Crisp Rules, and a Genetic Algorithm John M. D. Hill, Michael S. Miller, John Yen, and Udo W. Pooch Department.
Emerging Curriculum Issues in Digital Libraries MAJ(P) Curtis A. Carver Jr. LTC John M.D. Hill Udo W. Pooch.

Emerging Curriculum Issues in Digital Libraries MAJ(P) Curtis A. Carver Jr. LTC John M.D. Hill Udo W. Pooch.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
Consensus Routing: The Internet as a Distributed System 2009. 2. 26 John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.

Consensus Routing: The Internet as a Distributed System John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.
Scheduling with uncertain resources Elicitation of additional data Ulaş Bardak, Eugene Fink, Chris Martens, and Jaime Carbonell Carnegie Mellon University.

Scheduling with uncertain resources Elicitation of additional data Ulaş Bardak, Eugene Fink, Chris Martens, and Jaime Carbonell Carnegie Mellon University.
Software Quality Metrics

Software Quality Metrics
Mobile Agents: A Key for Effective Pervasive Computing Roberto Speicys Cardoso & Fabio Kon University of São Paulo - Brazil.

Mobile Agents: A Key for Effective Pervasive Computing Roberto Speicys Cardoso & Fabio Kon University of São Paulo - Brazil.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.

Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.
Continuous Auditing. Items to be discussed include: Developing a Continuous Auditing Program Continuous Auditing Process Benefits of Continuous Auditing.

Continuous Auditing. Items to be discussed include: Developing a Continuous Auditing Program Continuous Auditing Process Benefits of Continuous Auditing.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Similar presentations

Ads by Google