RRE A Game-Theoretic Intrusion Response and Recovery Engine

RRE: A Game-Theoretic Intrusion Response and Recovery Engine

Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated responsetechniques. In this paper, we propose a new approach to automated response called the response andrecovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-responsetrees (ART) to analyze undesired system-level security events within host computers and their countermeasures using Boolean logic to combine lower level attack consequences. In addition, theRRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimalresponse actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective responseselection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system’s current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine, are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoreticoptimization process. Experimental results show that the RRE, using Snort’s alerts, can protect large networks for which attack-response trees have more than 500 nodes.


Comments are closed.