Copyright © 2006 Elsevier B.V. All rights reserved.
Automated adaptive intrusion containment in systems of interacting services
Available online 13 October 2006.
Abstract
Large-scale distributed systems typically have interactions among different services that create an avenue for the propagation of a failure from one service to another. The failures considered may be the result of natural faults or malicious activity, collectively called disruptions. To make these systems tolerant to failures, the spread of a disruption must be contained automatically once it is detected. The objective is to allow certain parts of the system to continue to provide partial functionality in the face of failures. Real-world situations impose several constraints on the design of such a disruption-tolerant system, of which we consider the following: the alarms may have type I or type II errors (false alarms or missed alarms); it may not be possible to change the service itself even though the interaction may be changed; attacks may use steps that are not anticipated a priori; and there may be bursts of concurrent alarms. We present the design and implementation of a system named Adepts as the realization of such a disruption-tolerant system. Adepts uses a directed graph representation to model the spread of the failure through the system, presents algorithms for determining appropriate responses and monitoring their effectiveness, and quantifies the effect of disruptions through a high-level survivability metric. Adepts is demonstrated on a real e-commerce testbed with actual attack patterns injected into it.
Keywords: Automated adaptive intrusion response; Intrusion containment; E-commerce system; Survivability; Attack graphs
Article Outline
- 1. Introduction
- 2. Related research
- 3. Process flow and fundamental structures in Adepts
- 3.1. Overview
- 3.2. I-Graph
- 3.2.1. I-Graph structure
- 3.2.2. I-Graph generation
- 3.3. Attack sub-graphs
- 4. Responses in Adepts
- 4.1. Determining response locations
- 4.1.1. CCI computation algorithm
- 4.1.2. False alarm estimation
- 4.1.3. Missed alarm estimation
- 4.1.4. Response set computation algorithm
- 4.2. Response deployment
- 4.2.1. Response infrastructure
- 4.2.2. Choosing responses
- 4.3. Matching in attack template library
- 4.3.1. Immunizer
- 4.4. Handling unknown alerts
- 4.5. Response chains and persistent attacks
- 4.6. Providing feedback to responses
- 4.6.1. Varying EI
- 4.6.2. Deactivating responses
- 4.7. Complexity analysis
- 5. Implementation of Adepts and testbed
- 5.1. Description of e-commerce application
- 5.2. Detectors
- 5.3. Attack scenarios
- 5.4. Response repository
- 6. Experiments and results
- 6.1. Experiment 1: missed alarm and false alarm estimation
- 6.2. Experiment 2: adaptation of response action
- 6.3. Experiment 3: scalability of Adepts
- 6.4. Experiment 4: survivability of e-commerce testbed
- 7. Conclusions
- Appendix. Scalability experiment
- References
- Vitae