The continuous increase in the quantity and sophistication of cyberattacks is making it more difficult and error prone for system administrators to handle the alerts generated by intrusion detection systems (IDSs). To deal with this problem, several intrusion response systems (IRSs) have been proposed lately. IRSs extend the IDSs by providing an automatic response to the detected attack. Such a response is usually selected either with a static attack-response mapping or by quantitatively evaluating all available responses, given a set of predefined criteria. In this article, we introduce a probabilistic model-based IRS built on the Markov decision process (MDP) framework. In contrast to most existing approaches to intrusion response, the proposed IRS effectively captures the dynamics of both the defended system and the attacker and is able to compose atomic response actions to plan optimal multiobjective long-term response policies to protect the system. We evaluate the effectiveness of the proposed IRS by showing that long-term response planning always outperforms short-term planning, and we conduct a thorough performance assessment to show that the proposed IRS can be adopted to protect large distributed systems at runtime.
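As an added illustration (not the paper's model or code), the following toy MDP uses constructed attacker stages, damage costs, response costs and transition probabilities, and solves it with value iteration to show the abstract's claim that long-horizon response planning outperforms one-step (myopic) response selection:

```python
"""Toy intrusion-response MDP: long-horizon planning vs one-step (myopic) response
selection. All stages, costs and probabilities are constructed for illustration."""

STATES = range(5)                                   # attacker stage, 4 = data exfiltrated
DAMAGE = [0.0, 1.0, 3.0, 8.0, 30.0]                 # damage incurred per step in each stage
ACTIONS = {"none": 0.0, "block_ip": 2.0,            # atomic responses and their service cost
           "isolate_host": 5.0, "restore": 10.0}
GAMMA = 0.95                                        # discount factor for long-term planning

def transitions(s, a):
    """P(s' | s, a) for the constructed model (hypothetical probabilities)."""
    if s == 0:                       # clean system: a new attack starts 10% of the time
        return {0: 0.9, 1: 0.1}
    if s == 4:                       # exfiltration already happened: absorbing stage
        return {4: 1.0}
    if a == "none":                  # attacker advances unhindered
        return {s: 0.4, s + 1: 0.6}
    if a == "block_ip":              # slows the attacker but leaves the foothold in place
        return {s: 0.8, s + 1: 0.2}
    if a == "isolate_host":          # usually contains the intrusion
        return {0: 0.9, s: 0.1}
    return {0: 1.0}                  # restore from backup always returns to clean

def q_value(s, a, future):
    """Response cost + damage in s + discounted expected cost of the successor stage."""
    return ACTIONS[a] + DAMAGE[s] + GAMMA * sum(p * future[s2] for s2, p in transitions(s, a).items())

def long_term_policy(iters=500):
    """Value iteration: minimise expected discounted cost over an infinite horizon."""
    v = [0.0] * len(STATES)
    for _ in range(iters):
        v = [min(q_value(s, a, v) for a in ACTIONS) for s in STATES]
    return {s: min(ACTIONS, key=lambda a: q_value(s, a, v)) for s in STATES}

def myopic_policy():
    """One-step lookahead: only the damage of the very next stage is considered."""
    return {s: min(ACTIONS, key=lambda a: q_value(s, a, DAMAGE)) for s in STATES}

def evaluate(policy, iters=2000):
    """Expected discounted cost of following a fixed policy from each stage."""
    v = [0.0] * len(STATES)
    for _ in range(iters):
        v = [q_value(s, policy[s], v) for s in STATES]
    return v

if __name__ == "__main__":
    for name, pol in (("myopic", myopic_policy()), ("long-term", long_term_policy())):
        print(f"{name:9s} policy={pol}  expected cost from stage 1 = {evaluate(pol)[1]:.2f}")
```

In this model the myopic planner leaves an early foothold alone because isolation costs more than the next step's damage, while the long-horizon planner isolates immediately and incurs a lower expected total cost from every stage.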
Iannucci, S., Abdelwahed, S. (2018). Model-based response planning strategies for autonomic intrusion protection. ACM TRANSACTIONS ON AUTONOMOUS AND ADAPTIVE SYSTEMS, 13(1), 1-23 [10.1145/3168446].