RRE

A game-theoretic intrusion response and recovery engine

Saman Aliari Zonouz, Himanshu Khurana, William H. Sanders, Timothy M. Yardley

Research output: Contribution to journal › Article

55 Citations (Scopus)

Abstract

Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ART) to analyze undesired system-level security events within host computers and their countermeasures, using Boolean logic to combine lower-level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective response selection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system's current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.

Original language: English (US)
Article number: 6583161
Pages (from-to): 395-406
Number of pages: 12
Journal: IEEE Transactions on Parallel and Distributed Systems
Volume: 25
Issue number: 2
DOIs: 10.1109/TPDS.2013.211
State: Published - Feb 1 2014
Externally published: Yes

Fingerprint

Engines
Recovery
Network security
Fuzzy rules
Intrusion detection
Fuzzy systems
Fuzzy logic
Availability

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Hardware and Architecture
  • Computational Theory and Mathematics

Cite this

Aliari Zonouz, Saman; Khurana, Himanshu; Sanders, William H.; Yardley, Timothy M. / RRE: A game-theoretic intrusion response and recovery engine. In: IEEE Transactions on Parallel and Distributed Systems. 2014; Vol. 25, No. 2. pp. 395-406.
@article{ad0cf963861d4bdc9dbe934b2f078554,
title = "RRE: A game-theoretic intrusion response and recovery engine",
abstract = "Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ART) to analyze undesired system-level security events within host computers and their countermeasures using Boolean logic to combine lower level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective response selection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system's current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine, are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.",
author = "{Aliari Zonouz}, Saman and Himanshu Khurana and Sanders, {William H.} and Yardley, {Timothy M.}",
year = "2014",
month = "2",
day = "1",
doi = "10.1109/TPDS.2013.211",
language = "English (US)",
volume = "25",
pages = "395--406",
journal = "IEEE Transactions on Parallel and Distributed Systems",
issn = "1045-9219",
publisher = "IEEE Computer Society",
number = "2",
}

RRE: A game-theoretic intrusion response and recovery engine. / Aliari Zonouz, Saman; Khurana, Himanshu; Sanders, William H.; Yardley, Timothy M.

In: IEEE Transactions on Parallel and Distributed Systems, Vol. 25, No. 2, 6583161, 01.02.2014, p. 395-406.


TY - JOUR

T1 - RRE

T2 - A game-theoretic intrusion response and recovery engine

AU - Aliari Zonouz, Saman

AU - Khurana, Himanshu

AU - Sanders, William H.

AU - Yardley, Timothy M.

PY - 2014/2/1

Y1 - 2014/2/1

N2 - Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ART) to analyze undesired system-level security events within host computers and their countermeasures using Boolean logic to combine lower level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective response selection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system's current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine, are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.

AB - Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ART) to analyze undesired system-level security events within host computers and their countermeasures using Boolean logic to combine lower level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective response selection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system's current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine, are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.

UR - http://www.scopus.com/inward/record.url?scp=84891815876&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84891815876&partnerID=8YFLogxK

U2 - 10.1109/TPDS.2013.211

DO - 10.1109/TPDS.2013.211

M3 - Article

VL - 25

SP - 395

EP - 406

JO - IEEE Transactions on Parallel and Distributed Systems

JF - IEEE Transactions on Parallel and Distributed Systems

SN - 1045-9219

IS - 2

M1 - 6583161

ER -