A Service Dependency Model for Cost-Sensitive Intrusion Response

Kheir, Nizar; Cuppens-Boulahia, Nora; Cuppens, Frédéric; Debar, Hervé

doi:10.1007/978-3-642-15497-3_38

Cited by 76 publications

(70 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This countermeasure blocks all online users and has a big impact on QoS. In the second place, we see countermeasures cm 40 = BlockAllT raf f ic(vF W ), cm 43 = Disconnect(CloudServer3), and cm 45 = Shutdown(CloudServer3) on dp 4 . Each of these countermeasures disconnects the relationship between services and DB service.…”

Section: Security Impact On Service Quality Evaluationmentioning

confidence: 93%

“…As explained, they do not use the same measurement unit [1], [25]. Some models attempt to put these two costs in the same measurement unit by simplifying the problem [4]- [6]. For example, Balepin et al [6] propose to consider only availability loss of services affected by the intruder and countermeasure.…”

Section: Related Workmentioning

confidence: 99%

“…For instance, blocking the attacker's IP and http port has been selected on three defense points with different security performance (9.44, 7.53, and 1.56), security impact (4.35, 4.35, and 2.62), and security cost (2.00, 1.34, and 1.10). If we ignore dimension S C , cm 12 should likewise be ignored because of less security performance compared to cm 4 .…”

Section: Optimal Countermeasure Selectionmentioning

confidence: 99%

See 2 more Smart Citations

Dynamic Optimal Countermeasure Selection for Intrusion Response System

Shameli‐Sendi

Louafi

et al. 2018

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract-Designing an efficient defense framework is challenging with respect to a network's complexity, widespread sophisticated attacks, attackers' ability, and the diversity of security appliances. The Intrusion Response System (IRS) is intended to respond automatically to incidents by attuning the attack damage and countermeasure costs. The existing approaches inherit some limitations, such as using static countermeasure effectiveness, static countermeasure deployment cost, or neglecting the countermeasures' negative impact on service quality (QoS). These limitations may lead the IRS to select inappropriate countermeasures and deployment locations, which in turn may reduce network performance and disconnect legitimate users. In this paper, we propose a dynamic defense framework that selects an optimal countermeasure against different attack damage costs. To measure the attack damage cost, we propose a novel defense-centric model based on a service dependency graph. To select the optimal countermeasure dynamically, we formulate the problem at hand using a multi-objective optimization concept that maximizes the security benefit, minimizes the negative impact on users and services, and minimizes the security deployment cost with respect to the attack damage cost.

show abstract

Section: Security Impact On Service Quality Evaluationmentioning

confidence: 93%

Section: Related Workmentioning

confidence: 99%

Section: Optimal Countermeasure Selectionmentioning

confidence: 99%

See 1 more Smart Citation

Dynamic Optimal Countermeasure Selection for Intrusion Response System

Shameli‐Sendi

Louafi

et al. 2018

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…Return on response investment (RORI) is a quantitative model for ranking response plans by a cost-sensitive financial comparison and has been introduced in [7][8][9]19], and in the following. For the scope of this article, we consider sets of individual actions performed as a response to an adversary.…”

Section: Return On Response Investmentmentioning

confidence: 99%

Selection of Pareto-efficient response plans based on financial and operational assessments

Motzek

González-Granadillo

Debar

et al. 2017

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

Finding adequate responses to ongoing attacks on ICT systems is a pertinacious problem and requires assessments from different perpendicular viewpoints. However, current research focuses on reducing the impact of an attack irregardless of side effects caused by responses. In order to achieve a comprehensive yet accurate response to possible and ongoing attacks on a managed ICT system, we propose an approach that evaluates a response from two perpendicular perspectives: (1) A response financial impact assessment, considering the financial benefits of restoring and protecting potentially threatened operational capabilities while considering implementation and maintenance costs of responses. (2) A response operational impact assessment, which assesses potential impacts that efficient mitigation actions may inadvertently cause on the organization in an operational perspective, e.g., negative side effects of deploying mitigations. It is the key benefit of the presented approach to combine all obtained evaluations with a multi-dimensional optimization procedure such that a response plan is selected which reduces a state of risk below an admissible level while minimizing potential negative side effects of deliberately taken actions.

show abstract

“…The proposed model considers different kinds of dependencies between services, and derives quantitative differences between system states from these graphs. Kheir et al [13] propose a service dependency graph to evaluate the confidentiality and integrity impacts, as well as the availability impact. The confidentiality and integrity criteria are not considered in [12].…”

Section: Related Workmentioning

confidence: 99%

A Defense-Centric Model for Multi-step Attack Damage Cost Evaluation

Shameli‐Sendi

Louafi

et al. 2015

2015 3rd International Conference on Future Internet of Things and Cloud

View full text Add to dashboard Cite

Abstract-Measuring the attack damage cost and monitoring the sequence of privilege escalations play a critical role in choosing the right countermeasure by Intrusion Response System (IRS). The existing attack damage cost evaluation approaches inherit some limitations, such as neglecting the dependencies between system assets, ignoring the backward damage of exploited non-goal services, or omitting the potential damage toward the goal service. In this paper, we propose a defense-centric model to calculate the damage cost of a multistep attack. The main advantage of this model is providing an accurate damage cost by considering not only the damaged services (non-goal services) but also the potential damage toward the attacker target (goal service). To track the attacker's progress and find the attack path, an Attack-Defense Tree (ADT) is used. The model has been implemented in, but is not limited to, the cloud environment and tested with a multistep attack scenario.

show abstract

A Service Dependency Model for Cost-Sensitive Intrusion Response

Cited by 76 publications

References 14 publications

Dynamic Optimal Countermeasure Selection for Intrusion Response System

Dynamic Optimal Countermeasure Selection for Intrusion Response System

Selection of Pareto-efficient response plans based on financial and operational assessments

A Defense-Centric Model for Multi-step Attack Damage Cost Evaluation

Contact Info

Product

Resources

About