Risk-Aware Framework for Activating and Deactivating Policy-Based Response

Kanoun, Waël; Cuppens-Boulahia, Nora; Cuppens, Frédéric; Dubus, Samuel

doi:10.1109/nss.2010.80

Cited by 16 publications

(10 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the simulation scenarios, the sources of the attacks are usually either replayed attacks [5], [6], [7] or simulated attacks based on attack vectors [8], [9]. All of the works evaluate only the strategy performance except for Strasburg et al [6], who evaluate the performance and scalability of the strategy, and Wang et al [9], who vary simulation parameters to test the performance, sensitivity and scalability.…”

Section: Related Workmentioning

confidence: 99%

Network defence strategy evaluation: Simulation vs. live network

Medková

Husák

Drašar

2017

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)

View full text Add to dashboard Cite

Abstract-A lot of research has been dedicated to finding an optimal strategy to defend network infrastructure. The proposed methods are usually evaluated using simulations, replayed attacks or testbed environments. However, these evaluation methods may give biased results, because in real life, attackers can follow a suboptimal strategy or react to a defence in an unexpected way. In this paper, we use a network of honeypots as a testing environment for evaluating network defence strategies. The honeypot network provides the opportunity to test a defence strategy against real attackers and is not as time and resource consuming as using white hat hackers. In our experiment, we use two different strategies to defend a group of honeypots in a live network and we compare these results to the results of a simulation with replayed attacks. We show that the results of the strategies in the simulation significantly differ from the results on the honeypot network which implies simulations are not sufficient for strategy evaluation. We also investigate how the attacker adapts to the responses taken by a defence strategy and how this change in behaviour affects the evaluation results.

show abstract

Section: Related Workmentioning

confidence: 99%

Network defence strategy evaluation: Simulation vs. live network

Medková

Husák

Drašar

2017

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)

View full text Add to dashboard Cite

show abstract

“…The majority of the proposed IRS use Static Cost or Static Evaluated Cost models (Curtis and Carver, 2001;White et al, 1996;Strasburg et al, 2009;Lee et al, 2002;Stakhanova et al, 2007;Mu and Li, 2010;Wang and Elhag, 2006;Fisch, 1996;Porras and Neumann, 1997;Bowen et al, 2000;Musman and Flesher, 2000;Somayaji and Forrest, 2000;Lewandowski et al, 2001;Schnackenberg et al, 2001;Wang et al, 2001;Tanachaiwiwat et al, 2002;Foo et al, 2005;Papadaki and Furnell, 2006;Kanoun et al, 2010). In contrast, a few models have been presented in the third category, dynamic evaluated cost (Toth and Kregel, 2002;Balepin et al, 2003;Kheir et al, 2010).…”

Section: Intrusion Response Systemmentioning

confidence: 99%

ORCEF: Online response cost evaluation framework for intrusion response system

Shameli‐Sendi

Dagenais

2015

Journal of Network and Computer Applications

View full text Add to dashboard Cite

“…Also based on modeling, the risk-aware framework proposed in [18] contains an online component which measures the likelihood of success of an ongoing threat or attack, and the cumulative impacts (cost) of the threat and the response. These measures help the RS determine the need for activation or deactivation of the system's policies as countermeasures.…”

Section: Risk Assessment (Attack Cost)mentioning

confidence: 99%

“…Here, in order to make the IDPRS more precise, risk assessment should be conducted dynamically (online). There are systems in the literature capable of tackling risk assessment in different scenarios, varying from general purpose environments [11,16,17] to complex cyber-physical infrastructures such as the telecommunications industry or the smart grid [18,19].…”

Section: Response Executionmentioning

confidence: 99%

“…Each goal has its own sequence of responses according to the risks they imply, e.g., weak responses earlier in time, and strong responses later. Kanoun et al presented in [18] a risk-aware framework composed of an online model and its architecture, which allows activating or deactivating response policies. They focus on the need of having deactivation mechanisms which allow the RS to stop applying responses when it calculates that the impact of the reaction surpasses an sufficient threshold.…”

Section: Review Of the State Of The Art: Approaches Techniques And Tmentioning

confidence: 99%

See 1 more Smart Citation