Significant advances in Intrusion Detection Systems have led to improved alerts. However, Intrusion Response Systems, which aim to respond automatically to these alerts, are a research area not yet advanced enough to benefit from full automation. In Security Operations Centres, analysts can implement countermeasures using knowledge and past experience to adapt to new attacks. Attempts at automated Intrusion Response Systems fall short when a new attack occurs of which the system has no specific knowledge and for which it has no effective countermeasure to apply, even resorting to overkill countermeasures such as restarting services and blocking ports or IPs. In this paper, a countermeasure standard is proposed which enables countermeasure intelligence sharing and automated countermeasure adoption and execution by an Intrusion Response System. An attack scenario is created on an emulated network using the Common Open Research Emulator, in which an insider attack attempts to exploit a buffer overflow on an Exim mail server. Experiments demonstrate that an Intrusion Response System with dynamic countermeasure knowledge can stop attacks that would otherwise succeed against a static predefined countermeasure approach.
| Field | Value |
|---|---|
| Title of host publication | 2020 31st Irish Signals and Systems Conference, ISSC 2020 |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| Publication status | Published - 31 Aug 2020 |
| Event | 31st Irish Signals and Systems Conference, ISSC 2020 - Letterkenny, Ireland (Duration: 11 Jun 2020 → 12 Jun 2020) |
| Name | 2020 31st Irish Signals and Systems Conference, ISSC 2020 |
| Conference | 31st Irish Signals and Systems Conference, ISSC 2020 |
| Period | 11/06/2020 → 12/06/2020 |
Bibliographical note: Publisher Copyright: © 2020 IEEE.
ASJC Scopus subject areas:
- Artificial Intelligence
- Information Systems
- Signal Processing