The Center for Education and Research in Information Assurance and Security (CERIAS)

ADEPTS: Adaptive Intrusion Containment and Response using Attack Graphs in an E-commerce Environment

Author

Yu-Sung Wu, Bingrui Foo, Blake Matheny, Tyler Olsen, Saurabh Bagchi

Tech report number

CERIAS TR 2003-32

Entry type

article

Abstract

Distributed e-commerce systems are suitable targets for malicious attacks because of the potential financial impact. Intrusion detection in such systems has been an active area of research. Once an intrusion is detected, it is important to contain its effect to some parts of the system while allowing the other parts to continue to provide service. It is also important to take preventive or reactive responses to reduce the likelihood of the system being compromised through a future attack. In this paper, we present the design and implementation of an Adaptive Intrusion Tolerant System, ADEPTS, for automatically containing and responding to intrusions in a distributed e-commerce system. We use a directed acyclic graph of intrusion goals (I-DAG) as the underlying representation in the system. In an I-DAG, the nodes are sub-goals of an attack, and to reach a particular node, the goals corresponding to its child nodes have to be achieved first. We assume an intrusion detection framework which provides alerts to ADEPTS. In response, a parallel algorithm is executed to compute the likelihood that one or more goals in the DAG have been achieved. Next, a response measure computation algorithm is executed to determine the appropriate response action. There is also a feedback mechanism which estimates the success or failure of a deployed response and uses that estimate to adjust the system weights that guide future choices. ADEPTS is implemented on a distributed e-commerce system comprising services including a web server, an application server, a database server, and a directory server. Alerts corresponding to different attack types are simulated, the algorithms executed, and response actions deployed. The experiments bring out the latency of the infrastructure and the effectiveness of dealing with failed responses through escalation, compared to statically mapped Intrusion Response Systems (IRS).

Date

2003-12-18

Key alpha

Bagchi

Organization

Purdue University

School

School of Electrical and Computer Engineering

Affiliation

Dependable Computing Systems Lab

Publication Date

2003-12-18

Keywords

automated intrusion response, intrusion containment, e-commerce system, simulated attacks, response latency and effectiveness

Subject

Intrusion response
