An Adaptive and Cost-Based Intrusion Response System

An Adaptive and Cost-Based Intrusion Response System (ACBIRS) is presented in this paper. The designed system analyzes alerts from the Intrusion Detection System (IDS) and evaluates the attack cost, based on the probable damage of attacks on the protected system. Later on, a response is deployed to thwart the attack and prevent the attacker from reaching his/her goals. The proposed response selection approach is a cost-based method that considers attack features, including type of the attack, severity of the attack, value of targeted host/hosts services, and their data to prioritize alerts. Alerts will be responded with respect to their priorities. The selected responses are based on a measure called Response Merit (RM). The balance between attack damage cost, response cost together with the effectiveness of the response to countermeasure previous attacks determine the RM. In contrast to other Intrusion Response Systems (IRS), ACBIRS not only consists of the attack and response measures but also includes response feedback supervision that is proposed in this paper for the first time. ACBIRS allows responses to be adaptive in changing environments through success and failure assessment of previously deployed responses. Experiments show that ACBIRS can successfully prevent 92% of intrusions with only 3% disruption on benign traffic.