Risk balance defense approach against intrusions for network server

  • Regular Contribution
  • International Journal of Information Security

Abstract

The paper presents a new defense approach based on risk balance to protect network servers from intrusion activities. We construct and implement a risk balance system that consists of three modules: a comprehensive alert processing module, an online risk assessment module, and a risk balance response decision-making module. The alert processing module improves the information quality of intrusion detection system (IDS) raw alerts by reducing the false alert rate, forming alert threads, and computing general parameters from those threads. The risk assessment module evaluates risk accurately according to the alert threads. Based on the risk assessment, the response decision-making module makes correct response decisions and performs very well in terms of noise immunity. Unlike conventional intrusion response systems, the risk balancer protects network servers not by directly blocking intrusion activities but by redirecting the related network traffic and changing the service platform. In this way, the system configuration that favors the attacker is changed, and attacks are stopped with little impact on the service to users. The proposed risk balance approach is therefore a good solution both to the trade-off between the effectiveness and the negative effects of responses and to the false responses caused by IDS false-positive alerts and duplicated alerts.
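As an added illustration (not the paper's code or its risk model), the following Python sketch walks through the three-module pipeline the abstract describes under assumed simplifications: threads are keyed by source and destination, risk is a noisy-OR over one weight per distinct signature, the response threshold and the standby platform `ALT_PLATFORM` are hypothetical, and the response redirects traffic rather than blocking it. It shows why duplicated alerts from one source do not push a thread over the response threshold while a genuine escalation does.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class Alert:
    ts: float          # seconds (constructed timestamps)
    src: str           # source address as reported by the IDS
    dst: str           # protected server
    sig: str           # IDS signature name
    severity: float    # 0..1, severity assigned by the IDS rule
    confidence: float  # 0..1, belief that the alert is true (from alert verification)

ALT_PLATFORM = "web-pool-B"  # hypothetical standby platform running a different OS/stack

def form_threads(alerts, min_confidence=0.5):
    """Module 1: discard low-confidence (likely false) alerts, then group the rest by (src, dst) into alert threads."""
    threads = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.confidence >= min_confidence:
            threads.setdefault((a.src, a.dst), []).append(a)
    return threads

def assess_risk(thread):
    """Module 2 (assumed noisy-OR model, not the paper's): one weight per distinct signature, so repeats add nothing."""
    strongest = {}
    for a in thread:  # the thread parameter we keep: strongest evidence seen per signature
        strongest[a.sig] = max(strongest.get(a.sig, 0.0), a.severity * a.confidence)
    return 1.0 - reduce(lambda p, w: p * (1.0 - w), strongest.values(), 1.0)

def naive_risk(thread):
    """The same combination over every raw alert, to show how duplicated alerts inflate risk."""
    return 1.0 - reduce(lambda p, a: p * (1.0 - a.severity * a.confidence), thread, 1.0)

def decide(thread, threshold=0.7):
    """Module 3: above the threshold, rebalance by redirecting the thread's traffic to ALT_PLATFORM instead of blocking it."""
    risk = assess_risk(thread)
    if risk >= threshold:
        return {"action": "redirect", "to": ALT_PLATFORM, "risk": round(risk, 3)}
    return {"action": "none", "risk": round(risk, 3)}

# Constructed sample: 10.0.0.5 repeats one probe five times, 10.0.0.9 escalates through three distinct signatures, 10.0.0.7 is a low-confidence alert.
SAMPLE = [Alert(t, "10.0.0.5", "srv", "SQLi-probe", 0.6, 0.9) for t in (1, 2, 3, 4, 5)] + [
    Alert(10, "10.0.0.9", "srv", "dir-traversal", 0.6, 0.9),
    Alert(20, "10.0.0.9", "srv", "file-upload", 0.7, 0.8),
    Alert(30, "10.0.0.9", "srv", "outbound-shell", 0.8, 0.95),
    Alert(40, "10.0.0.7", "srv", "scanner-ua", 0.3, 0.2)]

def run(alerts=SAMPLE):
    return {src: decide(thread) for (src, _), thread in form_threads(alerts).items()}
```

Comparing `naive_risk` with `assess_risk` on the repeated-probe thread shows the noise-immunity point: counting every duplicate would cross the threshold, while the thread-level evaluation does not.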

Acknowledgments

Yingjiu Li's work was partly supported by the SMU Office of Research under Project No. 12-C220-SMU-001/MSS11C003.

Corresponding author

Correspondence to Chengpo Mu.

Cite this article

Mu, C., Yu, M., Li, Y. et al. Risk balance defense approach against intrusions for network server. Int. J. Inf. Secur. 13, 255–269 (2014). https://doi.org/10.1007/s10207-013-0214-9
