Using Specification-Based Intrusion Detection for Automated Response

  • Ivan Balepin
  • Sergei Maltsev
  • Jeff Rowe
  • Karl Levitt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2820)


One of the most controversial issues in intrusion detection is automating responses to intrusions, which can provide a more efficient, quicker, and precise way to react to an attack in progress than a human. However, it comes with several disadvantages that can lead to a waste of resources, which has so far prevented wide acceptance of automated response-enabled systems. We feel that a structured approach to the problem is needed that will account for the above mentioned disadvantages. In this work, we briefly describe what has been done in the area before. Then we start addressing the problem by coupling automated response with specification-based, host-based intrusion detection. We describe the system map, and the map-based action cost model that give us the basis for deciding on response strategy. We also show the process of suspending the attack, and designing the optimal response strategy, even in the presence of uncertainty. Finally, we discuss the implementation issues, our experience with the early automated response agent prototype, the Automated Response Broker (ARB), and suggest topics for further research.


Response Action File System Intrusion Detection System Call Intrusion Detection System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alphatech: ALPHATECH Light Autonomic Defense System (last accessed June 30, 2003),
  2. 2.
    Amoroso, E.: Intrusion Detection: an introduction to Internet surveillance, correlation, trace back, traps, and response, Books, New Jersey (1999)Google Scholar
  3. 3.
    Carver Jr., C.A., Pooch, U.W.: An Intrusion Response Taxonomy and its Role in Automatic Intrusion Response. In: Proceedings of the 2000 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June 6-7 (2000)Google Scholar
  4. 4.
    Fred Cohen & Associates, Deception for Protection (last accessed June 30, 2003),
  5. 5.
    Free Software Foundation, Inc., The GNU Privacy Guard (last accessed June 30, 2003),
  6. 6.
    Ko, C.C.W.: Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-Based Approach, Ph.D. Thesis, Davis, CA (August 1996)Google Scholar
  7. 7.
    Lee, W., Fan, W., Miller, M., Stolfo, S., Zadok, E.: Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security 10(1, 2) (2002)Google Scholar
  8. 8.
    Lewandowski, S., Van Hook, D., O’Leary, G., Haines, J., Rosse, L.: SARA: Survivable Autonomic Response Architecture. In: DISCEX II 2001, Anaheim, CA (June 2001)Google Scholar
  9. 9.
    Network Associates Laboratories: Secure Execution Environments/Generic Software Wrappers for Security and Reliability (last accessed June 30, 2003),
  10. 10.
    Raiffa, H.: Decision Analysis: Introductory Lectures on Choices under Uncertainty. Addison-Wesley, Reading (1968)zbMATHGoogle Scholar
  11. 11.
    RedHat, Inc.: Red Hat Security Advisory RHSA-2000:100-02 (last accessed June 30, 2003),
  12. 12.
    SecurityFocus, Mailing List: FOCUS-IDS (last accessed June 30, 2003),
  13. 13.
    Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium (2002)Google Scholar
  14. 14.
    Templeton, S., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the New Security Paradigms Workshop, Cork, Ireland (September 2000)Google Scholar
  15. 15.
    Tylutki, M.: : Optimal Intrusion Recovery and Response Through Resource and Attack Modeling, Ph.D. Thesis, Davis, CA (September 2003)Google Scholar
  16. 16.
    Toth, T., Kruegel, C.: Evaluating the impact of automated intrusion response mechanisms. In: 18th Annual Computer Security Applications Conference, Las Vegas, Nevada, December 9-13 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Ivan Balepin
    • 1
  • Sergei Maltsev
    • 2
  • Jeff Rowe
    • 1
  • Karl Levitt
    • 1
  1. 1.Computer Security LaboratoryUniversity of California, DavisDavisUSA
  2. 2.IU8Bauman Moscow State Technical UniversityMoscowRussia

Personalised recommendations