A Network-Based Response Framework and Implementation

  • Marcus Tylutki
  • Karl Levitt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4388)


As the number of network-based attacks increase, and system administrators become overwhelmed with Intrusion Detection System (IDS) alerts, systems that respond to these attacks are rapidly becoming a key area of research. Current response solutions are either localized to individual hosts, or focus on a refined set of possible attacks or resources, which emulate many features of low level IDS sensors.

In this paper, we describe a modular network-based response framework that can incorporate existing response solutions and IDS sensors. This framework combines these components by uniting models that represent: events that affect the state of the system, the detection capabilities of sensors, the response capabilities of response agents, and the conditions that represent system policy. Linking these models provides a foundation for generating responses that can best satisfy policy, given the perceived system state and the capabilities of sensors and response agents.


Autonomic response response modeling response framework 


  1. 1.
    Snapp, S., Brentano, J., Dias, G., Goan, T., Heberlein, T., Ho, C., Levitt, K., Mukherjee, B., Smaha, S., Grance, T., Teal, D., Mansur, D.: DIDS (Distributed Intrusion Detection System) - Motivation, Architecture, and an Early Prototype. In: Proc. 14th National Computer Security Conference (1991)Google Scholar
  2. 2.
    Heberlein, L., Dias, G., Levitt, K., Mukherjee, B., Wood, J., Wolber, D.: A Network Security Monitor. In: Proc. IEEE Symposium on Security and Privacy (1990)Google Scholar
  3. 3.
    Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, CA 94303, USA. SunSHIELD Basic Security Module Guide, Solaris 7, Part No. 805-2635-10 (October 1998)Google Scholar
  4. 4.
    Ionnidis, J., Bellovin, S.M.: Implementing Pushback: Router-based Defense against DDoS Attacks. In: Proc. The Network and Distributed System Security Symposium (2002)Google Scholar
  5. 5.
    Sterne, D., Djahandari, K., Wilson, B., Babson, B., Schnackenberg, D., Holliday, H., Reid, T.: Autonomic response to distributed denial of service attacks. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 134. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Tylutki, M., Levitt, K.: Mitigating distributed denial of service attacks using a proportional-integral-derivative controller. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 1–16. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Rowe, J.: Intrusion Detection and Isolation Protocol: Automated Response to Attacks. In: Recent Advances in Intrusion Detection (1999)Google Scholar
  8. 8.
    Kreidl, O., Frazier, T.: Feedback Control Applied to Survivability: A Host-Based Autonomic Defense System. IEEE Transactions of Reliability 52(3) (2003)Google Scholar
  9. 9.
    Musliner, D.: CIRCADIA Demonstration: Active Adaptive Defense. In: Proc. DISCEX 2003 (2003)Google Scholar
  10. 10.
    Toth, T., Kruegel, C.: Evaluating the Impact of Automated Intrusion Response Mechanisms. In: Proc. 18th Annual Computer Security Applications Conference (2002)Google Scholar
  11. 11.
    Cohen, F., Lambert, D., Preston, C., Berry, N., Stewart, C., Thomas, E.: A Framework for Deception (July 2005) (accessed July 2005),
  12. 12.
    Cohen, F.: Leading Attackers through Attack Graphs with Deceptions. Computers and Security 22(5), 402–411 (2003)CrossRefGoogle Scholar
  13. 13.
    The Honeynet Project (accessed June 2005),
  14. 14.
    Spitzner, L.: The Honeynet Project: Trapping the Hackers. In: Proc. IEEE Symposium on Security and Privacy (2005)Google Scholar
  15. 15.
    Templeton, S., Levitt, K.: A Requires/Provides Model for Computer Attacks. In: Proc. 2000 New Security Paradigms Workshop, pp. 31–38 (2000)Google Scholar
  16. 16.
    Cheung, S., Lindqvist, U., Fong, M.: Modeling Multistep Cyber Attacks for Scenario Recognition. In: Proc. DISCEX 2003 (2003)Google Scholar
  17. 17.
    Michel, C., Mé, L.: AdeLe: An Attack Description Language for Knowledge-Based Intrusion Detection. In: Trusted Information: The New Decade Challenge: IFIP TC11 16th International Conference on Information Security (IFIP/SEC 2001), pp. 353–368 (2001)Google Scholar
  18. 18.
    Cuppens, F., Ortalo, R.: LAMBDA: A language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  19. 19.
    Staniford-Chen, S., Tung, B., Schanckenberg, D.: The Common Intrusion Detection Framework (CIDF). In: Information Survivability Workshop (1998)Google Scholar
  20. 20.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format. Internet Draft (July 2004) (accessed July, 2005),
  21. 21.
    Kim, G., Spafford, E.: The Design and Implementation of Tripwire: A File System Integrity Checker. Technical Report CSD-TR-93-071, Purdue University, West Lafayette, IN 47907-1398Google Scholar
  22. 22.
    Lee, W., Fan, W., Miller, M., Stolfo, S., Zadok, E.: Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, 5–22 (2002)Google Scholar
  23. 23.
    Rossey, L., Cunningham, R., Fried, D., Rabek, J., Lippmann, R., Haines, J., Zissman, M.: LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed. In: Recent Advances in Intrusion Detection (2001)Google Scholar
  24. 24.
    White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasadm, S., Newboldm, M., Hiber, M., Barb, C., Joglekar, A.: An Integrated Experimental Environment for Distributed Systems and Networks. In: Proc. 5th USENIX Operating systems Design and Implementation Symposium (2002)Google Scholar
  25. 25.
    McAlerney, J.M.: An Internet Worm Propagation Data Model”. M.S. thesis, University of California, Davis (2004)Google Scholar
  26. 26.
    Lee, W., Stolfo, S.: Data Mining Approaches for Intrusion Detection. In: Proc. 7 th USENIX Security Symposium (1998)Google Scholar
  27. 27.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: Proc. 13th Systems Administration Conference, USENIX (1999)Google Scholar
  28. 28.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)CrossRefGoogle Scholar
  29. 29.
    Kruegel, C., Toth, T.: Flexible, Mobile Agent Based Intrusion Detection for Dynamic Networks. In: Proc. European Wireless (2002)Google Scholar
  30. 30.
    DNS Poisoning Summary (March 2005) (accessed July 2005),
  31. 31.
    How to Prevent DNS Cache Pollution, Article ID 241352 (accessed July 2005),;en-us;241352

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Marcus Tylutki
    • 1
  • Karl Levitt
    • 1
  1. 1.University of CaliforniaDavisUSA

Personalised recommendations