RRE: A game-theoretic intrusion response and recovery engine

Saman A. Zonouz, Himanshu Khurana, William H. Sanders, Timothy M. Yardley

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

69 Citations (Scopus)

Abstract

Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the Response and Recovery Engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. RRE applies attack-response trees to analyze undesired security events and their countermeasures using Boolean logic to combine lower-level attack consequences. In addition, RRE accounts for uncertainties in intrusion detection alert notifications. RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. Experimental results show that RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 900 nodes.

Original language: English
Title of host publication: Proceedings of the International Conference on Dependable Systems and Networks
Pages: 439-448
Number of pages: 10
DOI: 10.1109/DSN.2009.5270307
State: Published - Nov 25 2009
Event: 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009 - Lisbon, Portugal
Duration: Jun 29 2009 to Jul 2 2009

Event details

Event: 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009
Country: Portugal
City: Lisbon
Period: 6/29/09 to 7/2/09

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software

Cite this

Zonouz, S. A., Khurana, H., Sanders, W. H., & Yardley, T. M. (2009). RRE: A game-theoretic intrusion response and recovery engine. In Proceedings of the International Conference on Dependable Systems and Networks (pp. 439-448). [5270307] https://doi.org/10.1109/DSN.2009.5270307

@inproceedings{5d9b27daab4846249166d1f32f37ed33,
title = "RRE: A game-theoretic intrusion response and recovery engine",
author = "Zonouz, {Saman A.} and Himanshu Khurana and Sanders, {William H.} and Yardley, {Timothy M.}",
year = "2009",
month = "11",
day = "25",
doi = "10.1109/DSN.2009.5270307",
language = "English",
isbn = "9781424444212",
pages = "439--448",
booktitle = "Proceedings of the International Conference on Dependable Systems and Networks",

}
