RRE: A game-theoretic intrusion response and recovery engine

Saman A. Zonouz, Himanshu Khurana, William H. Sanders, Timothy M. Yardley

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

71 Scopus citations

Abstract

Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the Response and Recovery Engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. RRE applies attack-response trees to analyze undesired security events and their countermeasures using Boolean logic to combine lower-level attack consequences. In addition, RRE accounts for uncertainties in intrusion detection alert notifications. RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. Experimental results show that RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 900 nodes.

Original language: English (US)
Title of host publication: Proceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009
Pages: 439-448
Number of pages: 10
DOIs: https://doi.org/10.1109/DSN.2009.5270307
State: Published - Nov 25 2009
Event: 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009 - Lisbon, Portugal
Duration: Jun 29 2009 to Jul 2 2009

Publication series

Name: Proceedings of the International Conference on Dependable Systems and Networks

Other

Other: 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009
Country: Portugal
City: Lisbon
Period: 6/29/09 to 7/2/09

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications


Cite this

Zonouz, S. A., Khurana, H., Sanders, W. H., & Yardley, T. M. (2009). RRE: A game-theoretic intrusion response and recovery engine. In Proceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009 (pp. 439-448). [5270307] (Proceedings of the International Conference on Dependable Systems and Networks). https://doi.org/10.1109/DSN.2009.5270307