Article code: 454572
Journal code: 695234
Publication year: 2009
English article: 10 pages
Full-text version: PDF, free download
English title of the ISI article
Measuring IDS-estimated attack impacts for rational incident response: A decision theoretic approach
Related subjects
Engineering and basic sciences; Computer engineering; Computer networks and communications
English abstract

Intrusion detection systems (IDS) play a vital role in defending our cyberspace against attacks. Misuse-based IDS, anomaly-based IDS, or their combinations, however, can only partially reflect the true system state because of excessive false alerts, low detection rates, and inaccurate incident diagnosis. An automated response component built upon an IDS must therefore account for the stale and imperfect picture inferred from its alerts and take action accordingly. This article presents an approach for measuring attack impact from the evidence of IDS alerts, with the objective of suggesting a rational response through cost-benefit analysis. More specifically, based on the very realistic assumption that a system evolves as a Markov decision process conditioned upon the current system state, imperfect observation, and action, we use a partially observable Markov decision process (POMDP) to model the efficacy of the IDS as a probabilistic assessment of the state of system assets, and to maximize a reward signal (defined as a function of both cost and benefit) by taking appropriate actions in response to the estimated system states in terms of desirable security properties. The ultimate goal is to move the system to more secure states with respect to pre-specified security metrics, and to assist system administrators in identifying the best tradeoff between the cost and benefit of security policies. Finally, we use a benchmark data set to illustrate the application of our methodology in practice and conduct a proof-of-concept validation of its feasibility and efficiency.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 28, Issue 7, October 2009, Pages 605–614
Authors