Definition of response metrics for an ontology-based Automated Intrusion Response Systems

The main purpose of an AIRS (Automated Intrusion Response System) is to choose and execute the optimum response when the different security-event network detection sources detect security intrusions. The inference of the most suitable response should be made according to a set of response metrics that specify different rules for selecting a specific response according to some context and input parameters and the weight associated with each of them. Furthermore, the Semantic Web Rule Language (SWRL) can be used to specify these response metrics, providing an open and extensible framework for the behavior description of an AIRS, able to be integrated with the increasing number of Semantic Web tools. The aim of this paper is to study and characterize these metrics, as well as defining a set of response metrics for an AIRS, specifying these metrics with SWRL rules and testing their execution with Semantic Web current technologies. Finally, some results are shown concerning the inferred responses and performance of this SWRL-based reasoning.

Figure optionsDownload as PowerPoint slideHighlights
► We propose three response metrics to infer the best response against detected attacks.
► The metrics depend on the intrusion impact, the severity/cost/success of responses.
► The SWRL language is proposed for the formal definition of these metrics.
► The metrics are included in rules which govern the inference process of the AIRS.