
Proceedings of the 2008 IEEE International Conference on Information and Automation
June 20-23, 2008, Zhangjiajie, China

Automatic Intrusion Response System Based on Aggregation and Cost

Yu Sun (1), Rubo Zhang (2)

(1) College of Information, Guangdong Ocean University, Zhanjiang 524088, China
(2) College of Computer Science and Technology, Harbin Engineering University, Harbin 150001, China
yusun0815@yahoo.com.cn, zrbzrb@hrbeu.edu.cn

Abstract - Automating the response to detected intrusions is one of the most significant open issues in intrusion detection, yet it has so far been largely overlooked and requires research in its own right. A second weakness of current intrusion detection systems is that they often generate many identical or similar alerts for a single intrusion, as well as alerts for attacks to which the target system is immune; responding to each of these repeatedly wastes a great deal of time. We therefore use alert aggregation to group the alerts and a response-cost model to discard alerts the system is immune to. Finally, the paper presents a model of an automatic intrusion response system and describes its implementation in detail.

I. INTRODUCTION

With the rapid development of the Internet and the arrival of the information age, networks affect society and people's lives more and more significantly. Intrusion incidents are increasing in number and becoming increasingly sophisticated: according to its annual reports, the CERT Coordination Center (CERT/CC) handled 137,529 computer security incidents in 2003 [1].

Over the past twenty years, a great deal of research has been devoted to the development of Intrusion Detection Systems (IDSs). IDSs are security tools used to detect traces of malicious activity targeted against networks and their resources. IDS technology has by now gained wide acceptance in the computer security domain and is relatively mature. The response to detected incidents, however, is a separate and significant issue that has so far been largely overlooked and therefore requires research in its own right. An Intrusion Response System (IRS) carries out a series of actions and countermeasures when an intrusion is detected.
An interesting piece of research, the Survivable Autonomic Response Architecture (SARA) [2], uses the term autonomic response by analogy with the autonomic nervous system, which controls certain functions of an organism automatically, without any conscious input. Another cooperative model is EMERALD, a distributed framework for network monitoring, intrusion detection and automated response proposed by Porras and Neumann [3]; its response component, the Resolver, is responsible for analyzing attack reports and coordinating response efforts. The Cooperative Intrusion Traceback and Response Architecture (CITRA) presented in [4] is an example of a cooperative agent-based system. It uses a neighborhood structure in which information about a detected intrusion is propagated back through the neighborhood towards the source of the attack and submitted to a centralized authority, the Discovery Coordinator, which finally determines an optimal system response. Carver [5] presents a response taxonomy and an adaptive intrusion response system (AAIRS). A similar feedback-based adaptation concept is used in ADEPTS [6], where an effectiveness index, a metric of how effective a response action is against a particular attack, is decreased whenever the action fails.

978-1-4244-2184-8/08/$25.00 2008 IEEE.
The remainder of this paper is organized as follows. The next section discusses related work. Section 3 presents a model of automatic intrusion response, ACAIRS. Section 4 describes the implementation of ACAIRS. Section 5 concludes the paper and points out some directions for future research.
II. PREVIOUS WORK

A. Manual and Automatic Responses

The detection of a suspected intrusion typically triggers a manual intervention by a system administrator once an alert message has been received from the IDSs. Responding manually to intrusions is not necessarily an easy task, however, and can represent a significant administrative overhead: it may involve dealing with a large number of alerts and notifications from the IDSs, keeping up with security bulletins and advisories from incident response teams, and taking appropriate action to resolve each reported alert.

The success rate of an intrusion depends strongly on the interval between the time the attack is detected and the time a response is made. If a proper response is made as soon as the intrusion is detected, the success rate of the intrusion drops dramatically, almost to zero [7].

Another factor that highlights the need for automatic response is the changing nature of the techniques employed by attackers, including the widespread use of automated scripts to generate attacks of a distributed nature [8]. These further diminish the ability to respond manually, since there is practically no time available to do so.

Up to now, the degree of automation in current IDSs has been very low, being largely limited to passive responses (e.g. alarms, notifications and e-mail).
B. Cost-Sensitive Model

To build cost-sensitive models, we must first understand the relevant cost factors and the metrics used to define them. Wenke Lee [9] identifies the following major cost factors: damage cost and response cost.
1) Damage cost (DCost) characterizes the amount of damage done to a target resource by an attack when intrusion detection is unavailable or ineffective.
2) Response cost (RCost) is the cost of acting upon an alarm or log entry that indicates a potential intrusion.
Both DCost and RCost must be considered when deciding whether to respond. If the damage an attack does to resource r is less than RCost, ignoring the attack actually reduces the overall cost. For an intrusion incident e: if $\mathrm{RCost}(e) > \mathrm{DCost}(e)$, the intrusion is not responded to beyond logging its occurrence, and the loss is $\mathrm{DCost}(e)$; if $\mathrm{RCost}(e) \le \mathrm{DCost}(e)$, the intrusion is acted upon and the loss is limited to $\mathrm{RCost}(e)$. In reality, however, by the time an attack is detected and a response follows, some damage may already have been incurred.
III. A MODEL OF AUTOMATIC INTRUSION RESPONSE

This paper introduces an Aggregation and Cost Based Automatic Intrusion Response System (ACAIRS). The structure of ACAIRS is shown in Figure 1.

Figure 1. The structure of ACAIRS

1) IDSs
Intrusions are captured by the IDSs and written to a database. This paper uses Snort and MySQL as the supporting tools.
2) Interface
When a new intrusion has been detected, the Interface reads the database and passes the available data to the Clustering Model (the Alert Aggregation component).
3) Alert Aggregation
One of the main weaknesses of current IDSs is that they often generate many identical or similar alerts for a single intrusion, which leaves administrators baffled by the sheer amount of data. Aggregation is therefore used to categorize the alerts.
4) Response Process Unit (RPU)
The RPU is the most important module of ACAIRS. It responds to each alert while taking a large number of factors into account.
5) Response Actions
Response Actions holds the details of the available response actions, enabling the selection of responses with the most appropriate characteristics.
6) Response Cost
Response Cost stores the cost of damage to a target resource (DCost) and the cost of acting upon an alarm (RCost) for every kind of intrusion.
7) Response Policy
Response Policy uses expert-system technology to indicate the most desirable characteristics for a response under the current conditions.
8) Response Log
Response Log records the response process in detail.

IV. THE IMPLEMENTATION OF THE MODEL

A. Alert Aggregation
MIT Lincoln Lab [10] first categorizes the intrusions occurring in its dataset into U2R, DOS, R2L and PROBE according to the result of the intrusion. Within each category, the intrusions are further partitioned by the technique used to execute them, and the intrusions of each sub-category can be partitioned again according to attack type name, destination IP address and time interval. Let S be the similarity of two intrusion incidents, and let A, D and I be the similarity of their attack type names, destination IP addresses and time interval respectively. For every pair of alerts they are computed as follows.

1) Attack type name

$$A = \begin{cases} 1 & \text{names are identical} \\ 0 & \text{names are not identical} \end{cases} \qquad (1)$$

2) Destination IP address
As an attacker may launch attacks from spoofed source IP addresses, it is useful to quantify the proximity of the two destination IP addresses instead. D = 1 when the two destination IP addresses are identical, and D = 0 when there is no way the two addresses could be on the same subnet.

$$D = \begin{cases} 1 & \text{IP addresses are identical} \\ 0.5 & \text{IP addresses are not identical but on the same subnet} \\ 0 & \text{IP addresses are not on the same subnet} \end{cases} \qquad (2)$$

3) Interval
Let T be the time interval between the two incidents, measured in minutes.

$$I = \begin{cases} 1 & T \le 10\ \text{min} \\ (30 - T)/20 & 10\ \text{min} < T \le 30\ \text{min} \\ 0 & T > 30\ \text{min} \end{cases} \qquad (3)$$

so that I falls linearly from 1 at T = 10 min to 0 at T = 30 min.

Combining (1), (2) and (3):

$$S = A + D + I \qquad (4)$$

A threshold is defined separately for each of the four categories. For example, when a new alert with incident number N arrives from the Interface, it is compared with each of the N - 1 earlier alerts before being written to the database, giving the set $S_N = \{S_1, S_2, \ldots, S_{N-1}\}$ of similarities. Then

$$S_M = \max(S_N) \qquad (5)$$

where n denotes the index of the earlier alert for which $S_M$ is attained. If $S_M$ is less than the threshold of the category, a new sub-category is created and the alert is treated as a new alert that needs to be responded to. Otherwise, the new alert joins the sub-category containing alert n and is regarded as a repeat alert.
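The following Python module is an added example, not code from the paper or the ACAIRS implementation. It carries equations (1) to (5) through end to end: the three similarity terms, their sum S, the per-category maximum over earlier alerts, and the join-or-create decision. The per-category thresholds, the /24 subnet size used for D, and the sample alerts are assumptions, since the paper defines a threshold per category but publishes neither the values nor the subnet granularity.

```python
"""Alert aggregation following ACAIRS equations (1)-(5).

Added example, not code from the paper. Assumed: thresholds per category,
/24 subnets for the destination-IP term, and the constructed sample alerts.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The four MIT Lincoln Lab categories used by the paper.
CATEGORIES = ("U2R", "DOS", "R2L", "PROBE")

# Assumed per-category thresholds on S = A + D + I (S ranges over 0..3).
THRESHOLDS = {"U2R": 2.0, "DOS": 2.0, "R2L": 2.0, "PROBE": 1.5}


@dataclass
class Alert:
    number: int        # incident number N
    category: str      # one of CATEGORIES
    name: str          # attack type name
    dst_ip: str        # destination IP address
    time_min: float    # detection time in minutes


def sim_name(a: Alert, b: Alert) -> float:
    """Equation (1): 1 if the attack type names are identical, else 0."""
    return 1.0 if a.name == b.name else 0.0


def sim_dst_ip(a: Alert, b: Alert, prefix: int = 24) -> float:
    """Equation (2): 1 identical, 0.5 same subnet, 0 otherwise.
    The paper does not fix the subnet size; a /24 is assumed here."""
    if a.dst_ip == b.dst_ip:
        return 1.0
    net_a = ipaddress.ip_network(f"{a.dst_ip}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b.dst_ip}/{prefix}", strict=False)
    return 0.5 if net_a == net_b else 0.0


def sim_interval(a: Alert, b: Alert) -> float:
    """Equation (3): 1 up to 10 min, linear decay to 0 at 30 min."""
    t = abs(a.time_min - b.time_min)
    if t <= 10:
        return 1.0
    if t <= 30:
        return (30 - t) / 20
    return 0.0


def similarity(a: Alert, b: Alert) -> float:
    """Equation (4): S = A + D + I."""
    return sim_name(a, b) + sim_dst_ip(a, b) + sim_interval(a, b)


class Aggregator:
    """Keeps the earlier alerts of each category and their sub-category ids."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = dict(thresholds)
        self.history = {c: [] for c in CATEGORIES}   # category -> [Alert]
        self.subcat_of = {}                           # alert number -> sub-category id
        self._next_subcat = 0

    def add(self, new: Alert) -> tuple[bool, int]:
        """Return (is_repeat, sub-category id) for the new alert.

        Equation (5): S_M is the maximum similarity to the N-1 earlier alerts
        of the same category. Below the category threshold a new sub-category
        is opened; otherwise the alert joins the sub-category of the alert n
        at which S_M is attained and counts as a repeat.
        """
        earlier = self.history[new.category]
        if earlier:
            best = max(earlier, key=lambda old: similarity(new, old))
            if similarity(new, best) >= self.thresholds[new.category]:
                subcat = self.subcat_of[best.number]
                self._record(new, subcat)
                return True, subcat
        subcat = self._next_subcat
        self._next_subcat += 1
        self._record(new, subcat)
        return False, subcat

    def _record(self, alert: Alert, subcat: int) -> None:
        self.history[alert.category].append(alert)
        self.subcat_of[alert.number] = subcat


def demo() -> list[tuple[bool, int]]:
    """Constructed sample alerts (not from any real capture)."""
    agg = Aggregator()
    alerts = [
        Alert(1, "PROBE", "portscan", "10.0.1.5", 0.0),
        Alert(2, "PROBE", "portscan", "10.0.1.5", 4.0),    # same host, 4 min later: S = 3
        Alert(3, "PROBE", "portscan", "10.0.1.9", 20.0),   # same /24, 16 min after #2: S = 2.2
        Alert(4, "PROBE", "portscan", "10.0.9.1", 60.0),   # other subnet, stale: S = 1 -> new
        Alert(5, "DOS", "synflood", "10.0.1.5", 5.0),      # first DOS alert -> new
    ]
    return [agg.add(a) for a in alerts]


if __name__ == "__main__":
    for n, (repeat, sub) in enumerate(demo(), start=1):
        print(f"alert {n}: {'repeat' if repeat else 'new'} (sub-category {sub})")
```

The comparison is restricted to earlier alerts of the same category, which is the behaviour the Figure 2 discussion describes (an alert is first assigned to its category, then matched against that category's sub-categories). Note that S is a sum, so two of the three terms at full strength are enough to clear a threshold of 2.0 even when the third is zero; the threshold is what decides how aggressive the de-duplication is.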

Figure 2. An example of joining a sub-category and of creating a new sub-category

Figure 2 shows the process of alert aggregation. The four colors represent the four categories and the different small shapes denote sub-categories. When a white square arrives, it is first assigned to U2R, whose color is white; the computation above then finds a similar sub-category within U2R, and the alert is sent there. When a gray triangle arrives, it is assigned to R2L, whose color is gray; since R2L contains no similar sub-category, a new sub-category is created and the alert is added to it.

B. Determination of Response

After a new alert has been detected and aggregated, the next step is to decide whether it is worth responding to. The output of the IDSs contains not only repeated and similar alerts but also system-immune alerts: real attacks that cannot harm their targets. These should be filtered out before the final response.

1) Response Imminence
To decide which alerts should be ignored and which should be responded to, and with what kind of policy, a single factor is needed. Response Imminence (RI) represents the danger that arises after an intrusion has occurred: the higher RI is, the more severe the response. If RI is below a certain threshold, the alert is ignored. RI is influenced by several factors.

Alert Confidence
Each IDS attaches a confidence to its alerts. As the confidence increases, the value of RI is raised.

Operating System
This factor holds the list of operating systems installed on the target, their versions and their most recent updates. Knowing the installed operating system makes it possible to determine whether the target is vulnerable to the attack at all, which in turn affects RI.

System Vulnerability
System Vulnerability records all operating-system vulnerabilities published up to the minute, together with the vulnerability the attack is attempting to exploit. By identifying the relevant vulnerability, the RPU can estimate which action should be adopted.

System Importance
System Importance states whether the target is a host, a server or a router; different targets have different degrees of importance. For instance, the RI of a router is higher than that of a host, because if a router is attacked, the many hosts connected to it are endangered as well.

2) Assistant Information
Assistant Information holds information about the machines in the local protected network. It can adjust the value of RI, and it can also supply information to the Response Process Unit when the attacked target is unavailable as a result of the intrusion.
3) Response Cost
This is another critical factor affecting RI; this paper uses the costs given by Wenke Lee [9].

TABLE I
THE COST OF CATEGORY

Category   Sub-Category   DCost   RCost
ROOT       local            100      40
ROOT       remote           100      60
R2L        single            50      20
R2L        multiple          50      40
DOS        crashing          30      10
DOS        consumption       30      15
PROBE      simple             2       5
PROBE      stealth            2       7

If DCost > RCost, the alert should be dealt with, and the larger DCost is, the greater its influence on RI. Conversely, both PROBE rows have DCost below RCost, so probes are logged but not otherwise responded to under this table.
C. Selection of Response

1) Response Type
Response types fall into two groups, passive and active; each response action is associated with one of them.

Passive responses:
- Ignoring
- Recording log
- Sending e-mail
- Alerting administrator

Active responses:
- Collecting more information
- Protecting resources
- Limiting permitted user behavior
- Terminating network connections
- Blocking network traffic through firewalls


2) Selecting Appropriate Policy

Responses are derived from predefined rules that suggest which response actions should be considered for specific intrusions, and under which conditions. Selecting an appropriate policy is nevertheless important and necessary, and determining the appropriate response characteristics involves more generic rules.
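As an added example (not code from the paper or from ACAIRS), the following Python puts the cost test of Table I in Section IV.B and the rule examples that Figure 3 and the accompanying text describe into one decision procedure. The DCost and RCost values are the paper's (from Wenke Lee [9]); the formula that combines the RI factors, the RI and confidence thresholds, the System Importance weights and the fallback action are assumptions, because the paper lists the RI factors but gives no formula for combining them.

```python
"""Cost-based response determination and policy selection for ACAIRS.

Added example, not code from the paper. Table I costs are the paper's.
Assumed: the RI formula, thresholds, importance weights, fallback action
and the constructed sample alerts.
"""
from __future__ import annotations

from dataclasses import dataclass

# Table I: (category, sub-category) -> (DCost, RCost)
COSTS = {
    ("ROOT", "local"): (100, 40),
    ("ROOT", "remote"): (100, 60),
    ("R2L", "single"): (50, 20),
    ("R2L", "multiple"): (50, 40),
    ("DOS", "crashing"): (30, 10),
    ("DOS", "consumption"): (30, 15),
    ("PROBE", "simple"): (2, 5),
    ("PROBE", "stealth"): (2, 7),
}
MAX_DCOST = max(d for d, _ in COSTS.values())

# Assumed System Importance weights (the paper only says router > host).
IMPORTANCE = {"host": 1.0, "server": 1.5, "router": 2.0}
RI_THRESHOLD = 0.4    # assumed: below this the alert is ignored
RI_HIGH = 0.8         # assumed: "RI is higher" in the Figure 3 rules
CONF_HIGH = 0.8       # assumed: "alert confidence is high"


@dataclass
class Alert:
    category: str       # ROOT | R2L | DOS | PROBE (Table I naming)
    subcategory: str    # Table I sub-category
    confidence: float   # 0..1, supplied by the IDS
    target_type: str    # host | server | router (System Importance)
    vulnerable: bool    # OS / System Vulnerability lookup says target is exposed


def costs(alert: Alert) -> tuple[int, int]:
    """Look up (DCost, RCost) for the alert's category and sub-category."""
    return COSTS[(alert.category, alert.subcategory)]


def response_imminence(alert: Alert) -> float:
    """Assumed combination of the RI factors of Section IV.B.

    A target that is not vulnerable makes the alert system-immune (RI = 0).
    Otherwise confidence is scaled by System Importance and by DCost
    relative to the largest DCost in Table I, and capped at 1.
    """
    if not alert.vulnerable:
        return 0.0
    dcost, _ = costs(alert)
    ri = alert.confidence * IMPORTANCE[alert.target_type] * (dcost / MAX_DCOST)
    return min(ri, 1.0)


def select_response(alert: Alert) -> list[str]:
    """Apply the rules described with Figure 3 and return the action list."""
    dcost, rcost = costs(alert)
    ri = response_imminence(alert)
    # Rule 1: DCost <= RCost or RI below threshold -> only record a log.
    if dcost <= rcost or ri < RI_THRESHOLD:
        return ["record log"]
    actions: list[str] = []
    # Rule 2: DOS with high confidence -> block traffic at the firewall.
    if alert.category == "DOS" and alert.confidence >= CONF_HIGH:
        actions.append("block network traffic through firewall")
    # Rule 3: high RI against a server -> restrict users and alert the
    # administrator; the server is never disconnected automatically.
    if ri >= RI_HIGH and alert.target_type == "server":
        actions += ["limit permitted user behavior", "alert administrator"]
    # Assumed fallback when DCost > RCost but no specific rule matched.
    if not actions:
        actions = ["collect more information", "alert administrator"]
    return actions


def demo() -> dict[str, list[str]]:
    """Constructed sample alerts (not from any real capture)."""
    cases = {
        # DCost 2 < RCost 5: not worth responding to, even on a server.
        "probe_on_server": Alert("PROBE", "simple", 0.9, "server", True),
        # Real attack, but the target is not vulnerable: system-immune alert.
        "immune_root": Alert("ROOT", "remote", 0.9, "host", False),
        # High-confidence root compromise against a vulnerable server.
        "root_on_server": Alert("ROOT", "remote", 0.9, "server", True),
        # High-confidence DOS against a router.
        "dos_on_router": Alert("DOS", "crashing", 0.95, "router", True),
        # Low-confidence R2L against an ordinary host: RI below threshold.
        "weak_r2l": Alert("R2L", "single", 0.5, "host", True),
        # High RI but neither a server nor DOS: assumed fallback applies.
        "r2l_on_router": Alert("R2L", "multiple", 0.9, "router", True),
    }
    return {name: select_response(a) for name, a in cases.items()}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name}: {', '.join(actions)}")
```

The two filters of Section IV.B are visible as the first rule: the Table I comparison removes alerts whose response would cost more than the damage (here every PROBE), and the RI threshold removes system-immune alerts, which the assumed formula drives to zero whenever the target is not vulnerable. Only alerts that pass both reach the active-response rules.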

Figure 3. Examples of the rules

Some examples of these rules are illustrated in Figure 3. If $\mathrm{DCost} \le \mathrm{RCost}$ or RI is below its threshold, nothing is done beyond recording a log. Otherwise, when $\mathrm{DCost} > \mathrm{RCost}$, if RI is high and the System Type is a server, the actions taken are limiting permitted user behavior and alerting the administrator: taking a server off the network is too disruptive to do automatically, so the administrator is notified to decide on that step. Additionally, if the intrusion type is DOS and the alert confidence is high, blocking network traffic is the best response, as a DOS attack can severely damage system resources.

The Response Process Unit makes all the components work together; it is the center of ACAIRS. Once a policy has been selected, the RPU uses the Response Toolkit to execute the actions according to the rules.

V. CONCLUSIONS AND FUTURE WORK

This paper presents an alert aggregation method that addresses the problem of many repeated or similar alerts, then proposes a model of an automatic intrusion response system and describes its design and implementation in detail. Automatic intrusion response approaches such as the one described here have the potential to significantly reduce the burden on system administrators. Nonetheless, several aspects still need improvement. Work is under way to improve ACAIRS and to measure its efficiency and performance.

REFERENCES
[1] CERT Coordination Center. CERT/CC Statistics 1988-2005. http://www.cert.org/stats/cert_stats.html.
[2] S. Lewandowski, D. Van Hook, G. O'Leary, J. Haines, Rosse. Survivable Autonomic Response Architecture. In Proceedings of DISCEX II, Anaheim, CA, 2001.
[3] P. Porras and P. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the 1997 National Information Systems Security Conference, 1997.
[4] D. Schnackenberg, H. Holliday, R. Smith, et al. Cooperative Intrusion Traceback and Response Architecture (CITRA). In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX I), 2001.
[5] C. A. Carver, J. M. D. Hill, U. W. Pooch. Limiting Uncertainty in Intrusion Response. In Proceedings of the Second Annual IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, West Point, NY, June 5-6, 2001.
[6] B. Foo, Y. S. Wu, Y. C. Mao, S. Bagchi, E. H. Spafford. ADEPTS: Adaptive Intrusion Response Using Attack Graphs in an E-Commerce Environment. In Proceedings of the 2005 International Conference on Dependable Systems and Networks, pp. 508-517, 2005.
[7] F. B. Cohen. Simulating Cyber Attacks, Defenses, and Consequences. http://all.net/journal/ntb/simulate/simulate.html.
[8] M. Papadaki, S. M. Furnell, S. J. Lee, B. L. Lines, P. L. Reynolds. Enhancing Response in Intrusion Detection Systems. Journal of Information Warfare, 2(1), pp. 90-102, 2002.
[9] W. Lee. Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, 10(1/2), pp. 318-336, 2002.
[10] Intrusion Detection Attacks Database. http://www.ll.mit.edu/IST/ideval/docs/1999/attackDB.html.
