Automated Response Actions

SoS Newsletter- Advanced Book Block


A recurring problem in cybersecurity is the need to automate systems to reduce human effort and error and to be able to react rapidly and accurately to an intrusion or insertion. The nine articles cited here describe a number of interesting approaches and a novel study using sunglass reflections to reconstruct keypad use on cellphones and other mobile devices.

  • "RRE: A Game-Theoretic Intrusion Response and Recovery Engine," Zonouz, S.A.; Khurana, H.; Sanders, W.H.; Yardley, T.M., IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 395-406, Feb. 2014. (ID#:14-1276) Available at: Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ART) to analyze undesired system-level security events within host computers and their countermeasures, using Boolean logic to combine lower-level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective response selection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system's current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.
  • "Exploring the prudent limits of automated cyber attack," Caton, J.L., 2013 5th International Conference on Cyber Conflict (CyCon), pp. 1-16, 4-7 June 2013. (ID#:14-1277) Available at: This paper places into conversation the notion of using automated cyber attacks as a part of preliminary defense, as the rates at which cyber conflicts occur far surpass the decision-making capability of world leaders. This paper discusses implementing necessary limits regarding the use of automated cyber attacks in national defense, as well as the implications and criteria considered when developing and deploying these systems. The Gerras critical thinking model is utilized to determine which criteria are necessary, and examines the use of automated cyber attacks in the context of a potential cyber resilience policy.
  • "S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems," Strasburg, C.; Basu, S.; Wong, J.S., 2013 IEEE 37th Annual Computer Software and Applications Conference (COMPSAC), pp. 319-328, 22-26 July 2013. (ID#:14-1278) Available at: As cyber threats increasingly utilize automated and adaptive attacks to bypass or overwhelm static defenses, the role of intrusion detection and response systems (IDRS) as an active defense layer is becoming more critical. To remain effective against current attacks, IDRS must be capable of automating detection of, and response to, threats in their specific environment. Different operating characteristics, detection capabilities, and response actions all contribute to make each environment unique, complicating this automation. In this work we consider IDRS automation in three areas: detector tuning, detector correlation, and response selection. We motivate and present a novel, more finely-grained model of threats, detectors, and responses called S-MAIDS: A Semantic Model of Automated Intrusion Detection Systems. Based on the concept of a "signal" (an observable indicator of an attack), we show the utility of combining such a model with an existing measure of IDRS performance to facilitate automated tuning, cross-system correlation, and response selection. We support our claims through several case studies demonstrating the application of this model, and provide the model as an OWL ontology.
  • "Complexity and emergence in ultra-tactical cyberspace operations," Caton, J.L., 2013 5th International Conference on Cyber Conflict (CyCon), pp. 1-14, 4-7 June 2013. (ID#:14-1279) Available at: This paper recognizes the implications of cyber situations that may occur, such as automated cyber attack responses, which can surpass the human ability to respond and intervene. The author explores the inclusion of the ultra-tactical, similar to human and machine cognition in decision making, into the classic strategic-operational-tactical approach. This paper analyzes attributes that enhance the complexity of cyberspace, the projected impacts on decision-making protocols, future methods to analyze the benefits and challenges of automated cyber responses, and the possible ability of future to correctly and dynamically distinguish between malicious threats and normal occurrences.
  • "RECLAMO: Virtual and Collaborative Honeynets Based on Trust Management and Autonomous Systems Applied to Intrusion Management," Gil Perez, M.; Mateos Lanchas, V.; Fernandez Cambronero, D.; Martinez Perez, G.; Villagra, V.A., 2013 Seventh International Conference on Complex, Intelligent, and Software Intensive Systems (CISIS), pp. 219-227, 3-5 July 2013. (ID#:14-1280) Available at: Security intrusions in large systems are a problem due to the lack of scalability of the current IDS-based approaches. This paper describes the RECLAMO project, where an architecture for an Automated Intrusion Response System (AIRS) is being proposed. This system will infer the most appropriate response for a given attack, taking into account the attack type, context information, and the trust and reputation of the reporting IDSs. RECLAMO is proposing a novel approach: diverting the attack to a specific honeynet that has been dynamically built based on the attack information. Among all components forming the RECLAMO architecture, this paper is mainly focused on defining a trust and reputation management model, essential to recognize whether IDSs are exhibiting honest behavior in order to accept their alerts as true. Experimental results confirm that our model helps to encourage or discourage the launch of the automatic reaction process.
  • "Cerebro: A platform for collaborative incident response and investigation," Connell, A.; Palko, T.; Yasar, H., 2013 IEEE International Conference on Technologies for Homeland Security (HST), pp. 241-245, 12-14 Nov. 2013. (ID#:14-1281) Available at: Today's incident response training, architectures, and methodologies are all built upon disconnected silos of domain expertise, but attacks upon an organization's critical information systems are not done in a disjointed way. Attacks on critical information systems and infrastructure are not solely network, or malware, or single disks; they are coordinated, large-scale multisite attacks done in an organized manner. With the increase in frequency and sophistication of these attacks, it is not enough to rely on intrusion detection systems, trusted IT staff, or organizational information security divisions. The velocity of a cyber-attack should be met with an equally coordinated response. There is a need to develop a platform that enables responders to establish trust and develop an effective collaborative response plan and investigation process across multiple organizations and legal bodies to track adversaries, mitigate the threat, get critical systems back online, and pursue legal action against the offenders. In this work we propose such a platform for efficient collaboration. The work is informed by the authors' practices in supporting law enforcement organizations dealing with large-scale distributed attacks on critical information systems and infrastructure and by an examination of Stuxnet, a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities. Based on these experiences of operational support, the authors propose Cerebro, an Extensible Large-Scale Analysis Platform designed to fuse structured domain-specific information, decision support, and collaboration in an automated fashion, to effectively detect and respond to such attacks.
  • "Automated digital forensic technique with intrusion detection systems," Barhate, K.; Jaidhar, C., 2013 IEEE 3rd International Advance Computing Conference (IACC), pp. 185-189, 22-23 Feb. 2013. (ID#:14-1282) Available at: In today's technology, new attacks are emerging day by day, which makes systems insecure even when they are wrapped with a number of security measures. An Intrusion Detection System (IDS) is used to detect the intrusion. Its prime function is to detect the intrusion and respond in a timely manner. In other words, the IDS function is limited to detection and response. The IDS is unable to capture the state of the system when an intrusion is detected. Hence, it fails to preserve the evidence against the attack in its original form. To maintain the completeness and reliability of evidence for later examination, a new security strategy is very much needed. In this research work, an automated Digital Forensic Technique with Intrusion Detection System is proposed. Once the IDS detects an intrusion, it sends an alert message to the administrator and then invokes the digital forensic tool to capture the state of the system. The captured image can be used as evidence in a court of law to prove the damage.


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.