Visible to the public RRE: A Game-Theoretic Intrusion Response and Recovery Engine

TitleRRE: A Game-Theoretic Intrusion Response and Recovery Engine
Publication TypeJournal Article
Year of Publication2014
AuthorsZonouz, S.A., Khurana, H., Sanders, W.H., Yardley, T.M.
JournalParallel and Distributed Systems, IEEE Transactions on
Date PublishedFeb
KeywordsART, attack-response trees, automated response techniques, Boolean functions, Boolean logic, computer network security, Computers, decision theory, detection algorithms, Engines, fuzzy logic theory, fuzzy rule set, fuzzy set theory, fuzzy system, game-theoretic intrusion response and recovery engine strategy, game-theoretic optimization process, Games, Intrusion detection, Intrusion response systems, lower level attack consequences, Markov processes, network level game-theoretic response selection engine, network security property, network-level multiobjective response selection, network-level security metric values, networked computing systems, nonlinear inference, optimal network-level response actions, partially observable competitive Markov decision process, RRE, security, Snort alerts, stochastic games, Subspace constraints, system-level security events, trees (mathematics), two-player Stackelberg stochastic game, Uncertainty

Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ART) to analyze undesired system-level security events within host computers and their countermeasures using Boolean logic to combine lower level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. To support network-level multiobjective response selection and consider possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., security levels of the system's current and potentially future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine, are first fed into the fuzzy system that is in charge of a nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. Consequently, the optimal network-level response actions are chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks for which attack-response trees have more than 500 nodes.

Citation Key6583161