A Security-policy Driven Distributed Incident Response Generator

Abstract

While the information security literature reported great advances in Intrusion Detection Systems (IDS) capabilities, it those systems have neglected their weaknesses in dealing with events that are detected when some state variable values are out of range but declared unknown because they could not find their definitions in the IDS databases. A Distributed Incident Response Generator (DIRG) is simply a distributed decision support system designed to generate incident responses in a distributed computing environment when the existing IDS system suspects an event that does not correspond to a known intrusion, residing in its databases. Since the suspected event is unknown to the IDS, the security administrator would have a great deal of uncertainty that should be feasibly managed to plan the appropriate incident response actions in a timely manner. In addition to the uncertainty associated with the suspected event, many data and information assets may be remotely located in a large organization, and an intrusion may be detected first in one location but not in others. In this case, a distributed stateful inspection of critical resources can help identify security incidents early enough to prevent further security compromises in the distributed computing environment. Every time the security administrator suspects an intrusion based on an IDS message of an unknown event, he/she creates several scenarios of possible security incidents that are compatible with a multiple-domain security knowledge designed to enforce the security policy of the organization. Values of state variables are collected from remote locations through distributed stateful inspection activities for the purpose of obtaining enough evidence to plan incident responses for the unknown event. The type of data involved in intrusion detection when ample uncertainty is present is often not suitable to formal statistical models and Bayesian modeling is not appropriate. This article proposes the adoption of Dempster and Shafer theory to process the intrusion data for the unknown event. The DIRG system engine transforms intrusion data into a belief structure using (1) the possible incident scenarios, (2) the consolidated stateful inspection data obtained throughout the distributed computing environment, and (3) the feasible security knowledge associated with the enforcement of the organization’s security policy. Belief values associated with various incident scenarios are then derived and evaluated to choose the most appropriate scenario for which an automatic incident response is generated. This article also provides a numerical example demonstrating the working of the DIRG system.