
dc.contributor.author: Eng, Pål Erik
dc.contributor.author: Haug, Morten
dc.date.accessioned: 2007-06-29T12:21:54Z
dc.date.issued: 2004
dc.identifier.uri: http://hdl.handle.net/11250/137248
dc.description: Master's thesis in information and communication technology 2004 - Høgskolen i Agder, Grimstad [en]
dc.description.abstract: Attacks on computer systems are a growing problem. According to CERT there were 137,529 reported incidents in 2003 in contrast to 82,094 reported incidents in 2002. As the number of incidents grows, the work of applying countermeasures to the incidents will take more and more of the system administrator's time. To ease this job an automated Intrusion Response System (IRS) could handle some of the incidents and apply the right countermeasure. An IRS is dependent on an Intrusion Detection System (IDS), and applies responses to the incidents reported by the IDS. These responses can range from logging the incident to launching a counterattack. In this thesis we have described IRS in general. We have also presented a new classification of IRS that classifies systems in more fine-grained categories than before. Some IRSs are presented in detail. Further, we have evaluated the architectures presented and refined one of them to suit a Network IDS. The enhanced architecture includes a new decision method which can group single incidents belonging to an attack. Another feature of the improved model is the integration of a more precise IDS confidence matrix. The framework is described in detail and we have developed a demonstrator to visualize a part of the framework. We have proposed solutions to integrate this enhanced architecture with Telenor's existing IDS, where at least one of them is feasible to implement. [en]
dc.format.extent: 589795 bytes
dc.format.mimetype: application/pdf
dc.language.iso: eng [en]
dc.publisher: Høgskolen i Agder
dc.publisher: Agder University College
dc.subject.classification: IKT590
dc.title: Automatic Response to Intrusion Detection [en]
dc.type: Master thesis [en]
dc.subject.nsi: VDP::Mathematics and natural science: 400::Information and communication science: 420::Security and vulnerability: 424

