Concepedia

Publication | Closed Access

Towards cost-sensitive assessment of intrusion response selection

Citations: 21

References: 18

Year: 2012

Abstract

In recent years, cost-sensitive intrusion response has gained significant interest, mainly due to its emphasis on the balance between the potential damage incurred by the intrusion and the cost of the response. However, one of the challenges in applying this approach is defining consistent and adaptable measurements of these cost factors on the basis of the requirements and policy of the system being protected against intrusions. In this paper we present a framework for the cost-sensitive selection of intrusion response. Specifically, we introduce a set of measurements that characterize potential costs associated with the intrusion handling process and propose an evaluation method for intrusion response with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. We provide an implementation of the proposed solution as a plugin tool for Snort IDS and demonstrate its advantages on the DARPA data set and real network traffic.
