Abstract

In recent years, cost-sensitive intrusion response has gained significant interest, mainly due to its emphasis on the balance between potential damage incurred by the intrusion and cost of the response. However, one of the challenges in applying this approach is defining a consistent and adaptable measurement of these cost factors on the basis of system requirements and policy. In this paper,we present a host-based framework for the cost-sensitive assessment and selection of intrusion response. Specifically,we introduce a set of measurements that characterize the potential costs associated with the intrusion handling process, and propose an intrusion response evaluation method with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. We provide an implementation of the proposed solution as an IDS-independent plugin tool and demonstrate its advantages on the several attack examples.