Get access

A response selection model for intrusion response systems: Response Strategy Model (RSM)

Authors

  • Nor Badrul Anuar,

    Corresponding author
    1. Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia
    2. Security Research Group (SECReg), University of Malaya, Kuala Lumpur, Malaysia
    • Correspondence

      Nor Badrul Anuar, Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia.

      E-mail: badrul@um.edu.my

    Search for more papers by this author
  • Maria Papadaki,

    1. Centre for Security, Communications and Network Research, Plymouth University, Plymouth, U.K
    Search for more papers by this author
  • Steven Furnell,

    1. Centre for Security, Communications and Network Research, Plymouth University, Plymouth, U.K
    2. School of Computer and Security Science, Edith Cowan University, Perth, Western Australia
    Search for more papers by this author
  • Nathan Clarke

    1. Centre for Security, Communications and Network Research, Plymouth University, Plymouth, U.K
    2. School of Computer and Security Science, Edith Cowan University, Perth, Western Australia
    Search for more papers by this author

ABSTRACT

Intrusion response systems aim to provide a systematic procedure to respond to incidents. However, with different type of response options, an automatic response system is designed to select appropriate response options automatically in order to act fast to respond to only true and critical incidents as well as minimise their impact. In addition, incidents also can be prioritised into different level of priority where some incidents may cause a serious impact (i.e. high priority) and other may not (i.e. low priority). The existing strategies inherit some limitation such as using complex approaches and less efficient in mapping appropriate response based upon incidents' priority. Therefore, this study introduces a model called response strategy model to address the aforementioned limitation. In order to validate, it was evaluated using two datasets: DARPA 2000 and private dataset. The case study results have shown a significant relationship between the incident classification and incident priorities where false incidents are likely to be categorised as low priority and true incidents are likely to be categorised as the high priority. In particular, with response strategy model, an average of 92.68% of the false incidents was prioritised as the lowest priority is better compared with only 67.07% with Snort priority. Copyright © 2013 John Wiley & Sons, Ltd.

Ancillary