An intrusion response decision-making model based on hierarchical task network planning

  • Authors:

  • Chengpo Mu;Yingjiu Li

  • Affiliations:

  • The Key Laboratory for Mechatronic Engineering and Control, Beijing Institute of Technology, 100081 Beijing, PR China;School of Information Systems, Singapore Management University, 178902 Singapore, Singapore

  • Venue:
  • Expert Systems with Applications: An International Journal
  • Year:
  • 2010

Quantified Score

Hi-index 12.05

Visualization

Abstract

An intrusion response decision-making model based on hierarchical task network (HTN) planning is presented in the paper. Compared with other response decision-making models, the response decision-making model consists of not only the response measure decision-making process but also response time decision-making process that is firstly proposed in the paper. The response time decision-making model is able to determine response time for different response HTN subtasks. Owing to the introduction of the response time decision-making, the intrusion response system can apply different response strategies to achieve different response goals set by administrators. The proposed response measure decision-making model can optimize a response plan by balancing the response effectiveness and the response negative impact in both a single response measure and a set of response measures. The response decision-making model is self-adaptive and has the ability of tolerating to false positive IDS alerts. The proposed model has been used in the intrusion detection alert management and intrusion response system (IDAM&IRS) developed by us. The functions and architecture of IDAM&IRS are introduced in this paper. In addition, the intrusion response experiments of IDAM&IRS are presented, and the features of the response decision-making model are summarized.