The continuous increase in the quantity and sophistication of cyberattacks is making it more difficult and error prone for system administrators to handle the alerts generated by intrusion detection systems (IDSs). To deal with this problem, several intrusion response systems (IRSs) have been proposed lately. IRSs extend the IDSs by providing an automatic response to the detected attack. Such a response is usually selected either with a static attack-response mapping or by quantitatively evaluating all available responses, given a set of predefined criteria. In this article, we introduce a probabilistic model-based IRS built on the Markov decision process (MDP) framework. In contrast to most existing approaches to intrusion response, the proposed IRS effectively captures the dynamics of both the defended system and the attacker and is able to compose atomic response actions to plan optimal multiobjective long-term response policies to protect the system. We evaluate the effectiveness of the proposed IRS by showing that long-term response planning always outperforms short-term planning, and we conduct a thorough performance assessment to show that the proposed IRS can be adopted to protect large distributed systems at runtime.

中文翻译：

---

基于模型的自主入侵防护响应规划策略

网络攻击的数量和复杂程度不断增加，使得系统管理员处理入侵检测系统 (IDS) 生成的警报变得更加困难和容易出错。为了解决这个问题，最近提出了几种入侵响应系统（IRS）。IRS 通过对检测到的攻击提供自动响应来扩展 IDS。给定一组预定义的标准，通常使用静态攻击响应映射或通过定量评估所有可用响应来选择此类响应。在本文中，我们介绍了一种基于概率模型的 IRS，该 IRS 建立在马尔可夫决策过程 (MDP) 框架上。与大多数现有的入侵响应方法相比，所提出的 IRS 有效地捕捉了被防御系统和攻击者的动态，并能够组合原子响应动作来规划最优的多目标长期响应策略来保护系统。我们通过表明长期响应计划总是优于短期计划来评估提议的 IRS 的有效性，并且我们进行了彻底的性能评估以表明提议的 IRS 可以用于在运行时保护大型分布式系统。