A framework for cost-sensitive automated selection of intrusion response

Date
2009-01-01
Authors
Strasburg, Christopher
Major Professor
Advisor
Johnny S. Wong
Samik Basu
Department
Computer Science
Abstract

In recent years, cost-sensitive intrusion response has gained significant interest due to its emphasis on the balance between potential damage incurred by the intrusion and cost of the response. However, one of the challenges in applying this approach is defining a consistent and adaptable measurement framework to evaluate the expected benefit of a response. In this thesis we present a model and framework for the cost-sensitive assessment and selection of intrusion response. Specifically, we introduce a set of measurements that characterize the potential costs associated with the intrusion handling process, and propose an intrusion response evaluation method with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. The proposed framework has the important quality of abstracting the system security policy from the response selection mechanism, permitting policy adjustments to be made without changes to the model. We provide an implementation of the proposed solution as an IDS-independent plugin tool, and demonstrate its advantages over traditional static response systems and an existing dynamic response system.

Copyright
Thu Jan 01 00:00:00 UTC 2009