Master of Science
Over the past decades, cyber attacks have grown in frequency as well as in sophistication.
Often, they elude the counter-measures that are in place because the expert manpower needed
to manually deploy the correct responses and to maintain systems that are being compromised is inadequate.
We present a decision support framework to aid in timely deployment and maintenance
of effective responses when intrusive or malicious behavior is detected.
The support framework has two specific objectives: to identify the best set of responses given
the knowledge of the attack and the system being protected; and to identify the minimal set of
responses that must be deployed. While appropriateness of responses is of utmost importance
to safeguard systems from attacks, minimality in the number of responses, an important factor
from the deployment and maintainability perspective, has often been discarded. Our framework
leverages the National Vulnerability Database (NVD) as a source of information about the attacks, relies
on pre-specified expert knowledge about the responses that can adequately stop an attack,
and takes into consideration the impact of both the attack and the responses on the system being
protected, expressed in terms of the well-studied CIA (Confidentiality, Integrity and Availability) vector.
We utilize a Trade-off Enhanced Conditional Preference Network (TCP-net) to qualitatively
represent and reason about the expert's CIA priorities, and we model the problem of identifying
a minimal set of the most effective responses as a search problem. The choice of TCP-net stems
from the fact that the CIA priorities are typically qualitative in nature and it has been proven
that quantification of priorities that are inherently qualitative can result in incorrect and often
unexplainable results due to seemingly small perturbations in quantitative measures. Our TCP-net
based computation can generate a provably optimal solution, where optimality corresponds
to minimality of selected responses. While optimality is an important factor, the necessity
for computing the solution efficiently cannot be overstated, particularly in the context where
timeliness in response deployment is equally important. We investigate and evaluate several
heuristics with the goal of searching only part of the potentially large solution space to compute
a solution that is "close" to the optimal solution. We discuss the relative advantages and
disadvantages of each heuristic, and present a specific one that is efficient in computing the
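The following is an added illustration of the search problem described in this abstract; it is not code from the thesis. It reduces the TCP-net to a fixed lexicographic order over the CIA dimensions (a real TCP-net also expresses conditional priorities and trade-offs), treats the collateral impact of a set of responses as the worst qualitative level per dimension, and uses a constructed set of detected attacks and candidate responses in place of NVD data and an expert knowledge base. It contrasts the exhaustive, provably optimal search with a greedy heuristic that finds a covering set of the same size but with a less preferred CIA impact.

```python
from itertools import combinations

# Constructed sample data for illustration (not taken from the thesis or the NVD).
# Qualitative impact levels, ordered none < low < high.
LEVEL = {"none": 0, "low": 1, "high": 2}

# Attacks detected on the protected system (in the framework, the NVD supplies
# their CIA impact vectors; here only the identities matter).
ATTACKS = {"sqli", "xss", "dos", "brute"}

# Expert knowledge base (constructed): for each candidate response, which attacks
# it stops and the collateral CIA impact that deploying it has on the system.
RESPONSES = {
    "block_ip":     {"stops": {"sqli", "dos", "brute"}, "impact": {"C": "none", "I": "none", "A": "high"}},
    "waf_rule":     {"stops": {"sqli", "xss"},          "impact": {"C": "none", "I": "none", "A": "low"}},
    "rate_limit":   {"stops": {"dos", "brute"},         "impact": {"C": "none", "I": "none", "A": "low"}},
    "disable_form": {"stops": {"xss"},                  "impact": {"C": "none", "I": "low",  "A": "low"}},
}

# The expert's qualitative CIA priority for this system: availability first,
# then integrity, then confidentiality. This fixed order stands in for a TCP-net.
PRIORITY = ("A", "I", "C")


def aggregate_impact(selected, responses=RESPONSES):
    """Collateral impact of deploying a set of responses: worst level per dimension."""
    return {d: max((LEVEL[responses[r]["impact"][d]] for r in selected), default=0)
            for d in "CIA"}


def preference_key(selected, priority=PRIORITY, responses=RESPONSES):
    """Sort key: fewer responses first, then least collateral impact in priority order."""
    agg = aggregate_impact(selected, responses)
    return (len(selected),) + tuple(agg[d] for d in priority)


def covers(selected, attacks=ATTACKS, responses=RESPONSES):
    """True if every detected attack is stopped by at least one selected response."""
    stopped = set().union(*(responses[r]["stops"] for r in selected)) if selected else set()
    return set(attacks) <= stopped


def exact_minimal_set(attacks=ATTACKS, responses=RESPONSES, priority=PRIORITY):
    """Exhaustive search over response subsets of increasing size: provably optimal
    (smallest covering set, most preferred CIA impact among those), but exponential
    in the number of candidate responses."""
    names = sorted(responses)
    for size in range(1, len(names) + 1):
        covering = [frozenset(c) for c in combinations(names, size)
                    if covers(c, attacks, responses)]
        if covering:
            return min(covering, key=lambda s: preference_key(s, priority, responses))
    return None  # some attack has no known response


def greedy_set(attacks=ATTACKS, responses=RESPONSES, priority=PRIORITY):
    """Heuristic: repeatedly pick the response stopping the most still-uncovered
    attacks, breaking ties by the expert's CIA preference. Fast, but without an
    optimality guarantee."""
    uncovered = set(attacks)
    chosen = set()
    while uncovered:
        best = max(responses, key=lambda r: (
            len(responses[r]["stops"] & uncovered),
            tuple(-LEVEL[responses[r]["impact"][d]] for d in priority)))
        if not responses[best]["stops"] & uncovered:
            return None  # no response stops the remaining attacks
        chosen.add(best)
        uncovered -= responses[best]["stops"]
    return frozenset(chosen)


if __name__ == "__main__":
    for label, result in (("exact", exact_minimal_set()), ("greedy", greedy_set())):
        print(label, sorted(result), aggregate_impact(result))
```

On the constructed data the greedy heuristic first grabs `block_ip` because it stops three attacks, and ends with a two-response set whose availability impact is high; the exhaustive search finds another two-response set (`waf_rule` plus `rate_limit`) that covers the same attacks with only low availability impact, which is what the expert's priority order prefers. The heuristic is "close" in the sense the abstract uses (same number of responses) while missing the optimal CIA trade-off.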
Gunasekharan, Maheedhar, "A Framework for Selecting the Minimal Set of Preferred Responses to Counter Detected Intrusions" (2016). Graduate Theses and Dissertations. 15311.