CERIAS Tech Report 2003-32 ADEPTS: ADAPTIVE INTRUSION CONTAINMENT AND RESPONSE USING ATTACK GRAPHS IN AN E-COMMERCE ENVIRONMENT

Distributed e-commerce systems are suitable targets for malicious attacks because of the potential financial impact. Intrusion detection in such systems has been an active area of research. Once an intrusion is detected, it is important to contain the effect of the intrusion to some parts of the system while allowing the other parts to continue to provide service. It is also important to take preventive or reactive response to reduce the likelihood of the system being compromised through a future attack. In this paper, we present the design and implementation of an Adaptive Intrusion Tolerant System, ADEPTS, for automatically containing and responding to intrusions in a distributed e-commerce system. We use a directed acyclic graph (DAG) of intrusion goals as the underlying representation in the system. In an I-DAG, the nodes are sub-goals of an attack and to reach a particular node, goals corresponding to its child nodes have to be achieved first. We assume an intrusion detection framework which provides alerts to ADEPTS. In response, a parallel algorithm is executed to compute the likelihood that one or more goals in the DAG have been achieved. Next, a response measure computation algorithm is executed to determine the appropriate response action. There is also a feedback mechanism which estimates the success or failure of a deployed response and uses that in adjusting the system weights to guide future choices. ADEPTS is implemented on a distributed e-commerce system that comprises services including, web server, application server, database server, directory server. Alerts are simulated corresponding to different attack types, the algorithms executed and response actions deployed. The experiments bring out the latency of the infrastructure, and the effectiveness in dealing with failed responses through escalation compared to statically mapped Intrusion Response Systems (IRS).