A response selection model for intrusion response systems: Response Strategy Model (RSM)

Intrusion response systems aim to provide a systematic procedure to respond to incidents. However, with different type of response options, an automatic response system is designed to select appropriate response options automatically in order to act fast to respond to only true and critical incidents as well as minimise their impact. In addition, incidents also can be prioritised into different level of priority where some incidents may cause a serious impact (i.e. high priority) and other may not (i.e. low priority). The existing strategies inherit some limitation such as using complex approaches and less efficient in mapping appropriate response based upon incidents’ priority. Therefore, this study introduces a model called response strategy model to address the aforementioned limitation. In order to validate, it was evaluated using two datasets: DARPA 2000 and private dataset. The case study results have shown a significant relationship between the incident classification and incident priorities where false incidents are likely to be categorised as low priority and true incidents are likely to be categorised as the high priority. In particular, with response strategy model, an average of 92.68% of the false incidents was prioritised as the lowest priority is better compared with only 67.07% with Snort priority. Copyright © 2013 John Wiley & Sons, Ltd.