Informing the decision process in an automated intrusion response system
Papadaki M, Furnell SM
Information Security Technical Report, vol. 10, no. 3, pp. 150-161, 2005
The increasing volume and speed of network attacks point towards the need for automated solutions that can assist the response to detected intrusions. However, a significant question surrounds the reliability that could be achieved by an automated response system. This paper contends that suitable automated decisions can be made if the Responder is able to establish the context of an attack rather than just the occurrence of a suspected incident. The related decision criteria include the number of affected systems, the urgency to respond, and the confidence of the detection system. This paper considers the information that an automated response system would need to acquire from a variety of sources in order to inform response decisions. The discussion is presented in the context of the Flexible Automated Intelligent Responder architecture (which has been developed as part of the authors' wider research), and suggests that while the requirements are non-trivial, suitable information can be obtained and utilised to support automated response decisions.