Operational Characteristics of an Automated Intrusion Response System

  • Maria Papadaki
  • Steven Furnell
  • Benn Lines
  • Paul Reynolds
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2828)


Continuing organisational dependence upon computing and networked systems, in conjunction with the mounting problems of security breaches and attacks, has served to make intrusion detection systems an increasingly common, and even essential, security countermeasure. However, whereas detection technologies have received extensive research focus for over fifteen years, the issue of intrusion response has received relatively little attention – particularly in the context of automated and active response systems. This paper considers the importance of intrusion response, and discusses the operational characteristics required of a flexible, automated responder agent within an intrusion monitoring architecture. This discussion is supported by details of a prototype implementation, based on the architecture described, which demonstrates how response policies and alerts can be managed in a practical context.


Intrusion Detection Intrusion Detection System Response Policy System Administrator Automate Response 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    CERT Coordination Center: Security of the Internet. The Froehlich/Kent Encyclopedia of Telecommunications, vol. 15, pp. 231–255. Marcel Dekker, New York (1997)Google Scholar
  2. 2.
    Richardson, R.: 2003 CSI/FBI Computer Crime and Security Survey (2003),
  3. 3.
    Power, R.: 2002 CSI/FBI Computer Crime and Security Survey. Computer Security Issues and Trends VIII(1), 10–11, 20–21 (2002)Google Scholar
  4. 4.
    Denning, D.E.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering  SE-13(2), 222–232 (1987)Google Scholar
  5. 5.
    Allen, J., Christie, A., et al.: State of the Practice of Intrusion Detection Technologies, Technical Report CMU/SEI-99-TR-028, Carnegie Mellon University (2000),
  6. 6.
    Mukherjee, B., Heberlein, L.T., Levitt, K.N.: Network Intrusion Detection. IEEE Networks 8(3), 26–41 (1994)CrossRefGoogle Scholar
  7. 7.
    Schneier, B.: Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)Google Scholar
  8. 8.
    Amoroso, E.: Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, Second Printing, Intrusion. Net Books, New Jersey (1999)Google Scholar
  9. 9.
    Bace, R., Mell, P.: NIST Special Publication on Intrusion Detection Systems. National Institute of Standards and Technology (NIST) (2001),
  10. 10.
    Newman, D., Snyder, J., Thayer, R.: Crying Wolf: False Alarms hide attacks. Network World Fusion Magazine (2002),
  11. 11.
    Cohen, F.B.: Simulating Cyber Attacks, Defences, and Consequences. The Infosec Technical Baseline studies (1999),
  12. 12.
    Lee, S.Y.J.: Methods of response to IT system intrusions, MSc thesis, University of Plymouth, Plymouth (2001)Google Scholar
  13. 13.
    Cheung, S., Levitt, K.N.: Protecting Routing Infrastructures from Denial of Service Using Cooperative Intrusion Detection. In: Proceedings of the New Security Paradigms Workshop, Langdale,Cumbria UK (1997),
  14. 14.
    Furnell, S.M., Dowland, P.S.: A conceptual architecture for real-time intrusion monitoring. Information Management & Computer Security 8(2), 65–74 (2000)CrossRefGoogle Scholar
  15. 15.
    Papadaki, M., Furnell, S.M., Lines, B.M., Reynolds, P.L.: A Response-Oriented Taxonomy of IT System Intrusions. In: Proceedings of Euromedia 2002, pp. 87–95. Modena, Italy (2002)Google Scholar
  16. 16.
    Papadaki, M., Furnell, S.M., Lee, S.J., Lines, B.M., Reynolds, P.L.: Enhancing response in intrusion detection systems. Journal of Information Warfare 2(1), 90–102 (2002)Google Scholar
  17. 17.
    Dowland, P., Furnell, S., Papadaki, M.: Keystroke Analysis as a Method of Advanced User Authentication and Response. In: Proceedings of IFIP/SEC 2002 - 17th International Conference on Information Security, Cairo, Egypt, pp. 215–226 (2002)Google Scholar
  18. 18.
    Irakleous, I., Furnell, S., Dowland, P., Papadaki, M.: An experimental comparison of secret-based user authentication technologies. Journal of Information Management & Computer Security 10(3), 100–108 (2002)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2003

Authors and Affiliations

  • Maria Papadaki
    • 1
  • Steven Furnell
    • 1
  • Benn Lines
    • 1
  • Paul Reynolds
    • 2
  1. 1.Network Research GroupUniversity of PlymouthDrake Circus, PlymouthUnited Kingdom
  2. 2.Orange Personal Communications Services LtdBradley Stoke, BristolUnited Kingdom

Personalised recommendations