Historically, computer security efforts have focused on relatively simple prevention mechanisms, on detecting attacks that are not prevented, and on manual efforts to stop the attack and/or clean up afterwards. These procedures are ineffective when faced with fast-moving, programmed attacks, or when trying to get ahead of an attacker who uses a complex series of malicious procedures. In these cases, automated response procedures are required. Practitioners, however, are wary of automatic response because of the high false-positive rates generated by today's intrusion detection systems. If automated response systems were allowed to block detected attacks, many legitimate transactions would be accidentally blocked. Furthermore, an attacker could exploit the automated response to launch a denial-of-service attack. This project will investigate a new approach to automated response reasoning. The approach is based on a semantic model of the effects that both attacks and possible responses have on the system. Responses are planned with the goal of removing attacker capabilities without affecting the critical capabilities of the system. A successful response system will stop fast-moving programmed attacks automatically without hindering the normal operations of the protected system.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0313411
Program Officer: David Du
Project Start:
Project End:
Budget Start: 2003-08-01
Budget End: 2007-07-31
Support Year:
Fiscal Year: 2003
Total Cost: $456,000
Indirect Cost:
Name: University of California Davis
Department:
Type:
DUNS #:
City: Davis
State: CA
Country: United States
Zip Code: 95618