The Search for Efficiency in Automated Intrusion Response for Distributed Applications


Bibliographic details
Main authors: Wu, Yu-Sung; Modelo-Howard, Gaspar; Foo, Bingrui; Bagchi, Saurabh; Spafford, Eugene H.
Format: Conference paper
Language: eng
Description

Summary: Providing automated responses to security incidents in a distributed computing environment has been an important area of research. This is due to the inherent complexity of such systems that makes it difficult to eliminate all vulnerabilities before deployment and costly to rely on humans for responding to incidents in real time. Earlier work has investigated automated responses but failed to argue about the optimality of the response choices. Here we propose a new approach where the optimality of responses is considered from a global point of view, i.e., "What's the eventual outcome on the entire system due to a response?" We formalize the process of providing automated responses and the criterion for asserting global optimality of the set of deployed responses. We show that reaching the globally optimal solution is an NP-hard problem. Therefore we design a genetic algorithm framework for searching for good solutions. Our framework adapts itself to the changing environment based on history of attacks seen so far and effectiveness of responses. We demonstrate the solution on a distributed e-commerce application called PetStore with injection of real attacks and show that it improves the survivability of the system over the prior ADEPTS system.
ISSN: 1060-9857, 2575-8462
DOI: 10.1109/SRDS.2008.25