Research Projects

Cost-sensitive Intrusion Response

We developed a cost-sensitive model for intrusion response that incorporates preemptive deployment of response actions. Specifically, the technique compares the cost of deploying a response with the cost of the damage an unattended intrusion would cause, and preemptively deploys the response that incurs the least cost. It further adapts responses to a changing environment by evaluating the success or failure of previously triggered responses.
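A worked illustration of this cost comparison, as an added example and not the project's own code: the response names, their deployment costs, the damage estimate and the Laplace-smoothed success history are constructed assumptions. It picks the least-cost option among "leave unattended" and each candidate response, then re-evaluates once recorded failures have lowered a response's success rate.

```python
from dataclasses import dataclass

@dataclass
class Response:
    """A candidate response action and its observed track record."""
    name: str
    deploy_cost: float   # cost of deploying it (downtime, blocked traffic, ...)
    successes: int = 1   # Laplace-smoothed history: starts at 1/1, i.e. rate 0.5
    failures: int = 1

    def success_rate(self) -> float:
        return self.successes / (self.successes + self.failures)

    def expected_cost(self, expected_damage: float) -> float:
        # Deploying always costs deploy_cost; if the response fails, the damage happens anyway.
        return self.deploy_cost + (1.0 - self.success_rate()) * expected_damage

    def record_outcome(self, succeeded: bool) -> None:
        """Adaptation step: update the history after a triggered response is evaluated."""
        if succeeded:
            self.successes += 1
        else:
            self.failures += 1

def select_response(responses, damage_cost, intrusion_prob=1.0):
    """Return (name, cost) of the least-cost option; name is None when leaving the
    intrusion unattended is cheaper than any response. intrusion_prob < 1 models the
    preemptive case, where the intrusion is only predicted, not yet observed."""
    expected_damage = intrusion_prob * damage_cost
    best_name, best_cost = None, expected_damage
    for r in responses:
        cost = r.expected_cost(expected_damage)
        if cost < best_cost:
            best_name, best_cost = r.name, cost
    return best_name, best_cost

def demo():
    # Constructed sample: two responses, damage of an unattended intrusion put at 40 units.
    block_ip = Response("block_ip", deploy_cost=10.0)
    isolate_host = Response("isolate_host", deploy_cost=60.0)
    candidates = [block_ip, isolate_host]
    first = select_response(candidates, damage_cost=40.0)    # ("block_ip", 30.0)
    for _ in range(3):                                       # block_ip keeps failing
        block_ip.record_outcome(succeeded=False)
    second = select_response(candidates, damage_cost=40.0)   # (None, 40.0): now cheaper unattended
    return first, second

if __name__ == "__main__":
    print(demo())
```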


A Cost-Sensitive Model for Adaptive and Preemptive Intrusion Response.
Accepted to The International Conference on Advanced Information Networking and Applications, AINA 2007.
N. Stakhanova, S. Basu and J. Wong 

Taxonomy of Intrusion Response Systems.
International Journal of Information and Computer Security, Vol. 1, No. 1/2, pp. 169-184, 2007.
N. Stakhanova, S. Basu and J. Wong  [PDF]



Adaptive Intrusion Detection

We address the problem of adaptive intrusion detection by combining specification-based and anomaly-based approaches. Instead of manually developing all possible legal behavioral patterns of a system, we rely on machine-learning techniques to classify software behaviors, at runtime, as correct or incorrect. The results of classification are recorded as specifications and used for future reference. Therefore, already-seen patterns are classified immediately, while new patterns are processed by the machine-learning algorithm. We developed a new data structure, referred to as the extended action graph (Exact), that compactly and precisely records previously classified patterns.

Automated caching of behavioral patterns for efficient run-time monitoring.
IEEE International Symposium on Dependable, Autonomic and Secure Computing , DASC 2006.
N. Stakhanova, S. Basu, R. Lutz and J. Wong



Reputation-based trust management for P2P Networks using peer-profile based anomaly technique

This work aimed to develop a framework that provides secure, trustworthy communication among peers in a P2P network. The trust framework is based on two components:

  • a reputation-based component, which allows a peer to assess the reputation of another peer before deciding whether to accept traffic from it or send traffic to it. The approach is decentralized and does not require peer cooperation.

  • an anomaly-detection-based component, which enhances the reputation-based trust management.

Reputation-based techniques lack a global view of a peer's behavior, making decisions about reputation updates based on current actions only. This may cause these approaches to fail to accurately capture a peer's behavior. We instead consider a peer's current actions against its usual behavior (normal profile) using an anomaly detection technique.
In the reputation model setting, we apply anomaly detection to expose suspicious behavior that is unusual with respect to the established normal profile but is not necessarily intrusive. Such behavior is rather an indication of instability, and therefore unpredictability, of a peer. Translated into the reputation setting, a less reputable peer is less likely to behave in a predictable fashion and is consequently less trustworthy in communication.

A reputation-based trust management in peer-to-peer network systems.
2004 International Workshop on Security in Parallel and Distributed Systems, in Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, PDCS 2004.
N. Stakhanova, S. Ferrero, J. Wong and Y. Cai.
[PDF] [slides]

Trust Framework for P2P Networks using Peer-Profile based Anomaly Technique.
ICDCSW'05: The 2nd International Workshop on Security in Parallel and Distributed Systems, SDCS 2005.
N. Stakhanova, S. Basu, J. Wong and O. Stakhanov.
[PDF] [slides]