TY - JOUR
T1 - An intrusion response decision-making model based on hierarchical task network planning
AU - Mu, Chengpo
AU - Li, Yingjiu
PY - 2010/3/15
Y1 - 2010/3/15
N2 - An intrusion response decision-making model based on hierarchical task network (HTN) planning is presented in the paper. Compared with other response decision-making models, the response decision-making model consists not only of the response measure decision-making process but also of a response time decision-making process, which is first proposed in the paper. The response time decision-making model is able to determine the response time for different response HTN subtasks. Owing to the introduction of response time decision-making, the intrusion response system can apply different response strategies to achieve different response goals set by administrators. The proposed response measure decision-making model can optimize a response plan by balancing the response effectiveness and the response negative impact in both a single response measure and a set of response measures. The response decision-making model is self-adaptive and is able to tolerate false positive IDS alerts. The proposed model has been used in the intrusion detection alert management and intrusion response system (IDAM&IRS) developed by us. The functions and architecture of IDAM&IRS are introduced in this paper. In addition, the intrusion response experiments of IDAM&IRS are presented, and the features of the response decision-making model are summarized.
AB - An intrusion response decision-making model based on hierarchical task network (HTN) planning is presented in the paper. Compared with other response decision-making models, the response decision-making model consists not only of the response measure decision-making process but also of a response time decision-making process, which is first proposed in the paper. The response time decision-making model is able to determine the response time for different response HTN subtasks. Owing to the introduction of response time decision-making, the intrusion response system can apply different response strategies to achieve different response goals set by administrators. The proposed response measure decision-making model can optimize a response plan by balancing the response effectiveness and the response negative impact in both a single response measure and a set of response measures. The response decision-making model is self-adaptive and is able to tolerate false positive IDS alerts. The proposed model has been used in the intrusion detection alert management and intrusion response system (IDAM&IRS) developed by us. The functions and architecture of IDAM&IRS are introduced in this paper. In addition, the intrusion response experiments of IDAM&IRS are presented, and the features of the response decision-making model are summarized.
KW - Automated intrusion response system
KW - Hierarchical task network planning
KW - Intrusion detection
KW - Intrusion response decision-making
UR - http://www.scopus.com/inward/record.url?scp=70449517238&partnerID=8YFLogxK
U2 - 10.1016/j.eswa.2009.07.079
DO - 10.1016/j.eswa.2009.07.079
M3 - Article
AN - SCOPUS:70449517238
SN - 0957-4174
VL - 37
SP - 2465
EP - 2472
JO - Expert Systems with Applications
JF - Expert Systems with Applications
IS - 3
ER -