Abstract
This paper briefly introduces automated intrusion response systems and their significance. Intrusion response decision-making is one of the critical techniques of automated intrusion response systems. A hierarchical architecture for intrusion response decision-making problems is presented. The roles of response goals and response strategies in the intrusion response decision-making process are discussed, and related work is introduced. Intrusion response decision-making factors are used in decision-making models and directly influence the results of those models. The decision-making factors in the latest existing intrusion decision-making mechanisms are reviewed, and it is pointed out that some of these factors are not properly used in a few existing decision-making models. To help choose proper factors for an intrusion response decision-making model, a taxonomy of response decision-making factors is given. The existing models of intrusion response measure decision-making are presented, and their features and problems are discussed in detail. The concept and idea of intrusion response time decision-making are proposed, and a few intrusion response time decision-making models are introduced. The architecture, response time decision-making model, response measure decision-making model and experiments of the intrusion detection alert management and intrusion response system (IDAM and IRS) developed by the authors are shown, and its features are described. Finally, the development trends of response decision-making are summarized.
| Original language | English |
|---|---|
| Pages (from-to) | 1290-1298 |
| Number of pages | 9 |
| Journal | Jisuanji Yanjiu yu Fazhan/Computer Research and Development |
| Volume | 45 |
| Issue number | 8 |
| Publication status | Published - Aug 2008 |
Keywords
- Alert processing
- Automated intrusion response system
- Intrusion detection
- Intrusion response decision-making
- Network security