Selection of countermeasures against network attacks based on dynamical calculation of security metrics

Abstract

This paper considers the issue of countermeasure selection for ongoing computer network attacks. We outline several challenges that should be overcome for the efficient response: the uncertainty of an attacker behavior, the complexity of interconnections between the resources of the modern distributed systems, the huge set of security data, time limitations, and balancing between countermeasure costs and attack losses. Although there are many works that are focused on the particular challenges, we suppose that there is still a need for an integrated solution that takes into account all of these issues. We suggest a model-driven approach to the security assessment and countermeasure selection in the computer networks that takes into account characteristics of different objects of assessment. The approach is based on integration with security information and event management systems to consider the dynamics of attack development, taking into account security event processing. Open standards and databases are used to automate security data processing. The suggested technique for countermeasure selection is based on the countermeasure model that was defined on the basis of open standards, the family of interrelated security metrics, and the security analysis technique based on attack graphs and service dependencies. We describe the prototype of the developed system and validate it on several case studies.