
    Automated Planning for Incident Response Based on CBR

    Ping Liu, Haifeng Yu, Qing Miao

    Beijing Institute of System and Engineering

    National Key Laboratory of Science and Technology on Information System Security, Beijing, China

    e-mail: [email protected]

    Abstract: Although new types of network security incidents continue to occur, most security incidents are similar and their response methods have much in common, so CBR (Case Based Reasoning) technology can be used to describe the successful experience of past incident responses. Rapidly developing a response strategy from past examples is the key to incident response. Automated planning methods can greatly improve the efficiency and quality of decision making. According to the characteristics of incident response, and combining the automated planning method with CBR and ontology technology, a novel approach to deriving incident response methods is presented.

    Keywords: CBR; network system; incident response; information security

    I. INTRODUCTION

    In the field of information security, similar security incidents have similar incident response methods, which prompts us to reuse our past experience of incident response. In order to store and share incident response methods in a structured representation, ontology and CBR technology are used as powerful tools.

    A typical CBR paradigm consists of two parts:

    Question: describes the state of the network system when the incident occurs.

    Solution: the method of solving the question, derived from past incidents.

    A CBR paradigm can be described in any form of AI knowledge representation, such as frames, objects, predicates and rules.

    Using ontology to solve problems of information security is an important research direction for the future. Currently, the application of ontology in the information security domain has focused on IDS [1-4].

    In order to integrate knowledge in heterogeneous CBR systems, the literature [5] presents an approach to semi-automatically construct an ontology-based CBR system. This system partially solves the problems of ontology-based CBR systems, such as nonstandard architecture, deficient reuse of knowledge in legacy CBR, and the difficulty of constructing the ontology. David [6] summarized conversational CBR as a means of providing more effective support for interactive problem solving and pointed out the challenges that remain to be addressed.

    The memory organization of the case base is studied in the literature. Using a concept hierarchy and a directed graph for the memory organization and structure is the idea of Perner [7], but the automated planning method is not addressed there.

    Automated planning is an important part of the AI domain. A plan is composed of actions organized in a structure such as a total or partial order sequence. Establishing an incident response method means identifying, according to the current abnormal state of the information network, a series of actions after which the information network will reach its normal state. So establishing an incident response method is an automated planning process.

    Graphplan is a new planning approach. It was presented mainly by Blum and has been adopted as the foundation of many current automated planning algorithms [8]. The main disadvantage of Graphplan is that encoding domain-specific control rules into the planning graph is not easy.

    The Graphplan algorithm has been successfully used in the domain of information security.

    Solving the state explosion of complex systems is the main aim of automated planning. Planning task decomposition is an important technique in the automated planning domain [9] and it can be used to express the incident response paradigm. A hierarchical state transition network is used to structure incident response paradigms of various granularities. As the number of expressed paradigms increases, a complex network containing trees and graphs will be created. Since the steps of different incident response paradigms may share common parts, the hierarchical network representation of paradigms can avoid redundancy in the case base.

    This paper is organized as follows: Section 2 discusses the principle of incident response using automated planning. Section 3 illustrates the approach of encoding the states and transformations of the network system. Section 4 gives two application examples. Finally, Section 5 presents the conclusion and future work.

    II. THE PRINCIPLE OF INCIDENT RESPONSE USING AUTOMATED PLANNING

    Incident response starts from the current state of the network and, using a series of commands and software tools, executes a series of actions that bring the network system to its normal state. So incident response is a process of transforming the network system state, and the incident response method can be decided by automated planning.

    A. The Network System Incident Response Method Model

    In the domain of deterministic automated planning, the execution of an action determines the state transformation of the system. According to the hierarchical structure of actions we obtain the hierarchical structure of system state transformations.

    978-1-4244-6943-7/10/$26.00 2010 IEEE

    [Figure 1 (tree diagram): the current state is decomposed into substate 1, substate 2, ..., substate m; substate 1 is further decomposed into substate 11, substate 12, ..., substate 1x. Action 1 leads to state 1, action 2 leads to state 2, ..., action k leads to the normal state; action 2 is decomposed into action 21, action 22, ..., action 2p, and action 21 into action 211, action 212, ..., action 21v.]

    Figure 1. The network system incident response method model.

    Using state and action decomposition [9] to complete the system modeling analysis, and according to the execution of the subactions, we can forecast the dynamic trends of the system.

    As shown in Fig. 1, the current state of the network system is decomposed as substate 1, substate 2, ..., substate m. This decomposition satisfies:

    $$current\_state = \bigcup_{i=1}^{m} substate_i$$

    Also substate 1 is decomposed as substate 11, substate 12, ..., substate 1x. The normal state of the network system can be decomposed in the same way. Action 2 is decomposed as action 21, action 22, ..., action 2p. This decomposition satisfies:

    $$action_2 = \bigcup_{i=1}^{p} action_{2i}$$

    Action 21 is decomposed as action 211, action 212, ..., action 21v. When we say that the current state can achieve the normal state, we mean that after executing a series of actions the network system reaches its normal state.

    In the network system incident response method model (Fig. 1) the decomposition of actions and states follows certain rules. First, an action in automated planning has preconditions, and the state is decomposed to correspond to the decomposition of the action. This means that if subaction_j has precondition precondition(subaction_j), there must be a substate_i that satisfies:

    $$precondition(subaction_j) \subseteq substate_i$$

    For any substate, if propositions p and q belong to it, then p and q satisfy the following constraint:

    $$\forall\, substate,\ \forall\, p, q \in substate : \neg\, \mathrm{mutex}(p, q)$$

    Here mutex is the mutual exclusion relation: two propositions of the same substate can never be mutually exclusive. The decomposition of actions in depth should continue until the atomic actions are obtained. Figure 2 shows a part of the action decomposition for responding to an IRC botnet.

    Figure 2. The decomposition of actions in responding IRC botnet

    We say that actions A={a} and B={b,c,d} are two sections, and B has three branches. A must be executed before B. Actions in B have no execution order. So the relation among the four actions is a partial order.

    B. The Transformation of State Sets

    In the hierarchical structure of the incident response method model shown in Fig. 1, suppose the current state is decomposed into the state set:

    cs = {substate 1, substate 2, ..., substate m}

    and cs is transformed to state 1 by action 1. Suppose state 1 is decomposed into the state set:

    s1 = {substate 1, substate 2, ..., substate n}

    and action 1 is decomposed into the action set:

    a1 = {action 11, action 12, ..., action 1q}

    This transformation is illustrated in Fig. 3.

    [Figure 3 (diagram): the substates of cs (substate 1, substate 2, ..., substate m) are mapped by the subaction set a1 onto the substates of state 1 (substate 1, substate 2, ..., substate n).]

    Figure 3. Transformation of substates in the network system.

    If there is a subaction in action set a1 that cannot complete its corresponding transformation from cs to state 1, we can deduce that the transformation from cs to the normal state cannot be completed.

    C. The Representation of Action

    To make the automated planning of the incident response method convenient to describe in PDDL, we define the structure of an action as follows:

        Struct action {
            Name;
            Precondition;
            Effect;
            Cost;                 // the action cost
            Struct action_time;   // time related to action execution
            Struct action_net;    // the graph of subactions
        }

        Struct action_time {
            StartTime;
            DurativeTime;         // how long the action lasts
            EndTime;
        }

        Struct action_net {       // a graph that has no cycle
            Nodes;                // actions
            Edges;                // action order relations
        }

    [Figure 2 (tree diagram, caption given in Section II.A): a: get basic information of the botnet; b: control the botnet; c: simulate the controller to completely control the botnet; d: cut off the connection.]

    III. ENCODING THE STATE AND TRANSFORMATION OF NETWORK SYSTEM

    A. Representation of Network System State

    First we encode all the states of the network system. Assuming that the state set S has k states, namely:

    $$S = \{\, s_i \mid i = 1, 2, 3, \ldots, k \,\}$$

    we can use strings of 0 and 1 to encode each state, and the string length is bounded by:

    $$l = \log_2 k$$

    This ensures a tolerable amount of space to store the state set.

    To facilitate the search and identification of states, we need to encode the various elements of Fig. 1, adding a prefix to the code word to express the different levels and types of elements, as shown in Table 1.

    TABLE I. THE CODE OF NETWORK SYSTEM STATE ELEMENTS

        Field           Code word
        Element type    00 = Action, 01 = State
        Level number    16-bit binary number giving the corresponding level number of the state or action

    B. Presenting the Relationships Among the State Elements of the Network System

    Having only the representation of the network system state elements is not enough to express the incident response process; we also need corresponding codes to describe the relationships among the various elements. These code words should be easy to recognize and short enough. The relations that need to be described are:

    (1) Relation among siblings, and relation between parent and child: the relationships among the subactions or substates generated in the decomposition process (shown in Table 2).

    TABLE II. RELATION AMONG THE NETWORK SYSTEM ELEMENTS

        Relation type   Code    Element type   Code
        Brotherhood     00      Action         01
        Paternity       10      State          11

    (2) Relation among precondition, action and effect: under certain conditions (the precondition), the execution of an action causes a state transformation (the effect). We use the encoding format of Table 3 to describe the relation among precondition, action and effect.

    TABLE III. NETWORK SYSTEM STATE TRANSITION CODE TABLE

        precondition   action   effect

    C. Encoding the Incident Response Method

    Having the definitions of the state code, action code and state transition code in the network system, a binary string composed of a series of state transition codes and action codes can be used to express an incident response method. The format for encoding an incident response method is shown in Table 4.

    TABLE IV. TABLE OF ENCODING INCIDENT RESPONSE METHOD

        Row   State code           Action code   Successor state code
        1     Initial state code   Action code   Successor state code
        2     State code           Action code   Successor state code
        ...
        n     State code           Action code   Normal state code

    D. Incident Response Planning Solution

    Establishing an incident response method is a process of path search from the current state to the normal state. If we find the path and record the actions on it, we obtain the concrete response method.

    Identifying the current state gives us the initial state in the state space. To obtain the incident response method, we must search for a path in the state space that reaches the normal state.

    In the hierarchical structure of the incident response method model shown in Figure 1, we define several operations as follows:

    Abstract: the movement from a lower level to a higher one, denoted up(), finding the parent node in the tree.

    Concrete: the movement from a higher level to a lower one, denoted down(), finding a child node in the tree.

    Forward: the movement to the next state on the same level, denoted forward().

    IV. TWO PRACTICAL EXAMPLES

    A. The Response Process of an IRC Botnet

    As shown in Fig. 4 we take four actions to process the IRC botnet.

    (1) Get the basic information of the botnet:
    (a) get the information about the control server;
    (b) get the information about the channel;
    (c) get the information about the command set supported by the botnet;
    (d) get the information about the coding rules of the controlling password and the host.

    (2) Control the botnet:
    (a) control server information, such as domain name or IP, port, and connection password (if it exists);
    (b) channel information and channel password (if it exists);
    (c) the control password, coding rules and the host;
    (d) the command set supported by the bot, such as authentication, upgrade and delete itself.

    [Figure 4 (diagram): current state: network connections increased enormously, host running slowly, connections from a local IP to the same port of many different IPs. Level-1 action 1 (get basic information of the botnet) is decomposed into 11 get control server information, 12 get channel information, 13 get commands supported by the bot, 14 get information on the controlling password, coding rules and hosts. Further second-level actions: 21 disconnect the network, 22 simulate control, 23 clear the bot from the host; the sequence ends in the normal state.]

    Figure 4. The decomposition of state and action in responding to an IRC botnet

    (3) Simulate the controller to completely control the botnet:
    (a) send the update command so that the bots download and run a dedicated removal tool; the control password can also be modified or the botnet updated, and thus the entire botnet is taken over. If the botnet verifies the downloaded program, this method is not effective.
    (b) Using the botnet's own delete-itself command to remove it is only worthwhile when the botnet is engaged in malicious activity. Otherwise, if the bot is simply deleted, the system with the vulnerability will be infected by other malicious code.

    (4) Cutting off the connection: by cutting off the connection between the host and the controlling server at the gateway or security devices, the host is taken out of botnet control.

    B. The Response Process of the DoS Occurring During SQL Slammer Worm Attacks

    If the intrusion detection system detects that the SQL Slammer worm is attacking the network, the decomposition of the response actions may be illustrated as in Fig. 5.
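The path search of Section III.D applied to the SQL Slammer case of Fig. 5, as an added example in Python that is not part of the paper: a state is a set of propositions, each level-1 action carries a precondition and an effect, code words follow Table I, and the search returns the Table IV rows or reports that the normal state is unreachable (Section II.B). The propositions, effects, the normal state and the 4-bit level field are assumptions; the action and subaction names are those of Fig. 5.

```python
from collections import deque

def code(kind, level, index):
    """Table I code word: 2-bit type prefix (00 action, 01 state), then the
    level number, then a 16-bit binary index.  A 4-bit level field is assumed."""
    return {"action": "00", "state": "01"}[kind] + format(level, "04b") + format(index, "016b")

# Constructed case for the Fig. 5 SQL Slammer response.  A state is a set of
# propositions.  Each level-1 action carries a precondition, an effect given as
# (propositions removed, propositions added) and its level-2 subactions, which
# are the unordered branches of Fig. 5.  Propositions and effects are assumptions.
ACTIONS = {
    "network isolation": ({"worm_spreading"}, ({"worm_spreading"}, {"net_isolated"}),
        ["access-list 110 deny udp any eq 1434"]),
    "host isolation": ({"net_isolated", "mssql_running"}, ({"mssql_running"}, {"host_isolated"}),
        ["shield the UDP 1434 port", "disable the MS SQL service", "disconnect the network"]),
    "security enhancements": ({"host_isolated", "mssql_unpatched"},
        ({"host_isolated", "mssql_unpatched", "net_isolated"}, {"patched", "mssql_running"}),
        ["disable the MS SQL service and reboot the system",
         "download and install the patches", "restart the MS SQL service"]),
}
LEVEL1 = list(ACTIONS)                            # Fig. 5 numbering: actions 1, 2, 3
NORMAL = frozenset({"patched", "mssql_running"})  # assumed normal state of the host

def forward(state, name):
    """Move to the next state on the same level.  None means the action cannot
    complete its transformation, so (Section II.B) the normal state is unreachable
    along this branch."""
    pre, (removed, added), _ = ACTIONS[name]
    return frozenset((state - removed) | added) if pre <= state else None

def down(name):
    """Concrete operation: the level-2 subactions of a level-1 action."""
    return ACTIONS[name][2]

def plan(current, normal=NORMAL):
    """Breadth-first path search from the current state to the normal state.
    Returns the Table IV rows (state code, action code, successor state code,
    action name), or None when no action sequence reaches the normal state."""
    start = frozenset(current)
    state_code = {start: code("state", 1, 1)}   # the initial state gets index 1
    queue = deque([(start, [])])
    while queue:
        state, rows = queue.popleft()
        if state == frozenset(normal):
            return rows
        for index, name in enumerate(LEVEL1, start=1):
            nxt = forward(state, name)
            if nxt is None or nxt in state_code:
                continue
            state_code[nxt] = code("state", 1, len(state_code) + 1)
            row = (state_code[state], code("action", 1, index), state_code[nxt], name)
            queue.append((nxt, rows + [row]))
    return None

if __name__ == "__main__":
    for row in plan({"worm_spreading", "mssql_running", "mssql_unpatched"}) or []:
        print(row)
```

Dropping "mssql_unpatched" from the current state makes the precondition of security enhancements fail, so plan() returns None: the case base has no path to the normal state for that situation.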

    V. USING THE TEMPLATE

    We have discussed the principle of incident response using automated planning and illustrated the approach of encoding the states and transformations of the network system. Then two application examples were presented.

    In the CBR paradigms there is a path between the two vertices denoting the initial state and the goal state in the plan graph. As the number of paradigms increases, the graph will have more and more paths, which mark the accumulation of experience in incident response.

    In this paper the incident response methods are also strategic. In the future we will refine the incident response methods according to the software environment and software tools.

    [Figure 5 (diagram): current state: SQL Slammer worm. Level-1 actions 1 network isolation, 2 host isolation and 3 security enhancements lead to the normal state. Decomposition: 1 network isolation: prevent the spread of worms (access-list 110 deny udp any eq 1434); 2 host isolation: shield the UDP 1434 port, disable the MS SQL service, disconnect the network; 3 security enhancements: disable the MS SQL service and reboot the system, download and install the patches, restart the MS SQL service.]

    Figure 5. Action decomposition of responding to the DoS occurring during the SQL Slammer worm attack

    REFERENCES

    [1] Peyman Kabiri and Ali A. Ghorbani, "Research on Intrusion Detection and Response: A Survey," International Journal of Network Security, Vol. 1, No. 2, pp. 84-102, Sep. 2005, http://isrc.nchu.edu.tw/ijns.

    [2] Huy Kang Kim, Kwang Hyuk Im, and Sang Chan Park, "DSS for computer security incident response applying CBR and collaborative response," Expert Systems with Applications 37 (2010), pp. 852-870.

    [3] Jeffrey Undercoffer, Anupam Joshi, and John Pinkston, "Modeling Computer Attacks: An Ontology for Intrusion Detection," Springer, LNCS 2820, pp. 113-135, 2003.

    [4] Shao-shin Hung and Shing-Min Liu, "A user-oriented ontology-based approach for network intrusion detection," Computer Standards & Interfaces 30 (2008), pp. 78-88, http://www.sciencedirect.com.

    [5] Junjie Gao and Guishi Deng, "Semi-automatic Construction of Ontology-based CBR System for Knowledge Integration," International Journal of Computer Systems Science and Engineering, 2008, pp. 297-303, http://www.waset.org.

    [6] David W. Aha, David McSherry and Qiang Yang, "Advances in conversational case-based reasoning," The Knowledge Engineering Review, Vol. 20:3, pp. 247-254, 2006, Cambridge University Press.

    [7] Petra Perner, "Case-Based Reasoning and the Statistical Challenges," 2008, pp. 430-443, http://www.ibai-institut.de.

    [8] Alfonso E. Gerevini, Alessandro Saetti and Ivan Serina, "Temporal Planning with Problems Requiring Concurrency through Action Graphs and Local Search," in Proc. of ICAPS-2010, pp. 226-229.

    [9] Bibai J., Saveant P., Schoenauer M., and Vidal V., "An Evolutionary Metaheuristic Based on State Decomposition for Domain-Independent Satisficing Planning," 2010, http://www.aaai.org.