Framework for Fuzzy Rule Based Automatic Intrusion Response Selection System (FRAIRSS) using Fuzzy Analytic Hierarchy Process and Fuzzy TOPSIS

Abstract

Intrusion Detection System (IDS) detects the intrusions and produces alerts. Automated Intrusion Response System (AIRS) selects and triggers the appropriate response based on some criteria to mitigate the intrusion without delay. The big challenges in the automated response selection process are a precise measurement of importance weight for each criterion and response prioritization for the specific category of attacks. Analytic hierarchy process (AHP) uses the pair-wise comparison of each criterion and does not require the accurate quantification but is unable to handle the vagueness or uncertainty in the importance judgment. This paper presents the framework called Fuzzy Rule-Based Automatic Intrusion Response Selection System (FRAIRSS) for automated response selection. Fuzzy AHP model has been created in order to deal with precise measurement and uncertainty in the importance judgment of each criterion. Fuzzy TOPSIS (Technique for Order of Preference by Similarity to Ideal Solution) multi-criteria decision making (MCDM) approach has been applied in order to resolve the response prioritization. Fuzzy Rule-based inference system is modeled to select the appropriate response from the prioritized response sets for each category of attacks. The framework has been simulated in MATLAB with various attack scenarios and it is found that FRAIRSS is selecting most appropriate response under the given attack scenarios.

Keywords

Intrusion response system Fuzzy AHP Fuzzy Rule-Based inference system response prioritization importance weight of response selection criteria

1 Introduction

The dependence on the network and internet services are increasing very fast and so the threat of intrusion. According to PWC Global State of Information Security Survey-2016 [1], the intrusion incidents have increased by 38% compared to the previous year. The constant increasing incidents required a powerful defense mechanism in order to overcome the organization loss.

There are the tools available for monitoring the intrusion on the system called IDS that generates the alerts in case an intrusion is detected. It becomes very tedious for the network administrator to respond each alert without any delay, exclusively when the generated alerts are very large in numbers. So an AIRS is required to handle a large number of alerts and respond appropriately based on the response selection criteria, without much delay [2]. The goal of an AIRS is to select automatically the correct response to the alerts to mitigate the attack with less penalty cost [2].

Various frameworks and models have been proposed for the AIRS, which considered various response selection criteria. In this paper, four response selection criteria are identified and selected that are most frequently used by the various researchers of the domain.

One of the big obstacles is how to assign the accurate quantitative importance weight for each criterion in order to select an appropriate response. Under the literature survey, it is found that most of the AIRS models manually assigned the weight to each criterion without any further analysis. There should be some well-defined methods to overcome this problem.

Fuzzy AHP uses the linguistic terms for the pairwise comparison of each criterion by the multiple security expert participants and avoiding the need for accurate quantification as well as accommodating the level of decision maker’s uncertainty. Apart from this Fuzzy AHP (FAHP) also provides the method to analyze and ensure the consistency ratio and acceptance level of the pair-wise comparison from the domain experts. This paper presents the methods for measurement of the importance of each response selection criterion based on the Fuzzy AHP and also analyzes the consistency acceptance level of the assigned weight.

Another challenge under AIRS is the response prioritization based on the attack type. In order to deal with this problem, multi-criteria decision making (MCDM) approach has been used to model the problem. Although there are various MCDM methods are available such as AHP, SAW, and TOPSIS. In this paper, Fuzzy TOPSIS technique has been applied because of its capability of supporting the uncertainty due to fuzziness and its decision process considering the positive as well as negative ideal solutions in order to produce the final decision of prioritization [19, 20].

The major contribution of this work is to design the framework FRAIRSS comprising mainly three components: importance weight evaluation, response set prioritization and appropriate response selection.

The whole paper is organized as follows: Section II presents the related works. Section III presents the proposed framework. Section IV describes the response selection criteria. Section V presents the proposed method of Fuzzy AHP based measurement of the importance weight for each response selection criterion. Section VI describes the FRAIRSS Response set prioritization using Fuzzy TOPSIS. Section VII describes the FRAIRSS Fuzzy Inference Model. Section VIII presents the discussion over results and section IX gives the conclusion.

2 Related work

2.1 Intrusion response system

Aderonke Justina et al. [4], have presented the COSIRS (Cost-Sensitive Intrusion Response System) response cost assessment model by considering the three criteria: damage cost caused by the intrusion, response cost, and the operational cost [3]. This approach suffers from multiple limitations. First, they did not consider attack type. Response selection without considering the attack types may lead to inaccurate selection of response. For example, shutdown response might be best suited in the case of U2R (User to Root) attack but it may not be the best solution under the DOS (Denial of Service) attack if availability is in the highest priority of organization’s security policy. Secondly, criteria weights are assigned manually & response prioritization has not been evaluated.

Yu Sun et al. [5], proposed an Aggregation and Cost Based Automatic Intrusion Response System (ACAIRS) model. This approach is having the limitations of not considering the attack type and criteria weight.

Bingrui Foo et al. [6], presented an automated intrusion response mechanism called ADEPTS, based on the intrusion graph called I-GRAPH. Although this approach considered the attack types but there is no evaluation in terms of confidentiality, integrity, availability and criteria weight assignment.

Zheng Wu et al. [7], presented the response decision model based on a three layer Analytic Hierarchy Process (AHP). This approach considered the attack types as well as automated criteria weight assignment but not considered the security goals under the evaluation process and criteria weight assignment does not deal with the decision maker’s uncertainty or vagueness.

Chengpo Mu et al. [8, 9], have presented Intrusion Detection Alert Management and Intrusion Response System (IDAM&IRS) with the list of response factors such as attack related factors, response related factors and target related factors. This approach does not show any evaluation in terms of the criteria weight & response prioritization.

Wang Zeng-quan et al. [10], analyzed the various elements that are important for designing the adaptive response system. They presented the alarm matrix and analyzed the various criteria involved in the designing of IRS such as: analysis of IDS properties like attack & alarm frequency; analyzed the quality of IDS with five aspects: Detection preciseness frequency, failing frequency, distorting frequency, alarm reliability and IDS efficiency. Under the analysis process, criteria weight & security goals are not considered.

Alireza Shameli-Sendi et al. [16] have presented ORCEF (Online response cost evaluation framework) framework for cost-sensitive IRS. They have considered the various response selection criteria such as Positive confidentiality, positive integrity, negative network users etc. MCDM based model has been created using the SAW techniques for response prioritization. This approach suffers from multiple limitations. Firstly, no method is mentioned related to the criteria weight evaluation. Secondly, for response prioritization SAW (Simple Additive Weighting) MCDM technique is used. Although SAW calculation is very simple but the result obtained may not be logical [19].

2.2 Multi-criteria decision making (MCDM)

MCDM setting the priority to alternatives based on criteria determined by the experts. Widely used MCDM methods are AHP, SAW, ELECTRE, and TOPSIS. Simple Additive Weighting (SAW) calculation is very simple but estimates revealed do not always reflect the real situation; result obtained may not be logical [19], whereas Technique for Order Preferences by Similarity to Ideal Solutions (TOPSIS) has a simple process with easy to use and program characteristics. The number of steps remains the same regardless of the number of attributes [19, 20]. Since our goal is to produce the practical framework that can be easily implemented without having any dilemma of being diverted from the real and logical situations, the TOPSIS MCDM has been chosen as it best fit into the required goal of the framework. In order to deal with the expert’s opinion, in place of quantitative, qualitative measurement has been used in terms of the linguistic variables. To handle the uncertainty of the expert’s opinion measured in terms of linguistic variables, Fuzzy TOPSIS mechanisms has been chosen for modeling the proposed framework.

2.3 Contribution

Majority of the models uses a set of criteria, but only a few models consider the evaluation of the criteria weight automatically. Zheng Wu et al. [7] has proposed AHP based model for assigning the appropriate weight for each criterion which manages the accurate quantitative weight assignment but it cannot be able to deal with uncertainty of the decision makers [3]. In this paper, Fuzzy AHP has been applied for importance weight calculation of each criterion with the capability to deal with the uncertainty of the decision makers. This work is close to Alireza Shameli-Sendi et al. [16], but they used manual and static weight assignment to each criterion and did not present the technique for automated importance weight assignment. Their framework being very complex. The SAW technique used is very simple MCDM mechanism in itself but does not consider the Ideal situation in order to decide the prioritization and Estimates revealed do not always reflect the real situation; hence result obtained may not be logical [19]. As in most of the proposed frameworks of AIRS, it is found a need for the decision maker precise importance weights for each criterion assigned manually, that may comprise uncertainty, which may lead to inappropriate results. To overcome this problem, this work uses the hybrid approach for more consistent evaluation and prioritization of the intrusion response based on the criteria. Because of varied importance weight of the selected criteria, fuzzy AHP is able to handle the uncertainty and used to calculate the relative importance weight of each criterion. Afterward, by utilizing obtained importance weight of each criterion as an input to the fuzzy TOPSIS algorithms, the set of intrusion response alternatives are prioritized. The main contributions of the paper are to:

Design fuzzy AHP based automated importance weight assignment to each response selection criterion which not only deals with accurate quantitative weight assignment but also handles the decision maker’s vagueness or uncertainty.

Design fuzzy TOPSIS MCDM based response prioritization for each response set under the classified attack type.

Design fuzzy rule-based inference system for selecting the appropriate response from the prioritized response set for each attack type. Thereby designed inference system produces the selected response as an output based on the input called attack confidence level and target resource value.

3 Proposed framework

3.1 FRAIRSS architecture

IDS generates the alerts, which are categorized into four main attack types i.e. U2R (user to root attack), R2L (root to local attack), DOS (Denial of Service attack) and Probe attacks. Response pool has been created and categorized into the three response set based on the domain expert opinion and the literature survey i.e. U2R & R2L Response set, DOS response set and Probe response set. The architecture of the proposed framework FRAIRSS is presented in the Fig. 1.

Fig.1

FRAIRSS Architecture.

3.2 FRAIRSS execution stages

Step 1: Identify Response Pool.

Step 2: Classify the response pool into the response set based on the attack type on which they can be applied as shown in Table 1 with the following objectives:

In case of the U2R and R2L type of attack, since the system might be under the control of attacker, aim of selected response should be to increase the Confidentiality and Integrity of the system.

In case of DOS attack, since an attacker may slow down the system, here the primary objective should be to increase the Availability of the system.

In BROBE attack, the basic motto should be to increase the availability and confidentiality of the system.

Because response set for U2R and R2L attack types are having the same objective, so they grouped together. Table 1 representing the selected response set based on the mentioned attack types [7 , 17].

Table 1
Response Set Based on Attack Types

S No Attack Type Response Alternatives

1 PROBE No Response (NR)

2 Block Attackers Source IP Address (BSIP)

3 Close Destination Port (CDP)

4 U2R and R2L Shutdown Host (SH)

5 Kill Process (KP)

6 Disable User(DU)

7 DOS Shutdown Host (SH)

8 Reboot Host (RH)

9 Restart Process (RP)

10 Reset Connection (RST)

S No	Attack Type	Response Alternatives
1	PROBE	No Response (NR)
2		Block Attackers Source IP Address (BSIP)
3		Close Destination Port (CDP)
4	U2R and R2L	Shutdown Host (SH)
5		Kill Process (KP)
6		Disable User(DU)
7	DOS	Shutdown Host (SH)
8		Reboot Host (RH)
9		Restart Process (RP)
10		Reset Connection (RST)

Step 3: Classify the attack pool generated by IDS into four categories: U2R, R2L, DOS and PROBE attack.

Step 4: Identify the set of response selection criteria. Here, four criteria are identified: Confidentiality (C), Integrity (I), Availability (A) and Response Cost (RC).

Step 5: Specify the organization’s security policy in terms of CIA and response cost.

Step 6: Evaluate the weight of each criterion using fuzzy AHP considering the response selection.

Step 7: Evaluation of the response priority for each response set. Fuzzy TOPSIS has been used to set the priority of each response within the response set.

Step 8: Identifying the Target Value (TV) by expert opinion using linguistic variables such as low, medium, high etc.

Step 9: Identifying the attack confidence level (ACL). ACL can be inferred from the IDS and be represented in the form of linguistic variables.

Step 10: Designing the Fuzzy Rule-Based Inference Engine for each prioritized response set. It will take Target Value and attack confidence level as input and produce an optimal response that can be applied to the detected attack.

4 Response selection criteria

All the mentioned AIRS models possess their own set of response selection criteria and they do not show any uniformity. Four response selection criteria are identified that have been considered by the most of the AIRS models [7 , 17]. Identified response selection criteria are:

1. Confidentiality (C): data must not be revealed to an unauthorized user.

2. Integrity (I): ensure the accuracy of data.

3. Availability (A): ensure the availability of resource or data to authorized user.

4. Response Cost (RC): Cost occurs in the system due to applied selected response and can figure out by the cost of various resources and services running in the targeted systems with the help of expert opinion using linguistic variables.

5 FAHP based measurement of importance weight for each criterion

Although AHP [11] avoids the accurate quantitative measurement of the importance weight of each criterion but cannot handle the uncertainty in the importance judgment. To handle this uncertainty we need the fuzzy set with AHP called FAHP. Here the triangular fuzzy numbers (TFNs) are used for representing the fuzzy relative importance of each criterion.

5.1 Triangular Fuzzy Number (TFNs)

TFN is represented by (l, m, u) with the membership function defined as [12, 13]: $μ_{A} (x) = {\begin{matrix} \frac{x - l}{m - l} & if l \leq x \leq m \\ \frac{x - u}{m - u} & if m \leq x \leq u \\ 0 & otherwise \end{matrix}$ (1) Decision makers will use linguistic terms to compare the criteria as shown in Table 2 [14].

Table 2

Linguistic terms and equivalent TFNs

Saaty scale	Definition (Linguistic term)	Fuzzy triangular scale
1	Equally important	(1, 1, 1)
3	Weakly important	(2, 3, 4)
5	Fairly important	(4, 5, 6)
7	Strongly important	(6, 7, 8)
9	Absolutely important	(9, 9, 9)
7	The intermittent values between two adjacent scales	(1, 2, 3)
8		(3, 4, 5)
9		(5, 6, 7)
10		(7, 8, 9)

5.2 Fuzzy AHP based evaluation of importance weight for each criterion

Steps for measurement of the importance weight of each criterion:

Step 1: Based on the linguistic terms and TFNs (as mentioned in Table 2) decision makers will compare each of the four selected criterion in order to create a pair-wise comparison matrix for the criteria as shown in Table 3.

Table 3
Comparison matrix (Based on the organization’s needs)

Criteria C I A RC

C (1, 1, 1) $(\frac{1}{6}, \frac{1}{5}, \frac{1}{4})$ (5, 6, 7) (4, 5, 6)

I (4, 5, 6) (1, 1, 1) (7, 8, 9) (7, 8, 9)

A $(\frac{1}{7}, \frac{1}{6}, \frac{1}{5})$ $(\frac{1}{9}, \frac{1}{8}, \frac{1}{7})$ (1, 1, 1) (1, 1, 1)

RC $(\frac{1}{6}, \frac{1}{5}, \frac{1}{4})$ $(\frac{1}{9}, \frac{1}{8}, \frac{1}{7})$ (1, 1, 1) (1, 1, 1)

Criteria	C	I	A	RC
C	(1, 1, 1)	$(\frac{1}{6}, \frac{1}{5}, \frac{1}{4})$	(5, 6, 7)	(4, 5, 6)
I	(4, 5, 6)	(1, 1, 1)	(7, 8, 9)	(7, 8, 9)
A	$(\frac{1}{7}, \frac{1}{6}, \frac{1}{5})$	$(\frac{1}{9}, \frac{1}{8}, \frac{1}{7})$	(1, 1, 1)	(1, 1, 1)
RC	$(\frac{1}{6}, \frac{1}{5}, \frac{1}{4})$	$(\frac{1}{9}, \frac{1}{8}, \frac{1}{7})$	(1, 1, 1)	(1, 1, 1)

Step 2 and 3: Compute the geometric mean $(\tilde{r_{i}})$ and fuzzy weight for each criterion ( $(\tilde{w_{i}})$ ) [14] (shown in Table 4) using the equations: $\tilde{r_{i}} = (\prod_{j = 1}^{n} \tilde{a_{ij}}), i = 1, 2, . . ., n$ and $\tilde{w_{i}} = \tilde{r_{i}} \otimes (\tilde{r_{1}} \otimes \tilde{r_{2}} \otimes \dots \tilde{r_{n}})^{- 1} = ({hw}_{i}, {mw}_{i}, {uw}_{i})$ respectively. Here, n = 4 represents the number of response selection criteria and $\tilde{a_{ij}}$ indicates the decision makers importance of i^th criterion over the j^th criterion.

Table 4

Calculated geometric mean and importance weight for each criterion

	$\tilde{r_{i}}$	$\tilde{w_{i}}$
C	(1.35, 1.57, 1.80)	(0.19, 0.23, 0.31)
I	(3.74, 4.23, 4.70)	(0.52, 0.63, 0.80)
A	(0.35, 0.38, 0.41)	(0.05, 0.06, 0.07)
RC	(0.37, 0.40, 0.43)	(0.05, 0.06, 0.07)
Total	(5.82, 6.57, 7.34)
Reverse (power of -1)	(0.17, 0.15, 0.14)
Increasing Order	(0.14, 0.15, 0.17)

Step 4: De-fuzzifying the fuzzy importance weight of each criterion to obtain the relative non-fuzzy weight (M_i) and normalized non-fuzzy importance weight (N_i) of each criterion (shown in Table 5) using the equation [14]: $M_{i} = \frac{{lw}_{i} + {mw}_{i} + {uw}_{i}}{3}; N_{i} = \frac{M_{i}}{Σ_{i = 1}^{n} M_{i}}$

Table 5

Non-fuzzy and normalized relative importance weight of each criterion

	M _i	N _i	Importance Weight % of each criterion	Priority of each criterion
C	0.24	0.24	23.95	2
I	0.65	0.64	64.18	1
A	0.06	0.06	5.79	4
RC	0.06	0.06	6.08	3
Total	1.016

So, the obtained importance weight of criteria [C, I, A, RC] = [0.24, 0.64, 0.06, 0.06] It can be observed from the Table 5 that, the Integrity (I) criterion has scored the highest importance weight 64.18 and so be given the first priority. The second priority should be given to the Confidentiality (C), which scored the importance weight 23.95. Similarly, the other two criteria Response Cost (RC) and Availability (A) scored importance weight 6.08 and 5.79 respectively and ranked 3^rd and 4^th.

5.3 Analyzing of consistency ratio for the proposed criteria weight evaluation

To verify consistency of the taken comparison matrix C to ensure a certain level of quality of decision, the consistency ratio (CR) has to be computed and checked if its value is less than 0.1. If CR ≤ 0.1 then we can consider that the evaluation is consistent [15]. $CR = \frac{CI}{RI}$ , where, RI is a random consistency index and according to [11], RI = 0.90 for n = 4 (n is the number of criteria) CI is a Consistency Index and can be computed as [15]: $CI = \frac{λ_{\max} - n}{n - 1}$ , where, $λ_{\max} = Σ_{j = 1}^{n} \tilde{a_{ij}} \frac{\tilde{w_{j}}}{\tilde{w_{i}}} wherei, j = 1, 2, . . ., n$ . The consistency ratio CR is found to be 0.08, which is less than 0.1, therefore the comparison matrix C can be considered as consistent.

6 FRAIRSS response set prioritization using fuzzy TOPSIS technique

6.1 Prioritization of response set for R2L and U2R attack

Linguistic variables and equivalent fuzzy numbers used for rating the positive and negative category of criteria are shown in Table 6. Response prioritization evaluation steps using Fuzzy TOPSIS [18]:

Step 1: Generate feasible alternatives and determining the evaluation criteria.

Evaluation criteria: C, I, A and RC

Response alternatives for R2L & U2R attacks: SH (Shutdown Host), KP (Kill Process) and DU (Disable User)

Step 2: Choose the appropriate linguistic variables for the importance weight of the criteria obtained by FAHP. Evaluate linguistic ratings for alternatives with respect to criteria. We assumed the number of decision makers k = 1.

Step 3: Construct fuzzy decision matrix $\tilde{D}$ . Suppose there are n criteria and m alternatives. $\tilde{D} = [\begin{matrix} \tilde{x_{11}} & \tilde{x_{12}} & \dots & \tilde{x_{1 n}} \\ \tilde{x_{21}} & \tilde{x_{22}} & \dots & \tilde{x_{2 n}} \\ ⋮ & ⋮ & \dots & ⋮ \\ \tilde{x_{m 1}} & \tilde{x_{m 2}} & \dots & \tilde{x_{mn}} \end{matrix}]$ $\tilde{w} = [\begin{matrix} \tilde{w_{1}}, & \tilde{w_{2}}, & \dots, & \tilde{w_{n}} \end{matrix}]$ Where $\tilde{x_{ij}}, \forall_{i, j}$ and $\tilde{w_{j}}, j = 1, 2, . . ., n$ are linguistic variables. $\tilde{D} = [\begin{matrix} (7, 9, 10) & (7, 9, 10) & (0, 1, 3) & (7, 9, 10) \\ (5, 7, 9) & (5, 7, 9) & (3, 5, 7) & (5, 7, 9) \\ (5, 7, 9) & (5, 7, 9) & (7, 9, 10) & (1, 3, 5) \end{matrix}]$ Here, columns represent the response selection criteria and responses are represented by rows.

Step 4: Normalize fuzzy decision matrix denoted by $\tilde{R} = {[\tilde{r_{ij}}]}_{m \times n}$ , where, $\tilde{r_{ij}} = (\frac{a_{ij}}{c_{j}^{*}}, \frac{b_{ij}}{c_{j}^{*}}, \frac{c_{ij}}{c_{j}^{*}})$ ; $c_{j}^{*} =_{i}^{\max} c_{ij},$ for benefit or positive criteria. Or $\tilde{r_{ij}} = (\frac{a_{j}^{-}}{c_{ij}}, \frac{a_{j}^{-}}{b_{ij}}, \frac{a_{j}^{-}}{a_{ij}})$ ; $a_{j}^{-} =_{i}^{\min} a_{ij},$ for cost or negative criteria. $\tilde{R} = [\begin{matrix} (0.70,0.90,1.0) & (0.70,0.90,1.0) & (0.00,0.33,1.0) & (0.70,0.78,1.0) \\ (0.56,0.78,1.0) & (0.56,0.78,1.0) & (0.43,0.71,1.0) & (0.56,0.71,1.0) \\ (0.56,0.78,1.0) & (0.56,0.78,1.0) & (0.70,0.90,1.0) & (0.20,0.33,1.0) \end{matrix}]$ Note that only RC is the Negative Criteria.

Step 5: Construct weighted normalized fuzzy decision matrix using the equation:

\tilde{V} = [\tilde{v_{ij}}]_{m}, i = 1, 2, . . ., mandj = 1, 2, . . ., n

, where

\tilde{v_{ij}} = \tilde{r_{ij}} (\cdot) \tilde{w_{j}}

\tilde{V} = [\begin{matrix} (0.17,0.22,0.24) & (0.45,0.58,0.64) & (0.00,0.02,0.06) & (0.04,0.05,0.06) \\ (0.13,0.19,0.24) & (0.36,0.50,0.64) & (0.03,0.04,0.06) & (0.03,0.04,0.06) \\ (0.13,0.19,0.24) & (0.36,0.50,0.64) & (0.04,0.05,0.06) & (0.01,0.02,0.06) \end{matrix}]

Step 6: Calculate fuzzy positive-ideal solution (FPIS, A^*) and fuzzy negative-ideal solution (FNIS, A^-)

A^{*} = [\begin{matrix} (0.17,0.22,0.24) & (0.45,0.58,0.64) & (0.04,0.05,0.06) & (0.04,0.05,0.06) \end{matrix}]

A^{-} = [\begin{matrix} (0.13,0.19,0.24) & (0.36,0.50,0.64) & (0.00,0.02,0.06) & (0.01,0.02,0.06) \end{matrix}]

Step 7: Calculate the distance of each alternative (shown in Table 7) from A^* and A^- using the equations:

d_{i}^{*} = Σ d (\tilde{v_{ij}}, \tilde{v_{j}^{*}}), and d_{i}^{-} = Σ d (\tilde{v_{ij}}, \tilde{v_{j}^{-}}), i = 1, 2, . . ., m

, where

d (\tilde{a}, \tilde{b}) = \sqrt{\frac{1}{3} [(a_{1} - b_{1})^{2} + (a_{2} - b_{2})^{2} + (a_{3} - b_{3})^{2}]}

Table 6
Linguistic variables and fuzzy number for ratings the positive and negative category of criteria

Linguistic variables (Positive)	Linguistic variables (Negative)	Fuzzy triangular number
Ineffective (I)	Ineffective (I)	(0, 0, 1)
Very Poor (VP)	Very Poor (VP)	(0, 1, 3)
Poor (P)	Poor (P)	(1, 3, 5)
Average (A)	Average (A)	(3, 5, 7)
Good (G)	Bad (B)	(5, 7, 9)
Very Good (VG)	Very Bad (VB)	(7, 9, 10)
Excellent (E)	Noxious (N)	(9, 10, 10)

Table 7

Distance of each alternative from A^* and A^-

FPIS and FNIS / Response Alternatives	SH	KP	DU
A ^*	0.04	0.12	0.13
A ^-	0.12	0.04	0.04

Step 8: Calculate ${CC}_{i} = \frac{d_{i}^{-}}{d_{i}^{*} + d_{i}^{-}}, i = 1, 2, . . ., m$ (shown in Table 8)

Table 8

Closeness coefficient

Response Alternatives	Closeness Coefficient CC_i
SH	0.75
KP	0.27
DU	0.23

Step 9: Based on the CC_i of each alternative, rank the alternatives in descending order. Similarly, with the help of fuzzy decision matrix ${\tilde{D}}_{DOS}$ and ${\tilde{D}}_{PROBE}$ as shown below, the prioritization of response sets for DOS and PROBE attacks are calculated as shown in Tables 10 and 11 respectively. ${\tilde{D}}_{DOS} = [\begin{matrix} (7, 9, 10) & (7, 9, 10) & (0, 1, 3) & (7, 9, 10) \\ (5, 7, 9) & (5, 7, 9) & (3, 5, 7) & (5, 7, 9) \\ (5, 7, 9) & (5, 7, 9) & (3, 5, 7) & (5, 7, 9) \\ (5, 7, 9) & (5, 7, 9) & (7, 9, 10) & (1, 3, 5) \end{matrix}]$ ${\tilde{D}}_{PROBE} = [\begin{matrix} (7, 9, 10) & (7, 9, 10) & (0, 1, 3) & (7, 9, 10) \\ (5, 7, 9) & (5, 7, 9) & (3, 5, 7) & (5, 7, 9) \\ (5, 7, 9) & (5, 7, 9) & (7, 9, 10) & (1, 3, 5) \end{matrix}]$ The obtained prioritized response set will be used for assigning the level of response to the output variable AppliedResponse (shown in Table 9, for the response alternatives of R2L & U2R attack types) in terms of the linguistic variables like low, medium, high etc. and its equivalent fuzzy numbers (shown in Table 13). Similarly, the CC_i of response alternatives for the DOS as well as BROBE attack types are calculated and there equivalent linguistic value of applied response levels are shown in the Tables 10 and 11.

Table 9

CC_i of alternatives for R2L & U2R attack types with its equivalent linguistic value of applied response level

Response Alternatives	Closeness Coefficient CC_i	Applied Response Level
SH	0.75	High
KP	0.27	Medium
DU	0.23	Low

Table 10

CC_i of alternatives for DOS attack type with its equivalent linguistic value of applied response level

Response Alternatives	Closeness Coefficient CC_i	Applied Response Level
SH	0.65	Very High
RH	0.31	Medium
RP	0.29	Low
RST	0.35	High

Table 11

CC_i of alternatives for PROBE attack type with its equivalent linguistic value of applied response level

Response Alternatives	Closeness Coefficient CC_i	Applied Response Level
NR	0.00	Low
SIP	0.83	Medium
CDP	0.96	High

Table 12

Linguistic variable and its Fuzzy equivalent for input variables

Linguistic variable	Fuzzy equivalent	Membership Function Type
Low	0, 2, 4	Triangular (trimf)
Medium	3, 5, 7	Triangular (trimf)
High	6, 7, 10, 10	Trapezoidal (trapmf)

Table 13

Linguistic variable and its Fuzzy equivalent for output variables

Linguistic variable	Fuzzy equivalent	Membership Function Type
Low	0, 1, 3	Triangular (trimf)
Medium	2, 4, 6	Triangular (trimf)
High	5, 7, 10, 10	Trapezoidal (trapmf)

7 FRAIRSS fuzzy inference model

Fuzzy logic inference system [21] is very flexible in terms adaptability. Thus because of the use of fuzzy logic based system expensive and precise measurement is not required and measurements with low precision can be implemented, which will keep the overall system complexity low. Thus the use of fuzzy logic control makes the implementation of the system much more practical which is the number one goal of the proposed framework. Main reason for selecting the fuzzy rule-based inference system is:

It is very fast, easy to calculated, near optimum, intuitive, has widespread acceptance and well suited to human input

7.1 Design of fuzzy inference engine: FRAIRSS_R2L_U2R

Fuzzy Inference system called FRAIRSS_R2L_ U2R (Fuzzy Rule-Based Automatic Intrusion Response Selection System for R2L and U2R attack type) is designed to pick the most appropriate and suitable response from the prioritized response set under the given constraints and attack circumstances. FRAIRSS_R2L_U2R takes attack confidence level and attack target value as input and produces the level of response that can be appropriate to apply in the given attack circumstances. The input and output variables are assigned the fuzzy value in linguistic variable forms as mentioned in Tables 12 and 13 respectively. Mamdani fuzzy inference controller [22] is used for designing fuzzy inference system FRAIRSS_R2L_U2R as shown in Fig. 2, with the parameters as: centroid for defuzzyfication, IP/OP range [0, 10] and Min, Max for AND & OR operations. Mamdani’s method is one of the fuzzy inference system (FIS) built using fuzzy set theory that maps input space to an output space using fuzzy logic and used to solve the various decision problems.

Fig.2

FRAIRSS_R2L_U2R: Mamdani fuzzy inference controller for R2L and U2R attack based response selection.

The membership functions for the input variables AttackConfidenceLevel and TergetResourceValue and for output variable AppliedResponse are shown in Figs. 3, 4 and 5 respectively.

Fig.3

AttackConfidenceLevel Membership function.

Fig.4

TergetResourceValue Membership function.

Fig.5

AppliedResponse Membership function.

7.2 Fuzzy rule base

The rule base is a set of rules of the IF-THEN form. The IF portion of a rule refers to the degree of membership in one of the fuzzy sets. The THEN portion refers to the consequence, or the associated system output fuzzy set. Inference Rule Base of FRAIRSS_R2L_U2R for Response Selection given in Table 14.

Table 14
Inference Rule Base of FRAIRSS_R2L_U2R for Response Selection

S No Inference rule base of FRAIRSS_R2L_U2R

1 If (ACL is l) & (TRV is l) then (AR is l) (1)

2 If (ACL is l) & (TRV is m) then (AR is l) (1)

3 If (ACL is l) & (TRV is h) then (AR is m) (1)

4 If (ACL is m) & (TRV is l) then (AR is l) (1)

5 If (ACL is m) & (TRV is m) then (AR is m) (1)

6 If (ACL is m) & (TRV is h) then (AR is m) (1)

7 If (ACL is h) & (TRV is l) then (AR is m) (1)

8 If (ACL is h) & (TRV is m) then (AR is m) (1)

9 If (ACL is h) & (TRV is h) then (AR is h) (1)

Here each rule is having the equal weight. i. e. 1; ACL: AttackConfidenceLevel; TRV: TargetResourceValue; AR: AppliedResponse; l:Low; m:Medium; h:High; vh: veryhigh.

Similarly the fuzzy rule based inference system FRAIRSS_DOS and FRAIRSS_PROBE has been created for the response selection for DOS and PROBE attack types are mentioned in Tables 15 and 16 respectively and simulated in the MATLAB.

Table 15

Inference rule base of FRAIRSS_DOS for response selection

S No	Inference rules base of FRAIRSS_DOS
1	If (ACL is l) & (TRV is l) then (AR is l) (1)
2	If (ACL is l) & (TRV is m) then (AR is m) (1)
3	If (ACL is l) & (TRV is h) then (AR is h) (1)
4	If (ACL is m) & (TRV is l) then (AR is l) (1)
5	If (ACL is m) & (TRV is m) then (AR is m) (1)
6	If (ACL is m) & (TRV is h) then (AR is h) (1)
7	If (ACL is h) & (TRV is l) then (AR is m) (1)
8	If (ACL is h) & (TRV is m) then (AR is vh) (1)
9	If (ACL is h) & (TRV is h) then (AR is vh) (1)

Here each rule is having the equal weight. i. e. 1; ACL: AttackConfidenceLevel; TRV: TargetResourceValue; AR: AppliedResponse; l:Low; m:Medium; h:High; vh: veryhigh.

Table 16

Inference Rule Base of FRAIRSS_PROBE for Response Selection

S No	Inference rules base of FRAIRSS_PROBE
1	If (ACL is l) & (TRV is l) then (AR is l) (1)
2	If (ACL is l) & (TRV is m) then (AR is l) (1)
3	If (ACL is l) & (TRV is h) then (AR is m) (1)
4	If (ACL is m) & (TRV is l) then (AR is l) (1)
5	If (ACL is m) & (TRV is m) then (AR is m) (1)
6	If (ACL is m) & (TRV is h) then (AR is m) (1)
7	If (ACL is h) & (TRV is l) then (AR is m) (1)
8	If (ACL is h) & (TRV is m) then (AR is h) (1)
9	If (ACL is h) & (TRV is h) then (AR is h) (1)

Here each rule is having the equal weight. i. e. 1; ACL: AttackConfidenceLevel; TRV: TargetResourceValue; AR: AppliedResponse; l:Low; m:Medium; h:High; vh: veryhigh.

8 Result and Discussion

Fuzzy logic toolbox in Matlab is used to simulate the designed fuzzy inference system. The defined fuzzy rules can be viewed graphically using rule viewer; for example the Fig. 6 represents the rules for FRAIRSS_R2L_U2R inference system, where the aggregate output is shown at the bottom and the defuzzified output is shown at the center of the area as a small vertical line. The surface view for the FRAIRSS_R2L_U2R inference system is shown in Fig. 7, represents the relationship between inputs and the output in terms of data distribution. Surface view depicts three dimensional surface for the output variable AppliedResponse with respect to the variations in two input variables AttackConfidenceLevel and TargetResourceValue respectively. The defuzzified value of input scenarios and selected defuzzified value of the output variable is shown in Table 17. The variation in the output variable will occur according to the rules defined for FRAIRSS_R2L_U2R, FRAIRSS_DOS and FRAIRSS_PROBE fuzzy rule base. As defined organization’s policy (Table 5) in terms of response selection criteria (C, I, A and RC), it is shown that the highest priority is given to the integrity and second highest priority to confidentiality. Availability and response cost have equal importance being in the third priority. In scenario number 1 (Table 17), defuzzified value of attack confidence level is 8.01 indicating the attack confidence level is high and match with the rule number 7, 8 and 9 in the defined rule base for FRAIRSS_R2L_U2R inference system (Table 14). Whereas, the target resource defuzzified value is 7.85, which match with the rule number 3, 6 and 9 of the defined rule base for FRAIRSS_R2L_U2R inference system. The FRAIRSS_R2L_U2R inference system produces defuzzified value 7.98 as an output, which indicates the applied response should be high. In the mentioned security policy and scenario number 1, where attack confidence level and target resource value both are high, the proposed system produces the response Shutdown Host (SH) as an output. Since, under security policy, highest priority is given to integrity and confidentiality as compare to availability with attack confidence level and target resource value both are also high, then the selected response Shutdown Host (SH) is best suited & appropriate response under this scenario. In the scenario number 7, the attack confidence level is low (defuzzified value 3 as shown in Table 17) and target resource value is high (defuzzified value 8 as shown in Table 17). So, under DOS attack type with the mentioned situation the inferred level of response from the proposed system is high i.e. the selected response is Reset Connection (RST) as shown in Table 10. Since the integrity and confidentiality are assigned the highest priority, although the attack confidence level is low but target resource value is high, so Reset Connection (RST) in this situation will be the best possible solution in terms of response selected.

Fig.6

FRAIRSS_R2L_U2R inference system rule view.

Fig.7

FRAIRSS_R2L_U2R inference system surface view.

Table 17

Response selected in terms of output variable on various input scenario (defuzzified values)

Scenario number	Attack confidence level	Target resource value	Selected response level	Attack type	Selected Response Level (Linguistic Term)	Name of the selected response
1	8.01	7.85	7.98	R2L/U2R	High	SH (Table 9)
2	5	5	4	R2L/U2R	Medium	KP (Table 9)
3	5	2	1.33	R2L/U2R	Low	DU (Table 9)
4	8	3	4	DOS	Medium	RH (Table 10)
5	7	9	8.26	DOS	Very High	SH (Table 10)
6	6	8	6	DOS	High	RST (Table 10)
7	3	8	6	DOS	High	RST (Table 10)
8	5	5	4	PROBE	Medium	BSIP (Table 11)
9	9	5	7.98	PROBE	High	CDP (Table 11)
10	2	2	1.33	PROBE	Low	NR (Table 11)

Different output inferred by the proposed framework (containing FRAIRSS_R2L_ U2R, FRAIRSS_DOS and FRAIRSS_PROBE fuzzy inference systems) are shown in Fig. 8, indicating various responses selected under defined attack type (R2L/U2R, DOS and PROBE attacks), with the inputs as target resource value and the attack confidence level. It is shown clearly in the Fig. 8, that the response Shutdown Host (SH), which may produce high response cost, is selected by proposed framework only if attack confidence level as well as target resource value both are towards the higher end. Whereas, the response No Response (NR), having no response cost at all, is selected only if attack confidence level as well as target resource value both are towards the lower end. As seen, it is demonstrated how FRAIRSS framework can select appropriate response in different scenarios. Different scenarios with the attack types, attack confidence level, target resource value and organization’s security policy are evaluated, (out of which 10 scenarios are shown in the Table 17) and it is found that the proposed framework is producing the desired and optimal response that can be applied to given scenario in order to mitigate the intrusions.

Fig.8

Various responses selected.

8.1 Performance analysis

The performance analysis of the proposed framework is evaluated based on Response Trigger Time (RTT). RTT is the total execution time required by the framework to select the appropriate response.

As described in Table 18, in total FRAIRSS framework takes about 11 ms as the RTT, which is actually very fast to select the appropriate response in order to mitigate the attack before it progresses towards compromising the target. The whole framework is prototyped on a machine with Intel i5 CPU clocked at 2.30 GHz with 4 GB RAM and running 64-bit windows operating system with programmed in MATLAB. As the objective of AIRS is to trigger the response as fast as possible, so that attacker may not get enough time for compromising the target. As compared to the framework ORCEF proposed by Alireza Shameli-Sendi et al. [16], which takes about 450 ms response trigger time because of its complex design and number of parameters; this work reduces the time gap between identifying the attacked and triggering the appropriate response.

Table 18
Response Trigger Time of the FRAIRSS framework

Description of the execution stages	Execution time (ms)
Importance weight using fuzzy AHP	3
Response priority for R2L &U2R FTOPSIS	2
Response priority for DOS FTOPSIS	2
Response priority for PROBE FTOPSIS	2
Response selection using inference system	2

9 Conclusions

This paper presented the FRAIRSS framework which is very simple and practical model that can easily be implemented and used in real time. Fuzzy AHP handles the challenge of assigning the precise quantitative value as well as it also deals with the vagueness of the assigned importance weight of each criterion by the decision makers. The paper describes how Fuzzy AHP can be used for the measurement of importance weight of each response selection criterion.

The Importance weight of each criterion is further applied to the Fuzzy TOPSIS MCDM techniques for solving the issue of response set prioritization. Fuzzy rule-based inference system has been created for selecting the appropriate response from the prioritized response set based on the given input parameters i.e. attack confidence level and the target resource value. FRAIRSS framework is simulated in the MATLAB and it is found that the proposed framework is selecting the most desired and appropriate response for the given attack type and the input scenarios.

References

PWC, Turnaround and transformation in cybersecurity, Global State of Information Security Survey, 2016.

Shameli-Sendi

, Cheriet

and Hamou-Lhadj

, Taxonomy of intrusion risk assessment and response system, Journal of Computers & Security, Elsevier 45 (2014), 1–16.

Singh

D.K.

and Kaushik

, Analysis of decision making factors for automated intrusion response system (AIRS): A review, International Journal of Computer Science and Information Security 14(6) (2016), 471–478.

Justina

Ikuomola, A., Simon and Sodiya, A Credible Cost-Sensitive Model For Intrusion Response Selection, IEEE, Fourth International Conference CASoN 2012, pp. 222–227.

Sun

and Zhang

, Automatic Intrusion Response System Based on Aggregation and Cost, International Conference on Information and Automation, IEEE 2008, pp. 1783–1786.

Foo

, Wu

, Mao

, Bagchi

and Spafford

, ADEPTS: Adaptive Intrusion Response using Attack Graphs in an ECommerce Environment, , International Conference on Dependable Systems and Networks, IEEE 2005, pp.508–517.

, Xiao

, Xu

, Peng

and Zhuang

, Automated Intrusion Response Decision Based on the Analytic Hierarchy Process, International Symposium on Knowledge Acquisition and Modeling Workshop, IEEE (2008), pp. 574–577.

, Shuai

and Liu

, Analysis of Response Factors in Intrusion Response Decision-Making, Third International Conference on Computational Science and Optimization, IEEE 2010, pp. 395–399.

and Li

, An intrusion response decision-making model based on hierarchical task network planning, Journal of Expert Systems with Applications, Elsevier 37(3) (2010), 2465–2472.

10.

Zeng-quan

, Hui-Qiang

and Rui-Jie

, Analysis of an Intelligent Agent Intrusion Response System, IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology 2006.

11.

Saaty

T.L.

, The Analytic Hierarchy Process, McGraw-Hill International Book Company, New York. 1980.

12.

Kaufmann

, Gupta

A.M.M.

, Fuzzy Mathematical Models in Engineering and Management Science, Elsevier Science Publishers, North-Holland. Amsterdam, 1988.

13.

Chang

D.Y.

, Applications of the extent analysis method on fuzzy AHP, European Journal of Operational Research, Elsevier 95(3) (1996), 649–655.

14.

Mustafa

B.A.

, A fuzzy AHP approach for supplier selection problem: A case study in a gear motor company, IJMVSC 4(3) (2013), 11–23.

15.

Phanarut

and Wannasiri

, Applying fuzzy analytic hierarchy process to evaluate and select product of notebook computers, International Journal of Modeling and Optimization 2(2) (2012), 168–173.

16.

Shameli-Sendi

and Michel

, ORCEF: Online response cost evaluation framework for intrusion response system, Journal of Network and Computer Applications, Elsevier 55 (2015), 89–107.

17.

Shameli-Sendi and Michel

, ARITO: Cyber-attack response system using accurate risk impact tolerance, IJIS, Springer 13(4) (2013), 367–390.

18.

Mohamed

, Abdelhak

and T.

, How to Select Web Services Intelligently on the basis of a Brain Inspired Method for Solving Fuzzy Multi-Criteria Decision Making Problems, SAI Conference (IntelliSys), London. IEEE, 2015, pp. 141–149.

19.

Velasquez

and Patrick

T.H.

, An analysis of multi-criteria decision making methods, International Journal of Operations Research 10(2) (2013), 56–66.

20.

Caterino

, Iervolino

, Manfredi

and Cosenza

, A Comparative Analysis of Decision Making Methods for the Seismic Retrofit of RC Buildings, Beijing, China, The 14th World Conference on Earthquake Engineering 2008.

21.

Patil

and Srinivasaraghavan

, Smart Traffic Controller using Fuzzy Inference System (STCFIS), 2nd International Conference on NGCT, IEEE 2016, pp. 335–340.

22.

Sivanandam

S.N.

, Sumathi

and Deepa

S.N.

, Introduction to Fuzzy Logic using MATLAB, Springer, Edition 1. 2007.

Framework for Fuzzy Rule Based Automatic Intrusion Response Selection System (FRAIRSS) using Fuzzy Analytic Hierarchy Process and Fuzzy TOPSIS

Abstract

Keywords

1 Introduction

2 Related work

2.1 Intrusion response system

2.2 Multi-criteria decision making (MCDM)

2.3 Contribution

3 Proposed framework

3.1 FRAIRSS architecture

5 FAHP based measurement of importance weight for each criterion

5.1 Triangular Fuzzy Number (TFNs)

6 FRAIRSS response set prioritization using fuzzy TOPSIS technique

6.1 Prioritization of response set for R2L and U2R attack

Table 6 Linguistic variables and fuzzy number for ratings the positive and negative category of criteria

7.1 Design of fuzzy inference engine: FRAIRSS_R2L_U2R

Table 18 Response Trigger Time of the FRAIRSS framework

References

Table 6
Linguistic variables and fuzzy number for ratings the positive and negative category of criteria

Table 18
Response Trigger Time of the FRAIRSS framework