Research on automated rollbackability of intrusion response

The rollbackable automated intrusion response mechanism, a method whereby an intrusion response can be treated by in the context of the detection/response life-cycle. The idea derives from the observation that most intrusion responses have negative effects. To decrease the cumulative response cost, response rollback could be carried out at some suitable time, for example when the attack has terminated or the attack 'detection' is proved to be a false positive. Additionally, technologies supporting automated response are proposed, such as the structure of a response policy and the way the automated response might be implemented. A proposed implementation structure of rollbackable automated intrusion response system (RAIRS) is also given. With the quantified response cost, the result of our experiments shows that response rollback is promising as a way to decrease the expected cumulative intrusion response cost.