Network Intrusion Response Systems: Towards Standardized Evaluation of Intrusion Response
摘要
While intrusion detection has become increasingly relevant and standardized, the same cannot be said for intrusion response. Currently, intrusion response systems vary widely in terms of infrastructure requirements, evaluation methodologies, and performance metrics. In this paper, we take a step toward standardizing intrusion response by introducing the concept of network intrusion response systems (NIRS). NIRS rely solely on network traffic data and perform network-level actions, thereby requiring minimal assumptions about the underlying infrastructure. We motivate this new definition by: (a) introducing the fundamental problem that NIRS aim to solve, i.e., turning alerts raised by network intrusion detection systems (NIDS) into network-level actions; (b) illustrating desirable properties that are fulfilled and their devised workflow in a network ecosystem. Finally, we discuss how NIRS, differently from other response solutions, can be evaluated on publicly available datasets that are typically used for NIDS assessment, thereby facilitating performance comparison between different implementations. We demonstrate how this evaluation can be performed on two baseline NIRS approaches: a heuristic-based and an LLM-based NIRS.