ABSTRACT

An intrusion response system (IRS) continuously monitors the health of a system based on IDS alerts in order to handle malicious or unauthorized activities effectively. It applies appropriate countermeasures to prevent problems from worsening and to return the system to a healthy state. A notification system generates alerts when an attack is detected. An alert can contain information such as the attack description, the time of the attack, the source IP, and the user accounts used in the attack. Typically, an IRS automatically executes a preconfigured set of response actions when a specific type of attack occurs. This approach is more automated than the IDS approach, in which an administrator must take such response actions manually. Unlike an IDS, an IRS requires no human intervention, so there is no delay between intrusion detection and response. Figure 6.1 shows the generic structure of an IRS. The four basic components of a generic IRS are a detection component, a reaction component, a monitoring component, and a managing system. Unlike IDSs and IPSs, the reaction component of an IRS includes a response system, which uses a predefined approach to respond to any intrusion automatically.
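As an added illustration (not from the chapter or Figure 6.1), the following Python sketch models the four components described above on constructed IDS alert lines: the detection component parses alerts, the reaction component applies a preconfigured playbook keyed on attack type, the monitoring component checks whether the system is back in a healthy state, and the managing system drives the loop and collects alerts that no playbook covers. The attack types, playbook entries and action names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed IDS alert records with the fields named in the abstract:
# time of attack, attack description, source IP, user account ("-" if none).
ALERTS = [
    "2024-03-01T09:15:02 brute_force 203.0.113.5 alice",
    "2024-03-01T09:15:09 port_scan 198.51.100.7 -",
    "2024-03-01T09:16:30 unknown_exploit 203.0.113.9 bob",
]

# Reaction component: preconfigured response actions per attack type (assumed).
PLAYBOOK = {
    "brute_force": ("block_ip", "lock_user"),
    "port_scan": ("block_ip",),
}

@dataclass
class State:
    blocked_ips: set = field(default_factory=set)
    locked_users: set = field(default_factory=set)
    escalated: list = field(default_factory=list)  # alerts left to the managing system

def parse_alert(line):
    """Detection component: turn one IDS alert line into a structured record."""
    time, attack, src, user = line.split()
    return {"time": time, "attack": attack, "source_ip": src, "user": user}

def respond(state, alert):
    """Apply the preconfigured actions for this attack type; escalate if there are none."""
    actions = PLAYBOOK.get(alert["attack"])
    if actions is None:
        state.escalated.append(alert)  # no automatic response defined
        return ()
    for action in actions:
        if action == "block_ip":
            state.blocked_ips.add(alert["source_ip"])
        elif action == "lock_user" and alert["user"] != "-":
            state.locked_users.add(alert["user"])
    return actions

def is_healthy(state, alerts):
    """Monitoring component: every covered alert is contained and nothing awaits a human."""
    return not state.escalated and all(
        a["source_ip"] in state.blocked_ips for a in alerts if a["attack"] in PLAYBOOK
    )

def run_irs(lines):
    """Managing system: detection -> reaction -> monitoring over a batch of alerts."""
    state, alerts = State(), [parse_alert(line) for line in lines]
    for alert in alerts:
        respond(state, alert)
    return state, is_healthy(state, alerts)
```

The third constructed alert has no playbook entry, so it is escalated and the batch is reported as not yet healthy, which is exactly the case where a real IRS must still hand off to the managing system.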