Cost model

Cost model

Date: Wed Sep 8 1998
by Christopher Wee


The cost model is fed a stream of attacks. Each attack has a pre-agreed-upon name (e.g., Syn-Flood, or portscan). The attacks have parameters attached to them. e.g., SYNFLOOD(victim_up, victim_port, src_ip, src_port) PORTSCAN(beginning_port,ending_port) The cost-model is implemented in CLIPS rules. The rules are stored on /home/assp/sw/UCDavis/RespEngine/


The only response considered thus far is to block a connection. The blocking capability is BLOCK_LINK(ip1,port2,ip2,port2) where ip1 and ip2 describe an existing network link. The response engine supplies a list of possible responses to each attack to the cost-model. At this time, only one response per attack is provided. Thus, the cost-model must decide whether to accept the response, or do nothing.

Knowledge base

The knowledge base (KB) codifies what services are mapped to what port. e.g., SMTP is mapped to port 25. In the KB, there is a set of of service,value tuples. Some services include SMTP, FTP, WWW. The values are a positive integer denoting the value of the service to the entire system (and presumably, user population) as a whole.

It is also possible to override this value for specific hosts with a triple (e.g., < k2,FTP,200>). The purpose of the cost-model is to select the reponse that minimizes the cost to the total system.