Automated Intelligent Cyberdefense Agents (AICAs) that are part Intrusion Detection Systems (IDS) and part Intrusion Response Systems (IRS) are being designed to protect against sophisticated and automated cyber-attacks. An AICA based on the ideas of Self-Adaptive Autonomic Computing Systems (SA-ACS) can be considered as a managing system that protects a managed system like a personal computer, web application, critical infrastructure, etc. An AICA, specifically the IRS components, can compute a wide range of potential responses to meet its security goals and objectives, such as taking actions to prevent the attack from completing, restoring the system to comply with the organizational security policy, containing or confining an attack, attack eradication, deploying forensics measures to enable future attack analysis, counterattack, and so on. To restrict its activities in order to minimize collateral/organizational damage, such an automated system must have set Rules of Engagement (RoE). Automated systems must determine which operations can be completely automated (and when), which actions require human operator confirmation, and which actions must never be undertaken. In this paper, to enable this control functionality over an IRS, we create Rules of EngaGement for Automated cybeR Defense (REGARD) system which holds a set of Rules of Engagement (RoE) to protect the managed system according to the instructions provided by the human operator. These rules help limit the action of the IRS on the managed system in compliance with the recommendations of the domain expert. We provide details of execution, management, operation, and conflict resolution for Rules of Engagement (RoE) to constrain the actions of an automated IRS. We also describe REGARD system implementation, security case studies for cyber defense, and RoE demonstrations.

翻译：自动化智能网络防御代理（AICA）兼具入侵检测系统（IDS）与入侵响应系统（IRS）功能，旨在防护复杂且自动化的网络攻击。基于自适应自主计算系统（SA-ACS）理念设计的AICA可视为一个管理系统，用于保护被管理系统（如个人计算机、网络应用程序、关键基础设施等）。AICA（尤其是IRS组件）能计算多种潜在响应策略以实现安全目标，例如：阻止攻击完成、恢复系统以符合组织安全策略、隔离或限制攻击、清除攻击、部署取证措施以支持未来攻击分析、实施反制等。为约束其行为以最小化附带损害或组织损失，此类自动化系统必须设定交战规则（RoE）。自动化系统需确定哪些操作可完全自动化（及何时执行）、哪些操作需人工操作员确认、以及哪些操作绝不可执行。本文为支持对IRS的控制功能，构建了自动化网络防御交战规则（REGARD）系统，该系统持有一组根据人工操作员指令保护被管理系统的交战规则（RoE）。这些规则依据领域专家建议，限制IRS对被管理系统的操作。我们详述了用于约束自动化IRS行为的交战规则（RoE）的执行、管理、操作及冲突消解机制。此外，还介绍了REGARD系统的实现、网络安全防御案例研究及RoE演示。