Abstract

Securing the constantly evolving IoT threat landscape is a challenging problem, with severe consequences when not tackled appropriately. In response to that challenge, the field of moving-target defense has developed, to address these threats by utilizing game-theoretic approaches to respond to them while maintaining a high level of availability. This work presents an implementation of an intrusion response system, which uses a Bayesian attack graph to model the complex state of the network and its hosts, and a partially observable Markov decision process to choose optimal mitigation actions. In order to cope with novel and unknown network attacks, like zero-day exploits, an alert management policy was added to focus the POMDP on the current state of the network and provide short-term mitigation actions. Finally, the system was evaluated against five scenarios (Mirai, Zeus, zero-day, 10 malicious traffic replays, and BlackEnergy) executed in a simulated SOHO environment. Evaluation results showed its high effectiveness against traditional threats, and a slight increase in effectiveness against novel threats.