Journal: Expert systems with applications

DSS for computer security incident response applying CBR and collaborative response



Abstract

Recently, as hacking attempts have increased dramatically, most enterprises have been forced to deploy safeguards against them. For example, a firewall or IPS (Intrusion Prevention System) selectively accepts incoming packets, and an IDS (Intrusion Detection System) detects attack attempts on the network. The latest firewalls work in cooperation with an IDS to respond immediately to hacking attempts. However, the IDS may raise false alarms that misjudge normal traffic as hacking traffic, and blocking normal IP addresses on the strength of those false alarms causes network problems. Because of false alarms raised by the IDS, system administrators or CSOs make wrong decisions, important data may be exposed, or the availability of the network or server systems may be exhausted. Therefore, it is important to minimize false alarms.

As a way of minimizing false alarms and supporting adequate decisions, we suggest the RFM (Recency, Frequency, Monetary) analysis methodology, which analyzes log files by combining the three criteria of recency, frequency and monetary value with a statistical process control chart, and thus leads to an intuitive detection of anomaly and misuse events. Moreover, to cope with hacking attempts proactively, we apply CBR (case-based reasoning) to find similarities between already known hacking patterns and new hacking patterns. With the RFM analysis methodology and CBR, we develop a DSS which can minimize false alarms and decrease the time to respond to hacking events. When the RFM analysis module finds that unknown viruses or worms have occurred, the CBR system matches the most similar incident case from the case database. System administrators can easily get information about how to fix the problem and how similar cases were fixed, and CSOs can build a blacklist of frequently detected IP addresses and users. This blacklist can be used for incident handling.

Finally, we propose a collaborative incident response system with the DSS: distributed agents interactively exchange data on suspicious users and source IP addresses, decide which users are truly anomalous and which IP addresses are the riskiest, and then automatically deny all connections from those users and IP addresses with fewer false positives.
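The abstract names the ingredients of the method (recency, frequency and monetary criteria drawn from log files, a statistical process control chart, case retrieval, and a quorum among distributed agents) without showing how they fit together. The following is an added example, not code from the paper or its authors: it applies a Shewhart c-chart upper control limit to per-source event counts, computes an RFM row for each source, retrieves the nearest stored case by distance over log-scaled features, and merges the blacklists of several agents by a vote threshold. The log lines, the baseline counts, the case base, and the use of bytes per event as the "monetary" criterion are all constructed assumptions for illustration.

```python
"""RFM triage with a c-chart control limit, nearest-case retrieval and an agent quorum.
Added example, not the paper's code; all data below is constructed for illustration."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <source IP> <bytes>".
SAMPLE_LOG = """\
2024-01-01T10:01:00 10.0.0.5 512
2024-01-01T10:03:00 10.0.0.6 300
2024-01-01T10:04:00 10.0.0.5 640
2024-01-01T10:05:00 10.0.0.7 200
2024-01-01T10:06:30 10.0.0.6 310
2024-01-01T10:07:00 10.0.0.7 180
2024-01-01T10:08:00 10.0.0.7 210
2024-01-01T10:09:00 203.0.113.9 60
2024-01-01T10:09:10 203.0.113.9 60
2024-01-01T10:09:20 203.0.113.9 60
2024-01-01T10:09:30 203.0.113.9 60
2024-01-01T10:09:40 203.0.113.9 60
2024-01-01T10:09:50 203.0.113.9 60
"""
NOW = datetime.fromisoformat("2024-01-01T10:10:00")

# Constructed baseline: events per source per 10-minute window during a quiet period.
BASELINE_COUNTS = [1, 2, 1, 2, 1, 2, 1, 2]

# Constructed case base: RFM signature of a past incident and the response that worked.
# "monetary" is approximated by bytes per event (an assumption, not the paper's choice).
CASE_BASE = [
    {"name": "high-rate probing from one source", "frequency": 10, "mean_bytes": 64,
     "recency": 30, "response": "block source at the firewall; confirm no session completed"},
    {"name": "bulk transfer to one source", "frequency": 3, "mean_bytes": 50000,
     "recency": 60, "response": "isolate the internal host; review egress rules"},
    {"name": "worm-like fan-out", "frequency": 40, "mean_bytes": 1200,
     "recency": 5, "response": "quarantine the segment; patch and rescan"},
]


def parse_log(text):
    """Group (timestamp, bytes) events by source IP."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, ip, nbytes = line.split()
            events[ip].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def rfm_table(events, now):
    """Recency = seconds since last event, frequency = event count, monetary = total bytes."""
    table = {}
    for ip, evs in events.items():
        last = max(t for t, _ in evs)
        total = sum(b for _, b in evs)
        table[ip] = {"recency": (now - last).total_seconds(), "frequency": len(evs),
                     "monetary": total, "mean_bytes": total / len(evs)}
    return table


def c_chart_ucl(counts, k=3.0):
    """Upper control limit of a Shewhart c-chart for counts: c_bar + k*sqrt(c_bar)."""
    c_bar = sum(counts) / len(counts)
    return c_bar + k * math.sqrt(c_bar)


def out_of_control(table, ucl):
    """Sources whose event frequency in the current window exceeds the control limit."""
    return sorted(ip for ip, f in table.items() if f["frequency"] > ucl)


def retrieve_case(features, case_base=CASE_BASE):
    """Nearest stored case by Euclidean distance over log-scaled RFM features."""
    def vec(c):
        return [math.log1p(c["frequency"]), math.log1p(c["mean_bytes"]), math.log1p(c["recency"])]
    query = vec(features)
    return min(case_base, key=lambda c: math.dist(query, vec(c)))


def triage(log_text, now, baseline_counts):
    """Flag out-of-control sources and attach the most similar past case to each."""
    table = rfm_table(parse_log(log_text), now)
    ucl = c_chart_ucl(baseline_counts)
    hits = []
    for ip in out_of_control(table, ucl):
        case = retrieve_case(table[ip])
        hits.append({"ip": ip, **table[ip], "case": case["name"], "response": case["response"]})
    return hits


def collaborative_verdict(agent_blacklists, quorum=2):
    """IPs reported by at least `quorum` agents; a single sensor's false alarm does not block."""
    votes = defaultdict(int)
    for blacklist in agent_blacklists:
        for ip in set(blacklist):
            votes[ip] += 1
    return sorted(ip for ip, n in votes.items() if n >= quorum)


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, NOW, BASELINE_COUNTS):
        print(hit)
    print(collaborative_verdict([["203.0.113.9", "10.0.0.7"], ["203.0.113.9"], ["10.0.0.7"]]))
```

The control limit is learned from the quiet baseline rather than from the window being judged, so a single noisy source cannot inflate its own threshold; the quorum step is what stands in for the abstract's agents exchanging suspicious IP data before any connection is denied.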
