
Developing a Network Science Based Approach to Cyber Incident Analysis.


Abstract

Adversaries that conduct cyber crime continue to enjoy a significant head start on analysts who are tasked with discovering important information which can deter and ultimately defeat their attacks. A major reason for this problem is the slow process of the current analysis methodology. In this paper we present a new method of incident analysis which is artefact driven and not process driven. In our method, key aspects of the incident are revealed dynamically through the tracking of the interactions between the artefacts. With the discovered information, many attacks that are in progress can be stopped and new incidents can be prevented in a fraction of the time it would take to discover this information through traditional analysis. This new method builds a community for each individual incident found within the network. We evaluate our approach on two botnet data traces. Our preliminary results show that the communities built based on the artefact interactions shed light on the roles of each contributing botnet participant. Discovering these roles gives the analyst expedient options in responding to the attack. We believe this work has the potential to significantly help cyber incident analysis by reducing the time gap between identifying an incident and discovering actionable intelligence from it.
