DOI: 10.1145/3229598.3229603
Research article, free access

Speculating Incident Zone System on Local Area Networks

Published: 07 August 2018

Abstract

The triage process in incident handling lacks the ability to assess the overall risk posed by modern cyber attacks. Zoning local area networks by measuring internal network traffic is an important response to such risks. We therefore propose the SPeculating INcident Zone (SPINZ) system to support the triage process. SPINZ analyzes internal network flows and outputs an incident zone, the set of devices related to the incident. We evaluate the performance of SPINZ through simulations on incident flow datasets generated from open internal-traffic data combined with lateral movement traffic. The results confirm that SPINZ is capable of detecting an incident zone, but removing unrelated devices from the zone remains an issue for further investigation.


Published In

WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity
August 2018
57 pages
ISBN:9781450359108
DOI:10.1145/3229598
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Anomaly Detection
  2. Cyber Security
  3. Incident Handling
  4. Triage

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SIGCOMM '18
Sponsor:
SIGCOMM '18: ACM SIGCOMM 2018 Conference
August 20, 2018
Budapest, Hungary

Article Metrics

  • Total Citations: 0
  • Total Downloads: 339
  • Downloads (Last 12 months): 44
  • Downloads (Last 6 weeks): 8

Reflects downloads up to 12 Nov 2024
