
An Incident Response Support System

G. Capuzzi; E. Cardinale; I. Di Pietro; L. Spalazzi
2006-01-01

Abstract

Computer and network security can be improved by three kinds of tools: tools for intrusion prevention, tools for intrusion detection, and tools for incident response. Many systems have been proposed and developed for the first two kinds of tools. Concerning the third, as far as we know, the response plan is still left to the security manager: no automatic tools have been developed. Indeed, even if there exist forensic analysis, data recovery, and system upgrading tools, we do not yet have a comprehensive tool which includes log correlation, attack classification, and response plan generation. Our work deals with a Case-Based Reasoning system (called IRSS) that classifies attacks, looks in a case base for past attacks similar to the current one (according to given similarity metrics), and reuses the past response plans (adapted to the current attack) in order to restore normal conditions and improve network security. This paper provides an overview of the system and primarily focuses on the incident retrieval (attack classification) phase.
Files for this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11566/38962
Warning: the data shown has not been validated by the university.

Citations
  • PMC: ND
  • Scopus: 5
  • ISI: 1