An Incident Response Support System Based On Seriousness Of Infection

2016 International Conference on Information Networking (ICOIN), 2016

Abstract
Recently, cyber attacks have become so sophisticated that conventional countermeasures focused on preventing intrusion are becoming less effective. Thus, recent countermeasures focus on the post-intrusion phase, such as incident response. We previously proposed a system to support network administrators performing incident responses. However, our previous system uses only an anomaly detection technique to detect signs of cyber attacks, so we may overlook some signs. In addition, it burdens us with many unimportant detection reports, including many false positives. Our previous system also deals with detected malware one by one; such behavior cannot cope with the various situations that incidents present. As a solution, this paper proposes an incident response support system based on the seriousness of infection. The system combines various types of detection techniques and thereby raises a large number of detection reports. To manage these detection reports, we define the Infection Suspicious Level (ISL), which represents the degree of suspicion of malware infection. By assigning an ISL to every network segment, the system performs appropriate monitoring and analysis and takes countermeasures semi-automatically based on the ISL. The proposed system can raise a larger number of detection reports, reduce the false positive problem, and provide several strategies against attacks.
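The abstract describes ISL only in outline: reports from several detector types are aggregated per network segment, and the resulting level selects monitoring, analysis or countermeasure actions. The toy model below is an added illustration of that idea, not the paper's system; the detector weights, tier thresholds, tier names and sample reports are all assumptions constructed for this example.

```python
"""Toy model of the Infection Suspicious Level (ISL) idea from the abstract.

Weights, thresholds and tier names are assumptions for illustration; the
paper's actual ISL definition is not given on this page.
"""
from collections import defaultdict

# Assumed weights: how much one report of each detector type adds to a
# segment's ISL. Anomaly detections are noisy (many false positives), so
# they count less than a signature match or an observed C2 beacon.
REPORT_WEIGHTS = {"anomaly": 1, "signature": 3, "c2_beacon": 5}

# Assumed tiers: (minimum ISL, response the operator is guided toward).
RESPONSE_TIERS = [
    (0, "routine-monitoring"),
    (3, "enhanced-monitoring"),
    (6, "host-analysis"),
    (10, "segment-isolation"),
]

def compute_isl(reports):
    """Sum weighted reports per segment; unknown detector types count 1."""
    isl = defaultdict(int)
    for segment, detector in reports:
        isl[segment] += REPORT_WEIGHTS.get(detector, 1)
    return dict(isl)

def response_for(isl_value):
    """Pick the highest tier whose threshold the ISL reaches."""
    action = RESPONSE_TIERS[0][1]
    for threshold, tier in RESPONSE_TIERS:
        if isl_value >= threshold:
            action = tier
    return action

def plan_responses(reports):
    """Map every segment mentioned in the reports to a response tier."""
    return {seg: response_for(v) for seg, v in compute_isl(reports).items()}

# Constructed sample reports: (network segment, detector type).
SAMPLE_REPORTS = [
    ("10.0.1.0/24", "anomaly"), ("10.0.1.0/24", "anomaly"),
    ("10.0.2.0/24", "anomaly"), ("10.0.2.0/24", "signature"),
    ("10.0.2.0/24", "c2_beacon"), ("10.0.2.0/24", "anomaly"),
    ("10.0.3.0/24", "signature"),
]

if __name__ == "__main__":
    print(plan_responses(SAMPLE_REPORTS))
```

Two anomaly reports alone leave a segment at routine monitoring, while a segment with corroborating detections of different types climbs to the isolation tier, which is how the abstract's ISL is meant to damp the false-positive noise of a single detector.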
Keywords
ISL, infection suspicious level, malware detection, anomaly detection technique, intrusion prevention, cyberattacks, infection seriousness, incident response support system