In order to cope with the continuous evolution of cyber threats, many security products (e.g., IDS/IPS, TMS, firewalls) are being deployed in organizations' networks, but it is not easy to monitor and analyze the security events triggered by these products constantly and effectively. Thus, in many cases, real-time incident analysis and response activities for each organization are assigned to an external dedicated security center. However, since the external security center deploys its security appliances only at the boundary or at a single point of the network, it is very difficult to understand the entire network situation and respond to security incidents rapidly and accurately when relying on only a single type of security information. In addition, security appliances trigger an unmanageable number of alerts (by some estimates, several thousand alerts are raised every day, and about 99% of them are false positives), which makes it difficult for the analyst to investigate all of them and to identify which alerts are serious and which are not. In this paper, therefore, we propose an advanced incident response methodology to overcome the limitations of the existing incident response scheme. The main idea of our methodology is to utilize polymorphic security events, which can be easily obtained from the security appliances deployed in each organization, and to subject them to correlation analysis. We evaluate the proposed methodology using diverse types of real security information, and the results show the effectiveness and superiority of the proposed incident response methodology.
Haeng-Gon LEE
Korea Institute of Science and Technology Information
Jungsuk SONG
Korea Institute of Science and Technology Information
Sang-Soo CHOI
Korea Institute of Science and Technology Information
Gi-Hwan CHO
Chonbuk National University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Haeng-Gon LEE, Jungsuk SONG, Sang-Soo CHOI, Gi-Hwan CHO, "An Advanced Incident Response Methodology Based on Correlation Analysis of Polymorphic Security Events" in IEICE TRANSACTIONS on Communications,
vol. E96-B, no. 7, pp. 1803-1813, July 2013, doi: 10.1587/transcom.E96.B.1803.
Abstract: In order to cope with the continuous evolution of cyber threats, many security products (e.g., IDS/IPS, TMS, firewalls) are being deployed in organizations' networks, but it is not easy to monitor and analyze the security events triggered by these products constantly and effectively. Thus, in many cases, real-time incident analysis and response activities for each organization are assigned to an external dedicated security center. However, since the external security center deploys its security appliances only at the boundary or at a single point of the network, it is very difficult to understand the entire network situation and respond to security incidents rapidly and accurately when relying on only a single type of security information. In addition, security appliances trigger an unmanageable number of alerts (by some estimates, several thousand alerts are raised every day, and about 99% of them are false positives), which makes it difficult for the analyst to investigate all of them and to identify which alerts are serious and which are not. In this paper, therefore, we propose an advanced incident response methodology to overcome the limitations of the existing incident response scheme. The main idea of our methodology is to utilize polymorphic security events, which can be easily obtained from the security appliances deployed in each organization, and to subject them to correlation analysis. We evaluate the proposed methodology using diverse types of real security information, and the results show the effectiveness and superiority of the proposed incident response methodology.
URL: https://global.ieice.org/en_transactions/communications/10.1587/transcom.E96.B.1803/_p
@ARTICLE{e96-b_7_1803,
author={Haeng-Gon LEE and Jungsuk SONG and Sang-Soo CHOI and Gi-Hwan CHO},
journal={IEICE TRANSACTIONS on Communications},
title={An Advanced Incident Response Methodology Based on Correlation Analysis of Polymorphic Security Events},
year={2013},
volume={E96-B},
number={7},
pages={1803-1813},
abstract={In order to cope with the continuous evolution of cyber threats, many security products (e.g., IDS/IPS, TMS, firewalls) are being deployed in organizations' networks, but it is not easy to monitor and analyze the security events triggered by these products constantly and effectively. Thus, in many cases, real-time incident analysis and response activities for each organization are assigned to an external dedicated security center. However, since the external security center deploys its security appliances only at the boundary or at a single point of the network, it is very difficult to understand the entire network situation and respond to security incidents rapidly and accurately when relying on only a single type of security information. In addition, security appliances trigger an unmanageable number of alerts (by some estimates, several thousand alerts are raised every day, and about 99% of them are false positives), which makes it difficult for the analyst to investigate all of them and to identify which alerts are serious and which are not. In this paper, therefore, we propose an advanced incident response methodology to overcome the limitations of the existing incident response scheme. The main idea of our methodology is to utilize polymorphic security events, which can be easily obtained from the security appliances deployed in each organization, and to subject them to correlation analysis. We evaluate the proposed methodology using diverse types of real security information, and the results show the effectiveness and superiority of the proposed incident response methodology.},
keywords={},
doi={10.1587/transcom.E96.B.1803},
ISSN={1745-1345},
month={July}
}
TY - JOUR
TI - An Advanced Incident Response Methodology Based on Correlation Analysis of Polymorphic Security Events
T2 - IEICE TRANSACTIONS on Communications
SP - 1803
EP - 1813
AU - Haeng-Gon LEE
AU - Jungsuk SONG
AU - Sang-Soo CHOI
AU - Gi-Hwan CHO
PY - 2013
DO - 10.1587/transcom.E96.B.1803
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E96-B
IS - 7
JA - IEICE TRANSACTIONS on Communications
Y1 - 2013/07//
AB - In order to cope with the continuous evolution of cyber threats, many security products (e.g., IDS/IPS, TMS, firewalls) are being deployed in organizations' networks, but it is not easy to monitor and analyze the security events triggered by these products constantly and effectively. Thus, in many cases, real-time incident analysis and response activities for each organization are assigned to an external dedicated security center. However, since the external security center deploys its security appliances only at the boundary or at a single point of the network, it is very difficult to understand the entire network situation and respond to security incidents rapidly and accurately when relying on only a single type of security information. In addition, security appliances trigger an unmanageable number of alerts (by some estimates, several thousand alerts are raised every day, and about 99% of them are false positives), which makes it difficult for the analyst to investigate all of them and to identify which alerts are serious and which are not. In this paper, therefore, we propose an advanced incident response methodology to overcome the limitations of the existing incident response scheme. The main idea of our methodology is to utilize polymorphic security events, which can be easily obtained from the security appliances deployed in each organization, and to subject them to correlation analysis. We evaluate the proposed methodology using diverse types of real security information, and the results show the effectiveness and superiority of the proposed incident response methodology.
ER -