
Protection of computer and network systems

2.3 CYBER ATTACK RESPONSE

Diagnostic information from attack assessment is the key input when planning an attack response, which includes stopping an attack, recovering an affected system, and correcting the exploited vulnerabilities. In practice, attack response has mostly been planned and performed manually by system administrators or security analysts [38]. Stopping an attack often involves sending out notifications, disconnecting a user, terminating a connection, process or service, or disabling a user account [7, 8, 17, 35]. Recovering an affected system often requires reinstalling programs and using backup data to bring the system back to a pre-attack state. Correcting vulnerabilities must specifically address the exploited vulnerabilities, which can be diagnosed during the attack assessment. It usually takes time for software or security product vendors (e.g., Microsoft) to identify the vulnerabilities exploited by previously unknown attacks and to develop solutions for them. For example, the LiveUpdate support offered by Symantec Corporation currently provides updates of vulnerabilities and other attack information every two weeks. Attack response in a quick, automatic manner therefore remains a challenge.
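The three response phases above (stop, recover, correct) can be turned into a reproducible plan rather than an ad hoc sequence of administrator commands. The following Python module is an added illustration, not code from this book or from any product it cites: it takes an attack-assessment record, produces an ordered list of containment, recovery and correction actions, and executes them only when explicitly told to. The Assessment schema, the backup location and the package-update command are assumptions made for the example, and the sample record is constructed.

```python
"""Build an ordered, auditable attack-response plan from an assessment record.
Added illustration only; the record schema, backup root and patch command are
assumptions, not the book's or any vendor's interface."""
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

PHASES = ("stop", "recover", "correct")  # the order the text prescribes


@dataclass
class Assessment:
    """Diagnostic output of attack assessment (assumed schema)."""
    host: str
    remote_ip: Optional[str] = None                      # attacker's source
    services: List[str] = field(default_factory=list)    # abused services
    pids: List[int] = field(default_factory=list)        # malicious processes
    user: Optional[str] = None                           # compromised account
    affected_paths: List[str] = field(default_factory=list)  # tampered files
    patch_package: Optional[str] = None   # package whose update closes the hole


@dataclass
class Action:
    phase: str
    argv: List[str]   # empty argv = manual follow-up, nothing to execute
    note: str


def build_plan(a: Assessment, backup_root: str = "/backup/pre-attack") -> List[Action]:
    plan: List[Action] = []
    # 1. Stop the attack. Cut the attacker's channel first so that killed
    #    processes cannot be respawned from the same session.
    if a.remote_ip:
        plan.append(Action("stop", ["iptables", "-I", "INPUT", "-s", a.remote_ip, "-j", "DROP"],
                           "terminate connections from the attacking host"))
    for svc in a.services:
        plan.append(Action("stop", ["systemctl", "stop", svc], f"stop abused service {svc}"))
    for pid in a.pids:
        plan.append(Action("stop", ["kill", "-KILL", str(pid)], f"terminate process {pid}"))
    if a.user:
        # Lock the account before killing its sessions, or the attacker logs back in.
        plan.append(Action("stop", ["usermod", "-L", a.user], f"disable account {a.user}"))
        plan.append(Action("stop", ["pkill", "-KILL", "-u", a.user], f"disconnect user {a.user}"))
    # 2. Recover: restore tampered files from the pre-attack backup (assumed path).
    for path in a.affected_paths:
        plan.append(Action("recover", ["rsync", "-a", f"{backup_root}{path}", path],
                           f"restore {path} from backup"))
    # 3. Correct the exploited vulnerability. If assessment could not name it,
    #    record that explicitly so the plan is not mistaken for complete.
    if a.patch_package:
        plan.append(Action("correct", ["apt-get", "install", "--only-upgrade", "-y", a.patch_package],
                           f"patch {a.patch_package}"))
    else:
        plan.append(Action("correct", [],
                           "exploited vulnerability not identified; keep host isolated and re-assess"))
    return plan


def in_order(plan: List[Action]) -> bool:
    """True when no recovery precedes containment and no fix precedes recovery."""
    idx = [PHASES.index(x.phase) for x in plan]
    return idx == sorted(idx)


def render(plan: List[Action]) -> List[str]:
    return [f"[{x.phase}] {shlex.join(x.argv) if x.argv else '(manual)'}  # {x.note}"
            for x in plan]


def run(plan: List[Action], dry_run: bool = True) -> List[str]:
    """Execute the plan, or with dry_run just list it. Returns the commands."""
    if not in_order(plan):
        raise ValueError("plan phases out of order")
    done = []
    for x in plan:
        if not x.argv:
            continue
        if not dry_run:
            subprocess.run(x.argv, check=True)
        done.append(shlex.join(x.argv))
    return done


# Constructed assessment record for a compromised web host (sample data).
SAMPLE = Assessment(host="web01", remote_ip="203.0.113.7", services=["php-fpm"],
                    pids=[4711], user="www-data",
                    affected_paths=["/var/www/html/index.php"], patch_package=None)

if __name__ == "__main__":
    print("\n".join(render(build_plan(SAMPLE))))
```

Running the module prints the plan without touching the host; `run(plan, dry_run=False)` executes it, and the unresolved-vulnerability case is kept as a visible manual action so that a "completed" plan cannot silently skip the correction step.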


2.4 SUMMARY

This chapter reviews three areas of protecting the security of a computer and network system:

• prevention;
• detection;
• response;

along with some examples of technologies in each area. This chapter also outlines the research work which is covered in detail in Parts II–VII and is summarized below:

• Part II, Chapters 3–6: secure system architecture and design, including an asset protection-driven security architecture, policy-based security protection, and new methods of job admission control, job scheduling and job reservation on computers and networks;
• Part III, Chapters 7–11: mathematical/statistical features and characteristics of attack and normal use data;
• Part IV, Chapters 12–13: the signature recognition methodology of cyber attack detection using data clusters and ANN;
• Part V, Chapters 14–15: the anomaly detection methodology of cyber attack detection using statistical anomaly detection and data clustering;
• Part VI, Chapters 16–17: the attack norm separation methodology of cyber attack detection using the cuscore detection models, which employ mathematical and statistical models of both attack and normal use data to cancel the effect of normal use data in the mixed attack and norm data and identify the presence of attack data in the residual data;
• Part VII, Chapter 18: security incident assessment, including an optimization method to select the smallest set of attack data characteristics that uniquely identify a range of attacks, and the attack profiling method to spatially and temporally correlate events of a security incident.

REFERENCES

1. Symantec Gateway Security 5000 Series v3.0 Administration Guide, 2005, ftp://ftp.symantec.com/public/english_us_canada/products/symantec_gateway_security/5600-Series/manuals/SGS_Administrators.

2. C.P. Pfleeger, Security in Computing. Upper Saddle River, NJ: Prentice Hall PTR, 1997.

3. Symantec Enterprise Security Manager Administrator's Guide, 1998–2005, ftp://ftp.symantec.com/public/english_us_canada/products/symantec_enterprise_security_manager/6.5/manuals/esm65adminguide.pdf.

4. Symantec Critical System Protection Administrator's Guide, 2005, ftp://ftp.symantec.com/public/english_us_canada/products/symantec_critical_system_protection/4.5/manuals/scspadmin.pdf.

5. N. Ye, T. Farley, X. Li, and B. Harish, "Batch scheduled admission control for computer and network systems." Information, Knowledge, Systems Management, Vol. 5, No. 4, 2005/2006, pp. 211–226.

6. Z. Yang, N. Ye, and Y.-C. Lai, "QoS model of a router with feedback control." Quality and Reliability Engineering International, Vol. 22, No. 4, 2006, pp. 429–444.

7. N. Ye, X. Li, T. Farley, and X. Xu, "Job scheduling methods for reducing waiting time variance." Computers & Operations Research, Vol. 34, No. 10, 2007, pp. 3069–3083.

8. X. Xu and N. Ye, "Minimization of job waiting time variance on identical parallel machines." IEEE Transactions on Systems, Man, and Cybernetics, Part C, in press.

9. N. Ye, Z. Yang, Y.-C. Lai, and T. Farley, "Enhancing router QoS through job scheduling with weighted shortest processing time—adjusted." Computers & Operations Research, Vol. 32, No. 9, 2005, pp. 2255–2269.

10. N. Ye, E. Gel, X. Li, T. Farley, and Y.-C. Lai, "Web-server QoS models: Applying scheduling rules from production planning." Computers & Operations Research, Vol. 32, No. 5, 2005, pp. 1147–1164.

11. N. Ye, "Mining computer and network security data," in N. Ye (ed.), The Handbook of Data Mining. Mahwah, NJ: Lawrence Erlbaum Associates, 2003, pp. 617–636.

12. N. Ye, T. Farley, and D. Aswath, "Data measures and collection points to detect traffic changes on large-scale computer networks." Information, Knowledge, Systems Management, Vol. 4, No. 4, 2004, pp. 215–224.

13. N. Ye and T. Farley, "A scientific approach to cyberattack detection." IEEE Computer, Vol. 38, No. 11, 2005, pp. 55–61.

14. N. Ye, X. Li, Q. Chen, S. M. Emran, and M. Xu, "Probabilistic techniques for intrusion detection based on computer audit data." IEEE Transactions on Systems, Man, and Cybernetics, Vol. 31, No. 4, 2001, pp. 266–274.

15. N. Ye, J. Giordano, and J. Feldman, "A process control approach to cyber attack detection." Communications of the ACM, Vol. 44, No. 8, 2001, pp. 76–82.

16. S. M. Emran and N. Ye, "A system architecture for computer intrusion detection." Information, Knowledge, Systems Management, Vol. 2, No. 3, 2001, pp. 271–290.

17. Symantec Host IDS Implementation Guide, 1998–2003, ftp://ftp.symantec.com/public/english_us_canada/products/symantec_host_ids/4.1.1/manuals/symantec_host_ids_4.1.1_implementation.pdf.

18. X. Li and N. Ye, "A supervised clustering and classification algorithm for mining data with mixed variables." IEEE Transactions on Systems, Man, and Cybernetics, Part A, Vol. 36, No. 2, 2006, pp. 396–406.

19. X. Li and N. Ye, "A supervised clustering algorithm for mining normal and intrusive activity patterns in computer intrusion detection." Knowledge and Information Systems, Vol. 8, No. 4, 2005, pp. 498–509.

20. N. Ye and X. Li, "A scalable, incremental learning algorithm for classification problems." Computers & Industrial Engineering Journal, Vol. 43, No. 4, 2002, pp. 677–692.

21. X. Li and N. Ye, "Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection." Quality and Reliability Engineering International, Vol. 18, No. 3, 2002, pp. 231–242.

22. N. Ye, Q. Chen, and C. Borror, "EWMA forecast of normal system activity for computer intrusion detection." IEEE Transactions on Reliability, Vol. 53, No. 4, 2004, pp. 557–566.