Towards automated incident handling: how to select an appropriate response against a network-based attack?

Sven Ossenbühl, Jessica Steinberger, Harald Baier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

11 Citations (Scopus)
116 Downloads (Pure)

Abstract

The increasing number of network-based attacks has become one of the top concerns responsible for network infrastructure and service outages. To counteract these threats, computer networks are monitored to detect malicious traffic and initiate suitable reactions. However, initiating a suitable reaction is a process of selecting an appropriate response to the identified network-based attack. Selecting a response requires taking into account the economics of a reaction, e.g., risks and benefits. The literature describes several response selection models, but they are not widely adopted. In addition, these models and their evaluation are often not reproducible due to closed testing data. In this paper, we introduce a new response selection model, called REASSESS, that allows network-based attacks to be mitigated by incorporating an intuitive response selection process that evaluates negative and positive impacts associated with each countermeasure. We compare REASSESS with the response selection models of IE-IRS, ADEPTS, CS-IRS, and TVA and show that REASSESS is able to select the most appropriate response to an attack in consideration of the positive and negative impacts and thus reduces the effects caused by a network-based attack. Further, we show that REASSESS is aligned to the NIST incident life cycle. We expect REASSESS to help organizations select the most appropriate response measure against a detected network-based attack, and hence contribute to mitigating such attacks.
Original language: Undefined
Title of host publication: Proceedings of the 9th International Conference on IT Security Incident Management & IT Forensics (IMF 2015)
Place of Publication: USA
Publisher: IEEE Computer Society
Pages: 51-67
Number of pages: 17
ISBN (Print): 978-1-4799-9902-6
DOIs: https://doi.org/10.1109/IMF.2015.13
Publication status: Published - 18 May 2015

Publication series

Name
Publisher: IEEE Computer Society

Keywords

  • EWI-25483
  • METIS-312465
  • IR-96442

Cite this

Ossenbühl, S., Steinberger, J., & Baier, H. (2015). Towards automated incident handling: how to select an appropriate response against a network-based attack? In Proceedings of the 9th International Conference on IT Security Incident Management & IT Forensics (IMF 2015) (pp. 51-67). USA: IEEE Computer Society. https://doi.org/10.1109/IMF.2015.13