This item is licensed Korea Open Government License
dc.contributor.author
이행곤
dc.contributor.author
송중석
dc.contributor.author
최상수
dc.date.accessioned
2019-08-28T07:41:27Z
dc.date.available
2019-08-28T07:41:27Z
dc.date.issued
2013-07-01
dc.identifier.issn
0916-8516
dc.identifier.uri
https://repository.kisti.re.kr/handle/10580/14239
dc.description.abstract
In order to cope with the continuous evolution in cyber threats, many security products (e.g., IDS/IPS, TMS, Firewalls) are being deployed in the network of organizations, but it is not so easy to monitor and analyze the security events triggered by the security products constantly and effectively. Thus, in many cases, real-time incident analysis and response activities for each organization are assigned to an external dedicated security center. However, since the external security center deploys its security appliances to only the boundary or the single point of the network, it is very difficult to understand the entire network situation and respond to security incidents rapidly and accurately if they depend on only a single type of security information. In addition, security appliances trigger an unmanageable amount of alerts (in fact, by some estimates, several thousands of alerts are raised everyday, and about 99% of them are false positives), this situation makes it difficult for the analyst to investigate all of them and to identify which alerts are more serious and which are not. In this paper, therefore, we propose an advanced incident response methodology to overcome the limitations of the existing incident response scheme. The main idea of our methodology is to utilize polymorphic security events which can be easily obtained from the security appliances deployed in each organization, and to subject them to correlation analysis. We evaluate the proposed methodology using diverse types of real security information and the results show the effectiveness and superiority of the proposed incident response methodology.
dc.language
eng
dc.relation.ispartofseries
IEICE transactions on communications
dc.title
An Advanced Incident Response Methodology Based on Correlation Analysis of Polymorphic Security Events