2015 17th UKSIM-AMSS International Conference on Modelling and Simulation
An Efficient Easy Computer Emergency Response Team Malware Reservoir System (eZCERT)

Madihah Mohd Saudi, Nurlida Basir, N. F. Nabila Farida Ridzuan, Sakinah Ali Pitchay
Faculty of Science and Technology (FST), Universiti Sains Islam Malaysia (USIM), Bandar Baru Nilai, Nilai, Malaysia
{madihah, nurlida, fatinfarida, sakinahali}@usim.edu.my

Abstract - Before conducting malware analysis, many researchers faced difficulties in cleaning up their datasets, and these processes took them a long time to complete because of two shortages: malware datasets that are free from noise and irrelevant data, and malware analysis skill. To overcome these problems, an efficient Easy Computer Emergency Response Team Malware Reservoir System (eZCERT) has been developed. It is a comprehensive and efficient malware incident handling system built around standard operating procedures (SOP) for malware incident handling, and it is also able to detect and respond to malware attacks. The novelty of the system lies in its integration of incident response, apoptosis, case-based reasoning (CBR) and Knowledge Data Discovery (KDD). The evaluation tests showed that the eZCERT achieved a better detection accuracy rate. The eZCERT can therefore serve as a baseline guideline for malware researchers when building malware datasets and carrying out malware analysis.

Keywords: malware analysis, standard operating procedures (SOP), Knowledge Data Discovery (KDD), dataset, case-based reasoning

[...]

...'s list of contacts and steal money from the victim's smartphone [ ]. A strategic and intelligent technique for countering such cyber threats is therefore the focus of this research paper. The objectives of this paper are, first, to investigate and evaluate existing systems related to malware analysis, detection and response; second, to develop a new system that analyses, detects and responds to malware attacks by integrating CBR with the apoptosis concept; and third, to evaluate the proposed system.

The eZCERT has been developed to counter malware issues by providing comprehensive standard operating procedures (SOP) for analysing malware datasets and for handling such threats. It is also able to detect and respond to malware attacks efficiently by using case-based reasoning (CBR) together with the apoptosis concept. CBR has been integrated so that the system is intelligent enough to find a solution for any malware incident without requiring updates. CBR is the most suitable technique for the eZCERT: its strength lies in its similarity and adaptation modules, compared with other techniques such as fuzzy logic. Apoptosis is a concept from the human immune system (HIS), where it is also known as programmed cell death; here it is mapped onto a network security perspective. Once a computer has been infected by a malware, it stops the worm from propagating further by disconnecting itself from the network. Apart from that, the system aims to educate users in handling malware incidents.

This paper is organised as follows. Section [ ] presents [...]
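The two mechanisms named above, a CBR similarity-and-adaptation loop and an apoptosis-style self-isolation step, can be sketched in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the paper or from the eZCERT system. Everything in it is assumed for the sake of the example: the Jaccard similarity over indicator sets, the constructed case base and indicator names, the 0.5 retrieval threshold, and the Host class whose apoptosis() method only flips a flag rather than touching a real network interface.

```python
"""Added example: a minimal case-based reasoning (CBR) incident handler with
an "apoptosis" response step. Retrieve -> Adapt -> Respond -> Retain is the
classic CBR cycle; the similarity measure, case base, indicators, threshold
and Host model below are constructed here and are not from the paper."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    name: str
    indicators: frozenset   # behavioural indicators seen in a past incident
    response: tuple         # ordered SOP steps that resolved it


@dataclass
class Host:
    hostname: str
    network_up: bool = True  # apoptosis flips this to False

    def apoptosis(self) -> None:
        """Self-isolate: the infected host cuts its own network link so a worm
        cannot propagate further (the paper's programmed-cell-death analogy).
        Simulated here; a real implementation would disable the interface."""
        self.network_up = False


# Constructed case base (hypothetical incidents, not real malware families).
CASE_BASE = [
    Case("mass-mailer worm",
         frozenset({"smtp_burst", "autorun_inf", "run_key_persistence"}),
         ("isolate_host", "kill_process", "remove_run_key", "rescan")),
    Case("network scanning worm",
         frozenset({"port_scan", "smb_connections", "run_key_persistence"}),
         ("isolate_host", "block_smb", "remove_run_key", "rescan")),
    Case("adware",
         frozenset({"browser_popups", "scheduled_task"}),
         ("remove_scheduled_task", "clean_browser")),
]

# Indicators that imply the sample is spreading, so isolation is mandatory.
PROPAGATION_INDICATORS = frozenset({"smtp_burst", "port_scan", "smb_connections"})
SIMILARITY_THRESHOLD = 0.5          # assumed cut-off for "a similar case exists"
UNKNOWN_RESPONSE = ("isolate_host", "collect_sample", "escalate_to_analyst")


def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity between two indicator sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def retrieve(observed: frozenset, case_base: list) -> tuple:
    """Similarity module: return (best_score, best_case) from the case base."""
    return max(((jaccard(observed, c.indicators), c) for c in case_base),
               key=lambda pair: pair[0])


def adapt(response: tuple, observed: frozenset, known: bool = True) -> tuple:
    """Adaptation module: fit the retrieved SOP to the new incident. Isolation
    is added when propagation is observed; for a known case without
    propagation it is dropped. Unknown cases keep the conservative default."""
    steps = list(response)
    spreading = bool(observed & PROPAGATION_INDICATORS)
    if spreading and "isolate_host" not in steps:
        steps.insert(0, "isolate_host")
    elif known and not spreading and "isolate_host" in steps:
        steps.remove("isolate_host")
    return tuple(steps)


def handle_incident(host: Host, observed: frozenset, case_base: list) -> dict:
    """One CBR cycle: retrieve, adapt, execute the apoptosis step, retain."""
    score, best = retrieve(observed, case_base)
    known = score >= SIMILARITY_THRESHOLD
    if known:
        matched, base_response = best.name, best.response
    else:  # nothing similar: default SOP, and the incident becomes a new case
        matched, base_response = "unknown", UNKNOWN_RESPONSE
    response = adapt(base_response, observed, known)
    if "isolate_host" in response:
        host.apoptosis()
    # Retain: the solved incident is stored so the next similar one matches.
    case_base.append(Case(f"{matched} variant", observed, response))
    return {"matched": matched, "score": round(score, 2),
            "response": response, "isolated": not host.network_up}


if __name__ == "__main__":
    base = list(CASE_BASE)
    print(handle_incident(Host("ws-01"),
          frozenset({"port_scan", "smb_connections", "run_key_persistence"}), base))
    print(handle_incident(Host("ws-02"), frozenset({"browser_popups"}), base))
    print(handle_incident(Host("ws-03"), frozenset({"dns_tunnel", "new_service"}), base))
```

The adaptation step is where CBR differs from a plain signature lookup: the retrieved adware SOP gains an isolation step when the same incident also shows SMTP bursts, and an incident with no similar case falls back to isolate-collect-escalate rather than to "no action". In a real deployment the apoptosis step has a cost worth planning for: a host that disconnects itself also stops sending telemetry, so volatile evidence should be captured before or as part of the isolation step.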
978-1-4799-8713-9/15 $31.00 © 2015 IEEE DOI 10.1109/UKSim.2015.88
II. RELATED WORKS

Much research has been conducted in the past few years on worm analysis, detection and response, as summarized in Table [ ]. Each of these works has its own strengths, and gaps that can be further improved. One field that lacks research and needs to be explored in depth is incident response. Incident response is defined as the process that aims to minimise the damage caused by security incidents and malfunctions. Improvements and novel standard operating procedures, particularly within the detection, analysis and disinfection phases, are seen as areas for potential research and exploration [ ]. Examples of work related to incident response have been carried out by [ ].
[...] worm incident and the need for a malware response system that could prevent the malware from propagating further once it has infected the computer. This is one of the precepts behind the formation of the eZCERT, where incident response is a part [...]
TABLE [ ]. SUMMARIZATION OF RELATED WORKS

Related Work | Malware Detection or Response Technique
Henchiri and Japkowicz [ ] | Developed a virus classifier using the n-gram method for virus analysis and detection
Tseng and Lin [ ] | Developed 'Variant Objects Discovering Knowledge Acquisition' (VODKA) for worm detection
Agosta et al. [ ] | Developed an adaptive end-host anomaly detector for worm detection
Moskovitch et al. (a) [ ] | Identified Bayesian network as the best algorithm for worm detection
Siddiqui et al. [ ] | Used the static features of a worm program for worm detection
Dai et al. [ ] | Incorporated dynamic instruction sequence mining techniques involving the runtime features of a worm program for worm detection
Stopel et al. [ ] | Used artificial neural networks (ANN) for worm detection
Kuriakose J. and Vinod P. [ ] | Used ranked linear discriminant analysis features for malware detection
Xiaojun Tong et al. [ ] | Analysed worms using leap style and creates new rules for worm detection
Connell et al. [ ] | [...]
[...] et al. [ ] | Proposed an incident response system based on a DSS framework which applied Recency, Frequency and Monetary (RFM) analysis methodology and case-based reasoning (CBR)
Liu et al. [ ] | Designed a system using an ontological approach and CBR
III. METHODOLOGY

[...]

REFERENCES

[ ] Henchiri O. and Japkowicz N., "A Feature Selection and Evaluation Scheme for Computer Virus Detection", Proc. of the Sixth International Conference on Data Mining, IEEE Xplore, pp. [ ].
[ ] Tseng S.S. and Lin S.C., "VODKA: Variant Objects Discovering Knowledge Acquisition", Expert Systems with Applications, Part [ ], pp. [ ].
[ ] Agosta J.M., Diuk-Wasser C., Chandrashekar J. and Lividas C., "An Adaptive Anomaly Detector For Worm Detection", Proc. 2nd USENIX Workshop on Tackling Computer Systems Problems with Machine Learning Techniques, S[...]
[ ] Moskovitch R., Stopel D., Feher C., Nissim N., Japkowicz N. and Elovici [...]
[ ] Stopel D., Moskovitch R., Boger Z., Shahar [...]
[ ] Connell A., Palko T. and [...]
[ ] Su Ming [...]
[ ] Goel S. and Gangolly J.S., "On Decision Support For Distributed Systems Protection: A Perspective Based On The Human Immune Response System And Epidemiology", International Journal of Information Management, pp. [ ].
[ ] Vasudevan A., "MalTRAK: Tracking and Eliminating Unknown Malware", Proc. of the Annual Computer Security Applications Conference, Anaheim, CA, December, IEEE Xplore, pp. [ ].
[ ] Kim H.K., Im K.H. and Park S.C., "DSS For Computer Security Incident Response Applying CBR And Collaborative Response", Expert Systems with Applications, pp. [ ]-[ ].
[ ] Liu P.H. [...]