3rd International Conference Recent treads in Engineering and Technology (ICRET'2015) Sept. 2-3, 2015 Istanbul (Turkey)
Application of Case Based Reasoning in IT Security Incident Response

Wira Zanoramy A. Zakaria

Wira Zanoramy A. Zakaria is a Senior Analyst at Malaysia Computer Emergency Response Team (MyCERT), Cybersecurity Malaysia (e-mail: [email protected]).

Abstract—This research explores the possible utilization of the Case-based Reasoning (CBR) technique to realize a CBR system for the domain of cyber security incident handling and response. The proposed CBR system is intended to assist incident handlers, be they rookies or seniors, in responding to incidents. The CBR recommender system mimics the way an experienced incident handler responds to security incidents. This research investigates other related works on CBR in the area of cyber security. This work also researches the development of case storage and case representation for the domain of incident response.

Keywords—Case based reasoning, recommender system, intelligent system, incident response, CERT.

I. INTRODUCTION

A security incident is an adverse event that is done to bring damage to networks and computing resources. In other words, an incident is defined as an event that indicates harm, or an attempt to do harm, to computing systems. Some attackers break into the defences of an organization regardless of how good the implemented defence strategy is. The advancement in technology and the sophistication of cyber-attacks have contributed to the growing number of reported security incidents worldwide [1]. Based on the Malaysia CERT (MyCERT) yearly statistics, there were a total of 11918 reported incidents for the year 2014, an increase of 12% from the year 2013. Internet fraud, intrusion and spam remain the three highest reported cases to MyCERT. In 2014 alone, 67 spam emails containing malware were reported to us [2]. Besides that, there is also a rise in cyber harassment and ransomware cases from year to year. These reported incidents came from many entities, including individuals, companies, organizations and government agencies. With all these statistics presented, it is clear that, for any targeted organization, staying alive under cyber-attack is a very important task. The time to respond to attacks and incidents must be taken seriously in order to maintain the good image, stable operations and business activities of the organization. It is the job of Incident Handlers to make sure that the incident is properly identified and contained before significant damage takes place. In this research, a CBR system that is capable of recommending a procedure for handling a specific security incident is proposed. The input to this system is the information about the reported incident, and the output of the recommender system is a list of incident handling steps. This paper is further divided into the following sections: Section II describes the importance of information sharing between Incident Handlers. Section III discusses the motivations of this research. Section IV introduces the concepts behind the CBR methodology and the existing related works. Section V lays out the proposed system in this research, and finally Section VI describes the outcome of this research and possible future works.

II. THE IMPORTANCE OF INFORMATION SHARING AMONG INCIDENT HANDLERS

Security incident handling is an important task for any organization, and most importantly for CERT organizations. Hence, Incident Handlers, those IT security personnel who are experts in incident handling and response, are great assets at MyCERT. On a daily basis, they spend most of their time handling and responding to cyber security incidents reported by Malaysian individuals, private sectors, government agencies, security feeds, foreign security organizations and foreign CERTs. Besides that, MyCERT also responds to incidents reported by foreign security organizations [1]. MyCERT receives thousands of incident reports every year. The huge amount of incident reports received by MyCERT is a big challenge for the Incident Handlers to pick up and respond to as effectively as possible. This is the first reason why skill and information sharing is important between them. The second reason is the dynamic behaviour of the security threats themselves. In a covert manner at the underground level, cyber criminals are known to be very cooperative when it comes to sharing information about exploits and 0-days. They even have a sort of black market selling stolen sensitive records, exploit kits and malware templates. This shows that they have a very supportive and sharing nature among them. Furthermore, the attacker community devotes most of its resources to attacking and penetrating software and systems. In contrast, Incident Handlers, most of whom have other roles to fulfil within their organization, have limited resources to handle any incident in the shortest time possible. Due to this, in order to win, or at least to be on par in this never ending arms race, Incident Handlers are advised to share their experiences, best practices, skills and tricks with other Incident Handlers.
III. MOTIVATIONS

In the age of big data, where we have a huge amount of security incident tickets and feeds, there is a challenge for Incident Handlers, especially the rookies, to rapidly pick up the knowledge and basic skills in handling incidents. Furthermore, being human, even a highly skilled Incident Handler cannot avoid making a mistake. With the assistance of this type of AI system, we could reduce the issue to a minimum level. When experienced staff leave the company, they take with them valuable skills and years of experience in incident handling. Since a CBR system records every piece of domain experience in the form of cases, we can store the experience in a system that later reuses it as a training ground for rookie level Incident Handlers. Additionally, this kind of tool can also be used as a companion for Incident Handlers of any level, providing a line of reference while responding to incidents. Furthermore, assistance from this kind of system could reduce the time to respond to incidents, assist in auto-response when there is a lack of resources, promote automation in security incident response and also help Incident Handlers in the event of a cyber crisis. To overcome these shortcomings, there is a need for an intelligent system that can record and learn in the domain of security incident response and handling.

IV. CASE BASED REASONING

After the success of expert systems, Case-based reasoning (CBR) is another popular artificial intelligence (AI) technique for realizing an intelligent system. Expert systems are mostly known for utilizing human expert knowledge in the form of rules, while in CBR all recorded knowledge is in the form of experiences. CBR is a problem solving and learning technique that solves new problems by reusing past successful experiences [3]–[5]. CBR makes use of past experiences in order to understand and to solve new problems. Unlike an expert system, which reasons using knowledge and rules, a CBR system reasons and makes decisions through the use of past experiences. The basic idea behind the CBR methodology is that it mimics the process performed by the human mind every time it deals with a decision making situation. Humans use their memory to find similar past experiences and tweak the previous solution so that it fits the current problem at hand. In other words, the main principle behind CBR is the concept that similar problems have similar solutions [6], [7]. This sort of problem solving methodology is similar to the reasoning process commonly applied by humans in solving problems in real life. Human beings use their past memories in order to solve new problems or situations [7]. The remembering, reasoning and decision making process in humans is mimicked by representing it through the implementation of four CBR steps: Retrieve, Reuse, Revise and Retain. Fig. 1 shows the CBR cycle and the 4R steps. Listed below are the descriptions of the 4R steps in a CBR system.

RETRIEVE, from the case storage, a list of the most similar past cases based on the given problem description. All similar cases will be assigned a similarity score that shows which case is the most similar. The case that has the highest score will be selected.

REUSE the solution contained within the selected retrieved case in order to solve the described problem.

If needed, REVISE the proposed solution from the REUSE step.

RETAIN is the step where a new case is formed and added to the case storage. Every new problem solving experience will be treated as a new case and retained in the case storage for future problem solving. Through this step, it is said that the CBR system has learned a new problem solving experience, and this collection of experiences will keep growing from time to time.

Fig. 1 CBR cycle

CBR is suitable to be applied in domains where past cases are available. It is also applicable to domains that are not well understood, unstructured and ill-defined [8]. CBR has been proven to work in areas such as helpdesks, business, diagnosis, military control, classification, recommendation, prediction, gaming, learning, designing and planning systems [9], [10]. For this research, the CBR method is applicable because MyCERT receives and archives thousands of incidents on a yearly basis. All of the responded incident data are well kept for future reference. With this good repository of past reported incidents, it is easy for us to retrieve it and to transform the selected successful incident data into the form of cases.

V. CBR APPLICATIONS IN IT SECURITY

During the past years, there have been a few research works that implemented the CBR technique to solve problems in the domain of IT security. For instance, [11] successfully applied CBR in the domain of intrusion detection. On the other hand, [12] approached the issues in intrusion detection by applying swarm intelligence. Since spam or junk email is a serious problem in modern communication, [13] and [14] proved that CBR is suitable for handling the spam domain. Both works utilized the machine learning approach for building an email spam filter. [15] proposed the use of the CBR methodology for building an intelligent reasoner that can manage the deployment of low-interaction honeypots in the network. The research made full use of the rapid CBR development tool jCOLIBRI [16] to realize a CBR recommender system for the domain of honeypot configuration. The research produced a positive result in which the honeypot configured by the CBR system was successfully detected in the network. [17] proposed the use of the CBR method for detecting computer viruses. The case storage of the system is filled with virus signature cases. Each virus signature case contains the solution for that particular signature. So in the future, whenever the CBR system is queried with a new virus signature, the retrieval algorithm will search for the most similar virus signature cases that match the new signature [17].

VI. PROPOSED SYSTEM

In this research, we propose a CBR system for assisting Incident Handlers. The case base will contain past experiences of successful incident handling. The experiences are represented in the form of cases which can later be used by the CBR reasoner. Before the proposed CBR system can be developed, the tasks listed below need to be addressed.

A. Case Storage

For a decision support system, the program instructions refer to a database in order to make decisions, and this database usually stores lots of data in tables and columns. Meanwhile, in CBR, a case base is used. This case base or case storage keeps a list of past experiences in the form of cases that represent a specific domain [9]. The case base is populated by a collection of previous successful experiences represented in the form of cases [18]. A case is a contextual piece of information that describes a successful experience for a particular problem or situation in the past.

B. Case Representation

For this research, the cases are related to incident handling and response. In the CBR methodology, all recorded experiences are represented in the form of cases. A case is a knowledge model for a particular experience in a particular domain; it is a method for representing experiences. Basically, a case consists of two segments: problem and solution. Fig. 2 shows the diagram of a case's basic structure. The first segment contains the description of a problem or situation. In this research, the first segment of a case contains all the attributes that represent an incident description. The second segment contains the description of the solution for that particular problem. Thus, this segment contains the attributes that describe the action taken by the Incident Handler.

Fig. 2 Basic structure of a case: Case ID, Problem, Solution

These cases are retained and indexed inside the case storage. Thus, selecting the most suitable case representation approach for the cases and picking the right attributes to be included within the cases is a vital process. In this research, the cases contain past successful experiences of incident handlers. For the domain of incident response, there are twelve attributes contained in a case, including the Case ID attribute. The Case ID attribute assists in indexing the cases inside the case storage. It also acts as a referral value in order to retrieve and maintain the cases from time to time. These twelve attributes describe the past incident and its corresponding response made by the incident handler. Fig. 3 shows a conceptual structure of an incident response case.

Fig. 3 Attributes in an incident response case: Case ID; PROBLEM: INCIDENT DESCRIPTION (Time of incident, Incident category, Incident subcategory, Reported URL, Reported IP); SOLUTION: RESPONSE (Time of response, Type of action, Eradication Steps, Notification contacts, Notified entities, Advisory)
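The 4R cycle of Section IV applied to the incident response case of Fig. 3 and Table I, as an added example that is not part of the original paper: the `Case` class, `WEIGHTS`, `similarity`, `retrieve`, `reuse`, `retain` and the two stored cases are all constructed here, and the weighted attribute-matching score is an assumption, since the paper does not define its similarity measure.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Case:
    """One incident response case: PROBLEM attributes plus a SOLUTION segment (Fig. 3 / Table I)."""
    case_id: int
    time_of_incident: str        # kept as the Table I string, e.g. "20151019:0245"
    incident_category: str
    incident_subcategory: str
    reported_url: str
    reported_ip: str
    solution: dict = field(default_factory=dict)  # Type of action, Eradication Steps, Advisory, ...

# Assumed weights (the paper fixes no metric); time of incident is not compared at all.
WEIGHTS = {"incident_category": 3.0, "incident_subcategory": 2.0,
           "reported_url": 1.0, "reported_ip": 1.0}

def similarity(query: Case, case: Case) -> float:
    """Weighted matching in [0, 1]: URLs compare by hostname, other attributes exactly (case-insensitive)."""
    score = 0.0
    for attr, weight in WEIGHTS.items():
        q, c = getattr(query, attr), getattr(case, attr)
        if attr == "reported_url":
            q, c = urlsplit(q).hostname, urlsplit(c).hostname
        if q and c and q.lower() == c.lower():
            score += weight
    return score / sum(WEIGHTS.values())

def retrieve(case_base: list, query: Case, k: int = 3) -> list:
    """RETRIEVE: score every stored case against the query and rank (score, case) pairs, best first."""
    ranked = sorted(((similarity(query, c), c) for c in case_base), key=lambda p: p[0], reverse=True)
    return ranked[:k]

def reuse(query: Case, best: Case) -> Case:
    """REUSE: copy the best past case's SOLUTION onto the new case; the handler may REVISE it afterwards."""
    query.solution = dict(best.solution)
    return query

def retain(case_base: list, new_case: Case) -> int:
    """RETAIN: index the (possibly revised) case with a fresh Case ID and store it."""
    new_case.case_id = max((c.case_id for c in case_base), default=0) + 1
    case_base.append(new_case)
    return new_case.case_id

# Constructed case base: the first case mirrors the Table I sample row, the second is invented.
CASE_BASE = [
    Case(1137, "20151019:0245", "Online fraud", "Phishing", "http://domainname.com/xxx/yy", "x.x.x.x",
         {"Time of response": "201510190309", "Type of action": "Notify URL, bad IP",
          "Eradication Steps": "Shutdown the suspected phishing website", "Notification contacts":
          "ISP email address", "Notified entities": "ISP, complainant", "Advisory": "Refer to Doc13-2"}),
    Case(1138, "20151020:1100", "Intrusion", "Defacement", "http://example.org/index.html", "192.0.2.10",
         {"Type of action": "Notify site owner", "Eradication Steps": "Restore page, patch CMS"}),
]
```

A new phishing report on the same hostname scores 6/7 against case 1137 and 0 against the defacement case, so its response steps are proposed for reuse and, after any revision, retained under the next Case ID.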
Table I shows the attributes of the incident response case developed for the proposed system, their data types and sample values.

TABLE I LIST OF ATTRIBUTES, THEIR DATA TYPES AND SAMPLE VALUES

Attribute | Type | Sample value
Case ID | INTEGER | 1137
Time of incident | INTEGER | 20151019:0245
Incident category | STRING | Online fraud
Incident subcategory | STRING | Phishing
Reported URL | STRING | http://domainname.com/xxx/yy
Reported IP | STRING | x.x.x.x
Time of Response | INTEGER | 201510190309
Type of action | STRING | Notify URL, bad IP
Eradication Steps | STRING | Shutdown the suspected phishing website
Notification contacts | STRING | ISP email address
Notified entities | STRING | ISP, complainant
Advisory | STRING | Refer to Doc13-2

VII. CONCLUSION AND FUTURE WORK

In this research we proposed a CBR based intelligent recommender system that is able to reason and make decisions in the domain of security incident response. With enough cases and modifications in the 4R steps, this system could autonomously handle a large number of incidents in crisis situations. For future work, the proposed system will be implemented in a CBR development tool, for example jCOLIBRI or myCBR. The algorithms for case retrieval and case revision will be refined. The proposed system is planned to be tested with real incident data available at MyCERT.

REFERENCES

[1] Automating Big Data Analysis: Malaysia CERT Experience, Tokyo International Conference on Engineering and Applied Sciences 2014.
[2] MyCERT Incident Statistics, www.mycert.org.my/statistics/2015.php
[3] Aamodt, A., Plaza, E. (1994). Case-based reasoning: Foundational issues, methodological variations, and system approaches. Artificial Intelligence Communications, 7(1), 39–59.
[4] Kolodner, J. L., Leake, D. (1996). A tutorial introduction to case-based reasoning. In: Leake, D. (ed.) Case-Based Reasoning: Experiences, Lessons, and Future Directions, 31–65. AAAI Press/The MIT Press.
[5] Watson, I. (1999). Case-based reasoning is a methodology not a technology. Knowledge-Based Systems, 12(5–6), 303–308. doi:10.1016/S0950-7051(99)00020-9
[6] Fanoiki, T. O., Drummond, I., Sandri, S. (2010). Case-based reasoning retrieval and reuse using case resemblance hypergraphs. International Conference on Fuzzy Systems, 1–7. doi:10.1109/FUZZY.2010.5584854
[7] Carmona, M. A., Barbancho, J., Larios, D. F., León, C. (2013). Applying case based reasoning for prioritizing areas of business management. Expert Systems with Applications, 40(9), 3450–3458.
[8] Wang, C. S., Yang, H. L. (2012). A recommender mechanism based on case-based reasoning. Expert Systems with Applications, 39(4), 4335–4343.
[9] Tsai, C., Chiu, C., Chen, J. (2005). A case-based reasoning system for PCB defect prediction. Expert Systems with Applications, 28(4), 813–822.
[10] Recio-Garcia, J. A., Diaz-Agudo, B., Gonzalez-Calero, P. A. (2009). Boosting the performance of CBR applications with jCOLIBRI. 21st International Conference on Tools with Artificial Intelligence (ICTAI '09), 276–283, 2–4 Nov. 2009.
[11] Micarelli, A., Sansonetti, G. (2007). A case-based approach to anomaly intrusion detection, 434–448.
[12] Kolias, C., Kambourakis, G., Maragoudakis, M. (2011). Swarm intelligence in intrusion detection: A survey. Computers and Security, 30(8), 625–642. doi:10.1016/j.cose.2011.08.009
[13] Delany, S. J. (2006). Using case-based reasoning for spam filtering. Thesis.
[14] Alguliyev, R. (2012). Two approaches on implementation of CBR and CRM technologies to the spam filtering problem. Journal of Information Security, 3(1), 11–17. doi:10.4236/jis.2012.31002
[15] Zakaria, W. Z. A., Mat Kiah, M. L. (2014). Implementing a CBR recommender for dynamic honeypot using jCOLIBRI. 3rd International Conference on Computer Science and Computational Mathematics 2014, 8–9 May, Langkawi, Kedah, Malaysia.
[16] Atanassov, A., Antonov, L. (2012). Comparative analysis of case based reasoning software frameworks jCOLIBRI and myCBR. Journal of the University of Chemical Technology and Metallurgy, (1), 83–90.
[17] Berkat, A. (2011). Using case-based reasoning (CBR) for detecting computer virus. Journal of Computer Science, 8(4), 606–610.
[18] Mitra, R., Basak, J. (2005). Methods of case adaptation: A survey. International Journal of Intelligent Systems, 20(6), 627–645.