Situational Awareness in Computer Network Defense
Latest Publications

Total documents: 19 (five years: 0)
H-index: 3 (five years: 0)

Published by IGI Global
ISBN: 9781466601048, 9781466601055

Author(s): Khidir Mohamed Ali, Thomas Owens

As a starting point for the development of a common visualization of the forensics process by the members of an investigating team, this chapter provides algorithms that give guidance and step-by-step instructions on how to deal with computer forensics and the investigations they carry out. A general introductory overview of computer forensics is provided, and the framework of a forensic investigation is summarized. On the basis of this framework, three algorithms are provided, one for each phase of a forensic investigation, which cover the different aspects of computer forensics and address key elements to be considered when attacked systems are investigated.


Author(s): Subrata Acharya

The continuous growth in the Internet’s size, the amount of data traffic, and the complexity of processing this traffic give rise to new challenges in building high-performance network devices. Such exponential growth, coupled with the increasing sophistication of attacks, is placing stringent demands on the performance of network Information Systems. These challenges require new designs, architectures, and algorithms for raising situational awareness and, hence, providing performance improvements on current network devices and cyber systems. In this research, the author focuses on the design of architecture and algorithms for the optimization of network defense systems, specifically firewalls, to aid not only adaptive and real-time packet filtering but also fast content-based routing (differentiated services) for today’s data-driven networks.


Author(s): Varun Dutt, Cleotilde Gonzalez

In a corporate network, the situation awareness (SA) of a security analyst is of particular interest. The current work describes a cognitive Instance-Based Learning (IBL) model of an analyst’s recognition and comprehension processes in a cyber-attack scenario. The IBL model first recognizes network events based upon the events’ situation attributes and their similarity to past experiences (instances) stored in the model’s memory. Then, the model comprehends a sequence of observed events as being a cyber-attack or not, based upon the instances retrieved from its memory, the similarity mechanism used, and the model’s risk tolerance. The execution of the model generates predictions about the recognition and comprehension processes of an analyst during a cyber-attack. A security analyst’s decisions in the model are evaluated based upon two cyber-SA metrics: accuracy and timeliness. The chapter highlights the potential of this research for the design of training and decision-support tools for security analysts.


Author(s): Cyril Onwubiko

Operators need situational awareness (SA) of their organisation’s computer networks and Information Systems in order to identify threats, estimate the impact of attacks, evaluate risks, understand situations, and make sound decisions swiftly and accurately on what to protect against and how to address incidents that may impact valued assets. Enterprise computer networks are often huge and complex, spanning several WANs and supporting a number of distributed services. Understanding situations in such dynamic and complex networks is time-consuming and challenging. Operators’ SA is enhanced in a number of ways, one of which is through the use of situation-aware systems and technology. Designing situation-aware systems for computer network defence (CND) is difficult without understanding the basic situational awareness design requirements of network applications and systems. Thus, this chapter investigates pertinent features that are foundational, essential, and beneficial for designing situation-aware systems, software, and network applications for CND.


Author(s): Janne Merete Hagen

The chapter gives an overview of business practices and of how people and human relations influence situational awareness and information security in an organization. There is still a long way to go in training employees in information security and improving employees’ information security awareness. Motivated and trained employees have the ability to detect and report security weaknesses and breaches, including near-miss incidents, and in this way they may provide a valuable defense-in-depth capability that is often lacking. The chapter discusses two approaches to overcoming the barriers to building situational awareness, as promulgated in general deterrence theory and socio-technical theory.


Author(s): Cyril Onwubiko, Thomas Owens

The importance of situational awareness to air traffic control, and hence to the safety and security of aircraft, is evident, demonstrable, and has been hugely significant. The main purpose of this book is to convey an understanding of the impact of situational awareness on the design of the next generation of computer systems, network architectures, and platform infrastructures. The book achieves its purpose by presenting principles, methods, and applications of situational awareness for computer network defense; in doing so, it makes clear the benefits situational awareness can provide for information security, computer security, and computer network defense. This book contributes to cross-disciplinary discussion among researchers, academia, and practitioners who are engaged objectively in sharing, contributing, and showcasing how situational awareness can be adapted to computer systems, network infrastructure designs, and architecture patterns. The goal of this chapter is to explain situational awareness for computer network defense from the point of view of its most basic foundations, as a springboard to discuss how situational awareness can be relevant to computer network defense, whose operations and environment are similar to air traffic control, where the application of situational awareness has been hugely successful.


Author(s): Ciza Thomas, N. Balakrishnan

Intrusion Detection Systems form an important component of network defense. Because of the heterogeneity of attacks, it has not been possible to build a single Intrusion Detection System capable of detecting all types of attacks with acceptable levels of accuracy. In this chapter, the distinct advantage of sensor fusion over individual IDSs is proved. The detection rate and the false positive rate quantify the performance benefit obtained through the fixing of threshold bounds. Also, the more independent and distinct the attack space is for the individual IDSs, the better the fusion of Intrusion Detection Systems performs. A simple theoretical model is illustrated first and later supplemented with experimental evaluation. The chapter demonstrates that the proposed fusion technique is more flexible than, and also outperforms, other existing fusion techniques such as OR, AND, SVM, and ANN, using real-world network traffic embedded with attacks.


Author(s): Uri Blumenthal, Joshua Haines, William Streilein, Gerald O’Leary

Situational awareness, the perception of “what is going on”, is crucial in every field of human endeavor, and especially so in the cyber world, where most of the protections afforded by physical time and distance are taken away. Since ancient times, military science has emphasized the importance of preserving your awareness of the battlefield while at the same time preventing your adversary from learning the true situation for as long as possible. Today cyber is officially recognized as a contested military domain like air, land, and sea. Therefore situational awareness in computer networks will come under attacks of military strength and will require military-grade protection. This chapter describes the emerging threats to computer SA and the potential avenues of defense against them.


Author(s): Eric McMillan, Michael Tyworth

In this chapter the authors present a new framework for the study of situation awareness in computer network defense (cyber-SA). While immensely valuable, the research to date on cyber-SA has overemphasized an algorithmic level of analysis to the exclusion of the human actor. Since situation awareness, and therefore cyber-SA, is a human cognitive process and state, it is essential that future cyber-SA research account for the human in the loop. To that end, the framework in this chapter presents a basis for examining cyber-SA at the cognitive, system, work, and enterprise levels of analysis. In describing the framework, the authors present examples of research that are emblematic of each level of analysis.


Author(s): Ciza Thomas, N. Balakrishnan

This chapter explores the general problem of attacks that are poorly detected by Intrusion Detection Systems. The poorly detected attacks are characterized by features that do not discriminate them well from normal traffic. The poor performance of the detectors has been improved by discriminative training of anomaly detectors and by incorporating additional rules into the misuse detector. This chapter proposes a new machine learning approach in which the corresponding learning problem is characterized by a number of features. It discusses the improved performance of multiple Intrusion Detection Systems obtained using Data-dependent Decision fusion. The Data-dependent Decision fusion approach gathers an in-depth understanding of the input traffic and of the behavior of the individual Intrusion Detection Systems by means of a neural network learner unit. This information is used to fine-tune the fusion unit, since the fusion depends on the input feature vector; thus the fusion implements a function that is local to each region in the feature space. It is well known that the effectiveness of sensor fusion improves when the individual IDSs are uncorrelated, and the training methodology adopted in this work takes note of this fact. For illustrative purposes, the DARPA 1999 data set has been used. Data-dependent Decision fusion shows significantly better performance than the individual Intrusion Detection Systems.