
Showing papers by "Hiroki Takakura published in 2018"


Journal ArticleDOI
14 Dec 2018
TL;DR: The SPINZ system analyzes internal-network flows and outputs an incident zone, which is composed of devices related to the incident. It is confirmed that the SPINZ system can detect an incident zone, but removing unrelated devices from an incident zone is an issue requiring further investigation.
Abstract: Organizations introducing computer and network systems need to quickly and accurately respond to information security incidents to counter intense cyber attacks. However, computer security incident response teams (CSIRTs) in organizations receive a large amount of alerts and logs that they have to investigate. Such a situation increases incident handling time. Our previous research revealed that the triage process in incident handling failed in many incident cases. In our consideration, the triage process lacks the ability to assess overall risks to modern cyber attacks. Zoning of local area networks by measuring internal-network traffic in response to such risks is important. Therefore, we propose the SPeculating INcident Zone (SPINZ) system for supporting the triage process. The SPINZ system analyzes internal-network flows and outputs an incident zone, which is composed of devices related to the incident. We evaluated the performance of the SPINZ system through simulations using two incident-flow datasets generated from two types of internal-network datasets and malicious-activity flows generated from legitimate commands. We confirm that the SPINZ system can detect an incident zone, but removing unrelated devices from an incident zone is an issue requiring further investigation.

1 citation


Proceedings ArticleDOI
07 Aug 2018
TL;DR: A SPeculating INcident Zone (SPINZ) system for supporting the triage process that analyzes internal network flows and outputs an incident zone, which is composed of devices related to the incident.
Abstract: The triage process in incident handling lacks the ability to assess overall risks to modern cyber attacks. Zoning of local area networks by measuring internal network traffic in response to such risks is important. Therefore, we propose a SPeculating INcident Zone (SPINZ) system for supporting the triage process. The SPINZ analyzes internal network flows and outputs an incident zone, which is composed of devices related to the incident. We evaluate the performance of the SPINZ through simulations using incident flow datasets generated from internal traffic open data and lateral movement traffic. As a result, we confirm that the SPINZ has the capability to detect an incident zone, but removing unrelated devices from an incident zone is an issue to be further investigated.
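Both abstracts describe the same idea at a high level: take internal-network flow records, start from the device that raised the alert, and emit the set of devices related to the incident, while noting that unrelated devices end up in the zone. The example below is an added illustration of that idea, not the SPINZ implementation or any code from the papers. It assumes flows are (timestamp, src, dst, dport) records, that "related" can be approximated by time-ordered reachability from the alerted seed (a device only propagates after the zone has reached it), and that shared services contacted by many distinct clients are the main source of unrelated devices. The flow records, addresses, port set and the hub-pruning threshold are all constructed for the example.

```python
"""Illustrative incident-zone speculation over internal-network flow records.

Hypothetical example, not the SPINZ implementation: it models "analyse internal
flows, output the devices related to an incident" as time-ordered reachability
from an alerted seed device, and shows why a shared service (here a DNS server)
is swept into the zone and how a simple fan-in heuristic can remove it.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # timestamp in seconds (constructed values)
    src: str     # source device address
    dst: str     # destination device address
    dport: int   # destination port


# Constructed sample flows; not taken from any dataset used in the papers.
SAMPLE_FLOWS = [
    Flow(95,  "10.0.0.7", "10.0.0.20", 445),   # .7 -> .20 BEFORE .7 is reached: unrelated
    Flow(100, "10.0.0.5", "10.0.0.53", 53),    # DNS queries from several hosts
    Flow(101, "10.0.0.7", "10.0.0.53", 53),
    Flow(102, "10.0.0.9", "10.0.0.53", 53),
    Flow(105, "10.0.0.5", "10.0.0.53", 53),
    Flow(110, "10.0.0.5", "10.0.0.7", 445),    # SMB from the alerted host to a peer
    Flow(120, "10.0.0.7", "10.0.0.8", 3389),   # RDP hop onward
    Flow(130, "10.0.0.8", "10.0.0.12", 22),    # SSH hop
    Flow(500, "10.0.0.9", "10.0.0.7", 445),    # outside the incident window
]

# Assumed set of service ports typically used for lateral movement.
LATERAL_PORTS = {22, 445, 3389, 5985}


def speculate_zone(flows, seed, start, end, lateral_ports=None):
    """Devices reachable from `seed` through flows in [start, end], in time order.

    A device joins the zone only when a flow whose source is already in the
    zone reaches it, so contact that happened before the source was reached
    does not propagate. If `lateral_ports` is given, only flows to those
    ports are followed.
    """
    zone = {seed}
    for f in sorted(flows, key=lambda f: f.ts):
        if not start <= f.ts <= end:
            continue
        if lateral_ports is not None and f.dport not in lateral_ports:
            continue
        if f.src in zone:
            zone.add(f.dst)
    return zone


def prune_hubs(flows, zone, seed, start, end, min_sources=3):
    """Drop zone members that look like shared services rather than victims.

    Heuristic for the open problem named in the abstracts (removing unrelated
    devices): a destination contacted by at least `min_sources` distinct
    source devices in the window is treated as a hub and removed. The seed
    is never removed.
    """
    sources = defaultdict(set)
    for f in flows:
        if start <= f.ts <= end:
            sources[f.dst].add(f.src)
    return {d for d in zone if d == seed or len(sources[d]) < min_sources}


if __name__ == "__main__":
    seed = "10.0.0.5"  # device that raised the alert
    raw = speculate_zone(SAMPLE_FLOWS, seed, 90, 200)
    print("raw zone:", sorted(raw))  # includes the DNS server 10.0.0.53
    print("after hub pruning:", sorted(prune_hubs(SAMPLE_FLOWS, raw, seed, 90, 200)))
    print("lateral ports only:",
          sorted(speculate_zone(SAMPLE_FLOWS, seed, 90, 200, LATERAL_PORTS)))
```

The unfiltered run pulls in 10.0.0.53 because the seed queried it, which is exactly the kind of unrelated device the abstracts say still needs to be removed; restricting to lateral-movement ports or pruning high fan-in destinations both drop it here, but each is a heuristic that can also discard a genuinely compromised file or jump server, so the pruned devices should be kept as a separate list for the analyst rather than silently discarded.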