The Research And Implementation Of Incident Response Information System

Posted on: 2006-08-15  Degree: Master  Type: Thesis
Country: China  Candidate: Z Y Chen  Full Text: PDF
GTID: 2178360212482699  Subject: Computer system architecture
Abstract/Summary:
With the continuous development of Internet technology, the number of Internet applications keeps growing, and the number of network security incidents is rising as well, with ever more serious impact and loss. Responding to security incidents is an essential part of a network security architecture, and international research and services in this field have been developing for more than ten years. Although the field is relatively new to China, it has caught the attention of government, education and academic institutions, and industry. This thesis studies and designs an Incident Response Information System based on the requirements of the Cernet Eastern China (North) Network Center.

Security incident response involves many actions. Although most of them are direct responses to incidents, they also concern the preparation for handling incidents and how to make people work more efficiently, so incident response regulation became the first research topic. Irregular response actions may cause more serious loss than the incidents themselves, so it is very important to adopt a systematic, reasonable and pre-defined process for handling security incidents. The incident response procedure is an important part of the Incident Response Information System. This thesis puts forward a set of incident response procedures that fit the requirements of the Cernet Eastern China (North) Network Center, based on the overall framework of the PDCERF six-phase incident response procedure (the most authoritative one in the world), the pre-defined security policies, and the practice of NJCERT at the Cernet Eastern China (North) Network Center. Through the incident response regulation we gain detailed knowledge of the work before, during and after the response process, and it guides the people involved in responding to security incidents in an orderly way. Which response actions, then, are the most suitable ones in the response process?

The second research topic is therefore response decision. The response decision algorithm makes decisions for reported security incidents and builds response proposals; administrators then handle the incidents according to those proposals. This thesis presents a Response Decision Model based on classification and Wenke Lee's cost-sensitive model, integrates several uncertain factors into the response decision process, such as incident alert confidence, the security state of the attacked objects, and feedback on response benefit, and puts forward an optimized classification-based response decision algorithm. The algorithm weighs the harm of incidents, the cost of response and the feedback on response effect, and selects the best solution from this overall consideration. Because response effect feeds back into response decision, the agility and adaptability of response decision are greatly enhanced. Three classes of cost are considered: residue damage cost, response operation cost and response negative cost. This thesis offers a concrete quantification method for residue damage cost and converts the quantification of the other two costs into damage cost, so that the quantification of all three classes of cost is unified. The immunity judgment filter function of response decision combines the security state of incidents with that of the attacked objects and filters out security incidents to which the attacked objects are totally immune, which reduces the side effect of the IDS neglecting the concrete features of the attacked object when detecting security incidents. Including incident alert confidence in response decision reduces this side effect too. This thesis implements the proposed response decision algorithm in the Incident Response Information System.

The analysis shows that this algorithm considers various factors and can judge the immunity and cost of incidents to produce a response benefit ranking of all feasible response actions for the security incidents that need response, in order to select the best-fit response actions. The produced response proposal is specific to the attacked objects, adapts easily to changes in the environment, and can readily be extended with new response actions. The tests show that the response decision algorithm reached the expected results in both functions and capabilities. At the end of the thesis we look ahead to future research on incident response information systems, pointing out that finding detailed, feasible response regulations is key to response actions, and that expert system technology and compound attack recognition and early warning could be applied in the response decision-making process.
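A toy version of the response decision step described above (immunity filter, confidence-weighted benefit over the three cost classes, best-fit selection, and feedback of observed effect), added here as an illustration and not code from the thesis. The abstract gives no formulas, so the cost units, the linear residue-damage model, the benefit formula and the feedback blending rule are all assumptions, and the sample incident, hosts and actions are constructed.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    confidence: float      # IDS alert confidence, 0..1
    damage: float          # damage cost if left unhandled (abstract units)
    requires: frozenset    # target properties the attack depends on

@dataclass
class Response:
    name: str
    op_cost: float         # response operation cost, in damage units (assumed)
    neg_cost: float        # response negative cost, e.g. lost service (assumed)
    mitigation: float      # fraction of damage the action removes, 0..1
    feedback: float = 1.0  # observed-effect multiplier, updated after use

def is_immune(incident, exposed):
    """Immunity filter: the attacked object lacks what the attack needs."""
    return not incident.requires <= exposed

def residue_damage(incident, response):
    """Residue damage cost: damage left after the response takes effect."""
    return incident.damage * (1.0 - response.mitigation * response.feedback)

def response_benefit(incident, response):
    """Confidence-weighted damage averted minus both response costs."""
    averted = incident.confidence * (incident.damage - residue_damage(incident, response))
    return averted - response.op_cost - response.neg_cost

def decide(incident, exposed, responses):
    """Best action plus the full benefit ranking; (None, []) if the target is immune."""
    if is_immune(incident, exposed):
        return None, []
    ranked = sorted(responses, key=lambda r: response_benefit(incident, r), reverse=True)
    return ranked[0], [(r.name, round(response_benefit(incident, r), 2)) for r in ranked]

def update_feedback(response, observed_mitigation, rate=0.5):
    """Blend the observed effect into the action's multiplier (assumed rule)."""
    if response.mitigation > 0:
        ratio = observed_mitigation / response.mitigation
        response.feedback = (1 - rate) * response.feedback + rate * ratio
    return response.feedback

# Constructed sample data, not taken from the thesis.
INCIDENT = Incident(0.8, 100.0, frozenset({"smb"}))
EXPOSED_HOST = frozenset({"smb", "http"})   # vulnerable service present
IMMUNE_HOST = frozenset({"http"})           # alert fires, but no smb here
RESPONSES = [Response("ignore", 0.0, 0.0, 0.0),
             Response("block-port", 5.0, 10.0, 0.9),
             Response("isolate-host", 20.0, 40.0, 1.0)]
```

With these numbers decide(INCIDENT, EXPOSED_HOST, RESPONSES) ranks block-port first, while the same alert against IMMUNE_HOST is dropped by the immunity filter before any cost is computed.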
Keywords/Search Tags: security incident, incident response, incident response information system, cost, response benefit, response decision