
The Research On Decision Support System For Security Incident Response And Its Application

Posted on: 2012-12-02
Degree: Master
Type: Thesis
Country: China
Candidate: G Chen
GTID: 2218330368482133
Subject: Computer application technology
Abstract/Summary:
Recently, as hacking attempts have increased dramatically, most enterprises have been forced to deploy safeguards against them. A firewall or IPS (Intrusion Prevention System) selectively accepts incoming packets, and an IDS (Intrusion Detection System) detects attack attempts on the network. The latest firewalls work in cooperation with an IDS to respond immediately to hacking attempts. However, an IDS may raise false alarms that misjudge normal traffic as attack traffic, and blocking a legitimate IP address on the strength of such an alarm causes network problems. Acting on these false alarms, system administrators or CSOs make wrong decisions; important data may be exposed, or the availability of the network or server system may be exhausted. It is therefore important to minimize false alarms.

In response to these problems, this paper presents a decision support system framework for security incidents that protects the system in real time and can improve the security performance of the whole system. We first analyze the overall system structure and then the typical system modules. This structure is conducive to realizing the functions of the system and is highly practical. Through this framework, we can minimize abnormal situations, respond rapidly, reduce the impact of hacker attacks, and effectively improve the security of the system.

Using log files as the basis of analysis, this paper presents a security incident analysis principle for analyzing security incident logs, performing system anomaly detection according to the different log analysis techniques.

This paper uses RFM (Recency, Frequency, Monetary) analysis, applying a statistical process control chart to the last access time, frequency and cost recorded in the log files to derive an intuitive anomaly detection result and a misuse incident report, which effectively reduces false positives. In addition, in response to hacker attacks, we use CBR (Case-Based Reasoning) technology to find similarities between new types of hacker attacks and previously seen types. When the RFM analysis module finds an unknown virus or worm, the CBR-based decision support system finds the most similar case to match in the case database. System administrators can then easily access the repair methods and the information from previously handled incidents.
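The RFM-plus-control-chart part of the abstract, as an added worked example (not code from the thesis): per-client recency, frequency and monetary (bytes served) features are computed from access-log lines, Shewhart-style limits (mean plus or minus 3 sigma) are estimated from a baseline hour that is assumed to be normal traffic, and the monitored hour is checked against those limits. The log format, host addresses and traffic figures are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
DAY = "2012-11-01"  # date of the constructed log

def make_log(spec):
    # Build constructed log lines "<ISO time> <client ip> <bytes>" from
    # (ip, first request HH:MM, request count, interval seconds, bytes per request)
    lines = []
    for ip, start, count, step, nbytes in spec:
        t0 = datetime.fromisoformat(f"{DAY}T{start}:00")
        lines += [f"{(t0 + timedelta(seconds=i * step)).isoformat()} {ip} {nbytes}"
                  for i in range(count)]
    return lines

# Baseline hour of assumed-normal traffic, used to estimate control limits (SPC phase I)
BASELINE = make_log([("10.0.0.1", "09:05", 3, 900, 600), ("10.0.0.2", "09:10", 4, 720, 550),
                     ("10.0.0.3", "09:02", 3, 1200, 700), ("10.0.0.4", "09:15", 2, 1800, 1100),
                     ("10.0.0.5", "09:25", 3, 900, 650)])
# Monitored hour: the same kind of traffic plus one request flood and one oversized transfer
CURRENT = make_log([("10.0.0.1", "10:10", 3, 900, 600), ("10.0.0.2", "10:05", 3, 1200, 700),
                    ("10.0.0.3", "10:12", 2, 1800, 900), ("10.0.0.7", "10:20", 2, 1200, 2_500_000),
                    ("10.0.0.9", "10:55", 40, 5, 50)])

def rfm(lines, now):
    # Per-client RFM: recency = seconds since last request, frequency = request count,
    # monetary = total bytes served (the "cost" of that client's activity)
    hits = defaultdict(list)
    for line in lines:
        ts, ip, nbytes = line.split()
        hits[ip].append((datetime.fromisoformat(ts), int(nbytes)))
    return {ip: {"recency": (now - max(t for t, _ in h)).total_seconds(),
                 "frequency": len(h), "monetary": sum(b for _, b in h)} for ip, h in hits.items()}

def control_limits(baseline, k=3.0):
    # Shewhart-style limits per metric: baseline mean +/- k sigma (population std dev)
    limits = {}
    for metric in ("recency", "frequency", "monetary"):
        vals = [f[metric] for f in baseline.values()]
        limits[metric] = (mean(vals) - k * pstdev(vals), mean(vals) + k * pstdev(vals))
    return limits

def detect(current, limits):
    # {ip: [metrics outside the control limits]}: the hosts an analyst should review first
    out = {ip: [m for m, (lo, hi) in limits.items() if not lo <= f[m] <= hi] for ip, f in current.items()}
    return {ip: ms for ip, ms in out.items() if ms}

def run():
    limits = control_limits(rfm(BASELINE, datetime.fromisoformat(f"{DAY}T10:00:00")))
    return detect(rfm(CURRENT, datetime.fromisoformat(f"{DAY}T11:00:00")), limits)
```

Estimating the limits from a separate baseline matters: with only a handful of hosts in one window, a single outlier inflates the standard deviation enough that a mean-plus-3-sigma limit computed on that same window can never flag it.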
Keywords/Search Tags: DSS, Intrusion Detection, CBR