Abstract—This research explores the use of the Case-based Reasoning (CBR) technique to build a CBR system for the domain of cyber security incident handling and response. The proposed CBR system is intended to assist incident handlers, rookies and seniors alike, in responding to incidents. The CBR recommender system mimics the way an experienced incident handler responds to security incidents. This research surveys related work on CBR in the area of cyber security, and also examines the design of case storage and case representation for the domain of incident response.
Keywords—Case-based reasoning, recommender system, intelligent system, incident response, CERT.
I. INTRODUCTION
A security incident is an adverse event intended to damage networks and computing resources; in other words, an event that indicates harm, or an attempt to do harm, to computing systems. Some attackers break through an organization's defences regardless of how well its defence strategy has been implemented. Advances in technology and the growing sophistication of cyber-attacks have contributed to the rising number of reported security incidents worldwide [1].
According to the yearly statistics of the Malaysia Computer Emergency Response Team (MyCERT), a total of 11,918 incidents were reported in 2014, an increase of 12% over 2013. Internet fraud, intrusion and spam remain the three most reported categories. In 2014 alone, 67 spam emails containing malware were reported to MyCERT [2]. Cyber harassment and ransomware cases are also rising from year to year. The reported incidents came from many entities, including individuals, companies, organizations and government agencies.
Given these statistics, it is clear that surviving a cyber-attack is a critical task for any targeted organization. The time taken to respond to attacks and incidents must be taken seriously in order to preserve the organization's reputation, stable operations and business activities. It is the job of Incident Handlers to make sure that an incident is properly identified and contained before significant damage takes place.
Wira Zanoramy A. Zakaria is a Senior Analyst at Malaysia Computer Emergency Response Team (MyCERT), Cybersecurity Malaysia (e-mail: wira@cybersecurity.my).
In this research, a CBR system capable of recommending a procedure for handling a specific security incident is proposed. The input to the system is the information about the reported incident; the output of the recommender system is a list of incident handling steps. The rest of this paper is organized as follows: Section II describes the importance of information sharing between Incident Handlers. Section III discusses the motivations of this research. Section IV introduces the concepts behind the CBR methodology, and Section V reviews existing CBR applications in IT security. Section VI lays out the proposed system, and Section VII describes the outcome of this research and possible future work.
II. THE IMPORTANCE OF INFORMATION SHARING AMONG INCIDENT HANDLERS
Security incident handling is an important task for any organization, and most of all for CERT organizations. Hence, Incident Handlers, the IT security personnel who are experts in incident handling and response, are great assets at MyCERT. On a daily basis, they spend most of their time handling and responding to cyber security incidents reported by Malaysian individuals, the private sector, government agencies, security feeds, foreign security organizations and foreign CERTs [1].
MyCERT receives thousands of incident reports every year. The sheer volume of reports is a major challenge for the Incident Handlers, who must pick up and respond to each one as effectively as possible. This is the first reason why skill and information sharing among them is important.
The second reason is the dynamic behaviour of the security threats themselves. Covertly, at the underground level, cyber criminals are known to be very cooperative when it comes to sharing information about exploits and 0-days. They even run black markets selling stolen sensitive records, exploit kits and malware templates, which shows how supportive and sharing their community is. Furthermore, the attacker community devotes most of its resources to attacking and penetrating software and systems. In contrast, most Incident Handlers have other roles to fulfil within their organization, and therefore have limited resources to handle any incident in the shortest time possible. Consequently, in order to win, or at least to keep pace in this never-ending arms race, Incident Handlers are advised to share their experiences, best practices, skills and tricks with other Incident Handlers.
Application of Case Based Reasoning in IT Security Incident Response
Wira Zanoramy A. Zakaria
3rd International Conference on Recent Trends in Engineering and Technology (ICRET'2015), Sept. 2-3, 2015, Istanbul (Turkey)
III. MOTIVATIONS
In the age of big data, with an enormous volume of security incident tickets and feeds, it is a challenge for Incident Handlers, especially rookies, to rapidly pick up the knowledge and basic skills of incident handling. Furthermore, being human, even a highly skilled Incident Handler cannot avoid making mistakes. With the assistance of this type of AI system, the problem could be kept to a minimum. When experienced staff leave the company, they take with them valuable skills and years of incident handling experience. Since a CBR system records every piece of domain experience in the form of cases, that experience can be stored in a system and later reused as a training ground for rookie Incident Handlers.
Additionally, this kind of tool can serve as a companion for Incident Handlers of any level, providing a line of reference while responding to incidents. Such a system could also reduce the time to respond to incidents, assist in auto-response when resources are lacking, promote automation in security incident response, and help Incident Handlers in the event of a cyber crisis. To overcome these shortcomings, there is a need for an intelligent system that can record and learn in the domain of security incident response and handling.
IV. CASE BASED REASONING
After the success of expert systems, case-based reasoning (CBR) became another popular artificial intelligence (AI) technique for realizing intelligent systems. Expert systems are best known for encoding human expert knowledge in the form of rules, whereas in CBR all recorded knowledge takes the form of experiences. CBR is a problem solving and learning technique that solves new problems by reusing past successful experiences [3]–[5]. Unlike an expert system, which reasons using knowledge and rules, a CBR system reasons and makes decisions through the use of past experiences.
The basic idea behind the CBR methodology is that it mimics the process carried out by the human mind whenever a decision has to be made: a person searches memory for similar past experiences and tweaks the previous solution so that it fits the problem at hand. In other words, the main principle behind CBR is that similar problems have similar solutions [6], [7]. This problem solving methodology resembles the reasoning process humans commonly apply in real life, where past memories are used to solve new problems or situations [7]. The human processes of remembering, reasoning and deciding are mimicked by the four CBR steps: Retrieve, Reuse, Revise and Retain. Fig. 1 shows the CBR cycle and the 4R steps, which are described below.
RETRIEVE, from the case storage, a list of the past cases most similar to the given problem description. Each candidate case is assigned a similarity score showing how closely it matches; the case with the highest score is selected.
REUSE the solution contained in the selected case in order to solve the described problem.
If needed, REVISE the solution proposed in the REUSE step.
RETAIN: a new case is formed and added to the case storage. Every new problem solving experience is treated as a new case and retained in the case storage for future problem solving. Through this step the CBR system is said to have learned a new problem solving experience, and the collection of experiences keeps growing over time.
CBR is suitable for domains where past cases are available. It is also applicable to domains that are not well understood, unstructured or ill-defined [8]. CBR has been proven to work in areas such as helpdesks, business, diagnosis, military control, classification, recommendation, prediction, gaming, learning, design and planning systems [9], [10]. For this research, the CBR method is applicable because MyCERT receives and archives thousands of incidents every year. The data of all responded incidents are kept for future reference. With this repository of past reported incidents, it is easy to retrieve them and to transform the selected successful incident data into the form of cases.
V. CBR APPLICATIONS IN IT SECURITY
In past years, a few research works have applied the CBR technique to problems in the domain of IT security. For instance, [11] successfully applied CBR to intrusion detection, whereas [12] approached intrusion detection by applying swarm intelligence. Since spam or junk email is a serious problem in modern communication, [13] and [14] showed that CBR is suitable for the spam domain; both used a machine learning approach to build an email spam filter. [15] proposed the CBR methodology for building an intelligent reasoner that manages the deployment of low-interaction honeypots in a network. That research made full use of the rapid CBR development tool jCOLIBRI [16] to realize a CBR recommender system for the domain of honeypot configuration, and produced a positive result in that the honeypot configured by the CBR system was successfully detected in the network. [17] proposed the CBR method for detecting computer viruses. The case storage of that system is filled with virus signature cases, each containing the solution for that particular signature, so that whenever the CBR system is queried with a new virus signature, the retrieval algorithm searches for the stored signature cases most similar to the new one [17].
Fig. 1 CBR cycle
VI. PROPOSED SYSTEM
In this research we propose a CBR system for assisting Incident Handlers. The case base will contain past experiences of successful incident handling, represented in the form of cases that the CBR reasoner can later use. Before the proposed CBR system can be developed, the tasks listed below need to be addressed:
A. Case Storage
In a conventional decision support system, the program logic refers to a database in order to make decisions, and this database usually stores large amounts of data in tables and columns. In CBR, a case base is used instead. This case base, or case storage, keeps a list of past experiences in the form of cases that represent a specific domain [9]. The case base is populated with a collection of previous successful experiences represented as cases [18]. A case is a contextual piece of information that describes a successful experience with a particular problem or situation in the past.
Fig. 2 Basic structure of a case
B. Case Representation
For this research, the cases are related to incident handling and response. In the CBR methodology, all recorded experiences are represented in the form of cases. A case is a knowledge model of a particular experience in a particular domain; it is a method for representing experiences. Basically, a case consists of two segments: problem and solution. Fig. 2 shows the basic structure of a case. The first segment contains the description of a problem or situation; in this research, it holds all the attributes that describe an incident. The second segment contains the description of the solution for that particular problem; here it holds the attributes that describe the action taken by the Incident Handler.
Fig. 3 Attributes in an incident response case
These cases are retained and indexed inside the case storage. Thus, selecting the most suitable case representation approach and picking the right attributes to include in each case is a vital process. In this research, the cases contain past successful experiences of incident handlers. For the domain of incident response, a case contains twelve attributes, including the Case ID attribute. The Case ID assists in indexing the cases inside the case storage and also acts as a reference value for retrieving and maintaining the cases over time. These twelve attributes describe the past incident and the corresponding response made by the incident handler. Fig. 3 shows the conceptual structure of an incident response case developed for the proposed system. Table I shows the attributes, their data types and sample values.
Fig. 3 (structure): Case ID; PROBLEM: INCIDENT DESCRIPTION (Time of incident, Incident category, Incident subcategory, Reported URL, Reported IP); SOLUTION: RESPONSE (Time of response, Type of action, Eradication steps, Notification contacts, Notified entities, Advisory).
Fig. 2 (structure): Case ID; Problem; Solution.
TABLE I
LIST OF ATTRIBUTES, THEIR DATA TYPES AND SAMPLE VALUES
Attribute               Type      Sample value
Case ID                 INTEGER   1137
Time of incident        INTEGER   201510190245
Incident category       STRING    Online fraud
Incident subcategory    STRING    Phishing
Reported URL            STRING    http://domainname.com/xxx/yy
Reported IP             STRING    x.x.x.x
Time of response        INTEGER   201510190309
Type of action          STRING    Notify URL, bad IP
Eradication steps       STRING    Shutdown the suspected phishing website
Notification contacts   STRING    ISP email address
Notified entities       STRING    ISP, complainant
Advisory                STRING    Refer to Doc13-2
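The 4R cycle of Section IV and the case representation of Table I, carried through as an added example that is not part of the paper or of the author's own implementation: a small nearest-neighbour CBR reasoner in Python whose cases carry exactly the twelve attributes above. Everything beyond those attributes is an assumption made for illustration: the per-attribute weights, the rule that two reported IPs in the same IPv4 /24 are half a match, the 0.5 recommendation threshold, the helper names (make_query, CaseBase, solve), and the sample cases, which use RFC 5737 addresses and example.* hostnames rather than MyCERT data.

```python
# Added example, not code from the paper: a minimal case-based reasoner for incident response
# over the twelve case attributes of Table I. Weights, the /24 IP rule, the threshold and the
# sample cases are assumptions made for illustration.
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

@dataclass
class Case:
    case_id: int
    time_of_incident: datetime  # PROBLEM segment of Fig. 3 starts here
    incident_category: str
    incident_subcategory: str
    reported_url: str
    reported_ip: str
    time_of_response: datetime | None = None  # SOLUTION segment; left empty for a new query
    type_of_action: str = ""
    eradication_steps: str = ""
    notification_contacts: str = ""
    notified_entities: str = ""
    advisory: str = ""

SOLUTION_FIELDS = ("type_of_action", "eradication_steps", "notification_contacts", "notified_entities", "advisory")
WEIGHTS = {"category": 0.40, "subcategory": 0.30, "url": 0.15, "ip": 0.15}  # assumed; they sum to 1

def make_query(category: str, subcategory: str, url: str, ip: str, when: datetime | None = None) -> Case:
    # A query is a case whose PROBLEM segment is filled in and whose SOLUTION segment is empty.
    return Case(0, when or datetime(2015, 10, 19, 2, 45), category, subcategory, url, ip)

def _sim_url(a: str, b: str) -> float:
    ha, hb = urlparse(a).hostname, urlparse(b).hostname  # hostnames only: same host, same problem
    return 1.0 if ha and ha == hb else 0.0

def _sim_ip(a: str, b: str) -> float:
    """Same address scores 1, same IPv4 /24 (same hosting block) 0.5, otherwise 0."""
    try:
        ia, ib = ip_address(a), ip_address(b)
    except ValueError:  # placeholder values such as "x.x.x.x" never match anything
        return 0.0
    if ia == ib:
        return 1.0
    same_block = ia.version == ib.version == 4 and ip_network(f"{ia}/24", strict=False) == ip_network(f"{ib}/24", strict=False)
    return 0.5 if same_block else 0.0

def similarity(query: Case, case: Case) -> float:
    """Weighted nearest-neighbour similarity over the PROBLEM attributes only (score in [0, 1])."""
    def exact(x: str, y: str) -> float:
        return 1.0 if x.strip().lower() == y.strip().lower() else 0.0
    return (WEIGHTS["category"] * exact(query.incident_category, case.incident_category)
            + WEIGHTS["subcategory"] * exact(query.incident_subcategory, case.incident_subcategory)
            + WEIGHTS["url"] * _sim_url(query.reported_url, case.reported_url)
            + WEIGHTS["ip"] * _sim_ip(query.reported_ip, case.reported_ip))

class CaseBase:
    """The case storage of Section VI.A, with the four CBR steps of Section IV as methods."""
    def __init__(self, cases: list[Case]):
        self.cases = list(cases)

    def retrieve(self, query: Case, k: int = 3) -> list[tuple[float, Case]]:
        """RETRIEVE: score every stored case and return the k best, best first."""
        scored = [(similarity(query, c), c) for c in self.cases]
        return sorted(scored, key=lambda sc: sc[0], reverse=True)[:k]

    def reuse(self, query: Case, best: Case) -> Case:
        """REUSE: copy the SOLUTION segment of the best case onto the new problem."""
        return replace(query, **{f: getattr(best, f) for f in SOLUTION_FIELDS})

    def revise(self, proposed: Case, **changes: str) -> Case:
        """REVISE: the handler may correct solution attributes, never the problem description."""
        bad = set(changes) - set(SOLUTION_FIELDS)
        if bad:
            raise ValueError(f"only solution attributes may be revised: {sorted(bad)}")
        return replace(proposed, **changes)

    def retain(self, solved: Case, time_of_response: datetime | None = None) -> Case:
        """RETAIN: store the confirmed case under a fresh Case ID so it can be retrieved later."""
        stored = replace(solved, case_id=max((c.case_id for c in self.cases), default=0) + 1,
                         time_of_response=time_of_response or datetime.now())
        self.cases.append(stored)
        return stored

    def solve(self, query: Case, threshold: float = 0.5, **revisions: str) -> Case | None:
        """One full 4R cycle; None (no recommendation) when nothing stored is similar enough."""
        ranked = self.retrieve(query, k=1)
        if not ranked or ranked[0][0] < threshold:
            return None
        return self.retain(self.revise(self.reuse(query, ranked[0][1]), **revisions))

_T = datetime(2015, 9, 1, 10, 0)
SAMPLE_CASES = [  # constructed (RFC 5737 addresses, example.* hosts), not MyCERT data
    Case(1137, _T, "Online fraud", "Phishing", "http://secure-login.example.com/verify", "192.0.2.10",
         _T, "Notify URL, bad IP", "Request takedown of the phishing page", "abuse@isp.example",
         "ISP, complainant", "Refer to Doc13-2"),
    Case(1138, _T, "Intrusion", "Web defacement", "http://www.example.org/index.html", "198.51.100.7",
         _T, "Notify site owner", "Restore from clean backup, patch the CMS", "webmaster@example.org",
         "Site owner", "Refer to Doc07-1"),
    Case(1139, _T, "Malicious code", "Malware hosting", "http://cdn.example.net/update.exe", "192.0.2.55",
         _T, "Notify URL", "Request removal of the malware sample", "abuse@isp.example", "ISP",
         "Refer to Doc09-4"),
]
```

Three design points matter for the incident response domain. Retrieval scores only the PROBLEM segment, so the solution attributes never influence which past case is chosen; revision is restricted to the SOLUTION segment, so a handler cannot silently change what was reported; and `solve` refuses to recommend anything when the best similarity is below the threshold, which is the check an auto-responding deployment of the kind Section III envisages would need before copying a takedown request onto an unrelated report. A phishing report for a second page on the same host and a neighbouring address in the same /24 scores 0.925 against case 1137 and inherits its response; once retained, that new case becomes the exact (1.0) neighbour of the same problem.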
VII. CONCLUSION AND FUTURE WORK
In this research we have proposed a CBR-based intelligent recommender system able to reason and make decisions in the domain of security incident response. With enough cases and suitable modifications to the 4R steps, the system could autonomously handle a large number of incidents in crisis situations. For future work, the proposed system will be implemented in a CBR development tool such as jCOLIBRI or myCBR. The algorithms for case retrieval and case revision will be refined, and the proposed system is planned to be tested with real incident data available at MyCERT.
REFERENCES
[1] Automating Big Data Analysis: Malaysia CERT Experience. Tokyo International Conference on Engineering and Applied Sciences 2014.
[2] MyCERT Incident Statistics, www.mycert.org.my/statistics/2015.php
[3] Aamodt, A., Plaza, E. (1994). Case-based reasoning: Foundational issues, methodological variations, and system approaches. Artificial Intelligence Communications, 7(1), 39–59.
[4] Kolodner, J. L., Leake, D. (1996). A tutorial introduction to case-based reasoning. In: Leake, D. (ed.) Case-Based Reasoning: Experiences, Lessons, and Future Directions, 31–65. AAAI Press/The MIT Press.
[5] Watson, I. (1999). Case-based reasoning is a methodology not a technology. Knowledge-Based Systems, 12(5–6), 303–308. doi:10.1016/S0950-7051(99)00020-9
[6] Fanoiki, T. O., Drummond, I., Sandri, S. (2010). Case-based reasoning retrieval and reuse using case resemblance hypergraphs. International Conference on Fuzzy Systems, 1–7. doi:10.1109/FUZZY.2010.5584854
[7] Carmona, M. A., Barbancho, J., Larios, D. F., León, C. (2013). Applying case based reasoning for prioritizing areas of business management. Expert Systems with Applications, 40(9), 3450–3458.
[8] Wang, C. S., Yang, H. L. (2012). A recommender mechanism based on case-based reasoning. Expert Systems with Applications, 39(4), 4335–4343.
[9] Tsai, C., Chiu, C., Chen, J. (2005). A case-based reasoning system for PCB defect prediction. Expert Systems with Applications, 28(4), 813–822.
[10] Recio-Garcia, J. A., Diaz-Agudo, B., Gonzalez-Calero, P. A. (2009). Boosting the performance of CBR applications with jCOLIBRI. 21st International Conference on Tools with Artificial Intelligence (ICTAI '09), 276–283, 2–4 Nov. 2009.
[11] Micarelli, A., Sansonetti, G. (2007). A case-based approach to anomaly intrusion detection, 434–448.
[12] Kolias, C., Kambourakis, G., Maragoudakis, M. (2011). Swarm intelligence in intrusion detection: A survey. Computers and Security, 30(8), 625–642. doi:10.1016/j.cose.2011.08.009
[13] Delany, S. J. (2006). Using case-based reasoning for spam filtering. Thesis.
[14] Alguliyev, R. (2012). Two approaches on implementation of CBR and CRM technologies to the spam filtering problem. Journal of Information Security, 3(1), 11–17. doi:10.4236/jis.2012.31002
[15] Zakaria, W. Z. A., Mat Kiah, M. L. (2014). Implementing a CBR recommender for dynamic honeypot using jCOLIBRI. 3rd International Conference on Computer Science and Computational Mathematics 2014, 8–9 May, Langkawi, Kedah, Malaysia.
[16] Atanassov, A., Antonov, L. (2012). Comparative analysis of case based reasoning software frameworks jCOLIBRI and myCBR. Journal of the University of Chemical Technology and Metallurgy, (1), 83–90.
[17] Berkat, A. (2011). Using case-based reasoning (CBR) for detecting computer virus. Journal of Computer Science, 8(4), 606–610.
[18] Mitra, R., Basak, J. (2005). Methods of case adaptation: A survey. International Journal of Intelligent Systems, 20(6), 627–645.