Towards Scientific Incident Response

  • Conference paper
  • Decision and Game Theory for Security (GameSec 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11199)

Abstract

A scientific incident analysis is one with a methodical, justifiable approach to the human decision-making process. Incident analysis is a good target for additional rigor because it is the most human-intensive part of incident response. Our goal is to provide the tools necessary for specifying precisely the reasoning process in incident analysis. Such tools are lacking, and are a necessary (though not sufficient) component of a more scientific analysis process. To reach this goal, we adapt tools from program verification that can capture and test abductive reasoning. As Charles Peirce coined the term in 1900, “Abduction is the process of forming an explanatory hypothesis. It is the only logical operation which introduces any new idea.” We reference canonical examples as paradigms of decision-making during analysis. With these examples in mind, we design a logic capable of expressing decision-making during incident analysis. The result is that we can express, in machine-readable and precise language, the abductive hypotheses that an analyst makes, and the results of evaluating them. This result is beneficial because it opens up the opportunity of genuinely comparing analyst processes without revealing sensitive system details, as well as opening an opportunity towards improved decision-support via limited automation.


Notes

  1. Any given \(\left\{ \phi \right\} \mathcal {C}\left\{ \psi \right\} \) for a program will be treated as a hypothesis, and one that given sufficient evidence might be overturned and modified.


Acknowledgements

Spring is supported by University College London’s Overseas Research Scholarship and Graduate Research Scholarship. Thanks to Simon Docherty for discussion and constructive comments.

Author information

Correspondence to Jonathan M. Spring.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Spring, J.M., Pym, D. (2018). Towards Scientific Incident Response. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science, vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_23

  • DOI: https://doi.org/10.1007/978-3-030-01554-1_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01553-4

  • Online ISBN: 978-3-030-01554-1

  • eBook Packages: Computer Science (R0)
