Gnatyuk V. Methods for Cyberincidents Processing in Information & Telecommunication Systems


Thesis for the degree of Candidate of Sciences (CSc)

State registration number

0417U003325

Applicant for

Specialization

  • 05.13.21 - Information security systems

27-06-2017

Specialized Academic Board

Д 26.062.17

National Aviation University

Abstract

The thesis addresses the applied research task of developing and studying new, effective methods for processing cyberincidents in information and telecommunication systems throughout the incident life cycle, in order to extend the functional capabilities of a CSIRT (Computer Security Incident Response Team) with respect to cyberincident response.

Current approaches to cyberincident processing in information and telecommunication systems were analysed against several criteria, and the shortcomings of existing methods, models and systems were identified. These approaches do not satisfy the incident-management requirements of international standards, in particular ISO/IEC 27035, ITIL, NIST SP 800-61 and ITU-T E.409, and do not make it possible to implement procedures for detecting, categorizing, monitoring and predicting cyberincidents in such systems, or to audit a CSIRT.

A method for cyberincident categorization was developed. It combines preliminary data processing based on misuse and anomaly detection, specialized Big Data procedures, entropy reduction (information amplification) and the calculation of categorization quality metrics. The method determines cyberincident categories more accurately and supports phases E2 and E3 of the cyberincident life cycle defined in ITU-T E.409. Software implementing the method was developed; it can be used either as a stand-alone CSIRT tool or as a SIEM module (for data aggregation, correlation and expert analysis), and it categorizes cyberincidents with an accuracy of 99.96% for some cyberincident categories. Practical guidelines for implementing response and counteraction were also produced for localizing different categories of cyberattacks and cyberincidents.

A method for assessing CSIRT efficiency in the context of cyberincident processing was developed. It makes it possible to audit a CSIRT (and other technical support centres for information and telecommunication systems) and supports phase H2.2 of the ITU-T E.409 cyberincident life cycle. The method defines parameters (indicators), identifies key performance indicators by multifactor correlation and regression analysis, builds an indicator panel and visualizes KPI/E. A system of basic indicators was also developed that can be used for CSIRTs and other technical support centres such as Service Desks and Help Desks.

A concept and a method for network-centric cyberincident monitoring were developed. The method classifies cyberattacks, compares parameters with reference values, forms basic extrapolation rules, links cyberattack classes to cyberincident categories on the basis of statistics, identifies security objects and ranks cyberincidents by criticality. It makes it possible to determine the most critical security objects (components of an information and telecommunication system or cybersecurity segments), to predict cyberincident categories and their criticality level, and it supports phases H1 and H2 of the ITU-T E.409 cyberincident life cycle. Software for cyberincident monitoring that uses statistical data and connects to the KDD 99 and CAPEC knowledge bases was also developed.

A method for forming a set of cyberincident extrapolation rules was developed. It determines cyberattack types and cyberincident categories, forms cyberincident realization probability matrices, ranks cyberincidents and derives indicators of cyberincident occurrence. The method automates network-centric cyberincident monitoring with a high level of accuracy and supports phase E5.1 of the ITU-T E.409 cyberincident life cycle. A system of basic rules was also developed that can be used to identify cyberincidents from cyberattack statistics.
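The categorization method in the abstract is described only in outline (entropy reduction over pre-processed connection data, then categorization quality metrics). The following added example, which is not the thesis's own code and whose records are constructed, shows one concrete reading of that outline: an ID3-style decision tree that at every node splits on the KDD-99-style feature whose split most reduces the entropy of the category distribution, followed by accuracy and per-category precision/recall on held-out records, including the case of a feature value never seen in training.

```python
"""Entropy-driven cyberincident categorization over KDD-99-style records.

Added illustrative example, not code from the thesis. Feature names mirror
KDD-99 fields (protocol_type, service, flag, src_bytes bucketed); every
record and category label below is constructed for this example.
"""
from collections import Counter
from math import log2

FEATURES = ["protocol", "service", "flag", "src_bytes"]


def rec(protocol, service, flag, src_bytes):
    """Build one connection record (src_bytes is a bucket, not a raw count)."""
    return {"protocol": protocol, "service": service, "flag": flag, "src_bytes": src_bytes}


# Constructed training set: (record, category)
TRAIN = [
    (rec("tcp", "http", "SF", "low"), "normal"),
    (rec("tcp", "http", "SF", "low"), "normal"),
    (rec("udp", "domain_u", "SF", "low"), "normal"),
    (rec("tcp", "smtp", "SF", "med"), "normal"),
    (rec("tcp", "http", "S0", "low"), "dos"),        # half-open connections: SYN flood
    (rec("tcp", "http", "S0", "low"), "dos"),
    (rec("tcp", "private", "S0", "low"), "dos"),
    (rec("icmp", "ecr_i", "SF", "high"), "dos"),     # large echo replies: smurf
    (rec("icmp", "ecr_i", "SF", "high"), "dos"),
    (rec("tcp", "private", "REJ", "low"), "probe"),  # rejected connects: port scan
    (rec("tcp", "private", "REJ", "low"), "probe"),
    (rec("icmp", "eco_i", "SF", "low"), "probe"),    # echo requests: ping sweep
]

# Constructed held-out set used for the quality metrics
TEST = [
    (rec("tcp", "http", "S0", "low"), "dos"),
    (rec("tcp", "http", "SF", "low"), "normal"),
    (rec("tcp", "private", "REJ", "low"), "probe"),
    (rec("icmp", "ecr_i", "SF", "high"), "dos"),
    (rec("tcp", "private", "S0", "low"), "dos"),
    (rec("udp", "domain_u", "SF", "low"), "normal"),
    (rec("tcp", "ftp", "SF", "low"), "normal"),      # service never seen in training
    (rec("icmp", "eco_i", "SF", "low"), "probe"),
]


def entropy(labels):
    """Shannon entropy (bits) of a category distribution."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(records, feature):
    """Entropy decrease obtained by splitting the records on one feature."""
    by_value = {}
    for feats, category in records:
        by_value.setdefault(feats[feature], []).append(category)
    remainder = sum(len(v) / len(records) * entropy(v) for v in by_value.values())
    return entropy([c for _, c in records]) - remainder


def build_tree(records, features):
    """ID3: recursively split on the feature with the largest information gain."""
    labels = [c for _, c in records]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return {"leaf": majority}
    gains = {f: information_gain(records, f) for f in features}
    best = max(features, key=gains.get)
    if gains[best] <= 0:                      # no feature reduces entropy further
        return {"leaf": majority}
    node = {"feature": best, "default": majority, "children": {}}
    rest = [f for f in features if f != best]
    for value in sorted({r[best] for r, _ in records}):
        subset = [(r, c) for r, c in records if r[best] == value]
        node["children"][value] = build_tree(subset, rest)
    return node


def categorize(tree, feats):
    """Walk the tree; a feature value unseen in training falls back to the node's majority."""
    while "leaf" not in tree:
        child = tree["children"].get(feats[tree["feature"]])
        if child is None:
            return tree["default"]
        tree = child
    return tree["leaf"]


def quality_metrics(tree, records):
    """Overall accuracy plus precision and recall for every category."""
    pairs = [(actual, categorize(tree, feats)) for feats, actual in records]
    accuracy = sum(a == p for a, p in pairs) / len(pairs)
    per_category = {}
    for cat in sorted({actual for _, actual in records}):
        tp = sum(1 for a, p in pairs if a == cat and p == cat)
        predicted = sum(1 for _, p in pairs if p == cat)
        actual = sum(1 for a, _ in pairs if a == cat)
        per_category[cat] = {"precision": tp / predicted if predicted else 0.0,
                             "recall": tp / actual if actual else 0.0}
    return accuracy, per_category


if __name__ == "__main__":
    tree = build_tree(TRAIN, FEATURES)
    acc, per_cat = quality_metrics(tree, TEST)
    print(f"root split on {tree['feature']}, held-out accuracy {acc:.3f}")
    for cat, m in per_cat.items():
        print(f"  {cat}: precision {m['precision']:.2f} recall {m['recall']:.2f}")
```

On the constructed data the root split lands on `service` because it yields the largest entropy decrease, and the one misclassified held-out record is the `ftp` connection, which hits the unseen-value fallback and is assigned the majority category; that is exactly the case a quality metric has to surface, since a headline accuracy figure hides which categories absorb the errors.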
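The monitoring and extrapolation-rule methods in the abstract (linking cyberattack classes to cyberincident categories from statistics, forming realization probability matrices, ranking security objects by criticality and deriving indicators of cyberincident occurrence) are likewise only summarized. The added example below is not the thesis's own code or rule set; it assumes a constructed history of (attack class, resulting incident category) pairs, constructed per-object attack-class counts for the current window, an assumed severity weight per category and a constructed per-class baseline, and shows how those pieces chain into a probability matrix, a predicted category distribution per security object, a criticality ranking and a threshold-based appearance indicator.

```python
"""Statistical attack-class to incident-category extrapolation and criticality ranking.

Added illustrative example, not code from the thesis. All inputs below are
constructed; attack-class names are loose, CAPEC-style labels chosen for the
example, not CAPEC identifiers.
"""
from collections import defaultdict

# Constructed history: (attack class observed, incident category it produced)
HISTORY = [
    ("flooding", "dos"), ("flooding", "dos"), ("flooding", "dos"), ("flooding", "degradation"),
    ("injection", "compromise"), ("injection", "compromise"),
    ("injection", "data_leak"), ("injection", "data_leak"),
    ("scanning", "probe"), ("scanning", "probe"), ("scanning", "probe"), ("scanning", "compromise"),
]

# Assumed criticality weight per incident category (higher = more critical)
SEVERITY = {"probe": 1, "degradation": 2, "dos": 3, "data_leak": 4, "compromise": 5}

# Constructed current window: attack classes counted per security object
OBSERVATIONS = {
    "web-segment": {"injection": 6, "scanning": 4},
    "dns-segment": {"flooding": 8, "scanning": 2},
    "mail-segment": {"scanning": 5},
}

# Constructed per-class baseline (typical count per window) for the appearance rule
BASELINE = {"flooding": 2, "injection": 1, "scanning": 3}


def probability_matrix(history):
    """P[attack][category]: share of past incidents of that attack class ending in that category."""
    counts = defaultdict(lambda: defaultdict(int))
    for attack, category in history:
        counts[attack][category] += 1
    return {a: {c: n / sum(cs.values()) for c, n in cs.items()} for a, cs in counts.items()}


def predict_categories(matrix, observed):
    """Mix the per-class category distributions by the observed attack-class frequencies."""
    total = sum(observed.values())
    dist = defaultdict(float)
    for attack, n in observed.items():
        for category, p in matrix.get(attack, {}).items():  # class with no history contributes nothing
            dist[category] += n / total * p
    return dict(dist)


def criticality(dist, severity):
    """Expected severity of the predicted incident-category distribution."""
    return sum(p * severity[c] for c, p in dist.items())


def rank_objects(matrix, observations, severity):
    """Rank security objects by expected criticality: (object, score, most likely category)."""
    ranked = []
    for obj, observed in observations.items():
        dist = predict_categories(matrix, observed)
        likely = max(dist, key=dist.get)
        ranked.append((obj, round(criticality(dist, severity), 3), likely))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def appearance_indicators(observations, baseline, factor=2.0):
    """Extrapolation rule: flag attack classes whose count exceeds factor x baseline."""
    return {obj: sorted(a for a, n in observed.items() if n > factor * baseline.get(a, 0))
            for obj, observed in observations.items()}


if __name__ == "__main__":
    matrix = probability_matrix(HISTORY)
    for obj, score, likely in rank_objects(matrix, OBSERVATIONS, SEVERITY):
        print(f"{obj}: expected criticality {score}, most likely category {likely}")
    print(appearance_indicators(OBSERVATIONS, BASELINE))
```

The web segment ranks first even though the DNS segment sees more attacks, because the injection history maps to higher-severity categories; a count-only ranking would invert that order, which is the point of weighting by the category each attack class has actually produced.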
