Palantir: a framework for collaborative incident response and investigation

H. Khurana, J. Basney, Mehedi Bakht, D. M. Freemon, Von Welch, R. Butler
DOI: 10.1145/1527017.1527023
Venue: Symposium on Identity and Trust on the Internet, published 2009-04-14
Citations: 35

Abstract

Organizations owning cyber-infrastructure assets face large-scale distributed attacks on a regular basis. In the face of the increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is a need for a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities, in order to track the adversary, eliminate the threat, and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experience in dealing with a large-scale distributed attack that took place in 2004, known as Incident 216. Based on our approach, we present the Palantir system, which comprises the conceptual and technological capabilities needed to respond adequately to such attacks. To the best of our knowledge, this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.