2019
DOI: 10.2197/ipsjjip.27.234
On-demand Suspicious Host Isolation Adopting Software Defined Network Approach on a Computer Security Incident Response

Abstract: Computer security has been getting more attention because a computer security incident may cause great damage on an organization. A quick and correct response against an incident is then important. One of the first possible responses is then locating and isolating a suspicious host. This isolation typically requires a manual operation that may cause a mistake or long delay. In order to solve these issues, this paper proposes a novel system to locate and isolate a suspicious host on an incident response adoptin…

Cited by 2 publications (2 citation statements)
References 2 publications
“…(1) connect to a router, which is given in advance, (2) look up a route for an IP address of the suspicious host and VRF, (3) connect to the nexthop router of the route if the route is not directly connected, (4) repeat (2) and (3) until a directly connected route is found, i.e., locate a router that has a directly connected route for an IP address of the suspicious host and VRF, (5) identify a VLAN for the IP address at the router, (6) locate a directly connected router for the IP address on the VRF, (7) resolve a MAC address of the suspicious host from an Address Resolution Protocol (ARP) [3] table, (8) identify a port on which the MAC address is seen in a MAC address forwarding table, (9) discover a neighboring switch on the port, (10) repeat from (8) to (9) until a neighboring switch is not found, (11) finally locate a port on an edge switch accommodating the MAC address, and (12) produce location information of the suspicious host. The on-demand host locating system is described more in detail [4].…”
Section: On-demand Host Locating (mentioning)
confidence: 99%
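
The locating walk quoted above, as an added Python example that is not code from the paper or the system it describes. It assumes device tables are already collected into in-memory dictionaries; the router and switch names, addresses, next hops given as router names, and the per-port neighbor table are all constructed for illustration.

```python
import ipaddress
# Constructed sample data (not from the paper). Route tuple: (prefix, nexthop, vlan).
ROUTERS = {
    "core1": {"routes": {"campus": [("10.20.0.0/16", "dist1", None)]}, "arp": {}},
    "dist1": {"routes": {"campus": [("10.20.30.0/24", None, 230)]},
              "arp": {"10.20.30.40": "00:11:22:33:44:55"}},
}
# MAC forwarding table and per-port neighbor table for each switch (hypothetical).
SWITCHES = {
    "dist1": {"mac": {"00:11:22:33:44:55": "Te1/1"}, "nbr": {"Te1/1": "acc7"}},
    "acc7": {"mac": {"00:11:22:33:44:55": "Gi0/12"}, "nbr": {}},
}

def lookup(router, vrf, ip):
    """Step 2: longest-prefix match in one VRF; nexthop None = directly connected."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, nexthop, vlan in ROUTERS[router]["routes"].get(vrf, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop, vlan)
    if best is None:
        raise LookupError(f"no route to {ip} in VRF {vrf} on {router}")
    return best[1], best[2]

def locate(start_router, vrf, ip):
    """Steps 1-12: follow routes, resolve the MAC, then walk switches to the edge."""
    router, seen = start_router, set()
    while True:                                   # steps 1-6
        if router in seen:
            raise RuntimeError(f"routing loop at {router}")
        seen.add(router)
        nexthop, vlan = lookup(router, vrf, ip)
        if nexthop is None:
            break
        router = nexthop
    mac = ROUTERS[router]["arp"].get(ip)          # step 7
    if mac is None:                               # host silent or entry aged out
        raise LookupError(f"no ARP entry for {ip} on {router}")
    switch, seen = router, set()
    while switch not in seen:                     # steps 8-10
        seen.add(switch)
        port = SWITCHES[switch]["mac"].get(mac)
        if port is None:
            raise LookupError(f"{mac} not in MAC table of {switch}")
        if port not in SWITCHES[switch]["nbr"]:   # steps 11-12: edge port found
            return {"ip": ip, "vrf": vrf, "router": router, "vlan": vlan,
                    "mac": mac, "switch": switch, "port": port}
        switch = SWITCHES[switch]["nbr"][port]
    raise RuntimeError(f"switching loop at {switch}")
```

A missing ARP entry is reported as an error instead of guessing a location, since isolating the wrong port during an incident response is worse than a failed lookup.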
“…In order to handle a security incident or network failure, it is important to grasp a list of pairs of IP addresses and MAC addresses of hosts [1], [2]. For example, only an IP address of a suspicious host is alerted by an outer organization, Security Operations Center (SOC) or security equipment such as a next-generation firewall when a security incident occurs.…”
Section: Introduction (mentioning)
confidence: 99%