Early Detection of Network Incident Using Open Security Information

Abstract

Network security incident (network incident) is an important topic in the around world. Network operators and security vendors tackle these network incidents consist of many cyber crimes. The types of threats are DDoS, phishing, malware, vulnerability attacks to take control a device, and extortion case. Network operators consider protecting their environment from threats. They have to observe a trend of threat, then could trace suspicious network traffic flows on what network. Some organization and individual persons publish open security information related to past a network incident. In order to identify which network covers on suspicious activity, we collect open security information as the dataset to analyze these for providing a summary of network operators' IP addresses lead to network incident. The result is not only useful information to get a trend of threat pattern, but also we quickly handle a countermeasure to it when real network incident has happened in their environment. In the evaluation, we verify the result of proposed framework could handle the trend of network incident cases. We determine the result whether provides security threat or not based on security vendors reports. The evaluation result shows the proposed framework could identify the SSH brute force attack and other attacks before the security vendor discloses it. It is useful for supporting of network operators and community to observe the latest network incident when it occurs in their environment.