On Incident Handling and Response: A state-of-the-art approach

Computers and Security

Volumn 25, Issue 5, 2006, Pages 351-370

  Mitropoulos, Sarandis ^a   Patsos, Dimitrios ^a   Douligeris, Christos ^a  

^a UNIVERSITY OF PIRAEUS   (Greece)

Author keywords

Computer forensics; Incident Handling; Incident Response; Internet forensics; Software forensics; Trace back mechanisms

Indexed keywords

COMPUTER NETWORKS; COMPUTER SOFTWARE; DATA HANDLING; INFORMATION MANAGEMENT; NETWORK PROTOCOLS; SOCIAL ASPECTS;

COMPUTER FORENSICS; INCIDENT HANDLING; INCIDENT RESPONSE; INTERNET FORENSICS; SOFTWARE FORENSICS; TRACE-BACK MECHANISMS;

SECURITY OF DATA;

EID: 33746748784     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2005.09.006     Document Type: Article

References (52)

1. Adams C. Request for comments (RFC) 2510 - Internet X.509 public key infrastructure certificate management protocols. Available from:. http://www.ietf.org
2. Allen J. CERT guide to system and network security practices. Addison-Wesley (2001)
3. Baba T., and Matsuda S. Tracing network attacks to their sources. IEEE Internet Computing 6 3 (2002)
4. Bellovin S.M. Security problems in the TCP/IP protocol suite. Computer Communication Review 19 2 (April 1989) 32-48
5. Bellovin SM. ICMP traceback messages, Internet draft (work in progress); February 2003.
6. Berghel H. The discipline of Internet forensics. Communications of the ACM 46 8 (August 2003)
7. BSI. Information security management, BS7799, part 1: code of practice for information security management; 1999.
8. CERT/CC. Security of the Internet [online]. Available from:. http://www.cert.org/encyc_article/tocencyc.html [3/01/2005]
9. Council of Europe. Convention on cyber crime. In: European treaty series - no. 185, Budapest; 2001.
10. Feiertag R., Kahn C., Porras P., Schnackenberg D., Staniford-Chen S., and Tung B. A common intrusion specification language. Available from: (June 1999). http://people.emich.edu/pstephen/other_papers/CISL-Original.PDF
11. Global Reach. Global Internet statistics. Available from:. http://www.glreach.com/globstats/ [3/01/2005]
12. Harris Interactive. Identity theft new survey & trend report. Commissioned by Privacy & American Business; August 2003.
13. Hiltz SR, Han HJ, Briller V. Public attitudes towards a national identity "Smart Card:" privacy and security concerns. In: Proceedings of the 36th Hawaii international conference on system sciences (HICSS'03). Hilton Waikoloa Village, Island of Hawaii, January 6-9; 2003.
14. Information Security Team, DePaul University. A framework for incident response (draft) (13th December 2002).
15. International Standards Organization. Code of practice for information security management (2000) ISO/IEC 17799
16. Internet Engineering Task Force, Request for Comments (RFC) 1305. Network time protocol (version 3) - specification, implementation and analysis. Available from: (March 1992). http://www.ietf.org
17. Internet Engineering Task Force, Request for Comments (RFC) 2350. Expectations for computer security incident response. Available from: (June 1998). http://www.ietf.org
18. Jung HT, Kim HL, Seo YM, Choe G, Min SL, Kim CS, et al. Caller identification system in the Internet environment. In: Proceedings of fourth USENIX security symposium; 1993.
19. Kent S., and Atkinson R. Request for comments (RFC) 2401 - security architecture for the Internet protocol. Available from: (November 1998). http://www.ietf.org
20. Killcrece G., Kossakowski K.P., Ruefle R., and Zajicek M. Organizational models for computer incident response teams (CSIRTs). Report: CMU/SEI-2003-HB-001 (December 2003), Carnegie Melon University/Software Engineering Institute
21. Kossakowski K.P., Allen J., Alberts C., Cohen C., Ford G., Fraser B., et al. Responding to intrusions. Report: CMU/SEI-SIM-006 (February 1999), Carnegie Melon University/Software Engineering Institute
22. Kruse W., and Heiser J. Computer forensics (2002), Addison-Wesley, Canada
23. Lemos R. Study: sites attacked 4,000 times a week. CNET News. Available from: (22 May 2001). http://news.com.com/2100-1001-258093.html?legacy=cnet
24. Mandia K., and Procise C. Incident response: investigating computer crime (2002), Osborne/McGraw-Hill, NY
25. Mankin A, Massey D, Wu CL, Zhang L. On design and evaluation of intention-driven ICMP traceback. In: IEEE international conference on computer communications and networks (ICCCN); October 2001.
26. McClure S., Scambray J., and Kurtz G. Hacking exposed (2001), McGraw-Hill
27. McGraw, and Felten. Securing Java: getting down to business with mobile code (1999), Wiley, NY
28. Microsoft Corporation. Introduction to code signing.
29. National Institute of Standards and Technology. Computer security incident handling guide (January 2004) NIST Special Publication 800-61
30. Nong Y, Giordano J, Feldman J, Zhong Q. Information fusion techniques for network intrusion detection. In: IEEE information technology conference, information environment for the future, Syracuse, NY, USA; September 1998
31. OMB's Circular No. A-130. Appendix III online. Available from:. http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html [05/01/2005]
32. Park K, Lee H. On the effectiveness of probabilistic packet marking for IP traceback. In: Proceedings of 2001 conference on applications, technologies, architectures and protocols for computer communication, ACM SIGCOMM'01. San Francisco, US; August 2001.
33. Patsos D. A strategic approach to incident response, M.Sc. thesis. London: Department of Mathematics/Information Security Group, Royal Holloway University of London; 2002.
34. Postel J. Request for comments (RFC) 791 - Internet protocol. Available from: (September, 1981). http://www.ietf.org
35. Rekhter Y., and Watson T.J. A border gateway protocol 4 (BGP-4). Available from:. http://www.ietf.org
36. Savage S, Wetherall D, Karlin A, Anderson T. Practical network support for IP traceback. In: Proceedings of SIGCOMM'00. Stockholm, Sweden; August 2000.
37. Schnackenberg D, Djahandari K, Reid T, Wilson B. Cooperative intrusion traceback and response architecture (CITRA), Boeing Phantom Works and NAI Labs, prepared under contract N66001-01-C-8048 for Space and Naval Warfare System Center (SSC), San Diego; February 2002.
38. Schultz E. Incident response teams need to change. Computers and Security Journal 23 (January 2004) 87-88
39. Solove DJ. The legal construction of identity theft. In: Symposium: digital cops in a virtual environment Yale law school; March 26-28, 2004.
40. Song DX, Perrig A. Advanced and authenticated marking schemes for IP traceback. In: Proceeding of the IEEE INFOCOM01. Anchorage, Alaska; April 2001.
41. Spafford EH, Weeber SA. Software forensics: can we track code to its authors? Purdue Technical Report CSD-TR 92-010; February 1992.
42. Staniford-Chen S, Heberlein LT. Holding intruders accountable on the Internet. In: Proceedings of IEEE symposium on security and privacy; 1995.
43. Stoll C. The cuckoo's egg, pocket; reprint edition; November 1, 1990.
44. Stone R. CenterTrack: an IP overlay network for tracking DoS floods. In: Proceedings of 9th Usenix security symposium; August 2000.
45. United States Code, Chapter 35 of Title 44, Subchapter III - Information Security, Federal Information Security Management Act (FISMA) of 2002.
46. US Department of Commerce. Federal Information Processing Standards Publication 198, The Keyed-Hash Message Authentication Code (HMAC); March 6, 2002.
47. Van Wyk K., and Forno R. Incident response (2001), O'Reilly, NY
48. Wang XY, Reeves DS, Wu SF, Yuill J. Sleepy watermark tracing: an active intrusion response framework. In: Proceedings of the 16th international information security conference (IFIP/Sec'01); June 2001.
49. West-Brown M.J., Stikvoort D., and Kossakowski K.P. Handbook for computer security incident response teams (CSIRTs). Report: CMU/SEI-98-HB-001 (December 1998), Carnegie Melon University/Software Engineering Institute
50. Whalen S. An introduction to ARP spoofing, (white paper). Available from:. http://www.gmx.net
51. Yasincac, and Manzano Y. Policies to enhance computer and network forensics. Proceedings of the 2001 IEEE workshop on information assurance and security (June 2001), United States Military Academy, West Point, NY 5-6
52. Zhang Y, Paxson V. Detecting stepping stones. In: Proceedings of the 9th USENIX security symposium. Denver, Colorado, August 14-17; 2000.