2019 Volume 27 Pages 234-243
Computer security has been receiving more attention because a security incident can cause great damage to an organization, so a quick and correct response to an incident is important. One of the first possible responses is to locate and isolate a suspicious host. This isolation typically requires a manual operation, which may introduce mistakes or long delays. To address these issues, this paper proposes a novel system that locates and isolates a suspicious host during incident response using the Software Defined Network (SDN) approach. The SDN approach allows the proposed system to locate and isolate a suspicious host on demand in a network made up of switches and routers from different vendors. The proposed system requires no pre-configured host authentication, no IP address allocation/assignment database, no network topology map, and no switch port list in advance, and can therefore reduce manual operations. This paper shows that manual operations actually induce longer delays, more than 3 minutes on average, and also cause mistakes. It also shows that the proposed system can locate and isolate a suspicious host within 10 seconds of being given the IP address of the suspicious host.