Journal of Information Processing
Online ISSN : 1882-6652
ISSN-L : 1882-6652
 
Efficient Matching Algorithms between Logs and Indicators for Automatic Incident Response System
Satoshi Okada, Nobuho Hashimoto, Takuho Mitsunaga

2023 Volume 31 Pages 279-287

Abstract

Sharing Cyber Threat Information (so-called indicators) plays an important role in rapid incident response, and ISAC and MISP provide schemes for such sharing. Companies and organizations receive indicators and check whether their employees' computers and servers are exposed to threats by referring to their proxy and access logs. We have already proposed an incident response scheme that automates this sequence of procedures. Meanwhile, the amount of logs generated per day in large companies and organizations is enormous, and the number of indicators received is expected to increase. In that situation, a naive matching algorithm between indicators and logs can take a considerable amount of time and seriously delay incident response, even when using our proposed system. Therefore, we propose a more effective matching algorithm. We implemented the algorithms and measured their elapsed time and memory consumption, and we compare our algorithms with basic and naive matching algorithms from both a theoretical and a practical perspective. As a result, our proposed algorithm ran faster with only a little additional memory consumption. Combining this algorithm with our previously proposed incident response system, we achieve a more effective system than before.
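As an added illustration of the abstract's point, and not the paper's own algorithm or code, the naive indicator-to-log comparison is shown beside one common hash-indexed alternative, run over constructed, placeholder indicators (MISP-style type/value pairs) and constructed proxy-log lines whose format is assumed here.

```python
# Added example: naive vs. indexed matching of proxy-log lines against indicators.
# Indicator values and log lines are constructed placeholders (RFC 5737/2606 ranges), not real IoCs.
INDICATORS = [
    ("domain", "malicious.example"),
    ("ip-dst", "203.0.113.45"),
    ("domain", "c2.bad.example"),
]

# Assumed proxy-log layout: "<timestamp> <client_ip> <dst_host> <dst_ip> <url>"
LOG_LINES = [
    "2023-01-01T00:00:01 10.0.0.5 www.example.org 192.0.2.10 /index.html",
    "2023-01-01T00:00:02 10.0.0.7 cdn.malicious.example 203.0.113.45 /payload",
    "2023-01-01T00:00:03 10.0.0.9 c2.bad.example 198.51.100.3 /beacon",
]

def parse_line(line):
    ts, client, host, dst_ip, url = line.split(" ", 4)
    return {"ts": ts, "client": client, "host": host, "dst_ip": dst_ip, "url": url}

def naive_match(lines, indicators):
    """Baseline: compare every log line with every indicator, O(|logs| * |indicators|)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for ioc_type, value in indicators:
            if ioc_type == "domain" and (rec["host"] == value or rec["host"].endswith("." + value)):
                hits.append((rec["client"], ioc_type, value))
            elif ioc_type == "ip-dst" and rec["dst_ip"] == value:
                hits.append((rec["client"], ioc_type, value))
    return hits

def build_index(indicators):
    """Hash sets per indicator type: built once, then each lookup is O(1) on average."""
    idx = {"domain": set(), "ip-dst": set()}
    for ioc_type, value in indicators:
        idx.setdefault(ioc_type, set()).add(value)
    return idx

def indexed_match(lines, index):
    """Per log line the cost depends on the hostname depth, not on the indicator count."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["dst_ip"] in index["ip-dst"]:
            hits.append((rec["client"], "ip-dst", rec["dst_ip"]))
        labels = rec["host"].split(".")
        # Probe the host and each parent domain (never the bare TLD) so subdomains still match.
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in index["domain"]:
                hits.append((rec["client"], "domain", cand))
    return hits
```

Both functions return the same hits on this input; the index only changes how the work scales as indicator feeds and daily log volume grow.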

© 2023 by the Information Processing Society of Japan