Research of the case analysis algorithm in the classification of problem of information security incidents

Author: Zhukov V.G., Shalyapin A.A., Sokolov M.M.

Journal: Siberian Aerospace Journal (Сибирский аэрокосмический журнал) @vestnik-sibsau

Section: Mathematics, mechanics, computer science

Article in issue: No. 3, vol. 16, 2015.

Free access

The article addresses the practical task of determining the strategy for responding to information security incidents in information systems with the help of case-based analysis. The authors examine the process approach to incident management and its main stages. According to regulatory requirements, the incident management process involves four steps: detection of an incident, incident response, investigation, and corrective actions. At the second stage the pressing problem is a prompt response to information security incidents: it is necessary to decide which strategy should be chosen from a set of specific strategies, or to determine that no appropriate strategy exists and therefore one must be formed. As a solution to the problem of response strategy selection, the case-based analysis apparatus is proposed. To solve this problem a simplified cycle of case-based reasoning is used, one that does not include the stage of adapting response scenarios. The classification is based on the number of analogies found and the value of the similarity degree. Incidents are compared with case classes on the basis of the similarities found in each class. According to the degree of similarity, an incident corresponds to a specific case in the class and to the response strategy associated with it. In accordance with the proposed concept of incident analysis, a new algorithm for classifying information security incidents in information systems based on case-based and statistical analysis was developed. The developed algorithm differs from the well-known ones in the automatic selection of the optimal threshold value using ROC analysis. The algorithm allows the criterion of maximum classifier quality to be selected depending on the permissible values of errors of the first and second kind under the given circumstances. The effectiveness of the developed algorithm was assessed.
The proposed concept of building a case-based system for information security incidents increases responsiveness and allows previous experience to be reused in the process of information security incident management.
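The following is an added illustration of the idea described in the abstract, not code from the authors or from the article: a small case base of past incidents, classification by counting analogies per class above a similarity threshold, and automatic selection of that threshold by sweeping candidate values over a labelled validation set and picking the point on the ROC curve that maximizes a quality criterion. The case base, the validation incidents, the Jaccard similarity measure and the criterion TPR minus a weighted FPR (the weight standing in for the permissible ratio of errors of the first and second kind) are all assumptions of this example, chosen to keep it self-contained.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    attrs: frozenset   # observable attributes of the past incident
    cls: str           # incident class the case belongs to
    strategy: str      # response strategy that resolved it


# Constructed case base (illustrative, not taken from the article).
CASE_BASE = [
    Case(frozenset({"many_failed_logins", "single_source_ip", "ssh"}), "brute_force", "block_source_ip"),
    Case(frozenset({"many_failed_logins", "many_source_ips", "web_login"}), "brute_force", "enable_rate_limit"),
    Case(frozenset({"outbound_beacon", "unknown_process", "persistence"}), "malware", "isolate_host"),
    Case(frozenset({"outbound_beacon", "encoded_dns", "unknown_process"}), "malware", "isolate_host"),
    Case(frozenset({"large_outbound_transfer", "off_hours", "db_access"}), "data_exfil", "revoke_credentials"),
]

# Constructed validation set: (attributes, true class or None for an incident
# that matches no known class and should therefore get no strategy).
VALIDATION = [
    (frozenset({"many_failed_logins", "single_source_ip", "ssh", "off_hours"}), "brute_force"),
    (frozenset({"outbound_beacon", "unknown_process", "encoded_dns", "persistence"}), "malware"),
    (frozenset({"large_outbound_transfer", "db_access", "off_hours", "many_source_ips"}), "data_exfil"),
    (frozenset({"phishing_email", "credential_prompt", "off_hours"}), None),
    (frozenset({"usb_device", "unknown_process"}), None),
    (frozenset({"many_failed_logins", "many_source_ips", "vpn_login"}), "brute_force"),
]


def similarity(a, b):
    """Jaccard similarity between two attribute sets (assumed measure)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(incident, case_base, threshold):
    """Return (class, strategy, similarity) or None when no case is similar enough.

    Every case with similarity >= threshold counts as one analogy for its class.
    The class with the most analogies wins; ties go to the class holding the
    single most similar case, and that case supplies the response strategy.
    """
    per_class = {}  # cls -> (analogy count, best similarity, best case)
    for case in case_base:
        s = similarity(incident, case.attrs)
        if s < threshold:
            continue
        hits, best_s, best_case = per_class.get(case.cls, (0, -1.0, None))
        if s > best_s:
            best_s, best_case = s, case
        per_class[case.cls] = (hits + 1, best_s, best_case)
    if not per_class:
        return None
    cls, (_, best_s, best_case) = max(per_class.items(), key=lambda kv: (kv[1][0], kv[1][1]))
    return cls, best_case.strategy, best_s


def roc_points(validation, case_base, thresholds):
    """(threshold, TPR, FPR) for each threshold over the labelled validation set.

    A known-class incident counts as a true positive only when it is matched to
    its own class; a miss or a wrong class is counted as a false negative.
    A novel incident matched to any class is a false positive.
    The validation set is assumed to contain both kinds of incident.
    """
    points = []
    for t in thresholds:
        tp = fn = fp = tn = 0
        for attrs, true_cls in validation:
            result = classify(attrs, case_base, t)
            matched = result[0] if result else None
            if true_cls is not None:
                if matched == true_cls:
                    tp += 1
                else:
                    fn += 1
            elif matched is None:
                tn += 1
            else:
                fp += 1
        points.append((t, tp / (tp + fn), fp / (fp + tn)))
    return points


def select_threshold(validation, case_base, false_alarm_weight=1.0):
    """Pick the threshold maximizing TPR - w * FPR; w encodes how much more a
    false alarm (error of the first kind) costs than a miss (second kind)."""
    candidates = sorted({similarity(a, c.attrs) for a, _ in validation for c in case_base} - {0.0})
    return max(roc_points(validation, case_base, candidates),
               key=lambda p: p[1] - false_alarm_weight * p[2])


if __name__ == "__main__":
    t, tpr, fpr = select_threshold(VALIDATION, CASE_BASE)
    print(f"selected threshold={t:.3f} TPR={tpr:.2f} FPR={fpr:.2f}")
    for attrs, _ in VALIDATION:
        print(sorted(attrs), "->", classify(attrs, CASE_BASE, t))
```

With the constructed data the sweep settles on a threshold of 0.5: at 0.75 the VPN brute-force incident is missed, while at 0.25 a novel incident is wrongly matched to the malware class, so neither extreme maximizes the criterion. Raising `false_alarm_weight` moves the choice toward stricter thresholds, which is the knob the abstract describes for trading errors of the first kind against errors of the second kind.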


Keywords: information security, incident, response strategy, case-based analysis, case

Short address: https://sciup.org/148177455

IDR: 148177455

Scientific article