
Intrusion-detection for incident-response, using a military battlefield-intelligence process

  • J. Yuill
  • F. Wu
  • J. Settle
  • F. Gong
  • R. Forno
  • M. Huang
  • J. Asbery

Research output: Article, peer-reviewed

25 citations (Scopus)

Abstract

A network device is considered compromised when one of its security mechanisms is defeated by an attacker. For many networks, an attacker can compromise many devices before being discovered. However, investigating devices for compromise is costly and time-consuming, making it difficult to investigate all, or even most, of a network's devices. Further, investigation can yield false-negative results. This paper describes an intrusion-detection (ID) technique for incident-response. During an attack, the attacker reveals information about himself and about network vulnerabilities. This information can be used to identify the network's likely compromised devices (LCDs). Knowledge of LCDs is useful when limited resources allow only some of the network's devices to be investigated. During an on-going attack, knowledge of LCDs is also useful for tactical planning. The ID technique is based on the US military's battlefield-intelligence process. Models are constructed of the network, as the battlespace. Also, models are constructed of the attacker's capabilities, intentions, and courses-of-action. The Economics of Crime, a theory which explains criminal behavior, is used to model the attacker's courses-of-action. The models of the network and the attacker are used to identify the devices most likely to be compromised.
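The abstract describes the idea at a high level: combine a model of the network (the battlespace) with what the attacker has already revealed (capabilities, foothold, intentions) and a cost-versus-payoff view of the attacker's choices, then rank devices so that a limited investigation budget is spent on the likely compromised devices (LCDs) first. The following Python block is an added illustration of that prioritisation loop; it is not code from the paper and does not reproduce the authors' battlefield-intelligence models. The network, the device values, the "demonstrated capabilities" set and the payoff-over-effort scoring rule are all constructed assumptions chosen to make the mechanics visible.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed toy network (assumption, not from the paper). For each device:
# the weaknesses it exposes, its value to an attacker, and the devices it can reach.
NETWORK: Dict[str, dict] = {
    "dmz-web": {"vulns": {"iis-traversal"}, "value": 3, "links": {"app-1", "db-1"}},
    "app-1":   {"vulns": {"ssh-weak-pw"},   "value": 5, "links": {"db-1", "file-1"}},
    "db-1":    {"vulns": {"ssh-weak-pw"},   "value": 9, "links": {"file-1"}},
    "file-1":  {"vulns": {"smb-anon"},      "value": 6, "links": set()},
    "hr-ws":   {"vulns": {"iis-traversal"}, "value": 2, "links": set()},
}

# Constructed attacker evidence gathered during the incident (assumption):
# which device is confirmed compromised, and which weaknesses the attacker has
# already shown they can exploit. This is the "information the attacker reveals".
KNOWN_COMPROMISED: Set[str] = {"dmz-web"}
DEMONSTRATED_CAPABILITIES: Set[str] = {"iis-traversal", "ssh-weak-pw"}


def exploitable_reach(network: Dict[str, dict], compromised: Set[str],
                      capabilities: Set[str]) -> Dict[str, int]:
    """Breadth-first search over the attack graph.

    An edge u -> v exists when u can reach v on the network AND v exposes a
    weakness the attacker has demonstrated the ability to exploit. Returns the
    hop distance of each reachable device from the nearest known-compromised one.
    """
    hops = {d: 0 for d in compromised}
    queue = deque(compromised)
    while queue:
        u = queue.popleft()
        for v in network[u]["links"]:
            if v in hops:
                continue
            if network[v]["vulns"] & capabilities:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops


def rank_likely_compromised(network: Dict[str, dict], compromised: Set[str],
                            capabilities: Set[str]) -> List[Tuple[str, float]]:
    """Score each not-yet-confirmed device by payoff over effort.

    Stand-in for the paper's course-of-action model: a rational attacker prefers
    valuable targets that cost few exploitation steps from the current foothold.
    Devices the attacker cannot reach with demonstrated capabilities score 0.
    """
    hops = exploitable_reach(network, compromised, capabilities)
    scored = []
    for dev, info in network.items():
        if dev in compromised:
            continue
        score = info["value"] / (1 + hops[dev]) if dev in hops else 0.0
        scored.append((dev, score))
    # Highest score first; ties broken by name so the ordering is deterministic.
    scored.sort(key=lambda t: (-t[1], t[0]))
    return scored


def investigation_plan(ranked: List[Tuple[str, float]], budget: int) -> List[str]:
    """With resources for only `budget` investigations, pick the top-scored
    devices and skip any that the evidence does not put within reach."""
    return [dev for dev, score in ranked[:budget] if score > 0]


if __name__ == "__main__":
    ranked = rank_likely_compromised(NETWORK, KNOWN_COMPROMISED, DEMONSTRATED_CAPABILITIES)
    for dev, score in ranked:
        print(f"{dev:8s} {score:.2f}")
    print("investigate first:", investigation_plan(ranked, budget=2))
```

With the constructed input, `db-1` (high value, one exploitable hop from the foothold) ranks ahead of `app-1`, while `file-1` scores 0 because its only weakness is one the attacker has not shown they can use, and `hr-ws` scores 0 because nothing reachable links to it. The practical caveat is the same one the abstract raises: a zero score says the evidence so far does not support compromise, not that the device is clean, so the plan should be re-run as new attacker capabilities are observed.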

Original language: English
Pages (from - to): 671-697
Number of pages: 27
Journal: Computer Networks
Volume: 34
Issue number: 4
DOIs
Publication status: Published - Oct 2000

UN SDG

This research output contributes to the following Sustainable Development Goal(s):

  1. SDG 16 - Peace, Justice and Strong Institutions

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
