InfoSec Seminar: Towards Scientific Incident Response

Speaker: Jonathan Spring

Date/Time: 04-Oct-2018, 16:00 UTC

Venue: Robert 3.09



A scientific incident analysis is one with a methodical, justifiable approach to the human decision-making process. Incident analysis is a good target for additional rigor because it is the most human-intensive part of incident response. Our goal is to provide the tools necessary for specifying precisely the reasoning process in incident analysis. Such tools are lacking, and are a necessary (though not sufficient) component of a more scientific analysis process. To reach this goal, we adapt tools from program verification that can capture and test abductive reasoning. As Charles Peirce coined the term in 1900, "Abduction is the process of forming an explanatory hypothesis. It is the only logical operation which introduces any new idea." We reference canonical examples as paradigms of decision-making during analysis. With these examples in mind, we design a logic capable of expressing decision-making during incident analysis. The result is that we can express, in machine-readable and precise language, the abductive hypotheses that an analyst makes, and the results of evaluating them. This result is beneficial because it opens up the opportunity of genuinely comparing analyst processes without revealing sensitive system details, as well as opening an opportunity towards improved decision support via limited automation.




Jonathan Spring is a PhD student at UCL in PPLV, Infosec, and STS. He has about 5 years of experience with the CERT program at Carnegie Mellon University's Software Engineering Institute, where he has studied network and DNS analysis and threat intelligence. He also has experience as a research fellow with ICANN's SSAC and as an adjunct professor at the University of Pittsburgh.

