Cloud Incident Response Framework and AI-Based Forensics Using Reinforcement Learning and Graph Neural Networks


Research area: Safety



Conference: 2024 IEEE 15th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)


Abstract

In today's digital landscape, cloud computing is crucial for modern enterprises, but it also introduces significant challenges in Digital Forensics and Incident Response (DFIR). This paper presents a Cloud Incident Response Framework, built on the NIST Incident Response Framework, that addresses the unique complexities of cloud environments. The proposed framework not only spans the four key IR phases (preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities) but also introduces a detailed set of specific activities for each phase, offering a comprehensive, actionable guide tailored to the unique demands of cloud environments. The study employs a rigorous qualitative approach, incorporating insights from industry and academic participants alongside an in-depth examination of a variety of articles, to enhance cloud incident response and digital forensics. The study concludes by outlining the experimental setup for a novel AI-based cloud forensics mechanism that leverages a hybrid model of Reinforcement Learning (RL) and Graph Neural Networks (GNNs) to reduce the noise in cloud logs so that practitioners can focus on investigating true positives. Preliminary results from initial tests have demonstrated a potential reduction in false positives of approximately 15-20%. The paper also highlights potential avenues for further research in this critical domain. In doing so, this paper contributes to our collective understanding of the complex panorama of cloud incident response. Testing and validating this framework, along with the proposed AI-Cloud Forensics mechanism, in real-world cloud environments would be essential to ensure their effectiveness in addressing the evolving challenges of cloud-based forensics and incident response.


Author Profile
Dalal Alharthi

Cyber Intelligence and Information Operations (CIIO) Department, University of Arizona, Tucson, AZ

Andorra

Paper information

Year published: 2024
Citations: 14
Country of publication: Andorra
Site: IEEE