SBIR-STTR Award

Incident Response Decision Aid - irDA
Award last edited on: 2/22/2007

Sponsored Program: SBIR
Awarding Agency: DOD : AF
Total Award Amount: $99,999
Award Phase: 1
Solicitation Topic Code: AF05-106
Principal Investigator: Joe Minieri

Company Information

OpenService Inc

67 Forest Street
Marlborough, MA 01752
(508) 597-5300
info@openservice.com
www.openservice.com
Location: Multiple
Congr. District: 03
County: Middlesex

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year: 2005
Phase I Amount: $99,999
An event correlation and incident response capability is necessary for rapidly detecting damaging and disruptive incidents, minimizing disclosure, alteration, and destruction of digital assets, mitigating the vulnerabilities that were exploited, and restoring computing services. The first line of defense in this war is fought by the Level I information security operators tasked with monitoring the various security software tools. Here we propose to develop an incident response Decision Aid (irDA) that will guide Level I operators in the analysis, verification, notification and remediation of security incidents. In particular, we propose to integrate belief-net-based course of action planning technology with our security threat management correlation engine. The belief-net-based irDA will fuse the outputs of the security threat manager with other in-context digital evidence and dynamically, in real time, recommend the optimal course of action (i.e., analysis, containment, notification, eradication, recovery) to the operator. Given the relatively inexperienced, frequently changing Level I security operator cadre in the DoD workforce, the development of our incident response decision aid will have a substantial impact on improving the risk posture of DoD information assets by providing 24x7 online help to operators.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year: ----
Phase II Amount: ----