A Game-Theoretic Approach for Alert Prioritization

The quantity of information that is collected and stored in computer systems continues to grow rapidly. At the same time, the sensitivity of such information (e.g., detailed medical records) often makes such information valuable to both external attackers, who may obtain information by compromising a system, and malicious insiders, who may misuse information by exercising their authorization. To mitigate compromises and deter misuse, the security administrators of these resources often deploy various types of intrusion and misuse detection systems, which provide alerts of suspicious events that are worthy of follow-up review. However, in practice, these systems may generate a large number of false alerts, wasting the time of investigators. Given that security administrators have limited budget for investigating alerts, they must prioritize certain types of alerts over others. An important challenge in alert prioritization is that adversaries may take advantage of such behavior to evade detection — specifically by mounting attacks that trigger alerts that are less likely to be investigated. In this paper, we model alert prioritization with adaptive adversaries using a Stackelberg game and introduce an approach to compute the optimal prioritization of alert types. We evaluate our approach using both synthetic data and a real-world dataset of alerts generated from the audit logs of an electronic medical record system in use at a large academic medical center.

[1]  Andrew P. Moore,et al.  Common Sense Guide to Mitigating Insider Threats 4th Edition , 2012 .

[2]  Gabriel Maciá-Fernández,et al.  A model-based survey of alert correlation techniques , 2013, Comput. Networks.

[3]  Eugene H. Spafford,et al.  Understanding insiders: An analysis of risk-taking behavior , 2013, Inf. Syst. Frontiers.

[4]  Nicolas Christin,et al.  Audit Games with Multiple Defender Resources , 2014, AAAI.

[5]  Vincent Conitzer,et al.  Stackelberg vs. Nash in Security Games: An Extended Investigation of Interchangeability, Equivalence, and Uniqueness , 2011, J. Artif. Intell. Res..

[6]  Daniel Fabbri,et al.  Explanation-Based Auditing , 2011, Proc. VLDB Endow..

[7]  Neminath Hubballi,et al.  False alarm minimization techniques in signature-based intrusion detection systems: A survey , 2014, Comput. Commun..

[8]  Dario A Giuse,et al.  Integrating best evidence into patient care: a process facilitated by a seamless integration with informatics tools. , 2010, Journal of the Medical Library Association : JMLA.

[9]  Nicolas Christin,et al.  Audit Games , 2013, IJCAI.

[10]  D. Fabbri,et al.  Explaining accesses to electronic medical records using diagnosis information , 2013, J. Am. Medical Informatics Assoc..

[11]  Lillian Røstad,et al.  A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[12]  Dawn M. Cappelli,et al.  Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector , 2005 .