Adaptive Alert Management for Balancing Optimal Performance among Distributed CSOCs using Reinforcement Learning

Large organizations typically have Cybersecurity Operations Centers (CSOCs) distributed at multiple locations that are independently managed, each with its own cybersecurity analyst workforce. Under normal operating conditions, each CSOC location is ideally staffed such that the alerts generated by the sensors in a work-shift are thoroughly investigated by the scheduled analysts in a timely manner. Unfortunately, when adverse events such as an increase in alert arrival rates or a change in alert investigation rates occur, alerts have to wait longer for analyst investigation, which poses a direct risk to the organization. Hence, our research objective is to mitigate the impact of such adverse events by dynamically and autonomously re-allocating alerts to other location(s) such that the performance of all the CSOC locations remains balanced. This is achieved through the development of a novel centralized adaptive decision support system whose task is to re-allocate alerts from the affected locations to other locations. The re-allocation decision is non-trivial because the following must be determined: (1) the timing of a re-allocation decision, (2) the number of alerts to be re-allocated, and (3) the selection of the locations to which the alerts must be distributed. The centralized decision-maker (henceforth referred to as the agent) continuously monitors and controls the level of operational effectiveness (LOE), a quantified performance metric, of all the locations. The agent's decision-making framework is based on the principles of stochastic dynamic programming and is solved using reinforcement learning (RL). In the experiments, the RL approach is compared with both rule-based and load balancing strategies.
By simulating real-world scenarios, learning the best decisions for the agent, and applying the decisions on sample realizations of the CSOC's daily operation, the results show that the RL agent outperforms both approaches by generating (near-) optimal decisions that maintain a balanced LOE among the CSOC locations. Furthermore, the scalability experiments highlight the practicality of adapting the method to a large number of CSOC locations.
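The following toy simulator is an added example and is not code from the paper or its authors. It illustrates the three decisions the abstract names (when to re-allocate, how many alerts, and to which location) with a tabular Q-learning agent and compares it against a threshold rule and a greedy load balancer. The LOE proxy (a linear function of queue backlog), the reward, the state bins, the batch sizes and the adverse-event model (an arrival surge at one random location) are all assumptions made here; the paper's actual LOE metric, state space and reward are not on this page.

```python
"""Toy simulator of alert re-allocation across distributed CSOC locations.

Added example, not code from the paper: the LOE proxy, reward, state bins and
the adverse event (an arrival surge at one location) are assumptions made here
to illustrate when to re-allocate, how many alerts, and to which location.
"""
import random
from itertools import product

N_LOC = 3          # CSOC locations (assumed)
CAPACITY = 10      # alerts one location's shift investigates per step (assumed)
MAX_WAIT = 4       # a backlog of MAX_WAIT * CAPACITY alerts drives LOE to 0 (assumed)
NORMAL_RATE = 7    # mean alert arrivals per step under normal conditions (assumed)
SURGE_RATE = 15    # mean arrivals at the location hit by the adverse event (assumed)
BATCHES = (5, 10)  # batch sizes the agent may re-allocate (assumed)
HORIZON = 30       # time steps per simulated shift (assumed)

# Action 0 is "do nothing"; the others are (source, destination, batch) triples.
ACTIONS = [None] + [(s, d, b) for s, d, b in product(range(N_LOC), range(N_LOC), BATCHES) if s != d]

def loe(backlog):
    """LOE proxy: 1.0 with an empty queue, 0.0 once alerts wait over MAX_WAIT steps."""
    return max(0.0, 1.0 - backlog / (CAPACITY * MAX_WAIT))

def imbalance(backlogs):
    """Gap between the best and worst location; the agent tries to keep it small."""
    levels = [loe(b) for b in backlogs]
    return max(levels) - min(levels)

def reallocate(backlogs, action):
    """Move up to `batch` queued alerts from source to destination."""
    new = list(backlogs)
    if action is None:
        return new, 0
    src, dst, batch = action
    moved = min(batch, new[src])  # cannot move alerts that are not queued
    new[src] -= moved
    new[dst] += moved
    return new, moved

def step(backlogs, action, arrivals):
    """Re-allocate, receive arrivals, then investigate CAPACITY alerts per location.
    Reward (assumed) penalises LOE imbalance plus a small hand-over cost per alert."""
    new, moved = reallocate(backlogs, action)
    new = [max(0, b + a - CAPACITY) for b, a in zip(new, arrivals)]
    return new, -imbalance(new) - 0.005 * moved

def discretise(backlogs):
    """Agent state: each location's LOE binned into low (0), medium (1), high (2)."""
    return tuple(min(2, int(loe(b) * 3)) for b in backlogs)

def run_episode(policy, rng, learner=None):
    """Simulate one shift in which a random location suffers an arrival surge.
    Returns the mean LOE imbalance; `learner` receives every transition."""
    rates = [NORMAL_RATE] * N_LOC
    rates[rng.randrange(N_LOC)] = SURGE_RATE
    backlogs, total = [0] * N_LOC, 0.0
    for _ in range(HORIZON):
        state, a = discretise(backlogs), policy(backlogs, rng)
        arrivals = [rng.randint(r - 2, r + 2) for r in rates]  # constructed arrivals
        backlogs, reward = step(backlogs, ACTIONS[a], arrivals)
        if learner:
            learner(state, a, reward, discretise(backlogs))
        total += imbalance(backlogs)
    return total / HORIZON

def train_q(episodes=3000, seed=0, alpha=0.1, gamma=0.9, eps=0.1):
    """Tabular Q-learning with epsilon-greedy exploration; returns the Q table."""
    rng, Q = random.Random(seed), {}
    greedy = lambda s: max(range(len(ACTIONS)), key=lambda i: Q.get((s, i), 0.0))

    def policy(backlogs, rng):
        return rng.randrange(len(ACTIONS)) if rng.random() < eps else greedy(discretise(backlogs))

    def learner(s, a, r, s2):
        target = r + gamma * Q.get((s2, greedy(s2)), 0.0)
        Q[(s, a)] = Q.get((s, a), 0.0) + alpha * (target - Q.get((s, a), 0.0))

    for _ in range(episodes):
        run_episode(policy, rng, learner)
    return Q

def rl_policy(Q):
    """Greedy policy read off a trained Q table."""
    return lambda b, rng: max(range(len(ACTIONS)), key=lambda i: Q.get((discretise(b), i), 0.0))

def rule_policy(backlogs, rng):
    """Threshold rule: when the worst location's LOE falls below 0.5, move 10 alerts to the best one."""
    worst = min(range(N_LOC), key=lambda i: loe(backlogs[i]))
    best = max(range(N_LOC), key=lambda i: loe(backlogs[i]))
    return ACTIONS.index((worst, best, 10)) if worst != best and loe(backlogs[worst]) < 0.5 else 0

def load_balance_policy(backlogs, rng):
    """Greedy balancer: each step move the largest batch smaller than the queue gap."""
    worst, best = max(range(N_LOC), key=backlogs.__getitem__), min(range(N_LOC), key=backlogs.__getitem__)
    gap = backlogs[worst] - backlogs[best]
    for batch in sorted(BATCHES, reverse=True):
        if gap > batch:
            return ACTIONS.index((worst, best, batch))
    return 0

def evaluate(policy, episodes=200, seed=1):
    """Mean LOE imbalance per step over many simulated shifts (lower is better)."""
    rng = random.Random(seed)
    return sum(run_episode(policy, rng) for _ in range(episodes)) / episodes

if __name__ == "__main__":
    Q = train_q()
    for name, pol in [("no re-allocation", lambda b, r: 0), ("rule-based", rule_policy),
                      ("load balancing", load_balance_policy), ("RL agent", rl_policy(Q))]:
        print(f"{name:17s} mean LOE imbalance = {evaluate(pol):.3f}")
```

Running the script trains the agent on simulated shifts and prints the mean LOE imbalance of each strategy on fresh realizations. The rule decides only timing and uses a fixed batch and destination; the balancer decides every step regardless of LOE; the Q-learning agent picks source, destination, batch and the no-op jointly from the binned LOE state, which is the decision structure the abstract describes. The hand-over cost in the reward is what stops the learned policy from shuffling alerts needlessly.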
