RADAMS: Resilient and Adaptive Alert and Attention Management Strategy against Informational Denial-of-Service (IDoS) Attacks

Attacks exploiting human attentional vulnerability have posed severe threats to cybersecurity. In this work, we identify and formally define a new type of proactive attentional attack called Informational Denial-of-Service (IDoS) attacks, which generate a large volume of feint attacks to overload human operators and hide real attacks among the feints. We incorporate human factors (e.g., levels of expertise, stress, and efficiency) and empirical results (e.g., the Yerkes–Dodson law and the sunk cost fallacy) to model the operators’ attention dynamics and their decision-making processes during real-time alert monitoring and inspection. To assist human operators in dismissing the feints and escalating the real attacks in a timely and accurate manner, we develop a Resilient and Adaptive Data-driven alert and Attention Management Strategy (RADAMS) that selectively deemphasizes alerts based on their observable features. RADAMS uses reinforcement learning to achieve a customized and transferable design for various human operators and evolving IDoS attacks. The integrated modeling and theoretical analysis lead to the Product Principle of Attention (PPoA), fundamental limits, and the tradeoff among crucial human and economic factors. Experimental results corroborate that the proposed strategy outperforms the default strategy and can reduce the IDoS risk by as much as 20%. Moreover, the strategy is resilient to large variations in costs, attack frequencies, and human attention capacities. We have also identified interesting phenomena such as attentional risk equivalency, the attacker’s dilemma, and the half-truth optimal attack strategy.
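The following toy simulation is an added illustration of the IDoS mechanism described above; it is not the paper's model or code. It assumes a single operator who inspects alerts serially in arrival order with a fixed inspection time, a fixed escalation deadline for real attacks, a constructed alert stream, and a hypothetical observable feature score with a fixed deemphasis threshold; it shows both how a feint flood starves real alerts of attention under the default "inspect everything" policy and the tradeoff that a deemphasis policy can dismiss a real attack whose observable features look benign.

```python
"""Toy IDoS feint-flood simulation (constructed illustration, not the RADAMS model)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Alert:
    t: float        # arrival time (minutes)
    real: bool      # ground truth; unknown to the operator until the alert is inspected
    feature: float  # hypothetical observable feature score in [0, 1], e.g. alert novelty


# Constructed stream: 12 feints arrive in two bursts, just before 3 real attacks.
# Some feints mimic a high feature score; one real attack has a low score.
FEINTS: List[Alert] = ([Alert(0.0, False, 0.2)] * 4 + [Alert(0.0, False, 0.6)] * 2
                       + [Alert(1.0, False, 0.2)] * 5 + [Alert(1.0, False, 0.6)])
REALS: List[Alert] = [Alert(2.0, True, 0.7), Alert(3.0, True, 0.9), Alert(4.0, True, 0.3)]
STREAM: List[Alert] = sorted(FEINTS + REALS, key=lambda a: a.t)  # stable: feints first on ties


def simulate(alerts: List[Alert], keep: Callable[[Alert], bool],
             inspect_time: float = 1.0, deadline: float = 3.0) -> Dict[str, int]:
    """Operator inspects kept alerts one at a time, FIFO by arrival.

    A real attack counts as escalated only if its inspection finishes within
    `deadline` of its arrival. Deemphasized alerts are dismissed unread, so a
    deemphasized real attack is missed outright.
    """
    clock = 0.0  # time at which the operator becomes free
    stats = {"inspected": 0, "escalated": 0, "missed": 0}
    for a in alerts:
        if not keep(a):
            stats["missed"] += int(a.real)
            continue
        clock = max(clock, a.t) + inspect_time  # wait for arrival, then inspect
        stats["inspected"] += 1
        if a.real:
            stats["escalated" if clock - a.t <= deadline else "missed"] += 1
    return stats


def idos_risk(stats: Dict[str, int], c_miss: float = 10.0, c_inspect: float = 0.5) -> float:
    """Weighted cost: a missed real attack dominates, but every inspection costs operator time."""
    return c_miss * stats["missed"] + c_inspect * stats["inspected"]


DEFAULT = lambda a: True                  # default strategy: inspect every alert
DEEMPHASIZE = lambda a: a.feature >= 0.5  # deemphasis: skip alerts with a low observable score

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT), ("deemphasize", DEEMPHASIZE)):
        s = simulate(STREAM, policy)
        print(f"{name:12s} {s} risk={idos_risk(s)}")
```

Under the default policy the twelve feints occupy the operator for twelve minutes, so every real attack is inspected far past its deadline; the deemphasis policy escalates the two high-score real attacks in time but dismisses the low-score one, which is the kind of tradeoff the paper's risk analysis weighs.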
