A Two-Step Approach to Optimal Selection of Alerts for Investigation in a CSOC

A Cyber Security Operations Center (CSOC) is responsible for investigating all the alerts generated by its intrusion detection systems in order to identify suspicious activity in a timely manner. There exists a critical gap between the time needed (demand) and the time available (limited analyst resources) for alert investigation at a CSOC. Hence, alert prioritization is important, and CSOCs employ ad-hoc filtering methods to prune and triage the alerts that are presented to analysts for investigation. One of the major drawbacks of the ad-hoc methods is that they do not comprehensively take into consideration organization-specific factors such as mission and asset criticality, CSOC resource availability, demand variations, and the desired CSOC performance metrics. Hence, an ad-hoc triaging (or prioritization) method is insufficient, and an intelligent method for optimal selection of alerts that considers the above-mentioned organization-specific factors must be developed; this paper describes such a method as a two-step process. First, a composite risk score for each alert is determined using a quantitative value function hierarchy process, which takes into account several organization-specific factors. Second, an optimization model selects a list of alerts for investigation that optimizes the CSOC performance metrics for a given demand, subject to its resource constraints. Experimental results show that alerts pertaining to mission criticalities are handled in a timelier manner than under current CSOC practices. The average persistence time of an alert in the CSOC system is also shown to decrease significantly with this new approach, which is a paradigm shift toward a stronger cyber-defense system that protects the critical constituents of an organization.
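As an added illustration of the two steps (example code, not from the paper): a weighted additive value function stands in for the paper's value function hierarchy, and a 0/1 knapsack solved exactly by dynamic programming stands in for its optimization model, with the total composite risk covered within the analyst-time budget as the performance metric; the factor names, weights, alert data and the oldest-first baseline are all assumptions.

```python
from dataclasses import dataclass
@dataclass
class Alert:
    alert_id: str
    minutes: int    # analyst time the investigation needs (demand on the CSOC)
    factors: dict   # organization-specific factor name -> value scaled to [0, 1]

# Assumed factor weights (sum to 1); a real CSOC elicits these from mission/asset owners.
WEIGHTS = {"mission_criticality": 0.4, "asset_criticality": 0.3, "severity": 0.2, "age": 0.1}

def composite_risk(alert, weights=WEIGHTS):
    """Step 1: weighted additive value function over the factors, giving a score in [0, 1]."""
    return sum(w * alert.factors.get(name, 0.0) for name, w in weights.items())

def select_alerts(alerts, budget_minutes):
    """Step 2: subset maximising total composite risk within the analyst budget (0/1 knapsack, exact DP)."""
    n = len(alerts)
    score = [composite_risk(a) for a in alerts]
    best = [[0.0] * (budget_minutes + 1) for _ in range(n + 1)]  # best[i][b]: first i alerts, budget b
    for i in range(1, n + 1):
        cost, val = alerts[i - 1].minutes, score[i - 1]
        for b in range(budget_minutes + 1):
            best[i][b] = best[i - 1][b]
            if cost <= b and best[i - 1][b - cost] + val > best[i][b]:
                best[i][b] = best[i - 1][b - cost] + val
    chosen, b = [], budget_minutes  # walk the table back to recover the selected set
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(alerts[i - 1].alert_id)
            b -= alerts[i - 1].minutes
    return sorted(chosen), round(best[n][budget_minutes], 6)

def oldest_first(alerts, budget_minutes):
    """Baseline standing in for an ad-hoc queue: take alerts in age order while they fit."""
    chosen, left = [], budget_minutes
    for a in sorted(alerts, key=lambda a: -a.factors.get("age", 0.0)):
        if a.minutes <= left:
            chosen.append(a.alert_id)
            left -= a.minutes
    total = sum(composite_risk(a) for a in alerts if a.alert_id in chosen)
    return sorted(chosen), round(total, 6)

# Constructed sample alerts (not data from the paper); assume 60 analyst-minutes are available.
ALERTS = [
    Alert("A1", 30, {"mission_criticality": 1.0, "asset_criticality": 0.8, "severity": 0.6, "age": 0.2}),
    Alert("A2", 20, {"mission_criticality": 0.2, "asset_criticality": 0.3, "severity": 0.9, "age": 0.9}),
    Alert("A3", 40, {"mission_criticality": 0.9, "asset_criticality": 1.0, "severity": 0.5, "age": 0.5}),
    Alert("A4", 10, {"mission_criticality": 0.1, "asset_criticality": 0.2, "severity": 0.4, "age": 1.0}),
    Alert("A5", 25, {"mission_criticality": 0.6, "asset_criticality": 0.5, "severity": 0.8, "age": 0.3}),
]
```

With a 60-minute budget the optimizer picks A1, A2 and A4 (the mission-critical A1 is investigated first), whereas the age-ordered baseline spends the same budget on A2, A4 and A5 and leaves A1 waiting.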
