Don't Bury your Head in Warnings: A Game-Theoretic Approach for Intelligent Allocation of Cyber-security Alerts

In recent years, there have been a number of successful cyber attacks on enterprise networks by malicious actors. These attacks generate alerts which must be investigated by cyber analysts to determine whether they represent an attack. Unfortunately, there are orders of magnitude more alerts than cyber analysts, a trend expected to continue into the future, creating a need to find optimal assignments of the incoming alerts to analysts in the presence of a strategic adversary. We address this challenge with the following four contributions: (1) a cyber allocation game (CAG) model for the cyber network protection domain, (2) an NP-hardness proof for computing the optimal strategy for the defender, (3) techniques to find the optimal allocation of experts to alerts in CAGs in the general case and in key special cases, and (4) heuristics to achieve significant scale-up in CAGs with minimal loss in solution quality.
