Optimal Monitoring of Security Events
V.S. Subrahmanian (Dartmouth) with S. Jajodia (George Mason), N. Park (University of North Carolina), E. Serra (Boise State)
- Security analysts are swamped by false alarms, leading to considerable wasted time. They examine only “major” alerts, which gives attackers easy strategies for compromising an enterprise.
- Help managed security service providers
- Understand how the adversary may use this asymmetry to better target an enterprise
- Develop methods for the defender to allocate cybersecurity analysts to scrutinize alerts from machines
Key Science Methods & Advances
- Use annotated probabilistic temporal (APT) logic programs to capture information about a network.
- Formalize adversary’s behavior as a set of exploit actions directed at nodes that either maximize probability of success, or maximize expected damage.
- Develop integer program based solutions for attacker.
- Defender must allocate analysts to monitor alerts on machines so as to minimize either the maximal success probability of the attacker or the maximal expected damage caused. We develop linear program based solutions together with column generation methods to solve the problem effectively in practice.
- Develop a highly scalable greedy algorithm as well.
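As an added illustration of the defender's min-max allocation problem above (example code, not from the project): the attacker's best response is the node with the highest success probability, or highest expected damage, and a greedy defender repeatedly assigns the next analyst to that node. The machine values, the per-analyst catch model and the exhaustive check are constructed assumptions, not the paper's APT model.

```python
from itertools import combinations_with_replacement
from typing import Dict, Tuple

# Constructed sample network (hypothetical values, not from the paper):
# machine -> (base success probability of an exploit action against it,
#             probability one analyst scrutinising its alerts catches the attack,
#             damage if the attack succeeds)
MACHINES: Dict[str, Tuple[float, float, float]] = {
    "web":  (0.80, 0.60, 40.0),
    "db":   (0.50, 0.70, 100.0),
    "mail": (0.60, 0.50, 30.0),
    "dev":  (0.70, 0.40, 20.0),
}

def success_probability(m: str, analysts: int) -> float:
    """Attacker success on m when `analysts` analysts watch its alerts.
    Assumption: each analyst independently catches the attack with prob. catch."""
    base, catch, _ = MACHINES[m]
    return base * (1.0 - catch) ** analysts

def attacker_payoff(m: str, analysts: int, damage: bool) -> float:
    """Per-node attacker objective: success probability or expected damage."""
    return success_probability(m, analysts) * (MACHINES[m][2] if damage else 1.0)

def attacker_objective(alloc: Dict[str, int], damage: bool) -> float:
    """Attacker best response: the best node given the defender's allocation."""
    return max(attacker_payoff(m, alloc.get(m, 0), damage) for m in MACHINES)

def greedy_allocate(k: int, damage: bool = False) -> Dict[str, int]:
    """Greedy defender: give each of k analysts to the node the attacker
    currently targets, i.e. the one that maximises the attacker's payoff."""
    alloc = {m: 0 for m in MACHINES}
    for _ in range(k):
        target = max(MACHINES, key=lambda m: attacker_payoff(m, alloc[m], damage))
        alloc[target] += 1
    return alloc

def optimal_allocate(k: int, damage: bool = False) -> Dict[str, int]:
    """Exhaustive min-max over all allocations of k analysts; only feasible
    for tiny instances, used here to check the greedy result."""
    best, best_val = {m: 0 for m in MACHINES}, float("inf")
    for combo in combinations_with_replacement(list(MACHINES), k):
        alloc = {m: combo.count(m) for m in MACHINES}
        val = attacker_objective(alloc, damage)
        if val < best_val:
            best, best_val = alloc, val
    return best

if __name__ == "__main__":
    for damage in (False, True):
        g = greedy_allocate(3, damage)
        print(damage, g, attacker_objective(g, damage), optimal_allocate(3, damage))
```

With three analysts the greedy and exhaustive allocations coincide on this instance; on larger instances the greedy result can be worse than the optimum, which is why the paper pairs it with an exact LP/column-generation solver.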
Results & Impact
- Forecasts are regularly utilized by USG, UN, NGOs and foreign governments around the world
- Project profiled in major media outlets