Published in: International Journal of Information Security 2/2019

09.05.2018 | Regular Contribution

A methodology for ensuring fair allocation of CSOC effort for alert investigation

By: Ankit Shah, Rajesh Ganesan, Sushil Jajodia


Abstract

A Cyber Security Operations Center (CSOC) often sells its services by entering into a service level agreement (SLA) with various customers (organizations) whose network traffic is monitored through sensors. The sensors produce data that are processed by automated systems (such as an intrusion detection system) that issue alerts. All alerts need further investigation by human analysts. The alerts are triaged into high-, medium-, and low-priority alerts, and the high-priority alerts are investigated first by cybersecurity analysts, a process known as priority queueing. In unexpected situations such as (i) higher than expected high-priority alert generation from some sensors, (ii) not enough analysts at the CSOC in a given time interval, and (iii) a new type of alert that increases the time needed to analyze alerts from some sensors, the priority queueing mechanism leads to two major issues: (1) sensors with normal levels of alert generation are analyzed less than those with excessive high-priority alerts, with the potential for complete starvation of alert analysis for sensors that generate only medium- or low-priority alerts, and (2) this ad hoc allocation of CSOC effort to sensors with excessive high-priority alerts over other sensors results in SLA violations, and there is no enforcement mechanism to ensure that the service a CSOC actually provides matches the SLA. This paper develops a new dynamic weighted alert queueing mechanism (DWQ) which relates the CSOC effort promised under the SLA to the effort actually allocated in practice, and ensures via a technical enforcement system that the total CSOC effort is divided proportionally among customers such that fairness is guaranteed in the long run. The results indicate that the DWQ mechanism outperforms the priority queueing method by not only analyzing high-priority alerts first but also ensuring fairness in the CSOC effort allocated to all its customers and providing a starvation-free alert investigation process.
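The starvation problem described in the abstract, and the effect of a share-based allocation, can be seen in a small simulation. The following is an added example, not code from the paper (whose DWQ algorithm is not reproduced on this page): it contrasts a strict global priority queue with a simple weighted proportional-share rule ("serve the customer farthest below its SLA share, and within that customer the highest-priority alert first"). The three customers, their 50/30/20 % SLA weights, the alert counts, the 5-minute service times and the 100-analyst-minute interval are all constructed assumptions.

```python
"""Strict priority queueing versus a weighted proportional-share scheduler
for CSOC alert investigation.

Added example for illustration only. The customers, SLA weights, alert
counts, service times and the scheduling rule below are assumptions; the
paper's own DWQ algorithm is not reproduced on this page.
"""
from dataclasses import dataclass
from fractions import Fraction

HIGH, MEDIUM, LOW = 0, 1, 2          # lower number = higher priority


@dataclass
class Alert:
    customer: str
    priority: int
    service: int                     # analyst-minutes to investigate (assumed)


# Contracted effort shares from the SLA: A 50 %, B 30 %, C 20 % (assumed).
SLA_WEIGHTS = {"A": 5, "B": 3, "C": 2}
# Analyst-minutes available in the interval (assumed, e.g. one analyst for 100 min).
CAPACITY = 100


def build_workload():
    """Constructed backlog at the start of the interval: customer A floods
    high-priority alerts (alone exceeding the whole capacity), B has medium
    and low, C has only low-priority alerts. Every alert takes 5 minutes."""
    alerts = [Alert("A", HIGH, 5) for _ in range(20)]      # 100 min of HIGH
    alerts += [Alert("B", MEDIUM, 5) for _ in range(6)]    #  30 min of MEDIUM
    alerts += [Alert("B", LOW, 5) for _ in range(4)]       #  20 min of LOW
    alerts += [Alert("C", LOW, 5) for _ in range(10)]      #  50 min of LOW
    return alerts


def strict_priority(alerts, weights, capacity):
    """Global priority queue: always take the highest-priority pending alert,
    whichever customer it belongs to. Returns analyst-minutes per customer."""
    served = {c: 0 for c in weights}
    used = 0
    for a in sorted(alerts, key=lambda a: a.priority):   # stable: FIFO within a priority
        if used + a.service > capacity:
            break                                          # interval budget exhausted
        served[a.customer] += a.service
        used += a.service
    return served


def proportional_share(alerts, weights, capacity):
    """Weighted proportional share: each time an analyst is free, pick the
    customer farthest below its SLA share (smallest served/weight, ties to
    the customer listed first in `weights`), then investigate that customer's
    highest-priority pending alert. A flood from one customer can therefore
    not starve the others, and within each customer HIGH still goes first."""
    queues = {c: [] for c in weights}
    for a in alerts:
        queues[a.customer].append(a)
    for q in queues.values():
        q.sort(key=lambda a: a.priority)                  # HIGH first inside each queue
    served = {c: 0 for c in weights}
    used = 0
    while True:
        candidates = [c for c in weights if queues[c]]
        if not candidates:
            break
        # Exact rational arithmetic so that equal shares really tie.
        c = min(candidates, key=lambda k: Fraction(served[k], weights[k]))
        a = queues[c][0]
        if used + a.service > capacity:
            break                                          # interval budget exhausted
        queues[c].pop(0)
        served[c] += a.service
        used += a.service
    return served


def effort_shares(served):
    """Fraction of the total effort each customer actually received."""
    total = sum(served.values())
    return {c: round(v / total, 3) for c, v in served.items()} if total else {}


def starved(served):
    """Customers whose alerts were not investigated at all in the interval."""
    return [c for c, v in served.items() if v == 0]


if __name__ == "__main__":
    for name, sched in (("strict priority", strict_priority),
                        ("proportional share", proportional_share)):
        result = sched(build_workload(), SLA_WEIGHTS, CAPACITY)
        print(f"{name:19s} minutes={result} shares={effort_shares(result)} "
              f"starved={starved(result)}")
```

Under strict priority the whole interval goes to customer A's high-priority flood and B and C receive nothing, which is exactly the starvation and SLA violation the abstract describes. The share-based rule spends 50/30/20 minutes on A/B/C, matching the contracted weights, while still serving B's medium-priority alerts before its low-priority ones. A real scheduler would also have to account for analysts becoming free at different times and for alerts arriving during the interval; this example deliberately works on a fixed backlog so that the allocation can be checked by hand.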


Metadata
Title
A methodology for ensuring fair allocation of CSOC effort for alert investigation
Authors
Ankit Shah
Rajesh Ganesan
Sushil Jajodia
Publication date
09.05.2018
Publisher
Springer Berlin Heidelberg
Published in
International Journal of Information Security / Issue 2/2019
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI
https://doi.org/10.1007/s10207-018-0407-3
