Top

Service Oriented Computing and Applications

Published in:

06-04-2018 | Original Research Paper

Adaptive reallocation of cybersecurity analysts to sensors for balancing risk between sensors

Authors: Ankit Shah, Rajesh Ganesan, Sushil Jajodia, Hasan Cam

Published in: Service Oriented Computing and Applications | Issue 2/2018

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Cyber Security Operations Center (CSOC) is a service-oriented system. Analysts work in shifts, and the goal at the end of each shift is to ensure that all alerts from each sensor (client) are analyzed. The goal is often not met because the CSOC is faced with adverse conditions such as variations in alert generation rates or in the time taken to thoroughly analyze new alerts. Current practice at many CSOCs is to pre-assign analysts to sensors based on their expertise, and the alerts from the sensors are triaged, queued, and presented to analysts. Under adverse conditions, some sensors have more number of unanalyzed alerts (backlogs) than others, which results in a major security gap for the clients if left unattended. Hence, there is a need to dynamically reallocate analysts to sensors; however, there does not exist a mechanism to ensure the following objectives: (i) balancing the number of unanalyzed alerts among sensors while maximizing the number of alerts investigated by optimally reallocating analysts to sensors in a shift, (ii) ensuring desirable properties of the CSOC: minimizing the disruption to the analyst to sensor allocation made at the beginning of the shift when analysts report to work, balancing of workload among analysts, and maximizing analyst utilization. The paper presents a technical solution to achieve the objectives and answers two important research questions: (i) detection of triggers, which determines when-to reallocate, and (ii) how to optimally reallocate analysts to sensors, which enable a CSOC manager to effectively use reallocation as a decision-making tool.

previous article Adaptive security architecture for protecting RESTful web services in enterprise computing environment

next article A multi-agent-based framework for cloud service discovery and selection using ontology

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Barbará D, Jajodia S (eds) (2002) Application of data mining in computer security, advances in information security, vol 6. Springer, New YorkMATH

Di Pietro R, Mancini LV (eds) (2008) Intrusion detection systems, advances in information security, vol 38. Springer, New York

Altner DS, Rojas AC, Servi LD (2017) A two-stage stochastic program for multi-shift, multi-analyst, workforce optimization with multiple on-call options. J Sched. https://doi.org/10.1007/s10951-017-0554-9

Bejtlich R (2005) The tao of network security monitoring: beyond intrusion detection. Pearson Education Inc, London

Bhatt S, Manadhata PK, Zomlot L (2014) The operational role of security information and event management systems. IEEE Secur Priv 12(5):35–41CrossRef

Borovkov AA (2012) Stochastic processes in queueing theory, vol 4. Springer Science & Business Media, New York

Cio D (2008) Cyber crime handbook. Department of Navy, Washington

Cleveland B, Mayben J (1997) Call center management on fast forward: succeeding in today’s dynamic inbound environment. Call Center Press, Berkeley

Crothers T (2002) Implementing intrusion detection systems. Wiley, New York

10.

D’Amico A, Whitley K (2008) The Real Work of Computer Network Defense Analysts. In: VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security. Springer, Berlin Heidelberg

11.

Erbacher RF, Hutchinson SE (2012) Extending case-based reasoning to network alert reporting. In: 2012 ASE international conference on cyber security, pp 187–194

12.

Erlang AK (1909) The theory of probabilities and telephone conversations. Nyt Tidsskr Mat B 20(6):87–98

13.

Fomundam SF, Herrmann JW (2007) A survey of queuing theory applications in healthcare. Technical Report 2007-24, The Institute for Systems Research

14.

Ganesan R, Jajodia S, Shah A, Cam H (2016) Dynamic scheduling of cybersecurity analysts for minimizing risk using reinforcement learning. ACM Trans Intell Syst Technol 8(1):4:1–4:21

15.

Ganesan R, Jajodia S, Cam H (2017) Optimal scheduling of cybersecurity analyst for minimizing risk. ACM Trans Intell Syst Technol 8(4):52:1–52:32

16.

Goodall JR, Lutters WG, Komlodi A (2004) I know my network: collaboration and expertise in intrusion detection. In: Proceedings of the 2004 ACM conference on computer supported cooperative work, pp 342–345

17.

Hur D, Mabert VA, Bretthauer KM (2004) Real-time work schedule adjustment decisions: an investigation and evaluation. Prod Oper Manag 13(4):322–339

18.

Ignizio JP (1983) Generalized goal programming an overview. Comput Oper Res 10(4):277–289MathSciNetCrossRef

19.

Julisch K, Dacier M (2002) Mining intrusion detection alarms for actionable knowledge. In: Proceedings of the eighth ACM SIGKDD international conference on knowledge discovery and data mining, pp 366–375

20.

Kelton WD, Sadowski RP, Swets NB (2010) Simulation with arena, 5th edn. McGraw-Hill, New York

21.

Killcrece G, Kossakowski KP, Ruefle R, Zajicek M (2003) State of the practice of computer security incident response teams (csirts). Tech. Rep. CMU/SEI-2003-TR-001, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA

22.

Koole G, Mandelbaum A (2002) Queueing models of call centers: an introduction. Ann Oper Res 113(1):41–59MathSciNetCrossRefMATH

23.

Loucks JS, Jacobs FR (1991) Tour scheduling and task assignment of a heterogeneous work force: a heuristic approach. Decis Sci 22(4):719–738CrossRef

24.

Love RR, Hoey JM (1990) Management science improves fast-food operations. Interfaces 20(2):21–29CrossRef

25.

Menasce DA, Almeida VA, Dowdy LW, Dowdy L (2004) Performance by design: computer capacity planning by example. Prentice Hall Professional, Upper Saddle River

26.

Nelson RT, Holloway CA, Mei-Lun Wong R (1977) Centralized scheduling and priority implementation heuristics for a dynamic job shop model. AIIE Trans 9(1):95–102CrossRef

27.

Northcutt S, Novak J (2002) Network intrusion detection, 3rd edn. New Riders Publishing, Thousand Oaks

28.

O’Connor EJ, Peters LH, Rudolf CJ, Pooyan A (1982) Situational constraints and employee affective reactions: a partial field replication. Group Organ Stud 7(4):418–428CrossRef

29.

Rasoulifard A, Bafghi AG, Kahani M (2008) Incremental hybrid intrusion detection using ensemble of weak classifiers. In: Advances in computer science and engineering. Springer, pp 577–584

30.

Scarfone K, Mell P (2007) Guide to intrusion detection and prevention systems (IDPS). Special Publication 800-94, NIST

31.

Shah A, Ganesan R, Jajodia S, Cam H (2018) A methodology to measure and monitor level of operational effectiveness of a CSOC. Int J Inf Secur 17(2):121–134. https://doi.org/10.1007/s10207-017-0365-1 CrossRef

32.

Sommer R, Paxson V (2010) Outside the closed world: On using machine learning for network intrusion detection. In: Proceedings of IEEE symposium on security and privacy, pp 305–316

33.

Sundaramurthy SC, Bardas AG, Case J, Ou X, Wesch M, McHugh J, Rajagopalan SR (2015) A human capital model for mitigating security analyst burnout. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), USENIX Association, pp 347–359

34.

Sundaramurthy SC, McHugh J, Ou X, Wesch M, Bardas AG, Rajagopalan SR (2016) Turning contradictions into innovations or: How we learned to stop whining and improve security operations. In: Twelfth symposium on usable privacy and security (SOUPS 2016), USENIX Association, pp 237–250

35.

Vieira GE, Herrmann JW, Lin E (2003) Rescheduling manufacturing systems: a framework of strategies, policies, and methods. J Sched 6(1):39–62MathSciNetCrossRefMATH

36.

Winston W (2003) Operations research. Cengage Learning, New York

37.

Zimmerman C (2014) The strategies of a world-class cybersecurity operations center. The MITRE Corporation, McLean

Title: Adaptive reallocation of cybersecurity analysts to sensors for balancing risk between sensors
Authors: Ankit Shah
Rajesh Ganesan
Sushil Jajodia
Hasan Cam
Publication date: 06-04-2018
Publisher: Springer London
Published in: Service Oriented Computing and Applications / Issue 2/2018
Print ISSN: 1863-2386
Electronic ISSN: 1863-2394
DOI: https://doi.org/10.1007/s11761-018-0235-3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 2/2018

Associate multi-task scheduling algorithm based on self-adaptive inertia weight particle swarm optimization with disruption operator and chaos operator in cloud environment

A multi-agent-based framework for cloud service discovery and selection using ontology

Non-functional parameters and automatic generation and publishing for Web service description improvement

A Web service search engine for large-scale Web service discovery based on the probabilistic topic modeling and clustering

Adaptive security architecture for protecting RESTful web services in enterprise computing environment

Spatial-aware service management in a pervasive environment

Premium Partner