
A methodology for ensuring fair allocation of CSOC effort for alert investigation

  • Regular Contribution
International Journal of Information Security

Abstract

A Cyber Security Operations Center (CSOC) often sells its services by entering into a service level agreement (SLA) with each customer (organization) whose network traffic it monitors through sensors. The sensors produce data that are processed by automated systems (such as an intrusion detection system) that issue alerts, and every alert needs further investigation by a human analyst. Alerts are triaged into high-, medium-, and low-priority alerts, and the high-priority alerts are investigated first by the cybersecurity analysts, a process known as priority queueing. In unexpected situations such as (i) higher than expected high-priority alert generation from some sensors, (ii) too few analysts at the CSOC in a given time interval, and (iii) a new type of alert that increases the time needed to analyze alerts from some sensors, the priority queueing mechanism leads to two major issues: (1) sensors with normal levels of alert generation receive less analysis than those with excessive high-priority alerts, with the potential for complete starvation of alert analysis for sensors that raise only medium- or low-priority alerts, and (2) this ad hoc allocation of CSOC effort to the sensors with excessive high-priority alerts results in SLA violations for the other customers, and there is no enforcement mechanism to ensure that the service actually provided by the CSOC matches the SLA. This paper develops a new dynamic weighted alert queueing mechanism (DWQ) that relates the CSOC effort promised in the SLA to the effort actually allocated in practice, and ensures via a technical enforcement system that the total CSOC effort is divided among customers in proportion to their SLAs, so that fairness is guaranteed in the long run. The results indicate that the DWQ mechanism outperforms the priority queueing method: it still analyzes high-priority alerts first, but also ensures fairness in the CSOC effort allocated to all customers and provides a starvation-free alert investigation process.
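The starvation problem described above, and the kind of weighted allocation that avoids it, can be made concrete with a small simulation. The code below is an added example written for this page; it is not the paper's Algorithm 1 (which the page does not reproduce) and it does not claim to match the paper's DWQ model. It contrasts a global priority queue with a weighted deficit-round-robin scheduler over per-customer priority queues, a standard fair-queueing technique applied here to analyst effort. The sensor names, SLA shares, alert counts and the assumption that each alert has a known investigation time in analyst-minutes are all constructed for illustration.

```python
"""Added example: global priority queueing versus a weighted,
deficit-round-robin allocation of analyst effort across customers.
Illustrative code for this page, not the paper's Algorithm 1; sensor
names, SLA shares, alert counts and service times are constructed."""
import heapq
from collections import defaultdict
from dataclasses import dataclass

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Alert:
    sensor: str     # customer / sensor the alert came from
    priority: str   # "high", "medium" or "low"
    service: int    # analyst-minutes needed to investigate (assumed known)
    seq: int        # arrival order; FIFO tie-break within one priority


def _key(alert):
    # Highest priority first, then oldest first.
    return (PRIORITY_RANK[alert.priority], alert.seq)


def constructed_workload():
    """Constructed input: sensor A floods with high-priority alerts while
    sensor B raises only low-priority ones."""
    alerts = [Alert("A", "high", 10, i) for i in range(40)]
    alerts += [Alert("B", "low", 10, i) for i in range(20)]
    return alerts


def priority_queueing(alerts, budget):
    """Global priority queue: analysts always take the highest-priority
    alert in the whole CSOC, regardless of customer.  Returns the alerts
    investigated, in order, within `budget` analyst-minutes."""
    heap = [(_key(a), i, a) for i, a in enumerate(alerts)]
    heapq.heapify(heap)
    served, used = [], 0
    while heap and used + heap[0][2].service <= budget:
        _, _, a = heapq.heappop(heap)
        served.append(a)
        used += a.service
    return served


def weighted_dwq(alerts, shares, budget, quantum=20):
    """Weighted deficit round robin over per-customer priority queues.
    Each round, every backlogged customer earns quantum*share minutes of
    credit and then investigates its own highest-priority alerts while the
    credit covers them.  Credit is dropped when a queue drains (the DRR
    rule), so an idle customer cannot bank effort and later monopolise
    analysts.  `shares` maps customer -> SLA fraction of total effort."""
    queues = {s: [] for s in shares}
    for i, a in enumerate(alerts):
        if a.sensor not in shares:
            raise ValueError(f"no SLA share for sensor {a.sensor!r}")
        heapq.heappush(queues[a.sensor], (_key(a), i, a))
    credit = defaultdict(float)
    served, used = [], 0
    while used < budget and any(queues.values()):
        for s in sorted(shares):          # fixed round order
            if not queues[s]:
                credit[s] = 0.0           # no banking while idle
                continue
            credit[s] += quantum * shares[s]
            while queues[s] and credit[s] >= queues[s][0][2].service:
                if used + queues[s][0][2].service > budget:
                    return served         # analyst budget exhausted
                _, _, a = heapq.heappop(queues[s])
                credit[s] -= a.service
                served.append(a)
                used += a.service
            if not queues[s]:
                credit[s] = 0.0
    return served


def effort_by_sensor(served):
    """Analyst-minutes received per customer."""
    effort = defaultdict(int)
    for a in served:
        effort[a.sensor] += a.service
    return dict(effort)


if __name__ == "__main__":
    alerts = constructed_workload()
    shares = {"A": 0.5, "B": 0.5}
    print("priority queueing  :", effort_by_sensor(priority_queueing(alerts, 300)))
    print("weighted (DWQ-like):", effort_by_sensor(weighted_dwq(alerts, shares, 300)))
```

With 300 analyst-minutes available, the global priority queue spends all of it on sensor A's high-priority flood and sensor B receives nothing, which is the starvation case from the abstract. The weighted scheduler splits the same budget 150/150 under equal SLA shares, and within each customer still serves high before medium before low. Two practical caveats: the split is only as fair as the quantum is small relative to alert service times (a 0.75/0.25 share with a 40-minute quantum lands at 230/70 rather than 225/75 in this workload), and the DRR reset means fairness is guaranteed over the long run among customers that actually have a backlog, not instant by instant.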



Acknowledgements

The authors would like to thank Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research.

Author information


Correspondence to Sushil Jajodia.

Additional information

Shah, Ganesan, and Jajodia were partially supported by the Army Research Office under Grants W911NF-13-1-0421 and W911NF-15-1-0576 and by the Office of Naval Research under Grant N00014-15-1-2007.

APPENDIX

In this appendix, the algorithm for executing the DWQ model is presented (Algorithm 1).



Cite this article

Shah, A., Ganesan, R. & Jajodia, S. A methodology for ensuring fair allocation of CSOC effort for alert investigation. Int. J. Inf. Secur. 18, 199–218 (2019). https://doi.org/10.1007/s10207-018-0407-3
