A Game-Theoretic Approach for Alert Prioritization
Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan, Bradley Malin

Citation
Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan, Bradley Malin. "A Game-Theoretic Approach for Alert Prioritization". AAAI-17 Workshop on Artificial Intelligence for Cyber Security (AICS), February, 2017.

Abstract
The quantity of information that is collected and stored in computer systems continues to grow rapidly. At the same time, the sensitivity of such information (e.g., detailed medical records) often makes such information valuable to both external attackers, who may obtain information by compromising a system, and malicious insiders, who may misuse information by exercising their authorization. To mitigate compromises and deter misuse, the security administrators of these resources often deploy various types of intrusion and misuse detection systems, which provide alerts of suspicious events that are worthy of follow-up review. However, in practice, these systems may generate a large number of false alerts, wasting the time of investigators. Given that security administrators have limited budget for investigating alerts, they must prioritize certain types of alerts over others. An important challenge in alert prioritization is that adversaries may take advantage of such behavior to evade detection - specifically by mounting attacks that trigger alerts that are less likely to be investigated. In this paper, we model alert prioritization with adaptive adversaries using a Stackelberg game and introduce an approach to compute the optimal prioritization of alert types. We evaluate our approach using both synthetic data and a real-world dataset of alerts generated from the audit logs of an electronic medical record system in use at a large academic medical center.
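The interaction the abstract describes, as an added toy model that is not the paper's formulation or code: the defender commits to per-type investigation probabilities under a budget, the attacker observes them and mounts the attack whose alert type is least likely to be reviewed, and a bisection finds the commitment that minimizes the attacker's best-response gain. Alert types, volumes, review costs, attacker gains and the budget are all constructed sample values.

```python
"""Toy Stackelberg alert-prioritization game (constructed example, not the paper's model).

Defender commits to p[t] = probability an alert of type t is investigated,
subject to sum(volume[t] * cost[t] * p[t]) <= BUDGET.  The attacker then
picks the alert type t maximising undetected gain (1 - p[t]) * gain[t].
"""

# Constructed sample: alert type -> (daily volume, reviewer-hours per alert, attacker gain)
ALERTS = {
    "admin_login_offhours": (20, 3.0, 100.0),
    "bulk_record_export":   (50, 2.0, 80.0),
    "vip_patient_access":   (200, 1.0, 60.0),
    "failed_auth_burst":    (400, 0.5, 20.0),
}
BUDGET = 150.0  # reviewer-hours per day (constructed)


def spend(p):
    return sum(v * c * p[t] for t, (v, c, _) in ALERTS.items())


def attacker_best_response(p):
    """Attacker chooses the alert type with the highest expected undetected gain."""
    return max(ALERTS, key=lambda t: (1 - p[t]) * ALERTS[t][2])


def defender_loss(p):
    t = attacker_best_response(p)
    return (1 - p[t]) * ALERTS[t][2]


def greedy_ranking():
    """Static policy: fully review the highest-gain types first until the budget is gone.
    Exploitable: the attacker simply targets the first type left uncovered."""
    p, left = {t: 0.0 for t in ALERTS}, BUDGET
    for t in sorted(ALERTS, key=lambda t: -ALERTS[t][2]):
        v, c, _ = ALERTS[t]
        p[t] = min(1.0, left / (v * c))
        left -= v * c * p[t]
    return p


def stackelberg_optimum(iters=60):
    """Bisection on the attacker's best-response value V: to hold every type at or
    below V the defender needs p[t] >= 1 - V/gain[t]; find the smallest affordable V."""
    lo, hi = 0.0, max(g for _, _, g in ALERTS.values())
    for _ in range(iters):
        mid = (lo + hi) / 2
        p = {t: max(0.0, 1 - mid / g) for t, (_, _, g) in ALERTS.items()}
        lo, hi = (lo, mid) if spend(p) <= BUDGET else (mid, hi)
    return {t: max(0.0, 1 - hi / g) for t, (_, _, g) in ALERTS.items()}
```

With these numbers the greedy ranking leaves `vip_patient_access` uncovered and the attacker nets 60, while the committed randomized policy holds the attacker to about 40.5 on the same budget.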

Electronic downloads

Citation formats  
  • HTML
    Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan,
    Bradley Malin. <a
    href="http://www.cps-forces.org/pubs/248.html"
    >A Game-Theoretic Approach for Alert
    Prioritization</a>, AAAI-17 Workshop on Artificial
    Intelligence for Cyber Security (AICS), February, 2017.
  • Plain text
    Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan,
    Bradley Malin. "A Game-Theoretic Approach for Alert
    Prioritization". AAAI-17 Workshop on Artificial
    Intelligence for Cyber Security (AICS), February, 2017.
  • BibTeX
    @inproceedings{LaszkaVorobeychikFabbriYanMalin17_GameTheoreticApproachForAlertPrioritization,
        author = {Aron Laszka and Yevgeniy Vorobeychik and Daniel
                  Fabbri and Chao Yan and Bradley Malin},
        title = {A Game-Theoretic Approach for Alert Prioritization},
        booktitle = {AAAI-17 Workshop on Artificial Intelligence for
                  Cyber Security (AICS)},
        month = {February},
        year = {2017},
        abstract = {The quantity of information that is collected and
                  stored in computer systems continues to grow
                  rapidly. At the same time, the sensitivity of such
                  information (e.g., detailed medical records) often
                  makes such information valuable to both external
                  attackers, who may obtain information by
                  compromising a system, and malicious insiders, who
                  may misuse information by exercising their
                  authorization. To mitigate compromises and deter
                  misuse, the security administrators of these
                  resources often deploy various types of intrusion
                  and misuse detection systems, which provide alerts
                  of suspicious events that are worthy of follow-up
                  review. However, in practice, these systems may
                  generate a large number of false alerts, wasting
                  the time of investigators. Given that security
                  administrators have limited budget for
                  investigating alerts, they must prioritize certain
                  types of alerts over others. An important
                  challenge in alert prioritization is that
                  adversaries may take advantage of such behavior to
                  evade detection - specifically by mounting attacks
                  that trigger alerts that are less likely to be
                  investigated. In this paper, we model alert
                  prioritization with adaptive adversaries using a
                  Stackelberg game and introduce an approach to
                  compute the optimal prioritization of alert types.
                  We evaluate our approach using both synthetic data
                  and a real-world dataset of alerts generated from
                  the audit logs of an electronic medical record
                  system in use at a large academic medical center.},
        URL = {http://cps-forces.org/pubs/248.html}
    }
    

Posted by Waseem Abbas on 2 Mar 2017.
Groups: forces
For additional information, see the Publications FAQ or contact webmaster at cps-forces org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.