A Game-Theoretic Approach for Alert Prioritization Aron Laszka, - - PowerPoint PPT Presentation
A Game-Theoretic Approach for Alert Prioritization Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan, Bradley Malin Intrusion Detection Detection and mitigation of cyber-attacks is of crucial importance; however, attackers try to
they must also generate a large number of false alerts false alerts IDS attack alerts
budget B (available manpower, …)
Alerts
Alert types T t1 t2 t3 t4 Alerts
an intrusion detection system (e.g., Snort)
same type appear equally important
type t is Ra,t
Alert types T t1 t2 t3 t4 Alerts Attacks probability Ra,t attack a1 attack a2
Alert types T t1 t2 t3 t4 Alerts Naïve prioritization investigate (using budget B) attack
Alert types T t1 t2 t3 t4 Alerts
Random choice …
PI(o, k) = X
n: Cok +Pk
i=1 ni·Coi≤B
"
· ≤
·
k−1
Y
i=1
(Foi(ni) − Foi(ni − 1)) # ∈ PD(o,a) = X Y Y X
ˆ T ⊆T
Y
t∈ ˆ T
Ra,t Y
t∈T \ ˆ T
(1 − Ra,t) PI ⇣
T} ⌘ (4)
EG(p, a) = X
po · (1 − PD(o, a)) · Ga − Ka, EL(p, a) = X
po · (1 − PD(o, a)) · La.
BR(p) = argmax
a∈A
EG(p, a) min
p,a ∈ BR(p) EL(p, a)
PI(o, k) = X
n: Cok +Pk
i=1 ni·Coi≤B
"
· ≤
·
k−1
Y
i=1
(Foi(ni) − Foi(ni − 1)) # ∈ PD(o,a) = X Y Y X
ˆ T ⊆T
Y
t∈ ˆ T
Ra,t Y
t∈T \ ˆ T
(1 − Ra,t) PI ⇣
T} ⌘ (4)
exponential number of terms
Algorithm 1 Computing PD(o, a) Input: prioritization game, prioritization o, attack a
1: for b = 0, 1, . . . , B do 2:
PD(o, a, |T|, b) Ra,o|T | · F ⇤
4: for i = |T| 1, . . . , 2, 1 do 5:
for b = 0, 1, . . . , B do
6:
PD(o, a, i, b) Ra,oi ·F ⇤
bb/Coic
X
j=0
" (Foi(j) Foi(j 1))·PD(o, a, bj·Coi, i+1) #
7:
end for
8: end for 9: Return PD(o, a) := PD(o, a, 1, B)
2 max
p
X
po · PD(o, a) subject to 8 a0 2 A : X
po · D(o, a0) ∆ (Ka0) Algorithm 2 Greedy Column Generation Input: prioritization game, reduced cost function ¯ c
1: o ; 2: while 9 t 2 T \ o do 3:
c(o + t)
4: end while 5: Return o
X where D(o, a0) = [(1PD(o, a))Ga(1PD(o, a0))Ga0] . Once each is solved, we
can choose the solution p⇤
where
¯ c(o) = PD(o, a) + X
a02A
y( ¯ O, a0)D(o, a0)
where (i.e., reduced cost function) exponential number
Problem: Finding an improving column (i.e., ordering) is an NP-hard problem.
2 3 4 5 6 7 10−2 10−1 100 101 102 103 Optimal Greedy Column Generation 2 3 4 5 6 7 0.2 0.4 0.6 0.8 Optimal Greedy Column Generation
Defender’s expected loss Running time [s] Number of attack and alert types Number of attack and alert types Ka = 0, Ct = 1, B = 5|T|, Da and Ga were drawn at random from [0.5, 1], each Ra,t is either 0 (with probability 1/3) or drawn at random from [0, 1], and every Ft has a Poisson distribution whose mean is drawn at random from [5, 15].
affiliation, employment information, and home addresses patient record 1 patient record 2 patient record 3
Alert types T
Explanation Based Auditing System [1]
[1] Fabbri, D., and LeFevre, K. 2013. Explaining accesses to electronic medical records using diagnosis information. Journal of the American Medical Informatics Association 20(1):52–60.
Attacks A ~ potential misuses employees
0.2 0.4 0.6 0.8 1 1.2 0.2 0.4 0.6 0.8 1 Optimal Greedy Column Generation
Defender’s expected loss Defender’s budget
consecutive weeks of access logs from 2016
by 14,531 users to 161,426 patient records, leading to a total of 863,989 alerts
distributions of false alerts using Poisson distributions
strategies, we restricted the alerts to 12 randomly selected patients
·104