A Cyber Security Operations Center (CSOC) often sells services by entering into a service level agreement (SLA) with various customers (organizations) whose network traffic is monitored through sensors. The sensors produce data that are processed by automated systems (such as the intrusion detection system) that issue alerts. All alerts need further investigation by human analysts. The alerts are triaged into high-, medium-, and low-priority alerts, and the high-priority alerts are investigated first by cybersecurity analysts—a process known as priority queueing. In unexpected situations such as (i) higher than expected high-priority alert generation from some sensors, (ii) not enough analysts at the CSOC in a given time interval, and (iii) a new type of alert, which increases the time to analyze alerts from some sensors, the priority queueing mechanism leads to two major issues. The issues are: (1) some sensors with normal levels of alert generation are being analyzed less than those with excessive high-priority alerts, with the potential for complete starvation of alert analysis for sensors with only medium- or low-priority alerts, and (2) the above ad hoc allocation of CSOC effort to sensors with excessive high-priority alerts over other sensors results in SLA violations, and there is no enforcement mechanism to ensure the matching between the SLA and the actual service provided by a CSOC. This paper develops a new dynamic weighted alert queueing mechanism (DWQ) which relates the CSOC effort as per SLA to the actual allocated in practice, and ensures via a technical enforcement system that the total CSOC effort is proportionally divided among customers such that fairness is guaranteed in the long run. The results indicate that the DWQ mechanism outperforms priority queueing method by not only analyzing high-priority alerts first but also ensuring fairness in CSOC effort allocated to all its customers and providing a starvation-free alert investigation process.
This is a preview of subscription content, log in to check access.
Buy single article
Instant access to the full article PDF.
Price includes VAT for USA
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
This is the net price. Taxes to be calculated in checkout.
Albanese, M., Molinaro, C., Persia, F., Picariello, A., Subrahmanian, V.S.: Discovering the top-k unexplained sequences in time-stamped observation data. IEEE Trans. Knowl. Data Eng. 26(3), 577–594 (2014)
Altner, D.S., Rojas, A.C., Servi, L.D.: A two-stage stochastic program for multi-shift, multi-analyst, workforce optimization with multiple on-call options. J. Sched. (2017). https://doi.org/10.1007/s10951-017-0554-9
Avi-Itzhak, B., Levy, H., Raz, D.: Quantifying fairness in queuing systems. Probab. Eng. Inf. Sci. 22(04), 495–517 (2008)
Bejtlich, R.: The Tao of Network Security Monitoring: Beyond Intrusion Detection. Pearson Education Inc, London (2005)
Bhatt, S., Manadhata, P.K., Zomlot, L.: The operational role of security information and event management systems. IEEE Secur. Priv. 12(5), 35–41 (2014)
Bouchenak, S.: Automated control for SLA-aware elastic clouds. In: Proceedings of the Fifth International Workshop on Feedback Control Implementation and Design in Computing Systems and Networks, FeBiD’10, pp. 27–28 (2010)
Chandra, A., Adler, M., Goyal, P., Shenoy, P.: Surplus fair scheduling: a proportional-share CPU scheduling algorithm for symmetric multiprocessors. In: Proceedings of the 4th Conference on Symposium on Operating System Design & Implementation—Volume 4, OSDI’00 (2000)
CIO: DON cyber crime handbook. Department of Navy, Washington (2008)
Crothers, T.: Implementing Intrusion Detection Systems. Wiley Publishing Inc, Hoboken (2002)
D’Amico, A., Whitley, K.: VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security. Springer, Berlin, Chapter The Real Work of Computer Network Defense Analysts (2008)
Demers, A., Keshav, S., Shenker, S.: Analysis and simulation of a fair queueing algorithm. ACM SIGCOMM Comput. Commun. Rev. 19, 1–12 (1989)
Di Pietro, R., Mancini, L.V. (eds.): Intrusion Detection Systems, Advances in Information Security, vol. 38. Springer, Berlin (2008)
Erbacher, R.F., Hutchinson, S.E.: Extending case-based reasoning to network alert reporting. In: 2012 ASE International Conference on Cyber Security, pp. 187–194 (2012)
Faniyi, F., Bahsoon, R.: Engineering proprioception in SLA management for cloud architectures. In: 2011 Ninth Working IEEE/IFIP Conference on Software Architecture, pp. 336–340 (2011)
Ganesan, R., Jajodia, S., Shah, A., Cam, H.: Dynamic scheduling of cybersecurity analysts for minimizing risk using reinforcement learning. ACM Trans. Intell. Syst. Technol. 8(1), 4 (2016)
Ganesan, R., Jajodia, S., Cam, H.: Optimal scheduling of cybersecurity analyst for minimizing risk. ACM Trans. Intell. Syst. Technol. 8(4), 52 (2017)
Huang, J., Bi, J.: A proportional fairness scheduling for wireless sensor networks. Pers. Ubiquitous Comput. 20(5), 695–703 (2016)
Khamse-Ashari, J., Kesidis, G., Lambadaris, I., Urgaonkar, B., Zhao, Y.: Max-min fair scheduling of variable-length packet-flows to multiple servers by deficit round-robin. In: 2016 Annual Conference on Information Science and Systems (CISS), pp. 390–395. IEEE (2016)
Killcrece, G., Kossakowski, K.P., Ruefle, R., Zajicek, M.: State of the practice of computer security incident response teams (CSIRTs). Technical report CMU/SEI-2003-TR-001, Software Engineering Institute, Carnegie Mellon University, Pittsburgh (2003)
Kiran, R.S., Babu, P.V., Krishna, B.M.: Optimizing CPU scheduling for real time applications using mean-difference round robin (MDRR) algorithm. In: ICT and Critical Infrastructure: Proceedings of the 48th Annual Convention of Computer Society of India, vol. I, pp 713–721. Springer (2014)
Newcomb, E.A., Hammell, R.J., Hutchinson, S.: Effective prioritization of network intrusion alerts to enhance situational awareness. In: IEEE Conference on Intelligence and Security Informatics (ISI), 2016, pp. 73–78. IEEE (2016)
Northcutt, S., Novak, J.: Network Intrusion Detection, 3rd edn. New Riders Publishing, Thousand Oaks (2002)
Semeria, C.: Supporting differentiated service classes: queue scheduling disciplines. Juniper Netw. 11–14 (2001). http://www.juniper.net/techpubs
Shah, A., Ganesan, R., Jajodia, S., Cam, H.: A methodology to measure and monitor level of operational effectiveness of a CSOC. Int. J. Inf. Secur. 17, 121–134 (2017)
Sharaf, S., Djemame, K.: Enabling service-level agreement renegotiation through extending WS-agreement specification. SOCA 9(2), 177–191 (2015)
Shreedhar, M., Varghese, G.: Efficient fair queueing using deficit round robin. SIGCOMM Comput. Commun. Rev. 25(4), 231–242 (1995)
Singh, A., Goyal, P., Batra, S.: An optimized round robin scheduling algorithm for CPU scheduling. Int. J. Comput. Sci. Eng. 2(07), 2383–2385 (2010)
Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: Proceedings of IEEE Symposium on Security and Privacy , pp. 305–316 (2010)
Sundaramurthy, S.C., Bardas, A.G., Case, J., Ou, X., Wesch, M., McHugh, J., Rajagopalan, S.R.: A human capital model for mitigating security analyst burnout. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), USENIX Association, pp. 347–359 (2015)
Sundaramurthy, S.C., McHugh, J., Ou, X., Wesch, M., Bardas, A.G., Rajagopalan, S.R.: Turning contradictions into innovations or: how we learned to stop whining and improve security operations. In: Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), USENIX Association (2016)
To, K., Padhye, J., Varghese, G., Firestone, D.: Controlling fair bandwidth allocation efficiently. US Patent App. 14/601,214 (2015)
Zimmerman, C.: The Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation, McLean (2014)
The authors would like to thank Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research.
Shah, Ganesan, and Jajodia were partially supported by the Army Research Office under Grants W911NF-13-1-0421 and W911NF-15-1-0576 and by the Office of Naval Research under Grant N00014-15-1-2007.
In this appendix, the algorithm for executing the DWQ model is presented (Algorithm 1).
About this article
Cite this article
Shah, A., Ganesan, R. & Jajodia, S. A methodology for ensuring fair allocation of CSOC effort for alert investigation. Int. J. Inf. Secur. 18, 199–218 (2019). https://doi.org/10.1007/s10207-018-0407-3
- Cybersecurity analysts
- Adaptive queueing
- Fair CSOC effort allocation
- Dynamic weighted queueing
- Deficit model
- Integrated queueing approach