International Journal of Information Security

, Volume 18, Issue 2, pp 199–218 | Cite as

A methodology for ensuring fair allocation of CSOC effort for alert investigation

  • Ankit Shah
  • Rajesh Ganesan
  • Sushil JajodiaEmail author
Regular Contribution


A Cyber Security Operations Center (CSOC) often sells services by entering into a service level agreement (SLA) with various customers (organizations) whose network traffic is monitored through sensors. The sensors produce data that are processed by automated systems (such as the intrusion detection system) that issue alerts. All alerts need further investigation by human analysts. The alerts are triaged into high-, medium-, and low-priority alerts, and the high-priority alerts are investigated first by cybersecurity analysts—a process known as priority queueing. In unexpected situations such as (i) higher than expected high-priority alert generation from some sensors, (ii) not enough analysts at the CSOC in a given time interval, and (iii) a new type of alert, which increases the time to analyze alerts from some sensors, the priority queueing mechanism leads to two major issues. The issues are: (1) some sensors with normal levels of alert generation are being analyzed less than those with excessive high-priority alerts, with the potential for complete starvation of alert analysis for sensors with only medium- or low-priority alerts, and (2) the above ad hoc allocation of CSOC effort to sensors with excessive high-priority alerts over other sensors results in SLA violations, and there is no enforcement mechanism to ensure the matching between the SLA and the actual service provided by a CSOC. This paper develops a new dynamic weighted alert queueing mechanism (DWQ) which relates the CSOC effort as per SLA to the actual allocated in practice, and ensures via a technical enforcement system that the total CSOC effort is proportionally divided among customers such that fairness is guaranteed in the long run. The results indicate that the DWQ mechanism outperforms priority queueing method by not only analyzing high-priority alerts first but also ensuring fairness in CSOC effort allocated to all its customers and providing a starvation-free alert investigation process.


Cybersecurity analysts Simulation Adaptive queueing Fair CSOC effort allocation Dynamic weighted queueing Deficit model Integrated queueing approach 



The authors would like to thank Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research.


  1. 1.
    Albanese, M., Molinaro, C., Persia, F., Picariello, A., Subrahmanian, V.S.: Discovering the top-k unexplained sequences in time-stamped observation data. IEEE Trans. Knowl. Data Eng. 26(3), 577–594 (2014)CrossRefGoogle Scholar
  2. 2.
    Altner, D.S., Rojas, A.C., Servi, L.D.: A two-stage stochastic program for multi-shift, multi-analyst, workforce optimization with multiple on-call options. J. Sched. (2017). Google Scholar
  3. 3.
    Avi-Itzhak, B., Levy, H., Raz, D.: Quantifying fairness in queuing systems. Probab. Eng. Inf. Sci. 22(04), 495–517 (2008)CrossRefzbMATHGoogle Scholar
  4. 4.
    Bejtlich, R.: The Tao of Network Security Monitoring: Beyond Intrusion Detection. Pearson Education Inc, London (2005)Google Scholar
  5. 5.
    Bhatt, S., Manadhata, P.K., Zomlot, L.: The operational role of security information and event management systems. IEEE Secur. Priv. 12(5), 35–41 (2014)CrossRefGoogle Scholar
  6. 6.
    Bouchenak, S.: Automated control for SLA-aware elastic clouds. In: Proceedings of the Fifth International Workshop on Feedback Control Implementation and Design in Computing Systems and Networks, FeBiD’10, pp. 27–28 (2010)Google Scholar
  7. 7.
    Chandra, A., Adler, M., Goyal, P., Shenoy, P.: Surplus fair scheduling: a proportional-share CPU scheduling algorithm for symmetric multiprocessors. In: Proceedings of the 4th Conference on Symposium on Operating System Design & Implementation—Volume 4, OSDI’00 (2000)Google Scholar
  8. 8.
    CIO: DON cyber crime handbook. Department of Navy, Washington (2008)Google Scholar
  9. 9.
    Crothers, T.: Implementing Intrusion Detection Systems. Wiley Publishing Inc, Hoboken (2002)Google Scholar
  10. 10.
    D’Amico, A., Whitley, K.: VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security. Springer, Berlin, Chapter The Real Work of Computer Network Defense Analysts (2008)Google Scholar
  11. 11.
    Demers, A., Keshav, S., Shenker, S.: Analysis and simulation of a fair queueing algorithm. ACM SIGCOMM Comput. Commun. Rev. 19, 1–12 (1989)CrossRefGoogle Scholar
  12. 12.
    Di Pietro, R., Mancini, L.V. (eds.): Intrusion Detection Systems, Advances in Information Security, vol. 38. Springer, Berlin (2008)Google Scholar
  13. 13.
    Erbacher, R.F., Hutchinson, S.E.: Extending case-based reasoning to network alert reporting. In: 2012 ASE International Conference on Cyber Security, pp. 187–194 (2012)Google Scholar
  14. 14.
    Faniyi, F., Bahsoon, R.: Engineering proprioception in SLA management for cloud architectures. In: 2011 Ninth Working IEEE/IFIP Conference on Software Architecture, pp. 336–340 (2011)Google Scholar
  15. 15.
    Ganesan, R., Jajodia, S., Shah, A., Cam, H.: Dynamic scheduling of cybersecurity analysts for minimizing risk using reinforcement learning. ACM Trans. Intell. Syst. Technol. 8(1), 4 (2016)CrossRefGoogle Scholar
  16. 16.
    Ganesan, R., Jajodia, S., Cam, H.: Optimal scheduling of cybersecurity analyst for minimizing risk. ACM Trans. Intell. Syst. Technol. 8(4), 52 (2017)CrossRefGoogle Scholar
  17. 17.
    Huang, J., Bi, J.: A proportional fairness scheduling for wireless sensor networks. Pers. Ubiquitous Comput. 20(5), 695–703 (2016)CrossRefGoogle Scholar
  18. 18.
    Khamse-Ashari, J., Kesidis, G., Lambadaris, I., Urgaonkar, B., Zhao, Y.: Max-min fair scheduling of variable-length packet-flows to multiple servers by deficit round-robin. In: 2016 Annual Conference on Information Science and Systems (CISS), pp. 390–395. IEEE (2016)Google Scholar
  19. 19.
    Killcrece, G., Kossakowski, K.P., Ruefle, R., Zajicek, M.: State of the practice of computer security incident response teams (CSIRTs). Technical report CMU/SEI-2003-TR-001, Software Engineering Institute, Carnegie Mellon University, Pittsburgh (2003)Google Scholar
  20. 20.
    Kiran, R.S., Babu, P.V., Krishna, B.M.: Optimizing CPU scheduling for real time applications using mean-difference round robin (MDRR) algorithm. In: ICT and Critical Infrastructure: Proceedings of the 48th Annual Convention of Computer Society of India, vol. I, pp 713–721. Springer (2014)Google Scholar
  21. 21.
    Newcomb, E.A., Hammell, R.J., Hutchinson, S.: Effective prioritization of network intrusion alerts to enhance situational awareness. In: IEEE Conference on Intelligence and Security Informatics (ISI), 2016, pp. 73–78. IEEE (2016)Google Scholar
  22. 22.
    Northcutt, S., Novak, J.: Network Intrusion Detection, 3rd edn. New Riders Publishing, Thousand Oaks (2002)Google Scholar
  23. 23.
    Semeria, C.: Supporting differentiated service classes: queue scheduling disciplines. Juniper Netw. 11–14 (2001).
  24. 24.
    Shah, A., Ganesan, R., Jajodia, S., Cam, H.: A methodology to measure and monitor level of operational effectiveness of a CSOC. Int. J. Inf. Secur. 17, 121–134 (2017)CrossRefGoogle Scholar
  25. 25.
    Sharaf, S., Djemame, K.: Enabling service-level agreement renegotiation through extending WS-agreement specification. SOCA 9(2), 177–191 (2015)CrossRefGoogle Scholar
  26. 26.
    Shreedhar, M., Varghese, G.: Efficient fair queueing using deficit round robin. SIGCOMM Comput. Commun. Rev. 25(4), 231–242 (1995)CrossRefGoogle Scholar
  27. 27.
    Singh, A., Goyal, P., Batra, S.: An optimized round robin scheduling algorithm for CPU scheduling. Int. J. Comput. Sci. Eng. 2(07), 2383–2385 (2010)Google Scholar
  28. 28.
    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: Proceedings of IEEE Symposium on Security and Privacy , pp. 305–316 (2010)Google Scholar
  29. 29.
    Sundaramurthy, S.C., Bardas, A.G., Case, J., Ou, X., Wesch, M., McHugh, J., Rajagopalan, S.R.: A human capital model for mitigating security analyst burnout. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), USENIX Association, pp. 347–359 (2015)Google Scholar
  30. 30.
    Sundaramurthy, S.C., McHugh, J., Ou, X., Wesch, M., Bardas, A.G., Rajagopalan, S.R.: Turning contradictions into innovations or: how we learned to stop whining and improve security operations. In: Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), USENIX Association (2016)Google Scholar
  31. 31.
    To, K., Padhye, J., Varghese, G., Firestone, D.: Controlling fair bandwidth allocation efficiently. US Patent App. 14/601,214 (2015)Google Scholar
  32. 32.
    Zimmerman, C.: The Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation, McLean (2014)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Center for Secure Information SystemsGeorge Mason UniversityFairfaxUSA
  2. 2.Center for Secure Information Systems, Department of Systems Engineering and Operations ResearchGeorge Mason UniversityFairfaxUSA

Personalised recommendations