A Strategy for Effective Alert Analysis at a Cyber Security Operations Center

  • Rajesh GanesanEmail author
  • Ankit Shah
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11170)


Alert data management entails several tasks at a Cyber Security Operations Center such as tasks related to alert analysis, those related to threat mitigation if an alert is deemed to be significant, signature update for an intrusion detection system, and so on. This chapter presents a metric for measuring the performance of the CSOC, and develop a strategy for effective alert data management that optimizes the execution of certain tasks pertaining to alert analysis. One of the important performance metrics pertaining to alert analysis include the processing of the alerts in a timely manner to maintain a certain Level of Operational Effectiveness (LOE). Maintaining LOE requires two foremost tasks among several others: (1) the dynamic optimal scheduling of CSOC analysts to respond to the uncertainty in the day-to-day demand for alert analysis, and (2) the dynamic optimal allocation of CSOC analyst resources to the sensors that are being monitored. However, the above tasks are inter-dependent because the daily allocation task per shift requires the availability of the analysts (resource) to meet the uncertainties in the demand for alert analysis at the CSOC due to varying alert generation and/or service rates, and the resource availability must be scheduled ahead of time, despite the above uncertainty, for practical implementation in the real-world. In this chapter, an optimization modeling framework is presented that schedules the analysts using historical and predicted demand patterns for alert analysis over a 14-day work-cycle, selects additional (on-call) analysts that are required in a shift, and optimally allocates all the required analysts on a day-to-day basis per each working shift. Results from simulation studies validate the optimization modeling framework, and show the effectiveness of the strategy for alert analysis in order to maintain the LOE of the CSOC at the desired level.



The authors would like to thank Dr. Sushil Jajodia of the Center for Secure Information Systems, Dr. Hasan Cam and Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research. Ganesan, and Shah were partially supported by the Army Research Office under grants W911NF-13-1-0421 and W911NF-15-1-0576 and by the Office of Naval Research grant N00014-15-1-2007.


  1. 1.
    Shah, A., Ganesan, R., Jajodia, S., Cam, H.: A methodology to measure and monitor level of operational effectiveness of a CSOC. Int. J. Inf. Secur. 17(2), 121–134 (2018)CrossRefGoogle Scholar
  2. 2.
    Ganesan, R., Jajodia, S., Cam, H.: Optimal scheduling of cybersecurity analysts for minimizing risk. ACM Trans. Intell. Syst. Technol. 8(4), 52:1–52:32 (2017). Scholar
  3. 3.
    Ganesan, R., Jajodia, S., Shah, A., Cam, H.: Dynamic scheduling of cybersecurity analysts for minimizing risk using reinforcement learning. ACM Trans. Intell. Syst. Technol. 8(1), 4:1–4:21 (2016). Scholar
  4. 4.
    Anderson, J.P.: Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington (1980)Google Scholar
  5. 5.
    Denning, D.E.: An intrusion-detection model. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, pp. 118–131, May 1986Google Scholar
  6. 6.
    Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. 13(2), 222–232 (1987)CrossRefGoogle Scholar
  7. 7.
    Northcutt, S., Novak, J.: Network Intrusion Detection, 3rd edn. New Riders Publishing, Thousand Oaks (2002)Google Scholar
  8. 8.
    Di Pietro, R., Mancini, L.V. (eds.): Intrusion Detection Systems. ADIS, vol. 38. Springer, Boston (2008). Scholar
  9. 9.
    Subrahmanian, V.S., Ovelgönne, M., Dumitras, T., Prakash, B.A.: The Global Cyber-Vulnerability Report. TSC. Springer, Cham (2015). Scholar
  10. 10.
    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 305–316, May 2010Google Scholar
  11. 11.
    Barbará, D., Jajodia, S. (eds.): Application of Data Mining in Computer Security. ADIS, vol. 6. Springer, Boston (2002). Scholar
  12. 12.
    Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)CrossRefGoogle Scholar
  13. 13.
    Zimmerman, C.: The strategies of a world-class cybersecurity operations center. The MITRE Corporation, McLean (2014)Google Scholar
  14. 14.
    Lesaint, D., Voudouris, C., Azarmi, N., Alletson, I., Laithwaite, B.: Field workforce scheduling. BT Technol. J. 21(4), 23–26 (2003)CrossRefGoogle Scholar
  15. 15.
    Nobert, Y., Roy, J.: Freight handling personnel scheduling at air cargo terminals. Transp. Sci. 32(3), 295–301 (1998)CrossRefGoogle Scholar
  16. 16.
    Reis, J., Mamede, N.: Multi-Agent Dynamic Scheduling and Re-Scheduling with Global Temporal Constraints. Kluwer Academic Publishers, Dordrecht (2002)Google Scholar
  17. 17.
    Zhou, F., Wang, J., Wang, J., Jonrinaldi, J.: A dynamic rescheduling model with multi-agent system and its solution method. J. Mech. Eng. 58(2), 81–92 (2012)CrossRefGoogle Scholar
  18. 18.
    Helm, J.E., AhmadBeygi, S., Van Oyen, M.P.: Design and analysis of hospital admission control for operational effectiveness. Prod. Oper. Manag. 20(3), 359–374 (2011)CrossRefGoogle Scholar
  19. 19.
    Chen, Z., King, W., Pearcey, R., Kerba, M., Mackillop, W.J.: The relationship between waiting time for radiotherapy and clinical outcomes: a systematic review of the literature. Radiother. Oncol. 87(1), 3–16 (2008)CrossRefGoogle Scholar
  20. 20.
    Guerriero, F., Guido, R.: Operational research in the management of the operating theatre: a survey. Health Care Manag. Sci. 14(1), 89–114 (2011)CrossRefGoogle Scholar
  21. 21.
    Tijms, H.: New and old results for the M/D/c queue. AEU-Int. J. Electron. Commun. 60(2), 125–130 (2006)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Marianov, V., Serra, D.: Location models for airline hubs behaving as M/D/c queues. Comput. Oper. Res. 30(7), 983–1003 (2003)CrossRefGoogle Scholar
  23. 23.
    DON CIO: Cyber Crime Handbook. Department of Navy, Washington, DC (2008)Google Scholar
  24. 24.
    Pinedo, M.L.: Planning and Scheduling in Manufacturing and Services. Springer, New York (2009). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.George Mason UniversityFairfaxUSA

Personalised recommendations