Enterprise threat management demands effective decision making for generating optimal responses against the reported threats, violations, and vulnerabilities. An optimization of the total response cost together with the effectiveness of the responses to the most critical of the actual security events is a key objective for any security administrator (SA). Apart from the multitude of factors to be considered by a SA, relative prioritization of the reported security events in order to optimize the response to these events with limited resources, is an important and critical problem faced by SAs.
The problem of prioritization of the security events is in general a difficult problem to solve since it requires numerous factors to be adequately considered and accurately assessed. Examples of these factors may include security policies, profile of the reporting user(s), reporting time, security infrastructure etc. Most of these factors vary across the organizations, across time, with security priorities of the organization, user base, other existing reported events etc. Often the way they impact the actual relative criticality of a reported security event varies dynamically and thus cannot be accurately predicted a priori using any static modeling approach.
Because of these difficulties, often security administrators use their own experience based reasoning to decide the appropriate prioritization and response. Such prioritization by an expert though might be the only option available at times, however need not be the best possible one. Also the undue dependence on the subjective decision making might result in inconsistent decisions. Also there may be the loss of such expertise once an expert leaves the organization. Therefore it is quite important to consider and formulate a principled approach to study and model the human expertize in responding to the emergent threats owing to security events. In this paper, we attempt to fill this gap.
1.1 Related Work
In contrast to the approach considered in this work, most of the solutions to enterprise threat management are preventive approaches [Bis03, Rea97]. These approaches only prescribe as to what should be done to prevent the security events or how to monitor the policy violations but not how to deal with these security events once they have already occurred. There are though interesting studies on how to manage security risks by modeling the dynamics of potential attacker in a game theoretic setting [CRY08, LW05]. For example, a recent work by Barth et al. [BRS09] presents an learning based game theoretic model to study the cost-benefit trade-offs for managing an enterprise’s (non-catastrophic) information security risks. Similarly Miura and Bambos [MKB07] propose a scheme for prioritizing vulnerabilities in networks based on the percentage of time a random attacker would spend trying to exploit them measured in terms of network topology and potential node interactions. Though these studies are interesting in their own right, however, they still do not address the question, central to ours, as to what should be done after an attack has actually occurred.
On the other hand there are solutions with relatively limited scope to generate automated responses for specific type of events (e.g., alarms, auto locking for resource access etc.) For example, in the context of intrusion detection, [AASB08] presents a fuzzy-logic based methodology to automatically prioritize the alerts. These solutions are primarily governed by the fixed set of rules which determine the detection of an event and generation of predefined responses accordingly [KV00]. To the best of author’s knowledge there do not appear significant (published) prior arts on the problem of adaptive prioritization of security events to generate effective responses for handling enterprise level threats on a wider scale.
Locasto et al. [LBB09] have recently examined the difficulty of (manually) recovering from large scale network intrusion attacks. They discuss, in particular, associated human factors, which could complicate the recovery process. There work can be considered as an important motivation and their case studies as further example scenarios for this paper.
Rest of the paper is organized as follows: Section 2 presents a system model (Section 2.1) and a technique to model the meta-knowledge of the security experts. Section 3 presents discussion on operationalizing the presented approach. Section 4 discusses potential challenges in realizing the approach in practice, underlying technical limitations, and possible alternative solution approaches to the problem. Finally, concluding remarks and directions for further work appear in Section 5.
2 The Model
We propose a linear adaptive learning based approach, which is aimed towards designing a system which could effectively assist the security administrators to prioritize the reported security events. Learning aspect specifies that the responses of the system should increasingly match against security experts’ responses over time.
2.1 The System Model
Let be the set of all reported but unfinished (i.e., no decision taken) instances of security events at some time point . It is assumed that occurrences of security events are (statistically) independent of each other. These instances of the security events in are to be suitably prioritized for optimal response. Let be the set of priorities to be assigned to the reported security events such that higher priority is represented by higher numerical value.
Also let be the set of all the environmental factors which impact the criticality level/relative priority of the reported security events. Examples of such factors may include:
Type of the associated security policies and their measured business value.
Profile of the reporting user(s):
Number of users reporting the same security event.
Mutual relationship between the reporting user(s).
Relationship of the reporting user(s) with the policy and violation based upon job role and responsibility: expected close relation/generic relationship/remote relation.
Past violation history and response rating for the event.
Type of the Violation:
Sensitive data manipulation.
Physical Access violations.
Unauthorized disclosure of strategic information (e.g., IP)
Intentional information hiding.
Business code of conduct violation.
Supporting evidence from the automated monitoring system, if available.
External factors including policy regulations, natural exigencies etc.
Based upon these, aim is to define a procedure:
where , , and . essentially denotes the decision making process ideally employed by a SA to determine the relative priority of a violation as compared to all other violations currently present in using the knowledge of the associated environmental factors.
Owing to the inherent difficulty in formulating a closed form solution i.e., an algorithm which completely solves the problem, we consider an adaptive learning based approach, which can approximately capture the desired effect of such a procedure.
Let us define a function as:
where are the environmental factors affecting the priority/criticality level of the reported violation and is the weight (coefficient) for the factor . These coefficients are initialized to in the beginning. is the measured value of at time-point w.r.t. violation . collects the sets of violations at time points till current and collects the corresponding sets of (relative) priorities assigned to these violations by the SA. Their role in Eq.(2) will become clear soon when we define .
The first term appearing in the r.h.s. in Eq. (2
) is the usual linear model used in regression analysis[DS98], however the second term is new to this approach. The second term, , is the average relative historical priority of the violation , which will be defined later.
Notice that the first term, , appearing in the r.h.s. in Eq. (2), only considers those factors which impact the violation . Sometimes it may not be sufficient to only consider these factors in isolation to determine the relative priority of a violation. In such scenarios a security expert needs to make a decision on the relative priority of , with the knowledge that
Many other types of violations are also present at the same time and different sets of factors may characterize these violations.
Some global ‘meta-level’ information is critical to consider e.g. current expertise of the security response team, underlying connectivity topology etc.
It is important to add that such context sensitive meta knowledge is assumed to be not expressible either algebraically or in statistical terms (e.g., correlation) using only the factors present in the linear terms, i.e., , and associated priorities , These correlations if present among the factors and the priorities would be dealt with using the standard partial least square regression learning as discussed later in Section 2.2. Let us consider an example to motivate the need for introducing the second term in the model:
Consider a scenario (Fig. 1) where security events , and have been reported. Suppose the key factor which is known about these security events is the distance of their occurrences from the security control room (point o in the figure) from where a security response team would be sent to attend these security events. Let these distances be , and such that . As per the linear term appearing in the r.h.s. of Eq. (2), system would determine the priorities as , where represents the priority given to event . However, a SA may use the knowledge of the fact that if is assigned higher priority over because point of occurrence of and have a connection, it would reduce the overall distance to be covered even though . Overall costs corresponding to the priorities given by the linear system model as well as the SA’s responses are illustrated in the Fig. 1. Such considerations demand that system should consider the overall cost of the response rather than the individual responses in isolation. Since in general the factors (or meta-considerations), which need to be considered globally across more than one violation are specific to the security events and other surrounding conditions, modeling them statically is infeasible and therefore we define the second term, , in the Eq. (2) to overcome this limitation.
, is the average relative historical priority associated with a violation as compared to other security events sharing the history with . In other words, captures the effect of earlier priorities assigned to the violation by the SA w.r.t. some other security events in , which were also present together with at those time points in the past. Formally, we define it as follows:
be ranged over by . contains the sets of security events, in past, containing . Let
, in turn, collects those security events in , which were also present together with at the time point . Let be the absolute priority assigned to a violation by the SA. Also let be the valuation of the Eq. (2), i.e., predicted priority, at time for violation .
Now define, for :
determines whether there is a directionality mismatch between the relative priorities assigned to security events and at time-point by the linear system model and the SA. indicates that there is a directionality mismatch, which is likely to be owing to the presence of some meta-factors as discussed before. The effect of these meta factors need to be suitably measured. The term defined next is one possible way to measure this.
Informally, represents total relative priority of the violation (as determined by the SA) as compared to all other security event present both in the current set of security events as well as in the set of security events at time-point .
In terms of the above, is defined as follows:
Notation: returns the smallest integer greater than . In the Eq. ( 4)
is the set of all those security events present at time point for which there was a directionality mismatch w.r.t. violation . Those , which are non empty, are collected in so that is the number of time points where at least one directionality mismatch was present for violation . estimates total relative priority of the violation as compared to all other security events in sharing history with it averaged over these past time points. , in turn, collects all these security events in , which have shared history with at any time-point in the past. Defined in terms of these, is the normalization factor estimating the fraction of , having shared history with and is the normalized relative priority for , which should asymptotically approach to the priority estimates by the SA over the course of time reflecting the numerical significance of the meta-factors.
2.2 Learning and Adaptation
We now discuss a learning scheme to estimate the coefficients appearing in the linear summation term of the function defined in Eq. (2).
We adapt the recursive partial least square regression (RPLS) technique defined in [Qin98]
. Multiple regression is a powerful statistical modeling and prediction tool which has found wide applications in biological, behavioral and social sciences to describe relationships between variables. Least square estimations (LSE) are among the most frequently used estimation techniques in multiple linear regression analysis[CPWA03], [DS98]. Intuitively, least square estimates aim to estimate the model parameters (coefficients) such that total sum of squared errors (deviation from the ideal system response of the model’s output) is minimized. Important feature of these LSE is that their derivations employ standard operations from matrix calculus, and therefore they bring with them the theoretical proofs of optimality. Partial Least Square (PLS) based regression is an extension of the basic LSE technique which can effectively analyze data with many noisy, collinear, and even incomplete variables as input or output. We now discuss the RPLS algorithm as adopted from [Qin98], which extends PLS to deal with online data.
Let be the history adapted response of the SA for violation in and
be the column vector collectingfor all the instances of the violation type present in .
Also define where is the value of the factor at time and . Note that, , where .
Now we can use the RPLS algorithm from [Qin98] to get the regression estimates for as presented in Algorithm 1. For theoretical considerations, RPLS estimation assumes that input data (i.e., ) is independently and identically distributed over time (thus precludes auto-correlations) and is independent of errors.
3 Operationalizing the Approach
The proposed adaptive learning framework can be operationalized by implementing the suggested model. At the beginning the system would need to be initialized by the SAs for the set of relevant security events deemed significant for the organization together with the set of environmental factors. The coefficients in Eq. (2) are initialized to in the beginning (or as specified by the SA).
Fig. 2 depicts a high level schematic representation of the overall system design The learning system need to be integrated with the database containing the list of reported security events and valuations for the associated factors. A suitable interface could be used to get inputs from the SA determining the expert assigned priorities to these security events. Based upon these inputs and the valuations of the associated factors, the system would calculate the relative priority of a reported security event. In turn the system would adapt the weights of the factors for those security events, where its calculated priorities had significant deviation from the expert assigned priorities. Various modes of execution for the system could be considered as below:
Online versus Offline Modes of Execution: The proposed model can be practiced both online as well as in offline modes. This depends upon the choice of the time intervals (updation periods) at which the implemented system is presented with the new data (reported security events) as decided by the SA at the time of system configuration. If the choice of the time interval is comparable (or less than) the delay with which new security events are being reported, the system would effectively work in an online mode, depicting the priorities as each new event is reported and adapting itself as per the expert response corresponding to the event. On the other hand if the time interval at which the system is presented with the new data is relatively large, the system would effectively operate in an offline mode using the batch of data. A choice of the updation period would determine when the learning system fetches the new set of data from the database of reported security events.
Real-time versus Non-Real-time Modes of Execution: The proposed model can be practiced both real-time as well as in non-real-time modes. This again depends upon the clock synchronization for the time intervals (updation periods) at which the implemented system is presented with the new data (reported security events) and the time at which it was actually reported. Thus for real-time execution, the learning system would need to be tightly coupled with the database of reported security events so that as and when a new event is being reported, the learning system can work with it. For this the database needs to be updated on real-time basis. For non-real-time mode of operation, the learning system could be presented the new data as per the settings defined by the SA.
Centralized versus Decentralized Modes of Execution: The proposed model can be practiced both centralized as well as in decentralized modes. The differentiation arises in the modes of maintaining the reported event database. In a decentralized case, local copies of the databases need to be maintained at different sites and multiple instances of the model can execute at these sites concurrently by integrating with the local database copies. Multiple processes could adapt for the same type of the security event at different sites. However, in order for these processes to synchronize with each other for those security events, which are exclusively being handled at only one site, the corresponding process needs to send the latest model (Eq. (2)) to the other processes together with the copy of the history database. After receiving the model as well as the history database, other process could start adapting the model hence after - this step is generally known as model aggregation [BA03]
. For those types of security events, for which different processes at different sites have evolved different models, a possible way when two processes synchronize is to keep that model which possibly have evolved using larger number of reported security events till that moment. Such decision need to be taken by the SA on a case to case basis. Another alternative is to send the copy of the history database, which can be used by other process to adapt its own model further and then communicate the updated model back to the original process for future application.
4 Challenges, Limitations, and Alternatives
The primary challenge in realizing the approach is to deal with the dynamics of the factors which determine the criticality of a security event at a specific time point. The presented solution demands that from the beginning all the (measurable) factors affecting the criticality of a (possible) security event should be known (or at least from the time, when such event is first reported/observed.) This might be difficult to achieve in practice since new factors for the same event (type) might come to light only over a course of time and might change owing to (often uncertain) environmental factors e.g., introduction of new legal governmental policies etc. In such cases, estimates owing to RPLS for the regression coefficients for that security event might become incorrect for the future use - thus necessitating to restart the estimation process discarding the existing estimates. Another challenge is to ensure the reliability of the SA’s responses since this may well vary with the experience of the SA and might be different for different administrators. The final challenge is to ensure the numerical preciseness in measuring the values for various factors for a security event.
Apart from these challenges a statistical learning methodology has its own limitations. One limitation is that it can not work with symbolic or linguistic information. For example, at times it is possible that a SA applies certain meta rules instead of the meta factors considered in this work. Such meta rules might not be expressible using only the factor or the linear factorial model. However, there are approaches proposed in the literature for overcoming this limitation e.g., Fuzzy Sets [KY95]. A potential extension to the presented model could be considered as fuzzy RPLS regression approach [Sav91].
Next, let us discuss some of the possible alternative models for defining (1): Under the linear modeling framework only plausible way to alternatively model term is to make the model dynamically add explicit new measures for meta factors in the set as and when they are identified by the SA and further include these factors suitably in the linear summation term . Such an approach would necessarily demand adequate technical know-how on the linear modeling approaches on the part of the SAs. It is also possible that the actual underlying model of the specification Eq. (1) is a non-linear model on , which will invariably result into prediction errors when using a linear model as in Eq. (2).
term also may not be sufficient to capture the effect of such non-linearities. In such cases adoption of a non-linear learning model (e.g., Neural Networks[Hay08]SC08] etc.) in place of the linear summation term in Eq. (2) is possibly necessary. Even with these non-linear predictive models, it is possible that there are meta-factors present in the environment, for which term might be required as an approximate measure.
There are alternatives to RPLS estimation as well. For example, state space based models [DK01] can be used when auto-correlations exist in the time-series for environmental factors in . These state space models can be either deterministic or stochastic in nature. Similarly there are non-linear alternative to PLS, e.g., kernel-PLS [LGW93], which can be used in Algorithm 1, in particular, in steps [R1] and [R2].
It is important to add that, apart from the simplicity, a linear model is often a preferred choice for its explanatory property. This means, if a SA intends to know how the system has arrived at a a specific priority level, the factorial analysis would generally provide an easily comprehensible explanation extracted from the linear model when compared to other modeling approaches, in particular, the non-linear ones.
5 Conclusion and Further Work
We have presented a method for designing an adaptive system to prioritize reported security events. This prioritization might eventually result into dashboard display indicating the degree of criticality of the reported events in order to generate an optimal response. The proposed method specifies design of an adaptive learning system as a linear model employing the factorial analysis of the security events in terms of all the organization specific measurable factors associated with these events. Furthermore, we specify a method for estimating and learning global context sensitive meta-knowledge employed by the security expert for assigning relative priorities to the security events, which otherwise are difficult to capture in a factorial model. The system can identify the possible presence of global context sensitive knowledge used by a SA for optimizing the responses to the security events and in turn can use that in future.
Owing to the optimality of the RPLS technique and the averaging definition given to the factor in terms of the historical response data, the overall system optimally minimizes the overall error as compared to the SA’s responses in an asymptotic sense. By nature, it is difficult to acquire data for empirically evaluating performance of the presented system (e.g., convergence rate, average error rate etc.) unless a fully operational tool realizing the model is deployed in a relatively large organization. So the expectation is that by design the model should be correct and optimality of the parameter estimation should follow from the theoretical grounds. A formal proof towards establishing these performance parameters need to be considered in future together with using the data generated from the deployment of the model in a realistic scenario.
- [AASB08] K. Alsubhi, E. Al-Shaer, and R. Boutaba. Alert prioritization in Intrusion Detection Systems. In Proc. of the IEEE Network Operations and Management Symposium, pages 33–40. IEEE, 2008.
- [BA03] Z. Barutguoglu and E. Alpaydin. A Comparison of Model Aggregation Methods for Regression. In Proc. of the 13 ICANN/ICONIP, volume 2714 of LNCS, pages 76–83. Springer, 2003.
- [Bis03] Matt Bishop. Computer Security: Art and Science. Addison Wesley, 1st edition, 2003.
- [BRS09] A. Barth, B.I.P. Rubinstein, M. Sundararajan, J.C. Mitchell, D. Song, and P.L. Bartlett. A Learning-Based Approach to Reactive Security. Arxiv preprint arXiv:0912.1155, 2009.
- [CPWA03] J. Cohen, Cohen P., S.G. West, and L.S. Aiken. Applied Multiple Regression/Correlation Analysis for the Behavioral Sciences. Lawrence Erlbaum Associates, Hillsdale, NJ, 2nd edition, 2003.
- [CRY08] H. Cavusoglu, S. Raghunathan, and W.T. Yue. Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25(2):281–304, 2008.
- [DK01] J. Durbin and S.J. Koopman. Time Series Analysis by State Space Methods. Oxford Univ Press, 2001.
N.R. Draper and H. Smith.
Applied Regression Analysis.
Wiley Series in Probability and Statistics. Addison Wesley, 1998.
- [Hay08] S. Haykin. Neural Networks: a Comprehensive Foundation. Prentice Hall, 2008.
- [KV00] J. Koene and H. Vedam. Alarm management and rationalization. In Proc. of the 3rd International Conference on Loss Prevention, 2000.
- [KY95] G.J. Klir and B. Yuan. Fuzzy sets and fuzzy logic: theory and applications. Prentice Hall Upper Saddle River, NJ, 1995.
- [LBB09] Michael E. Locasto, Matthew Burnside, and Darrell Bethea. Pushing Boulders Uphill: The Difficulty of Network Intrusion Recovery. In Proc. of the 23rd Large Installation System Administration Conference, pages 1–13. USENIX Association, 2009.
- [LGW93] F. Lindgren, P. Geladi, and S. Wold. The kernel algorithm for PLS. Journal of Chemometrics, 7:45–45, 1993.
- [LW05] K.W. Lye and J.M. Wing. Game strategies in network security. International Journal of Information Security, 4(1):71–86, 2005.
- [MKB07] R. Miura-Ko and N. Bambos. SecureRank: A risk-based vulnerability management scheme for computing infrastructures. In Proc. of IEEE International Conference on Communications, pages 1455–1460. IEEE, 2007.
- [Qin98] S. J. Qin. Recursive PLS Algorithms for Adaptive Data Modeling. Computers and Chemical Engineering, 22(4/5):503–514, 1998.
- [Rea97] JT Reason. Managing the Risks of Organizational Accidents. Ashgate Publishing, 1997.
- [Sav91] D. Savic. Evaluation of fuzzy linear regression models. Fuzzy Sets and Systems, 39(1):51–63, 1991.
- [SC08] I. Steinwart and A. Christmann. Support Vector Machines. Springer Verlag, 2008.