A game-theoretic approach for alert prioritization

Aron Laszka, Yevgeniy Vorobeychik, Daniel Fabbri, Chao Yan, Bradley Malin

Research output: Chapter in Book/Report/Conference proceedingConference contribution

10 Scopus citations

Abstract

The quantity of information that is collected and stored in computer systems continues to grow rapidly. At the same time, the sensitivity of such information (e.g., detailed medical records) often makes such information valuable to both external attackers, who may obtain information by compromising a system, and malicious insiders, who may misuse information by exercising their authorization. To mitigate compromises and deter misuse, the security administrators of these resources often deploy various types of intrusion and misuse detection systems, which provide alerts of suspicious events that are worthy of follow-up review. However, in practice, these systems may generate a large number of false alerts, wasting the time of investigators. Given that security administrators have limited budget for investigating alerts, they must prioritize certain types of alerts over others. An important challenge in alert prioritization is that adversaries may take advantage of such behavior to evade detection - specifically by mounting attacks that trigger alerts that are less likely to be investigated. In this paper, we model alert prioritization with adaptive adversaries using a Stackelberg game and introduce an approach to compute the optimal prioritization of alert types. We evaluate our approach using both synthetic data and a real-world dataset of alerts generated from the audit logs of an electronic medical record system in use at a large academic medical center.

Original languageEnglish (US)
Title of host publicationWS-17-01
Subtitle of host publicationArtificial Intelligence and Operations Research for Social Good; WS-17-02: Artificial Intelligence, Ethics, and Society; WS-17-03: Artificial Intelligence for Connected and Automated Vehicles; WS-17-04: Artificial Intelligence for Cyber Security; WS-17-05: Artificial Intelligence for Smart Grids and Buildings; WS-17-06: Computer Poker and Imperfect Information Games; WS-17-07: Crowdsourcing, Deep Learning and Artificial Intelligence Agents; WS-17-08: Distributed Machine Learning; WS-17-09: Joint Workshop on Health Intelligence; WS-17-10: Human-Aware Artificial Intelligence; WS-17-11: Human-Machine Collaborative Learning; WS-17-12: Knowledge-Based Techniques for Problem Solving and Reasoning; WS-17-13: Plan, Activity, and Intent Recognition; WS-17-14: Symbolic Inference and Optimization; WS-17-15: What's Next for AI in Games?
PublisherAI Access Foundation
Pages195-202
Number of pages8
ISBN (Electronic)9781577357865
StatePublished - 2017
Event31st AAAI Conference on Artificial Intelligence, AAAI 2017 - San Francisco, United States
Duration: Feb 4 2017Feb 10 2017

Publication series

NameAAAI Workshop - Technical Report
VolumeWS-17-01 - WS-17-15

Other

Other31st AAAI Conference on Artificial Intelligence, AAAI 2017
Country/TerritoryUnited States
CitySan Francisco
Period2/4/172/10/17

All Science Journal Classification (ASJC) codes

  • General Engineering

Fingerprint

Dive into the research topics of 'A game-theoretic approach for alert prioritization'. Together they form a unique fingerprint.

Cite this