Understanding Tradeoffs Between Throughput, Quality, and Cost of Alert Analysis in a CSOC

By: Ankit Shah, Rajesh Ganesan, Sushil Jajodia, Hasan Cam

Intrusion detection systems (IDSs) analyze data collected by sensors that monitor network traffic. Every alert the IDS generates is forwarded to a cybersecurity operations center (CSOC), whose core task is to analyze those alerts. To deliver strong security against threats, an efficient CSOC requires the following: 1) all alerts must be analyzed in a timely manner; 2) the organization must have an appropriate mix of analyst expertise levels, because the quality of analysis depends on that mix; and 3) the operating budget must be adequate to hire the required number of analysts. However, it is non-trivial for a CSOC manager to set the parameters of these three characteristics for a desired level of CSOC efficiency, and the current literature lacks a thorough analysis of the tradeoffs among them. This paper fills that void: its research objective is to develop an optimized tradeoff study model of the CSOC that studies and quantifies the interactions between the above characteristics, and to use the knowledge gained to provide foundation principles for establishing and operating an efficient CSOC. A constraint-optimization tradeoff study model is built to drive the decisions that optimize these characteristics; it is then tested via several simulation runs of the alert arrival and service processes at the CSOC. The paper serves as a first step toward a unified tradeoff study model that integrates throughput performance, quality of analysis, and cost metrics to design and establish an efficient CSOC. Results from the optimization-simulation tests yield several valuable insights, along with parameter settings of the metrics that explain how to operate an efficient CSOC, and quantify the economic impact of scaling up the CSOC operation.
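The abstract describes the structure of the study (a constraint optimization over analyst mix, checked against simulated alert arrival and service) but, being an abstract, gives none of its parameters. The following is an added illustration, not the authors' model or code: a toy discrete-event simulation of one CSOC shift with a brute-force search over analyst mixes. Every number in it is a hypothetical assumption (Poisson alert arrivals, deterministic per-level service times, a fixed quality score per expertise level, hourly wages, the one-hour analysis deadline, and the rule that an alert goes to whichever analyst is free first); the point is only to make the throughput/quality/cost tradeoff concrete.

```python
"""Toy CSOC staffing tradeoff: simulate alert arrival/service for one shift,
score a given analyst mix on throughput (timeliness), quality, and cost, then
brute-force the best mix under a budget and a timeliness target.
Added example; all parameters below are hypothetical, not values from the paper."""
import itertools
import random
from dataclasses import dataclass

# Hypothetical analyst expertise levels: deterministic service time per alert
# (hours), quality score assigned to an alert handled at that level, hourly cost.
LEVELS = {
    "junior": {"service_h": 0.50, "quality": 0.70, "cost_per_h": 50.0},
    "mid":    {"service_h": 0.33, "quality": 0.85, "cost_per_h": 80.0},
    "senior": {"service_h": 0.25, "quality": 0.95, "cost_per_h": 120.0},
}


@dataclass
class Metrics:
    timely_fraction: float  # throughput: share of alerts finished within the deadline
    mean_quality: float     # quality: mean level score of the analysts that handled alerts
    cost: float             # cost: analyst wages for the shift
    alerts: int             # number of alerts that arrived during the shift


def simulate(mix, arrival_rate, shift_hours, deadline_h, seed=1):
    """Simulate one shift. mix = {level: headcount}. Alerts arrive as a Poisson
    process (exponential inter-arrival times), are served FIFO, and each goes to
    the analyst who becomes free first (assumed dispatch rule)."""
    pool = [(0.0, lvl) for lvl, n in mix.items() for _ in range(n)]  # (free_at, level)
    if not pool:
        raise ValueError("at least one analyst is required")
    rng = random.Random(seed)  # seeded so a run is reproducible
    t, timely, quality_sum, count = 0.0, 0, 0.0, 0
    while True:
        t += rng.expovariate(arrival_rate)  # next alert arrival time
        if t > shift_hours:
            break
        count += 1
        i = min(range(len(pool)), key=lambda k: pool[k][0])  # earliest-free analyst
        free_at, lvl = pool[i]
        start = max(t, free_at)                 # queue until that analyst is free
        done = start + LEVELS[lvl]["service_h"]
        pool[i] = (done, lvl)
        if done - t <= deadline_h:              # arrival-to-completion within deadline
            timely += 1
        quality_sum += LEVELS[lvl]["quality"]
    cost = sum(n * LEVELS[lvl]["cost_per_h"] * shift_hours for lvl, n in mix.items())
    if count == 0:  # an empty shift is trivially timely
        return Metrics(1.0, 0.0, cost, 0)
    return Metrics(timely / count, quality_sum / count, cost, count)


def best_mix(budget, min_timely, arrival_rate, shift_hours, deadline_h,
             max_per_level=6, seed=1):
    """Brute-force constraint optimisation over headcounts: among mixes whose cost
    fits the budget and whose timely fraction meets the target, return the one
    with the highest mean quality (ties broken by lower cost), or None."""
    best = None
    for counts in itertools.product(range(max_per_level + 1), repeat=len(LEVELS)):
        if sum(counts) == 0:
            continue
        mix = dict(zip(LEVELS, counts))
        m = simulate(mix, arrival_rate, shift_hours, deadline_h, seed)
        if m.cost > budget or m.timely_fraction < min_timely:
            continue
        key = (m.mean_quality, -m.cost)
        if best is None or key > best[0]:
            best = (key, mix, m)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    # Constructed scenario: 10 alerts/hour, 8-hour shift, 1-hour analysis deadline.
    for mix in ({"junior": 6}, {"mid": 4}, {"senior": 3}, {"junior": 2, "senior": 2}):
        print(mix, simulate(mix, 10, 8, 1.0))
    print("best under budget 3000, >=80% timely:", best_mix(3000, 0.8, 10, 8, 1.0))
```

Raising the arrival rate or tightening the deadline pushes the search toward more (or faster) analysts, while lowering the budget forces it to trade quality for headcount; that is the interaction the abstract says the paper quantifies, here reduced to a few dozen lines that can be changed and re-run.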
