Understanding Tradeoffs Between Throughput, Quality, and Cost of Alert Analysis in a CSOC

You are here

Top Reasons to Join SPS Today!

1. IEEE Signal Processing Magazine
2. Signal Processing Digital Library*
3. Inside Signal Processing Newsletter
4. SPS Resource Center
5. Career advancement & recognition
6. Discounts on conferences and publications
7. Professional networking
8. Communities for students, young professionals, and women
9. Volunteer opportunities
10. Coming soon! PDH/CEU credits
Click here to learn more.

Understanding Tradeoffs Between Throughput, Quality, and Cost of Alert Analysis in a CSOC

Ankit Shah, Rajesh Ganesan, Sushil Jajodia, Hasan Cam

Intrusion detection systems (IDSs) analyze data that are collected by sensors, which monitor the network traffic. Any alert generated by the IDS is transmitted to a cybersecurity operations center (CSOC), which performs the important task of analyzing the alerts. In order to deliver a strong security against threats, an efficient CSOC requires the following characteristics: 1) all alerts must be analyzed in a timely manner; 2) there must be an ideal mix of analyst expertise levels in the organization because the quality of analysis performed depends on the mix; and 3) there must be adequate operating budget to hire the required number of analyst personnel. However, it is non-trivial for a CSOC manager to establish the parameter settings for the above characteristics for a desired CSOC efficiency, and current literature lacks a thorough analysis of the tradeoffs between them. This void is filled by this paper whose research objective is to develop an optimized tradeoff study model of the CSOC that studies and quantifies the interactions between the above characteristics, and to use the knowledge gained from the above study to provide the foundation principles to establish and operate an efficient CSOC. A constraint-optimization tradeoff study model is built to drive the decisions that optimize the above characteristics of the CSOC, which is then tested via several simulation runs of the alert arrival and service processes at the CSOC. The paper serves as the first step toward a unified tradeoff study model that integrates the throughput performance, the quality of analysis, and the cost metrics to design and establish an efficient CSOC. Results from the above optimization-simulation tests capture several valuable insights along with parameter settings of the metrics that explain how to operate an efficient CSOC, and quantifies the economic impact of scaling-up the CSOC operation.

SPS on Twitter

  • DEADLINE EXTENDED: The 2023 IEEE International Workshop on Machine Learning for Signal Processing is now accepting… https://t.co/NLH2u19a3y
  • ONE MONTH OUT! We are celebrating the inaugural SPS Day on 2 June, honoring the date the Society was established in… https://t.co/V6Z3wKGK1O
  • The new SPS Scholarship Program welcomes applications from students interested in pursuing signal processing educat… https://t.co/0aYPMDSWDj
  • CALL FOR PAPERS: The IEEE Journal of Selected Topics in Signal Processing is now seeking submissions for a Special… https://t.co/NPCGrSjQbh
  • Test your knowledge of signal processing history with our April trivia! Our 75th anniversary celebration continues:… https://t.co/4xal7voFER

IEEE SPS Educational Resources

IEEE SPS Resource Center

IEEE SPS YouTube Channel