Author List: Ji, Yonghua; Kumar, Subodha; Mookerjee, Vijay S.
Information Systems Research, 2016, Volume 27, Issue 4, Pages 897-918.
We study operational and managerial problems arising in the context of security monitoring where sessions, rather than raw individual events, are monitored to prevent attacks. The objective of the monitoring problem is to maximize the benefit of monitoring minus the monitoring cost. The key trade-off in our model is that as more sessions are monitored, the attack costs should decrease. However, the monitoring cost would likely increase with the number of sessions being monitored. A key step in solving the problem is to derive the probability density of a system with n sessions being monitored with a session's age measured as the time elapsed since it last generated a suspicious event. We next optimize the number of sessions monitored by trading off the attack cost saved with the cost of monitoring. A profiling step is added prior to monitoring and a resulting two-dimensional optimization problem is studied. Through numerical simulation, we find that a simple size-based policy is quite robust for a very reasonable range of values and, under typical situations, performs almost as well as the two more sophisticated policies do. Also, we find that adopting a simplified policy without using the option of managing sessions using age threshold can greatly increase the ease of finding an optimal solution, and reduce operational overhead with little performance loss compared with a policy using such an option. The insights gained from the mechanics of profiling and monitoring are leveraged to suggest a socially optimal contract for outsourcing these activities in a reward-based contract. We also study penalty-based contracts. Such contracts (specifically, when the penalty is levied as a percentage of the monthly service fee) do not achieve the social optimum. We show how an appropriate penalty coefficient can be chosen to implement a socially optimal penalty-based contract. In addition, we provide a high-level comparison between reward- and penalty-based contracts. 
In a penalty-based contract, the setting of the fixed payment can be challenging because it requires additional knowledge of the total expected malicious event rate, which needs to be observed through a period of no monitoring.
Keywords: IT security; monitoring and profiling; outsourcing; optimization

List of Topics

#40 0.370 increased increase number response emergency monitoring warning study reduce messages using reduced decreased reduction decrease act sessions cost good key
#97 0.120 set approach algorithm optimal used develop results use simulation experiments algorithms demonstrate proposed optimization present analytical distribution selection number existing
#70 0.114 contract contracts incentives incentive outsourcing hazard moral contracting agency contractual asymmetry incomplete set cost client parties examine effort structures double
#73 0.064 security threat information users detection coping configuration avoidance response firm malicious attack intrusion appraisal countermeasures benefit costs threats ability rate
#151 0.059 costs cost switching reduce transaction increase benefits time economic production transactions savings reduction impact services reduced affect expected optimal associated
#31 0.055 problem problems solution solving problem-solving solutions reasoning heuristic theorizing rules solve general generating complex example formulation heuristics effective given finding