Characterizing and Managing Intrusion Detection System (IDS) Alerts with Multi-Server/Multi-Priority Queuing Theory
AIR FORCE INSTITUTE OF TECHNOLOGY WRIGHT-PATTERSON AFB OH GRADUATE SCHOOL OF ENGINEERING AND MANAGEMENT
Pagination or Media Count:
The DoD sets forth an objective to employ an active cyber defense capability to prevent intrusions onto DoD networks and systems. Intrusion Detection Systems IDS are a critical part of network defense architectures, but their alerts can be difficult to manage. This research applies Queuing Theory to the management of IDS alerts, seeking to answer how analysts and priority schemes effect alert processing performance. To characterize the effect of these two variables on queue wait times, a MATLAB simulation was developed to allow parametric analysis under two scenarios. The first varies the number of analysts and the second varies the number of alert priority levels. Results indicate that two analysts bring about drastic improvements a 41 decrease in queue wait times from 116.1 to 49.8 minutes compared to a single analyst, due to the reduced potential for bottlenecks, with diminishing returns thereafter. In the second scenario, it was found that three priority levels are sufficient to realize the benefits of prioritization, and that a five level priority scheme did not result in shorter wait queue times for Priority 1 alerts. Queuing models offer an effective approach to make IDS resource decisions in keeping with DoD goals for Active Cyber Defense.
- Computer Systems Management and Standards