Using temporal probabilistic logic for optimal monitoring of security events with limited resources

Sushil Jajodia, Noseong Park, Edoardo Serra, V. S. Subrahmanian

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

Abstract

Managed security services (MSS) are becoming increasingly popular today. In MSS, enterprises contract a security firm such as Symantec or IBM to manage the security of their enterprise network. MSS vendors therefore have a small pool of cybersecurity analysts who must monitor many different alerts. In this paper, we study the problem of allocating cybersecurity analysts to alerts generated by intrusion detection systems and other security software. In particular, given an enterprise network (or set of enterprise networks), information about the value of the assets stored at each node (e.g. computer, router) in the network, and the probabilities of compromising a neighbor of a compromised vertex, we show that annotated probabilistic temporal (APT) logic programs allow a defender to express knowledge about the network that captures the probabilities that different nodes will be attacked. In addition, certain APT logic computations, in conjunction with a Stackelberg game-theoretic formalization, enable us to capture the attacker's maximal probability of success as well as his ability to maximize damage. We show how the defender can compute optimal allocations of tasks to cybersecurity analysts, taking into account both the network information and a behavioral model of the attacker. We prove correctness and complexity theorems for both the attacker and the defender. We develop a prototype implementation of three algorithms for the defender that optimize the defender's objectives and show that these algorithms work well on realistic network sizes.
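The following is an added illustration of the problem structure the abstract describes, not code from the paper: it does not implement APT logic programs, only the underlying leader/follower (Stackelberg) allocation problem on a toy network. The network, asset values and edge compromise probabilities are constructed for this example, and the containment model (an analyst watching a node catches its compromise, so that node yields no damage and the attack does not spread through it) is an assumption chosen here, not the paper's model. Expected damage is computed exactly by enumerating every edge outcome, which is fine for a handful of edges but is not how the paper scales to realistic network sizes.

```python
import itertools
from typing import Dict, FrozenSet, List, Tuple

# Constructed toy enterprise network (an assumption for this example, not a
# network from the paper): node -> value of the assets stored on it.
ASSET_VALUE: Dict[str, float] = {"web": 1.0, "app": 4.0, "hr": 6.0, "db": 10.0}

# Directed edges (src, dst, p): once src is compromised, the attacker
# compromises dst with probability p, independently per edge (assumption).
EDGES: List[Tuple[str, str, float]] = [
    ("web", "app", 0.8),
    ("app", "db", 0.5),
    ("web", "hr", 0.4),
    ("hr", "db", 0.9),
]


def _reached(entry: str, succeeded: List[Tuple[str, str, float]],
             monitored: FrozenSet[str]) -> FrozenSet[str]:
    """Nodes the attacker ends up controlling for one edge outcome.

    A monitored node is assumed to be contained as soon as it is hit, so it
    contributes no damage and the attack does not propagate through it.
    """
    if entry in monitored:
        return frozenset()
    reached = {entry}
    frontier = [entry]
    while frontier:
        node = frontier.pop()
        for src, dst, _ in succeeded:
            if src == node and dst not in reached and dst not in monitored:
                reached.add(dst)
                frontier.append(dst)
    return frozenset(reached)


def expected_damage(entry: str, monitored: FrozenSet[str]) -> float:
    """Exact expected damage: enumerate all 2^|E| edge outcomes and weight each
    by its probability (only practical for toy-sized networks)."""
    total = 0.0
    for outcome in itertools.product((True, False), repeat=len(EDGES)):
        weight = 1.0
        succeeded = []
        for (src, dst, p), ok in zip(EDGES, outcome):
            weight *= p if ok else 1.0 - p
            if ok:
                succeeded.append((src, dst, p))
        damage = sum(ASSET_VALUE[n] for n in _reached(entry, succeeded, monitored))
        total += weight * damage
    return total


def attacker_best_response(monitored: FrozenSet[str]) -> Tuple[str, float]:
    """The attacker (follower) observes which nodes analysts watch and picks
    the entry node that maximizes expected damage."""
    return max(((n, expected_damage(n, monitored)) for n in ASSET_VALUE),
               key=lambda t: t[1])


def defender_allocation(num_analysts: int) -> Tuple[FrozenSet[str], str, float]:
    """The defender (leader) commits to which nodes its analysts watch,
    minimizing the damage the attacker's best response can then achieve.
    Returns (monitored nodes, attacker's best entry, resulting expected damage)."""
    best = None
    for combo in itertools.combinations(sorted(ASSET_VALUE), num_analysts):
        monitored = frozenset(combo)
        entry, dmg = attacker_best_response(monitored)
        if best is None or dmg < best[2]:
            best = (monitored, entry, dmg)
    return best


if __name__ == "__main__":
    print("no monitoring, attacker best response:", attacker_best_response(frozenset()))
    for k in (1, 2):
        print(f"{k} analyst(s):", defender_allocation(k))
```

With no analysts the attacker's best entry is `hr` (expected damage 15.0, since `hr` reaches `db` with probability 0.9); with one analyst the defender should watch `db`, after which the attacker's best entry becomes `web` at 6.6; with two analysts the defender watches `db` and `hr`, leaving 4.2. The point of the exercise is the ordering of decisions: the defender optimizes against the attacker's reply to the allocation, not against the attacker's unconstrained favourite target.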

Original language: English
Pages (from-to): 735-791
Number of pages: 57
Journal: Journal of Computer Security
Volume: 24
Issue number: 6
Publication status: Published - 2016

Bibliographical note

Funding Information:
Parts of this work were funded by the Army Research Office grants W911NF11103, W911NF09102, W911NF-13-1-0421, and W911NF-13-1-0317, by the Office of Naval Research grants N00014-13-1-0703 and N00014-15-1-2007, and by the Maryland Procurement Office contract H98230-14-C-0137.

Publisher Copyright:
© 2016 - IOS Press and the authors. All rights reserved.

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Computer Networks and Communications
