DocumentCode
124390
Title
Risk-driven aggregation and transmission prioritization of cyber alerts over mobile networks
Author
Cam, Hasan ; Mouallem, Pierre
Author_Institution
Network Sci. Div., Army Res. Lab., Adelphi, MD, USA
fYear
2014
fDate
3-6 Feb. 2014
Firstpage
58
Lastpage
62
Abstract
Alert aggregation in mobile networks plays an important role in mitigating the adverse impact of alert generation by reducing the amount of communication and security data to be transmitted. However, the bandwidth necessary to transmit all aggregated alerts is not guaranteed to be available, which usually results in the transmission of only a portion of the alerts, while the others are discarded or queued. Transmitting insufficient alert information hinders correct decisions about attacks and thereby compromises network security. In order to maximize the benefits of data aggregation while minimizing the impact of partial alerts, this paper presents a risk-driven real-time transmission prioritization technique for implementing lossy and lossless aggregation of cyber alerts. Lossy alert aggregation and transmission are managed adaptively by prioritizing and transmitting aggregated alerts according to the risk assessment of those alerts. This paper also presents a risk-driven utilization model that further adapts the aggregation and prioritization in response to dynamic network conditions. The performance of the proposed techniques is evaluated by running simulations on data collected from a mobile network. Simulation results for the aggregation of raw alerts show an average reduction of 51% in data storage space and bandwidth usage.
Keywords
mobile computing; security of data; alert aggregation; alert generation; alert information; cyber alerts; data aggregation; lossless aggregation; lossy aggregation; lossy alert aggregation; mobile networks; partial alerts; real-time transmission prioritization technique; risk driven aggregation prioritization; risk driven utilization model; security data; Aggregates; Bandwidth; Intrusion detection; Mobile communication; Mobile computing; Propagation losses; Alert Aggregation; Cyber Security; Intrusion Detection System; Mobile Networks; Transmission Prioritization;
fLanguage
English
Publisher
ieee
Conference_Titel
Computing, Networking and Communications (ICNC), 2014 International Conference on
Conference_Location
Honolulu, HI
Type
conf
DOI
10.1109/ICCNC.2014.6785305
Filename
6785305