• DocumentCode
    3132146
  • Title

    Dynamic intrusion detection in resource-constrained cyber networks

  • Author

    Liu, Keqin ; Zhao, Qing

  • Author_Institution
    Electr. & Comput. Eng., Univ. of California, Davis, CA, USA
  • fYear
    2012
  • fDate
    1-6 July 2012
  • Firstpage
    970
  • Lastpage
    974
  • Abstract
    We consider a large-scale cyber network with N components. Each component is either in a healthy state (0) or an abnormal state (1). Due to intrusions, the state of each component transits from 0 to 1 over time according to an arbitrary stochastic process. At each time, a subset of K (K < N) components are probed and those observed in abnormal states are fixed. The objective is to design a dynamic probing strategy that minimizes the long-term network cost incurred at all abnormal components. We formulate the problem as a Restless Multi-Armed Bandit (RMAB) process. We show that this class of RMAB is indexable and Whittle index can be obtained in closed-form. For homogeneous networks, we show that Whittle index policy achieves the optimal performance with a simple structure that does not require any prior knowledge on the intrusion processes.
  • Keywords
    security of data; stochastic processes; N components; RMAB process; Whittle index policy; arbitrary stochastic process; dynamic intrusion detection; dynamic probing strategy; large-scale cyber network; resource-constrained cyber networks; restless multiarmed bandit process; Complexity theory; Dynamic scheduling; Equations; Indexes; Intrusion detection; Probes; Stochastic processes;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Theory Proceedings (ISIT), 2012 IEEE International Symposium on
  • Conference_Location
    Cambridge, MA
  • ISSN
    2157-8095
  • Print_ISBN
    978-1-4673-2580-6
  • Electronic_ISBN
    2157-8095
  • Type

    conf

  • DOI
    10.1109/ISIT.2012.6284708
  • Filename
    6284708