{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,8,8]],"date-time":"2024-08-08T02:52:44Z","timestamp":1723085564623},"reference-count":20,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2023,1,22]],"date-time":"2023-01-22T00:00:00Z","timestamp":1674345600000},"content-version":"vor","delay-in-days":365,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"ONR","award":["N00014-18-1-2670, N00014-16-1-2896, and N00014-20-1-2407"]},{"name":"ARO","award":["W911NF-13-1-0421"]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2022,8,31]]},"abstract":"We propose PCAM, a Probabilistic Cyber-Alert Management framework that enables chief information security officers to better manage cyber-alerts. Workers in Cyber Security Operation Centers usually work in 8- or 12-hour shifts. Before a shift, PCAM analyzes data about all past alerts and true alerts during the shift time-frame to schedule a given set of analysts in accordance with workplace constraints so that the expected number of \u201cuncovered\u201d true alerts (i.e., true alerts not shown to an analyst) is minimized. PCAM achieves this by formulating the problem as a bi-level non-linear optimization problem and then shows how to linearize and solve this complex problem. We have tested PCAM extensively. Using statistics derived from 44 days of real-world alert data, we are able to minimize the expected number of true alerts that are not manually examined by a team consisting of junior, senior, and principal analysts. We are also able to identify the optimal mix of junior, senior, and principal analysts needed during both day and night shifts given a budget, outperforming some reasonable baselines. We tested PCAM\u2019s proposed schedule (from statistics on 44 days) on a further 6 days of data, using an off-the-shelf false alarm classifier to predict which alerts are real and which ones are false. Moreover, we show experimentally that PCAM is robust to various kinds of errors in the statistics used.","DOI":"10.1145\/3511101","type":"journal-article","created":{"date-parts":[[2022,1,23]],"date-time":"2022-01-23T06:39:00Z","timestamp":1642919940000},"page":"1-24","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["PCAM: A Data-driven Probabilistic Cyber-alert Management Framework"],"prefix":"10.1145","volume":"22","author":[{"given":"Haipeng","family":"Chen","sequence":"first","affiliation":[{"name":"Harvard University, Boston, MA"}]},{"given":"Andrew","family":"Duncklee","sequence":"additional","affiliation":[{"name":"Clark University, Worcester, MA"}]},{"ORCID":"http:\/\/orcid.org\/0000-0003-3210-558X","authenticated-orcid":false,"given":"Sushil","family":"Jajodia","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA"}]},{"given":"Rui","family":"Liu","sequence":"additional","affiliation":[{"name":"Dartmouth College, Hanover, NH"}]},{"given":"Sean","family":"Mcnamara","sequence":"additional","affiliation":[{"name":"Dartmouth College, Hanover, NH"}]},{"given":"V. S.","family":"Subrahmanian","sequence":"additional","affiliation":[{"name":"Northwestern University, Evanston, IL"}]}],"member":"320","published-online":{"date-parts":[[2022,1,22]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10951-017-0554-9"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.5555\/993483"},{"issue":"2","key":"e_1_3_3_4_2","first-page":"1","article-title":"Comprehensive survey on distance\/similarity measures between probability density functions","volume":"1","author":"Cha Sung-Hyuk","year":"2007","unstructured":"Sung-Hyuk Cha. 2007. Comprehensive survey on distance\/similarity measures between probability density functions. City 1, 2 (2007), 1.","journal-title":"City"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/NCS.2018.00008"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-32430-8_11"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCI.2013.6612403"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/VIZSEC.2017.8062200"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/2914795"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-30719-6_9"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2014.04.012"},{"key":"e_1_3_3_12_2","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-160555"},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3409224"},{"key":"e_1_3_3_14_2","article-title":"Crying Wolf: Combatting Cybersecurity Alert Fatigue","author":"Masters Greg","year":"2017","unstructured":"Greg Masters. June 9 2017. Crying Wolf: Combatting Cybersecurity Alert Fatigue. SC Magazine. Retrieved from https:\/\/www.scmagazine.com\/home\/security-news\/in-depth\/crying-wolf-combatting-cybersecurity-alert-fatigue\/.","journal-title":"SC Magazine"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.1080\/18756891.2013.802114"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSNW.2013.6615540"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-018-0407-3"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2018.2809506"},{"key":"e_1_3_3_19_2","article-title":"Adaptive alert management for balancing optimal performance among distributed CSOCs using reinforcement learning","author":"Shah Ankit","year":"2019","unstructured":"Ankit Shah, Rajesh Ganesan, Sushil Jajodia, Pierangela Samarati, and Hasan Cam. 2019. Adaptive alert management for balancing optimal performance among distributed CSOCs using reinforcement learning. IEEE Trans. Parallel Distrib. Syst. 31, 1 (2019), 16\u201333.","journal-title":"IEEE Trans. Parallel Distrib. Syst."},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSC.2016.90"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.promfg.2019.06.197"}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3511101","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3511101","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T18:51:59Z","timestamp":1672599119000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3511101"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,22]]},"references-count":20,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,8,31]]}},"alternative-id":["10.1145\/3511101"],"URL":"https:\/\/doi.org\/10.1145\/3511101","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,1,22]]},"assertion":[{"value":"2021-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-01-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
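The abstract above describes a two-level decision: choose a mix of junior, senior and principal analysts within a budget, then assign each analyst a shift that satisfies workplace constraints so that the expected number of uncovered true alerts is minimised. The Python below is an added worked example of that structure; it is not code from the paper or its authors and does not implement PCAM's probabilistic bi-level model or its linearisation. It uses a deliberately simple proxy objective, per hour max(0, expected true alerts minus on-duty triage capacity), and brute-forces shift starts and team mixes. The hourly alert rates, the 8-hour shift length, the three permitted shift-start hours, and the per-role capacities and costs are all constructed assumptions.

```python
"""Toy SOC shift scheduler: an added illustration of the objective in the PCAM
abstract (minimise expected uncovered true alerts under workplace constraints
and a budget). NOT the paper's bi-level formulation: the uncovered count is a
linear proxy, max(0, expected true alerts - capacity) per hour, and the search
is brute force over a small team. All numbers below are constructed."""
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

HOURS = 24
SHIFT_LEN = 8               # assumed 8-hour shifts
SHIFT_STARTS = (0, 8, 16)   # assumed workplace constraint: shifts start only here

# Constructed: mean true alerts per hour of day, as one would estimate from
# historical alert data (busy business hours, quiet nights).
EXPECTED_TRUE_ALERTS: List[float] = [
    1.0, 0.8, 0.6, 0.5, 0.5, 0.7, 1.2, 2.0,   # 00:00-07:59
    3.5, 4.5, 5.0, 5.0, 4.5, 5.0, 5.5, 5.0,   # 08:00-15:59
    4.0, 3.0, 2.5, 2.0, 1.8, 1.5, 1.2, 1.0,   # 16:00-23:59
]

# Assumed per role: (true alerts an analyst can examine per hour, hourly cost).
ANALYST_TYPES: Dict[str, Tuple[float, float]] = {
    "junior": (2.0, 1.0),
    "senior": (3.0, 1.8),
    "principal": (4.0, 2.5),
}

Schedule = List[Tuple[str, int]]   # (role, shift start hour)


def coverage(schedule: Sequence[Tuple[str, int]]) -> List[float]:
    """Total triage capacity on duty in each hour for the given schedule."""
    cap = [0.0] * HOURS
    for role, start in schedule:
        rate = ANALYST_TYPES[role][0]
        for k in range(SHIFT_LEN):
            cap[(start + k) % HOURS] += rate   # wraps past midnight
    return cap


def expected_uncovered(schedule: Sequence[Tuple[str, int]],
                       rates: Sequence[float] = EXPECTED_TRUE_ALERTS) -> float:
    """Proxy objective: true alerts expected to arrive beyond on-duty capacity."""
    cap = coverage(schedule)
    return sum(max(0.0, lam - c) for lam, c in zip(rates, cap))


def best_schedule(team: Sequence[str],
                  rates: Sequence[float] = EXPECTED_TRUE_ALERTS) -> Tuple[Schedule, float]:
    """Inner level: try every permitted shift start for every analyst and keep
    the assignment with the lowest expected uncovered count (first on ties)."""
    best: Optional[Tuple[Schedule, float]] = None
    for starts in product(SHIFT_STARTS, repeat=len(team)):
        sched = list(zip(team, starts))
        unc = expected_uncovered(sched, rates)
        if best is None or unc < best[1]:
            best = (sched, unc)
    if best is None:
        raise ValueError("no schedule found")
    return best


def team_cost(team: Sequence[str]) -> float:
    """Cost of staffing the team for one shift each."""
    return sum(ANALYST_TYPES[role][1] * SHIFT_LEN for role in team)


def best_mix(budget: float, max_per_role: int = 3,
             rates: Sequence[float] = EXPECTED_TRUE_ALERTS) -> Tuple[List[str], Schedule, float]:
    """Outer level: enumerate affordable junior/senior/principal mixes and
    schedule each one optimally. Returns (team, schedule, expected uncovered)."""
    roles = list(ANALYST_TYPES)
    best: Optional[Tuple[List[str], Schedule, float]] = None
    for counts in product(range(max_per_role + 1), repeat=len(roles)):
        team = [role for role, n in zip(roles, counts) for _ in range(n)]
        if not team or team_cost(team) > budget:
            continue
        sched, unc = best_schedule(team, rates)
        if best is None or unc < best[2]:
            best = (team, sched, unc)
    if best is None:
        raise ValueError("no team fits the budget")
    return best


if __name__ == "__main__":
    team, sched, unc = best_mix(budget=30.0)
    print(f"team={team} cost={team_cost(team):.1f} expected uncovered={unc:.2f}")
    for role, start in sched:
        print(f"  {role:9s} {start:02d}:00-{(start + SHIFT_LEN) % HOURS:02d}:00")
```

Running the module picks the best affordable mix for a budget of 30 cost units and prints its shift plan. The point worth noting is the nesting: the outer loop over team composition calls the inner scheduler for each candidate, which is the shape of the bi-level problem the abstract describes; on a realistic instance, or with a genuinely probabilistic objective, the inner brute force would be replaced by the kind of linearised program the paper solves.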