Date of Award

12-26-2014

Document Type

Thesis

Degree Name

Master of Science in Systems Engineering

Department

Department of Systems Engineering and Management

First Advisor

John M. Colombi, PhD.

Abstract

The DoD sets forth an objective to employ an active cyber defense capability to prevent intrusions onto DoD networks and systems. Intrusion Detection Systems (IDS) are a critical part of network defense architectures, but their alerts can be difficult to manage. This research applies Queuing Theory to the management of IDS alerts, seeking to answer how the number of analysts and the priority scheme affect alert processing performance. To characterize the effect of these two variables on queue wait times, a MATLAB simulation was developed to allow parametric analysis under two scenarios. The first varies the number of analysts and the second varies the number of alert priority levels. Results indicate that two analysts bring about drastic improvements (a 41% decrease) in queue wait times (from 116.1 to 49.8 minutes) compared to a single analyst, due to the reduced potential for bottlenecks, with diminishing returns thereafter. In the second scenario, it was found that three priority levels are sufficient to realize the benefits of prioritization, and that a five-level priority scheme did not result in shorter queue wait times for Priority 1 alerts. Queuing models offer an effective approach to make IDS resource decisions in keeping with DoD goals for Active Cyber Defense.
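As an added illustration of the two scenarios the abstract describes (not code from the thesis, which used MATLAB), the following Python script simulates a non-preemptive priority queue of IDS alerts served by a pool of analysts and reports mean queue wait per priority level. The arrival rate, mean service time and uniform priority mix are assumed values, so the wait times it prints are not the thesis's results.

```python
import heapq
import random
from collections import defaultdict

def generate_alerts(n, arrival_rate, mean_service, n_priorities, seed=7):
    """Build one constructed workload of IDS alerts as (arrival, priority, service) tuples.

    Inter-arrival and service times are exponential (an M/M/c assumption); priorities are
    drawn uniformly from 1 (most urgent) to n_priorities. Reusing the same workload for
    each analyst count compares the scenarios on identical alerts.
    """
    rng = random.Random(seed)
    t, alerts = 0.0, []
    for _ in range(n):
        t += rng.expovariate(arrival_rate)
        alerts.append((t, rng.randint(1, n_priorities), rng.expovariate(1.0 / mean_service)))
    return alerts

def simulate(alerts, num_analysts):
    """Serve alerts with num_analysts (highest priority first, FIFO within a level).
    Returns mean wait in minutes per priority level (keys 1..k) and under 'overall'."""
    free_at = [0.0] * num_analysts   # heap: time at which each analyst next becomes free
    waiting = []                     # heap of (priority, arrival, service); arrival breaks ties
    waits = defaultdict(list)
    i = 0
    while i < len(alerts) or waiting:
        free_time = free_at[0]
        # every alert that arrived while all analysts were busy joins the priority queue
        while i < len(alerts) and alerts[i][0] <= free_time:
            t, prio, svc = alerts[i]
            heapq.heappush(waiting, (prio, t, svc))
            i += 1
        if not waiting:              # an analyst is idle: the next arrival is taken at once
            t, prio, svc = alerts[i]
            heapq.heappush(waiting, (prio, t, svc))
            i += 1
        prio, arrived, svc = heapq.heappop(waiting)
        start = max(free_time, arrived)
        heapq.heapreplace(free_at, start + svc)   # that analyst is busy until service ends
        waits[prio].append(start - arrived)
    result = {p: sum(w) / len(w) for p, w in waits.items()}
    result["overall"] = sum(map(sum, waits.values())) / len(alerts)
    return result

if __name__ == "__main__":
    # Scenario 1: vary the analyst count with three priority levels (assumed rates, in minutes).
    alerts = generate_alerts(4000, arrival_rate=1 / 12, mean_service=8.0, n_priorities=3)
    for analysts in (1, 2, 3):
        print("%d analyst(s): mean wait %.1f min" % (analysts, simulate(alerts, analysts)["overall"]))
    # Scenario 2: vary the number of priority levels with one analyst; watch Priority 1.
    for levels in (1, 3, 5):
        print("%d level(s): Priority 1 wait %.1f min" % (levels, simulate(generate_alerts(4000, 1 / 12, 8.0, levels), 1)[1]))
```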

AFIT Designator

AFIT-ENV-MS-14-D-24

DTIC Accession Number

ADA612469
