Using temporal probabilistic logic for optimal monitoring of security events with limited resources

Sushil Jajodia*, Noseong Park, Edoardo Serra, V. S. Subrahmanian

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

6 Scopus citations


Managed security services (MSS) are becoming increasingly popular today. In MSS, enterprises contract a security firm such as Symantec or IBM to manage the security of their enterprise network. MSS vendors thus have a small pool of cybersecurity analysts who must monitor many different alerts. In this paper, we study the problem of allocating cybersecurity analysts to alerts generated by intrusion detection systems and other security software. In particular, given an enterprise network (or set of enterprise networks), information about the value of the assets stored at each node (e.g. computer, router) in the network, and the probabilities of compromising a neighbor of an already compromised vertex, we show that annotated probabilistic temporal (APT) logic programs allow a defender to express knowledge about the network that captures the probabilities that different nodes will be attacked. In addition, certain APT logic computations, in conjunction with a Stackelberg game theoretic formalization, enable us to capture the attacker's maximal probability of success as well as his ability to maximize damage. We show how the defender can come up with optimal allocations of tasks to cybersecurity analysts, taking into account both the network information and a behavioral model of the attacker. We show correctness and complexity theorems for both the attacker and the defender. We develop a prototype implementation of three algorithms for the defender that optimize the defender's objectives and show that these algorithms work well on realistic network sizes.

Original language: English (US)
Pages (from-to): 735-791
Number of pages: 57
Journal: Journal of Computer Security
Issue number: 6
State: Published - 2016
Externally published: Yes

Keywords

  • Enterprise systems
  • behavior modeling
  • computer security
  • logic programs

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Computer Networks and Communications
