Prioritization In Sequential Decision-Making Under Uncertainty In Cyber Security Applications


This dissertation comprises three studies exploring the general topic of cyber security investigations, with a focus on identifying malicious elements such as vulnerabilities, techniques used by attackers, and poisoning examples. The objective of these studies is to develop enhanced policies, superior prioritization methods, and improved strategies for conducting such investigations. The first study is empirical, while the second and third studies develop mathematical models. The first study focuses on bug bounty programs, which are initiatives set up by organizations to encourage external security researchers to find security vulnerabilities or bugs in their products. However, it remains difficult to measure the benefits of bug bounty programs. The findings show the benefit of leveraging the collective expertise of external security experts. The second study addresses the challenge of prioritizing cyber-forensic investigation techniques so that investigators can promptly discover how threat actors breached security during a cyber security incident. The goal is to assess the impact of the incident and develop countermeasures to protect against further attacks. This study formulates the decision-support problem as a Markov decision process and employs a k-nearest-neighbor-based Monte Carlo tree search method. The method outperforms state-of-the-art decision support in terms of benefit obtained per unit of effort spent. The third study investigates the detection of poisoned examples in deep learning datasets, which can pose serious threats to models trained on contaminated data. It introduces a principled defense approach that uses active search to identify poisoned elements crafted through targeted data poisoning attacks. The proposed method outperforms the two state-of-the-art defense methods in terms of attack success rate. It is also successful in detecting poisoned examples while investigating only a small portion of the contaminated dataset.
In conclusion, these data-driven studies offer valuable insights to cyber security investigators, enabling them to improve policies, prioritize effectively, and develop better strategies. Furthermore, they consider the cost-benefit tradeoff to optimize resource allocation. The bug bounty program study helps organizations develop a policy for running these programs that increases the benefits they obtain from them, while the cyber-forensic investigation study and the study of poisoned examples seek to minimize effort while maximizing the benefit obtained.

Prioritization, decision under uncertainty, cost-benefit tradeoff
Portions of this document appear in: Atefi S, Sivagnanam A, Ayman A, Grossklags J, Laszka A. The benefits of vulnerability discovery and bug bounty programs: Case studies of Chromium and Firefox. In: Proceedings of the ACM Web Conference 2023, 30 Apr 2023, pp. 2209-2219; and in: Atefi S, Panda S, Panaousis E, Laszka A. Principled data-driven decision support for cyber-forensic investigations. In: Proceedings of the AAAI Conference on Artificial Intelligence, 26 Jun 2023, Vol. 37, No. 4, pp. 5010-5017.