Decision Analysis in Network Security

Yu Wang (Yale University, USA)
DOI: 10.4018/978-1-59904-708-9.ch011

Abstract

Decision analysis, a derivative of game theory, was introduced by Von Neumann in the early 1920s and was adopted in Economics in the late 1940s (Von Neumann and Morgenstern, 1947). It is a systematic, quantitative approach for assessing the relative value of one or more different decision options based on existing and new information and knowledge. Figure 11.1 shows a general decision-making process graphically. Network security involves both offline and online decision-making processes. The offline decision-making process involves fundamental security issues, such as determining the thresholds of classification, selecting sampling methods and sampling sizes for collecting network traffic, and deciding baseline patterns for profiling. Offline decisions usually require more statistical analyses and take more time to reach not just a reasonable, good or better solution, but the “best” solution. The online decision-making process, however, usually requires a quick response, which could make it more difficult to achieve a good solution. For instance, when an alarm emerges, an immediate decision is needed on whether the alarm indicates a real attack or is a false alarm. In such a circumstance, we do not have much time to conduct a complex analysis, but we have to act on that alarm instantaneously. Many online decisions are complex to analyze and involve a sequence of interrelated decisions that we may not be able to encompass quickly. As a result, the aim of online decision-making is more likely to be a reasonable, good or better solution rather than the best solution. In particular, given the uncertainty in decision-making processes, we may never be able to reach the best solution for either offline or online decision-making processes in many circumstances of network security.
Decision-making is also associated with network management, which is about knowledge: if we know what our network and servers are doing, making decisions could be easier. The primary challenge in the decision-making process is uncertainty. To address this issue of uncertainty, we need to assess risks; risk assessment that utilizes the theory of probability is a fundamental element of decision analysis (Figure 11.2). There is no doubt that risk and uncertainty are important concepts to address for supporting decision-making in many situations. Our goals for decision analysis are the ability to define what may happen in the future and to choose the “best” (or at least a good or better) solution from among alternatives. Under the primary challenge of uncertainty, decision analysis has several tasks, including how to describe and assess risks, how to measure uncertainties, how to model them and how to communicate them. None of these tasks is easy to accomplish, because the tasks themselves cannot be clearly defined. For example, even though we have a general idea of what risk means, if we were asked to measure it, we would find little consensus on the definition. Nevertheless, decision analysis provides a tool for us to find a solution in confusing and uncertain territory. It gives us a technique for finding a robust and better solution from many alternatives. In this chapter, we will introduce some methods of decision analysis, including analyzing uncertainty, statistical control charts and statistical ranking methods, but we will not discuss the decision tree, a classical decision analysis technique. Readers who are interested in obtaining essential decision analysis information (e.g., decision tree) should refer to Raiffa (1968), Hattis & Burmaster (1994), Zheng & Frey (2004), Gelman, Carlin, Stern & Rubin (2004), Aven (2005), and Lindley (2006).

Chapter Preview

Laughter gives us distance. It allows us to step back from an event, deal with it and then move on.

--Bob Newhart

11.1 Introduction

Decision analysis, a derivative of game theory, was introduced by Von Neumann in the early 1920s and was adopted in Economics in the late 1940s (Von Neumann and Morgenstern, 1947). It is a systematic, quantitative approach for assessing the relative value of one or more different decision options based on existing and new information and knowledge. Figure 1 shows a general decision-making process graphically.

Figure 1.

A general decision-making process

Network security involves both offline and online decision-making processes. The offline decision-making process involves fundamental security issues, such as determining the thresholds of classification, selecting sampling methods and sampling sizes for collecting network traffic, and deciding baseline patterns for profiling. Offline decisions usually require more statistical analyses and take more time to reach not just a reasonable, good or better solution, but the “best” solution. The online decision-making process, however, usually requires a quick response, which could make it more difficult to achieve a good solution. For instance, when an alarm emerges, an immediate decision is needed on whether the alarm indicates a real attack or is a false alarm. In such a circumstance, we do not have much time to conduct a complex analysis, but we have to act on that alarm instantaneously. Many online decisions are complex to analyze and involve a sequence of interrelated decisions that we may not be able to encompass quickly. As a result, the aim of online decision-making is more likely to be a reasonable, good or better solution rather than the best solution. In particular, given the uncertainty in decision-making processes, we may never be able to reach the best solution for either offline or online decision-making processes in many circumstances of network security. Decision-making is also associated with network management, which is about knowledge: if we know what our network and servers are doing, making decisions could be easier.

The primary challenge in the decision-making process is uncertainty. To address this issue of uncertainty, we need to assess risks; risk assessment that utilizes the theory of probability is a fundamental element of decision analysis (Figure 2). There is no doubt that risk and uncertainty are important concepts to address for supporting decision-making in many situations. Our goals for decision analysis are the ability to define what may happen in the future and to choose the “best” (or at least a good or better) solution from among alternatives.

Figure 2.

A flowchart of risk assessment

Under the primary challenge of uncertainty, decision analysis has several tasks, including how to describe and assess risks, how to measure uncertainties, how to model them and how to communicate them. None of these tasks is easy to accomplish, because the tasks themselves cannot be clearly defined. For example, even though we have a general idea of what risk means, if we were asked to measure it, we would find little consensus on the definition. Nevertheless, decision analysis provides a tool for us to find a solution in confusing and uncertain territory. It gives us a technique for finding a robust and better solution from many alternatives. In this chapter, we will introduce some methods of decision analysis, including analyzing uncertainty, statistical control charts and statistical ranking methods, but we will not discuss the decision tree, a classical decision analysis technique. Readers who are interested in obtaining essential decision analysis information (e.g., decision tree) should refer to Raiffa (1968), Hattis & Burmaster (1994), Zheng & Frey (2004), Gelman, Carlin, Stern & Rubin (2004), Aven (2005), and Lindley (2006).
