A decision engine for configuration of proactive defenses— challenges and concepts

Selecting appropriate cyber defense mechanisms for an enterprise network and correctly configuring them is a challenging problem. Identifying the set of defenses and their configurations in a way that maximizes security without exhausting system resources or causing unintended interference (a situation known as cyber friendly-fire) is a multi-criteria decision problem, which is difficult for humans to solve effectively and efficiently. Proactive defenses are especially difficult to configure due to their temporal nature. This paper describes the challenges and solution concepts for a decision engine that (1) intelligently searches for optimal cyber defense configurations in a way that leads to continuously improving solutions; (2) uses compute clusters to scale computation to realistic enterprise-level networks; and (3) presents meaningful choices to operators and incorporates their feedback to improve the suggested solutions.