Michael Bloem

Intrusion Response as a Resource Allocation Problem

We study intrusion response in access control systems as a resource allocation problem, and address it within a decision and control framework. By modeling the interaction between malicious attacker(s) and the intrusion detection system (IDS) as a noncooperative non-zero sum game, we develop an algorithm for optimal allocation of the system administrators time available for responding to attacks, which is treated as a scarce resource. This algorithm, referred to as the automatic or administrator response (AOAR) algorithm, applies neural network and LP optimization tools. Finally, we implement an IDS prototype in MATLAB based on a game theoretical framework, and demonstrate its operation under various scenarios with and without the AOAR algorithm. Our approach and the theory developed are general and can be applied to a variety of IDSs and computer networks

Optimally and equitably distributing delays with the aggregate flow model

The aggregate flow model is used to determine how to distribute predeparture delays among air traffic control centers and across time to optimally satisfy constraints on airspace capacity and departure rates. To do so, a quadratic cost on cumulative departure delays is introduced, resulting in an optimization problem that can be quickly solved using convex optimization tools. Simulations using the model demonstrate the behavior of the national airspace system (NAS) when implementing optimal departure delays for a particular constraint scenario. These results show that capacity-constrained air traffic control Centers suffer the highest delays. Three approaches for increasing the equity of the distribution of delays across the NAS are investigated. The first involves setting an upper bound on the Gini coefficient, a quasi-convex measure of inequality. Another is to make delays in some centers more costly than in others. The last approach is to put an upper bound on the delay per departure for each center. Simulation results demonstrate that bounding delay per departure effectively reduces the delays for the constrained center. Enforcing an upper bound on the Gini coefficient and increasing the weight on delays in some centers may impose large delays on other centers when reducing the delays in the constrained center.

Malware Filtering for Network Security Using Weighted Optimality Measures

We study the deployment and configuration of the next generation of network traffic filters within a quantitative framework. Graph-theoretic and optimization methods are utilized to find optimal network traffic filtering strategies that achieve various security or cost objectives subject to hardware or security level constraints. We rely on graph-theoretic concepts such as centrality measures to assess the importance of individual routers within the network, given a traffic pattern. In addition, we consider several possible objectives involving financial costs associated with traffic filtering, the cost of failing to filter traffic, a utility associated with filtering traffic, and combinations of these costs and this utility. These optimization problems are solved taking into account constraints on network-wide filtering capabilities, individual filter capabilities, and also lower and upper bounds on the effective sampling rate for source-destination pairs. Centralized but dynamic solutions of the resulting problems are obtained under varying network traffic flows. The resulting optimal filtering strategies are simulated in MATLAB using real traffic data obtained from the Abilene project. Simulations comparing these strategies with some heuristic approaches demonstrate that they are more effective in achieving network traffic filtering objectives.

An optimal control approach to malware filtering

We study and develop an optimal control theoretic approach to malware filtering in the context of network security. We investigate the malware filtering problem by capturing the tradeoff between increased security on one hand and continued usability of the network on the other. We analyze the problem using a linear control system model with a quadratic cost structure and develop algorithms based on Hinfin-optimal control theory. A dynamic feedback filter is derived and shown to be an improvement over various heuristic approaches to malware filtering via numerical analysis. The results obtained are verified and demonstrated with packet level simulations on the Ns-2 network simulator.

Air Traffic Control Area Configuration Advisories from Near-Optimal Distinct Paths

Area of specialization supervisors dynamically configure available air traffic control resources so that air traffic can operate safely and efficiently. It is proposed to assist supervisors with this process by presenting them with a set of near-optimal and meaningfully different configuration advisories. To find such a set of advisories, a problem is defined that is equivalent to finding optimal and other near-optimal and distinct paths in a time-expanded graph. It is shown that this problem is nondeterministic polynomial-time hard, and then four algorithms are motivated and specified. One is a benchmark that solves the problem to optimality, one is a novel heuristic based on value iteration, and a third is a novel heuristic based on the A* algorithm. The fourth algorithm solves to optimality the lowest-cost paths problem relaxation of the problem. When used to solve realistic problem instances, the lowest-cost paths algorithm rarely returned feasible solutions and the optimal algorithm required excessiv...

An Approach for Finding Multiple Area of Specialization Configuration Advisories

Area of specialization supervisors dynamically configure a set of air traffic control resources so that air traffic in the area can operate safely and effi ciently. These resources include airspace sectors, air traffic control positions staffed by controllers, and physical air traffic control equipment. In this paper, we motivate and demonstrate an approach for finding multiple advisories that can assist area supervisors as they accomplish this task. The first motivating factor is that a preference for multiple good and also distinct advisories has been documented in similar contexts, including some air traffic management problems. The second factor that motivates our approach is that the model, problem statement, and algorithm used to generate a single advisory are incomplete and do not perfectly represent reality. The third factor, which we speculate is primarily a result of the second factor, is that area supervisors have indicated a preference for multiple (usually two or three) advisories over a single advisory. Area supervisors have further indicated that each proposed advisory should be different from the other proposed advisories. We investigate the set of advisories that perform best according to a particular objective function for some realistic problem instances. The best few advisories are typically not meaningfully different and therefore should not be presented together to supervisors, and this is the fourth and final factor that motivates our approach. Based on these motivating factors, we define a problem statement which requests multiple good advisories that are all sufficiently different from each other. We briefly describe a heuristic algorithm that was developed for this problem. To more concretely illustrate and motivate the proposed approach, we present the advisories provided by this algorithm for a sample problem instance. We also demonstrate that the proposed heuristic can find feasible second advisories for as many realistic problem instances (15 of 18) as a nearly-exhaustive search. When executed on a desktop workstation computer, the proposed heuristic returns advisories for these realistic problem instances in less than one second per problem instance.

Robust airspace design methods for uncertain traffic and weather

We present a robust optimization framework for performing Dynamic Airspace Configuration (DAC) integrated with Traffic Flow Management (TFM) under weather uncertainties. We extend the existing cell-based Mixed Integer Programming (MIP) model along with the GeoSect sectorization method to incorporate probabilistic weather predictions in airspace sectorization. An ensemble generation method is devised to take a probabilistic weather forecast and generate weather ensembles. The weather ensembles are then fed into a TFM agent developed to compute weather avoidance 4D trajectories (4DT) and to create traffic ensembles. Robust sectorization algorithms use traffic and weather ensembles to produce robust sector boundaries that are feasible and close to optimal for each of the traffic ensembles. Several experiments are presented for testing the degree of robustness of generated sectors across different traffic ensembles.

Approximating the likelihood of historical airline actions to evaluate airline delay cost functions

Delay cost functions that quantify the cost of delay to airlines are essential to air traffic management research. Seventeen delay cost functions from previous research are evaluated with airline actions in Airspace Flow Programs. Airlines are assumed to solve a minimum cost perfect matching problem when matching flights to slots. Unobserved aspects of airline costs are accounted for by adding a noise term to the cost functions. The goal of this research is to find the cost function and corresponding noise parameters that maximize the likelihood of airline actions during 32 Airspace Flow Programs in the summer of 2006. A heuristic is developed that finds cost noise parameters that maximize an approximation of the log-likelihood of the airline actions. When applied to sample estimation problem instances generated by solving linear programming problems with known noise parameters, the heuristic can more accurately estimate noise parameters than a simple simulation-based approach. Validation efforts based on synthetic airline action data generated with known delay cost functions and noise parameters demonstrate that the heuristic is in many cases able to correctly identify as most likely the delay cost function that was in fact used to generate the synthetic data. However, the heuristic also under-estimates the magnitude of the cost noise variance on these estimation problem instances. Delay costs that are proportional to the length of delay, but with larger proportionality constants for flights bound for hub airports, maximize the approximation of the log-likelihood of the historical airline actions. The estimated standard deviations of the cost noise, expressed as a fraction of the average assignment cost for the historical matchings, ranged from 0.1 to 0.7 for cost functions that achieved relatively large approximate log-likelihoods.

Coordinated tactical air traffic and airspace management

Air traffic management and airspace management reduce air traffic congestion to maintain safety. Managing traffic induces costs on airspace users and managing airspace causes additional work for air traffic controllers. This paper proposes and simulates algorithms for tactically reducing airspace congestion with coordinated air traffic and airspace management. A modified version of the Projective Cone Scheduling algorithm performs tactical air traffic management. An algorithm based on approximate dynamic programming accomplishes tactical airspace management. Three types of coordination between these air traffic and airspace management algorithms are investigated. Monte Carlo simulations of a simple problem instance involving severe congestion indicate that increased coordination between air traffic and airspace management can lead to lower costs with no increase in algorithm computation time.