SBE: Small: An optimization framework for prioritizing cyber-security mitigations for securing information technology infrastructure

Project Details

Lead PI

Performance Period

Sep 01, 2014 - Aug 31, 2018


University of Wisconsin-Madison

Award Number

Our nation's information technology (IT) infrastructure is exposed to numerous security risks, including vulnerabilities introduced through the IT supply chain. This research addresses the cyber-security risks and vulnerabilities that exist in the Federal IT infrastructure. It will provide new insights for prioritizing and deploying IT security mitigations in a budget-constrained environment, and it will develop tools for Federal decision-makers and other large organizations that make IT security investments. These tools select, from a large set of candidate mitigations, the cost-effective combination that reduces threats and secures IT infrastructure.

The research will introduce new models that capture the key facets of prioritizing IT security mitigations. The optimization models are formulated as mixed integer linear programs, robust optimization models, and bi-level interdiction programs. They capture adversarial attack paths, overlapping coverage among security mitigations, tradeoffs between multiple criteria, robustness to data uncertainty, and the impact of adaptive adversaries. Models with adaptive adversaries are a major focus, so the models span a range of adversarial strategic sophistication, from an attacker who does not react to the chosen mitigations to one who picks the best remaining attack path. The methodological contributions include an analysis of the model features, performance guarantees for the proposed approximation algorithms, new valid inequalities that improve the solvability of the models, and new techniques for obtaining solutions that are robust to uncertainty in the functions used in a model. The overall goal is to protect Federal IT infrastructure by identifying the right mix of security mitigations that is effective with respect to cost, threat reduction, and consequence mitigation.
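The following is an added illustration of the model structure described above; it is not the project's own model, code or data. It sets up a toy bi-level interdiction problem: the defender (upper level) chooses a set of mitigations whose total cost fits a budget, and the adversary (lower level) then takes the highest-loss attack path that remains open. A path is closed once any one of its steps is covered by a chosen mitigation, which is how overlapping mitigation coverage enters the model. A second objective models a non-adaptive adversary who attempts every open path, so the two solutions show how the assumed adversary sophistication changes the chosen portfolio. The attack paths, mitigation names, costs and losses are all constructed for this example, and the instance is solved by exhaustive enumeration rather than by the MILP or bi-level solvers the research targets.

```python
"""Toy bi-level interdiction model for prioritizing security mitigations.

Added illustration, not the project's own model, code or data. The defender
picks budget-feasible mitigations; an adaptive adversary then takes the worst
open attack path. Solved by enumerating every subset, which is fine for a
handful of mitigations and hopeless at the scale the research addresses.
"""
from itertools import combinations

# Constructed sample instance (hypothetical). Each attack path is the set of
# steps the adversary must complete and the loss suffered if it succeeds.
ATTACK_PATHS = {
    "phish->creds->db":        ({"phish", "creds", "db"}, 100),
    "usb->endpoint->exfil":    ({"usb", "endpoint", "exfil"}, 40),
    "supplier->update->exfil": ({"supplier", "update", "exfil"}, 40),
    "guest_wifi->printer":     ({"guest_wifi", "printer"}, 40),
    "vpn_cve->lateral->share": ({"vpn_cve", "lateral", "share"}, 40),
}

# Mitigations: (cost, attack steps it blocks). Coverage overlaps on purpose:
# "mfa" and "db_harden" both close the 100-loss path, and "dlp" and
# "usb_policy" both close the USB path.
MITIGATIONS = {
    "db_harden":    (50, {"db"}),
    "mfa":          (45, {"creds", "lateral"}),
    "dlp":          (20, {"exfil"}),
    "usb_policy":   (10, {"usb"}),
    "wifi_segment": (15, {"guest_wifi"}),
    "patch_vpn":    (15, {"vpn_cve"}),
}


def cost(chosen):
    """Total cost of a collection of mitigation names."""
    return sum(MITIGATIONS[m][0] for m in chosen)


def open_paths(chosen):
    """Paths the adversary can still complete: none of their steps is covered."""
    covered = set().union(*(MITIGATIONS[m][1] for m in chosen))
    return {p: loss for p, (steps, loss) in ATTACK_PATHS.items()
            if not (steps & covered)}


def adaptive_loss(chosen):
    """Lower-level problem: an adaptive adversary picks the worst open path."""
    return max(open_paths(chosen).values(), default=0)


def static_loss(chosen):
    """Non-adaptive adversary: every open path is attempted and losses add up."""
    return sum(open_paths(chosen).values())


def optimize(budget, objective):
    """Upper-level problem: minimize `objective` over budget-feasible sets.

    Returns (objective value, cost, chosen set). Ties are broken by lower
    cost and then by name order so the answer is deterministic.
    """
    if budget < 0:
        raise ValueError("budget must be non-negative")
    names = sorted(MITIGATIONS)
    best = None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            if cost(subset) > budget:
                continue  # infeasible under the budget constraint
            key = (objective(subset), cost(subset), subset)
            if best is None or key < best:
                best = key
    value, spent, chosen = best
    return value, spent, set(chosen)


if __name__ == "__main__":
    for label, obj in (("adaptive (min-max)", adaptive_loss),
                       ("static (min-sum)", static_loss)):
        value, spent, chosen = optimize(50, obj)
        print(f"{label}: residual loss {value}, cost {spent}, "
              f"chosen {sorted(chosen)}, still open {open_paths(chosen)}")
```

With a budget of 50 the two adversary models disagree: the min-sum objective spends the whole budget closing the four 40-loss paths and leaves the 100-loss path open, while the min-max objective closes the 100-loss path with `mfa` for 45 and accepts a worst case of 40. The min-max solution also shows the overlap handling, since `mfa` is preferred over `db_harden` on the same path purely because it is cheaper and additionally covers the lateral-movement step.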