Abstract

In this chapter, we propose and analyze a cohesive minimax detection (MAD) mechanism for modern computing systems, e.g., a computer or a network of computers. MAD monitors system-level activities across the entire system in order to assess them together. It evaluates system-level activities at two orthogonal directions, in terms of their likeliness (similar to anomaly detection) and riskiness (similar to signature-based detection). It also provides analytical guarantees for minimax performance, i.e., minimizes the system’s detection cost that is maximized by an adversary, called MAX, seeking to intervene into the system. To this end, we model the interaction between MAD and MAX by a zero-sum game. A major challenge, however, is the comprehensive assessment of activities across the entire system, which corresponds to a game at an enormous size. To address this challenge, we model MAD as evaluating the system’s activities within a hierarchical tree. This enables us to decompose the game into a nested structure and therefore we can compute minimax detection strategies via a dynamic program similar to backward induction in extensive form games.