We consider a large-scale cyber network with N components (e.g., paths,
servers, subnets). Each component is either in a healthy state (0) or an
abnormal state (1). Due to random intrusions, the state of each component
transits from 0 to 1 over time according to certain stochastic process. At each
time, a subset of K (K < N) components are checked and those observed in
abnormal states are fixed. The objective is to design the optimal scheduling
for intrusion detection such that the long-term network cost incurred by all
abnormal components is minimized. We formulate the problem as a special class
of Restless Multi-Armed Bandit (RMAB) process. A general RMAB suffers from the
curse of dimensionality (PSPACE-hard) and numerical methods are often
inapplicable. We show that, for this class of RMAB, Whittle index exists and
can be obtained in closed form, leading to a low-complexity implementation of
Whittle index policy with a strong performance. For homogeneous components,
Whittle index policy is shown to have a simple structure that does not require
any prior knowledge on the intrusion processes. Based on this structure,
Whittle index policy is further shown to be optimal over a finite time horizon
with an arbitrary length. Beyond intrusion detection, these results also find
applications in queuing networks with finite-size buffers.Comment: 9 pages, 5 figure
