Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


Electrical and Computer Engineering

Committee Chair

Seong-Moo Yoo

Committee Member

Jatinder N.D. Gupta

Committee Member

David W. Pan

Committee Member

David J. Coe

Committee Member

Thomas C. Jannett


Computer crimes., Forensic sciences., Computer security., Data protection.


The Internet is a source of information, communication and entertainment, which makes it impossible for us to imagine a world without being connected. However, there has been a tremendous growth of crimes targeting any form of digital medium. The main objective of this dissertation is to develop and empirically evaluate computational optimization models for investigating digital crime and computer/network intrusion. The first research problem considered in this dissertation relates to the Crime Scene Investigation (CSI) in digital forensics. First, a mixed integer linear programming (MILP) model is proposed to allocate optimal investigation times for evidence, thereby maximizing the overall effectiveness of a forensic investigation procedure. Second, since the proposed general problems are NP-hard, two heuristic algorithms for the sequential digital forensic model with a single investigator and one heuristic algorithm for the sequential digital forensic model with multiple investigators are proposed and empirically evaluated to solve the described general problems. The second research problem addressed in this dissertation involves the investigation of alarms generated by an Intrusion Detection System (IDS) with limited resources. One of the significant challenges presented by IDSs is how network managers prioritize and commit resources to investigating IDS notifications (alarms) of potential threats to the network. In this dissertation, the passive IDS alarm investigation problem is modeled using MILP. More specifically, the model focuses on minimizing the total expected cost incurred by a firm in investigating IDS alarms by assisting a security administrator in making an optimal decision with which to choose: the alarms that need to be investigated and the sequence in which they should be investigated. To simplify the presentation, the case involving a single investigator is considered, even though the analysis can be extended to cover multiple investigators. In view of the NP-hard nature of the problem, a greedy heuristic algorithm is proposed and empirically evaluated to solve the described general problem.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.