Testing and evaluating computer intrusion detection systems
Communications of the ACM
The base-rate fallacy and the difficulty of intrusion detection
ACM Transactions on Information and System Security (TISSEC)
Practical Intrusion Detection Handbook
Practical Intrusion Detection Handbook
Fighting Computer Crime
Toward cost-sensitive modeling for intrusion detection and response
Journal of Computer Security
Experience with EMERALD to Date
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Why Information Security is Hard-An Economic Perspective
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Evaluation of Intrusion Detectors: A Decision Theory Approach
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
On the trail of intrusions into information systems
IEEE Spectrum
Cooperation modeling for intrusion detection system based on multi-SoftMan
ASID'09 Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication
Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning
ACM Transactions on Information and System Security (TISSEC)
A novel approach to evaluate software vulnerability prioritization
Journal of Systems and Software
| Hi-index | 0.00 |
An intrusion detection system plays an important role in a firm's overall security protection. Its main purpose is to identify potentially intrusive events and alert the security personnel to the danger. A typical intrusion detection system, however, is known to be imperfect in detection of intrusive events, resulting in high false-alarm rates. Nevertheless, current intrusion detection models unreasonably assume that upon alerts raised by a system, an information security officer responds to all alarms without any delay and avoids damages of hostile activities. This assumption of responding to all alarms with no time lag is often impracticable. As a result, the benefit of an intrusion detection system can be overestimated by current intrusion detection models. In this article, we extend previous models by including an information security officer's alarm inspection under a constraint as a part of the process in determining the optimal intrusion detection policy. Given a potentially hostile environment for a firm, in which the intrusion rates and costs associated with intrusion and security officers' inspection can be estimated, we outline a framework to establish the optimal operating points for intrusion detection systems under security officers' inspection constraint. The optimal solution to the model will provide not only a basis of better evaluation of intrusion detection systems but also useful insights into operations of intrusion detection systems. The firm can estimate expected benefits for running intrusion detection systems and establish a basis for increase in security personnel to relax security officers' inspection constraint.