This paper studies the joint decisions of IDS configuration and alarm investigation capacity under active and passive responses. Under active response, alarm events are blocked immediately, whereas under passive response alarm events are allowed to access the information assets. Despite facilitating information flow, passive response exposes the assets to attacks while the security analysts investigate the alarms. On the other hand, active response may unnecessarily delay benign traffic, since alarm events are blocked. We find closed-form formulas for the optimal investigation capacity and show that the optimal configuration under active response is smaller than under passive response. We also provide expressions that can be used to evaluate security costs and benefits under various configurations, capacities and responses. Numerical studies illustrate the sensitivity of the optimal decisions.