A cost-based analysis of intrusion detection system configuration under active or passive response

Authors:
Wei T. Yue;Metin Çakanyıldırım
Affiliations:
Department of Information Systems, City University of Hong Kong, Tat Chee Avenue, Kowloon Tong, Hong Kong;School of Management, University of Texas at Dallas, P. O. Box830688, Richardson, TX 75083-0688, United States
Venue:
Decision Support Systems
Year:
2010

Citing 16
Cited 2

The base-rate fallacy and the difficulty of intrusion detection

ACM Transactions on Information and System Security (TISSEC)
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A framework for constructing features and models for intrusion detection systems

ACM Transactions on Information and System Security (TISSEC)
Simple, state-based approaches to program-based anomaly detection

ACM Transactions on Information and System Security (TISSEC)
Toward cost-sensitive modeling for intrusion detection and response

Journal of Computer Security
Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection

IEEE Transactions on Computers
Honeypots for Distributed Denial of Service Attacks

WETICE '02 Proceedings of the 11th IEEE International Workshops on Enabling Technologies: nfrastructure for Collaborative Enterprises
Evaluating the Impact of Automated Intrusion Response Mechanisms

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Intrusion Detection with Snort

Intrusion Detection with Snort
Intrusion damage control and assessment: a taxonomy and implementation of automated responses to intrusive behavior

Intrusion damage control and assessment: a taxonomy and implementation of automated responses to intrusive behavior
A Decision Analysis Method for Evaluating Computer Intrusion Detection Systems

Decision Analysis
Intrusion Detection

Intrusion Detection
Introduction to Data Mining, (First Edition)

Introduction to Data Mining, (First Edition)
Configuration of Detection Software: A Comparison of Decision and Game Theory Approaches

Decision Analysis
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
SP 800-30. Risk Management Guide for Information Technology Systems

SP 800-30. Risk Management Guide for Information Technology Systems

Review: An intrusion detection and prevention system in cloud computing: A systematic review

Journal of Network and Computer Applications
A decision methodology for managing operational efficiency and information disclosure risk in healthcare processes

Decision Support Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper studies the joint decisions of IDS configuration and alarm investigation capacity under active and passive responses. In active response, alarm events are blocked immediately, whereas alarm events are allowed to access the information assets in the passive response. Despite facilitating information flow, passive response exposes the assets to attacks while the security analysts investigate the alarms. On the other hand, active response may unnecessarily delay the benign traffic since alarm events are blocked. We find closed-form formulas for the optimal investigation capacity and show the optimal configuration under active response is smaller than under passive response. We also provide expressions that can be used to evaluate security costs and benefits under various configurations, capacities and responses. Numerical studies are done to illustrate the sensitivity of the optimal decisions.