A Decision Analysis Method for Evaluating Computer Intrusion Detection Systems

Authors:
Jacob W. Ulvila;John E. Gaffney
Affiliations:
-;-
Venue:
Decision Analysis
Year:
2004

Citing 0
Cited 14

Configuration of Detection Software: A Comparison of Decision and Game Theory Approaches

Decision Analysis
Autonomous decision on intrusion detection with trained BDI agents

Computer Communications
Evaluation of Intrusion Detection Systems Under a Resource Constraint

ACM Transactions on Information and System Security (TISSEC)
Intrusion Prevention in Information Systems: Reactive and Proactive Responses

Journal of Management Information Systems
Maintaining Diagnostic Knowledge-Based Systems: A Control-Theoretic Approach

Management Science
Investments in Information Security: A Real Options Perspective with Bayesian Postaudit

Journal of Management Information Systems
Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

Information Systems Research
An Analysis of the Impact of Passenger Profiling for Transportation Security

Operations Research
A cost-based analysis of intrusion detection system configuration under active or passive response

Decision Support Systems
When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination

Information Systems Research
Effectiveness evaluation of data mining based IDS

ICDM'06 Proceedings of the 6th Industrial Conference on Data Mining conference on Advances in Data Mining: applications in Medicine, Web Mining, Marketing, Image and Signal Mining
From the Editors: Probability Approximations, Anti-Terrorism Strategy, and Bull's-Eye Display for Performance Feedback

Decision Analysis
Passenger Profiling and Screening for Aviation Security in the Presence of Strategic Attackers

Decision Analysis
IT security auditing: A performance evaluation decision model

Decision Support Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents a decision analysis method for evaluating computer intrusion detection systems. The method integrates and extends receiver operating characteristic (ROC) and cost analysis methods to provide an expected cost metric. We demonstrate that both the ROC analysis and cost analysis methods are incomplete. Furthermore, we demonstrate how a decision tree can combine and extend the ROC and cost analysis methods to provide an expected cost metric that reflects the intrusion detection system's ROC curve, costs, and assessments of the hostility of the environment as summarized by the prior probability of intrusion. We further demonstrate how this method can be used to decide the optimal operating point on an intrusion detector's ROC curve, choose the best intrusion detection system, compare the value of one intrusion detection system with another's, determine the value of an intrusion detector over no detector, and determine how to adjust the operation of an intrusion detector to respond to changes in its environment. General results are given and the method is illustrated in several numerical examples that involve both hypothetical and real intrusion detection systems. We demonstrate that, contrary to common advice, the value of an intrusion detection system depends not only on its ROC curve, but also on various costs (such as those associated with making incorrect decisions about detection) and the hostility of the operating environment. Conclusions are drawn about the design and evaluation of intrusion detection systems and the role for decision analysis in that design and evaluation.