Abstract
An intrusion detection system plays an important role in a firm's overall security protection. Its main purpose is to identify potentially intrusive events and alert security personnel to the danger. A typical intrusion detection system, however, is known to be imperfect in detecting intrusive events, resulting in high false-alarm rates. Moreover, current intrusion detection models unreasonably assume that, upon alerts raised by a system, an information security officer responds to all alarms without delay and prevents the damage of hostile activities. This assumption of responding to all alarms with no time lag is often impracticable. As a result, the benefit of an intrusion detection system can be overestimated by current intrusion detection models. In this article, we extend previous models by including an information security officer's alarm inspection under a constraint as part of the process of determining the optimal intrusion detection policy. Given a potentially hostile environment for a firm, in which the intrusion rates and the costs associated with intrusion and with security officers' inspection can be estimated, we outline a framework to establish the optimal operating points for intrusion detection systems under the security officers' inspection constraint. The optimal solution to the model provides not only a basis for better evaluation of intrusion detection systems but also useful insights into their operation. The firm can estimate the expected benefits of running intrusion detection systems and establish a basis for increasing security personnel to relax the security officers' inspection constraint.
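The following is an added illustration, not the paper's own model, of the decision the abstract describes: picking an IDS operating point on a ROC curve when the security officer can inspect only a bounded number of alarms per period. The ROC points, event volume, base rate, costs and the assumption that alarms beyond capacity go unattended (so intrusions hidden in them are effectively missed) are all constructed here.

```python
"""Operating-point selection under an alarm-inspection constraint.
Constructed example; every number is an assumption, not data from the paper."""

# Constructed ROC operating points as (false-positive rate, true-positive rate).
ROC = [(0.00, 0.00), (0.01, 0.50), (0.05, 0.80), (0.10, 0.90), (0.20, 0.95), (1.00, 1.00)]


def expected_cost(fpr, tpr, events, base_rate, c_miss, c_inspect, capacity=None):
    """Expected cost per period for one operating point.

    events     - monitored events per period
    base_rate  - fraction of events that are intrusions
    c_miss     - damage from an intrusion that is never inspected
    c_inspect  - cost of inspecting one alarm
    capacity   - max alarms the officer can inspect; None reproduces the
                 classic assumption that every alarm is handled immediately
    """
    alarms = events * (base_rate * tpr + (1 - base_rate) * fpr)
    if capacity is None or alarms <= capacity:
        inspected_fraction = 1.0
    else:
        # Assumption: overflow alarms are unattended, so an intrusion in the
        # alarm queue is only caught with probability capacity / alarms.
        inspected_fraction = capacity / alarms
    intrusions = events * base_rate
    missed = intrusions * (1 - tpr * inspected_fraction)
    inspected = alarms * inspected_fraction
    return missed * c_miss + inspected * c_inspect


def optimal_point(events, base_rate, c_miss, c_inspect, capacity=None, roc=ROC):
    """Return ((fpr, tpr), cost) minimising expected cost over the ROC points."""
    return min(((pt, expected_cost(*pt, events, base_rate, c_miss, c_inspect, capacity))
                for pt in roc), key=lambda item: item[1])


def value_of_extra_capacity(events, base_rate, c_miss, c_inspect, capacity, extra):
    """Per-period cost reduction from relaxing the inspection constraint by `extra`."""
    before = optimal_point(events, base_rate, c_miss, c_inspect, capacity)[1]
    after = optimal_point(events, base_rate, c_miss, c_inspect, capacity + extra)[1]
    return before - after


if __name__ == "__main__":
    args = (10_000, 0.001, 5_000.0, 20.0)  # constructed: 10 intrusions/day among 10k events
    print("classic model (all alarms inspected):", optimal_point(*args))
    print("officer limited to 100 alarms/day:   ", optimal_point(*args, capacity=100))
    print("daily saving from +100 inspections:  ", value_of_extra_capacity(*args, 100, 100))
```

With these constructed numbers the classic model favours a looser threshold than the constrained one, and the last function prices the relaxation of the constraint that the abstract mentions as a basis for adding security personnel.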
Evaluation of Intrusion Detection Systems Under a Resource Constraint