Title
A cost-based analysis of intrusion detection system configuration under active or passive response
Abstract
This paper studies the joint decisions of IDS configuration and alarm investigation capacity under active and passive responses. In active response, alarm events are blocked immediately, whereas alarm events are allowed to access the information assets in the passive response. Despite facilitating information flow, passive response exposes the assets to attacks while the security analysts investigate the alarms. On the other hand, active response may unnecessarily delay the benign traffic since alarm events are blocked. We find closed-form formulas for the optimal investigation capacity and show the optimal configuration under active response is smaller than under passive response. We also provide expressions that can be used to evaluate security costs and benefits under various configurations, capacities and responses. Numerical studies are done to illustrate the sensitivity of the optimal decisions.
Year: 2010
DOI: 10.1016/j.dss.2010.06.001
Venue: Decision Support Systems
Keywords: intrusion response, active response, intrusion detection system configuration, alarm investigation capacity, information flow, passive response, ids configuration, optimal configuration, investigation capacity, optimal decision, cost-based analysis, alarm event, optimal investigation capacity, information security, information asset, costs and benefits, intrusion detection system
Field: Data mining, Information flow (information theory), Optimal decision, Expression (mathematics), Asset (computer security), Computer science, Computer security, ALARM, Information access, Information security, Real-time computing, Intrusion detection system
DocType: Journal
Volume: 50
Issue: 1
ISSN: Decision Support Systems
Citations: 6
PageRank: 0.40
References: 12
Authors: 2

Name | Order | Citations | PageRank
Wei T. Yue | 1 | 113 | 12.11
Metin Çakanyildirim | 2 | 150 | 12.59