Optimal configuration of intrusion detection systems

Abstract

An important requirement of an intrusion detection system (IDS) is that it be effective and efficient; that is, it should detect a large percentage of intrusions, while still keeping the false alarm rate at an acceptable level. In order to meet this requirement, the model and algorithm used by the IDS need to be calibrated or configured. The optimal configuration depends on several factors. The first factor is the quality profile of the IDS as indicated by its ROC (receiver operating characteristics), curve that relates the detection accuracy and the false alarm rate. The shape of the ROC curve depends on the detection technology used by the IDS. The second factor is the cost structure of the firm using the IDS. The third factor is the strategic behavior of hackers. A hacker’s behavior is influenced by the likelihood that (s)he will be caught, which, in turn, is dependent on the configuration of the IDS. In this article, we present an economic optimization model based on game theory that provides insights into optimal configuration of IDS. We present analytical as well as computational results. Our work extends the growing literature on the economics of information security. The main innovation of our approach is the inclusion of strategic interactions between IDS, firm, and hackers in the determination of optimal configuration and algorithm to do so.

Appendices

Appendix

Proof of Result 2

The firm’s payoff is given by

$$\begin{gathered} F(\rho_{1} ,\rho_{2} ,\psi ) = (P_{F} + \psi \lambda (P_{D} - P_{F} ))\left[ - \right.\rho_{1} c - \eta_{1} (1 - \rho_{1} )d - \eta_{1} \rho_{1} (1 - \phi )d\left. ) \right] + \hfill \\ \;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;(1 - P_{F} - \psi \lambda (P_{D} - P_{F} ))\left[ - \right.\rho_{2} c - \eta_{2} (1 - \rho_{2} )d - \eta_{2} \rho_{2} (1 - \phi )d\left. ) \right] \hfill \\ \end{gathered}$$

(13)

A dishonest user’s payoff is

$$H(\rho_{1} ,\rho_{2} ,\psi ) = \psi \mu - \psi \beta (\rho_{1} P_{D} + \rho_{2} (1 - P_{D} ))$$

(14)

A dishonest user’s optimization condition is

$$\frac{\partial H}{{\partial \psi }} = \mu - \beta (\rho_{1} P_{D} + \rho_{2} (1 - P_{D} )) = 0$$

(15)

The firm’s optimization conditions are

$$\frac{\partial F}{{\partial \rho_{1} }} = P_{D} d\lambda \phi \psi - c(P_{F} + (P_{D} - P_{F} )\lambda \psi ) = 0$$

(16)

$$\frac{\partial F}{{\partial \rho_{2} }} = (1 - P_{D} )d\lambda \phi \psi - c((1 - P_{F} ) - (P_{D} - P_{F} )\lambda \psi ) = 0$$

(17)

There are parameter values for which all three conditions are not to be satisfied simultaneously. Consequently, we need to consider the corner solutions also. We analyze all possible solutions below and derive when each of these solutions occurs.

1. (a)

   \(\psi = 1,\rho_{1} = 0,\rho_{2} = 0\) is an equilibrium iff \(\frac{\partial F}{{\partial \rho_{i} }}\left| {_{\psi \to 1} } \right. < 0\) for i = 1,2 and \(\frac{\partial H}{{\partial \psi }}\left| {_{{\rho_{1} ,\rho_{2} \to 0}} } \right. > 0\). These conditions are satisfied only if (i) \(c > d\phi \frac{{P_{D} \lambda }}{{P_{F} + (P_{D} - P_{F} )\lambda }}\) and (ii) \(c > d\phi \frac{{(1 - P_{D} )\lambda }}{{(1 - P_{F} ) - (P_{D} - P_{F} )\lambda }}\). Since \(\frac{{P_{D} \lambda }}{{P_{F} + (P_{D} - P_{F} )\lambda }}\) is greater than \(\frac{{(1 - P_{D} )\lambda }}{{(1 - P_{F} ) - (P_{D} - P_{F} )\lambda }}\), (i) is enough for these conditions to be satisfied.

2. (b)

   \(\psi = 1,\rho_{1} = 1,\rho_{2} = 1\) is an equilibrium iff \(\frac{\partial F}{{\partial \rho_{i} }}\left| {_{\psi \to 1} } \right. > 0\) for i = 1,2 and \(\frac{\partial H}{{\partial \psi }}\left| {_{{\rho_{1} ,\rho_{2} \to 1}} } \right. > 0\). These conditions are satisfied only if (i) \(c < d\phi \frac{{P_{D} \lambda }}{{P_{F} + (P_{D} - P_{F} )\lambda }}\) and (ii) \(c < d\phi \frac{{(1 - P_{D} )\lambda }}{{(1 - P_{F} ) - (P_{D} - P_{F} )\lambda }}\) and (iii) \(\mu > \beta\). Since \(\frac{{P_{D} \lambda }}{{P_{F} + (P_{D} - P_{F} )\lambda }}\) is greater than \(\frac{{(1 - P_{D} )\lambda }}{{(1 - P_{F} ) - (P_{D} - P_{F} )\lambda }}\), (ii) and (iii) are sufficient for these conditions to be satisfied.

3. (c)

   \(\psi = 1,\rho_{1} = 1,\rho_{2} = 0\) is an equilibrium iff \(\frac{\partial F}{{\partial \rho_{1} }}\left| {_{\psi \to 1} } \right. > 0\) and \(\frac{\partial F}{{\partial \rho_{2} }}\left| {_{\psi \to 1} } \right. < 0\) and \(\frac{\partial H}{{\partial \psi }}\left| {_{{\rho_{1} \to 1,\rho_{2} \to 0}} } \right. > 0\). These conditions are satisfied only if (i) \(c < d\phi \frac{{P_{D} \lambda }}{{P_{F} + (P_{D} - P_{F} )\lambda }}\) and (ii) \(c > d\phi \frac{{(1 - P_{D} )\lambda }}{{(1 - P_{F} ) - (P_{D} - P_{F} )\lambda }}\) and (iii) \(\mu > P_{D} \beta\). Hence (i), (ii) and (iii) are all the necessary conditions for this equilibrium.

   Since ρ₁ and ρ₂ cannot both be less than 1 and ρ₁ ≥ ρ₂ (Result 1) the other possible equilibriums are (0 < ψ < 1, ρ₁ = 1, 0 < ρ₂ < 1) and (0 < ψ < 1, 0 < ρ₁ < 1, ρ₂ = 0).

4. (d)

   If (0 < ψ < 1, ρ₁ = 1, 0 < ρ₂ < 1) is an equilibrium, first order condition for the firm with respect to ρ₂ and first order condition for the user must be satisfied at zero. Equating (15) to zero gives the relationship between ρ₁ and ρ₂ as follows

   $$\frac{\mu }{\beta } = P_{D} (\rho_{1} - \rho_{2} ) + \rho_{2}$$

   (18)

   Plugging the equilibrium value of ρ₁ = 1 into above equation and solving for ρ₂ gives us

   $$\rho_{2} = \frac{\mu }{{\beta (1 - P_{D} )}} - \frac{{P_{D} }}{{1 - P_{D} }}$$

   (19)

   Equating (17) to zero and solving for ψ we get

   $$\psi = \frac{{c(1 - P_{F} )}}{{c(P_{D} - P_{F} )\lambda + (1 - P_{D} )d\lambda \phi }}$$

   (20)

   There are two constraints for this equilibrium to exist. First, equilibrium values found in (19) and (20) must be between zero and one. Second, equilibrium values must make the derivative of the payoff for the firm with respect to ρ₁ positive (since ρ₁ = 1). These constraints yield.

   $$P_{D} < \frac{\mu }{\beta } < 1\;{\text{and}}\;c < d\phi \frac{{(1 - P_{D} )\lambda }}{{(1 - P_{D} )\lambda + (1 - P_{F} )(1 - \lambda )}}$$
5. (e)

   If (0 < ψ < 1, 0 < ρ₁ < 1, ρ₂ = 0) is an equilibrium, first order condition for the firm with respect to ρ₁ and first order condition for the intruder must be satisfied at zero. Equating (15) to zero gives the relationship between ρ₁ and ρ₂ as given in (18). Plugging the equilibrium value of ρ₂ = 0 into Eq (18) and solving for ρ₁ gives us

   $$\rho_{1} = \frac{\mu }{{P_{D} \beta }}$$

   (21)

   Equating (17) to zero and solving for ψ we get

   $$\psi = \frac{{cP_{F} }}{{P_{D} d\lambda \phi - c(P_{D} - P_{F} )\lambda }}$$

   (22)

   There are also two constraints for this equilibrium. First, equilibrium values found in (21) and (22) must be between zero and one. Second, equilibrium values must make the derivative of the payoff for the firm with respect to ρ₂ negative (since ρ₂ = 0). These constraints yield.

   \(0 < \frac{\mu }{\beta } < P_{D}\) and \(c < d\phi \frac{{P_{D} \lambda }}{{P_{D} \lambda + P_{F} (1 - \lambda )}}\).