Abstract
An important requirement of an intrusion detection system (IDS) is that it be effective and efficient; that is, it should detect a large percentage of intrusions while keeping the false alarm rate at an acceptable level. To meet this requirement, the model and algorithm used by the IDS need to be calibrated or configured. The optimal configuration depends on several factors. The first is the quality profile of the IDS, as described by its ROC (receiver operating characteristic) curve, which relates the detection rate to the false alarm rate; the shape of the ROC curve depends on the detection technology the IDS uses. The second is the cost structure of the firm using the IDS. The third is the strategic behavior of hackers: a hacker's behavior is influenced by the likelihood of being caught, which in turn depends on the configuration of the IDS. In this article, we present an economic optimization model based on game theory that provides insights into the optimal configuration of an IDS. We present analytical as well as computational results. Our work extends the growing literature on the economics of information security. The main innovation of our approach is the inclusion of the strategic interactions between the IDS, the firm, and hackers in determining the optimal configuration, together with an algorithm for doing so.
Notes
Axelsson [8] measures performance on the effectiveness dimension. An IDS is effective if it detects a substantial percentage of intrusions while still keeping the false alarm rate at an acceptable level.
The game-theoretic aspect of IT security was first noted by Jajodia and Millen [25, p. 85], “Computer security is a kind of game between two parties, the designer of a secure system, and a potential attacker.” Gordon and Loeb [19] also highlight these aspects. Bashir, Serafini, and Wall [9, p. 30] refer to this as the “cat-and-mouse game” between the hacker and the firm. An excellent demonstration of how firms and hackers play the game can also be found at http://www.msnbc.com/modules/hack_attack/hack.swf.
For example, Sriram [55] discusses how to choose a threshold value to detect attacks by computer viruses in Novell BorderManager.
Configuration management tools are much broader in scope than the configuration task we consider in this paper. They support related tasks such as version control support and configuration process management support.
We assume to be exogenous in our model. Theoretically, can be controlled. For example, can be reduced by using firewalls to limit entry by outsiders, and by hiring ethical employees to limit the proportion of insider hackers.
We consider passive IDSs. Passive IDSs only raise signals and take no action on their own. By contrast, active IDSs take actions such as logging off the user once they judge a transaction to be illegitimate. An active IDS can be modeled very easily in our framework with minor changes.
We can extend the model easily to the case when manual investigation is not 100% effective. The results will not change qualitatively.
References
Abraham A, Thomas J (2006) Distributed intrusion detection systems: a computational intelligence approach. In: Applications of information systems to homeland security and defense, pp 107–137
Adamu TD, Rao VS (2014) A cost sensitive machine learning approach for intrusion detection. Glob J Comput Sci Technol
Aljawarneh S, Aldwairi M, Yassein MB (2018) Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J Comput Sci 25:152–160
Allen J, Christie A, Fithen W, McHugh J, Pickel J (2000) State of the practice of intrusion detection technologies. Technical Report CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Anderson JP (1980) Computer security threat monitoring and surveillance. Technical Report 79F26400, James P. Anderson Co, Fort Washington, PA
Axelsson S (1998) Research in intrusion detection systems: a survey. Technical Report 98-17, Dept of Computer Engineering, Chalmers University, Goteborg, Sweden
Axelsson S (2000a) Intrusion detection systems: a taxonomy and survey. Technical Report 99-15, Dept of Computer Engineering, Chalmers University, Goteborg, Sweden
Axelsson S (2000b) The base-rate fallacy and the difficulty of intrusion detection. ACM Trans Inf Syst Secur 3(3):186–205
Bashir I, Serafini E, Wall K (2001) Securing network software applications: introduction. Commun ACM 44(2):29–30
Cavusoglu H, Mishra B, Raghunathan S (2004) A model for evaluating IT security investments. Commun ACM 47(7):87–92
Cepheli Ö, Büyükçorak S, Karabulut Kurt G (2016) Hybrid intrusion detection system for DDoS attacks. J Electr Comput Eng 2016:1
CERT (Computer Emergency Response Team) Coordination Center (2001) Security for information technology service contracts. CERT Security Improvement Modules
D'haeseleer P, Forrest S, Helman P (1996) An immunological approach to change detection: algorithms, analysis, and implications. In: Proceedings of the 1996 IEEE symposium on security and privacy
Durst R, Champion T, Witten B, Miller E, Spagnuolo L (1999) Testing and evaluating computer intrusion detection systems. Commun ACM 42(7):53–61
Estevez-Tapiador JM, Garcia-Teodoro P, Diaz-Verdejo JE (2004) Anomaly detection methods in wired networks: a survey and taxonomy. Comput Commun 27(16):1569–1584
Garcia-Teodoro P, Diaz-Verdejo J, Maciá-Fernández G, Vázquez E (2009) Anomaly-based network intrusion detection: techniques, systems and challenges. Comput Secur 28(1–2):18–28
Garvey TD, Lunt TF (1991) Model-based intrusion detection. In: Proceedings of the 14th national computer security conference
Ghali NI (2009) Feature selection for effective anomaly-based intrusion detection. Int J Comput Sci Netw Secur 9(3):285–289
Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans Inf Syst Secur 5(4):438–457
Guo C, Ping Y, Liu N, Luo SS (2016) A two-level hybrid approach for intrusion detection. Neurocomputing 214:391–400
Halme L, Kahn B (1988) Building a security monitor with adaptive user work profiles. In: Proceedings of the 11th national computer security conference, National Institute of Standards and Technology, Gaithersburg, MD
Hubballi N, Suryanarayanan V (2014) False alarm minimization techniques in signature-based intrusion detection systems: a survey. Comput Commun 49:1–17
Hwang K, Cai M, Chen Y, Qin M (2007) Hybrid intrusion detection with weighted signature generation over anomalous internet episodes. IEEE Trans Depend Secure Comput 4(1):41–55
Ilgun K (1992) USTAT: a real-time intrusion detection system for UNIX. Master's thesis, Computer Science Department, UCSB
Jajodia S, Millen J (1993) Editor's preface. J Comput Secur 2(2/3):85
Jonsson E, Olovsson T (1997) A quantitative model of the security intrusion process based on attacker behavior. IEEE Trans Softw Eng 23(4):235–245
Jyothsna V, Prasad VVR, Prasad KM (2011) A review of anomaly based intrusion detection systems. Int J Comput Appl 28(7):26–35
Kabiri P, Ghorbani AA (2005) Research on intrusion detection and response: a survey. Int J Netw Secur 1(2):84–102
Kemmerer RA, Vigna G (2002) Intrusion detection: a brief history and overview. Computer 35(4):27–30
Kim G, Lee S, Kim S (2014) A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst Appl 41(4):1690–1700
Kruegel C, Toth T (2003) Using decision trees to improve signature-based intrusion detection. In: Recent advances in intrusion detection (RAID 2003). Springer, Berlin, Heidelberg
Kumar G (2014) Evaluation metrics for intrusion detection systems: a study. Evaluation 2(11):11
Kumar S, Spafford EH (1996) A pattern matching model for misuse intrusion detection. The COAST Project, Purdue University, West Lafayette, IN
Lazarevic A, Kumar V, Srivastava J (2005) Managing cyber threats: issues, approaches, and challenges. Springer, New York
Lee W, Fan W, Miller M, Stolfo SJ, Zadok E (2002) Toward cost-sensitive modeling for intrusion detection and response. J Comput Secur 10(1–2):5–22
Lee W, Fan W, Stolfo SJ, Miller M (2006) Cost-sensitive modeling for intrusion detection. In: Machine learning and data mining for computer security. Springer, London, pp 125–136
Liao HJ, Lin CHR, Lin YC, Tung KY (2013) Intrusion detection system: a comprehensive review. J Netw Comput Appl 36(1):16–24
Lunt TF (1990) IDES: an intelligent system for detecting intruders. In: Proceedings of the symposium on computer security, threat and countermeasures
Lunt TF (1993) A survey of intrusion detection systems. Comput Secur 12:405–418
Lunt TF, Jagannathan R (1988) A prototype real-time intrusion detection system. In: Proceedings of the 1988 IEEE symposium on security and privacy
Lunt TF (1988) Automated audit trail analysis and intrusion detection. In: Proceedings of the 11th national computer security conference, National Institute of Standards and Technology, Gaithersburg, MD
Lunt TF, Tamaru A, Gilham F, Jagannathan R, Jalali RC, Javitz H, Valdes A, Neumann P, Garvey T (1992) A real-time intrusion detection expert system. Technical Report, Computer Science Laboratory, SRI International
McCarthy L (1998) Intranet security: stories from the trenches. Sun Microsystems Press, California
McHugh J (2000) Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans Inf Syst Secur 3(4):262–294
Meng W, Li W, Kwok LF (2014) EFM: enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism. Comput Secur 43:189–204
Nathiya T, Suseendran G (2019) An effective hybrid intrusion detection system for use in security monitoring in the virtual network layer of cloud computing technology. In: Data management, analytics and innovation. Springer, Singapore, pp 483–497
NMAB (National Materials Advisory Board) (1998) Configuration management and performance verification of explosives-detection systems. Publication NMAB-482-3, National Academy Press, Washington, DC
Ortalo R, Deswarte Y, Kaâniche M (1999) Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans Softw Eng 25(5):633–650
Patcha A, Park JM (2007) An overview of anomaly detection techniques: existing solutions and latest technological trends. Comput Netw 51(12):3448–3470
Porras PA, Kemmerer RA (1992) Penetration state transition analysis: a rule-based intrusion detection approach. In: Proceedings of the eighth annual computer security applications conference
Porras PA, Neumann PG (1997) EMERALD: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the 20th national information systems security conference
Provost F, Fawcett T (1997) Analysis and visualization of classifier performance: comparison under imprecise class and cost distributions. In: Proceedings of KDD-97. AAAI Press
Sarkar S, Sriram RS (2001) Bayesian models for early warnings of bank failures. Manag Sci 47(11):1457–1475
Singh D, Patel D, Borisaniya B, Modi C (2016) Collaborative IDS framework for cloud. Int J Netw Secur 18(4):699–709
Sriram T (2002) Blocking virus requests in Novell BorderManager's HTTP accelerator. Feature article, Novell AppNotes, Waltham
Stakhanova N, Strasburg C, Basu S, Wong JS (2012) Towards cost-sensitive assessment of intrusion response selection. J Comput Secur 20(2–3):169–198
Stavroulakis P, Stamp M (eds) (2010) Handbook of information and communication security. Springer, New York
Steingold S, Wherry R, Piatetsky-Shapiro G (2001) Measuring real-time predictive models. In: Proceedings of the IEEE international conference on data mining
Tesfahun A, Bhaskari DL (2015) Effective hybrid intrusion detection system: a layered approach. Int J Comput Netw Inf Secur 7(3):35–41
Uddin M, Rahman AA, Uddin N, Memon J, Alsaqour RA, Kazi S (2013) Signature-based multi-layer distributed intrusion detection system using mobile agents. Int J Netw Secur 15(2):97–105
Van Trees HL (2001) Detection, estimation, and modulation theory, part I. Wiley, New York
Verton D (2000) Attorneys debate making cybercrime laws tougher. Computerworld 34(47):16
Xenakis C, Panos C, Stavrakakis I (2011) A comparative evaluation of intrusion detection architectures for mobile ad hoc networks. Comput Secur 30:63–80
Zhang N, Zeng FP, Jiang F (2006) Research on the intrusion response system based on cost-sensitive model. Comput Simul 23(5):249–253
Acknowledgements
We thank Prof. R. Srinivasan and Prof. H. Cavusoglu for their contributions to earlier versions of the paper and the reviewers and participants of ICIS 2003 in Seattle, WA, and Workshop on Secure Knowledge Management 2006 in New York, NY where it received the best paper award. We are greatly indebted to participants at a conference in Cal Poly Pomona.
Appendix
Proof of Result 2
The firm’s payoff is given by
A dishonest user’s payoff is
A dishonest user’s optimization condition is
The firm’s optimization conditions are
There are parameter values for which the three conditions cannot all be satisfied simultaneously. Consequently, we must also consider corner solutions. We analyze all possible solutions below and derive when each of them occurs.
(a) \(\psi = 1, \rho_{1} = 0, \rho_{2} = 0\) is an equilibrium iff \(\left.\frac{\partial F}{\partial \rho_{i}}\right|_{\psi \to 1} < 0\) for i = 1, 2 and \(\left.\frac{\partial H}{\partial \psi}\right|_{\rho_{1}, \rho_{2} \to 0} > 0\). These conditions are satisfied only if (i) \(c > d\phi \frac{P_{D} \lambda}{P_{F} + (P_{D} - P_{F})\lambda}\) and (ii) \(c > d\phi \frac{(1 - P_{D})\lambda}{(1 - P_{F}) - (P_{D} - P_{F})\lambda}\). Since \(\frac{P_{D} \lambda}{P_{F} + (P_{D} - P_{F})\lambda}\) is greater than \(\frac{(1 - P_{D})\lambda}{(1 - P_{F}) - (P_{D} - P_{F})\lambda}\), (i) implies (ii), so (i) alone is enough for these conditions to be satisfied.
(b) \(\psi = 1, \rho_{1} = 1, \rho_{2} = 1\) is an equilibrium iff \(\left.\frac{\partial F}{\partial \rho_{i}}\right|_{\psi \to 1} > 0\) for i = 1, 2 and \(\left.\frac{\partial H}{\partial \psi}\right|_{\rho_{1}, \rho_{2} \to 1} > 0\). These conditions are satisfied only if (i) \(c < d\phi \frac{P_{D} \lambda}{P_{F} + (P_{D} - P_{F})\lambda}\), (ii) \(c < d\phi \frac{(1 - P_{D})\lambda}{(1 - P_{F}) - (P_{D} - P_{F})\lambda}\) and (iii) \(\mu > \beta\). Since \(\frac{P_{D} \lambda}{P_{F} + (P_{D} - P_{F})\lambda}\) is greater than \(\frac{(1 - P_{D})\lambda}{(1 - P_{F}) - (P_{D} - P_{F})\lambda}\), (ii) implies (i), so (ii) and (iii) are sufficient for these conditions to be satisfied.
(c) \(\psi = 1, \rho_{1} = 1, \rho_{2} = 0\) is an equilibrium iff \(\left.\frac{\partial F}{\partial \rho_{1}}\right|_{\psi \to 1} > 0\), \(\left.\frac{\partial F}{\partial \rho_{2}}\right|_{\psi \to 1} < 0\) and \(\left.\frac{\partial H}{\partial \psi}\right|_{\rho_{1} \to 1, \rho_{2} \to 0} > 0\). These conditions are satisfied only if (i) \(c < d\phi \frac{P_{D} \lambda}{P_{F} + (P_{D} - P_{F})\lambda}\), (ii) \(c > d\phi \frac{(1 - P_{D})\lambda}{(1 - P_{F}) - (P_{D} - P_{F})\lambda}\) and (iii) \(\mu > P_{D} \beta\). Hence (i), (ii) and (iii) are all needed for this equilibrium.
Since ρ1 ≥ ρ2 and ρ1 and ρ2 cannot both lie strictly between 0 and 1 (Result 1), the only other possible equilibria are (0 < ψ < 1, ρ1 = 1, 0 < ρ2 < 1) and (0 < ψ < 1, 0 < ρ1 < 1, ρ2 = 0).
(d) If (0 < ψ < 1, ρ1 = 1, 0 < ρ2 < 1) is an equilibrium, the firm's first-order condition with respect to ρ2 and the user's first-order condition must both hold with equality. Equating (15) to zero gives the relationship between ρ1 and ρ2:
$$\frac{\mu}{\beta} = P_{D}(\rho_{1} - \rho_{2}) + \rho_{2} \qquad (18)$$
Plugging the equilibrium value ρ1 = 1 into (18) and solving for ρ2 gives
$$\rho_{2} = \frac{\mu}{\beta(1 - P_{D})} - \frac{P_{D}}{1 - P_{D}} \qquad (19)$$
Equating (17) to zero and solving for ψ gives
$$\psi = \frac{c(1 - P_{F})}{c(P_{D} - P_{F})\lambda + (1 - P_{D})\,d\lambda\phi} \qquad (20)$$
Two constraints must hold for this equilibrium to exist. First, the values found in (19) and (20) must lie strictly between zero and one. Second, at these values the derivative of the firm's payoff with respect to ρ1 must be positive (since ρ1 = 1); this holds automatically, because at the ψ in (20) the firm is exactly indifferent about investigating in the absence of an alarm, and the posterior probability of a hacker is higher after an alarm than after no alarm. These constraints yield
$$P_{D} < \frac{\mu}{\beta} < 1 \quad \text{and} \quad c < d\phi \frac{(1 - P_{D})\lambda}{(1 - P_{D})\lambda + (1 - P_{F})(1 - \lambda)}$$
(e) If (0 < ψ < 1, 0 < ρ1 < 1, ρ2 = 0) is an equilibrium, the firm's first-order condition with respect to ρ1 and the intruder's first-order condition must both hold with equality. Equating (15) to zero gives the relationship between ρ1 and ρ2 in (18). Plugging the equilibrium value ρ2 = 0 into (18) and solving for ρ1 gives
$$\rho_{1} = \frac{\mu}{P_{D}\beta} \qquad (21)$$
Equating the firm's first-order condition with respect to ρ1 to zero and solving for ψ gives
$$\psi = \frac{cP_{F}}{P_{D}\,d\lambda\phi - c(P_{D} - P_{F})\lambda} \qquad (22)$$
There are likewise two constraints for this equilibrium. First, the values found in (21) and (22) must lie strictly between zero and one. Second, at these values the derivative of the firm's payoff with respect to ρ2 must be negative (since ρ2 = 0); as in case (d), this follows from the firm being indifferent after an alarm while the posterior probability of a hacker is lower after no alarm. These constraints yield
$$0 < \frac{\mu}{\beta} < P_{D} \quad \text{and} \quad c < d\phi \frac{P_{D}\lambda}{P_{D}\lambda + P_{F}(1 - \lambda)}$$
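The case analysis above can be carried out numerically. The following Python is an added worked example, not code from the paper: it takes an IDS operating point (P_D, P_F) from the ROC curve together with the cost parameters, decides which of cases (a) to (e) of Result 2 applies, computes ψ, ρ1 and ρ2 from (19) to (22), and then checks the answer against the best-response conditions. The marginal-payoff expressions `firm_marginals` and `hacker_marginal` are assumptions reconstructed from the first-order conditions the appendix states (the page does not reproduce the full payoff functions F and H), and the parameter values at the bottom are constructed for illustration.

```python
"""Equilibrium selection for the IDS configuration game (appendix, Result 2).

Added example. Symbols follow the appendix:
  p_d, p_f   detection rate P_D and false-alarm rate P_F of the IDS operating point
  lam        fraction of users who are dishonest (lambda)
  c          cost of one manual investigation
  d, phi     damage of an intrusion and the fraction of it that investigating avoids
  mu, beta   hacker's gain from an intrusion and penalty when investigated
  psi        probability that a dishonest user attacks
  rho1, rho2 firm's probability of investigating after an alarm / after no alarm
ASSUMPTION: the marginal payoffs below are reconstructed from the first-order
conditions in the appendix; the paper's full F and H are not on this page.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

EPS = 1e-9


@dataclass(frozen=True)
class Params:
    p_d: float
    p_f: float
    lam: float
    c: float
    d: float
    phi: float
    mu: float
    beta: float


def alarm_prob(p: Params, psi: float) -> float:
    """P(alarm) = P_F + (P_D - P_F) * psi * lam: the psi*lam attacking users
    trip the IDS with probability P_D, everyone else with probability P_F."""
    return p.p_f + (p.p_d - p.p_f) * psi * p.lam


def posterior(p: Params, psi: float) -> Tuple[float, float]:
    """(P(hacker | alarm), P(hacker | no alarm)). With a small base rate lam
    the first stays low even for a good IDS (the base-rate effect)."""
    a = alarm_prob(p, psi)
    return (p.p_d * psi * p.lam / a, (1 - p.p_d) * psi * p.lam / (1 - a))


def firm_marginals(p: Params, psi: float) -> Tuple[float, float]:
    """(dF/drho1, dF/drho2): each investigation costs c and recovers d*phi
    when the investigated user really is attacking (assumed form)."""
    a = alarm_prob(p, psi)
    return (p.d * p.phi * p.p_d * psi * p.lam - p.c * a,
            p.d * p.phi * (1 - p.p_d) * psi * p.lam - p.c * (1 - a))


def hacker_marginal(p: Params, rho1: float, rho2: float) -> float:
    """dH/dpsi: gain mu minus expected penalty; setting it to zero is eq. (18)."""
    return p.mu - p.beta * (p.p_d * rho1 + (1 - p.p_d) * rho2)


def equilibrium(p: Params) -> Optional[Tuple[str, float, float, float]]:
    """Return (case, psi, rho1, rho2) for cases (a)-(e) of Result 2, or None
    when the parameters sit on a boundary where no case's conditions hold."""
    t1 = p.d * p.phi * p.p_d * p.lam / alarm_prob(p, 1.0)               # threshold (a)(i)
    t2 = p.d * p.phi * (1 - p.p_d) * p.lam / (1 - alarm_prob(p, 1.0))   # threshold (a)(ii)
    r = p.mu / p.beta
    if p.c > t1:                                   # (a): never investigate
        return ("a", 1.0, 0.0, 0.0)
    if p.c < t2 and r > 1:                         # (b): always investigate
        return ("b", 1.0, 1.0, 1.0)
    if t2 < p.c < t1 and r > p.p_d:                # (c): investigate alarms only
        return ("c", 1.0, 1.0, 0.0)
    if p.c < t2 and p.p_d < r < 1:                 # (d): eqs. (19) and (20)
        rho2 = r / (1 - p.p_d) - p.p_d / (1 - p.p_d)
        psi = (p.c * (1 - p.p_f)
               / (p.c * (p.p_d - p.p_f) * p.lam + (1 - p.p_d) * p.d * p.lam * p.phi))
        return ("d", psi, 1.0, rho2)
    if p.c < t1 and 0 < r < p.p_d:                 # (e): eqs. (21) and (22)
        rho1 = r / p.p_d
        psi = (p.c * p.p_f
               / (p.p_d * p.d * p.lam * p.phi - p.c * (p.p_d - p.p_f) * p.lam))
        return ("e", psi, rho1, 0.0)
    return None


def is_equilibrium(p: Params, psi: float, rho1: float, rho2: float) -> bool:
    """Mutual best responses: an interior choice needs a zero marginal payoff,
    a corner choice needs the marginal payoff pointing into that corner."""
    def consistent(x: float, marginal: float) -> bool:
        if x <= EPS:
            return marginal <= EPS
        if x >= 1 - EPS:
            return marginal >= -EPS
        return abs(marginal) <= 1e-6
    m1, m2 = firm_marginals(p, psi)
    return (consistent(rho1, m1) and consistent(rho2, m2)
            and consistent(psi, hacker_marginal(p, rho1, rho2)))


if __name__ == "__main__":
    # Constructed parameters: operating point P_D = 0.8, P_F = 0.1, 5% dishonest
    # users, damage 1000 fully recovered by investigation, penalty 100.
    base = dict(p_d=0.8, p_f=0.1, lam=0.05, d=1000.0, phi=1.0, beta=100.0)
    for c, mu in ((400.0, 50.0), (100.0, 50.0), (5.0, 90.0)):
        p = Params(c=c, mu=mu, **base)
        eq = equilibrium(p)
        print(f"c={c:6.1f} mu={mu:5.1f} -> {eq}  "
              f"consistent={is_equilibrium(p, *eq[1:]) if eq else None}")
    print("posterior at psi=1:", posterior(Params(c=100.0, mu=50.0, **base), 1.0))
```

With these constructed numbers, `posterior(..., 1.0)` shows that only about 30% of alarms come from attackers even though P_D is 0.8, which is why the investigation cost c is compared against dφ times that posterior rather than against dφ alone; raising c from 100 to 400 moves the outcome from case (e), where the firm investigates alarms with probability 0.625 and the hacking rate drops to about 0.27, to case (a), where the firm never investigates and every dishonest user attacks.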
Cite this article
Mishra, B., Smirnova, I. Optimal configuration of intrusion detection systems. Inf Technol Manag 22, 231–244 (2021). https://doi.org/10.1007/s10799-020-00319-z