A cost-based analysis of intrusion detection system configuration under active or passive response
Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review
Detail(s)
| Original language | English |
|---|---|
| Pages (from-to) | 21-31 |
| Journal / Publication | Decision Support Systems |
| Volume | 50 |
| Issue number | 1 |
| Publication status | Published - Dec 2010 |
Abstract
This paper studies the joint decisions of IDS configuration and alarm investigation capacity under active and passive responses. In active response, alarm events are blocked immediately, whereas in passive response alarm events are allowed to access the information assets. Despite facilitating information flow, passive response exposes the assets to attacks while the security analysts investigate the alarms. On the other hand, active response may unnecessarily delay benign traffic, since alarm events are blocked. We find closed-form formulas for the optimal investigation capacity and show that the optimal configuration under active response is smaller than under passive response. We also provide expressions that can be used to evaluate security costs and benefits under various configurations, capacities and responses. Numerical studies illustrate the sensitivity of the optimal decisions. © 2010 Elsevier B.V. All rights reserved.
Research Area(s)
- IDS configuration
- Information security
- Intrusion response
- Investigation capacity
Citation Format(s)
A cost-based analysis of intrusion detection system configuration under active or passive response. / Yue, Wei T.; Çakanyildirim, Metin.
In: Decision Support Systems, Vol. 50, No. 1, 12.2010, p. 21-31.