A cost-based analysis of intrusion detection system configuration under active or passive response

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalpeer-review

10 Scopus Citations
View graph of relations


Related Research Unit(s)


Original languageEnglish
Pages (from-to)21-31
Journal / PublicationDecision Support Systems
Issue number1
Publication statusPublished - Dec 2010


This paper studies the joint decisions of IDS configuration and alarm investigation capacity under active and passive responses. In active response, alarm events are blocked immediately, whereas alarm events are allowed to access the information assets in the passive response. Despite facilitating information flow, passive response exposes the assets to attacks while the security analysts investigate the alarms. On the other hand, active response may unnecessarily delay the benign traffic since alarm events are blocked. We find closed-form formulas for the optimal investigation capacity and show the optimal configuration under active response is smaller than under passive response. We also provide expressions that can be used to evaluate security costs and benefits under various configurations, capacities and responses. Numerical studies are done to illustrate the sensitivity of the optimal decisions. © 2010 Elsevier B.V. All rights reserved.

Research Area(s)

  • IDS configuration, Information security, Intrusion response, Investigation capacity