Intrusion-Detection Policies for IT Security Breaches

Intrusion-detection systems (IDSs) form an important component of IT security architectures, but the low proportion of hackers in the user population severely limits their usefulness. Even when the IDS is accurate, an intrusion signal does not by itself imply that the flagged user is more likely to be a hacker than a normal user. Ignoring this low base rate leads to acting on every intrusion signal, which is costly because most signals are false alarms; this is the base-rate fallacy in intrusion detection. On the other hand, ignoring intrusion signals altogether renders the IDS useless. We propose and analyze waiting-time policies, which specify how to respond to signals from an IDS. We formulate the problem as a stochastic dynamic programming model and derive the optimal waiting time before acting on an intrusion signal. Because the optimal policy is difficult to implement in many settings, we also derive and analyze a myopic policy. Our simulations suggest that the myopic policy behaves qualitatively like the optimal policy and outperforms policies commonly used in practice, such as the Bayes policy and m-strike policies. The myopic policy can be implemented easily in a decision support system that supplements an IDS, mitigating the base-rate fallacy and improving the value of the IDS.
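The base-rate problem the abstract describes, and the two benchmark policies it names (the Bayes policy, which acts once the posterior probability of a hacker crosses a threshold, and the m-strike policy, which acts after a fixed number of signals), can be worked through numerically. The block below is an added example and is not the paper's model or code: it does not implement the paper's waiting-time or myopic policies, whose cost structure the abstract does not give. The base rate (one hacker per 10,000 users), the IDS detection rate (0.90) and false-positive rate (0.01) are constructed inputs, and alerts are assumed independent given the user type.

```python
"""Base-rate fallacy in IDS alerting, with Bayes and m-strike response rules.

Added example. The hacker base rate and the IDS detection / false-positive
rates used here are constructed illustrations, not figures from the paper.
"""
from math import comb


def posterior(prior: float, p_d: float, p_f: float, k: int, n: int) -> float:
    """P(user is a hacker | k IDS alerts among n monitored events).

    Assumes alerts are independent given the user type: each hostile event
    raises an alert with probability p_d, each benign event with probability
    p_f. The binomial coefficient cancels in the ratio; it is kept for clarity.
    """
    like_hacker = comb(n, k) * p_d ** k * (1 - p_d) ** (n - k)
    like_normal = comb(n, k) * p_f ** k * (1 - p_f) ** (n - k)
    joint_hacker = prior * like_hacker
    return joint_hacker / (joint_hacker + (1 - prior) * like_normal)


def bayes_policy(prior: float, p_d: float, p_f: float, k: int, n: int,
                 threshold: float = 0.5) -> bool:
    """Bayes policy: act as soon as the posterior reaches the threshold."""
    return posterior(prior, p_d, p_f, k, n) >= threshold


def strikes_needed(prior: float, p_d: float, p_f: float,
                   threshold: float = 0.5, max_m: int = 50) -> int:
    """Smallest m for which m consecutive alerts push the posterior past threshold.

    At this m an m-strike rule and a Bayes rule agree for a user whose every
    observed event has raised an alert.
    """
    for m in range(1, max_m + 1):
        if posterior(prior, p_d, p_f, m, m) >= threshold:
            return m
    raise ValueError("threshold not reachable within max_m alerts")


def tail_prob(p: float, m: int, n: int) -> float:
    """P(at least m successes in n independent Bernoulli(p) trials)."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(m, n + 1))


def m_strike_rates(m: int, n: int, p_d: float, p_f: float) -> tuple[float, float]:
    """(detection probability, false-alarm probability) of an m-strike policy
    that acts once a user has accumulated m alerts within n events."""
    return tail_prob(p_d, m, n), tail_prob(p_f, m, n)


if __name__ == "__main__":
    PRIOR = 1e-4   # constructed: one hacker per 10,000 users
    P_D = 0.90     # constructed: IDS flags 90 % of hostile events
    P_F = 0.01     # constructed: IDS flags 1 % of benign events

    # A single alert from a "good" IDS still points to a normal user ~99 % of the time.
    print(f"P(hacker | 1 alert) = {posterior(PRIOR, P_D, P_F, 1, 1):.4f}")

    m = strikes_needed(PRIOR, P_D, P_F)
    print(f"consecutive alerts needed before P(hacker) >= 0.5: {m}")

    # Acting on every alert versus waiting for m alerts over a 10-event window.
    for strikes in (1, m):
        det, fa = m_strike_rates(strikes, 10, P_D, P_F)
        print(f"{strikes}-strike over 10 events: detect={det:.6f}, false alarm={fa:.6f}")
```

With these inputs a single alert gives a posterior of under 1 %, and three consecutive alerts are needed before a hacker becomes the more likely explanation; over a ten-event window the 3-strike rule cuts the per-user false-alarm probability from roughly 9.6 % to about 0.01 % while still detecting the hacker with probability above 0.999. The Bayes and m-strike rules shown here ignore the cost of delay and the cost of acting, which is what the waiting-time policies in the paper are designed to trade off.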
