The management of intrusion detection: Configuration, inspection, and investment

This paper analyzes intrusion detection decisions in the presence of multiple alarm types that differ in occurrence probability, damage and investigation cost. Specifically, multi-period optimization models are used to study three critical decisions associated with intrusion detection: (i) allocation of the investigation budget across periods and across alarm types; (ii) configuration of an intrusion detection system (IDS), i.e. choosing the false alarm rate at which a given IDS operates; and (iii) choosing an appropriate size for the investigation budget in the presence of alternative investment opportunities. Three models that cascade onto each other are presented. We minimize the sum of the security costs: the damage due to ignored alarms, the investigation cost and the undetected intrusion cost. We show that it can be optimal to ignore non-critical alarms in order to keep more of the investigation budget for critical alarms that may occur in future periods. We establish that the security costs decrease as the investigation budget increases. Our last model deals with security investment in the form of an investigation budget: the budget should be increased until the rate at which the additional budget saves security costs equals the organization's internal rate of return. These analyses are done with explicit (derived) cost functions, as opposed to implicit (assumed) cost functions. We conclude with additional managerial insights and numerical examples.
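The following is an added worked example, not code or data from the paper, that makes the first and third decisions concrete on a toy instance. It assumes two alarm types (one non-critical, one critical) with made-up probabilities, investigation costs and expected damages, a three-period horizon with a budget shared across periods, and at most one alarm of each type per period. A Bellman recursion computes the minimum expected damage from ignored alarms for every (period, remaining budget) state, which is enough to show the abstract's two claims: ignoring a non-critical alarm can be optimal when the budget it would consume is worth more against a critical alarm in a later period, and expected security cost is non-increasing in the budget. The investment rule at the end is my reading of the abstract (add budget while its marginal saving covers one unit of budget plus the IRR); the undetected-intrusion cost is independent of the allocation and is omitted.

```python
from functools import lru_cache
from itertools import combinations, product

# Constructed toy instance (an assumption for this example, not data from the paper).
# For each alarm type: probability it fires in a period, cost to investigate one
# alarm, and expected damage if it is ignored (damage x P(real intrusion | alarm)).
ALARM_TYPES = {
    "noncritical": {"p": 0.6, "cost": 1, "damage": 2.0},
    "critical":    {"p": 0.2, "cost": 2, "damage": 20.0},
}
PERIODS = 3          # planning horizon; one investigation budget is shared across all periods
NAMES = tuple(ALARM_TYPES)


def period_outcomes():
    """Enumerate which alarm types fire in one period, with the probability of each
    combination. Types fire independently, at most one alarm per type (assumption)."""
    for fired in product((False, True), repeat=len(NAMES)):
        prob = 1.0
        for name, f in zip(NAMES, fired):
            p = ALARM_TYPES[name]["p"]
            prob *= p if f else 1.0 - p
        yield tuple(n for n, f in zip(NAMES, fired) if f), prob


def _choices(fired, budget):
    """All subsets of the fired alarms that the remaining budget can pay for."""
    for r in range(len(fired) + 1):
        for subset in combinations(fired, r):
            if sum(ALARM_TYPES[n]["cost"] for n in subset) <= budget:
                yield subset


def _cost_of(subset, fired, t, budget):
    """Damage from alarms ignored now plus the optimal cost of the remaining periods."""
    spent = sum(ALARM_TYPES[n]["cost"] for n in subset)
    ignored = sum(ALARM_TYPES[n]["damage"] for n in fired if n not in subset)
    return ignored + expected_damage(t + 1, budget - spent)


@lru_cache(maxsize=None)
def expected_damage(t, budget):
    """V(t, b): minimum expected damage from ignored alarms over periods t..PERIODS-1
    when b units of investigation budget remain (Bellman recursion)."""
    if t >= PERIODS:
        return 0.0
    total = 0.0
    for fired, prob in period_outcomes():
        total += prob * min(_cost_of(s, fired, t, budget) for s in _choices(fired, budget))
    return total


def best_action(t, budget, fired):
    """Which of the alarms that fired in period t to investigate with the remaining budget."""
    return min(_choices(fired, budget), key=lambda s: _cost_of(s, fired, t, budget))


def marginal_saving(budget):
    """Reduction in expected damage bought by the last unit of the budget (budget >= 1)."""
    return expected_damage(0, budget - 1) - expected_damage(0, budget)


def choose_budget(irr, max_budget=12):
    """Investment rule (my reading of the abstract): add units of budget while each unit
    saves at least (1 + irr) units of damage, i.e. while its return beats the IRR.
    Implemented as a scan for the budget with the largest net saving; this agrees with
    the marginal rule when the cost curve is convex and stays safe when it is not."""
    net = {b: (expected_damage(0, 0) - expected_damage(0, b)) - (1 + irr) * b
           for b in range(max_budget + 1)}
    return max(net, key=net.get)


if __name__ == "__main__":
    for b in range(10):
        saving = marginal_saving(b) if b else float("nan")
        print(f"budget={b:2d}  expected damage={expected_damage(0, b):8.4f}  "
              f"marginal saving={saving:7.4f}")
    # Period index 1 of 3, two units left, only a non-critical alarm fired:
    print("investigate:", best_action(1, 2, ("noncritical",)))   # () : the alarm is ignored
    print("budget at IRR 10%:", choose_budget(0.10))
```

With these numbers, a non-critical alarm in the middle period is ignored when two budget units remain, because spending one unit on it would leave too little to investigate a critical alarm in the last period, whereas the same alarm is investigated when three units remain. The printed table is the abstract's monotonicity result on this instance: expected damage never rises as the budget grows, but the saving per additional unit is not monotone, which is why the budget scan is done over all candidate sizes rather than stopping at the first unit whose marginal saving falls below 1 + IRR.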
