The challenges of using an intrusion detection system: is it worth the effort?

An intrusion detection system (IDS) can be a key component of security incident response within organizations. Traditionally, intrusion detection research has focused on improving the accuracy of IDSs, but recent work has recognized the need to support the security practitioners who receive the IDS alarms and investigate suspected incidents. To examine the challenges associated with deploying and maintaining an IDS, we analyzed 9 interviews with IT security practitioners who have worked with IDSs and performed participatory observations in an organization deploying a network IDS. We had three main research questions: (1) What do security practitioners expect from an IDS? (2) What difficulties do they encounter when installing and configuring an IDS? (3) How can the usability of an IDS be improved? Our analysis reveals both positive and negative perceptions that security practitioners have of IDSs, as well as several issues encountered during the initial stages of IDS deployment. In particular, practitioners found it difficult to decide where to place the IDS and how best to configure it for use within a distributed environment with multiple stakeholders. We provide recommendations for tool support to help mitigate these challenges and reduce the effort of introducing an IDS within an organization.
