The Value of Intrusion Detection Systems in Information Technology Security Architecture

The increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firm's IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hacker's benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.
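The abstract's central claims (a detection-rate threshold set by the hacker's payoffs, deterrence rather than detection as the source of value, and better-targeted investigation) can be made concrete with a stylized one-shot model. The code below is an added illustration, not the paper's model or notation: the payoff parameters, the assumption that detection does not avert the firm's loss, and the sample ROC points are all constructed for this example.

```python
# Added, stylized illustration (NOT the paper's model): a firm runs an IDS with
# detection rate d and false-alarm rate f, and a hacker with benefit b and penalty
# p (if detected) attacks only when profitable. All parameters are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    pi: float     # assumed prior fraction of users who are hackers
    b: float      # hacker's benefit from an attack
    p: float      # hacker's penalty when the attack is detected and investigated
    loss: float   # firm's loss per attack (assumed NOT averted by detection)
    c_inv: float  # firm's cost of investigating one flagged user


def critical_detection_rate(s: Scenario) -> float:
    """Toy threshold: hacker attacks iff b - d*p > 0, so deterrence needs d >= b/p."""
    return min(1.0, s.b / s.p)


def hacker_deterred(s: Scenario, d: float) -> bool:
    return d >= critical_detection_rate(s)


def alert_precision(pi: float, d: float, f: float) -> float:
    """P(hacker | alert) by Bayes' rule: how well alerts target investigation."""
    return pi * d / (pi * d + (1 - pi) * f)


def firm_cost_with_ids(s: Scenario, d: float, f: float) -> float:
    if hacker_deterred(s, d):
        # Nobody attacks; the firm only pays to investigate false alarms.
        return (1 - s.pi) * f * s.c_inv
    # Hackers still attack; detection punishes them but the loss is already done,
    # so the firm pays the full loss plus the cost of chasing every alert.
    investigated = s.pi * d + (1 - s.pi) * f
    return s.pi * s.loss + investigated * s.c_inv


def firm_cost_without_ids(s: Scenario) -> float:
    # No signal, no investigation: the firm absorbs every attack.
    return s.pi * s.loss


def ids_value(s: Scenario, d: float, f: float) -> float:
    """Positive only when deterrence kicks in (d above the critical rate)."""
    return firm_cost_without_ids(s) - firm_cost_with_ids(s, d, f)


def best_configuration(s: Scenario, roc: list[tuple[float, float]]) -> tuple[float, float]:
    """Choose (d, f) on an assumed ROC curve; (0, 0) means 'IDS off', so the
    optimally configured firm never does worse than having no IDS."""
    return max([(0.0, 0.0)] + list(roc), key=lambda df: ids_value(s, *df))
```

With the constructed scenario pi=0.01, b=10, p=50, loss=100, c_inv=1, the critical detection rate is 0.2: a configuration at d=0.1 loses money on investigations while d=0.5 with f=0.05 deters attacks and beats a higher-detection, higher-false-alarm point on the same curve.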
