1
|
- Wei T. Yue, Metin Cakanyildirim, Young U. Ryu
- Department of Information Systems and Operations Management
- School of Management
- The University of Texas at Dallas
- Richardson, Texas 75083-0688, USA
|
2
|
- Traditional IDS response tends to be passive – “passive response”
- Secondary investigation is required because the IDS is still imperfect
- Secondary investigation may not occur instantaneously
- These days, an IDS can be set up to respond to events automatically – “active response”
|
3
|
- Active response – dropping the connection, reconfiguring networking devices (firewalls, routers), additional intelligence mining (honeypots)
- We only consider terminating the connection
|
4
|
- In the intrusion detection process, the IDS configuration decision and the alarm investigation decision are related
- The alarm investigation resource affects the response delay in both active and passive response
- If multiple alarm types are involved, which alarm to investigate is an issue
|
5
|
- Finding the corresponding configuration and investigation decisions for the active and passive response approaches
- Determine the “switching” policy on intrusion response
|
6
|
- Passive response
- potential damage cost – resulting from alarmed events not investigated immediately
- low false alarm costs since alarmed events are not disrupted
|
7
|
- Active response
- It could prevent attack damage because the events are terminated immediately
- higher false alarm costs, contingent on the performance of the IDS
|
8
|
|
9
|
- Undetected, or non-alarmed, intrusive events are assumed to be the same for the two response approaches
- Given the parameter values, the decisions involved with the active and passive response approaches are different
|
10
|
- A representation of IDS quality – detection rate (W(P_F)) and false alarm rate (P_F)
- IDS quality can be determined experimentally – MIT Lincoln Lab (Lippmann et al. 2000a, 2000b), Columbia IDS group (Lee and Stolfo, 2000), etc.
|
11
|
|
12
|
- Benign and intrusive event arrivals – independent Poisson processes with rates λ_B and λ_I
- N – number of investigators
- µ – investigation rate
- E(W(P_F, N)) = 1 / (Nµ − P_F λ_B − W(P_F) λ_I)
|
13
|
|
14
|
|
15
|
- We rewrite N in terms of the slack service rate S
|
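Worked example, added here and not part of the slides, that puts together the delay formula of slide 12 and the slack service rate of slide 15. It assumes a constructed piecewise-linear ROC for W(P_F), constructed arrival and investigation rates, and that S = Nµ − P_F λ_B − W(P_F) λ_I; it also shows the failure mode where the investigators cannot keep up with the alarm stream.

```python
import math

# Constructed piecewise-linear ROC breakpoints (P_F, W(P_F)); assumed values,
# not measured IDS data. W is the detection rate at false alarm rate P_F.
ROC_POINTS = [(0.0, 0.0), (0.05, 0.7), (0.2, 0.9), (1.0, 1.0)]


def detection_rate(pf, points=ROC_POINTS):
    """W(P_F): linear interpolation between the ROC breakpoints."""
    if not 0.0 <= pf <= 1.0:
        raise ValueError("P_F must lie in [0, 1]")
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 <= pf <= x1:
            return y0 + (y1 - y0) * (pf - x0) / (x1 - x0)
    raise ValueError("ROC breakpoints must span [0, 1]")


def alarm_rate(pf, lam_b, lam_i, roc=detection_rate):
    """Total alarm arrival rate: false alarms from benign traffic (P_F λ_B)
    plus true alarms from intrusive traffic (W(P_F) λ_I); Poisson rates add."""
    return pf * lam_b + roc(pf) * lam_i


def slack(pf, n, mu, lam_b, lam_i, roc=detection_rate):
    """Slack service rate S = Nµ − P_F λ_B − W(P_F) λ_I (assumed definition:
    investigation capacity left over after serving the alarm stream)."""
    return n * mu - alarm_rate(pf, lam_b, lam_i, roc)


def expected_delay(pf, n, mu, lam_b, lam_i, roc=detection_rate):
    """E(W(P_F, N)) = 1/S as on slide 12. With S <= 0 the queue of alarms
    grows without bound, so the investigation delay (and with it the
    passive-response damage exposure) is unbounded."""
    s = slack(pf, n, mu, lam_b, lam_i, roc)
    return math.inf if s <= 0 else 1.0 / s


def min_investigators(pf, mu, lam_b, lam_i, roc=detection_rate):
    """Smallest N with S > 0, i.e. the first N with Nµ strictly above
    the alarm rate at this operating point."""
    return math.floor(alarm_rate(pf, lam_b, lam_i, roc) / mu) + 1


if __name__ == "__main__":
    lam_b, lam_i, mu = 100.0, 5.0, 20.0  # constructed rates (events per hour)
    for pf in (0.01, 0.05, 0.2, 0.5):
        for n in (1, 2, 3):
            print(f"P_F={pf:.2f} N={n}: S={slack(pf, n, mu, lam_b, lam_i):7.2f}"
                  f"  E(W)={expected_delay(pf, n, mu, lam_b, lam_i):.4f} h")
```

Raising P_F buys detection rate along the ROC but also raises the false alarm load on the investigators, which is why the configuration and investigation decisions are coupled.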
16
|
|
17
|
|
18
|
|
19
|
|
20
|
- Derive optimal intrusion detection decisions with a piecewise-linear ROC function
- Extend the study with other types of ROC functions
- Include multiple types of alarm
|