Optimal Thresholds for Intrusion Detection Systems
Aron Laszka, Waseem Abbas, Shankar Sastry, Yevgeniy Vorobeychik, Xenofon Koutsoukos

Citation
Aron Laszka, Waseem Abbas, Shankar Sastry, Yevgeniy Vorobeychik, Xenofon Koutsoukos. "Optimal Thresholds for Intrusion Detection Systems". 3rd Annual Symposium and Bootcamp on the Science of Security (HotSoS), April, 2016.

Abstract
In recent years, we have seen a number of successful attacks against high-profile targets, some of which have even caused severe physical damage. These examples have shown us that resourceful and determined attackers can penetrate virtually any system, even those that are secured by the "air-gap." Consequently, in order to minimize the impact of stealthy attacks, defenders have to focus not only on strengthening the first lines of defense but also on deploying effective intrusion-detection systems. Intrusion-detection systems can play a key role in protecting sensitive computer systems since they give defenders a chance to detect and mitigate attacks before they could cause substantial losses. However, an over-sensitive intrusion-detection system, which produces a large number of false alarms, imposes prohibitively high operational costs on a defender since alarms need to be manually investigated. Thus, defenders have to strike the right balance between maximizing security and minimizing costs. Optimizing the sensitivity of intrusion detection systems is especially challenging in the case when multiple interdependent computer systems have to be defended against a strategic attacker, who can target computer systems in order to maximize losses and minimize the probability of detection. We model this scenario as an attacker-defender security game and study the problem of finding optimal intrusion detection thresholds.

Electronic downloads

Internal. This publication has been marked by the author for FORCES-only distribution, so electronic downloads are not available without logging in.
Citation formats
  • HTML
    Aron Laszka, Waseem Abbas, Shankar Sastry, Yevgeniy
    Vorobeychik, Xenofon Koutsoukos. <a
    href="http://www.cps-forces.org/pubs/114.html"
    >Optimal Thresholds for Intrusion Detection
    Systems</a>, 3rd Annual Symposium and Bootcamp on the
    Science of Security (HotSoS), April, 2016.
  • Plain text
    Aron Laszka, Waseem Abbas, Shankar Sastry, Yevgeniy
    Vorobeychik, Xenofon Koutsoukos. "Optimal Thresholds
    for Intrusion Detection Systems". 3rd Annual Symposium
    and Bootcamp on the Science of Security (HotSoS), April,
    2016.
  • BibTeX
    @inproceedings{LaszkaAbbasSastryVorobeychikKoutsoukos16_OptimalThresholdsForIntrusionDetectionSystems,
        author = {Aron Laszka and Waseem Abbas and Shankar Sastry
                  and Yevgeniy Vorobeychik and Xenofon Koutsoukos},
        title = {Optimal Thresholds for Intrusion Detection Systems},
        booktitle = {3rd Annual Symposium and Bootcamp on the Science
                  of Security (HotSoS)},
        month = {April},
        year = {2016},
        abstract = {In recent years, we have seen a number of
                  successful attacks against high-profile targets,
                  some of which have even caused severe physical
                  damage. These examples have shown us that
                  resourceful and determined attackers can penetrate
                  virtually any system, even those that are secured
                  by the "air-gap." Consequently, in order to
                  minimize the impact of stealthy attacks, defenders
                  have to focus not only on strengthening the first
                  lines of defense but also on deploying effective
                  intrusion-detection systems. Intrusion-detection
                  systems can play a key role in protecting
                  sensitive computer systems since they give
                  defenders a chance to detect and mitigate attacks
                  before they could cause substantial losses.
                  However, an over-sensitive intrusion-detection
                  system, which produces a large number of false
                  alarms, imposes prohibitively high operational
                  costs on a defender since alarms need to be
                  manually investigated. Thus, defenders have to
                  strike the right balance between maximizing
                  security and minimizing costs. Optimizing the
                  sensitivity of intrusion detection systems is
                  especially challenging in the case when multiple
                  interdependent computer systems have to be
                  defended against a strategic attacker, who can
                  target computer systems in order to maximize
                  losses and minimize the probability of detection.
                  We model this scenario as an attacker-defender
                  security game and study the problem of finding
                  optimal intrusion detection thresholds.},
        URL = {http://cps-forces.org/pubs/114.html}
    }

Posted by Aron Laszka on 15 Mar 2016.
For additional information, see the Publications FAQ or contact webmaster at cps-forces org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.