Optimal Thresholds for Anomaly-Based Intrusion Detection in Dynamical Environments
Amin Ghafouri, Waseem Abbas, Aron Laszka, Yevgeniy Vorobeychik, Xenofon Koutsoukos

Citation
Amin Ghafouri, Waseem Abbas, Aron Laszka, Yevgeniy Vorobeychik, Xenofon Koutsoukos. "Optimal Thresholds for Anomaly-Based Intrusion Detection in Dynamical Environments". 2016 Conference on Decision and Game Theory for Security (GameSec 2016), November, 2016.

Abstract
In recent years, we have seen a number of successful attacks against high-profile targets, some of which have even caused severe physical damage. These examples have shown us that resourceful and determined attackers can penetrate virtually any system, even those that are secured by the "air-gap." Consequently, in order to minimize the impact of stealthy attacks, defenders have to focus not only on strengthening the first lines of defense but also on deploying effective intrusion-detection systems. Intrusion-detection systems can play a key role in protecting sensitive computer systems since they give defenders a chance to detect and mitigate attacks before they could cause substantial losses. However, an over-sensitive intrusion-detection system, which produces a large number of false alarms, imposes prohibitively high operational costs on a defender since alarms need to be manually investigated. Thus, defenders have to strike the right balance between maximizing security and minimizing costs. Optimizing the sensitivity of intrusion detection systems is especially challenging in the case when multiple inter-dependent computer systems have to be defended against a strategic attacker, who can target computer systems in order to maximize losses and minimize the probability of detection. We model this scenario as an attacker-defender security game and study the problem of finding optimal intrusion detection thresholds.

Electronic downloads

Internal. This publication has been marked by the author for FORCES-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML
    Amin Ghafouri, Waseem Abbas, Aron Laszka, Yevgeniy
    Vorobeychik, Xenofon Koutsoukos. <a
    href="http://www.cps-forces.org/pubs/234.html"
    >Optimal Thresholds for Anomaly-Based Intrusion Detection
    in Dynamical Environments</a>, 2016 Conference on
    Decision and Game Theory for Security (GameSec 2016),
    November, 2016.
  • Plain text
    Amin Ghafouri, Waseem Abbas, Aron Laszka, Yevgeniy
    Vorobeychik, Xenofon Koutsoukos. "Optimal Thresholds
    for Anomaly-Based Intrusion Detection in Dynamical
    Environments". 2016 Conference on Decision and Game
    Theory for Security (GameSec 2016), November, 2016.
  • BibTeX
    @inproceedings{GhafouriAbbasLaszkaVorobeychikKoutsoukos16_OptimalThresholdsForAnomalyBasedIntrusionDetectionIn,
        author = {Amin Ghafouri and Waseem Abbas and Aron Laszka and
                  Yevgeniy Vorobeychik and Xenofon Koutsoukos},
        title = {Optimal Thresholds for Anomaly-Based Intrusion
                  Detection in Dynamical Environments},
        booktitle = {2016 Conference on Decision and Game Theory for
                  Security (GameSec 2016)},
        month = {November},
        year = {2016},
        abstract = {In recent years, we have seen a number of
                  successful attacks against high-profile targets,
                  some of which have even caused severe physical
                  damage. These examples have shown us that
                  resourceful and determined attackers can penetrate
                  virtually any system, even those that are secured
                  by the "air-gap." Consequently, in order to
                  minimize the impact of stealthy attacks, defenders
                  have to focus not only on strengthening the first
                  lines of defense but also on deploying effective
                  intrusion-detection systems. Intrusion-detection
                  systems can play a key role in protecting
                  sensitive computer systems since they give
                  defenders a chance to detect and mitigate attacks
                  before they could cause substantial losses.
                  However, an over-sensitive intrusion-detection
                  system, which produces a large number of false
                  alarms, imposes prohibitively high operational
                  costs on a defender since alarms need to be
                  manually investigated. Thus, defenders have to
                  strike the right balance between maximizing
                  security and minimizing costs. Optimizing the
                  sensitivity of intrusion detection systems is
                  especially challenging in the case when multiple
                  inter-dependent computer systems have to be
                  defended against a strategic attacker, who can
                  target computer systems in order to maximize
                  losses and minimize the probability of detection.
                  We model this scenario as an attacker-defender
                  security game and study the problem of finding
                  optimal intrusion detection thresholds.},
        URL = {http://cps-forces.org/pubs/234.html}
    }

Posted by Waseem Abbas on 2 Mar 2017.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.