1 A Queuing Formulation of Intrusion Detection with Active and Passive Responses Wei T. Yue, Metin Cakanyildirim, Young U. Ryu Department of Information.


Slide 1: A Queuing Formulation of Intrusion Detection with Active and Passive Responses
Wei T. Yue, Metin Cakanyildirim, Young U. Ryu
Department of Information Systems and Operations Management, School of Management, The University of Texas at Dallas, Richardson, Texas 75083-0688, USA

Slide 2: Introduction
- Traditional IDS response tends to be passive ("passive response").
- A secondary investigation is required because the IDS is still imperfect.
- The secondary investigation may not occur instantaneously.
- These days an IDS can be set up to respond to events automatically ("active response").

Slide 3: Introduction
- Active responses: dropping the connection, reconfiguring networking devices (firewalls, routers), additional intelligence mining (honeypots).
- We only consider terminating the connection.

Slide 4: Introduction
- In the intrusion detection process, the IDS configuration decision and the alarm investigation decision are related.
- The alarm investigation resource affects the response delay under both active and passive response.
- If multiple alarm types are involved, which alarm to investigate is an issue.

Slide 5: Research Goals
- Find the corresponding configuration and investigation decisions for the active and passive response approaches.
- Determine the "switching" policy for intrusion response.

Slide 6: Problem Description
- Passive response
  - Potential damage cost, resulting from alarmed events that are not investigated immediately.
  - Low false alarm costs, since alarmed events are not disrupted.

Slide 7: Problem Description
- Active response
  - It could prevent attack damage because the events are terminated immediately.
  - Higher false alarm costs, contingent on the performance of the IDS.

Slide 8: Problem Description
- Active response: the false alarm cost is related to the delay.
- Passive response: the damage cost is related to the delay.

Slide 9: Problem Description
- Undetected (non-alarmed) intrusive events are assumed to be the same for the two response approaches.
- Given the parameter values, the decisions involved with the active and passive response approaches are different.

Slide 10: IDS Quality: ROC curve
- A representation of IDS quality: the detection rate, expressed as a function of the false alarm rate P_F.
- IDS quality can be determined experimentally: MIT Lincoln Lab (Lippmann et al. 2000a, 2000b), Columbia IDS group (Lee and Stolfo, 2000), etc.

Slide 11: IDS Quality: ROC curve

Slide 12: A Queuing Model of Intrusion Detection
- Benign and intrusive event arrivals: independent Poisson processes with rates λ_B and λ_I.
- N: number of investigators.
- µ: investigation rate per investigator.
- Expected waiting time of an alarm: E[W(P_F, N)] = 1 / (N µ - P_F λ_B - d(P_F) λ_I), where d(P_F) denotes the detection rate at false alarm rate P_F (the ROC curve). The denominator is the investigators' total service rate minus the total alarm rate (false alarms from benign events plus true alarms from intrusive events).

Slide 13: A Queuing Model of Intrusion Detection: Active Response

Slide 14: A Queuing Model of Intrusion Detection: Passive Response

Slide 15: A Queuing Model of Intrusion Detection
- We rewrite N in terms of the slack service rate S: S = N µ - P_F λ_B - d(P_F) λ_I, with d(P_F) the detection rate at false alarm rate P_F; the expected waiting time is then simply 1/S.

Slide 16: Linear Piecewise ROC
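The waiting-time and slack formulas of slides 12 and 15 combined with a linear piecewise ROC (slide 16), as an added worked example that is not code from the presentation or its authors. The ROC breakpoints and the arrival and investigation rates are constructed sample values, and d(P_F) is this example's name for the detection-rate function.

```python
import math

# Constructed sample ROC breakpoints (false alarm rate P_F, detection rate):
# a concave piecewise-linear curve in the spirit of slide 16, not the paper's data.
ROC_POINTS = [(0.0, 0.0), (0.05, 0.6), (0.2, 0.85), (1.0, 1.0)]

def detection_rate(p_f, roc=ROC_POINTS):
    """d(P_F): linear interpolation between consecutive ROC breakpoints."""
    if not 0.0 <= p_f <= 1.0:
        raise ValueError("P_F must lie in [0, 1]")
    for (x0, y0), (x1, y1) in zip(roc, roc[1:]):
        if x0 <= p_f <= x1:
            return y0 + (y1 - y0) * (p_f - x0) / (x1 - x0)
    return roc[-1][1]

def alarm_rate(p_f, lam_b, lam_i):
    """Total alarm arrival rate: false alarms from benign traffic, P_F*lambda_B,
    plus true alarms from intrusive traffic, d(P_F)*lambda_I (both Poisson)."""
    return p_f * lam_b + detection_rate(p_f) * lam_i

def slack(p_f, n, mu, lam_b, lam_i):
    """Slack service rate S = N*mu - P_F*lambda_B - d(P_F)*lambda_I (slide 15)."""
    return n * mu - alarm_rate(p_f, lam_b, lam_i)

def expected_wait(p_f, n, mu, lam_b, lam_i):
    """E[W(P_F, N)] = 1/S (slide 12). When S <= 0 the investigators cannot
    keep up with the alarm stream and the queue grows without bound."""
    s = slack(p_f, n, mu, lam_b, lam_i)
    return math.inf if s <= 0 else 1.0 / s

def min_investigators(p_f, mu, lam_b, lam_i, max_wait):
    """Smallest N with E[W] <= max_wait, i.e. with S >= 1/max_wait."""
    needed_rate = alarm_rate(p_f, lam_b, lam_i) + 1.0 / max_wait
    return max(1, math.ceil(needed_rate / mu - 1e-9))  # 1e-9 absorbs rounding

if __name__ == "__main__":
    # Constructed rates per hour: 1000 benign events, 10 intrusive events,
    # 20 investigations per investigator, 3 investigators on duty.
    lam_b, lam_i, mu, n = 1000.0, 10.0, 20.0, 3
    for p_f in (0.01, 0.05, 0.1, 0.2):
        print(f"P_F={p_f:.2f}  d(P_F)={detection_rate(p_f):.3f}  "
              f"alarms/h={alarm_rate(p_f, lam_b, lam_i):6.1f}  "
              f"E[W]={expected_wait(p_f, n, mu, lam_b, lam_i):.3f} h  "
              f"N for E[W]<=0.1 h: {min_investigators(p_f, mu, lam_b, lam_i, 0.1)}")
```

Raising P_F along the ROC buys a higher detection rate but floods the investigators with false alarms; the loop shows the expected wait becoming unbounded once S drops to zero, which is the coupling between IDS configuration and investigation resource that slide 4 points out.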

Slide 17: Optimal Configuration and Investigation

Slide 18: Hybrid Response

Slide 19: Hybrid Response

Slide 20: Conclusion
- Derive optimal intrusion detection decisions with a linear piecewise ROC function.
- Extend the study to other types of ROC functions.
- Include multiple types of alarm.

