Abstract

Intrusion detection systems (IDSs) have become a core component of a firm's IT security architecture. While IDSs enable real-time detection of intrusions, a common criticism has been the frequency of false alarms, which undermines their effectiveness. A fundamental problem in configuring an IDS is achieving the optimal balance between the detection rate and the false positive and false negative rates. Many firms use decision-theoretic approaches to deal with the IDS configuration problem. While decision-theoretic approaches are appropriate for configuring many types of machine learning and classification software that suffer from false positive and false negative errors, we argue that decision-theoretic approaches have fundamental limitations for configuring IDSs. Decision-theoretic approaches are based on the presumption that configuration does not influence the behavior of hackers. Game-theoretic approaches recognize the fact that hackers do modify their strategies in response to firms' actions. In this paper, we compare the decision-theoretic and game-theoretic approaches to the IDS configuration problem when firms are faced with strategic hackers. We find that under most circumstances firms incur lower costs when they use game theory as opposed to decision theory, because the decision-theoretic approach frequently either over- or under-configures the IDS. However, firms incur the same or lower cost under the decision-theoretic approach than under the game-theoretic approach if the configurations produced by the two approaches are sufficiently close. A limitation of the game-theoretic approach is that it requires user-specific utility parameters, which are difficult to estimate. Decision theory, in contrast to game theory, requires an estimate of the attack probability, which is more easily obtained.
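The abstract gives no formal model, so the following is an added example, not the paper's own model or code: a deliberately small model in which the firm configures its IDS by choosing an operating point on an assumed ROC curve (P_D = f^alpha, with f the false-positive rate) and pays linear costs for missed attacks and false alarms, while the hacker gains from an undetected attack and is penalized when detected. The decision-theoretic firm minimises expected cost for a fixed attack-probability estimate; the game-theoretic firm solves the mixed-strategy equilibrium in which the hacker is indifferent between attacking and not. The parameter values and the three attack-probability estimates are constructed for illustration.

```python
"""Toy comparison of decision-theoretic and game-theoretic IDS configuration.

The model below is an assumption made for this example, not the paper's model:
  * the IDS is configured by choosing its false-positive rate f in [0, 1];
  * the ROC curve is P_D(f) = f ** alpha with 0 < alpha < 1 (concave);
  * an undetected attack costs the firm `damage`, each false alarm costs `fp_cost`;
  * the hacker gains `hacker_gain` if undetected and loses `hacker_penalty` if detected.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    alpha: float = 0.5            # ROC shape: P_D = f ** alpha (constructed value)
    damage: float = 4.0           # firm's loss per undetected attack (constructed)
    fp_cost: float = 1.0          # firm's cost per false alarm investigated (constructed)
    hacker_gain: float = 10.0     # hacker's gain per undetected attack (constructed)
    hacker_penalty: float = 10.0  # hacker's loss per detected attack (constructed)


def detection_rate(f: float, prm: Params) -> float:
    """Detection probability at false-positive rate f on the assumed ROC curve."""
    return f ** prm.alpha


def firm_expected_cost(f: float, p: float, prm: Params) -> float:
    """Firm's expected cost when the IDS runs at f and an attack occurs with probability p."""
    missed = p * (1.0 - detection_rate(f, prm)) * prm.damage
    false_alarms = (1.0 - p) * f * prm.fp_cost
    return missed + false_alarms


def decision_theoretic_config(p_hat: float, prm: Params) -> float:
    """Decision theory: minimise expected cost treating the attack probability p_hat as fixed.

    The cost is convex in f, so the zero of its derivative is the optimum,
    clipped to the feasible range [0, 1].
    """
    if p_hat <= 0.0:
        return 0.0
    if p_hat >= 1.0:
        return 1.0
    ratio = p_hat * prm.damage * prm.alpha / ((1.0 - p_hat) * prm.fp_cost)
    return min(1.0, ratio ** (1.0 / (1.0 - prm.alpha)))


def hacker_best_response(f: float, prm: Params) -> float:
    """A strategic hacker attacks (1.0) only if the expected payoff against f is positive."""
    pd = detection_rate(f, prm)
    payoff = (1.0 - pd) * prm.hacker_gain - pd * prm.hacker_penalty
    return 1.0 if payoff > 0.0 else 0.0


def game_theoretic_equilibrium(prm: Params) -> tuple[float, float]:
    """Game theory: mixed-strategy equilibrium (f_eq, p_eq) of the simultaneous-move game.

    The firm configures so the hacker is indifferent between attacking and not
    (P_D = gain / (gain + penalty)); the hacker attacks with the probability that
    makes that configuration the firm's own cost-minimising choice.
    """
    pd_star = prm.hacker_gain / (prm.hacker_gain + prm.hacker_penalty)
    f_eq = pd_star ** (1.0 / prm.alpha)
    # Invert decision_theoretic_config: f^(1-alpha) = p*damage*alpha / ((1-p)*fp_cost)
    a = f_eq ** (1.0 - prm.alpha) * prm.fp_cost / (prm.damage * prm.alpha)
    p_eq = a / (1.0 + a)
    return f_eq, p_eq


def compare(p_hat: float, prm: Params) -> dict:
    """Cost the firm actually incurs under each approach once the hacker responds."""
    f_dt = decision_theoretic_config(p_hat, prm)
    p_real = hacker_best_response(f_dt, prm)  # the hacker reacts to the chosen configuration
    f_gt, p_gt = game_theoretic_equilibrium(prm)
    return {
        "f_dt": f_dt,
        "hacker_attacks": p_real,
        "cost_dt": firm_expected_cost(f_dt, p_real, prm),
        "f_gt": f_gt,
        "p_gt": p_gt,
        "cost_gt": firm_expected_cost(f_gt, p_gt, prm),
    }


if __name__ == "__main__":
    prm = Params()
    f_eq, p_eq = game_theoretic_equilibrium(prm)
    print(f"equilibrium: f_eq={f_eq:.3f}  p_eq={p_eq:.3f}")
    for p_hat in (0.10, 0.21, 0.30):  # constructed attack-probability estimates
        r = compare(p_hat, prm)
        print(f"p_hat={p_hat:.2f}  f_dt={r['f_dt']:.3f}  attacks={r['hacker_attacks']:.0f}  "
              f"cost_dt={r['cost_dt']:.3f}  cost_gt={r['cost_gt']:.3f}")
```

With the constructed parameters the equilibrium is f_eq = 0.25 and p_eq = 0.2, at an expected cost of 0.6. An estimate of p_hat = 0.10 under-configures the IDS: the hacker attacks with certainty and the firm's cost rises to about 3.11. An estimate of 0.30 over-configures it: the hacker is deterred, but the firm pays about 0.73 in false-alarm handling. An estimate of 0.21 lands close enough to the equilibrium that the deterred hacker leaves the firm with a cost below 0.6, which is the toy-model counterpart of the abstract's remark that decision theory can do as well or better when the two configurations are sufficiently close. Note also which inputs each route needs: the equilibrium depends on the hacker's gain and penalty (the utility parameters the abstract calls hard to estimate), whereas the decision-theoretic configuration depends only on the attack-probability estimate.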
