Intrusion-detection policies for IT security breaches

Intrusion-detection systems (IDSs) form an important component of IT security architectures, but the low proportion of hackers in the user population severely limits the usefulness of IDSs. Thus, even when the IDS is good, an intrusion signal may not imply that the user is more likely to be a hacker than a normal user. Ignoring the low base rate for the proportion of hackers results in acting on every intrusion signal, which is costly because of the high rate of false alarms. This problem is known as the base-rate fallacy in IDSs. On the other hand, ignoring intrusion signals renders IDSs useless. We propose and analyze waiting-time policies, which specify a response to signals from IDSs. We formulate the problem as a stochastic dynamic programming model and derive the optimal waiting time before acting upon an intrusion signal. Because the optimal policy is difficult to implement in many situations, we also derive and theoretically analyze a myopic policy. Our simulations suggest that the behavior of the myopic policy is qualitatively similar to that of the optimal policy. Further, the myopic policy performs better than other policies often used in practice, such as the Bayes policy and m-strike policies. The myopic policy can be implemented easily in a decision support system that supplements an IDS to mitigate the base-rate fallacy and to improve the value of the IDS.