Abstract
An intrusion prevention system (IPS) acts as a new type of information security technology, the configuration and management of which are currently urgent problems; in particular, debate exists regarding the value of these systems. In this paper, we analyse whether a firm realizes a positive or negative value from using an IPS instead of an intrusion detection system (IDS) in a default configuration and an optimal configuration, respectively. Our results suggest: (a) an IPS could hurt the firm when not configured optimally; (b) the optimal configuration of the IPS depends not only on the cost parameters but also on the external environment (quality of the IDS) in which the firm is operating; (c) whether the IDS is optimally configured or not, the firm will make the same decisions between using the IPS instead of the IDS and continuing to use the IDS; and (d) except for the true positive rate of IDS being in a certain region and the blocking cost being sufficiently high, the firm realizes a strictly nonnegative value if the firm configures the IPS optimally.
References
Farahmand F, Navathe SB, Sharp GP, Enslow PH (2005) A management perspective on risk of security threats to information systems. Inf Technol Manag 6(2–3):203–225
Nguyen HV, Shin S, Choi Y (2011) An integrated approach to the optimal selection of security tools using analytic hierarchy process and goal programming. Int J Technol Manag 54(2/3):229–251
Corona I, Giacinto G, Roli F (2013) Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issues. Inf Sci 239:201–225
Gao X, Zhong WJ, Mei SE (2013) A game-theory approach to configuration of detection software with decision errors. Reliab Eng Syst Saf 119:35–43
Zhao LR, Mei SE, Zhong WJ (2014) Game analysis on optimal configuration strategies of virtual private network and intrusion detection systems. J Ind Eng Eng Manag 4:025 (in Chinese)
Punithavathani DS, Sujatha K, Jain JM (2015) Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence. Clust Comput 18(1):435–451
Cavusoglu H, Raghunathan S, Cavusoglu H (2009) Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems. Inf Syst Res 20(2):198–217
Zhao LR, Mei SE, Zhong WJ (2014) Configuration strategy of two information security technologies based on risk preference. J Syst Eng 29(3):324–325 (in Chinese)
Ogut H, Cavusoglu H, Raghunathan S (2008) Intrusion-detection policies for IT security breaches. INFORMS J Comput 20(1):112–123
Öğüt H (2013) The configuration and detection strategies for information security systems. Comput Math Appl 65(9):1234–1253
Ashoor AS, Gore S (2011) Difference between intrusion detection system (IDS) and intrusion prevention system (IPS). In: International conference on network security and applications. Springer, Berlin, pp 497–501
Zhang H (2014) Intrusion prevention system based real-time network application flow monitoring method, involves performing application flow monitoring process in real-time by adopting visual policy, and determining application flow rate. China: CN104052738-A, 17 Sept
Cavusoglu H, Mishra B, Raghunathan S (2005) The value of intrusion detection systems in information technology security architecture. Inf Syst Res 16(1):28–46
Liao HJ, Lin CHR, Lin YC, Tung KY (2013) Intrusion detection system: a comprehensive review. J Netw Comput Appl 36(1):16–24
Moayedi BZ, Azgomi MA (2012) A game theoretic framework for evaluation of the impacts of hackers diversity on security measures. Reliab Eng Syst Saf 99:45–54
Yue WT, Cakanyildirim M (2007) Intrusion prevention in information systems: reactive and proactive responses. J Manag Inf Syst 24(1):329–353
Qassim Q, Patel A, Mohd-Zin A (2014) Strategy to reduce false alarms in intrusion detection and prevention systems. Int Arab J Inf Technol (IAJIT) 11(5):500–502
Yu W, Chang YCI, Park E (2014) A modified area under the ROC curve and its application to marker selection and classification. J Korean Stat Soc 43(2):161–175
Nze Ossima AD, Daurès JP, Bessaoud F, Trétarre B (2015) The generalized Lehmann ROC curves: Lehmann family of ROC surfaces. J Stat Comput Simul 85(3):596–607
Cavusoglu H, Raghunathan S (2004) Configuration of detection software: a comparison of decision and game theory approaches. Decis Anal 1(3):131–148
Li TM, Zhong WJ, Mei SE (2008) Inspection game analysis of intrusion prevention system management and configuration. J Syst Eng 23(5):590–594
Kenkre PS, Pai A, Colaco L (2015) Real time intrusion detection and prevention system. In: Proceedings of the 3rd international conference on frontiers of intelligent computing: theory and applications (FICTA). Springer, Cham, pp 405–411
Appendix
Proof of Proposition 1
It can be proved that \(\rho_{1} \ge \rho_{3} \ge \rho_{2}\) and that \(\rho_{1} ,\rho_{2}\) cannot be positive and less than one at the same time by a similar proof to result 3 in Cavusoglu and Raghunathan [20]. Similarly, \(\rho_{3}\) and \(\rho_{2}\) cannot be positive and less than one at the same time, and \(\rho_{1}\) and \(\rho_{3}\) cannot be positive and less than one at the same time. The following optimization conditions are obvious:
We now solve for the mixed-strategy equilibria.
(a) If (\(\rho_{1} = \rho_{3} = 1, 0 < \rho_{2} < 1, 0 < \psi < 1\)) is an equilibrium, the first-order conditions with respect to \(\psi\) and \(\rho_{2}\) must be satisfied. Given that \(\rho_{1} = \rho_{3} = 1\), equating (A2) and (A4) to zero yields
$$\rho_{2}^{*} = \frac{\mu \left( 1 - P_{D}^{F} \right) - \beta P_{D}}{\beta \left( 1 - P_{D} \right)}$$ (A5)
$$\psi_{IPS}^{*} = \frac{c\left( 1 - P_{F} \right)}{c\left( P_{D} - P_{F} \right) + d\left( 1 - P_{D} \right)}$$ (A6)
Because \(0 < \rho_{2} < 1\) and \(0 < \psi < 1\), we obtain \(\mu \left( 1 - P_{D}^{F} \right) > \beta P_{D}\) and \(1 > \frac{c}{d} > 0\).
(b) If (\(0 < \rho_{1} < 1, \rho_{2} = \rho_{3} = 0, 0 < \psi < 1\)) is an equilibrium, the first-order conditions with respect to \(\psi\) and \(\rho_{1}\) must be satisfied. Equating (A1) and (A4) to zero and substituting \(\rho_{2} = 0\) gives
$$\rho_{1}^{*} = \frac{\theta P_{F}^{F} + \mu \left( 1 - P_{D}^{F} \right)}{\beta \left( P_{D} - P_{D}^{F} \right)}$$ (A7)
$$\psi_{IPS}^{*} = \frac{c\left( P_{F} - P_{F}^{F} \right)}{d\left( P_{D} - P_{D}^{F} \right) - c\left[ \left( P_{D} - P_{D}^{F} \right) - \left( P_{F} - P_{F}^{F} \right) \right]}$$ (A8)
Because \(0 < \rho_{1} < 1\) and \(0 < \psi < 1\), we obtain \(\mu \left( 1 - P_{D}^{F} \right) \le \beta \left( P_{D} - P_{D}^{F} \right) - \theta P_{F}^{F}\) and \(1 > \frac{c}{d} > 0\).
(c) If (\(\rho_{1} = 1, \rho_{2} = 0, 0 < \rho_{3} < 1, 0 < \psi < 1\)) is an equilibrium, the first-order conditions with respect to \(\psi\) and \(\rho_{3}\) must be satisfied. Equating (A3) and (A4) to zero and substituting \(\rho_{1} = 1, \rho_{2} = 0\) yields
$$\rho_{3}^{*} = \frac{\theta P_{F}^{F} + \mu \left( 1 - P_{D} \right) - \left( \beta - \mu \right)\left( P_{D} - P_{D}^{F} \right)}{\theta P_{F}^{F} + \beta P_{D}^{F}}$$ (A9)
$$\psi_{IPS}^{*} = \frac{\left( \omega - c \right)P_{F}^{F}}{\left( \omega - c \right)P_{F}^{F} + cP_{D}^{F}}$$ (A10)
Because \(0 < \rho_{3} < 1\) and \(0 < \psi < 1\), we obtain \(\beta P_{D} \ge \mu \left( 1 - P_{D}^{F} \right) > \beta \left( P_{D} - P_{D}^{F} \right) - \theta P_{F}^{F}\) and \(\omega > c\).
Proof of Proposition 3
The following result compares the investigation rate, the probability of detecting a hacker and the hacking probability for the IPS and the IDS.
(1) The investigation rate
The investigation rates when the IPS raises an S-alarm and when the IDS raises an alarm are as follows.
When \(\mu > \beta P_{D}\), that is, \(P_{D} < \frac{\mu }{\beta }\), then \(\rho_{1\_IPS} = \rho_{1\_IDS} = 1\).
When \(\mu \left( 1 - P_{D}^{F} \right) \le \beta \left( P_{D} - P_{D}^{F} \right) - \theta P_{F}^{F}\), that is, \(P_{D} \ge \frac{\mu \left( 1 - P_{D}^{F} \right) + \theta P_{F}^{F} + \beta P_{D}^{F}}{\beta}\), then \(\rho_{1\_IPS}^{*} = \frac{\theta P_{F}^{F} + \mu \left( 1 - P_{D}^{F} \right)}{\beta \left( P_{D} - P_{D}^{F} \right)}\) and \(\rho_{1\_IDS}^{*} = \frac{\mu}{\beta P_{D}}\).
When \(\frac{\mu \left( 1 - P_{D}^{F} \right) + \theta P_{F}^{F} + \beta P_{D}^{F}}{\beta} > P_{D} \ge \frac{\mu}{\beta}\), then \(\rho_{1\_IPS}^{*} = 1\) and \(\rho_{1\_IDS}^{*} = \frac{\mu}{\beta P_{D}}\).
The investigation rates when neither the IPS nor the IDS raises an alarm are as follows.
When \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\rho_{2\_IPS} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) - \beta P_{D} }}{{\beta \left( {1 - P_{D} } \right)}}, \rho_{2\_IDS} = \frac{{\mu - \beta P_{D} }}{{\beta \left( {1 - P_{D} } \right)}}\).
When \(P_{D} \ge \frac{\mu \left( 1 - P_{D}^{F} \right) + \theta P_{F}^{F} + \beta P_{D}^{F}}{\beta}\), then \(\rho_{2\_IPS}^{*} = \rho_{2\_IDS}^{*} = 0\).
When \(\frac{\mu \left( 1 - P_{D}^{F} \right) + \theta P_{F}^{F} + \beta P_{D}^{F}}{\beta} > P_{D} \ge \frac{\mu}{\beta}\), then \(\rho_{2\_IPS}^{*} = 0\) and \(\rho_{2\_IDS}^{*} = \frac{\mu}{\beta P_{D}}\).
When \(\frac{\mu \left( 1 - P_{D}^{F} \right)}{\beta} \le P_{D} < \frac{\mu}{\beta}\), then \(\rho_{2\_IPS}^{*} = 0\) and \(\rho_{2\_IDS}^{*} = \frac{\mu - \beta P_{D}}{\beta \left( 1 - P_{D} \right)}\).
Therefore, the investigation rates of the IDS and the IPS compare as follows.
\(\rho_{2\_IPS}^{*} < \rho_{2\_IDS}^{*}\) when \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\rho_{2\_IPS} = \rho_{2\_IDS}\) when \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\).
\(\rho_{1\_IPS} > \rho_{1\_IDS}\) when \(P_{D} > \frac{\mu }{\beta }\), \(\rho_{1\_IPS} = \rho_{1\_IDS}\) when \(P_{D} < \frac{\mu }{\beta }\).
(2) The probability of detecting a hacker
The probability of detecting a hacker is \(\rho_{de\_IPS}^{*} = \rho_{1}^{*} \left( P_{D} - P_{D}^{F} \right) + \rho_{2}^{*} \left( 1 - P_{D} \right) + \rho_{3}^{*} P_{D}^{F}\) for the IPS and \(\rho_{de\_IDS}^{*} = \rho_{1}^{*} P_{D} + \rho_{2}^{*} \left( 1 - P_{D} \right) = \mu / \beta\) for the IDS. Therefore, the detection rates of the IDS and the IPS compare as follows.
When \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\rho_{de\_IPS}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), \(\rho_{de\_IDS}^{*} > \rho_{de\_IPS}^{*}\).
When \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\rho_{de\_IPS}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} }}{\beta }\), \(\rho_{de\_IDS}^{*} > \rho_{de\_IPS}^{*}\).
When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta } \le P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\rho_{de\_IPS}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{{\theta P_{F}^{F} + \beta P_{D}^{F} }}\), \(\rho_{de\_IDS}^{*} > \rho_{de\_IPS}^{*}\).
(3) The hacking probability
When \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\psi_{IPS}^{*} = \psi_{IDS}^{*} = \frac{{c\left( {1 - P_{F} } \right)}}{{c\left( {P_{D} - P_{F} } \right) + d\left( {1 - P_{D} } \right)}}\).
When \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\frac{{\partial \psi_{IPS}^{*} }}{{\partial P_{D}^{F} }} > 0\), then \(\psi_{IPS}^{*} \ge \psi_{IDS}^{*}\).
When \(\frac{\mu \left( 1 - P_{D}^{F} \right) + \theta P_{F}^{F} + \beta P_{D}^{F}}{\beta} > P_{D} \ge \frac{\mu \left( 1 - P_{D}^{F} \right)}{\beta}\), then \(\psi_{IPS}^{*} < \psi_{IDS}^{*}\), because \(\psi_{IPS}^{*} = \frac{\left( \omega - c \right)P_{F}^{F}}{\left( \omega - c \right)P_{F}^{F} + cP_{D}^{F}} \mathop \to \limits^{P_{F}^{F} \to 0} 0\).
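The closed-form equilibria (A5)–(A10) of Proposition 1 and the region-by-region IPS/IDS comparison in the proof of Proposition 3 can be evaluated numerically; the following is an added example, not code from the paper. Symbol names follow the paper, the roles of \(\mu, \beta, \theta, c, d, \omega\) are taken from its model as assumptions, and every numeric input is constructed for illustration.

```python
"""Worked evaluation of the closed-form equilibria (A5)-(A10) and of the IPS/IDS
comparison in the proof of Proposition 3. Added example, not the paper's code."""
from dataclasses import dataclass

@dataclass
class Params:
    mu: float; beta: float; theta: float   # firm-side cost parameters (paper's symbols, assumed roles)
    c: float; d: float; omega: float       # hacker-side c, d and blocking cost omega
    P_D: float; P_F: float                 # IDS true- and false-positive rates
    P_D_F: float; P_F_F: float             # true-/false-positive rates of the IPS blocking (F) stage

def ips_equilibrium(p: Params) -> dict:
    """Pick case (a), (b) or (c) of Proposition 1 by the P_D thresholds used in the
    proof of Proposition 3 and return rho1, rho2, rho3, psi from (A5)-(A10)."""
    low = p.mu * (1 - p.P_D_F) / p.beta
    high = (p.mu * (1 - p.P_D_F) + p.theta * p.P_F_F + p.beta * p.P_D_F) / p.beta
    if p.P_D < low:    # case (a): rho1 = rho3 = 1, 0 < rho2 < 1
        rho2 = (p.mu * (1 - p.P_D_F) - p.beta * p.P_D) / (p.beta * (1 - p.P_D))
        psi = p.c * (1 - p.P_F) / (p.c * (p.P_D - p.P_F) + p.d * (1 - p.P_D))
        return {"case": "a", "rho1": 1.0, "rho2": rho2, "rho3": 1.0, "psi": psi}
    if p.P_D >= high:  # case (b): 0 < rho1 < 1, rho2 = rho3 = 0
        rho1 = (p.theta * p.P_F_F + p.mu * (1 - p.P_D_F)) / (p.beta * (p.P_D - p.P_D_F))
        den = p.d * (p.P_D - p.P_D_F) - p.c * ((p.P_D - p.P_D_F) - (p.P_F - p.P_F_F))
        return {"case": "b", "rho1": rho1, "rho2": 0.0, "rho3": 0.0,
                "psi": p.c * (p.P_F - p.P_F_F) / den}
    # case (c): rho1 = 1, rho2 = 0, 0 < rho3 < 1  (low <= P_D < high)
    rho3 = (p.theta * p.P_F_F + p.mu * (1 - p.P_D) - (p.beta - p.mu) * (p.P_D - p.P_D_F)) \
        / (p.theta * p.P_F_F + p.beta * p.P_D_F)
    psi = (p.omega - p.c) * p.P_F_F / ((p.omega - p.c) * p.P_F_F + p.c * p.P_D_F)
    return {"case": "c", "rho1": 1.0, "rho2": 0.0, "rho3": rho3, "psi": psi}

def ids_investigation_rates(p: Params) -> dict:
    """IDS benchmark rho1, rho2 as listed in part (1) of the Proposition 3 proof."""
    if p.P_D < p.mu / p.beta:
        return {"rho1": 1.0, "rho2": (p.mu - p.beta * p.P_D) / (p.beta * (1 - p.P_D))}
    return {"rho1": p.mu / (p.beta * p.P_D), "rho2": 0.0}

def detection_probabilities(p: Params) -> tuple:
    """rho_de for the IPS and the IDS from the definitions in part (2) of the proof."""
    ips, ids = ips_equilibrium(p), ids_investigation_rates(p)
    de_ips = ips["rho1"] * (p.P_D - p.P_D_F) + ips["rho2"] * (1 - p.P_D) + ips["rho3"] * p.P_D_F
    de_ids = ids["rho1"] * p.P_D + ids["rho2"] * (1 - p.P_D)  # always equals mu/beta
    return de_ips, de_ids

# Constructed parameters; P_D is varied so that each of the three regions of the proof is hit.
BASE = dict(mu=0.4, beta=1.0, theta=0.5, c=1.0, d=2.0, omega=3.0, P_F=0.3, P_D_F=0.2, P_F_F=0.1)
for P_D in (0.2, 0.45, 0.6):
    p = Params(P_D=P_D, **BASE)
    print(P_D, ips_equilibrium(p), detection_probabilities(p))
```

Detection probabilities are computed from the definitions in part (2) rather than from the case-specific closed forms, so the case (c) value follows directly from \(\rho_{3}^{*}\) in (A9).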
Proof of Equation 27
The following result compares the firm's expected costs for an IPS and an IDS under the condition \(P_{D} > \frac{\mu \left( 1 - P_{D}^{F} \right) + \theta P_{F}^{F} + \beta P_{D}^{F}}{\beta}\).
When \(\omega > V\), the optimal \(P_{D}^{F}\) is \(P_{D}^{F*} = 0\), so the firm's minimal expected cost for an IPS equals that for an IDS; that is, \(M_{IPS} \ge M_{IDS}\). When \(c < \omega < V\), the firm's maximal expected cost for an IPS is \(\left. M_{IPS} \right|_{P_{D}^{F} = 0} = M_{IDS}\), and the optimal \(P_{D}^{F}\) is \(P_{D}^{F*} = \left\{ X \mid P_{D} = \frac{\mu \left( 1 - X \right) + \theta X^{L} + \beta X}{\beta} \right\}\), with \(M_{IPS}^{*} = \left. M_{IPS} \right|_{P_{D}^{F} = P_{D}^{F*}} < \left. M_{IPS} \right|_{P_{D}^{F} = 0} = M_{IDS}\), so the firm's expected cost for an IPS is smaller than that for an IDS; that is, \(M_{IPS} < M_{IDS}\).
Proof of Equation 29
The following result compares the firm's expected costs for an IPS and an IDS under the condition \(\frac{\mu \left( 1 - P_{D}^{F} \right)}{\beta} < P_{D} \le \frac{\mu}{\beta}\).
When \(\frac{\mu \left( 1 - P_{D}^{F} \right)}{\beta} < P_{D} \le \frac{\mu}{\beta}\), that is, \(\frac{\mu}{\beta} \ge P_{D} \ge P_{D}^{F} > 1 - P_{D} \frac{\beta}{\mu}\), we have \(P_{D}^{F*} \to 1 - P_{D} \frac{\beta}{\mu} \mathop \Rightarrow \limits^{P_{D} = \mu / \beta} P_{D}^{F*} \to 0\), so \(M_{IPS}^{*} = \left. M_{IPS} \right|_{P_{D}^{F} \to 0} \to cP_{F} < M_{IDS} = C\); that is, the firm's minimal expected cost for an IPS is lower than that for an IDS.
so the firm’s maximum expected cost for an IPS can be higher than that for an IDS if the blocking cost (\(\omega\)) is sufficiently high.
Cite this article
Cai, C., Mei, S. & Zhong, W. Configuration of intrusion prevention systems based on a legal user: the case for using intrusion prevention systems instead of intrusion detection systems. Inf Technol Manag 20, 55–71 (2019). https://doi.org/10.1007/s10799-018-0291-6
DOI: https://doi.org/10.1007/s10799-018-0291-6