
Configuration of intrusion prevention systems based on a legal user: the case for using intrusion prevention systems instead of intrusion detection systems

Published in Information Technology and Management

Abstract

An intrusion prevention system (IPS) acts as a new type of information security technology, the configuration and management of which are currently urgent problems; in particular, debate exists regarding the value of these systems. In this paper, we analyse whether a firm realizes a positive or negative value from using an IPS instead of an intrusion detection system (IDS) in a default configuration and an optimal configuration, respectively. Our results suggest: (a) an IPS could hurt the firm when not configured optimally; (b) the optimal configuration of the IPS depends not only on the cost parameters but also on the external environment (quality of the IDS) in which the firm is operating; (c) whether the IDS is optimally configured or not, the firm will make the same decisions between using the IPS instead of the IDS and continuing to use the IDS; and (d) except for the true positive rate of IDS being in a certain region and the blocking cost being sufficiently high, the firm realizes a strictly nonnegative value if the firm configures the IPS optimally.



References

  1. Farahmand F, Navathe SB, Sharp GP, Enslow PH (2005) A management perspective on risk of security threats to information systems. Inf Technol Manag 6(2–3):203–225
  2. Nguyen HV, Shin S, Choi Y (2011) An integrated approach to the optimal selection of security tools using analytic hierarchy process and goal programming. Int J Technol Manag 54(2/3):229–251
  3. Corona I, Giacinto G, Roli F (2013) Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issues. Inf Sci 239:201–225
  4. Gao X, Zhong WJ, Mei SE (2013) A game-theory approach to configuration of detection software with decision errors. Reliab Eng Syst Saf 119:35–43
  5. Zhao LR, Mei SE, Zhong WJ (2014) Game analysis on optimal configuration strategies of virtual private network and intrusion detection systems. J Ind Eng Eng Manag 4:025 (in Chinese)
  6. Punithavathani DS, Sujatha K, Jain JM (2015) Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence. Clust Comput 18(1):435–451
  7. Cavusoglu H, Raghunathan S, Cavusoglu H (2009) Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems. Inf Syst Res 20(2):198–217
  8. Zhao LR, Mei SE, Zhong WJ (2014) Configuration strategy of two information security technologies based on risk preference. J Syst Eng 29(3):324–325 (in Chinese)
  9. Ogut H, Cavusoglu H, Raghunathan S (2008) Intrusion-detection policies for IT security breaches. INFORMS J Comput 20(1):112–123
  10. Öğüt H (2013) The configuration and detection strategies for information security systems. Comput Math Appl 65(9):1234–1253
  11. Ashoor AS, Gore S (2011) Difference between intrusion detection system (IDS) and intrusion prevention system (IPS). In: International conference on network security and applications. Springer, Berlin, pp 497–501
  12. Zhang H (2014) Intrusion prevention system based real-time network application flow monitoring method, involves performing application flow monitoring process in real-time by adopting visual policy, and determining application flow rate. China: CN104052738-A, 17 Sept
  13. Cavusoglu H, Mishra B, Raghunathan S (2005) The value of intrusion detection systems in information technology security architecture. Inf Syst Res 16(1):28–46
  14. Liao HJ, Lin CHR, Lin YC, Tung KY (2013) Intrusion detection system: a comprehensive review. J Netw Comput Appl 36(1):16–24
  15. Moayedi BZ, Azgomi MA (2012) A game theoretic framework for evaluation of the impacts of hackers diversity on security measures. Reliab Eng Syst Saf 99:45–54
  16. Yue WT, Cakanyildirim M (2007) Intrusion prevention in information systems: reactive and proactive responses. J Manag Inf Syst 24(1):329–353
  17. Qassim Q, Patel A, Mohd-Zin A (2014) Strategy to reduce false alarms in intrusion detection and prevention systems. Int Arab J Inf Technol (IAJIT) 11(5):500–502
  18. Yu W, Chang YCI, Park E (2014) A modified area under the ROC curve and its application to marker selection and classification. J Korean Stat Soc 43(2):161–175
  19. Nze Ossima AD, Daurès JP, Bessaoud F, Trétarre B (2015) The generalized Lehmann ROC curves: Lehmann family of ROC surfaces. J Stat Comput Simul 85(3):596–607
  20. Cavusoglu H, Raghunathan S (2004) Configuration of detection software: a comparison of decision and game theory approaches. Decis Anal 1(3):131–148
  21. Li TM, Zhong WJ, Mei SE (2008) Inspection game analysis of intrusion prevention system management and configuration. J Syst Eng 23(5):590–594
  22. Kenkre PS, Pai A, Colaco L (2015) Real time intrusion detection and prevention system. In: Proceedings of the 3rd international conference on frontiers of intelligent computing: theory and applications (FICTA). Springer, Cham, pp 405–411

Author information

Corresponding author

Correspondence to Shue Mei.

Appendix

Proof of Proposition 1

It can be shown that \(\rho_{1} \ge \rho_{3} \ge \rho_{2}\), and that \(\rho_{1}\) and \(\rho_{2}\) cannot both be strictly between zero and one, by a proof similar to that of Result 3 in Cavusoglu and Raghunathan [20]. Similarly, \(\rho_{3}\) and \(\rho_{2}\) cannot both be strictly between zero and one, and neither can \(\rho_{1}\) and \(\rho_{3}\). The first-order conditions follow directly:

$$\frac{\partial M}{{\partial \rho_{1} }} = \left( {c - \eta_{S} d} \right)P\left( {S{\text{-}}alarm} \right)$$
(A1)
$$\frac{\partial M}{{\partial \rho_{2} }} = \left( {c - \eta_{n} d} \right)P\left( {no{\text{-}}alarm} \right)$$
(A2)
$$\frac{\partial M}{{\partial \rho_{3} }} = \left[ {c - \omega \left( {1 - \eta_{D} } \right)} \right]P\left( {D{\text{-}}alarm} \right)$$
(A3)
$$\frac{\partial H}{\partial \psi } = \left( {\mu - \beta \rho_{1} } \right)\left( {P_{D} - P_{D}^{F} } \right) + \left( {\mu - \beta \rho_{2} } \right)\left( {1 - P_{D} } \right) + \theta \left( {1 - \rho_{3} } \right)P_{F}^{F} - \beta \rho_{3} P_{D}^{F}$$
(A4)

We now solve for the mixed-strategy equilibria.

(a) If (\(\rho_{1} = \rho_{3} = 1,\; 0 < \rho_{2} < 1,\; 0 < \psi < 1\)) is an equilibrium, the first-order conditions with respect to \(\psi\) and \(\rho_{2}\) must be satisfied. Given that \(\rho_{1} = \rho_{3} = 1\), setting (A2) and (A4) to zero yields

$$\rho_{2}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) - \beta P_{D} }}{{\beta \left( {1 - P_{D} } \right)}}$$
(A5)
$$\psi_{IPS}^{*} = \frac{{c\left( {1 - P_{F} } \right)}}{{c\left( {P_{D} - P_{F} } \right) + d\left( {1 - P_{D} } \right)}}$$
(A6)

Because \(0 < \rho_{2} < 1\) and \(0 < \psi < 1\), we obtain \(\mu \left( {1 - P_{D}^{F} } \right) > \beta P_{D}\) and \(1 > \frac{c}{d} > 0\).

(b) If (\(0 < \rho_{1} < 1,\; \rho_{2} = \rho_{3} = 0,\; 0 < \psi < 1\)) is an equilibrium, the first-order conditions with respect to \(\psi\) and \(\rho_{1}\) must be satisfied. Setting (A1) and (A4) to zero and substituting \(\rho_{2} = 0\) gives

$$\rho_{1}^{*} = \frac{{\theta P_{F}^{F} + \mu \left( {1 - P_{D}^{F} } \right)}}{{\beta \left( {P_{D} - P_{D}^{F} } \right)}}$$
(A7)
$$\psi_{IPS}^{*} = \frac{{c\left( {P_{F} - P_{F}^{F} } \right)}}{{d\left( {P_{D} - P_{D}^{F} } \right) - c\left[ {\left( {P_{D} - P_{D}^{F} } \right) - \left( {P_{F} - P_{F}^{F} } \right)} \right]}}$$
(A8)

Because \(0 < \rho_{1} < 1\) and \(0 < \psi < 1\), we obtain \(\mu \left( {1 - P_{D}^{F} } \right) \le \beta \left( {P_{D} - P_{D}^{F} } \right) - \theta P_{F}^{F}\) and \(1 > \frac{c}{d} > 0\).

(c) If (\(\rho_{1} = 1,\; \rho_{2} = 0,\; 0 < \rho_{3} < 1,\; 0 < \psi < 1\)) is an equilibrium, the first-order conditions with respect to \(\psi\) and \(\rho_{3}\) must be satisfied. Setting (A3) and (A4) to zero and substituting \(\rho_{1} = 1,\; \rho_{2} = 0\) yields

$$\rho_{3}^{*} = \frac{{\theta P_{F}^{F} + \mu \left( {1 - P_{D} } \right) - \left( {\beta - \mu } \right)\left( {P_{D} - P_{D}^{F} } \right)}}{{\theta P_{F}^{F} + \beta P_{D}^{F} }}$$
(A9)
$$\psi_{IPS}^{*} = \frac{{\left( {\omega - c} \right)P_{F}^{F} }}{{\left( {\omega - c} \right)P_{F}^{F} + cP_{D}^{F} }}$$
(A10)

Because \(0 < \rho_{3} < 1\) and \(0 < \psi < 1\), we obtain \(\beta P_{D} \ge \mu \left( {1 - P_{D}^{F} } \right) > \beta \left( {P_{D} - P_{D}^{F} } \right) - \theta P_{F}^{F}\) and \(\omega > c\).

Proof of Proposition 3

The following result compares the investigation rate, the probability of detecting a hacker and the hacking probability for the IPS and the IDS.

(1) The investigation rate

    The investigation rates when the IPS raises an S-alarm and when the IDS raises an alarm are as follows.

    When \(\mu > \beta P_{D}\), that is, \(P_{D} < \frac{\mu }{\beta }\), then \(\rho_{1\_IPS} = \rho_{1\_IDS} = 1\).

    When \(\mu \left( {1 - P_{D}^{F} } \right) \le \beta \left( {P_{D} - P_{D}^{F} } \right) - \theta P_{F}^{F}\), that is, \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), then \(\rho_{1\_IPS}^{*} = \frac{{\theta P_{F}^{F} + \mu \left( {1 - P_{D}^{F} } \right)}}{{\beta \left( {P_{D} - P_{D}^{F} } \right)}},\; \rho_{1\_IDS}^{*} = \frac{\mu }{{\beta P_{D} }}\).

    When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta } > P_{D} \ge \frac{\mu }{\beta }\), then \(\rho_{1\_IPS}^{*} = 1,\; \rho_{1\_IDS}^{*} = \frac{\mu }{{\beta P_{D} }}\).

    The investigation rates when neither the IPS nor the IDS raises an alarm are as follows.

    When \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\rho_{2\_IPS} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) - \beta P_{D} }}{{\beta \left( {1 - P_{D} } \right)}}, \rho_{2\_IDS} = \frac{{\mu - \beta P_{D} }}{{\beta \left( {1 - P_{D} } \right)}}\).

    When \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), then \(\rho_{2\_IPS}^{*}\) = \(\rho_{2\_IDS}^{*}\) = \(0\).

    When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta } > P_{D} \ge \frac{\mu }{\beta }\), then \(\rho_{2\_IPS}^{*} = 0,\; \rho_{2\_IDS}^{*} = \frac{\mu }{{\beta P_{D} }}\).

    When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta } \le P_{D} < \frac{\mu }{\beta }\), then \(\rho_{2\_IPS}^{*} = 0,\; \rho_{2\_IDS}^{*} = \frac{{\mu - \beta P_{D} }}{{\beta \left( {1 - P_{D} } \right)}}\).

    Therefore, the investigation rates of the IDS and the IPS compare as follows.

    \(\rho_{2\_IPS}^{*} < \rho_{2\_IDS}^{*}\) when \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\rho_{2\_IPS} = \rho_{2\_IDS}\) when \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\).

    \(\rho_{1\_IPS} > \rho_{1\_IDS}\) when \(P_{D} > \frac{\mu }{\beta }\), \(\rho_{1\_IPS} = \rho_{1\_IDS}\) when \(P_{D} < \frac{\mu }{\beta }\).

(2) The probability of detecting a hacker

    The probability of detecting a hacker is \(\rho_{de\_IPS}^{*} = \rho_{1}^{*} \left( {P_{D} - P_{D}^{F} } \right) + \rho_{2}^{*} \left( {1 - P_{D} } \right) + \rho_{3}^{*} P_{D}^{F}\) for the IPS, and \(\rho_{de\_IDS}^{*} = \rho_{1}^{*} P_{D} + \rho_{2}^{*} \left( {1 - P_{D} } \right) = \mu /\beta\) for the IDS. Therefore, the detection rates of the IDS and the IPS compare as follows.

    When \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\rho_{de\_IPS}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), \(\rho_{de\_IDS}^{*} > \rho_{de\_IPS}^{*}\).

    When \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\rho_{de\_IPS}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} }}{\beta }\), \(\rho_{de\_IDS}^{*} > \rho_{de\_IPS}^{*}\).

    When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta } \le P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), \(\rho_{de\_IPS}^{*} = \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{{\theta P_{F}^{F} + \beta P_{D}^{F} }}\), \(\rho_{de\_IDS}^{*} > \rho_{de\_IPS}^{*}\).

(3) The hacking probability

    When \(P_{D} < \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\psi_{IPS}^{*} = \psi_{IDS}^{*} = \frac{{c\left( {1 - P_{F} } \right)}}{{c\left( {P_{D} - P_{F} } \right) + d\left( {1 - P_{D} } \right)}}\).

    When \(P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\), we have \(\frac{{\partial \psi_{IPS}^{*} }}{{\partial P_{D}^{F} }} > 0\), and hence \(\psi_{IPS}^{*} \ge \psi_{IDS}^{*}\).

    When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta } > P_{D} \ge \frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta }\), then \(\psi_{IPS}^{*} < \psi_{IDS}^{*}\), because \(\psi_{IPS}^{*} = \frac{{\left( {\omega - c} \right)P_{F}^{F} }}{{\left( {\omega - c} \right)P_{F}^{F} + cP_{D}^{F} }}\mathop \to \limits^{{P_{F}^{F} \to 0}} 0\).
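The three equilibrium cases (a)–(c) of Proposition 1 and the IPS/IDS comparison of Proposition 3 can be evaluated numerically. The following is an added example, not code from the paper: it implements (A5)–(A10), the IDS investigation rates for the \(P_{D} < \mu/\beta\) and \(P_{D} \ge \mu/\beta\) regions as given in part (1), and the two detection probabilities from part (2); parameter names follow the appendix, the numeric values are constructed, and the `Model` class is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass
class Model:
    # Parameter names follow the appendix; their economic meaning is defined in the paper body.
    mu: float
    beta: float
    theta: float
    c: float
    d: float
    omega: float
    P_D: float    # true positive rate
    P_F: float    # false positive rate
    P_D_F: float  # superscript-F rate for the hacker (IPS-specific)
    P_F_F: float  # superscript-F rate for the legal user (IPS-specific)


def ips_equilibrium(m):
    """Mixed-strategy equilibrium (rho1, rho2, rho3, psi) of the IPS: cases (a)-(c), (A5)-(A10)."""
    a = m.mu * (1 - m.P_D_F)
    gap_d, gap_f = m.P_D - m.P_D_F, m.P_F - m.P_F_F
    if a > m.beta * m.P_D:  # case (a): rho1 = rho3 = 1, interior rho2
        rho2 = (a - m.beta * m.P_D) / (m.beta * (1 - m.P_D))
        psi = m.c * (1 - m.P_F) / (m.c * (m.P_D - m.P_F) + m.d * (1 - m.P_D))
        return 1.0, rho2, 1.0, psi
    if a <= m.beta * gap_d - m.theta * m.P_F_F:  # case (b): rho2 = rho3 = 0, interior rho1
        rho1 = (m.theta * m.P_F_F + a) / (m.beta * gap_d)
        psi = m.c * gap_f / (m.d * gap_d - m.c * (gap_d - gap_f))
        return rho1, 0.0, 0.0, psi
    # case (c): rho1 = 1, rho2 = 0, interior rho3
    rho3 = (m.theta * m.P_F_F + m.mu * (1 - m.P_D) - (m.beta - m.mu) * gap_d) / (
        m.theta * m.P_F_F + m.beta * m.P_D_F)
    psi = (m.omega - m.c) * m.P_F_F / ((m.omega - m.c) * m.P_F_F + m.c * m.P_D_F)
    return 1.0, 0.0, rho3, psi


def ids_equilibrium(m):
    """IDS investigation rates (rho1, rho2) from Proposition 3, part (1)."""
    if m.P_D < m.mu / m.beta:
        return 1.0, (m.mu - m.beta * m.P_D) / (m.beta * (1 - m.P_D))
    return m.mu / (m.beta * m.P_D), 0.0


def detection_probabilities(m):
    """(rho_de_IPS, rho_de_IDS): probability that an attacking hacker is detected."""
    rho1, rho2, rho3, _ = ips_equilibrium(m)
    ips = rho1 * (m.P_D - m.P_D_F) + rho2 * (1 - m.P_D) + rho3 * m.P_D_F
    return ips, m.mu / m.beta  # the IDS detection probability is mu/beta in every region


if __name__ == "__main__":
    for P_D in (0.4, 0.6, 0.8):  # constructed values that land in cases (a), (c) and (b)
        m = Model(mu=0.6, beta=1.0, theta=0.2, c=1.0, d=4.0, omega=3.0,
                  P_D=P_D, P_F=0.1, P_D_F=0.1, P_F_F=0.02)
        print(P_D, ips_equilibrium(m), ids_equilibrium(m), detection_probabilities(m))
```

With these constructed values the IDS detection probability (0.6) exceeds the IPS one in all three cases, and in case (b) \(\rho_{1\_IPS}^{*}\) exceeds \(\rho_{1\_IDS}^{*}\), as part (1) states for \(P_{D} > \mu/\beta\).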

Proof of Equation 27

The following result compares the firm’s expected costs for an IPS and an IDS in the condition of \(P_{D} > \frac{{\mu \left( {1 - P_{D}^{F} } \right) + \theta P_{F}^{F} + \beta P_{D}^{F} }}{\beta }\).

$$\begin{aligned} \frac{{\partial M_{IPS} }}{{\partial P_{D}^{F} }} & = \frac{{\begin{array}{*{20}c} {\omega \left[ {\left( {d - c} \right)^{2} L\left( {P_{D}^{F} } \right)^{L - 1} \left( {P_{D} - P_{D}^{F} } \right)^{2} + Lc\left( {d - c} \right)\left( {P_{D}^{F} } \right)^{L - 1} \left( {P_{D} - P_{D}^{F} } \right)P_{F} - c\left( {d - c} \right)P_{F}^{F} \left( {P_{F} - P_{F}^{F} } \right)} \right]} \\ { - \left[ {dc^{2} \left( {P_{F} - P_{F}^{F} } \right)^{2} + dcL\left( {P_{D}^{F} } \right)^{L - 1} \left( {d - c} \right)\left( {1 - P_{D}^{F} } \right)\left( {P_{D} - P_{D}^{F} } \right)} \right]} \\ \end{array} }}{{\left[ {\left( {d - c} \right)\left( {P_{D} - P_{D}^{F} } \right) + c\left( {P_{F} - P_{F}^{F} } \right)} \right]^{2} }} \\ & \Rightarrow \frac{{\partial M_{IPS} }}{{\partial P_{D}^{F} }}\left\{ {\begin{array}{*{20}c} { > 0, if \omega > V } \\ { < 0, if c < \omega < V} \\ \end{array} } \right. \\ \end{aligned}$$
$${\text{where}}\quad {\text{V}} = \frac{{dc^{2} \left( {P_{F} - P_{F}^{F} } \right)^{2} + dcL\left( {P_{D}^{F} } \right)^{L - 1} \left( {d - c} \right)\left( {1 - P_{D}^{F} } \right)\left( {P_{D} - P_{D}^{F} } \right)}}{{\left( {d - c} \right)^{2} L\left( {P_{D}^{F} } \right)^{L - 1} \left( {P_{D} - P_{D}^{F} } \right)^{2} + Lc\left( {d - c} \right)\left( {P_{D}^{F} } \right)^{L - 1} \left( {P_{D} - P_{D}^{F} } \right)P_{F} - c\left( {d - c} \right)P_{F}^{F} \left( {P_{F} - P_{F}^{F} } \right)}}.$$

When \(\omega > V\), the optimal \(P_{D}^{F}\) is \(P_{D}^{F*} = 0\), so the firm's minimal expected cost for an IPS equals that for an IDS; that is, \(M_{IPS} \ge M_{IDS}\). When \(c < \omega < V\), the firm's maximal expected cost for an IPS is \(\left. {M_{IPS} } \right|_{{P_{D}^{F} = 0}} = M_{IDS}\), the optimal \(P_{D}^{F}\) is \(P_{D}^{F*} = \left\{ {X |P_{D} = \frac{{\mu \left( {1 - X} \right) + \theta X^{L} + \beta X}}{\beta }} \right\}\), and \(M_{IPS}^{*} = \left. {M_{IPS} } \right|_{{P_{D}^{F} = P_{D}^{F*} }} < \left. {M_{IPS} } \right|_{{P_{D}^{F} = 0}} = M_{IDS}\), so the firm's expected cost for an IPS is smaller than that for an IDS; that is, \(M_{IPS} < M_{IDS}\).

Proof of Equation 29

The following result compares the firm’s expected costs for an IPS and an IDS in the condition of \(\frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta } < P_{D} \le \frac{\mu }{\beta }\).

When \(\frac{{\mu \left( {1 - P_{D}^{F} } \right)}}{\beta } < P_{D} \le \frac{\mu }{\beta }\), that is, \(\frac{\mu }{\beta } \ge P_{D} \ge P_{D}^{F} > 1 - P_{D} \frac{\beta }{\mu }\), we have \(P_{D}^{F*} \to 1 - P_{D} \frac{\beta }{\mu }\mathop \Rightarrow \limits^{{P_{D} = \mu /\beta }} P_{D}^{F*} \to 0\), so \(M_{IPS}^{*} = \left. {M_{IPS} } \right|_{{P_{D}^{F} \to 0}} \to cP_{F} < M_{IDS} = c\); that is, the firm's minimal expected cost for an IPS is lower than that for an IDS.

$$M_{IDS} - M_{IPS} = c - cP_{F} - \frac{{\left[ {d\left( {1 - P_{D} } \right) + c\left( {P_{D} - P_{F} } \right)} \right]\left( {\omega - c} \right)P_{F}^{F} }}{{\left( {\omega - c} \right)P_{F}^{F} + cP_{D}^{F} }}\mathop \Rightarrow \limits^{{P_{D}^{F} = P_{D} }} M_{IDS} - M_{IPS} = \frac{{c^{2} P_{D} \left( {1 - P_{F} } \right) - \left( {d - c} \right)\left( {\omega - c} \right)P_{F} \left( {1 - P_{D} } \right)}}{{\left( {\omega - c} \right)P_{F} + cP_{D} }},$$

so the firm’s maximum expected cost for an IPS can be higher than that for an IDS if the blocking cost (\(\omega\)) is sufficiently high.

Cite this article

Cai, C., Mei, S. & Zhong, W. Configuration of intrusion prevention systems based on a legal user: the case for using intrusion prevention systems instead of intrusion detection systems. Inf Technol Manag 20, 55–71 (2019). https://doi.org/10.1007/s10799-018-0291-6