A real-time intrusion detection system (IDS) has several performance objectives: good detection coverage, economy in resource usage, resilience to stress, and resistance to attacks upon itself. In this paper, we argue that these objectives are trade-offs that must be considered not only in IDS design and implementation, but also in deployment and in an adaptive manner. We show that IDS performance trade-offs can be studied as classical optimization problems. We describe an IDS architecture with multiple dynamically configured front-end and back-end detection modules and a monitor. The IDS run-time performance is measured periodically, and detection strategies and workload are configured among the detection modules according to resource constraints and cost-benefit analysis. The back-end performs scenario (or trend) analysis to recognize ongoing attack sequences, so that predictions of the likely forthcoming attacks can be used to proactively and optimally configure the IDS.
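The adaptive configuration step described above, as an added example that is not the paper's code: detection modules with measured CPU costs and attack-class benefits are selected under the CPU budget left after measured load by a 0/1 knapsack, and the benefits are reweighted by a small scenario table standing in for the back-end's trend analysis. The module names, costs, benefits, capacity units and scenario likelihoods are all constructed assumptions.

```python
# Added example (not the paper's code): adaptive IDS module selection as a 0/1 knapsack.
# Module costs/benefits, capacity units and the scenario table are constructed, not from the paper.
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    cost: int       # CPU units consumed per monitoring interval (constructed)
    benefit: float  # value of catching the attack class this module covers (constructed)
    covers: str     # attack class the module detects

MODULES = [  # constructed detection modules
    Module("probe_detector", 2, 3.0, "probe"),
    Module("exploit_sigs", 5, 10.0, "exploit"),
    Module("dos_flow", 4, 6.0, "dos"),
    Module("http_anomaly", 6, 8.0, "exploit"),
]
BASELINE = {"probe": 0.4, "exploit": 0.3, "dos": 0.3}   # prior when no scenario is in progress
# Scenario table: last observed attack stage -> likelihood of each class appearing next (constructed)
SCENARIOS = {"probe": {"probe": 0.2, "exploit": 0.7, "dos": 0.1},
             "exploit": {"probe": 0.1, "exploit": 0.3, "dos": 0.6}}

def predict_next(observed_stage):
    """Trend-analysis stand-in: predict forthcoming attack classes from the last stage seen."""
    return SCENARIOS.get(observed_stage, BASELINE)

def configure(modules, budget, predicted):
    """Pick the module subset with maximal expected benefit within the CPU budget (0/1 knapsack DP)."""
    n = len(modules)
    value = [m.benefit * predicted.get(m.covers, 0.0) for m in modules]  # benefit x likelihood
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        c_i = modules[i - 1].cost
        for c in range(budget + 1):
            best[i][c] = best[i - 1][c]
            if c_i <= c and best[i - 1][c - c_i] + value[i - 1] > best[i][c]:
                best[i][c] = best[i - 1][c - c_i] + value[i - 1]
    chosen, c = [], budget  # backtrack through the table to recover the selected modules
    for i in range(n, 0, -1):
        if best[i][c] != best[i - 1][c]:
            chosen.append(modules[i - 1].name)
            c -= modules[i - 1].cost
    return sorted(chosen), best[n][budget]

def reconfigure(capacity, measured_load, observed_stage=None, modules=MODULES):
    """One monitor period: budget is capacity minus measured load; the prediction steers the choice."""
    budget = max(capacity - measured_load, 0)
    return configure(modules, budget, predict_next(observed_stage))
```

With the same capacity, a quiet period yields broad coverage, while load plus an observed probe stage shifts the budget toward exploit detection.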
CITATION STYLE
Lee, W., Cabrera, J. B. D., Thomas, A., Balwalli, N., Saluja, S., & Zhang, Y. (2002). Performance adaptation in real-time intrusion detection systems. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2516, pp. 252–273). Springer Verlag. https://doi.org/10.1007/3-540-36084-0_14