ABSTRACT: Intrusion prevention requires effective identification of and response to malicious events. In this paper, we model two important managerial decisions involved in the intrusion prevention process: the configuration of the detection component, and the response by the reaction component. The configuration decision affects the number of alarms the firm has to investigate. It is well known that the traditional intrusion detection system generates too many false alarms. The response decision determines whether alarms are going to be investigated or rejected outright. By jointly optimizing these two decision variables, a firm may apply different strategies in protecting its informational assets: slow but accurate, rapid but inaccurate, or a mixture of the two strategies. We use the optimal control approach to study the problem. Unlike previous literature, which studied the problem with a static model, in our model, the decision on balancing the desire to detect all malicious events with the opportunity costs required to do so is time dependent. Furthermore, we show how the choice of an optimal mixture of reactive and proactive responses depends on the values of cost parameters and investigation rate parameters. We find that in our model, a high damage cost does not immediately translate to a preference of proactive response, or a high false rejection cost does not translate to a preference of proactive response. The dynamics of the problem, such as how fast alarms accumulate and how fast they can be cleared, also affect the decisions.
Key words and phrases: information security, intrusion detection, intrusion prevention, intrusion response