Authors
Zonghua Zhang, Pin-Han Ho, Liwen He
Publication date
2009/10/31
Journal
Computers & Security
Volume
28
Issue
7
Pages
605-614
Publisher
Elsevier Advanced Technology
Description
Intrusion detection system (IDS) plays a vital role in defending our cyberspace against attacks. Either misuse-based IDS or anomaly-based IDS, or their combinations, however, can only partially reflect the true system state due to excessive false alerts, low detection rate, and inaccurate incident diagnosis. An automated response component built upon IDS therefore must consider the stale and imperfect picture inferred from them and take action accordingly. This article presents an approach for measuring attack impact with the evidence of IDS alerts, with the objective to suggest rational response by cost-benefit analysis. More specifically, based on a very realistic assumption that a system evolves as a Markov decision process conditioned upon the current system state, imperfect observation, and action, we use partially observable Markov decision process to model the efficacy of IDS as providing a probabilistic …
Total citations
[Bar chart: citations per year, 2010-2024]