Quantifying the Effectiveness of Intrusion Detection Systems in Operation through Domain Experts
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems. ORCID iD: 0000-0003-3922-9606
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems. ORCID iD: 0000-0002-6590-6634
2014 (English). In: Journal of Information System Security, ISSN 1551-0123, E-ISSN 1551-0808, Vol. 10, no 2, 3-35 p. Article in journal (Refereed). Published.
Abstract [en]

An intrusion detection system (IDS) is a security measure that can help system administrators in enterprise environments detect attacks against computer networks. To be a good enterprise security measure, an IDS solution should be effective at making system operators aware of ongoing cyber attacks. However, evaluating the effectiveness of IDSs by experiments or observations is difficult and costly. This paper describes the result of an alternative approach to studying this topic. The effectiveness of 24 different IDS solution scenarios pertaining to remote arbitrary code exploits is evaluated by 165 domain experts. The respondents' answers were then combined according to Cooke's classical method, in which respondents are weighted based on how well they perform on a set of test questions. Results show that the single most important factor is whether a host-based IDS or a network-based IDS is in place at all. Given that one of the two is in place, the most important course of action is to tune the IDS to its environment. The results also show that an up-to-date signature database influences the effectiveness of the IDS less than whether the vulnerability being exploited is well known and possible to patch.
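Cooke's classical method, which the abstract names, scores each respondent on a set of seed (test) questions whose answers are known: a calibration score (does the respondent's stated uncertainty match how often the true values actually land in the stated intervals) and an information score (how sharp those intervals are). Weights are the product of the two, with respondents below a calibration cutoff dropped, and the pooled answer is the weighted mixture of the respondents' distributions. The Python below is an added worked example, not the paper's code or data. It assumes the usual 5/50/95 % quantile elicitation, a 10 % intrinsic-range overshoot and a fixed calibration cutoff of 0.05; the three respondents and the seed "truths" are constructed. The paper's survey may have elicited and pooled answers with different settings.

```python
"""Performance-weighted pooling of expert judgement (Cooke's classical model).

Illustration only: assumed 5/50/95 % quantiles, 10 % overshoot, cutoff 0.05.
Quantiles per question must be strictly increasing.
"""
import math

P_BINS = (0.05, 0.45, 0.45, 0.05)  # theoretical mass of the four inter-quantile bins
OVERSHOOT = 0.10                   # assumed widening of the intrinsic range on each side


def chi2_sf_3dof(x):
    """P(chi2 with 3 degrees of freedom > x), closed form (no scipy needed)."""
    if x <= 0:
        return 1.0
    return math.erfc(math.sqrt(x / 2.0)) + math.sqrt(2.0 * x / math.pi) * math.exp(-x / 2.0)


def bin_index(q, value):
    """Bin of `value`: 0 below q05, 1 in [q05,q50), 2 in [q50,q95), 3 at or above q95."""
    q05, q50, q95 = q
    return 0 if value < q05 else 1 if value < q50 else 2 if value < q95 else 3


def intrinsic_range(quantile_sets, realization=None):
    """Smallest interval covering all experts' quantiles (and the truth, if known), widened by OVERSHOOT."""
    lo = min(q[0] for q in quantile_sets)
    hi = max(q[2] for q in quantile_sets)
    if realization is not None:
        lo, hi = min(lo, realization), max(hi, realization)
    span = hi - lo
    return lo - OVERSHOOT * span, hi + OVERSHOOT * span


def calibration(quantiles, realizations):
    """p-value of the relative entropy between observed bin frequencies and P_BINS."""
    n = len(realizations)
    counts = [0, 0, 0, 0]
    for q, r in zip(quantiles, realizations):
        counts[bin_index(q, r)] += 1
    rel_entropy = sum(c / n * math.log((c / n) / p) for c, p in zip(counts, P_BINS) if c)
    return chi2_sf_3dof(2.0 * n * rel_entropy)


def information(quantiles, ranges):
    """Mean relative entropy of the expert's piecewise-uniform density vs. uniform on the intrinsic range."""
    total = 0.0
    for (q05, q50, q95), (lo, hi) in zip(quantiles, ranges):
        edges = (lo, q05, q50, q95, hi)
        widths = [edges[i + 1] - edges[i] for i in range(4)]
        total += math.log(hi - lo) + sum(p * math.log(p / w) for p, w in zip(P_BINS, widths))
    return total / len(quantiles)


def classical_weights(seed_answers, realizations, alpha=0.05):
    """seed_answers: {expert: [(q05, q50, q95), ...]} over the seed questions.
    Returns ({expert: (calibration, information)}, {expert: normalized weight})."""
    experts = list(seed_answers)
    ranges = [intrinsic_range([seed_answers[e][i] for e in experts], realizations[i])
              for i in range(len(realizations))]
    scores = {e: (calibration(seed_answers[e], realizations), information(seed_answers[e], ranges))
              for e in experts}
    raw = {e: (c * i if c >= alpha else 0.0) for e, (c, i) in scores.items()}  # cutoff at alpha
    total = sum(raw.values())
    return scores, {e: w / total for e, w in raw.items()}


def combined_quantile(weights, target_answers, prob):
    """Quantile `prob` of the weighted mixture of the experts' distributions on one target question."""
    experts = list(target_answers)
    lo, hi = intrinsic_range([target_answers[e] for e in experts])

    def cdf_one(q, x):  # piecewise-linear CDF through (lo,0),(q05,.05),(q50,.5),(q95,.95),(hi,1)
        xs, ps = (lo, q[0], q[1], q[2], hi), (0.0, 0.05, 0.5, 0.95, 1.0)
        if x <= lo:
            return 0.0
        if x >= hi:
            return 1.0
        i = next(k for k in range(4) if x <= xs[k + 1])
        return ps[i] + (ps[i + 1] - ps[i]) * (x - xs[i]) / (xs[i + 1] - xs[i])

    a, b = lo, hi
    for _ in range(60):  # bisection on the monotone mixture CDF
        mid = (a + b) / 2.0
        if sum(weights[e] * cdf_one(target_answers[e], mid) for e in experts) < prob:
            a = mid
        else:
            b = mid
    return (a + b) / 2.0


# Constructed seed questions: true values and three respondents' quantiles as offsets from the truth.
REALIZATIONS = [12, 30, 7, 45, 22, 9, 60, 18, 33, 5]


def _offsets(offs):
    return [(r + a, r + b, r + c) for r, (a, b, c) in zip(REALIZATIONS, offs)]


SEED_ANSWERS = {
    "A": _offsets([(-10, 1, 10)] * 4 + [(-10, -1, 10)] * 4 + [(2, 5, 10), (-10, -5, -2)]),  # calibrated, sharp
    "B": _offsets([(20, 25, 30)] * 10),                                                    # overconfident, always misses
    "C": _offsets([(-100, 1, 100)] * 5 + [(-100, -1, 100)] * 5),                           # honest but vague
}

if __name__ == "__main__":
    scores, weights = classical_weights(SEED_ANSWERS, REALIZATIONS)
    for e in scores:
        print(e, "calibration=%.3f information=%.3f weight=%.3f" % (*scores[e], weights[e]))
```

Respondent B illustrates why a plain accuracy count is not enough: B's intervals are the sharpest (highest information) but never contain the truth, so the calibration p-value is essentially zero and B gets no weight. Respondent C is well calibrated but so vague that almost all weight still goes to A.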

Place, publisher, year, edition, pages
2014. Vol. 10, no 2, 3-35 p.
Keyword [en]
Intrusion Detection System, Security Architecture, Expert Judgment, Incident Handling, Signature-based Detection
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-165400
OAI: oai:DiVA.org:kth-165400
DiVA: diva2:808240
Note

QC 20150504

Available from: 2015-04-27. Created: 2015-04-27. Last updated: 2017-12-04. Bibliographically approved.

Open Access in DiVA

No full text

Search in DiVA

By author/editor: Sommestad, Teodor; Holm, Hannes; Ekstedt, Mathias; Honeth, Nicholas
By organisation: Industrial Information and Control Systems
In the same journal: Journal of Information System Security
National category: Computer Systems
