Quantifying resiliency and detection latency of intrusion detection structures

A network intrusion detection (ID) system detects malicious behavior by analyzing network traffic. Malicious behavior may target the disruption of communications, infrastructure services, and applications. A number of ID techniques proposed for dynamic wireless networks (e.g., sensor, ad-hoc and mobile ad-hoc networks) are based on the creation of an overlay hierarchy or other structure to organize the collection and processing of ID data. The particular structure chosen may significantly impact the ID system´s performance with respect to network overhead, responsiveness, scalability, detection latency, resiliency to failures, and other factors. In this paper, we propose the formal definition and quantification of resiliency and detection latency. Specifically, we introduce analytical expressions that map ID structures to the metric space of real numbers. We define this mapping for a) various types of tree structures that have been proposed previously for dynamic wireless systems and b) a hypercube structure that presents promising resiliency characteristics. This analysis reveals important tradeoffs among the various ID structures under consideration.