DocumentCode
391241
Title
Optimization and control problems in Real-time Intrusion Detection
Author
Cabrera, João B D ; Lee, Wei-Jen ; Prasanth, Ravi K. ; Lewis, Lundy ; Mehra, Raman K.
Author_Institution
Sci. Syst. Co., Woburn, MA, USA
Volume
2
fYear
2002
fDate
10-13 Dec. 2002
Firstpage
1408
Abstract
Real-time Intrusion Detection Systems attempt to detect and respond to attacks in real time, i.e. while they are unfolding. When the available computation time is scarce, we have a trade-off involving the computation time of the detection rules and: (1) the accuracy of the rules given by their detection and false alarm rates, (2) the likelihood that a given attack is present, which depends on the prior probability of the attacks, and (3) the damage costs and false alarm costs of the attacks. This paper describes a collection of 0/1 Integer Programming Problems that are associated with the selection of appropriate Rule Portfolios for Real Time Intrusion Detection Systems. The problems are shown to have Knapsack and Set Packing constraints. Due to the inherent uncertainty of the parameters in the cost models, a robust version of the problem is also studied, where parametric uncertainties are allowed to be present. The Linear Programming Relaxation of the robust problem is shown to be convex, opening the possibility of concrete utilization of the proposed methodology. Preliminary results on a research testbed are presented.
Keywords
linear programming; optimisation; robust control; safety systems; integer programming; intrusion detection systems; parametric uncertainties; real time intrusion detection; robust problem; rule portfolios; Concrete; Costs; Educational institutions; Intrusion detection; Linear programming; Monitoring; Portfolios; Real time systems; Robustness; Uncertainty;
fLanguage
English
Publisher
ieee
Conference_Titel
Decision and Control, 2002, Proceedings of the 41st IEEE Conference on
ISSN
0191-2216
Print_ISBN
0-7803-7516-5
Type
conf
DOI
10.1109/CDC.2002.1184715
Filename
1184715