{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T14:32:11Z","timestamp":1773412331029,"version":"3.50.1"},"reference-count":23,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2008,7,1]],"date-time":"2008-07-01T00:00:00Z","timestamp":1214870400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2008,7]]},
"abstract":"<jats:p>An intrusion detection system plays an important role in a firm's overall security protection. Its main purpose is to identify potentially intrusive events and alert the security personnel to the danger. A typical intrusion detection system, however, is known to be imperfect in detection of intrusive events, resulting in high false-alarm rates. Nevertheless, current intrusion detection models unreasonably assume that upon alerts raised by a system, an information security officer responds to all alarms without any delay and avoids damages of hostile activities. This assumption of responding to all alarms with no time lag is often impracticable. As a result, the benefit of an intrusion detection system can be overestimated by current intrusion detection models. In this article, we extend previous models by including an information security officer's alarm inspection under a constraint as a part of the process in determining the optimal intrusion detection policy. Given a potentially hostile environment for a firm, in which the intrusion rates and costs associated with intrusion and security officers' inspection can be estimated, we outline a framework to establish the optimal operating points for intrusion detection systems under security officers' inspection constraint. The optimal solution to the model will provide not only a basis of better evaluation of intrusion detection systems but also useful insights into operations of intrusion detection systems. The firm can estimate expected benefits for running intrusion detection systems and establish a basis for increase in security personnel to relax security officers' inspection constraint.<\/jats:p>",
"DOI":"10.1145\/1380564.1380566","type":"journal-article","created":{"date-parts":[[2008,8,5]],"date-time":"2008-08-05T13:35:10Z","timestamp":1217943310000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Evaluation of Intrusion Detection Systems Under a Resource Constraint"],"prefix":"10.1145","volume":"11",
"author":[{"given":"Young U.","family":"Ryu","sequence":"first","affiliation":[{"name":"The University of Texas at Dallas"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hyeun-Suk","family":"Rhee","sequence":"additional","affiliation":[{"name":"The University of Texas at Dallas"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2008,7]]},
"reference":[
{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/872016.872155"},
{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/357830.357849"},
{"key":"e_1_2_1_3_1","volume-title":"Technical Report 2003-47, Department of Electrical and Computer Engineering","author":"Cardenas A. A.","year":"2003","unstructured":"Cardenas, A. A., Ramezani, V., and Baras, J. S. 2003. HMM sequential hypothesis tests for intrusion detection in MANETs. Technical Report 2003-47, Department of Electrical and Computer Engineering, Maryland University."},
{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1287\/deca.1040.0022"},
{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/306549.306571"},
{"key":"e_1_2_1_6_1","volume-title":"Emeryville, CA: McGraw-Hill\/Osborne.","author":"Endorf C.","year":"2004","unstructured":"Endorf, C., Schultz, E., and Mellander, J. 2004. Intrusion Detection & Prevention. Emeryville, CA: McGraw-Hill\/Osborne."},
{"key":"e_1_2_1_7_1","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (SP'01)","author":"Gaffney J. E.","unstructured":"Gaffney, J. E. and Ulvila, J. W. 2001. Evaluation of intrusion detectors: A decision theory approach. In Proceedings of IEEE Symposium on Security and Privacy (SP'01). Oakland, CA, 50--61."},
{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2002.1012428"},
{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/6.887597"},
{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.5555\/597917.597919"},
{"key":"e_1_2_1_11_1","volume-title":"Results of the DARPA 1998 off-line intrusion detection evaluation. In Proceedings of the 2nd International Workshop on the Recent Advances in Intrusion Detection (RAID'99)","author":"Lippmann R. P.","unstructured":"Lippmann, R. P., Cunningham, R. K., Fried, D. J., Graf, I., Kendall, K. R., Webster, S. E., and Zissman, M. A. 1999. Results of the DARPA 1998 off-line intrusion detection evaluation. In Proceedings of the 2nd International Workshop on the Recent Advances in Intrusion Detection (RAID'99). West Lafayette, IN."},
{"key":"e_1_2_1_12_1","volume-title":"Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX'00)","volume":"2","author":"Lippmann R. P.","unstructured":"Lippmann, R. P., Fried, D. J., Graf, I., Haines, J. W., Kendall, K. R., McClung, D., Weber, D., Webster, S. E., Wyschogrod, D., Cunningham, R. K., and Zissman, M. A. 2000. Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX'00). Vol. 2. Hilton Head, SC, 1012--1026."},
{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0001-2998(78)80014-2"},
{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring (ID'99)","author":"Neumann P. G.","unstructured":"Neumann, P. G. and Porras, P. A. 1999. Experience with EMERALD to date. In Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring (ID'99). Santa Clara, CA. 73--80."},
{"key":"e_1_2_1_15_1","volume-title":"Fighting Computer Crime","author":"Parker D. B.","unstructured":"Parker, D. B. 1983. Fighting Computer Crime. New York: Charles Scribner's Sons."},
{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the 20th NIST-NCSC National Information Systems Security Conference (NISSC'97)","author":"Porras P. A.","unstructured":"Porras, P. A. and Neumann, P. G. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th NIST-NCSC National Information Systems Security Conference (NISSC'97). Baltimore, MD, 353--365."},
{"key":"e_1_2_1_17_1","volume-title":"The Practical Intrusion Detection Handbook","author":"Proctor P. E.","unstructured":"Proctor, P. E. 2000. The Practical Intrusion Detection Handbook. Prentice Hall, Englewood Cliffs, NJ."},
{"key":"e_1_2_1_18_1","unstructured":"Ryu, Y. U. and Yue, W. T. 2003. A risk-based evaluation of intrusion detection systems in the presence of the base-rate fallacy. Working paper, Department of Information Systems and Operations Management, School of Management, The University of Texas at Dallas."},
{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/604264.604267"},
{"key":"e_1_2_1_20_1","unstructured":"The Snort Project. 2007. Snort™ User Manual 2.6.1. Sourcefire Inc."},
{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1287\/deca.1030.0001"},
{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP'99)","author":"Warrender C.","unstructured":"Warrender, C., Forrest, S., and Pearlmutter, B. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings of the IEEE Symposium on Security and Privacy (SP'99). Oakland, CA, 133--145."},
{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1093\/clinchem\/39.4.561"}
],
"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1380564.1380566","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1380564.1380566","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T13:57:45Z","timestamp":1750255065000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1380564.1380566"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,7]]},"references-count":23,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2008,7]]}},"alternative-id":["10.1145\/1380564.1380566"],"URL":"https:\/\/doi.org\/10.1145\/1380564.1380566","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2008,7]]},"assertion":[{"value":"2006-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-07-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}