Improving Intrusion Prevention Models: Dual-Threshold and Dual-Filter Approaches

Article ID: iaor200952620
Country: United States
Volume: 20
Issue: 3
Start Page Number: 356
End Page Number: 367
Publication Date: Jun 2008
Journal: INFORMS Journal On Computing
Authors: ,
Keywords: law & law enforcement
Abstract:

Intrusion detection, once considered as the last line of defense in the layered architecture for technical security, is observed not to deliver the promised protection. It suffers from high false-alarm rates and puts too much of a burden on the information security officers. Intrusion prevention has evolved from intrusion detection technologies to overcome difficulties faced in intrusion detection and more actively encounter ever-increasing attacks. While intrusion prevention provides immediate/real-time protection, it suffers from two deficiencies, which are the sensitivity and specificity trade-off and the accuracy and efficiency trade-off. To address these issues, we introduce two models of intrusion prevention. The first model is for a hybrid system playing both detection and protection roles. The second model suggests the use of dual filters in the evaluation of activities. Mathematical programming formulations for both models are developed and optional configuration solutions are proposed.
