Title :
Rule Mode Selection in Intrusion Detection and Prevention Systems
Author :
Alsubhi, Khalid ; Alhazmi, Yassir ; Bouabdallah, Nizar ; Boutaba, Raouf
Author_Institution :
David R. Cheriton Sch. of Comput. Sci., Univ. of Waterloo, Waterloo, ON, Canada
Abstract :
Protection and performance are the major requirements for any Intrusion Detection and/or Prevention System (IDPS). Existing IDPSs do not seem to provide a satisfactory method of achieving these two conflicting goals. Intrusion Detection Systems (IDSs) satisfy the network performance requirement but offer poor protection under successive attacks. Intrusion Prevention Systems (IPSs), on the other hand, can protect the network by dropping malicious packets that match any attack pattern; however, this can degrade network performance in terms of delay as the number of attack patterns increases. The result is a tradeoff between the security enforcement level on one hand and the performance and usability of an enterprise information system on the other. This paper studies the impact of security enforcement levels on the performance and usability of an enterprise information system. We propose a rule mode selection optimization technique that determines an appropriate IDPS configuration set in order to maximize the security enforcement level while avoiding unnecessary network performance degradation. Simulations were conducted to validate the proposed technique. The results demonstrate that it is desirable to strike a balance between system security and network performance.
Keywords :
computer network performance evaluation; computer network security; management information systems; optimisation; pattern matching; IDPS configuration set; attack protection; attacking pattern matching; enterprise information system performance; enterprise information system usability; intrusion detection system; intrusion prevention system; malicious packet dropout; network performance requirement; rule mode selection optimization; security enforcement levels; Accuracy; Delay; Greedy algorithms; Optimization; Security; Time factors; Vectors
Conference_Title :
Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE
Conference_Location :
Houston, TX, USA
Print_ISBN :
978-1-4244-9266-4
Electronic_ISBN :
1930-529X
DOI :
10.1109/GLOCOM.2011.6134252