Analysis of risks and costs in intruder detection with Markov Decision Processes

Let us assume that the defence mechanisms are so strong that the average outcome of a hacking attack is unsuccessful. How should the costs arising from false positives and false negatives in intruder detection be calculated? Is it better for the hacker to make fewer but more effective attacks rather than several less effective attacks? How can the difference between these alternative strategies be calculated?

The goal is to obtain a formula for the variance of the cost; a scalar cost variable describing the sum of all expenses, as is customary in Markov decision theory, is not sufficient. Instead, in this modelling method the cost variable r appears as a state variable, and the state of the system is a triplet $(n, q, r)$. The probability of $(n, q, r)$ is denoted by ( . We can derive the following result for $n \to t$, where t is a continuous time parameter. These results assume that in the initial state at $t = 0$ the state probabilities q are in a stationary state and the total cost is zero.
This solution form satisfies . This is easily solved with the generating function , where 0 , , . Let us write the equation as . Then, by assigning , can be taken as a constant. There are . The solution starts from an initial value $t = 0$, where the Markov chain for the state probabilities (obtained by summing (4) over r) is in a stationary state and the total cost in the process is zero. Formula (18) has a summation over a set of partitions, but a good approximation is not very difficult to evaluate: the term !
We have derived (6). Let us now consider the effect of using one strong attack or many smaller attacks. The average cost is not affected, but the cost distribution is changed. The numbers give the cost distribution. If we use several small attacks, the analysis proceeds in the same way as above, with the exception that there will be for each . We obtained the expression (7).
Formulas (6) and (7) are rather complicated. The following theorem allows easier comparison.
Let us assume the attacker is using K less effective attacks, each causing cost . Let us mention that there is a purely combinatorial proof of (22), i.e. one without knowledge of the product form solution [22] for a multiservice network. Let us first notice that . Let the combined arrival rate of the smaller attacks be K times larger. This is obtained by setting . The user traffic is not affected, but it is also divided into K types in (21). In order to keep the total arrival rate constant, let us set . Service times and detection probabilities are not changed: . Let us sum over all combinations of $q_{ij}$, giving , in order to combine the results. The summation is complicated and we will do it in small parts. From (24) follows . Let us simplify the term . The coefficients in the case of many small attacks are . We have already summed the terms over i, and in the summation index for r in the case of small attacks we can take any index i, for instance 1, since all small attacks are identical. We get . The numbers A and A are chosen so that the total probability is one. Let us mention that the solution is not unique: by selecting different initial values the solution takes different forms, but the selected initial values lead to relatively easy closed-form formulas. This finishes the proof of Theorem 2.

Conclusion
We derived expressions (6) and (7), from which the cost distribution can be calculated, and simplified the result into (22) and (23). Formulas (22) and (23) are still complicated, but let us look at the range of the index r in (22). It takes higher values in (22) than in (23). This shows that using many small attacks decreases the variance even though the average effect is the same. The moral is the same as in [1]: you should gamble with high bets if the chances of winning are small, but the example in this paper is more difficult than those in [21]. Expressions for the risks in this kind of gamble remain complicated, but they can be derived. For other applications of MDP models in telecommunications, see [23]. MDP models have also been used in intruder detection previously, e.g. in [24].
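The following is an added illustration of the comparison made above (one strong attack versus K smaller ones with the same average effect); it is not the paper's model and does not reproduce formulas (6), (7), (22) or (23). It uses a much simpler compound-Poisson toy: attacks arrive as a Poisson stream, each is caught by the detector with probability `detect_prob` (a caught attack costs nothing), and each undetected attack costs a fixed amount. Splitting one attack of cost `cost` arriving at `rate` into `k` attacks of cost `cost/k` arriving at `k*rate` keeps the mean cost fixed while the variance and the tail risk fall with `k`. All function names and parameter values are constructed for this example.

```python
import math
import random

# Added illustration (not the paper's model): a compound-Poisson toy in which
# undetected attacks form a thinned Poisson stream. One strong attack of cost
# `cost` at rate `rate` is compared with k attacks of cost cost/k at rate
# k*rate, so the average load placed on the defender is identical.


def cost_moments(rate, cost, detect_prob, horizon, k=1):
    """Exact mean and variance of the total cost over [0, horizon].

    Attacks arrive at rate k*rate; each is detected (and then costs nothing)
    with probability detect_prob, so undetected attacks form a Poisson stream
    of rate k*rate*(1-detect_prob). Each undetected attack costs cost/k.
    """
    lam = k * rate * horizon * (1.0 - detect_prob)  # expected undetected count
    unit = cost / k                                 # cost of one undetected attack
    mean = lam * unit
    variance = lam * unit * unit                    # Var(c*N) = c^2 * Var(N), Var(N) = lam
    return mean, variance


def tail_probability(rate, cost, detect_prob, horizon, threshold, k=1):
    """P(total cost >= threshold): the risk of a loss of at least `threshold`.

    The total reaches the threshold once ceil(threshold / (cost/k))
    undetected attacks have occurred; the Poisson pmf gives the rest.
    """
    lam = k * rate * horizon * (1.0 - detect_prob)
    unit = cost / k
    n_min = math.ceil(threshold / unit)
    below = sum(math.exp(-lam) * lam ** n / math.factorial(n) for n in range(n_min))
    return 1.0 - below


def _poisson_sample(rng, lam):
    """Knuth's multiplication method, adequate for the small rates used here."""
    limit = math.exp(-lam)
    n, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return n
        n += 1


def simulate(rate, cost, detect_prob, horizon, k=1, runs=20000, seed=1):
    """Monte Carlo check of cost_moments: sample mean and variance of the total cost."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        attacks = _poisson_sample(rng, k * rate * horizon)
        undetected = sum(1 for _ in range(attacks) if rng.random() >= detect_prob)
        totals.append(undetected * cost / k)
    mean = sum(totals) / runs
    variance = sum((x - mean) ** 2 for x in totals) / (runs - 1)
    return mean, variance


if __name__ == "__main__":
    # Constructed parameters: on average one undetected strong attack per horizon.
    params = dict(rate=0.5, cost=10.0, detect_prob=0.5, horizon=4.0)
    for k in (1, 4, 16):
        mean, var = cost_moments(k=k, **params)
        risk = tail_probability(threshold=20.0, k=k, **params)
        print(f"k={k:2d}: mean={mean:.2f} variance={var:.2f} P(cost>=20)={risk:.4f}")
```

With the constructed parameters the mean stays at 10 for every k, while the variance drops from 100 (k=1) to 25 (k=4), and the probability that the defender's loss reaches twice the mean falls from about 0.26 to about 0.05. That is the direction of the paper's result for this toy: from the defender's side, the same average damage arriving as many small events is far more predictable than the same damage arriving as rare large ones, which is what a cost-variance (rather than mean-cost) analysis exposes.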