Figure 6: Comparison of fitness score only with DAP and fitness score with DAP, FA, FP, and CUD.
loads. Thirty different IDS rules have been identified for deployment across these IDSs. Experiments on a prototype implementation of our approach begin with an initial population of solutions. Steady-state selection is used to choose parents, while elitism is maintained by carrying the best solutions from the current generation to the next. As new solutions are generated, many exceed the capacity of at least one IDS; these are discarded and replaced with elite solutions from the previous generation.
In Figure 6, the fitness score is plotted against the number of detected attack paths (DAP) in the larger example. If DAP alone is used to compute the fitness score, the search can settle into local maxima in the early stages, since partial solutions that detect the same number of paths receive identical scores. Incorporating the other factors (FA, FP, and CUD) separates such solutions and eliminates unpromising partial ones. The horizontal axis shows the number of detected attack paths (major ticks) and the total number of detected attack steps (minor ticks). Values are shown up to a DAP value of 7; beyond this, DAP becomes the dominant factor and both fitness equations produce similar results.
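The search loop described above, as an added example that is not the paper's prototype: a toy instance with eight rules, three IDSs of capacity two and five constructed attack paths, a chromosome that maps each rule to the IDSs it is loaded on, steady-state replacement of the worst member with elitism, and offspring that exceed an IDS's capacity replaced by a copy of an elite from the previous generation. The constructed attack graph, the tournament parent selection, and the tie-break term on detected attack steps are assumptions made here; the paper's FA, FP and CUD factors are defined elsewhere in the paper and are not reproduced.

```python
"""GA search for an IDS rule deployment under per-IDS capacity (added example,
not the paper's prototype). The chromosome encoding, the constructed attack
graph, tournament selection and the "detected steps" tie-break term are
assumptions; the paper's FA, FP and CUD factors are not reproduced here.
"""
import copy
import random
from typing import List, Set, Tuple

# Constructed data (assumed). An attack step is (rule_id, observers): the rule
# that detects it and the IDS ids whose monitored segment carries its traffic.
AttackStep = Tuple[int, frozenset]
ATTACK_PATHS: List[List[AttackStep]] = [
    [(0, frozenset({0})), (1, frozenset({1}))],
    [(0, frozenset({0})), (2, frozenset({1, 2}))],
    [(3, frozenset({2})), (4, frozenset({2}))],
    [(5, frozenset({1})), (4, frozenset({2}))],
    [(6, frozenset({0})), (7, frozenset({0, 1}))],
]
N_RULES = 8
CAPACITY = [2, 2, 2]  # maximum number of rules each IDS (0..2) can carry
N_IDS = len(CAPACITY)
TOTAL_STEPS = sum(len(p) for p in ATTACK_PATHS)
Deployment = List[Set[int]]  # chromosome: dep[r] = IDS ids rule r is loaded on

def feasible(dep: Deployment) -> bool:
    """True iff no IDS carries more rules than its capacity."""
    load = [0] * N_IDS
    for ids in dep:
        for i in ids:
            load[i] += 1
    return all(load[i] <= CAPACITY[i] for i in range(N_IDS))

def step_detected(step: AttackStep, dep: Deployment) -> bool:
    rule, observers = step
    return bool(dep[rule] & observers)

def detected_paths(dep: Deployment) -> int:
    """DAP: number of attack paths with at least one detected step."""
    return sum(any(step_detected(s, dep) for s in p) for p in ATTACK_PATHS)

def detected_steps(dep: Deployment) -> int:
    """Total number of detected attack steps across all paths."""
    return sum(step_detected(s, dep) for p in ATTACK_PATHS for s in p)

def fitness_dap_only(dep: Deployment) -> float:
    return float(detected_paths(dep))

def fitness_with_tiebreak(dep: Deployment) -> float:
    """DAP dominates; the fraction separates deployments with equal DAP."""
    return detected_paths(dep) + detected_steps(dep) / (TOTAL_STEPS + 1)

def random_feasible(rng: random.Random) -> Deployment:
    """Fill every IDS exactly to capacity with distinct random rules."""
    dep: Deployment = [set() for _ in range(N_RULES)]
    for i in range(N_IDS):
        for r in rng.sample(range(N_RULES), CAPACITY[i]):
            dep[r].add(i)
    return dep

def tournament(pop, fitness, rng, k=3):
    return max(rng.sample(pop, k), key=fitness)

def crossover(a, b, rng):
    """Uniform crossover: each rule's IDS set is copied from one parent."""
    return [set(a[r] if rng.random() < 0.5 else b[r]) for r in range(N_RULES)]

def mutate(dep, rng):
    """Toggle one (rule, IDS) assignment; this may push an IDS over capacity."""
    dep[rng.randrange(N_RULES)] ^= {rng.randrange(N_IDS)}
    return dep

def replace_if_over_capacity(child, elite, rng=None):
    """Over-capacity offspring is discarded; a copy of an elite takes its place."""
    if feasible(child):
        return child
    return copy.deepcopy((rng or random.Random(0)).choice(elite))

def evolve(fitness, generations=300, pop_size=12, n_elite=2, seed=1):
    """Steady-state GA: one offspring per generation replaces the worst member;
    the n_elite best survive unchanged. Returns (best, best fitness per gen)."""
    rng = random.Random(seed)
    pop = [random_feasible(rng) for _ in range(pop_size)]
    history = []
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        elite = copy.deepcopy(pop[:n_elite])  # elitism: carried over unchanged
        a, b = tournament(pop, fitness, rng), tournament(pop, fitness, rng)
        pop[-1] = replace_if_over_capacity(mutate(crossover(a, b, rng), rng), elite, rng)
        history.append(max(fitness(d) for d in pop))
    pop.sort(key=fitness, reverse=True)
    return pop[0], history

if __name__ == "__main__":
    for name, fn in (("DAP only", fitness_dap_only), ("DAP + tie-break", fitness_with_tiebreak)):
        best, hist = evolve(fn)
        print(f"{name}: DAP={detected_paths(best)} steps={detected_steps(best)}, "
              f"best first reached at generation {hist.index(max(hist))}")
```

Running the module compares the DAP-only fitness with the tie-break variant on the same seed. With DAP alone, every deployment that detects the same number of paths scores identically, so the search has nothing to prefer among them until a mutation happens to cover a new path; the secondary term gives the steady-state replacement a direction within each plateau, which is the effect the paper attributes to its additional factors.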
8 CONCLUSIONS
In this paper, we formalized the rule deployment problem within a multi-IDS environment, considering capacity constraints on individual IDSs. We proposed an effective strategy for rule deployment by leveraging both the attack graph and the network graph. Assuming fixed IDS placements, our aim was to maximize the detection of attack paths directed toward critical assets. We presented a genetic algorithm-based solution to identify IDS rule deployments.
While our focus was on fixed IDS positions, future work will extend this research to optimize IDS positioning and rule deployment concurrently. Given the growing importance of monitoring and early detection of attacks targeting critical assets, we plan to integrate asset criticality into our analysis. Future efforts will also consider attackers that evade IDS detection, thereby improving the robustness of our approach.
Improving the Efficiency of Intrusion Detection Systems by Optimizing Rule Deployment Across Multiple IDSs