Quicker intrusion detection can mitigate this problem; however, reducing detection latency without sacrificing the false alarm rate or the detection rate is very difficult, if not impossible. When the detection rate is decreased, more damage is left unrepaired. When the false alarm rate is increased, more good transactions are denied service. Both outcomes contradict the goal of Architecture I.
Architecture II, as shown in Figure 2, integrates a novel isolation technique to tackle this problem. First, the Intrusion Detector raises two levels of alarms: when the (synthesized) anomaly of a transaction (or session) is above the Level 1 anomaly threshold THm, the transaction is reported as malicious; when the anomaly is above the Level 2 anomaly threshold THs (but below THm), the transaction is reported as suspicious. (The values of THm and THs are determined primarily from statistics about previous attacks.) Suspicious transactions are those with a significant probability of being part of an attack. Second, when a malicious transaction is reported, the system works in the same way as Architecture I. When a suspicious transaction Ts is reported, the Mediator, with the help of the Isolation Manager, redirects Ts (and the following transactions submitted by the user who submitted Ts) to a virtually separated database environment in which that user is isolated. Later on, if the user is proven malicious, the Isolation Manager discards the effects of the user; if the user is shown to be innocent, the Isolation Manager merges the effects of the user back into the main database. In this way, damage spreading can be dramatically reduced without sacrificing the detection rate or losing availability for good transactions.
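The two-level alarm routing and the isolate-then-merge-or-discard flow described above, as an added illustration that is not the paper's own code. The threshold values, the in-memory key/value "database", the per-user view/delta representation of the isolated environment, and the choice to reject malicious transactions outright (standing in for the Architecture I path) are all assumptions made for the example.

```python
from collections import namedtuple

TH_M = 0.8  # Level 1 threshold: anomaly above this -> malicious (assumed value)
TH_S = 0.5  # Level 2 threshold: above this but not above TH_M -> suspicious (assumed value)

# user, item->value writes, and the synthesized anomaly score from the Intrusion Detector
Transaction = namedtuple("Transaction", "user writes anomaly")

def classify(anomaly):
    if anomaly > TH_M:
        return "malicious"
    return "suspicious" if anomaly > TH_S else "normal"

class IsolationManager:
    def __init__(self):
        self.main_db = {}
        self.isolated = {}  # user -> {"view": private DB copy, "delta": user's own writes}

    def apply(self, user, writes):
        # First suspicious transaction forks a virtual copy of the main database;
        # the user's writes land only in that copy, never in main_db.
        env = self.isolated.setdefault(user, {"view": dict(self.main_db), "delta": {}})
        env["view"].update(writes)
        env["delta"].update(writes)

    def resolve(self, user, innocent):
        env = self.isolated.pop(user)
        if innocent:  # merge only the user's own writes, so commits by other
            self.main_db.update(env["delta"])  # users during isolation survive
        # proven malicious: the copy and its delta are simply discarded

def mediate(im, tx):
    """Mediator: route one transaction according to the two alarm levels."""
    verdict = classify(tx.anomaly)
    if verdict == "malicious":
        return "rejected"  # Architecture I path (assumed here: reject and report)
    if verdict == "suspicious" or tx.user in im.isolated:
        im.apply(tx.user, tx.writes)  # later transactions of this user stay isolated
        return "isolated"
    im.main_db.update(tx.writes)
    return "committed"

def run_scenario(bob_innocent):
    im = IsolationManager()
    mediate(im, Transaction("alice", {"x": 1}, 0.1))  # committed
    mediate(im, Transaction("bob", {"x": 2}, 0.6))    # suspicious -> isolated
    mediate(im, Transaction("bob", {"y": 3}, 0.1))    # follow-on, still isolated
    mediate(im, Transaction("alice", {"w": 5}, 0.2))  # commits while bob is isolated
    im.resolve("bob", bob_innocent)
    return dict(im.main_db)
```

Note that alice's write of `w` while bob is isolated survives either outcome, and bob's writes reach the main database only when he is cleared.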