The ever-evolving landscape of attacks, coupled with the growing complexity of ICT systems, makes crafting anomaly-based intrusion detectors (ID) and error detectors (ED) a difficult task: they must detect attacks accurately, and they should detect them promptly. Although improving and comparing detection capability is the focus of most research works, the timeliness of detection is less considered and often insufficiently evaluated or discussed. In this paper, we argue for the relevance of measuring the temporal latency with which attacks and errors are detected, and we propose an evaluation approach for detectors that ensures a pragmatic trade-off between correct and in-time detection. Briefly, the approach relates the false positive rate to the detection latency of attacks and errors, and this ultimately leads to guidelines for configuring a detector. We apply our approach by evaluating different ED and ID solutions in two industrial cases: i) an embedded railway on-board system that optimizes public mobility, and ii) an edge device for the Industrial Internet of Things. Our results show that considering latency in addition to traditional metrics like the false positive rate, precision, and coverage gives an additional, fundamental perspective on the actual performance of the detector and should be considered when assessing and configuring anomaly detectors.
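The trade-off the abstract describes, false positive rate against detection latency as a function of the detector's alert threshold, can be made concrete with a small evaluation harness. The following is an added example and not code from the paper or its authors: it assumes a detector that emits one numeric anomaly score per monitoring window and raises an alert when the score exceeds a threshold. Both score series, the window length, the attack start index and the candidate thresholds are constructed here for illustration; the paper's own detectors, datasets and numbers are not reproduced.

```python
"""Relating false positive rate (FPR) to detection latency for a threshold detector.

Added example (not the paper's code). Assumed model: a detector scores each
monitoring window; a window whose score exceeds the threshold raises an alert.
FPR is measured on a run with no attack or error; latency is measured on a run
where an attack starts at a known window, as the time from that window to the
first alert raised at or after it.
"""
from dataclasses import dataclass
from typing import List, Optional

WINDOW_SECONDS = 1.0  # assumed duration of one monitoring window (constructed)

# Constructed anomaly scores for a normal run (no attack, no error). The
# occasional spikes stand for benign variability that a low threshold flags.
NORMAL_SCORES = [0.12, 0.08, 0.35, 0.10, 0.05, 0.52, 0.14, 0.09, 0.28, 0.07,
                 0.11, 0.06, 0.48, 0.13, 0.10, 0.09, 0.33, 0.08, 0.12, 0.06]

# Constructed scores for a run where an attack begins at window index 10.
# The score ramps up gradually, so a higher threshold is crossed later.
ATTACK_START = 10
ATTACK_SCORES = [0.10, 0.09, 0.34, 0.11, 0.07, 0.12, 0.08, 0.30, 0.10, 0.06,
                 0.25, 0.40, 0.55, 0.70, 0.85, 0.90, 0.88, 0.92, 0.95, 0.93]


@dataclass
class Evaluation:
    threshold: float
    fpr: float                  # fraction of normal windows that raise an alert
    latency: Optional[float]    # seconds from attack start to first alert; None if missed


def false_positive_rate(normal_scores: List[float], threshold: float) -> float:
    """Share of attack-free windows whose score exceeds the threshold."""
    alerts = sum(1 for s in normal_scores if s > threshold)
    return alerts / len(normal_scores)


def detection_latency(attack_scores: List[float], attack_start: int,
                      threshold: float,
                      window_seconds: float = WINDOW_SECONDS) -> Optional[float]:
    """Seconds between attack start and the first alert at or after it.

    Alerts before attack_start are not credited as detections. Returns None when
    no window from attack_start onwards exceeds the threshold (attack missed).
    """
    for i in range(attack_start, len(attack_scores)):
        if attack_scores[i] > threshold:
            return (i - attack_start) * window_seconds
    return None


def evaluate(threshold: float) -> Evaluation:
    """Evaluate one detector configuration on the two constructed runs."""
    return Evaluation(
        threshold=threshold,
        fpr=false_positive_rate(NORMAL_SCORES, threshold),
        latency=detection_latency(ATTACK_SCORES, ATTACK_START, threshold),
    )


def sweep(thresholds: List[float]) -> List[Evaluation]:
    """Evaluate every candidate threshold, giving the FPR/latency curve."""
    return [evaluate(t) for t in thresholds]


def choose_threshold(evaluations: List[Evaluation], max_latency: float,
                     max_fpr: float) -> Optional[Evaluation]:
    """Configuration guideline: among thresholds that detect the attack within
    max_latency seconds and keep FPR at or below max_fpr, take the lowest FPR,
    breaking ties by lower latency. None means no threshold meets both bounds."""
    admissible = [e for e in evaluations
                  if e.latency is not None
                  and e.latency <= max_latency
                  and e.fpr <= max_fpr]
    if not admissible:
        return None
    return min(admissible, key=lambda e: (e.fpr, e.latency))


if __name__ == "__main__":
    curve = sweep([0.2, 0.3, 0.45, 0.6, 0.8])
    print("threshold  FPR   latency(s)")
    for e in curve:
        lat = "missed" if e.latency is None else f"{e.latency:.1f}"
        print(f"{e.threshold:9.2f}  {e.fpr:.2f}  {lat}")
    chosen = choose_threshold(curve, max_latency=3.0, max_fpr=0.05)
    print("chosen:", chosen)
```

Running the sweep shows the tension the abstract points at: lowering the threshold brings latency down to zero windows but pushes FPR up to 25% on the attack-free run, while raising it to 0.6 removes all false positives at the cost of three windows of latency. A bound on both quantities, as in `choose_threshold`, turns the curve into a configuration decision, and an empty admissible set is itself a useful finding: the detector cannot meet the latency budget at an acceptable FPR, however its threshold is set.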