Apr 13, 2026

Intrusion Detection Latency : The Neglected Metric

  • 1Portland State University
Icon indicating open access to content
QR code linking to this content
Protocol CitationSandhyarani Dash, John M Acken 2026. Intrusion Detection Latency : The Neglected Metric. protocols.io https://dx.doi.org/10.17504/protocols.io.bp2l6jwyzvqe/v1
Manuscript citation:
Dash, S., Acken, J.M. Intrusion detection latency: the neglected metric. Cybersecurity 9, 144 (2026). https://doi.org/10.1186/s42400-026-00574-7

License: This is an open access  protocol  distributed under the terms of the  Creative Commons Attribution License,  which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited
Protocol status: Working
We use this protocol and it's working
Created: April 13, 2026
Last Modified: April 13, 2026
Protocol  Integer ID: 314872
Keywords: Intrusion detection systems, Latency, Cyber-physical systems, Network security, Evaluation metrics, Attack detection latency, intrusion detection latency, dominant evaluation metric in intrusion detection system, latency framework, timing of detection, determined latency, end latency, attacker dwell time, latency, intrusion, controlled latency, intrusion detection system, iot, end latency as the sum, internet of thing, attack, scope of adversarial activity, ids study, adversarial activity, attacker, computation time, id, benchmark, timing
Abstract
Accuracy remains the dominant evaluation metric in Intrusion Detection System (IDS) research, yet an IDS
that detects attacks too late is functionally equivalent to one that fails—particularly in Internet of Things (IoT) environments. In operational settings, the timing of detection shapes both the scope of adversarial activity and the feasibility of effective response. To the best of our knowledge, latency (the speed at which intrusions are identified) has received no systematic attention. Our analysis of published IDS papers reveals that latency is defined inconsistently—often referring to inference, communication, computation time, or combinations of these-leading to incomparable performance claims. To close this gap, we formally define end-to-end latency as the sum of three measurable components:
Attacker-Controlled Latency (ACL), IDS-Determined Latency (IDL), and Post-Detection Latency (PDL).
The framework further decomposes IDL into environment-specific sub-components, linking network topology and detection methodology to overall responsiveness. The framework provides a systematic mechanism to parameterize and vary these components across deployment environments (edge, cloud, federated learning). Using a Cyber-Physical dataset, we demonstrate the applicability of our latency framework to an existing dataset. By providing a mechanism to quantify detection timeliness, the proposed framework enables analysts to estimate attacker dwell time, benchmark real-time responsiveness, and standardize latency reporting across IDS studies.
Attachments
Introduction
The frequency and sophistication of cyberattacks have escalated with the rise of Generative AI (GenAI), which enables automated cyber-attacks such as phishing, impersonation, and payload creation with minimal effort (Usman et al. 2024). Accuracy remains the dominant benchmark in Intrusion Detection System (IDS) research, yet a detection that occurs too late is effectively a failure, as timing ultimately determines the extent of damage an attacker can inflict. Despite this, most IDS studies continue to prioritize accuracy while neglecting latency—often using the term inconsistently or without formal definition—which obscures comparability and real-time relevance. This gap is critical for Cyber-Physical Systems (CPS) and IoT environments, where even millisecond scale delays across power grids, autonomous vehicles, or medical devices can trigger cascading failures, underscoring the need for standardized latency definition for fair comparison across IDS designs and more informed
architectural decisions for latency reduction. These challenges motivate the following research questions:

1. RQ1: How is intrusion detection latency defined and used across existing IDS literature?
2. RQ2: Do current IDS datasets provide latency-complete temporal annotations necessary for accurate
latency calculation?
3. RQ3: How can end-to-end IDS latency be formally decomposed into measurable components?
4. RQ4: How do we measure latency?

Grounded in the research questions, the contributions of this work collectively elevate latency to a first-class metric in IDS research:

1. Systematic Evidence: A structured review of 90 IDS papers revealing inconsistent or undefined use of the term latency. Addressed in Sect. 2.1.
2. Root Cause Analysis: A dataset landscape analysis explaining why existing corpora are latency-partial
and outlining requirements for latency-complete datasets and multi-metric evaluation. Addressed in
Sect. 2.2.
3. Formal Framework and Case Studies: A mathematical decomposition of end-to-end latency into three
additive components—Attacker-Controlled Latency (ACL), IDS-Determined Latency (IDL), and Post-
Detection Latency (PDL)—with case studies illustrating latency optimization across environments, and
derivation of Attack Detection Latency (ADL) as the measurable operational subset for empirical evalua-
tion. Addressed in Sect. 3.
4. Empirical Demonstration: Application of the proposed framework to compute Attack Detection
Latency (ADL) on the ROSPaCe (Puccetti et al. 2024) CPS dataset. Addressed in Sect. 4.

The code and the feature-engineered ROSPaCe dataset used to generate the results reported in this table 7 of the published manuscript are publicly available at https://​github.​com/​Sandy​Dash19/​ Intru​sion-​Detec​tion-​Laten​cy-​The-​Negle​cted-​Metric.

Acknowledgements
The authors gratefully acknowledge Richard Atherton ([email protected])
for his critical and constructive review of the manuscript, and for providing
thoughtful and insightful feedback.