Intrusion detection latency: the neglected metric

Abstract Accuracy remains the dominant evaluation metric in Intrusion Detection System (IDS) research, yet an IDS that detects attacks too late is functionally equivalent to one that fails—particularly in Internet of Things (IoT) environments. In operational settings, the timing of detection shapes both the scope of adversarial activity and the feasibility of effective response. To the best of our knowledge, latency (the speed at which intrusions are identified) has received no systematic attention. Our analysis of published IDS papers reveals that latency is defined inconsistently—often referring to inference, communication, computation time, or combinations of these-leading to incomparable performance claims. To close this gap, we formally define end-to-end latency as the sum of three measurable components: Attacker-Controlled Latency (ACL), IDS-Determined Latency (IDL), and Post-Detection Latency (PDL). The framework further decomposes IDL into environment-specific sub-components, linking network topology and detection methodology to overall responsiveness. The framework provides a systematic mechanism to parameterize and vary these components across deployment environments (edge, cloud, federated learning). Using a Cyber-Physical dataset, we demonstrate the applicability of our latency framework to an existing dataset. By providing a mechanism to quantify detection timeliness, the proposed framework enables analysts to estimate attacker dwell time, benchmark real-time responsiveness, and standardize latency reporting across IDS studies.