The base-rate fallacy and the difficulty of intrusion detection

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

The base-rate fallacy and the difficulty of intrusion detection

Full text

Pdf (124 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 3 , Issue 3 (August 2000) table of contents

Pages: 186 - 205

Year of Publication: 2000

ISSN:1094-9224

Author

Stefan Axelsson

Ericsson Mobile Data Design AB

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 37, Downloads (12 Months): 269, Citation Count: 33

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/357830.357849 What is a DOI?

ABSTRACT

Many different demands can be made of intrusion detection systems. An important requirement is that an intrusion detection system be effective; that is, it should detect a substantial percentage of intrusions into the supervised system, while still keeping the false alarm rate at an acceptable level. This article demonstrates that, for a reasonable set of assumptions, the false alarm rate is the limiting factor for the performance of an intrusion detection system. This is due to the base-rate fallacy phenomenon, that in order to achieve substantial values of the Bayesian detection rate P(Intrusion***Alarm), we have to achieve a (perhaps in some cases unattainably) low false alarm rate. A selection of reports of intrusion detection performance are reviewed, and the conclusion is reached that there are indications that at least some types of intrusion detection have far to go before they can attain such low false alarm rates.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	ANDERSON, J. P. 1980. Computer security threat monitoring and surveillance. 79F26400 26 Feb revised April 15.
	2	AXELSSON, S. 1998. Research in intrusion-detection systems: A survey. 98--17.
	3	AXELSSON, S. 2000. Intrusion-detection systems: A taxonomy and survey. 99-15 (March).
	4	AXELSSON, S. 2000. A preliminary attempt to apply detection and estimation theory to intrusion detection. 00--4 (March).
	5	AXELSSON, S., LINDQVIST, U., GUSTAFSON, U., AND JONSSON, E. 1998. An approach to UNIX security logging. In Proceedings of the 21st NIST-NCSC National Conference on Informa-tion Systems Security (Crystal City, Arlington, VA, Oct. 5-8). National Institute of Standards and Technology, Gaithersburg, MD, 62-75.
	6	DEATHERAGE, B. H. 1972. Auditory and other sensory forms of information. In Human Engineering Guide to Equipment Design: Army, Navy, Air Force, H. Van Cott and R. Kinkade, Eds.
	7	Herve DEBAR , Monique BECKER , Didier SIBONI, A Neural Network Component for an Intrusion Detection System, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.240, May 04-06, 1992
	8	Dorothy E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, v.13 n.2, p.222-232, Feb. 1987 [doi>10.1109/TSE.1987.232894]
	9	DENNING,D.E.AND NEUMANN, P. G. 1985. Requirements and model for IDES: A real-time intrusion detection system.
	10	HALME,L.AND KAHN, B. 1988. Building a security monitor with adaptive user work profiles. In Proceedings of the 11th National Computer Security Conference (NIST-NCSC, Baltimore, Maryland, Oct.17-20). National Institute of Standards and Technology, Gaithersburg, MD, 000-000.
	11	P. Helman , G. Liepins, Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse, IEEE Transactions on Software Engineering, v.19 n.9, p.886-901, September 1993 [doi>10.1109/32.241771]
	12	Terran Lane , Carla E. Brodley, Temporal sequence learning and data reduction for anomaly detection, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.295-331, Aug. 1999 [doi>10.1145/322510.322526]
	13	LEE, W. 1999. A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Computer Society Symposium on Research in Security and Privacy (Berkeley, CA, May). IEEE Computer Society Press, Los Alamitos, CA, 120-132.
	14	LIPPMANN,R.P.,FRIED, D., GRAF, I., ET AL. 2000. Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In Proceedings of the DARPA Informa-tion Survivability Conference and Exposition (DISCEX '00, Hilton Head, South Carolina, Jan. 25-27). IEEE Computer Society Press, Los Alamitos, CA, 12-26.
	15	LUNT, T. F. 1988. Automated audit trail analysis and intrusion detection. In Proceedings of the on 11th National Computer Security Conference (NIST-NCSC, Baltimore, Maryland, Oct.17-20). National Institute of Standards and Technology, Gaithersburg, MD, 65-73.
	16	MATTHEWS, R. 1996. Base-rate errors and rain forecasts. Nature 382, 6594, 766.
	17	MATTHEWS, R. 1997. Decision-theoretic limits on earthquake prediction. Geophys. J. Int. 131, 3 (Dec.), 526-529.
	18	MCHUGH, J. 2000. Testing intrusion detection systems: A critique of the 1998 and 1999 Lincoln Laboratory evaluations. ACM Trans. Inf. Syst. Secur. 3.
	19	NYGREN, E. 1994. Moderna tider: teknikutveckling inom medicinsk service.
	20	PIERCE, G. M. 1943. Destruction by demolition, incendiaries and sabotage: Field training manual, Fleet Marine Force, US Marine Corps.
	21	Jens Rasmussen, Information Processing and Human-Machine Interaction: An Approach to Cognitive Engineering, Elsevier Science Inc., New York, NY, 1986
	22	Stuart J. Russell , Peter Norvig, Artificial intelligence: a modern approach, Prentice-Hall, Inc., Upper Saddle River, NJ, 1995
	23	SEBRING,M.M.,SHELLHOUSE, E., HANNA,M.E.,AND WHITEHURST, R. A. 1988. Expert systems in intrusion detection: A case study. In Proceedings of the 11th National Computer Security Conference (NIST-NCSC, Baltimore, Maryland, Oct.17-20). National Institute of Standards and Technology, Gaithersburg, MD, 74-81.

CITED BY 33

	Lawrence A. Gordon , Martin P. Loeb, The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.438-457, November 2002
	Francesco Bergadano , Daniele Gunetti , Claudia Picardi, User authentication through keystroke dynamics, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.367-397, November 2002
	Wenke Lee, Applying data mining to intrusion detection: the quest for automation, efficiency, and credibility, ACM SIGKDD Explorations Newsletter, v.4 n.2, p.35-42, December 2002
	Ruoming Pang , Vern Paxson, A high-level programming environment for packet trace anonymization and transformation, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
	Klaus Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security (TISSEC), v.6 n.4, p.443-471, November 2003
	Robin Sommer , Vern Paxson, Enhancing byte-level network intrusion detection signatures with context, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Stefan Axelsson, Combining a bayesian classifier with visualisation: understanding the IDS, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Jeffrey B. Colombe , Gregory Stephens, Statistical profiling and visualization for detection of malicious insider attacks on computer networks, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Chunlin Zhang , Ju Jiang , Mohamed Kamel, Intrusion detection using hierarchical neural networks, Pattern Recognition Letters, v.26 n.6, p.779-791, 1 May 2005
	Peng Ning , Dingbang Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM Transactions on Information and System Security (TISSEC), v.7 n.4, p.591-627, November 2004
	Giorgio Giacinto , Fabio Roli , Luca Didaci, Fusion of multiple classifiers for intrusion detection in computer networks, Pattern Recognition Letters, v.24 n.12, p.1795-1803, August 2003
	Matthew Glickman , Justin Balthrop , Stephanie Forrest, A Machine Learning Evaluation of an Artificial Immune System, Evolutionary Computation, v.13 n.2, p.179-212, June 2005
	F. Bergadano , D. Gunetti , C. Picardi, Identity verification through dynamic keystroke analysis, Intelligent Data Analysis, v.7 n.5, p.469-496, October 2003
	Agustín Orfila , Javier Carbó , Arturo Ribagorda, Autonomous decision on intrusion detection with trained BDI agents, Computer Communications, v.31 n.9, p.1803-1813, June, 2008
	Mohammad Saniee Abadeh , Jafar Habibi , Zeynab Barzegar , Muna Sergi, A parallel genetic local search algorithm for intrusion detection in computer networks, Engineering Applications of Artificial Intelligence, v.20 n.8, p.1058-1069, December, 2007
	Shuyuan Jin , Daniel So Yeung , Xizhao Wang, Network intrusion detection in covariance feature space, Pattern Recognition, v.40 n.8, p.2185-2197, August, 2007
	Young U. Ryu , Hyeun-Suk Rhee, Evaluation of Intrusion Detection Systems Under a Resource Constraint, ACM Transactions on Information and System Security (TISSEC), v.11 n.4, p.1-24, July 2008
	Samer Fayssal , Youssif Alnashif , Byoung Kim , Salim Hariri, A proactive wireless self-protection system, Proceedings of the 5th international conference on Pervasive services, July 06-10, 2008, Sorrento, Italy
	Animesh Patcha , Jung-Min Park, An overview of anomaly detection techniques: Existing solutions and latest technological trends, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3448-3470, August, 2007
	Damiano Bolzoni , Bruno Crispo , Sandro Etalle, ATLANTIDES: an architecture for alert verification in network intrusion detection systems, Proceedings of the 21st conference on 21st Large Installation System Administration Conference, p.1-12, November 11-16, 2007, Dallas
	Carrie E. Gates, A case study in testing a network security algorithm, Proceedings of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities, March 18-20, 2008, Innsbruck, Austria
	Carrie Gates , Carol Taylor, Challenging the anomaly detection paradigm: a provocative discussion, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
	Shu-Chuan Chao , Kuanchin Chen , Chien-Hua Lin, Capturing industry experience for an effective information security assessment, International Journal of Information Systems and Change Management, v.1 n.4, p.421-438, January 2006
	John Felix Charles Joseph , Amitabha Das , Boon-Chong Seet , Bu-Sung Lee, Opening the Pandora's Box: Exploring the fundamental limitations of designing intrusion detection for MANET routing attacks, Computer Communications, v.31 n.14, p.3178-3189, September, 2008
	Wei Yue , Metin Cakanyildirim, Intrusion Prevention in Information Systems: Reactive and Proactive Responses, Journal of Management Information Systems, v.24 n.1, p.329-353, Number 1 / Summer 2007
	Martin Rehak , Michal Pechoucek , Martin Grill , Karel Bartos , Vojtech Krmicek , Pavel Celeda, Collaborative approach to network behaviour analysis based on hardware-accelerated FlowMon probes, International Journal of Electronic Security and Digital Forensics, v.2 n.1, p.35-48, March 2009
	Giorgio Giacinto , Fabio Roli , Carlo Sansone, Guest Editorial: Information fusion in computer security, Information Fusion, v.10 n.4, p.272-273, October, 2009
	Alain Bensoussan , Radha Mookerjee , Vijay Mookerjee , Wei T. Yue, Maintaining Diagnostic Knowledge-Based Systems: A Control-Theoretic Approach, Management Science, v.55 n.2, p.294-310, February 2009
	Suvasini Panigrahi , Amlan Kundu , Shamik Sural , A. K. Majumdar, Credit card fraud detection: A fusion approach using Dempster-Shafer theory and Bayesian learning, Information Fusion, v.10 n.4, p.354-363, October, 2009
	Huseyin Cavusoglu , Srinivasan Raghunathan , Hasan Cavusoglu, Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems, Information Systems Research, v.20 n.2, p.198-217, June 2009
	François Gagnon , Babak Esfandiari, Using Artificial Intelligence for Intrusion Detection, Proceeding of the 2007 conference on Emerging Artificial Intelligence Applications in Computer Engineering: Real Word AI Systems with Applications in eHealth, HCI, Information Retrieval and Pervasive Technologies, p.295-306, June 10, 2007
	Wei Lu , Ali A. Ghorbani, Network anomaly detection based on wavelet analysis, EURASIP Journal on Advances in Signal Processing, 2009, p.1-16, January 2009
	Araceli Barradas-Acosta , Eleazar Aguirre Anaya , Mariko Nakano-Miyatake , Hector Perez-Meana, Neural network based attack detection algorithm, WSEAS Transactions on Computers, v.8 n.6, p.905-915, June 2009