The base-rate fallacy and its implications for the difficulty of intrusion detection

1 November 1999

proceedings article
Published by Association for Computing Machinery (ACM)

p. 1-7
https://doi.org/10.1145/319709.319710

Abstract

Many different demands can be made of intrusion detection systems. An important requirement is that it be effective i.e. that it should detect a substantial percentage of intrusions into the supervised system, while still keeping the false alarm rate at an acceptable level.This paper aims to demonstrate that, for a reasonable set of assumptions, the false alarm rate is the limiting factor for the performance of an intrusion detection system. This is due to the base-rate fallacy phenomenon, that in order to achieve substantial values of the Bayesian detection rate, P(Intrusion|Alarm), we have to achieve—a perhaps unattainably low—false alarm rate.A selection of reports of intrusion detection performance are reviewed, and the conclusion is reached that there are indications that at least some types of intrusion detection have far to go before they can attain such low false alarm rates.

Keywords

This publication has 7 references indexed in Scilit:

Detecting intrusions using system calls: alternative data models
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2003
Detection of anomalous computer session activity
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2003
Temporal sequence learning and data reduction for anomaly detection
Published by Association for Computing Machinery (ACM) ,1998
Decision-theoretic limits on earthquake prediction
Geophysical Journal International, 1997
Base-rate errors and rain forecasts
Nature, 1996
Statistical foundations of audit trail analysis for the detection of computer misuse
IEEE Transactions on Software Engineering, 1993
An Intrusion-Detection Model
IEEE Transactions on Software Engineering, 1987