ADCOM '07 Proceedings of the 15th International Conference on Advanced Computing and Communications
IDS are regularly evaluated by comparing their false positive and false negative rates on ROC curves. However, this mechanism generally ignores both the context within which the IDS operates and the attacker's own ability to adapt to IDS behavior. In this paper, we propose an alternative strategy for evaluating IDS based around multiple strategies. Each strategy defines how an attacker profits from attacking a target, and describes victory conditions for the attacker and defender. By mapping the results of ROC analysis to these strategies, we produce results which evaluate defensive mechanisms by their capacity to frustrate an attacker.