Title :
Evaluation of intrusion detectors: a decision theory approach
Author :
Gaffney, John E., Jr. ; Ulvila, Jacob W.
Abstract :
We present a method of analysis for evaluating intrusion detection systems. The method can be used to compare the performance of intrusion detectors, to evaluate performance goals for intrusion detectors, and to determine the best configuration of an intrusion detector for a given environment. The method uses a decision analysis that integrates and extends ROC (receiver operating characteristics) and cost analysis methods to provide an expected cost metric. We provide general results and illustrate the method in several numerical examples that cover a range of detectors that meet a performance goal and two actual detectors operating in a realistic environment. We demonstrate that, contrary to common advice, the value of an intrusion detection system and the optimal operation of that system depend not only on the system´s ROC curve, but also on cost metrics and the hostility of the operating environment as summarized by the probability of intrusion. Extensions of the method are outlined, and conclusions are drawn
Keywords :
decision theory; security of data; software performance evaluation; ROC; cost analysis methods; decision theory; expected cost metric; intrusion detection systems evaluation; performance goals; receiver operating characteristics; Cost function; Data analysis; Data mining; Decision theory; Detectors; Forensics; Intrusion detection; Jacobian matrices; Probability; Statistical analysis;
Conference_Titel :
Security and Privacy, 2001. S&P 2001. Proceedings. 2001 IEEE Symposium on
Conference_Location :
Oakland, CA
Print_ISBN :
0-7695-1046-9
DOI :
10.1109/SECPRI.2001.924287
