DOI: 10.1145/319709.319710

The base-rate fallacy and its implications for the difficulty of intrusion detection

Published: 01 November 1999

Abstract

Many different demands can be made of intrusion detection systems. An important requirement is that it be effective, i.e., that it should detect a substantial percentage of intrusions into the supervised system, while still keeping the false alarm rate at an acceptable level.
This paper aims to demonstrate that, for a reasonable set of assumptions, the false alarm rate is the limiting factor for the performance of an intrusion detection system. This is due to the base-rate fallacy phenomenon: in order to achieve substantial values of the Bayesian detection rate, P(Intrusion|Alarm), we have to achieve a false alarm rate that may be unattainably low.
A selection of reports of intrusion detection performance is reviewed, and the conclusion is reached that there are indications that at least some types of intrusion detection have far to go before they can attain such low false alarm rates.
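The Bayesian detection rate the abstract refers to can be worked through numerically. The following is an added example, not code from the paper; the base rate, detection rate and false alarm rate values in it are constructed for illustration, and the second function solves Bayes' formula for the false alarm rate a target P(Intrusion|Alarm) would require.

```python
"""Worked example (added; not from the paper) of the base-rate fallacy in
intrusion detection.  All probabilities below are constructed for illustration.

Notation (matches the abstract):
  P(I)      base rate: probability that an audited event is an intrusion
  P(A|I)    detection rate (true positive rate)
  P(A|~I)   false alarm rate (false positive rate)
  P(I|A)    Bayesian detection rate: how often an alarm is a real intrusion
"""


def bayesian_detection_rate(p_intrusion: float, detection_rate: float,
                            false_alarm_rate: float) -> float:
    """Return P(I|A) by Bayes' theorem:
    P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(~I)P(A|~I))."""
    true_alarms = p_intrusion * detection_rate
    false_alarms = (1.0 - p_intrusion) * false_alarm_rate
    if true_alarms + false_alarms == 0.0:
        raise ValueError("no alarms are ever raised; P(I|A) is undefined")
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(p_intrusion: float, detection_rate: float,
                              target_bayesian_rate: float) -> float:
    """Solve the Bayes formula for P(A|~I): the largest false alarm rate that
    still yields P(I|A) >= target.  This is the 'limiting factor' the abstract
    describes: for a tiny base rate the bound is also tiny."""
    if not 0.0 < target_bayesian_rate < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    return (p_intrusion * detection_rate * (1.0 - target_bayesian_rate)
            / (target_bayesian_rate * (1.0 - p_intrusion)))


if __name__ == "__main__":
    # Constructed numbers: 1 intrusion per 100,000 audited events, an IDS that
    # catches 70% of intrusions, and a false alarm rate that looks excellent
    # on paper (also 1 in 100,000).
    base_rate, det, far = 1e-5, 0.70, 1e-5
    print(f"P(I|A) = {bayesian_detection_rate(base_rate, det, far):.3f}")
    # Even so, fewer than half of the alarms are real intrusions.
    for target in (0.5, 0.9, 0.99):
        need = required_false_alarm_rate(base_rate, det, target)
        print(f"for P(I|A) >= {target}: need false alarm rate <= {need:.2e}")
```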



Published In

CCS '99: Proceedings of the 6th ACM conference on Computer and communications security
November 1999
160 pages
ISBN: 1581131488
DOI: 10.1145/319709
Publisher

Association for Computing Machinery, New York, NY, United States


Conference

CCS99: Sixth ACM Conference on Computer and Communication Security
November 1 - 4, 1999
Kent Ridge Digital Labs, Singapore
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
