P(I) is base rate: prior probability of attacks
base-rate fallacy
– even if false alarm rate P(A|¬I) is very low, Bayesian detection rate P(I|A) is still low if base-rate P(I) is low
– E.g. if P(A|I)=1, P(A|¬I)=10^-5, P(I)=2×10^-5, then by Bayes' rule P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|¬I)P(¬I)) = 2×10^-5 / (2×10^-5 + 10^-5 × (1 − 2×10^-5)) ≈ 66%, i.e. one alert in three is a false alarm even with a perfect detection rate
When the IDS produces an alert, the probability that an intrusion has actually occurred is low.
Implications for IDS
– Design algorithms to reduce the false alarm rate
– Deploy the IDS at an appropriate point/layer where the base rate is sufficiently high
– Multiple independent detection models
Architecture of Network IDS
– Packet data volume can be huge
– Base rate at the packet level is typically low
– Applying detection algorithms at this level may result in a low Bayesian detection rate, so packets are first aggregated into higher-level events (connections, protocol messages) and detection runs on those
Network -> libpcap -> Event Engine -> Detection Engine
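The following is an added worked example, not from the original slides, covering both the base-rate fallacy above and the "reduce false alarms / raise the base rate / combine independent models" implications. It computes the Bayesian detection rate P(I|A) for the slide's numbers, shows how it moves with the base rate (the packet-level vs. event-level point of the architecture discussion), and shows the effect of requiring two independent detectors to agree before alerting. All detector rates and base rates below are constructed for illustration; the independence of the two detectors is an assumption.

```python
"""Base-rate fallacy for intrusion detection: worked numbers.

Added example (not from the original slides).  All rates are constructed.
"""


def bayesian_detection_rate(p_a_given_i: float, p_a_given_not_i: float, p_i: float) -> float:
    """P(I|A): probability an alert A corresponds to a real intrusion I.

    Bayes' rule with the slide's notation:
        P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I))
    """
    true_alerts = p_a_given_i * p_i              # alerts caused by intrusions
    false_alerts = p_a_given_not_i * (1.0 - p_i)  # alerts caused by benign traffic
    return true_alerts / (true_alerts + false_alerts)


def combine_independent(detectors):
    """Joint (TPR, FPR) when an alert requires ALL detectors to fire.

    detectors: iterable of (P(A|I), P(A|not I)) pairs.  Assumes the detectors'
    errors are independent, so the joint rates are products.  Requiring
    agreement trades some detection rate for a much lower false alarm rate.
    """
    tpr, fpr = 1.0, 1.0
    for p_a_given_i, p_a_given_not_i in detectors:
        tpr *= p_a_given_i
        fpr *= p_a_given_not_i
    return tpr, fpr


def slide_example() -> float:
    """The slide's numbers: P(A|I)=1, P(A|not I)=1e-5, P(I)=2e-5  ->  about 0.667."""
    return bayesian_detection_rate(1.0, 1e-5, 2e-5)


def base_rate_sweep(p_a_given_i: float, p_a_given_not_i: float, base_rates):
    """P(I|A) for the same detector deployed where the base rate differs.

    E.g. one intrusion per 100 000 packets vs. one per 1 000 connections:
    same algorithm, very different Bayesian detection rate.
    """
    return {p_i: bayesian_detection_rate(p_a_given_i, p_a_given_not_i, p_i)
            for p_i in base_rates}


if __name__ == "__main__":
    print(f"slide example P(I|A) = {slide_example():.3f}")

    # Constructed base rates: packet level (1e-5) up to event/connection level (1e-3).
    for p_i, rate in base_rate_sweep(1.0, 1e-5, [1e-6, 1e-5, 1e-4, 1e-3]).items():
        print(f"base rate {p_i:g}: P(I|A) = {rate:.3f}")

    # Constructed detectors, each 90% detection and 0.1% false alarm rate.
    single = (0.9, 1e-3)
    tpr, fpr = combine_independent([single, single])
    print(f"single detector  P(I|A) = {bayesian_detection_rate(*single, 2e-5):.3f}")
    print(f"two must agree   P(I|A) = {bayesian_detection_rate(tpr, fpr, 2e-5):.3f} "
          f"(TPR {tpr:.2f}, FPR {fpr:g})")
```

The sweep is the quantitative reason behind the event engine: the same detector that is nearly useless at packet-level base rates becomes trustworthy once traffic is aggregated into events where intrusions are a larger fraction of what is examined. The AND-combination only helps if the detectors' false alarms are actually independent; two signatures that fire on the same benign pattern gain nothing.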
Eluding Network IDS
What the IDS sees may not be what the end system gets
Ambiguities in protocols lead to different implementations across operating systems, so the IDS and the end host can reassemble the same packets differently:
E.g., packets whose TTL expires after passing the IDS but before reaching the host; overlapping IP fragments or TCP segments, where implementations differ on whether old or new data wins
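The following simulation is an added example, not from the original slides, of the two ambiguities just listed. It models a sender, an IDS sensor and an end host at different router distances, reassembles the same constructed segments at each vantage point, and checks a signature against each reconstruction. Hop counts, the overlap policies ("first data received wins" vs. "latest data wins") and the signature bytes are all assumptions for illustration.

```python
"""Insertion/evasion against a network IDS: the IDS and the host see different streams.

Added example (not from the original slides).  Segments, hop counts and
overlap policies are constructed assumptions.
"""

from dataclasses import dataclass

SIGNATURE = b"ATTACK"  # constructed signature the IDS is looking for
IDS_HOPS = 2           # assumption: sensor sits 2 routers from the sender
HOST_HOPS = 5          # assumption: end host sits 5 routers from the sender


@dataclass(frozen=True)
class Segment:
    offset: int   # byte offset of this data within the stream
    data: bytes
    ttl: int      # IP TTL as the packet leaves the sender


def reassemble(segments, hops: int, overlap: str) -> bytes:
    """Rebuild the stream as seen by an observer `hops` routers from the sender.

    Each router decrements TTL and discards the packet when it hits zero, so a
    segment is only observed if ttl > hops.  `overlap` selects what happens when
    two segments cover the same byte: "first" keeps data already received,
    "last" lets later data overwrite it.  Gaps are rendered as '?'.
    """
    buf = {}
    for seg in segments:
        if seg.ttl <= hops:          # expired before reaching this observer
            continue
        for i, byte in enumerate(seg.data):
            pos = seg.offset + i
            if overlap == "first" and pos in buf:
                continue
            buf[pos] = byte
    if not buf:
        return b""
    return bytes(buf.get(i, ord("?")) for i in range(max(buf) + 1))


def matches(stream: bytes) -> bool:
    return SIGNATURE in stream


def ttl_insertion():
    """Insertion via TTL: the decoy segment reaches the IDS but dies before the host.

    Both observers use the same "first wins" policy; the difference comes purely
    from the IDS accepting a packet that never arrives at the end system.
    """
    segs = [
        Segment(0, b"AT", ttl=64),
        Segment(2, b"XX", ttl=3),    # reaches the IDS (3 > 2) but not the host (3 <= 5)
        Segment(2, b"TA", ttl=64),
        Segment(4, b"CK", ttl=64),
    ]
    ids_view = reassemble(segs, IDS_HOPS, "first")
    host_view = reassemble(segs, HOST_HOPS, "first")
    return ids_view, host_view


def overlap_ambiguity():
    """Evasion via overlapping data: every packet reaches both, but the policies differ.

    The IDS favours the first copy of a byte, the host favours the last, so the
    same packets reassemble to different streams.
    """
    segs = [
        Segment(0, b"AT", ttl=64),
        Segment(2, b"XX", ttl=64),
        Segment(2, b"TA", ttl=64),   # overlaps the previous segment
        Segment(4, b"CK", ttl=64),
    ]
    ids_view = reassemble(segs, IDS_HOPS, "first")
    host_view = reassemble(segs, HOST_HOPS, "last")
    return ids_view, host_view


if __name__ == "__main__":
    for name, scenario in (("TTL insertion", ttl_insertion), ("overlap ambiguity", overlap_ambiguity)):
        ids_view, host_view = scenario()
        print(f"{name}: IDS sees {ids_view!r} (alert={matches(ids_view)}), "
              f"host sees {host_view!r} (alert={matches(host_view)})")
```

In both scenarios the host ends up with the signature bytes while the IDS does not, so a signature match at the sensor says nothing reliable about what the end system executed unless the sensor either knows the host's reassembly policy and path length or the ambiguity is removed in front of it (for example by a normalizer that drops overlapping fragments and packets with too-small TTLs).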