Evaluating IDS

Detection rate or True Positive (TP) rate:
given that there is an intrusion, how likely is the IDS to correctly output an alert?

False Negative Rate: FN = 1 - TP

False alarm or False Positive (FP) rate: given that there is no intrusion, how likely is the IDS to falsely output an alert?

True Negative Rate: TN = 1 - FP

Bayesian detection rate: given that the IDS produces an alert, how likely is it that an intrusion actually occurs?

Alarm/positive: A; Intrusion: I
Detection (true positive) rate: P(A|I)
False negative rate: P(¬A|I)
False alarm rate: P(A|¬I)
True negative rate: P(¬A|¬I)
Bayesian detection rate: P(I|A)

System should be: scalable, resilient to attacks

Bayesian Detection Rate
P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(¬I)P(A|¬I))
P(I) is the prior probability of attacks: the probability of evidence of intrusion in the data.
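
Added example (not part of the original notes): the rates above estimated from a constructed set of labelled events, with P(I|A) counted directly and checked against the formula. It goes one step beyond the notes by solving the formula for the largest false alarm rate that still reaches a target P(I|A); the function names and the sample counts are assumptions made for illustration.

```python
from fractions import Fraction

def rates(events):
    """events: list of (intrusion, alert) boolean pairs.
    Estimates the quantities defined in the notes from raw counts."""
    tp = sum(1 for i, a in events if i and a)          # intrusion, alert
    fn = sum(1 for i, a in events if i and not a)      # intrusion, no alert
    fp = sum(1 for i, a in events if not i and a)      # no intrusion, alert
    tn = sum(1 for i, a in events if not i and not a)  # no intrusion, no alert
    return {
        "P(I)": Fraction(tp + fn, tp + fn + fp + tn),
        "P(A|I)": Fraction(tp, tp + fn),
        "P(A|~I)": Fraction(fp, fp + tn),
        "P(I|A)": Fraction(tp, tp + fp),  # counted directly from the alerts
    }

def bayesian_detection_rate(p_i, tpr, fpr):
    """P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(~I)P(A|~I))."""
    num = p_i * tpr
    return num / (num + (1 - p_i) * fpr)

def max_false_alarm_rate(p_i, tpr, target):
    """Largest P(A|~I) for which P(I|A) >= target (formula solved for FP rate)."""
    return p_i * tpr * (1 - target) / ((1 - p_i) * target)

# Constructed sample: 100,000 events, 100 of them intrusions.
# The IDS detects 90 of the intrusions and raises 999 false alarms.
SAMPLE = ([(True, True)] * 90 + [(True, False)] * 10 +
          [(False, True)] * 999 + [(False, False)] * 98901)

if __name__ == "__main__":
    r = rates(SAMPLE)
    for name, value in r.items():
        print(f"{name:8} = {float(value):.4f}")
    bdr = bayesian_detection_rate(r["P(I)"], r["P(A|I)"], r["P(A|~I)"])
    print(f"formula  = {float(bdr):.4f}")
    need = max_false_alarm_rate(r["P(I)"], r["P(A|I)"], Fraction(1, 2))
    print(f"FP rate needed for P(I|A) >= 0.5: {float(need):.6f}")
```

With a 90% detection rate and a 1% false alarm rate, fewer than one alert in ten in this sample corresponds to a real intrusion, because P(I) is so small.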