Essentially, a quality IDS should be able to distinguish the events monitored (input data) as either intrusive or normal. Here, the IDS provide output information usually in form of alarms, that should give a true picture of the events being monitored. This means that the IDS should be able to detect whether there is actually an intrusion or not at any given time. Therefore, the task of a well designed IDS is to accept and analyze input data stream and give output alerts to show the presence of intrusion. On a careful analysis, each unit of an input data stream could be intrusive or normal and an IDS should be able to know and record these information for the attention of the administrator. This implies that the input of an IDS can be carefully modeled as a random variable X. For instance, if the value of X is high (X = 1), there is an intrusion and if X is low (X = 0), there is no intrusion and the traffic is normal.

Similarly, the output information of a typical IDS can be modeled as a random variable Y. Here, when Y = 1, it means that there is an alert of an intrusion, and when Y = 0, there is no alert information from the IDS. In a situation where it is assumed that an IDS output is available, and this corresponds to each input information to the IDS [5]. By leveraging on the knowledge of information theory, a binary symmetric channel can be used to model intrusion detection as illustrated in Figure 1. As shown in the model, p(X = 1) denotes the base rate, which means the prior probability that there are intrusions in the input information as detected by the IDS. This is denoted as B.

The probability that an intrusion event can be regarded as normal is represented by p ( Y = 0 | X = 1 ) . This is the false negative rate (FN), denoted as γ. Similarly, the probability that a normal event being misclassified as an intrusion is represented by p ( Y = 1 | X = 0 ) . This is the false positive rate (FP), denoted as α. From the foregoing, it can be assumed that X is the random variable depicting the IDS input and Y represents the random variable depicting the IDS output. Therefore, intrusion detection capability can be defined as:

C I D = I ( X ; Y ) H ( X ) (1)

Given what we know from our knowledge of information theory about mutual information, we can rewrite C_ID as Equation (2).

C I D = H ( X ) − H ( X | y ) H ( X ) (2)

Ideally, mutual information captures the decrease in the level of uncertainty of the input by evaluating the IDS output. From (2), it can be deduced that C_ID gives the ratio of the reduction of uncertainty of the IDS input given the IDS output. In practice, the value of C_ID is in the range of [0; 1]. Here, a large value of C_ID implies that the IDS is more capable of accurate classification of events.

The mutual information H(X) is defined as given in Equation (3), and the corresponding mutual information that an event has occurred H(X |Y) is given in Equation (4).

H ( X ) = − ∑ x p ( x ) log p ( x ) = − B log B − ( 1 − B ) log ( 1 − B ) (3)

H ( X | Y ) = − ∑ x ∑ y p ( x ) p ( y | x ) log [ p ( x ) p ( y | x ) ] p ( y ) = − B ( 1 − γ ) log P P V − B γ log ( 1 − N P V )       − ( 1 − B ) ( 1 − α ) log N P V − ( 1 − B ) α log ( 1 − P P V ) (4)

Substituting the equations, C_ID we obtain Equation (5).

C I D = − B log B − ( 1 − B ) log ( 1 − B ) − B ( 1 − γ ) log P P V − B γ log ( 1 − N P V ) − ( 1 − B ) ( 1 − α ) log N P V − ( 1 − B ) α log ( 1 − P P V ) (5)

In Equation (5), C_ID is intrusion detection capability, B is base rate, γ is false negative (FN) rate, α is false positive (FP) rate, PPV is positive predictive value and NPV is negative predicative value.

• Base rate (B): This is a measure of the environment in which IDS operates. When B = 0 or B = 1 (the input is 100% normal or 100% intrusion). In practice, it can be quite difficult to measure or control the base rate in an IDS. This is because the base rate is often seen as an operation parameter partly due to the fact that it is used to measure the IDS environment. The estimation of prior probabilities and base rate B has been presented in [8].

• False Positive (FP) Rate: This is the probability that the IDS outputs an alarm when there is no intrusion;

• False Negative (FN) Rate: This is the probability that an IDS does not output an alarm when there is an intrusion;

• Positive Predictive Value (PPV): This is the probability that there is an intrusion when the IDS output an alarm. That is, given IDS alarms, how many of them are real intrusions. It is mathematically expressed in Equation (6) [5] [8] ;

P P V = B ( 1 − γ ) B ( 1 − γ ) + ( 1 − B ) α (6)

• Negative Predictive Value (NPV): This is the probability that there is no intrusion when the IDS does not output an alarm. That is given that there are no IDS alerts; does it mean that there are really no intrusions? Mathematically, it can be expressed in Equation (7) [8].

N P V = ( 1 − B ) ( 1 − α ) ( 1 − B ) ( 1 − α ) + B γ (7)

The receiver operating characteristics (ROC) curve shows a graphical illustration of the detection probability against false alarm rate. This means that the curve is capable of showing the probability of detection as seen by the detector at a defined false alarm rate. Alternatively, the curve shows the detector’s captured false rate at a stated probability of detection [7]. During World War II, the ROC curve was used for the first time to analyze radar signals before its usage in signal detection theory. The 1941 Harbor attack motivated the US army to embark on researches on how to improve on accurate detection of the Japanese aircraft as seen from the radar signals captured by the US army. In order to achieve this critical task, they employ the principle of the Receiver Operating Characteristics [19] to determine the capabilities of the radar receiver operators to effectively distinguish between various signals captured from different radars. Generally, ROC analysis helps to select optimal solutions while disregarding sub-optimal solutions.

For a given operating point of a particular detector, it is possible to determine the expected cost by analyzing the outputs of the decision tree as illustrated in Figure 2.

As shown in the decision tree of Figure 2, the squares represent sequence of actions, which are being controlled by the decision maker, while the circles represent uncertain events that are outside the control of the decision maker. However, these events give useful information on the operation of the detector, and subsequent actions to be taken on the reports. In addition, the decision tree can provide useful tips on the risks involved when some actions and events are combined. Again, it is seen that cost correspond to the consequences, and reflects the cost of a wrong decision. For example, the cost of not giving a response when there is no alarm (NA), and the cost of not providing a response when there is intrusion is represented with C. Here, the cost of no response when there is an intrusion is zero, and the higher the cost, the outcome reduces in value and less appreciated. It should be noted that the probability of occurrence is attached to each uncertain event. As seen on the decision tree, three probabilities P1, P2, and P3 are worth describing. P1 refers to the probability that the detector is able to report an alarm, P2 is the conditional probability that there is no intrusion given that the detector did not report an alarm, and P3 is the conditional probability that there is no intrusion given that the detector actually reports an alarm.

Conventionally, the decision tree is read from left to right [20] , and in order to calculate the expected cost associated with any given operating point, costs are carefully calculated for all paths on the decision tree, and the probabilities P1, P2, and P3 are computed. Without loss of generality, cost ratio is defined as in Equation (8);

C = C γ C α (8)

where C_γ refers to the cost of responding to the presence of intrusion and C_α is the cost of responding to an intrusion where there is actually no intrusion. In most practical scenarios, it can be assumed that the cost of correct responses to intrusion is negligibly small or zero [21].

1) Expected Cost Calculation: The formulae depicting the total probability as shown in (9) and (10) can be used to evaluate the probabilities of the detector’s reports [22].

p 1 = P ( N A ) = P ( N A | N I ) P ( N I ) + P ( N A | I ) = ( 1 − α ) ( 1 − p ) + γ p (9)

1 − p 1 = P ( A ) = P ( A N | I ) P ( N I ) + P ( A | I ) P ( I ) = α ( 1 − p ) + ( 1 − γ ) p (10)

The Bayes Theorem as reported in [16] can be used to calculate the probabilities of the state of the system with respect to the reports given by the detector as shown in Equations (11)-(14).

p 2 = P ( N I | N A ) = P ( N A | N I ) P ( N I ) P ( N A ) = ( 1 − α ) ( 1 − p ) p 1 = ( 1 − α ) ( 1 − p ) ( 1 − α ) ( 1 − p ) + γ p (11)

1 − p 2 = P ( I | N A ) = P ( N A | I ) P ( I ) P ( N A ) = γ p p 1 = γ p ( 1 − α ) ( 1 − p ) + γ p (12)

p 3 = P ( N I | A ) = P ( A | N I ) P ( N I ) P ( A ) = α ( 1 − p ) 1 − p 1 = α ( 1 − p ) α ( 1 − p ) + ( 1 − γ ) p (13)

1 − p 3 = P ( I | A ) = P ( A | I ) P ( I ) P ( A ) = ( 1 − γ ) p 1 − p 1 = ( 1 − γ ) p α ( 1 − p ) + ( 1 − γ ) p (14)

As shown in Table 1, the expected cost, which is dependent on the detector’s report, is shown mathematically by finding the sum of the products of the probabilities together with the cost of the node following the response.

At any operating point, the expected cost of operating the IDS is given in Equations (15) and (16):

C E X = p 1 min { C γ p , ( 1 − α ) ( 1 − p ) } p 1 + ( 1 − p 1 ) min { C ( 1 − γ ) p , α ( 1 − p ) } 1 − p 1 (15)

C E X = min { C γ p , ( 1 − α ) ( 1 − p ) } + min { C ( 1 − γ ) p , α ( 1 − p ) } (16)

In practice, the optimal operating point is described as the most suitable point achievable by the given IDS in terms of its intrusion detection capabilities, and minimization of the expected cost. Therefore, choosing an optimal operating point would be equivalent to the best choice of values for the parameters α and γ that can provide the desired least expected cost.

On the concept of base-rate fallacy, there seems to be a very large difference between the amounts of events seen as normal and the amount of intrusion events, which are very few. This huge difference can results in the generation of multitudes of false alarms. Here, fallacy maintains that due to the low probability of a real attack, especially when an IDS triggers an alarm, the probability of intrusion occurring could be very minimal. Furthermore, Gu et al. [5] argued that the base-rate is significantly small as compared with the composite attacks in the evaluation data-set. Here, it is assumed that the base-rate content in the 1998 DARPA intrusion detection evaluation is given as p = 6.52 × 10⁻⁵, unless stated otherwise.

A mathematical formula as shown in Equation (5) is derived from an information theoretic point of view. To ease computation, a software intrusion detection evaluation system (SIDES) package is developed. The application provides a tool for calculating the intrusion detection capability C_ID of IDS using values from the

Receiver Operating Characteristics (ROC) reported in [24]. The ROC was based on the dataset reported in [11]. The proposed package was designed to receive metrics such as Base rate (B), False Positive rate (FP or α), False Negative rate (FN or γ), Positive Predictive Value (PPV), Negative Predictive Value (NPV) and calculates intrusion detection capability C_ID.

The algorithm for the SIDES package is as shown in Algorithm 1.

Using this application and the Receiver Operating Characteristics (ROC) values reported in [24] , the results obtained provide a useful guide in the choice of the optimal operating and a fair comparison of the IDSs. The point with the highest C_ID is regarded as the best ID capability of the system and gives the most optimized operating point for the IDS. This is without recourse to the cost implication of operating at this optimal point. It is therefore necessary to attach a corresponding cost to this point.

To introduce cost function into C_ID, we adopt the decision tree analysis method [7]. We compute the corresponding cost attached to each value of C_ID. To have an acceptable trade-off between cost and capability, C_ID and C_EX values are plotted against α. The lowest point on the C_EX curve is matched with the highest point on the C_ID curve to determine the optimal operating point. More specifically, the observable deviations in the values of the expected cost could be very useful metric suitable for the comparison of two intrusion detectors.

Text fields were used to receive input; False Positive rate (α), False Negative rate (γ) and Base rate (B). “Reset values” button was designed to clear the input values. Calculate PPV and calculate NPV buttons were designed to calculate PPV and NPV respectively. Calculate C_ID button was designed to calculate the intrusion detection capability of the IDS given the initial inputs received. The results panel is designed to display the calculated values PPV, NPV and C_ID. Back home button was designed to take the user back to initial information window. Exit button was designed to close the package.

Results of C_ID values were computed using data extracted from two ROC curves reported in [7]. Here, two ROC curves derived from the results reported in [11] are used to represent two intrusion detection systems, denoted as IDS₁ and IDS₂, respectively. As in [7] , IDS₁ ROC curve can be approximated as given in Equations (17) and (18).

1 − γ = 0.6909 × ( 1 − exp ( − 65625.64 α 1.19 ) ) (17)

1 − γ = 0.4909 × ( 1 − exp ( − 11932.6 α 1.19 ) ) (18)

Initial findings revealed that in 666,000 network session over a typical day, about 43 intrusion attempts were detected. Based on the assumption that the intrusion responses are achieved per session each time intrusion detectors are applied, the base-rate of intrusion is given as in (19).

B = Total   number   of   intrusion   attempts Total   number   of   network   sessions = 43 660000 = 6.52 × 10 − 5 (19)

Hence, we can estimate the probability of intrusion by the base-rate p = 6.52 × 10 − 5 . The results obtained from estimating the probability of intrusion are as depicted in Figure 3 and Figure 4, for IDS1 and IDS2, respectively.

In practice, the point at which the highest intrusion detection capability and its threshold yields the most suitable threshold is referred to as the optimal operating point. Here, the optimal operating point for IDS₁ occurs at α = 0.003, 1 − γ = 0.6807 corresponding to C_ID of 0.45567, while that of IDS₂ occurs at α = 0.001, 1 − γ = 0.47112, and C_ID of 0.2403. From the foregoing, IDS₂ achieves a better ID capability than IDS₁. By extension, comparing the two detectors based on the above analysis, we can conclude that IDS₂ is better than IDS₁. However, this is without recourse to the cost of operating at the selected optimal point.

For the derivation of minimum expected-cost operating point, the decision tree as shown in Figure 2 is adopted. Here, the tree is evaluated from the right hand side to the left. For instance, if the cost ratio C equals 1000, this means that it could be a thousand times more expensive to fail in response to an intrusion than to respond to no intrusion. Assume also that the base rate (probability of intrusion) were 6.52 × 10⁻⁵ as in [5].

From Figure 5, the maximum C_ID for IDS₁ occurs at α = 0.0003, with a C_ID value of 0.4557. The minimum corresponding cost occurs at α = 0.0003, with an expected cost of 0.0211. Hence, the optimal operating point for IDS₁ is 0.4557, 0.0211.

From Figure 6, the maximum C_ID for IDS₁ occurs at α = 0.0010, with a C_ID value of 0.2403. The minimum corresponding cost occurs at α = 0.0010, with an expected cost of 0.0355. Thus, the optimal operating point for IDS₂ is 0.2403, 0.0355.

A comparative analysis of IDS₁ and IDS₂ is as shown in Table 2.

IDS₁ is a better detector with a C_ID of 0.2154 per session higher than the C_ID of IDS₂ and an expected cost of 0.0144 per session less than that of IDS₂. The effect of the various input parameters on C_ID and C_EX is examined.

Ideally, an IDS may not be able to effectively control the base rate but it is a very important factor to be considered when presenting reports on intrusion detection capability because the base rate defines the environment of operation [5]. To study the effect of low base rate on Intrusion Detection capability, C_ID values were computed for different base rate values. The impact of different base rates on C_ID is as shown in Figure 7.

From Figure 7, assuming an IDS whose base rate B = 10⁻⁴, FP = 0.1 and FN = 0.1, In a case where the value of FP is decreased from 0.1 to 0.01, correspondingly, C_ID changes from 0.17 to 0.36. However, if FN is decreased by the same magnitude, the C_ID only changes from about 0.17 to 0.20. This shows that C_ID is more responsive to variations in false positive (FP) than false negative (FN). Hence, for low base rates, reducing FP will improve C_ID more than the same reduction in FN.

The base rate B was fixed and for each value of FP (α), the FN (γ) values were varied and the corresponding C_ID calculated. A plot of False Positives rates against C_ID is shown in Figure 8.

From Figure 8 (B = 0.0001), when FP (α) is increased from 0.01 to 0.02 for γ = 0.01 (a difference of 0.01),C_ID changes from 0.44 to 0.37 (a difference of 0.07). However, when FP changes from 0.01 to 0.03 (a difference of 0.02), C_ID changes from 0.44 to 0.33 (a difference of 0.11). Hence, for low base rate B, little changes in False Positive result in large changes in C_ID as shown in Figure 8.

The base rate B is fixed while for each value of FN, the FP values are varied and the corresponding C_ID calculated. A plot of False Positive rates on against C_ID is as shown in Figure 9.

From Figure 9 (α = 0.001), when FN is increased from 0.1 to 0.2 (a difference of 0.1), C_ID changes from 0.58 to 0.49 (a difference of 0.09). However, when FN changes from 0.1 to 0.15 (a difference of 0.05), C_ID changes from 0.58 to 0.54 (a difference of 0.04). Only large changes in FN will significantly affect C_ID. Hence, for low base rate B, only a large variation of FN (γ) have a significant effect on C_ID as shown in Figure 9.

As pointed out in [1] , the major drawback in the expected cost analysis presented in Section V is that the cost ratio C is chosen subjectively. Thus the effect of cost ratio on the expected cost is examined.

From Figure 10, it is shown that the various plots of C indicate that the sharpest drop in the expected cost is between α = 0.0001 and α = 0.0002. As the FP increases, the expected cost remains fairly constant. This shows that to minimize expected cost, it is imperative that FP (α) is very low. This agrees with

Gu et al. [5] that in realistic IDS operation environment, it can be reasonably assumed that B < α ≪ γ < 1 . Furthermore, Figure 10 implies that for large values of FP, the expected cost remains the same.