Problems

• Bayesian base-rate fallacy [Axel99]
  • applies to ALL intrusion detection systems

• Example (all numbers made up, this is only an example)
  • accuracy: LUSER test is 99% accurate
  • basic rate of incidence: 1 out of every 10,000 people is a luser
  • given that you scored positive on a LUSER test, what is your probability of actually being a luser?
  • surprisingly, only ~1%!

• Applied to IDS, it means: the factor limiting the effectiveness of an IDS is not its ability to correctly identify misuse, but rather its ability to suppress false alarms!