A framework for the evaluation of the theoretical threat coverage provided by intrusion detection systems

Abstract

Intrusion detection systems are a central component of cyber security architecture, and their accuracy is a critical performance metric for any security deployment. Most of the current performance analysis of intrusion detection systems relies on empirical profiling of a given algorithm or implementation against a benchmark dataset. Whilst effective to a point, this traditional evaluation methodology is unable to assess the completeness of threat coverage provided by an intrusion detection system and is consequently a sub-optimal approach if conducted in isolation of other tests. This paper introduces a framework to evaluate the total potential coverage provided by an intrusion detection system as a function of its data sources, extending and complementing the traditional approach.