{"id":"https://openalex.org/W2043314203","doi":"https://doi.org/10.1145/1128817.1128834","title":"Measuring intrusion detection capability","display_name":"Measuring intrusion detection capability","publication_year":2006,"publication_date":"2006-03-21","ids":{"openalex":"https://openalex.org/W2043314203","doi":"https://doi.org/10.1145/1128817.1128834","mag":"2043314203"},"language":"en","primary_location":{"id":"doi:10.1145/1128817.1128834","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1128817.1128834","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2006 ACM Symposium on Information, computer and communications security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5058852421","display_name":"Guofei Gu","orcid":"https://orcid.org/0000-0003-0630-741X"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Guofei Gu","raw_affiliation_strings":["Georgia Institute of Technology","[Georgia Institute of Technology.]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]},{"raw_affiliation_string":"[Georgia Institute of Technology.]","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034137329","display_name":"Prahlad Fogla","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Prahlad Fogla","raw_affiliation_strings":["Georgia Institute of Technology","[Georgia Institute of Technology.]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]},{"raw_affiliation_string":"[Georgia Institute of Technology.]","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035849898","display_name":"David Dagon","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"David Dagon","raw_affiliation_strings":["Georgia Institute of Technology","[Georgia Institute of Technology.]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]},{"raw_affiliation_string":"[Georgia Institute of Technology.]","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047140382","display_name":"Wenke Lee","orcid":"https://orcid.org/0000-0003-2761-1277"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Wenke Lee","raw_affiliation_strings":["Georgia Institute of Technology","[Georgia Institute of Technology.]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]},{"raw_affiliation_string":"[Georgia Institute of Technology.]","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5013767254","display_name":"Boris \u0160kori\u0107","orcid":"https://orcid.org/0000-0003-1409-4127"},"institutions":[{"id":"https://openalex.org/I4210122849","display_name":"Philips (Netherlands)","ror":"https://ror.org/02p2bgp27","country_code":"NL","type":"company","lineage":["https://openalex.org/I4210122849"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Boris Skori\u0107","raw_affiliation_strings":["Philips Research Laboratories, Netherlands"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Philips Research Laboratories, Netherlands","institution_ids":["https://openalex.org/I4210122849"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":7.886,"has_fulltext":false,"cited_by_count":161,"citation_normalized_percentile":{"value":0.97512552,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"90","last_page":"101"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9966999888420105,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.8220760822296143},{"id":"https://openalex.org/keywords/metric","display_name":"Metric (unit)","score":0.687936544418335},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6813562512397766},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.6642587780952454},{"id":"https://openalex.org/keywords/constant-false-alarm-rate","display_name":"Constant false alarm rate","score":0.5880842208862305},{"id":"https://openalex.org/keywords/false-positive-rate","display_name":"False positive rate","score":0.5832522511482239},{"id":"https://openalex.org/keywords/anomaly-based-intrusion-detection-system","display_name":"Anomaly-based intrusion detection system","score":0.5738908648490906},{"id":"https://openalex.org/keywords/entropy","display_name":"Entropy (arrow of time)","score":0.5562291145324707},{"id":"https://openalex.org/keywords/measure","display_name":"Measure (data warehouse)","score":0.5363553762435913},{"id":"https://openalex.org/keywords/false-alarm","display_name":"False alarm","score":0.5026214122772217},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4215657711029053},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3404434323310852},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.11138543486595154}],"concepts":[{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.8220760822296143},{"id":"https://openalex.org/C176217482","wikidata":"https://www.wikidata.org/wiki/Q860554","display_name":"Metric (unit)","level":2,"score":0.687936544418335},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6813562512397766},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.6642587780952454},{"id":"https://openalex.org/C77052588","wikidata":"https://www.wikidata.org/wiki/Q644307","display_name":"Constant false alarm rate","level":2,"score":0.5880842208862305},{"id":"https://openalex.org/C95922358","wikidata":"https://www.wikidata.org/wiki/Q5432725","display_name":"False positive rate","level":2,"score":0.5832522511482239},{"id":"https://openalex.org/C137524506","wikidata":"https://www.wikidata.org/wiki/Q2247688","display_name":"Anomaly-based intrusion detection system","level":3,"score":0.5738908648490906},{"id":"https://openalex.org/C106301342","wikidata":"https://www.wikidata.org/wiki/Q4117933","display_name":"Entropy (arrow of time)","level":2,"score":0.5562291145324707},{"id":"https://openalex.org/C2780009758","wikidata":"https://www.wikidata.org/wiki/Q6804172","display_name":"Measure (data warehouse)","level":2,"score":0.5363553762435913},{"id":"https://openalex.org/C2776836416","wikidata":"https://www.wikidata.org/wiki/Q1364844","display_name":"False alarm","level":2,"score":0.5026214122772217},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4215657711029053},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3404434323310852},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.11138543486595154},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C21547014","wikidata":"https://www.wikidata.org/wiki/Q1423657","display_name":"Operations management","level":1,"score":0.0},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/1128817.1128834","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1128817.1128834","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2006 ACM Symposium on Information, computer and communications security","raw_type":"proceedings-article"},{"id":"pmh:oai:pure.tue.nl:openaire_cris_publications/560edbf5-d897-48a2-9924-96d5fcfb7234","is_oa":false,"landing_page_url":"https://research.tue.nl/en/publications/560edbf5-d897-48a2-9924-96d5fcfb7234","pdf_url":null,"source":{"id":"https://openalex.org/S4406922641","display_name":"TU/e Research Portal","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Gu, G, Fogla, P, Dagon, D, Lee, W & Skoric, B 2006, Measuring intrusion detection capability : an information-theoretic approach. in F C Lin, D T Lee, B S Lin, S Shieh & S Jajodia (eds), Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006). Association for Computing Machinery, Inc., Providence, pp. 90-101, 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006), Taipe, Taiwan, 21/03/06. https://doi.org/10.1145/1128817.1128834","raw_type":"info:eu-repo/semantics/publishedVersion"},{"id":"pmh:tue:oai:pure.tue.nl:publications/560edbf5-d897-48a2-9924-96d5fcfb7234","is_oa":false,"landing_page_url":"https://research.tue.nl/nl/publications/560edbf5-d897-48a2-9924-96d5fcfb7234","pdf_url":null,"source":{"id":"https://openalex.org/S4306401843","display_name":"Data Archiving and Networked Services (DANS)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1322597698","host_organization_name":"Royal Netherlands Academy of Arts and Sciences","host_organization_lineage":["https://openalex.org/I1322597698"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2006, Taipei, Taiwan, March 21-24, 2006), 90 - 101","raw_type":"info:eu-repo/semantics/conferencepaper"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320338281","display_name":"Army Research Office","ror":"https://ror.org/05epdh915"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":26,"referenced_works":["https://openalex.org/W44307044","https://openalex.org/W146971565","https://openalex.org/W1489446631","https://openalex.org/W1490025813","https://openalex.org/W1512586648","https://openalex.org/W1516506771","https://openalex.org/W1591480890","https://openalex.org/W1674877186","https://openalex.org/W1952056635","https://openalex.org/W1988918299","https://openalex.org/W1990748933","https://openalex.org/W2048465382","https://openalex.org/W2096847629","https://openalex.org/W2099111195","https://openalex.org/W2116065364","https://openalex.org/W2126802698","https://openalex.org/W2136995341","https://openalex.org/W2150847526","https://openalex.org/W2151826746","https://openalex.org/W2155378438","https://openalex.org/W2156875677","https://openalex.org/W2157021454","https://openalex.org/W4241433670","https://openalex.org/W4285719527","https://openalex.org/W4302076716","https://openalex.org/W6629335652"],"related_works":["https://openalex.org/W2337148208","https://openalex.org/W3004832009","https://openalex.org/W3036013726","https://openalex.org/W1971929717","https://openalex.org/W1724519426","https://openalex.org/W2351051591","https://openalex.org/W2369534771","https://openalex.org/W2013909972","https://openalex.org/W2352639800","https://openalex.org/W3112374511"],"abstract_inverted_index":{"A":[0],"fundamental":[1],"problem":[2],"in":[3,20,299],"intrusion":[4,16,57,136,236,267],"detection":[5,17,58,137,209,237,268],"is":[6,100,109,171,242,289],"what":[7],"metric(s)":[8],"can":[9,258,293,332],"be":[10,294],"used":[11],"to":[12,25,52,70,186,244,279,305,324],"objectively":[13,230,343],"evaluate":[14,73],"an":[15,74,81,140,232,275,283,340],"system":[18],"(IDS)":[19],"terms":[21,300],"of":[22,56,62,84,121,143,176,189,208,235,262,266,301,317],"its":[23,302],"ability":[24,304],"correctly":[26],"classify":[27,306],"events":[28],"as":[29,173,249,274,313,315],"normal":[30],"or":[31],"intrusive.":[32],"Traditional":[33],"metrics":[34],"(e.g.,":[35],"true":[36,213,250],"positive":[37,41,214,217,219,251,255],"rate":[38,252],"and":[39,72,95,103,123,184,225,239,253,342],"false":[40,216,254],"rate)":[42],"measure":[43,53,234,278],"different":[44,345],"aspects,":[45],"but":[46],"no":[47],"single":[48,64],"metric":[49,66,127],"seems":[50],"sufficient":[51],"the":[54,106,135,152,157,174,177,181,187,190,195,205,260,263,290,297,334],"capability":[55,210],"systems.":[59,269],"The":[60,285],"lack":[61],"a":[63,90,117,125],"unified":[65],"makes":[67],"it":[68,229,241],"difficult":[69],"fine-tune":[71],"IDS.":[75,284],"In":[76,113],"this":[77,98],"paper,":[78],"we":[79,88,115,146,331],"provide":[80,116],"in-depth":[82],"analysis":[83,120],"existing":[85],"metrics.":[86],"Specifically,":[87],"analyze":[89],"typical":[91],"cost-based":[92,131],"scheme":[93],"[6],":[94],"demonstrate":[96,259],"that":[97,128,292,326],"approach":[99],"very":[101],"confusing":[102],"ineffective":[104],"when":[105,281],"cost":[107],"factor":[108],"not":[110],"carefully":[111],"selected.":[112],"addition,":[114],"novel":[118],"information-theoretic":[119,141],"IDS":[122,158,182,245,298,341],"propose":[124,271],"new":[126,164],"highly":[129],"complements":[130],"analysis.":[132],"When":[133],"examining":[134],"process":[138],"from":[139],"point":[142,288,338],"view,":[144],"intuitively,":[145],"should":[147],"have":[148],"less":[149],"uncertainty":[150],"about":[151],"input":[153,183,307],"(event":[154],"data)":[155],"given":[156],"output":[159,185],"(alarm":[160],"data).":[161],"Thus,":[162],"our":[163],"metric,":[165],"CI":[166,192,272,329],"D":[167,193,273],"(Intrusion":[168],"Detection":[169],"Capability),":[170],"defined":[172],"ratio":[175],"mutual":[178],"information":[179],"between":[180],"entropy":[188],"input.":[191],"has":[194],"desired":[196],"property":[197],"that:":[198],"(1)":[199],"It":[200],"takes":[201],"into":[202],"account":[203],"all":[204],"important":[206],"aspects":[207],"naturally,":[211],"i.e.,":[212],"rate,":[215,218,256],"predictive":[220,223],"value,":[221,224],"negative":[222],"base":[226],"rate;":[227],"(2)":[228],"provides":[231],"intrinsic":[233,303],"capability;":[238],"(3)":[240],"sensitive":[243],"operation":[246,287],"parameters":[247],"such":[248],"which":[257],"effect":[261],"subtle":[264],"changes":[265],"We":[270,309],"appropriate":[276],"performance":[277],"maximize":[280],"fine-tuning":[282],"obtained":[286],"best":[291,335],"achieved":[295],"by":[296,327],"data.":[308],"use":[310],"numerical":[311],"examples":[312],"well":[314],"experiments":[316],"actual":[318],"IDSs":[319],"on":[320],"various":[321],"data":[322],"sets":[323],"show":[325],"using":[328],"D,":[330],"choose":[333],"(optimal)":[336],"operating":[337],"for":[339],"compare":[344],"IDSs.":[346]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":7},{"year":2022,"cited_by_count":11},{"year":2021,"cited_by_count":4},{"year":2020,"cited_by_count":14},{"year":2019,"cited_by_count":4},{"year":2018,"cited_by_count":7},{"year":2017,"cited_by_count":9},{"year":2016,"cited_by_count":5},{"year":2015,"cited_by_count":9},{"year":2014,"cited_by_count":15},{"year":2013,"cited_by_count":11},{"year":2012,"cited_by_count":15}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2016-06-24T00:00:00"}