Executive Director and Endowed Chair

Slides:



Advertisements
Similar presentations
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director February © Ravi Sandhu.
Advertisements

1 New Trends and Challenges in Computer Network Security Ravi Sandhu Executive Director and Endowed Professor September 2010
1 Authentication with Passwords Prof. Ravi Sandhu Executive Director and Endowed Chair February 1, © Ravi.
1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, © Ravi Sandhu.
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, © Ravi.
1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.
1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015
1 Institute for Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair February 4, 2015
1 Big Data Applications in Cloud and Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Professor UTSA COB Symposium on Big Data, Big Challenges.
1 Virtualization Prof. Ravi Sandhu Executive Director and Endowed Chair February 7, © Ravi Sandhu World-Leading.
1 The Quest for Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 8, © Ravi Sandhu.
1 Cloud Computing and Security Prof. Ravi Sandhu Executive Director and Endowed Chair April 19, © Ravi Sandhu.
1 Panel on Data Usage Management: Technology or Regulation? Prof. Ravi Sandhu Executive Director and Endowed Chair DUMA 2013 May 23, 2013
1 Security and Privacy in Human-Centric Computing and Big Data Management Prof. Ravi Sandhu Executive Director and Endowed Chair CODASPY 2013 February.
1 Open Discussion PSOSM 2012 Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
1 Secure Cloud Computing: A Research Perspective Prof. Ravi Sandhu Executive Director and Endowed Chair Texas Fresh Air Big Data and Data Analytics Conference.
Conditional Probability
Intrusion Detection Evaluation
Executive Director and Endowed Chair
Symmetric Cryptography
Mar. 5 Statistic for the day: U. S
Executive Director and Endowed Chair
What can Technologists learn from the History of the Internet?
Security and Privacy in the Networked World
Bayesian Notions and False Positives
Discretionary Access Control (DAC)
Executive Director and Endowed Chair
Introduction to Cyber Security
Introduction and Basic Concepts
Cryptography Basics and Symmetric Cryptography
Institute for Cyber Security: Research Vision
Authentication by Passwords
Role-Based Access Control (RBAC)
Identity and Access Control in the
Executive Director and Endowed Chair
Data Mining Anomaly Detection
Executive Director and Endowed Chair
Internet Security Threat Status
Executive Director and Endowed Chair
Cyber Security Research: Applied and Basic Combined*
On the Value of Access Control Models
Challenge-Response Authentication
ABAC Panel Prof. Ravi Sandhu Executive Director and Endowed Chair
The False Positive Paradox
Asymmetric Cryptography
Public-Key Certificates
Discretionary Access Control (DAC)
Executive Director and Endowed Chair
Attribute-Based Access Control (ABAC)
Cyber Security Research: Applied and Basic Combined*
Institute for Cyber Security: Research Vision
Security and Privacy in the Age of the Internet of Things:
Intersection of Data, Policy and Privacy
Authentication and Authorization Federation
Intrusion Detection Evaluation
Cyber Security and Privacy: An Optimist’s Perspective
Identity and Access Control in the
Big Data and Privacy Panel Prof. Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security Overview
Challenge-Response Authentication
Data Mining Anomaly Detection
Cyber Security Research: A Personal Perspective
Cyber Security Research: Applied and Basic Combined*
MAS2317 Presentation Question 1
Attribute-Based Access Control (ABAC)
World-Leading Research with Real-World Impact!
Data Mining Anomaly Detection
Chapter 2, Unit E Screening Tests.
Presentation transcript:

Executive Director and Endowed Chair CS 5323 Intrusion Detection: Base Rate Fallacy Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 11 ravi.utsa@gmail.com www.profsandhu.com © Ravi Sandhu World-Leading Research with Real-World Impact!

Base-Rate Fallacy S: Patient is Sick (has the disease) S ¬S R ᴧ S True positive False positive R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative © Ravi Sandhu World-Leading Research with Real-World Impact! 2

Base-Rate Fallacy S: Patient is Sick (has the disease) System is under attack S ¬S R ᴧ S R ᴧ ¬S R True positive False positive R: Test Result is positive Alarm is raised ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative © Ravi Sandhu World-Leading Research with Real-World Impact! 3

Malware Detection Techniques I will learn what is good and bad False positives: incorrect learning False negatives: incorrect learning I know what is bad and can detect it False positives: none False negatives: ever increasing I know what is good and can detect when you go beyond specification False positives: incomplete specification False negatives: incorrect specification Nwokedi Idika and Aditya Mathur, A Survey of Malware Detection Techniques, Purdue University, Feb 2007. © Ravi Sandhu World-Leading Research with Real-World Impact! 4

Base-Rate Fallacy S: Patient is Sick (has the disease) S ¬S R ᴧ S True positive False positive R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative © Ravi Sandhu World-Leading Research with Real-World Impact! 5

Base-Rate Fallacy S: Patient is Sick (has the disease) S ¬S R ᴧ S True positive False positive P(R|S) = 0.99 P(R|¬S) = 0.01 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative These probabilities can be empirically estimated P(¬R|S) = 0.01 P(¬R|¬S) = 0.99 © Ravi Sandhu World-Leading Research with Real-World Impact! 6

Estimating P(R|S) etc 2000 sick 1000 not sick Test R is positive is negative Test R is positive Test R is negative 1980 20 10 990 estimate P(R|S) = 0.99 P(¬R|S) = 0.01 P(R|¬S) = 0.01 P(¬R|¬S) = 0.99 Coincidentally equal © Ravi Sandhu World-Leading Research with Real-World Impact! 7

Estimating P(R|S) etc 2000 sick 1000 not sick Test R is positive is negative Test R is positive Test R is negative 1980 20 30 970 estimate P(R|S) = 0.99 P(¬R|S) = 0.01 P(R|¬S) = 0.03 P(¬R|¬S) = 0.97 In general will not be equal © Ravi Sandhu World-Leading Research with Real-World Impact! 8

Base-Rate Fallacy S: Patient is Sick (has the disease) S ¬S R ᴧ S True positive False positive P(R|S) = 0.99 P(R|¬S) = 0.03 Rows must total between 0 and 2 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative These probabilities can be empirically estimated P(¬R|S) = 0.01 P(¬R|¬S) = 0.97 Columns must total 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 9

Base-Rate Fallacy S: Patient is Sick (has the disease) We will continue with these numbers S ¬S R ᴧ S R ᴧ ¬S R True positive False positive P(R|S) = 0.99 P(R|¬S) = 0.01 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative These probabilities can be empirically estimated P(¬R|S) = 0.01 P(¬R|¬S) = 0.99 © Ravi Sandhu World-Leading Research with Real-World Impact! 10

Real Interest S: Patient is Sick (has the disease) S ¬S R ᴧ S R ᴧ ¬S R True positive False positive P(S|R) = ?? P(¬S|R) = ?? Rows must total 1 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative These probabilities can be computed by Bayes’ theorem if we know P(S) P(S|¬R) = ?? P(¬S|¬R) = ?? Columns must total between 0 and 2 © Ravi Sandhu World-Leading Research with Real-World Impact! 11

Bayes’ Theorem P(S|R) = (P(S)×P(R|S))/ (P(S)×P(R|S)+P(¬S) )×P(R|¬S)) P(¬S|R) = 1 - P(S|R) P(S|¬R) = (P(S)×P(¬R|S))/ (P(S)×P(¬R|S)+P(¬S) )×P(¬R|¬S)) P(¬S|¬R) = 1 - P(S|¬R) © Ravi Sandhu World-Leading Research with Real-World Impact! 12

Base-Rate Fallacy S: Patient is Sick (has the disease) We will continue with these numbers S ¬S R ᴧ S R ᴧ ¬S R True positive False positive P(R|S) = 0.99 P(R|¬S) = 0.01 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative These probabilities can be empirically estimated P(¬R|S) = 0.01 P(¬R|¬S) = 0.99 © Ravi Sandhu World-Leading Research with Real-World Impact! 13

Real Interest S: Patient is Sick (has the disease) Assume P(S)=0.0001 1 in 10,000 has disease S ¬S R ᴧ S R ᴧ ¬S R True positive False positive P(S|R) = 0.009804 P(¬S|R) = 0.990196 Rows must total 1 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative These probabilities can be computed by Bayes’ theorem if we know P(S) P(S|¬R) = 0.000001 P(¬S|¬R) = 0.999999 Columns must total between 0 and 2 © Ravi Sandhu World-Leading Research with Real-World Impact! 14

False Alarms Predominate! Assume P(S)=0.0001 1 in 10,000 has disease P(S|R) requires P(R|¬S) 0.01 0.01 0.09 0.001 0.5 0.0001 0.9 0.00001 0.99 0.000001 © Ravi Sandhu World-Leading Research with Real-World Impact! 15

Base-Rate Fallacy S: Patient is Sick (has the disease) Total population = 1,000,000 1 in 10,000 has disease S ¬S 100 999,900 R ᴧ S R ᴧ ¬S R True positive False positive R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative R is 99% accurate for sick and non-sick populations © Ravi Sandhu World-Leading Research with Real-World Impact! 16

Base-Rate Fallacy S: Patient is Sick (has the disease) Total population = 1,000,000 1 in 10,000 has disease S ¬S 100 999,900 R ᴧ S R ᴧ ¬S R True positive False positive 99 9,999 R: Test Result is positive ¬R ᴧ S ¬R ᴧ ¬S ¬R False negative True negative 1 989,901 R is 99% accurate for sick and non-sick populations © Ravi Sandhu World-Leading Research with Real-World Impact! 17