Volume 15, Number 1

Metrics for Evaluating Alerts in Intrusion Detection Systems


Jane Kinanu Kiruki1,2, Geoffrey Muchiri Muketha1 and Gabriel Kamau1, 1Murang’a University of Technology, Kenya, 2Chuka University, Kenya


Network intrusions compromise the network’s confidentiality, integrity and availability of resources. Intrusion detection systems (IDSs) have been implemented to prevent the problem. Although IDS technologies are promising, their ability of detecting true alerts is far from being perfect. One problem is that of producing large numbers of false alerts, which are termed as malicious by the IDS. In this paper we propose a set of metrics for evaluating the IDS alerts. The metrics will identify false, low-level and redundant alerts by mapping alerts on a vulnerability database and calculating their impact. The metrics are calculated using a metric tool that we developed. We validated the metrics using Weyuker’s properties and Kaner’s framework. The metrics can be considered as mathematically valid since they satisfied seven of the nine Weyuker’s properties. In addition, they can be considered as workable since they satisfied all the evaluation questions from Kaner’s framework.


Intrusion detection systems, honeypot, firewall, alert correlation, fuzzy logic, security metrics.