System Security

Problem: ROC Curve of an IDS

You are told to design an intrusion detection algorithm that identifies vulnerabilities by solely looking at transaction length, i.e., the algorithm uses a packet length threshold T that determines when a packet is marked as an attack. More formally, the algorithm is defined:

D(k, T) -> 0/1

where k is the packet length of a suspect packet in bytes, T is the length threshold, and if the packet length is not greater than T, that packet should be marked as an attack (i.e., 1); otherwise marked as not (i.e., 0). You are given the following data to use to design the algorithm.

• attack packet lengths: 1, 1, 2, 3, 5, 8
• non-attack packet lengths: 2, 2, 4, 6, 6, 7, 8, 9

Draw the ROC curve.