
A New Approach for Evaluating Intrusion Detection System

M.E. Elhamahmy, Hesham N. Elmahdy, Imane A. Saroit

Abstract


Anomaly-based intrusion detection systems (IDS) built on different machine learning algorithms are widely used. An IDS is usually evaluated by its ability to make accurate predictions of attacks. For a binary-classifier IDS, four outcomes are possible: attacks correctly predicted as attacks (TP) or incorrectly predicted as normal (FP), and normal instances correctly predicted as normal (TN) or incorrectly predicted as attack (FN). However, with a multi-class classifier, when one class of attack is incorrectly predicted as another class of attack, the outcome fits none of the four existing instances. In this paper, a new approach is proposed to evaluate the anomaly-based IDS. The proposed metric, F-score per Cost (FPC), is a single value calculated for each attack predictor. A new instance, misclassification of attack class (“MC”), is proposed to represent attacks wrongly predicted as another attack class. Based on the five instances, a numerical evaluation can apply different measures to quantify the performance of an IDS. To test the effectiveness of the proposed approach, three competitors from the “KDD CUP’99” competition are selected and their results are measured with the proposed metrics. The results show that adding the MC instance was effective. It gives a deeper understanding of IDS performance, makes comparisons between different intrusion detection systems more accurate, and reflects the trade-off between the harmonic mean of the sensitivity and precision of the IDS and the misclassification paid against its detection accuracy.
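The five-instance bookkeeping described in the abstract, as an added example that is not taken from the paper: it tallies TP, TN and MC plus the two attack/normal confusions from (true, predicted) label pairs, and shows how much of the apparent detection rate is attacks reported as the wrong class. The sample counts are constructed, the two confusion outcomes carry descriptive names rather than letter codes, and the FPC formula is not reproduced because it does not appear on this page.

```python
from collections import Counter

NORMAL = "normal"

# Constructed sample: (true label, predicted label) pairs using the
# KDD Cup'99 category names; counts are illustrative, not contest results.
SAMPLE = (
    [("normal", "normal")] * 90 + [("normal", "probe")] * 10
    + [("dos", "dos")] * 70 + [("dos", "normal")] * 5 + [("dos", "probe")] * 25
    + [("probe", "probe")] * 30 + [("probe", "dos")] * 10
    + [("r2l", "normal")] * 8 + [("r2l", "r2l")] * 2
)

def outcome(true, pred):
    """Map one (true, predicted) pair to one of the five instances."""
    if true == NORMAL:
        return "TN" if pred == NORMAL else "normal_as_attack"
    if pred == NORMAL:
        return "attack_as_normal"
    # Both labels are attack classes: correct class is TP, otherwise MC.
    return "TP" if pred == true else "MC"

def five_instances(pairs):
    """Count all five instances, reporting zero for any that never occur."""
    counts = Counter(outcome(t, p) for t, p in pairs)
    keys = ("TP", "TN", "normal_as_attack", "attack_as_normal", "MC")
    return {k: counts.get(k, 0) for k in keys}

def attack_rates(pairs):
    """Share of attacks flagged as any attack vs. flagged as the right class."""
    c = five_instances(pairs)
    attacks = c["TP"] + c["MC"] + c["attack_as_normal"]
    return {"flagged": (c["TP"] + c["MC"]) / attacks,
            "correct_class": c["TP"] / attacks,
            "misclassified": c["MC"] / attacks}

def mc_by_class(pairs):
    """Per true attack class: how many were reported as a different attack."""
    return dict(Counter(t for t, p in pairs if outcome(t, p) == "MC"))

if __name__ == "__main__":
    print(five_instances(SAMPLE))
    print(attack_rates(SAMPLE))
    print(mc_by_class(SAMPLE))
```

Collapsing the same predictions to attack-versus-normal would credit the detector with the "flagged" rate, while the "correct_class" rate is what remains once MC is counted separately.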


Keywords


Intrusion Detection System, Performance Evaluation, Machine Learning, KDD Cup’99 Competition
