Suppose that every packet observed by a network-based intrusion detection system (NIDS) belongs to one of the following mutually exclusive categories:
- legitimate ($88\%$)
- known worm ($4\%$)
- distributed denial of service ($4\%$)
- port scan ($4\%$)
The NIDS correctly classifies all known-worm packets.
A legitimate packet is classified as legitimate with probability $91\%$, and misclassified as belonging to any of the three attack categories with equal probability.
A DDoS packet is classified as DDoS with probability $50\%$, as a known worm with probability $40\%$, and as a legitimate packet with probability $10\%$.
A port-scan packet is classified correctly with probability $85\%$, and misclassified as a legitimate packet with probability $15\%$.
If the NIDS announces that a particular packet belongs to a known worm, what is the probability that this packet is not a legitimate packet?
Let:
- $L$ denote the event that a given packet is legitimate
- $W$ denote the event that it is a worm
- $D$ denote the event that it is DDoS
- $S$ denote the event that it is a port scan
- $A$ denote the event that the worm alarm is raised
What I tried to do is calculate $P(D\mid A)+P(W\mid A)+P(S\mid A)$.
Is there something wrong with my approach?
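
The setup in the question, computed with exact fractions, as an added example that is not part of the original post. It goes beyond the single worm alarm by inverting the whole confusion matrix with Bayes' rule, so the posterior for any announced class can be read off; the names `PRIOR`, `CONFUSION`, `posterior` and `prob_not_legit` are assumptions made for this illustration.

```python
from fractions import Fraction as F

CLASSES = ("legit", "worm", "ddos", "scan")

# Prior share of traffic per true class, from the problem statement.
PRIOR = {"legit": F(88, 100), "worm": F(4, 100),
         "ddos": F(4, 100), "scan": F(4, 100)}

# CONFUSION[true][announced] = P(announced | true).
# The 9% of legitimate packets that are misclassified is split evenly
# over the three attack labels (3% each). Missing entries mean 0.
CONFUSION = {
    "legit": {"legit": F(91, 100), "worm": F(3, 100),
              "ddos": F(3, 100), "scan": F(3, 100)},
    "worm": {"worm": F(1)},
    "ddos": {"ddos": F(50, 100), "worm": F(40, 100), "legit": F(10, 100)},
    "scan": {"scan": F(85, 100), "legit": F(15, 100)},
}


def validate():
    """Check that priors and every confusion-matrix row sum to 1."""
    if sum(PRIOR.values()) != 1:
        raise ValueError("priors do not sum to 1")
    for true_class, row in CONFUSION.items():
        if sum(row.values()) != 1:
            raise ValueError(f"row for {true_class} does not sum to 1")
    return True


def alarm_probability(announced):
    """Total probability P(A) that the NIDS announces `announced`."""
    return sum(PRIOR[c] * CONFUSION[c].get(announced, F(0)) for c in CLASSES)


def posterior(announced):
    """Bayes' rule: P(true class | announced) for every true class."""
    total = alarm_probability(announced)
    if total == 0:
        raise ValueError(f"the NIDS never announces {announced!r}")
    return {c: PRIOR[c] * CONFUSION[c].get(announced, F(0)) / total
            for c in CLASSES}


def prob_not_legit(announced):
    """P(packet is not legitimate | announced), via the complement."""
    return 1 - posterior(announced)["legit"]


if __name__ == "__main__":
    validate()
    for cls, p in posterior("worm").items():
        print(f"P({cls} | worm alarm) = {p} ~ {float(p):.4f}")
    print("P(not legitimate | worm alarm) =", prob_not_legit("worm"))
```

Because the four categories are mutually exclusive and exhaustive, the three attack posteriors for a given alarm add up to the same value as `prob_not_legit`.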