Re: False Positives with IntruVert

From: Michael Rash (mbr@cipherdyne.com)
Date: 04/15/03

    Date: Tue, 15 Apr 2003 00:02:14 -0400
    From: Michael Rash <mbr@cipherdyne.com>
    To: "Cure, Samuel J" <scure@kpmg.com>
    
    

    On Mar 28, 2003, Cure, Samuel J wrote:

    > While it seems that many IDS/IPS reviewers rank and measure finding attacks
    > high, it would seem equally, if not more, important to rank false positives
    > high, especially in Prevention mode. Are there any reviewers that have
    > compared the false positives and false alarms of all the IDS/IPS products?
    > Has anyone here compared false positives of IntruVert, Snort, Cisco,
    > RealSecure, etc?

    You might be interested in the paper "The Base-Rate Fallacy and its
    Implications for the Difficulty of Intrusion Detection" by Stefan
    Axelsson:

    http://citeseer.nj.nec.com/cache/papers/cs/13832/http:zSzzSzwww.ce.chalmers.sezSzstaffzSzsaxzSzdifficulty.pdf/axelsson99baserate.pdf

    It is heavy on the math side of things, but this is good since it
    begins to put questions about false positives on a rigorous footing.
    (The paper does not answer your specific question above, but it does
    provide an interesting perspective on false positives in general).

    --Mike

    Michael Rash
    http://www.cipherdyne.com
    Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F

    ------------------------------------------------------------------------------
    INTRUSION PREVENTION: READY FOR PRIME TIME?
     
    IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities -
    including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.
     
    Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids
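As an added worked example (not part of the original message, and not code from Axelsson's paper), the following script carries the Bayes-rule computation behind the base-rate fallacy through with constructed numbers: a low base rate of intrusions, a perfect true-positive rate, and a seemingly small false-alarm rate. The function names and all rates are assumptions chosen for illustration.

```python
"""Base-rate fallacy for intrusion detection, worked with Bayes' rule.

Symbols (as in the usual statement of the fallacy):
  I   : an event (audit record, packet, session) is an intrusion
  A   : the IDS raises an alarm on the event
  P(I)      base rate of intrusions among all events
  P(A|I)    true-positive (detection) rate
  P(A|not I) false-alarm rate
  P(I|A)    "Bayesian detection rate": how often an alarm is real
"""


def bayesian_detection_rate(p_intrusion, p_alarm_given_intrusion,
                            p_alarm_given_no_intrusion):
    """Return P(I|A) via Bayes' rule.

    P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(not I)P(A|not I))
    """
    p_no_intrusion = 1.0 - p_intrusion
    p_alarm = (p_intrusion * p_alarm_given_intrusion
               + p_no_intrusion * p_alarm_given_no_intrusion)
    if p_alarm == 0.0:
        return 0.0  # no alarms at all: P(I|A) is undefined, report 0
    return p_intrusion * p_alarm_given_intrusion / p_alarm


def required_false_alarm_rate(p_intrusion, p_alarm_given_intrusion,
                              target_p_intrusion_given_alarm):
    """Solve P(I|A) = target for the false-alarm rate P(A|not I).

    Rearranging Bayes' rule:
      P(A|not I) = P(I)P(A|I)(1 - target) / (P(not I) * target)
    This is the false-alarm rate an IDS must reach before 'target'
    of its alarms are real intrusions.
    """
    return (p_intrusion * p_alarm_given_intrusion
            * (1.0 - target_p_intrusion_given_alarm)
            / ((1.0 - p_intrusion) * target_p_intrusion_given_alarm))


def alarm_breakdown(n_events, n_intrusions, p_alarm_given_intrusion,
                    p_alarm_given_no_intrusion):
    """Expected (true alarms, false alarms) over n_events.

    Same arithmetic as the probabilities above, expressed as counts an
    analyst would see in a day's alert queue.
    """
    true_alarms = n_intrusions * p_alarm_given_intrusion
    false_alarms = (n_events - n_intrusions) * p_alarm_given_no_intrusion
    return true_alarms, false_alarms


if __name__ == "__main__":
    # Constructed scenario (assumption): one million audited events per
    # day, ten of which are real intrusions, so P(I) = 1e-5.  The IDS
    # catches every intrusion (P(A|I) = 1.0) and has a false-alarm rate
    # of one in a thousand (P(A|not I) = 1e-3).
    n_events, n_intrusions = 1_000_000, 10
    p_i = n_intrusions / n_events
    tpr, far = 1.0, 1e-3

    p_i_given_a = bayesian_detection_rate(p_i, tpr, far)
    true_alarms, false_alarms = alarm_breakdown(n_events, n_intrusions,
                                                tpr, far)
    print(f"P(I|A) = {p_i_given_a:.4f}  "
          f"(about {true_alarms:.0f} real vs {false_alarms:.0f} false alarms/day)")

    # How low must the false-alarm rate go before half of all alarms
    # are genuine?  Roughly the base rate itself.
    for target in (0.5, 0.9):
        print(f"P(A|not I) needed for P(I|A) = {target}: "
              f"{required_false_alarm_rate(p_i, tpr, target):.2e}")
```

Under these constructed rates an alarm is a real intrusion only about 1% of the time, even with a perfect detection rate, and P(I|A) does not reach 50% until the false-alarm rate is driven down to roughly the base rate of intrusions. That is the point of the fallacy: when intrusions are rare, the false-alarm rate, not the detection rate, dominates how useful an alert stream is.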


