What is false alarm rate and false positive rate?

From: Zhuowei Li (zhuowei_at_gmail.com)
Date: 09/15/04

  • Next message: Alex Butcher, ISC/ISYS: "RE: session logging IDS"
    Date: Wed, 15 Sep 2004 14:20:37 +0800
    To: focus-ids@securityfocus.com
    
    

    Hi,

    I am confused by the terms 'false positive rate' and 'false alarm
    rate' within the context of intrusion detection. Does anybody about
    what's the exact definition for these two terms?

    Some literatures said 'false positive rate = false alarm rate', which
    the number of false alarms divided by the number of alarms (true and
    false).

    Other said false positive rate is not equal to false alarm rate, the
    false alarm rate is the same above definition, but the false positive
    rate is "the total number of normal instances that were incorrectly
    classified as intrusions divided by the total number of normal
    instances"

    Who is true, who is wrong within the context of intrusion detection?

    Thanks.

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------


  • Next message: Alex Butcher, ISC/ISYS: "RE: session logging IDS"