RE: What is false alarm rate and false positive rate?

From: Rob Shein (shoten_at_starpower.net)
Date: 09/17/04

    To: "'Zhuowei Li'" <zhuowei@gmail.com>, <focus-ids@securityfocus.com>
    Date: Thu, 16 Sep 2004 23:14:54 -0400
    
    

    Actually, no. What constitutes a useful alarm is mostly a matter of policy
    for the user; the technical means used to detect an attack (or which fails
    and alerts on an attack that never took place) doesn't define how useful the
    data is when all is said and done.

    > -----Original Message-----
    > From: Zhuowei Li [mailto:zhuowei@gmail.com]
    > Sent: Thursday, September 16, 2004 9:22 PM
    > To: Rob Shein; focus-ids@securityfocus.com
    > Subject: Re: What is false alarm rate and false positive rate?
    >
    >
    > Hi,
    >
    > > Martin Roesch did a fantastic way of shedding light on this question.
    > > The short answer is "neither," but it comes down to this question: If
    > > the IDS sees an OpenSSL attack go towards an IIS server that isn't
    > > using OpenSSL, is that a false alarm or not? It's definitely not as
    > > useful as it would be as an alert if the attack were aimed at an
    > > actual OpenSSL listener, but it's not as useless as a complete false
    > > alarm that alerts on something that didn't happen at all.
    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > Under such a scenario, if it is in signature-based intrusion
    > detection, it is yes since one of its tasks is to identify
    > the intrusion correctly for the purpose of response. However,
    > in anomaly-based intrusion detection, there is no such task,
    > the only thing we can do for anomaly-based is to alert that
    > an anomaly occurs in the system. That's a true alarm, right?
    >
    > Since Roesch's focus is on the signature-based, I think
    > his/her example is applicable only for his/her focus. For
    > anomaly-based intrusion detection, it is a different picture
    > we should draw, right?
    >
    > Thanks.
    >
    > Li
    > _______________________________________
    > http://www.cais.ntu.edu.sg/~zhuowei
    >
    > >
    > >
    > > > -----Original Message-----
    > > > From: Zhuowei Li [mailto:zhuowei@gmail.com]
    > > > Sent: Wednesday, September 15, 2004 2:21 AM
    > > > To: focus-ids@securityfocus.com
    > > > Subject: What is false alarm rate and false positive rate?
    > > >
    > > >
    > > > Hi,
    > > >
    > > > I am confused by the terms 'false positive rate' and 'false alarm
    > > > rate' within the context of intrusion detection. Does anybody know
    > > > what's the exact definition for these two terms?
    > > >
    > > > Some literature said 'false positive rate = false alarm rate',
    > > > which is the number of false alarms divided by the number of alarms
    > > > (true and false).
    > > >
    > > > Others said false positive rate is not equal to false alarm rate, the
    > > > false alarm rate is the same as the above definition, but the false
    > > > positive rate is "the total number of normal instances that were
    > > > incorrectly classified as intrusions divided by the total number of
    > > > normal instances"
    > > >
    > > > Who is true, who is wrong within the context of intrusion detection?
    > > >
    > > > Thanks.
    > > >

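An added example, not part of any message in this thread: the two definitions quoted in the original question, computed over one constructed event set, together with the three-way split of alerts from the OpenSSL/IIS example in the reply. The event counts and every function name here are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample, not real IDS output. Each event is
# (attack_really_happened, ids_alerted, target_runs_attacked_service).
EVENTS = (
    [(False, False, False)] * 9900  # normal traffic, no alert
    + [(False, True, False)] * 90   # alert on something that never happened
    + [(True, True, True)] * 6      # real attack on a matching listener
    + [(True, True, False)] * 3     # real attack, target lacks the service
    + [(True, False, True)] * 1     # real attack, missed
)

def confusion(events):
    """Count TP / FP / TN / FN from ground truth versus alert state."""
    counts = Counter()
    for attack, alerted, _ in events:
        counts[("T" if attack == alerted else "F") + ("P" if alerted else "N")] += 1
    return counts

def both_definitions(events):
    c = confusion(events)
    return {
        # Definition 1 in the question: false alarms / all alarms (true and false).
        # Statistics texts call this the false discovery rate (1 - precision).
        "false_alarms_per_alarm": c["FP"] / (c["TP"] + c["FP"]),
        # Definition 2: normal instances flagged / all normal instances.
        # This is the false positive rate of a confusion matrix.
        "false_alarms_per_normal_instance": c["FP"] / (c["FP"] + c["TN"]),
    }

def triage(events):
    """Split alerts into the three cases from the OpenSSL/IIS example."""
    out = Counter()
    for attack, alerted, target_matches in events:
        if alerted:
            out["nothing_happened" if not attack else
                "attack_on_matching_target" if target_matches else
                "attack_on_other_target"] += 1
    return out

def not_useful_share(events, policy_counts_other_target_as_noise):
    """Share of alerts that the site's own policy treats as not useful."""
    t = triage(events)
    extra = t["attack_on_other_target"] if policy_counts_other_target_as_noise else 0
    return (t["nothing_happened"] + extra) / sum(t.values())

if __name__ == "__main__":
    print(both_definitions(EVENTS), dict(triage(EVENTS)))
    print(not_useful_share(EVENTS, False), not_useful_share(EVENTS, True))
```

With mostly benign traffic the same 90 false alarms give about 0.91 under the first definition and about 0.009 under the second, and the policy choice about attacks on non-matching targets moves the "not useful" share from 90/99 to 93/99.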

