Re: What is false alarm rate and false positive rate?
From: Zhuowei Li (zhuowei_at_gmail.com)
Date: 09/17/04
- Previous message: Jason: "Re: IPS, alternative solutions"
- Maybe in reply to: Zhuowei Li: "What is false alarm rate and false positive rate?"
- Next in thread: Rob Shein: "RE: What is false alarm rate and false positive rate?"
- Reply: Rob Shein: "RE: What is false alarm rate and false positive rate?"
- Reply: Gautam Singaraju: "Re: What is false alarm rate and false positive rate?"
Date: Fri, 17 Sep 2004 09:21:39 +0800
To: Rob Shein <shoten@starpower.net>, focus-ids@securityfocus.com
Hi,
> Martin Roesch did a fantastic job of shedding light on this question. The
> short answer is "neither," but it comes down to this question: If the IDS
> sees an OpenSSL attack go towards an IIS server that isn't using OpenSSL, is
> that a false alarm or not? It's definitely not as useful as it would be as
> an alert if the attack were aimed at an actual OpenSSL listener, but it's
> not as useless as a complete false alarm that alerts on something that
> didn't happen at all.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Under such a scenario, if it is in signature-based intrusion detection,
it is yes, since one of its tasks is to identify the intrusion
correctly for the purpose of response. However, in anomaly-based
intrusion detection, there is no such task; the only thing we can do for
anomaly-based is to alert that an anomaly occurs in the
system. That's a true alarm, right?
Since Roesch's focus is on the signature-based, I think his/her
example is applicable only for his/her focus. For anomaly-based
intrusion detection, it is a different picture we should draw. Right?
Thanks.
Li
_______________________________________
http://www.cais.ntu.edu.sg/~zhuowei
>
>
> > -----Original Message-----
> > From: Zhuowei Li [mailto:zhuowei@gmail.com]
> > Sent: Wednesday, September 15, 2004 2:21 AM
> > To: focus-ids@securityfocus.com
> > Subject: What is false alarm rate and false positive rate?
> >
> >
> > Hi,
> >
> > I am confused by the terms 'false positive rate' and 'false
> > alarm rate' within the context of intrusion detection. Does
> > anybody know what the exact definition is for these two terms?
> >
> > Some literature said 'false positive rate = false alarm
> > rate', which is the number of false alarms divided by the number
> > of alarms (true and false).
> >
> > Others said the false positive rate is not equal to the false alarm
> > rate: the false alarm rate is the same as the above definition, but
> > the false positive rate is "the total number of normal
> > instances that were incorrectly classified as intrusions
> > divided by the total number of normal instances".
> >
> > Who is right, who is wrong within the context of intrusion detection?
> >
> > Thanks.
> >
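Added example, not part of the original message or thread: a short Python calculation of the two definitions quoted in the question (false alarms over all alarms, versus misclassified normal instances over all normal instances), run under both ways of labelling the "OpenSSL attack against an IIS server" alert discussed above. The event counts, the `attack_na` label and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample, one (ids_alerted, ground_truth) pair per observed event.
# Hypothetical labels: "attack" = real attack on a vulnerable target,
# "attack_na" = real attack traffic at a target that is not vulnerable
# (the OpenSSL-exploit-against-IIS case), "normal" = benign traffic.
EVENTS = (
    [(True, "attack")] * 8 + [(False, "attack")] * 2
    + [(True, "attack_na")] * 30
    + [(True, "normal")] * 20 + [(False, "normal")] * 9940
)


def _ratio(num, den):
    """Return num/den, or None when the denominator is empty."""
    return num / den if den else None


def rates(events, na_is_intrusion):
    """Compute both disputed rates under one ground-truth labelling policy."""
    c = Counter()
    for alerted, truth in events:
        intrusion = truth == "attack" or (truth == "attack_na" and na_is_intrusion)
        # TP/FP/TN/FN: first letter = was the IDS right, second = did it alert.
        c[("T" if alerted == intrusion else "F") + ("P" if alerted else "N")] += 1
    tp, fp, tn, fn = c["TP"], c["FP"], c["TN"], c["FN"]
    return {
        "counts": {"TP": tp, "FP": fp, "TN": tn, "FN": fn},
        # Definition 1 in the question: false alarms / all alarms raised.
        "false_alarm_rate": _ratio(fp, fp + tp),
        # Definition 2: normal instances flagged / all normal instances.
        "false_positive_rate": _ratio(fp, fp + tn),
    }


if __name__ == "__main__":
    for policy in (True, False):
        r = rates(EVENTS, na_is_intrusion=policy)
        print(f"attack_na counted as intrusion={policy}: {r['counts']}")
        print(f"  false alarm rate    = {r['false_alarm_rate']:.3f}")
        print(f"  false positive rate = {r['false_positive_rate']:.4f}")
```

On this constructed data the two definitions differ by two orders of magnitude for the same detector, and the labelling choice for the non-applicable attack moves the first definition from about 0.34 to about 0.86 while the second stays below 0.01.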