RE: What is false alarm rate and false positive rate?

From: Rob Shein (shoten_at_starpower.net)
Date: 09/17/04

    To: "'Zhuowei Li'" <zhuowei@gmail.com>, <focus-ids@securityfocus.com>
    Date: Thu, 16 Sep 2004 21:02:06 -0400
    
    

    Martin Roesch did a fantastic job of shedding light on this question. The
    short answer is "neither," but it comes down to this question: If the IDS
    sees an OpenSSL attack go towards an IIS server that isn't using OpenSSL, is
    that a false alarm or not? It's definitely not as useful as it would be as
    an alert if the attack were aimed at an actual OpenSSL listener, but it's
    not as useless as a complete false alarm that alerts on something that
    didn't happen at all.

    > -----Original Message-----
    > From: Zhuowei Li [mailto:zhuowei@gmail.com]
    > Sent: Wednesday, September 15, 2004 2:21 AM
    > To: focus-ids@securityfocus.com
    > Subject: What is false alarm rate and false positive rate?
    >
    >
    > Hi,
    >
    > I am confused by the terms 'false positive rate' and 'false
    > alarm rate' within the context of intrusion detection. Does
    > anybody know what the exact definition of these two terms is?
    >
    > Some literature said 'false positive rate = false alarm
    > rate', which is the number of false alarms divided by the number
    > of alarms (true and false).
    >
    > Others said the false positive rate is not equal to the false alarm
    > rate: the false alarm rate is the same as the above definition, but
    > the false positive rate is "the total number of normal
    > instances that were incorrectly classified as intrusions
    > divided by the total number of normal instances".
    >
    > Who is right and who is wrong within the context of intrusion detection?
    >
    > Thanks.
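An added worked example, not part of the original thread: the two definitions quoted in the question, computed over one constructed set of IDS events, with the reply's middle category (a real attack aimed at a target that is not vulnerable to it) counted first as a false alarm and then as a true alert. The `Event` fields, the `rates` function and all counts are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    alerted: bool            # the IDS raised an alarm for this event
    attack: bool             # ground truth: an attack was actually sent
    target_vulnerable: bool  # ground truth: the target runs the attacked service

def rates(events, irrelevant_is_false):
    """Return (false_alarm_rate, false_positive_rate).

    false_alarm_rate    = false alarms / all alarms           (FP / (TP + FP))
    false_positive_rate = false alarms / all normal instances (FP / (FP + TN))
    irrelevant_is_false: treat an attack on a non-vulnerable target as normal.
    """
    def intrusion(e):
        return e.attack and (e.target_vulnerable or not irrelevant_is_false)

    tp = sum(e.alerted and intrusion(e) for e in events)
    fp = sum(e.alerted and not intrusion(e) for e in events)
    tn = sum(not e.alerted and not intrusion(e) for e in events)
    far = fp / (tp + fp) if tp + fp else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return far, fpr

# Constructed sample, not real sensor data.
SAMPLE = (
    [Event(True, True, True)] * 10        # attack on a vulnerable listener, alerted
    + [Event(True, True, False)] * 30     # e.g. OpenSSL attack sent to an IIS server
    + [Event(True, False, False)] * 10    # alert on something that did not happen
    + [Event(False, False, False)] * 9950 # normal traffic, no alert
)

if __name__ == "__main__":
    for strict in (True, False):
        far, fpr = rates(SAMPLE, irrelevant_is_false=strict)
        label = "irrelevant = false alarm" if strict else "irrelevant = true alert"
        print(f"{label:26s} false alarm rate={far:.3f}  false positive rate={fpr:.5f}")
```

With the same 50 alerts, the false alarm rate is 0.8 or 0.2 depending on how the middle category is scored, while the false positive rate stays below half a percent either way because normal instances dominate the denominator.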

