Re: What is false alarm rate and false positive rate?
From: Gautam Singaraju (gautam.singaraju_at_gmail.com)
Date: 09/18/04
- Previous message: idswizard_at_earthlink.net: "RE: Wishlist for IPS Products"
- In reply to: Zhuowei Li: "Re: What is false alarm rate and false positive rate?"
- Next in thread: Jeffrey Denton: "Re: What is false alarm rate and false positive rate?"
- Reply: Jeffrey Denton: "Re: What is false alarm rate and false positive rate?"
- Reply: Helios Xu: "Reply: What is false alarm rate and false positive rate?"
Date: Fri, 17 Sep 2004 19:41:56 -0400
To: Zhuowei Li <zhuowei@gmail.com>
Hi,
This is what I think about the difference between them...
False Positive: an intrusion is detected when there is no intrusion.
False Negative: an intrusion is not detected when there is an intrusion.
False Alarm: the total of the false positives and false negatives.
In a typical deployment of an Intrusion Detection System, it is difficult
to find the number of false negatives. This means that some choose
to ignore these and consider False Alarm = False Positives.
A rate hence would be the total number of false
positives/negatives/alarms divided by the total number of alarms, both true
and false.
Hence for testing an IDS, False Alarm Rate = False Positive Rate +
False Negative Rate.
And for an industry installation, False Alarm Rate = False Positive Rate.
On Fri, 17 Sep 2004 09:21:39 +0800, Zhuowei Li <zhuowei@gmail.com> wrote:
> Hi,
>
> > Martin Roesch did a fantastic way of shedding light on this question. The
> > short answer is "neither," but it comes down to this question: If the IDS
> > sees an OpenSSL attack go towards an IIS server that isn't using OpenSSL, is
> > that a false alarm or not? It's definitely not as useful as it would be as
> > an alert if the attack were aimed at an actual OpenSSL listener, but it's
> > not as useless as a complete false alarm that alerts on something that
> > didn't happen at all.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Under such a scenario, if it is signature-based intrusion detection,
> the answer is yes, since one of its tasks is to identify the intrusion
> correctly for the purpose of response. However, in anomaly-based
> intrusion detection there is no such task; the only thing we can do for
> anomaly-based detection is to alert that an anomaly has occurred in the
> system. That's a true alarm, right?
>
> Since Roesch's focus is on signature-based detection, I think his/her
> example is applicable only to that focus. For anomaly-based
> intrusion detection, it is a different picture we should draw, right?
>
> Thanks.
>
> Li
> _______________________________________
> http://www.cais.ntu.edu.sg/~zhuowei
>
> >
> >
> > > -----Original Message-----
> > > From: Zhuowei Li [mailto:zhuowei@gmail.com]
> > > Sent: Wednesday, September 15, 2004 2:21 AM
> > > To: focus-ids@securityfocus.com
> > > Subject: What is false alarm rate and false positive rate?
> > >
> > >
> > > Hi,
> > >
> > > I am confused by the terms 'false positive rate' and 'false
> > > alarm rate' within the context of intrusion detection. Does
> > > anybody know the exact definition of these two terms?
> > >
> > > Some literature says 'false positive rate = false alarm
> > > rate', which is the number of false alarms divided by the number
> > > of alarms (true and false).
> > >
> > > Others say the false positive rate is not equal to the false alarm
> > > rate: the false alarm rate is as defined above, but
> > > the false positive rate is "the total number of normal
> > > instances that were incorrectly classified as intrusions
> > > divided by the total number of normal instances".
> > >
> > > Who is right and who is wrong within the context of intrusion detection?
> > >
> > > Thanks.
> > >
--
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
Itsme,GautamSingaraju;)
-----END PGP PUBLIC KEY BLOCK-----
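The definitions debated in this thread, worked through as an added example that is not part of the original post and not code from any of the thread's participants. The script labels a small set of constructed IDS events with ground truth and computes, side by side, the two rate definitions quoted in the original question: false alarms divided by all alarms (FP / (TP + FP)), and wrongly flagged normal events divided by all normal events (FP / (FP + TN); in the statistics literature this second quantity is the one called the false positive rate, while the first is the false discovery rate, or 1 - precision). It also computes the miss rate FN / (TP + FN). The Roesch case (an OpenSSL exploit sent at an IIS host that is not running OpenSSL) is handled by a labelling policy flag, so you can see how each rate moves when such alerts are counted as true or as false; the IDS output itself does not change. The `production_view` function shows the point made above about deployments: only alerted events get triaged, so FN and TN cannot be counted from the alert stream and only the alarm-denominator rate is computable there. All event data and the `Event` field names are constructed for the example.

```python
"""Confusion-matrix rates for an IDS evaluation run (added example, constructed data)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Event:
    attack_traffic: bool      # ground truth: exploit traffic was on the wire
    target_vulnerable: bool   # ground truth: the target could actually be affected
    alerted: bool             # what the IDS did


# Constructed evaluation data, not a real capture: 13 labelled events.
SAMPLE = [
    Event(True,  True,  True),    # exploit against a vulnerable host, alerted
    Event(True,  True,  True),
    Event(True,  True,  True),
    Event(True,  True,  False),   # exploit against a vulnerable host, missed
    Event(True,  False, True),    # OpenSSL exploit sent at an IIS box, alerted
    Event(True,  False, True),
    Event(True,  False, False),   # OpenSSL exploit sent at an IIS box, missed
    Event(False, False, True),    # benign traffic that tripped a signature
    Event(False, False, True),
    Event(False, False, False),   # benign traffic, no alert
    Event(False, False, False),
    Event(False, False, False),
    Event(False, False, False),
]


def is_intrusion(event: Event, require_vulnerable_target: bool) -> bool:
    """Labelling policy: does this event count as a real intrusion?

    With require_vulnerable_target=False an attack against a non-vulnerable
    host still counts (the signature view); with True it does not (the
    "did it matter" view). The IDS output is identical under both policies.
    """
    if not event.attack_traffic:
        return False
    return event.target_vulnerable or not require_vulnerable_target


def confusion(events: Iterable[Event], require_vulnerable_target: bool) -> Dict[str, int]:
    """Full confusion matrix; needs ground truth for every event, not just alerts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for e in events:
        intrusion = is_intrusion(e, require_vulnerable_target)
        if e.alerted:
            counts["tp" if intrusion else "fp"] += 1
        else:
            counts["fn" if intrusion else "tn"] += 1
    return counts


def _ratio(num: int, den: int) -> Optional[Fraction]:
    """Exact ratio, or None when the denominator is empty (no alarms, no normals, ...)."""
    return Fraction(num, den) if den else None


def rates(c: Dict[str, int]) -> Dict[str, Optional[Fraction]]:
    """The competing definitions from the thread, computed from one confusion matrix.

    false_alarms_over_alarms : FP / (TP + FP)  false alarms over all alarms
    fp_over_normals          : FP / (FP + TN)  wrongly flagged normal events over all normal events
    fn_over_intrusions       : FN / (TP + FN)  missed intrusions over all intrusions
    """
    return {
        "false_alarms_over_alarms": _ratio(c["fp"], c["tp"] + c["fp"]),
        "fp_over_normals": _ratio(c["fp"], c["fp"] + c["tn"]),
        "fn_over_intrusions": _ratio(c["fn"], c["tp"] + c["fn"]),
    }


def production_view(events: Iterable[Event], require_vulnerable_target: bool) -> Dict[str, Optional[int]]:
    """What an operator can count in a live deployment: only alerted events are triaged.

    Traffic that raised no alert is never labelled, so FN and TN are unknown
    (None); from this view only FP / (TP + FP) can be computed.
    """
    tp = fp = 0
    for e in events:
        if e.alerted:
            if is_intrusion(e, require_vulnerable_target):
                tp += 1
            else:
                fp += 1
    return {"tp": tp, "fp": fp, "fn": None, "tn": None}


if __name__ == "__main__":
    for policy in (False, True):
        c = confusion(SAMPLE, policy)
        print(f"require_vulnerable_target={policy}: {c}")
        for name, value in rates(c).items():
            print(f"  {name:26s} {value}")
        print(f"  alert stream only: {production_view(SAMPLE, policy)}")
```

Running it shows that the alarm count (TP + FP = 7) is the same under both policies, because relabelling the OpenSSL-against-IIS alerts does not change what the IDS emitted; what changes is how many of those seven are called false, and therefore every rate. It also shows why the alarm-denominator rate is the one that survives in an operational setting: the other two need the TN and FN cells, which require labelling traffic that never produced an alert.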