Re: What is false alarm rate and false positive rate?

From: Jeffrey Denton (dentonj_at_gmail.com)
Date: 09/21/04

  • Next message: Helios Xu: "΄πΈ΄: What is false alarm rate and false positive rate?" 
    Date: Mon, 20 Sep 2004 19:13:41 -0700
To: focus-ids@securityfocus.com

    On Fri, 17 Sep 2004 19:41:56 -0400, Gautam Singaraju
    <gautam.singaraju@gmail.com> wrote:
    > Hi,
    > This is what I think about the difference between them...
    >
    > False Positive: Is the intrusion detected when there is no intrusion.
    > False Negative: is the intrusion not detected when there is an intrusion.
    >
    > False Alarm: is the total of the false positives and false negatives.

    Of course this is subject to debate, but a false alarm to me is when
    someone makes a big deal out of a false positive or a false negative.
    If the false positive/negative is recognized for what it is, then it's
    not a false alarm. The rest of your math will be either true or false
    depending on what you accept as a definition of a false alarm.

    This doesn't take into account when someone realizes (later!) that
    some event turned out to be a false alarm, but that information wasn't
    passed on for fear of looking stupid, being twisted to further some
    agenda (either way), etc. (No, I've never seen that happen before.
    Of course I didn't do something like that myself.....)

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------

  • Next message: Helios Xu: "΄πΈ΄: What is false alarm rate and false positive rate?"

    Relevant Pages

    • False positive, false intrusion, false alarm
      ... False Positives / False Alarm ... False Alarm - occurs when an intrusion detection system activates for no ... False Alarm (subscriber or user oriented) - occurs when an intrusion ...
      (alt.computer.security)
    • Re: What is false alarm rate and false positive rate?
      ... > rate' within the context of intrusion detection. ... > false alarm rate is the same above definition, ... False positives are cases in which in which an ...
      (Focus-IDS)
    • Re: What is false alarm rate and false positive rate?
      ... False Alarm: is the total of the false positives and false negatives. ... In a typical deployment of Intrusion Detection System, ...
      (Focus-IDS)
    • RE: False Positives
      ... > when no actual exploited attack has ... > when attackers attempt to overload an IDS' alert processing ... > Subject: False Positives ... > IntruShield now offers unprecedented Intrusion IntelligenceTM ...
      (Focus-IDS)
    • RE: False Positives
      ... There isn't an IDS system that will not report "false positives" ... tools are not actually attacking but testing, and they report an attack, ... > IntruShield now offers unprecedented Intrusion IntelligenceTM ...
      (Focus-IDS)