Re: What is false alarm rate and false positive rate?

From: George Capehart (gwc_at_acm.org)
Date: 09/21/04

  • Next message: David Maynor: "Re: Wishlist for IPS Products"
    To: focus-ids@securityfocus.com
    Date: Mon, 20 Sep 2004 20:14:28 -0400
    
    

    On Wednesday 15 September 2004 02:20, Zhuowei Li allegedly wrote:
    > Hi,
    >
    > I am confused by the terms 'false positive rate' and 'false alarm
    > rate' within the context of intrusion detection. Does anybody know
    > what the exact definition is for these two terms?
    >
    > Some literature says 'false positive rate = false alarm rate', which
    > is the number of false alarms divided by the number of alarms (true
    > and false).
    >
    > Others say the false positive rate is not equal to the false alarm
    > rate: the false alarm rate is the same as the above definition, but
    > the false positive rate is "the total number of normal instances that
    > were incorrectly classified as intrusions divided by the total number
    > of normal instances".
    >
    > Who is right and who is wrong within the context of intrusion detection?

    False positives are cases (in the case of I[DP]S) in which an
    event that is *not* an intrusion attempt is labelled as an intrusion
    attempt. A false negative is a case in which an intrusion attempt is
    labelled as a non-attempt. In signal detection theory (of which this
    is an instance) a false positive is the same thing as a false alarm.
    See, for instance, http://psych.hanover.edu/Krantz/STD/ or Google for
    "signal detection theory." There's lots of good information out there.

    Cheers,

    George Capehart

    -- 
    George W. Capehart
    Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70 34EA
    "With sufficient thrust, pigs fly just fine."  -- RFC 1925
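
The two rate definitions quoted in the question, computed side by side on the same detector at two different intrusion base rates. This is an added example, not part of the original message; the function names, event counts and detector behaviour (one false alarm per 100 normal events, one miss per 10 intrusions) are constructed for illustration.

```python
from collections import Counter

def confusion(events):
    """events: iterable of (is_intrusion, alarmed) booleans -> TP/FP/TN/FN counts."""
    c = Counter()
    for is_intrusion, alarmed in events:
        if alarmed:
            c["TP" if is_intrusion else "FP"] += 1
        else:
            c["FN" if is_intrusion else "TN"] += 1
    return c

def false_alarms_per_alarm(c):
    """First definition in the question: false alarms / all alarms (true and false)."""
    alarms = c["FP"] + c["TP"]
    return c["FP"] / alarms if alarms else 0.0

def false_alarms_per_normal(c):
    """Second definition: normal instances flagged as intrusions / all normal instances."""
    normal = c["FP"] + c["TN"]
    return c["FP"] / normal if normal else 0.0

def make_events(n_normal, n_intrusion, fp_every, miss_every):
    """Constructed data: the detector flags every fp_every-th normal event
    and misses every miss_every-th intrusion."""
    normal = [(False, i % fp_every == 0) for i in range(n_normal)]
    attacks = [(True, i % miss_every != 0) for i in range(n_intrusion)]
    return normal + attacks

def compare(n_normal, n_intrusion):
    """Return (per-alarm ratio, per-normal ratio) for the same detector."""
    c = confusion(make_events(n_normal, n_intrusion, fp_every=100, miss_every=10))
    return false_alarms_per_alarm(c), false_alarms_per_normal(c)

if __name__ == "__main__":
    # Same detector, two traffic mixes: balanced, then intrusions rare.
    for n_normal, n_intrusion in [(10_000, 10_000), (100_000, 100)]:
        per_alarm, per_normal = compare(n_normal, n_intrusion)
        print(f"normal={n_normal} intrusions={n_intrusion} "
              f"per-alarm={per_alarm:.3f} per-normal={per_normal:.3f}")
```

The per-normal ratio depends only on the detector, while the per-alarm ratio also depends on how rare intrusions are in the traffic being measured, so a figure quoted without its denominator cannot be compared across reports.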
