Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: What is false alarm rate and false positive rate?

from [Zhuowei Li] Network Security [Permanent Link]
Subject: Re: What is false alarm rate and false positive rate?
Date: Fri, 17 Sep 2004 09:21:39 +0800 
Hi,


Martin Roesch did a fantastic way of shedding light on this question.  The
short answer is "neither," but it comes down to this question:  If the IDS
sees an OpenSSL attack go towards an IIS server that isn't using OpenSSL, is
that a false alarm or not?  It's definitely not as useful as it would be as
an alert if the attack were aimed at an actual OpenSSL listener, but it's
not as useless as a complete false alarm that alerts on something that
didn't happen at all.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Under such scenario, if it is in signature-based intrusion detection,
it is yes since one of its tasks is to identify the intrusion
correctly for the purpose of response. However, in anomaly-based
intrusion detection, there is no such task, the only we can do for
anomaly-based is to alert that there is an anomaly occurs in the
system. That's a true alarm, right?

Since Roesch's focus is on the signature-based, I think his/her
example is applicable only for his/her focus. For anomaly-based
intrusion detection, it is a different picture we should draw. right?

Thanks.

Li
_______________________________________
http://www.cais.ntu.edu.sg/~zhuowei
 




-----Original Message-----
From: Zhuowei Li [mailto:zhuowei@gmail.com]
Sent: Wednesday, September 15, 2004 2:21 AM
To: focus-ids@securityfocus.com
Subject: What is false alarm rate and false positive rate?


Hi,

I am confused by the terms 'false positive rate' and 'false
alarm rate' within the context of intrusion detection. Does
anybody about what's the exact definition for these two terms?

Some literatures said 'false positive rate = false alarm
rate', which the number of false alarms divided by the number
of alarms (true and false).

Other said false positive rate is not equal to false alarm
rate, the false alarm rate is the same above definition, but
the false positive rate is "the total number of normal
instances that were incorrectly classified as intrusions
divided by the total number of normal instances"

Who is true, who is wrong within the context of intrusion detection?

Thanks.

--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04

0708 to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IPS, alternative solutions, Jason
Next by Date:  Re: Wishlist for IPS Products, PS R
Previous by Thread:  RE: What is false alarm rate and false positive rate?, Rob Shein
Next by Thread:  RE: What is false alarm rate and false positive rate?, Rob Shein
Indexes:  [Date] [Thread] [Top] [All Lists]