
| Subject: | Re: What is false alarm rate and false positive rate? |
|---|---|
| Date: | Mon, 20 Sep 2004 20:14:28 -0400 |

On Wednesday 15 September 2004 02:20, Zhuowei Li allegedly wrote:

> Hi, I am confused by the terms 'false positive rate' and 'false alarm rate' within the context of intrusion detection. Does anybody know what the exact definition is for these two terms? Some literature said 'false positive rate = false alarm rate', which is the number of false alarms divided by the number of alarms (true and false). Others said the false positive rate is not equal to the false alarm rate: the false alarm rate is the same as the above definition, but the false positive rate is "the total number of normal instances that were incorrectly classified as intrusions divided by the total number of normal instances". Who is right, who is wrong within the context of intrusion detection?

False positives are cases (in the case of I[DP]S) in which an event that is *not* an intrusion attempt is labelled as an intrusion attempt. A false negative is a case in which an intrusion attempt is labelled as a non-attempt. In signal detection theory (of which this is an instance) a false positive is the same thing as a false alarm. See, for instance, http://psych.hanover.edu/Krantz/STD/ or Google for "signal detection theory." There's lots of good information out there.

Cheers,

George Capehart

--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925
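
The two ratios quoted in the question, computed over constructed labelled events. This is an added example, not part of the original thread; the function names and event counts are assumptions made for illustration. It goes one step beyond the thread by running the same detector against two traffic mixes, which shows which ratio moves with the share of real intrusions.

```python
from collections import Counter

def tally(events):
    """Count confusion-matrix cells from (is_intrusion, alarmed) pairs."""
    cells = Counter()
    for is_intrusion, alarmed in events:
        if alarmed:
            cells["TP" if is_intrusion else "FP"] += 1
        else:
            cells["FN" if is_intrusion else "TN"] += 1
    return cells

def false_alarms_per_alarm(cells):
    """First ratio in the question: false alarms / all alarms = FP / (FP + TP).
    Elsewhere this is called the false discovery rate (1 - precision)."""
    alarms = cells["FP"] + cells["TP"]
    return cells["FP"] / alarms if alarms else 0.0

def false_alarms_per_normal(cells):
    """Second ratio in the question: normal instances flagged as intrusions /
    all normal instances = FP / (FP + TN)."""
    normal = cells["FP"] + cells["TN"]
    return cells["FP"] / normal if normal else 0.0

def sample(intrusions, detected, normals, false_alarms):
    """Constructed ground truth: (is_intrusion, alarmed) for every event."""
    return ([(True, True)] * detected
            + [(True, False)] * (intrusions - detected)
            + [(False, True)] * false_alarms
            + [(False, False)] * (normals - false_alarms))

# Same detector behaviour in both mixes: 90% of intrusions detected,
# 1% of normal events flagged. Only the number of intrusions differs.
RARE = tally(sample(intrusions=20, detected=18, normals=10000, false_alarms=100))
COMMON = tally(sample(intrusions=2000, detected=1800, normals=10000, false_alarms=100))

if __name__ == "__main__":
    for name, cells in (("rare intrusions", RARE), ("common intrusions", COMMON)):
        print(f"{name}: {dict(cells)}")
        print(f"  FP/(FP+TP) = {false_alarms_per_alarm(cells):.3f}")
        print(f"  FP/(FP+TN) = {false_alarms_per_normal(cells):.3f}")
```

FP/(FP+TN) is identical in both mixes because it depends only on how the detector treats normal traffic, while FP/(FP+TP) changes with how many real intrusions are present.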