IDS mailing list archives

Re: What is false alarm rate and false positive rate?


From: George Capehart <gwc () acm org>
Date: Mon, 20 Sep 2004 20:14:28 -0400

On Wednesday 15 September 2004 02:20, Zhuowei Li allegedly wrote:
> Hi,
>
> I am confused by the terms 'false positive rate' and 'false alarm
> rate' within the context of intrusion detection. Does anybody know
> what's the exact definition for these two terms?
>
> Some literatures said 'false positive rate = false alarm rate', which
> is the number of false alarms divided by the number of alarms (true and
> false).
>
> Others said false positive rate is not equal to false alarm rate, the
> false alarm rate is the same above definition, but the false positive
> rate is "the total number of normal instances that were incorrectly
> classified as intrusions divided by the total number of normal
> instances"
>
> Who is true, who is wrong within the context of intrusion detection?

False positives are cases in which (in the case of I[DP]S) an
event that is *not* an intrusion attempt is labelled as an intrusion
attempt.  A false negative is a case in which an intrusion attempt is
labelled as a non-attempt.  In signal detection theory (of which this
is an instance) a false positive is the same thing as a false alarm.
See, for instance, http://psych.hanover.edu/Krantz/STD/ or Google for
"signal detection theory."  There's lots of good information out there.

Cheers,

George Capehart
-- 
George W. Capehart

Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70 34EA

"With sufficient thrust, pigs fly just fine."  -- RFC 1925
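
Added example, not part of the original message: the two ratios quoted in the question, computed over constructed labelled events for one detector seen under two different traffic mixes. The event counts, function names and result keys are assumptions made for illustration.

```python
from collections import Counter

def confusion(events):
    """events: iterable of (is_intrusion, alarmed) pairs -> TP/FP/TN/FN counts."""
    c = Counter({"TP": 0, "FP": 0, "TN": 0, "FN": 0})
    for is_intrusion, alarmed in events:
        if alarmed:
            c["TP" if is_intrusion else "FP"] += 1
        else:
            c["FN" if is_intrusion else "TN"] += 1
    return c

def rates(c):
    """Both ratios from the question; None when the denominator is zero."""
    alarms = c["TP"] + c["FP"]   # every alarm raised, true and false
    normal = c["FP"] + c["TN"]   # every normal (non-intrusion) instance
    return {
        # "false alarms divided by the number of alarms (true and false)"
        "fp_per_alarm": c["FP"] / alarms if alarms else None,
        # "normal instances incorrectly classified as intrusions
        #  divided by the total number of normal instances"
        "fp_per_normal": c["FP"] / normal if normal else None,
    }

def make_events(n_normal, n_intrusion, fp, tp):
    """Constructed data: detector alarms on fp normal and tp intrusion events."""
    return ([(False, True)] * fp + [(False, False)] * (n_normal - fp)
            + [(True, True)] * tp + [(True, False)] * (n_intrusion - tp))

# Constructed scenario A: intrusions are rare (20 among 10,020 events).
# The detector alarms on 1% of normal events and 90% of intrusions.
rare = rates(confusion(make_events(10_000, 20, fp=100, tp=18)))

# Constructed scenario B: same detector behaviour, intrusions are common.
common = rates(confusion(make_events(1_000, 200, fp=10, tp=180)))

if __name__ == "__main__":
    for name, r in (("rare intrusions", rare), ("common intrusions", common)):
        print(f"{name:18s} FP/normal = {r['fp_per_normal']:.3f}   "
              f"FP/alarms = {r['fp_per_alarm']:.3f}")
```

FP/normal is 0.010 in both scenarios, while FP/alarms is about 0.847 when intrusions are rare and about 0.053 when they are common, so the second ratio depends on the traffic mix as well as on the detector.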


