IDS mailing list archives

Re: What is false alarm rate and false positive rate?


From: Jeffrey Denton <dentonj () gmail com>
Date: Mon, 20 Sep 2004 19:13:41 -0700

On Fri, 17 Sep 2004 19:41:56 -0400, Gautam Singaraju
<gautam.singaraju () gmail com> wrote:
> Hi,
> This is what I think about the difference between them...
> 
> False Positive: Is the intrusion detected when there is no intrusion.
> False Negative: is the intrusion not detected when there is an intrusion.
> 
> False Alarm: is the total of the false positives and false negatives.

Of course this is subject to debate, but a false alarm to me is when
someone makes a big deal out of a false positive or a false negative. 
If the false positive/negative is recognized for what it is, then it's
not a false alarm.  The rest of your math will be either true or false
depending on what you accept as a definition of a false alarm.

This doesn't take into account when someone realizes (later!) that
some event turned out to be a false alarm, but that information wasn't
passed on for fear of looking stupid, being twisted to further some
agenda (either way), etc.  (No, I've never seen that happen before.
Of course I didn't do something like that myself...)
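As an added illustration (not part of this thread or either poster's words), the following constructed example computes the rates the thread argues about from a small labelled sample of IDS events. It shows the standard false positive rate (FP over all benign events) and false negative rate (FN over all intrusions) beside the "false alarm" total from the quoted definition, and adds precision to show why a low false positive rate can still mean most alerts are wrong when real intrusions are rare. All event data is constructed, not measured.

```python
from collections import Counter

# Constructed sample (not real data): (alert_fired, truly_an_intrusion)
# 3 true positives, 1 false negative, 2 false positives, 94 true negatives.
SAMPLE_EVENTS = (
    [(True, True)] * 3
    + [(False, True)] * 1
    + [(True, False)] * 2
    + [(False, False)] * 94
)


def confusion_counts(events):
    """Tally TP/FP/FN/TN from (alert, intrusion) pairs."""
    counts = Counter()
    for alert, intrusion in events:
        if alert and intrusion:
            counts["TP"] += 1
        elif alert and not intrusion:
            counts["FP"] += 1          # alert with no intrusion
        elif not alert and intrusion:
            counts["FN"] += 1          # intrusion with no alert
        else:
            counts["TN"] += 1
    return dict(counts)


def rates(counts):
    """Derive rates under the definitions discussed in the thread."""
    tp, fp, fn, tn = (counts.get(k, 0) for k in ("TP", "FP", "FN", "TN"))
    total = tp + fp + fn + tn

    def ratio(num, den):
        return num / den if den else 0.0

    return {
        # Standard definitions: each error divided by its own ground-truth class.
        "false_positive_rate": ratio(fp, fp + tn),
        "false_negative_rate": ratio(fn, fn + tp),
        # "False alarm" as the quoted message defines it: FP + FN over all events.
        "false_alarm_rate_quoted": ratio(fp + fn, total),
        # Share of alerts that were real; low when intrusions are rare (base rate).
        "precision": ratio(tp, tp + fp),
    }


if __name__ == "__main__":
    for name, value in rates(confusion_counts(SAMPLE_EVENTS)).items():
        print(f"{name:25s} {value:.4f}")
```

With 2 false positives against 94 benign events the false positive rate is about 2%, yet 2 of every 5 alerts are wrong, which is the gap an analyst actually feels.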

