IDS mailing list archives
Re: Network hardware IPS
From: "George W. Capehart" <gwc () acm org>
Date: Wed, 8 Oct 2003 09:25:15 -0400
On Monday 06 October 2003 06:01 pm, Dave Killion wrote:
> Stefano,
>
> Perhaps I may have misunderstood some of your points, but the fact remains that I can decrease FP without affecting DR, something that you said wasn't possible:
>
> > Do you notice something ? You _CAN_ reduce by any factor (92%, 95%, 99.9999%) the FP rate - but you WILL, always, without doubt, pay a price in detection rate terms.
>
> My examples were to point out the fact that DR is not directly related to FP - and that you do *not* ALWAYS have a decrease in DR when reducing FP.
There have been several discussions on this list generally having to do with this topic and similar ones. I've waited for someone to bring up signal detection theory, but so far no one has, so I'll be the pedant. ;-] I'm willing to chance the flames because I think that there really is some value in these discussions, and I believe the formalism of signal detection theory will significantly enhance the discussions as well as aid in coming up with solutions.

It was first developed early in the last century to aid in understanding problems in signal processing in telecommunications. Since then it has been applied in many different contexts, from radar and sonar to medical imaging and the study of the Central Nervous System. I think that understanding the effect that criterion, spread of the noise and signal distributions (probability of occurrence curves), the discriminability index, and information have on the detection process and the receiver operating characteristic would help in two ways. Firstly, it would provide a common base of understanding and meaning of terms. Secondly, it would actually make tuning IDSs easier.

Below are some URLs to intros to SDT and a reference for a great book if there is further interest. Google will turn up lots of references and Amazon has many books on the subject. IMVHO, some exposure to SDT would be *very* useful to those who are responsible for selecting, implementing and tuning IDSs.

http://wise.cgu.edu/sdt/index.html
http://sucia.stanford.edu/~lera/psych115s/notes/signal/
http://white.stanford.edu/~heeger/sdt/sdt.html
http://epsych.msstate.edu/deliberate/sig_det/index.html

_Signal_Detection_Theory_ by Vyacheslav P. Tuzlukov, ISBN 0-8176-4152-1

My $0.02.

--
George Capehart

"I'd rather have a bottle in front of me than a frontal lobotomy."
-- Unknown
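The quantities George names (criterion, spread of the noise and signal distributions, discriminability index d', and the receiver operating characteristic) can be put into a few lines of code, which also settles the FP-versus-DR argument above in numbers. The following is an added example for readers of the archive, not code from either poster; it assumes the textbook equal-variance Gaussian SDT model (benign alert scores ~ N(0, 1), attack scores ~ N(d', 1), an alert fires when score > criterion c), and the labelled scores in SAMPLE_SCORES are constructed for illustration. Moving the criterion to cut the false-alarm rate always lowers the hit rate in this model, but the size of the loss is governed by d': for a weak signature (d' = 1) going from c = 1 to c = 2 costs about 34 points of detection, for a sharp one (d' = 4) the same move costs about 2 points, which is how both "you always pay" and "I can reduce FP without affecting DR" can be true in practice.

```python
"""Signal detection theory applied to IDS tuning (added example).

Model: benign traffic yields an alert score drawn from N(0, 1) ("noise"),
attack traffic a score drawn from N(d', 1) ("signal"); the analyst's
criterion c fires an alert whenever score > c.  Raising c trades false
alarms against hits along the ROC curve; d' fixes which curve you are on.
"""
from __future__ import annotations

from statistics import NormalDist

STD_NORMAL = NormalDist(0.0, 1.0)


def rates(d_prime: float, criterion: float) -> tuple[float, float]:
    """Return (hit_rate, false_alarm_rate) for sensitivity d' and criterion c.

    hit_rate         = P(score > c | attack) = 1 - Phi(c - d')
    false_alarm_rate = P(score > c | benign) = 1 - Phi(c)
    """
    hit = 1.0 - STD_NORMAL.cdf(criterion - d_prime)
    false_alarm = 1.0 - STD_NORMAL.cdf(criterion)
    return hit, false_alarm


def d_prime_from_rates(hit_rate: float, false_alarm_rate: float) -> float:
    """Recover the discriminability index from measured rates: d' = z(H) - z(FA).

    Rates of exactly 0 or 1 are clamped because z() is unbounded there.
    """
    eps = 1e-9
    h = min(max(hit_rate, eps), 1.0 - eps)
    fa = min(max(false_alarm_rate, eps), 1.0 - eps)
    return STD_NORMAL.inv_cdf(h) - STD_NORMAL.inv_cdf(fa)


def criterion_for_false_alarm_rate(target_fa: float) -> float:
    """Criterion that yields the requested false-alarm rate (independent of d')."""
    return STD_NORMAL.inv_cdf(1.0 - target_fa)


def detection_rate_at_false_alarm(d_prime: float, target_fa: float) -> float:
    """Detection rate left once the analyst insists on target_fa false alarms."""
    hit, _ = rates(d_prime, criterion_for_false_alarm_rate(target_fa))
    return hit


def retune_cost(d_prime: float, old_criterion: float, new_criterion: float) -> dict:
    """False-alarm reduction and detection-rate cost of moving the criterion."""
    old_hit, old_fa = rates(d_prime, old_criterion)
    new_hit, new_fa = rates(d_prime, new_criterion)
    return {"fa_reduction": old_fa - new_fa, "dr_cost": old_hit - new_hit}


def roc_curve(d_prime: float, points: int = 9) -> list[tuple[float, float]]:
    """(false_alarm, hit) pairs as the criterion sweeps from lenient (-2) to strict (4)."""
    criteria = [-2.0 + 6.0 * i / (points - 1) for i in range(points)]
    curve = []
    for c in criteria:
        hit, fa = rates(d_prime, c)
        curve.append((fa, hit))
    return curve


# Constructed sample of (score, is_attack) pairs, as a tuning run might log them.
SAMPLE_SCORES = [
    (0.2, False), (-0.5, False), (1.3, False), (0.8, False), (2.4, False), (-1.1, False),
    (3.1, True), (1.9, True), (2.7, True), (0.6, True),
]


def empirical_rates(scores: list[tuple[float, bool]], criterion: float) -> tuple[float, float]:
    """Hit and false-alarm rate measured from labelled scores at a given criterion."""
    attacks = [s for s, is_attack in scores if is_attack]
    benign = [s for s, is_attack in scores if not is_attack]
    hit = sum(s > criterion for s in attacks) / len(attacks)
    fa = sum(s > criterion for s in benign) / len(benign)
    return hit, fa


if __name__ == "__main__":
    for d in (1.0, 4.0):
        cost = retune_cost(d, 1.0, 2.0)
        print(f"d'={d}: moving c from 1 to 2 cuts FA by {cost['fa_reduction']:.3f}, "
              f"costs {cost['dr_cost']:.3f} of detection rate")
    hit, fa = empirical_rates(SAMPLE_SCORES, 1.0)
    print(f"sample run at c=1: H={hit:.2f} FA={fa:.2f} d'={d_prime_from_rates(hit, fa):.2f}")
```

The practical reading for tuning: measure H and FA for a signature over a labelled sample, compute d', and then use the ROC curve rather than the raw FP count to decide whether a stricter threshold is affordable. A signature whose d' is near 1 cannot be "fixed" by raising the threshold; it needs a better feature (more information), which is what moves d' itself.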