IDS mailing list archives

Re: Network hardware IPS


From: "George W. Capehart" <gwc () acm org>
Date: Wed, 8 Oct 2003 09:25:15 -0400

On Monday 06 October 2003 06:01 pm, Dave Killion wrote:

Stefano,

Perhaps I may have misunderstood some of your points, but the fact
remains that I can decrease FP without affecting DR, something that
you said wasn't possible:

Do you notice something? You _CAN_ reduce by any factor (92%, 95%,
99.9999%) the FP rate - but you WILL, always, without doubt, pay a
price in detection rate terms.

My examples were to point out the fact that DR is not directly
related to FP - and that you do *not* ALWAYS have a decrease in DR when
reducing FP.

There have been several discussions on this list generally having to do 
with this topic and similar ones.  I've waited for someone to bring up 
signal detection theory, but so far no one has, so I'll be the pedant.   
;-]  I'm willing to chance the flames because I think that there really 
is some value in these discussions, and I believe the formalism of 
signal detection theory will significantly enhance the discussions as 
well as aid in coming up with solutions.  It was first developed early 
in the last century to aid in understanding problems in signal 
processing in telecommunications.  Since then it has been applied in 
many different contexts, from radar and sonar to medical imaging and 
the study of the Central Nervous System.  I think that understanding 
the effect that criterion, spread of the noise and signal distributions 
(probability of occurrence curves), the discriminability index, and 
information have on the detection process and the receiver operating 
characteristic would help in two ways.  Firstly, it would provide a 
common base of understanding and meaning of terms.  Secondly, it would 
actually make tuning IDSs easier.

Below are some URLs to intros to SDT and a reference for a great book if 
there is further interest.  Google will turn up lots of references and 
Amazon has many books on the subject.  IMVHO, some exposure to SDT 
would be *very* useful to those who are responsible for selecting, 
implementing and tuning IDSs.

http://wise.cgu.edu/sdt/index.html
http://sucia.stanford.edu/~lera/psych115s/notes/signal/
http://white.stanford.edu/~heeger/sdt/sdt.html
http://epsych.msstate.edu/deliberate/sig_det/index.html

_Signal_Detection_Theory_ by Vyacheslav P. Tuzlukov
ISBN 0-8176-4152-1

My $0.02.
--
George Capehart

"I'd rather have a bottle in front of me than a frontal lobotomy."
  -- Unknown
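As an added illustration of the SDT terms the post refers to (not part of George's mail or either vendor's code), the following assumes the equal-variance Gaussian model: benign and attack scores are normals with unit standard deviation, separated by d'. It shows both moves from the thread side by side: raising the criterion cuts FP at the cost of DR, while increasing d' with the criterion re-set to hold DR fixed cuts FP alone.

```python
"""Equal-variance signal detection model of an IDS alert threshold.

Benign events ("noise") and attacks ("signal") each produce an anomaly score
drawn from a unit-variance normal; the signal mean sits d' above the noise
mean (fixed at 0). An alert fires when the score exceeds the criterion c.
"""
from statistics import NormalDist

Z = NormalDist()  # standard normal; cdf() and inv_cdf() are in the stdlib


def rates(d_prime, criterion):
    """Return (false-positive rate, detection rate) for one operating point."""
    fp = 1.0 - Z.cdf(criterion)             # noise scored above c
    dr = 1.0 - Z.cdf(criterion - d_prime)   # signal scored above c
    return fp, dr


def criterion_for_dr(d_prime, target_dr):
    """Criterion giving a chosen detection rate: P(score > c | attack) = target_dr."""
    return d_prime + Z.inv_cdf(1.0 - target_dr)


def estimate_d_prime(fp, dr):
    """Recover d' from a measured (FP, DR) pair: d' = z(DR) - z(FP)."""
    return Z.inv_cdf(dr) - Z.inv_cdf(fp)


def raise_criterion(d_prime, c_old, c_new):
    """Stefano's move: same detector, higher threshold. Both FP and DR fall."""
    return rates(d_prime, c_old), rates(d_prime, c_new)


def improve_discriminability(d_old, d_new, target_dr):
    """Dave's move: a better detector (larger d'), criterion re-set so DR is
    unchanged. FP falls while DR stays put."""
    return (rates(d_old, criterion_for_dr(d_old, target_dr)),
            rates(d_new, criterion_for_dr(d_new, target_dr)))


if __name__ == "__main__":
    for label, (before, after) in (
        ("raise criterion 1.0 -> 2.0 at d'=2", raise_criterion(2.0, 1.0, 2.0)),
        ("d' 2 -> 3, DR held at 0.90", improve_discriminability(2.0, 3.0, 0.90)),
    ):
        print(f"{label}: FP {before[0]:.3f} -> {after[0]:.3f}, "
              f"DR {before[1]:.3f} -> {after[1]:.3f}")
    print("d' recovered from (FP, DR):", round(estimate_d_prime(*rates(2.0, 1.0)), 6))
```

Feeding a tuned sensor's measured FP and DR into estimate_d_prime tells you whether a change moved the criterion (same d') or actually improved discriminability (larger d'), which is the distinction the two posters are arguing over.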

