IDS mailing list archives
Re: What is false alarm rate and false positive rate?
From: Gautam Singaraju <gautam.singaraju () gmail com>
Date: Fri, 17 Sep 2004 19:41:56 -0400
Hi,

This is what I think about the difference between them...

False Positive: is an intrusion detected when there is no intrusion.
False Negative: is an intrusion not detected when there is an intrusion.
False Alarm: is the total of the false positives and false negatives.

In a typical deployment of an Intrusion Detection System, it is difficult to find the number of false negatives. This means that some choose to ignore these and consider False Alarm = False Positives.

A rate hence would be the total number of false positives/negatives/alarms divided by the total number of alarms, both true and false. Hence for testing an IDS, False Alarm Rate = False Positive Rate + False Negative Rate. And for an industry installation, False Alarm Rate = False Positive Rate.

On Fri, 17 Sep 2004 09:21:39 +0800, Zhuowei Li <zhuowei () gmail com> wrote:
Hi,

Martin Roesch had a fantastic way of shedding light on this question. The short answer is "neither," but it comes down to this question: If the IDS sees an OpenSSL attack go towards an IIS server that isn't using OpenSSL, is that a false alarm or not? It's definitely not as useful as it would be as an alert if the attack were aimed at an actual OpenSSL listener, but it's not as useless as a complete false alarm that alerts on something that didn't happen at all.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Under such a scenario, in signature-based intrusion detection the answer is yes, since one of its tasks is to identify the intrusion correctly for the purpose of response. However, in anomaly-based intrusion detection there is no such task; the only thing we can do for anomaly-based detection is to alert that an anomaly occurs in the system. That's a true alarm, right? Since Roesch's focus is on signature-based detection, I think his/her example is applicable only to that focus. For anomaly-based intrusion detection, it is a different picture we should draw, right?

Thanks.

Li
_______________________________________
http://www.cais.ntu.edu.sg/~zhuowei

-----Original Message-----
From: Zhuowei Li [mailto:zhuowei () gmail com]
Sent: Wednesday, September 15, 2004 2:21 AM
To: focus-ids () securityfocus com
Subject: What is false alarm rate and false positive rate?

Hi,

I am confused by the terms 'false positive rate' and 'false alarm rate' within the context of intrusion detection. Does anybody know the exact definition of these two terms?

Some literature says 'false positive rate = false alarm rate', which is the number of false alarms divided by the number of alarms (true and false). Others said the false positive rate is not equal to the false alarm rate: the false alarm rate is the same as the above definition, but the false positive rate is "the total number of normal instances that were incorrectly classified as intrusions divided by the total number of normal instances".

Who is right, who is wrong within the context of intrusion detection?

Thanks.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
--
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

Itsme,GautamSingaraju;)
-----END PGP PUBLIC KEY BLOCK-----
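The two definitions Zhuowei Li contrasts in his original question, the per-normal-instance one ("false positive rate": normal instances flagged as intrusions over all normal instances) and the per-alarm one ("false alarm rate": false alarms over all alarms, true and false), worked through side by side on a constructed set of IDS verdicts. This is an added example, not code from anyone in the thread. The scenario (10,000 benign events, 10 real intrusions, a sensor with a 1% per-event false positive rate that catches 8 of the 10) is constructed, and all function and field names are assumptions of this example rather than anything from the thread.

```python
"""Two readings of "false alarm rate" vs "false positive rate", computed
side by side on a constructed set of IDS verdicts (added example)."""

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Counts:
    tp: int  # intrusions that raised an alert
    fp: int  # normal events that raised an alert (false alarms)
    tn: int  # normal events that stayed quiet
    fn: int  # intrusions that stayed quiet (misses)


def count_outcomes(events: Iterable[Tuple[bool, bool]]) -> Counts:
    """Tally (is_intrusion, alerted) pairs into the four outcome classes."""
    tp = fp = tn = fn = 0
    for is_intrusion, alerted in events:
        if is_intrusion and alerted:
            tp += 1
        elif is_intrusion:
            fn += 1
        elif alerted:
            fp += 1
        else:
            tn += 1
    return Counts(tp, fp, tn, fn)


def false_positive_rate(c: Counts) -> float:
    """Per-normal-instance definition quoted in the thread:
    normal instances flagged as intrusions / all normal instances."""
    normal = c.fp + c.tn
    return c.fp / normal if normal else 0.0


def false_negative_rate(c: Counts) -> float:
    """Intrusions that produced no alert / all intrusions."""
    intrusions = c.tp + c.fn
    return c.fn / intrusions if intrusions else 0.0


def false_alarm_rate(c: Counts) -> float:
    """Per-alarm definition quoted in the thread:
    false alarms / all alarms raised (true and false)."""
    alarms = c.tp + c.fp
    return c.fp / alarms if alarms else 0.0


def false_alarm_rate_from_rates(fpr: float, detection_rate: float,
                                base_rate: float) -> float:
    """The same per-alarm quantity expressed through the sensor's rates and
    the fraction of events that are actually hostile (the base rate).
    Equals false_alarm_rate() when fed the rates derived from one Counts."""
    false_alarms = fpr * (1.0 - base_rate)
    true_alarms = detection_rate * base_rate
    total = false_alarms + true_alarms
    return false_alarms / total if total else 0.0


def build_sample(n_normal: int, n_intrusion: int,
                 n_false_alarms: int, n_missed: int) -> List[Tuple[bool, bool]]:
    """Constructed verdict list (not real sensor output): n_normal benign
    events of which n_false_alarms alert, and n_intrusion hostile events
    of which n_missed go undetected."""
    events = [(False, True)] * n_false_alarms
    events += [(False, False)] * (n_normal - n_false_alarms)
    events += [(True, True)] * (n_intrusion - n_missed)
    events += [(True, False)] * n_missed
    return events


# Constructed scenario: 10,000 benign events, 10 real intrusions, and a
# sensor with a 1% per-event false positive rate that catches 8 of the 10.
SAMPLE = build_sample(n_normal=10_000, n_intrusion=10,
                      n_false_alarms=100, n_missed=2)


def summarize(events: Iterable[Tuple[bool, bool]] = SAMPLE) -> dict:
    """Return every rate discussed in the thread for one verdict list."""
    c = count_outcomes(events)
    base_rate = (c.tp + c.fn) / (c.tp + c.fp + c.tn + c.fn)
    return {
        "counts": c,
        "false_positive_rate": false_positive_rate(c),
        "false_negative_rate": false_negative_rate(c),
        "false_alarm_rate": false_alarm_rate(c),
        "false_alarm_rate_from_rates": false_alarm_rate_from_rates(
            false_positive_rate(c), 1.0 - false_negative_rate(c), base_rate),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

On the constructed numbers the two quantities diverge sharply: the per-normal-instance false positive rate is 0.01, while the per-alarm false alarm rate is 100/108, about 0.93, because benign events outnumber intrusions a thousand to one. `false_alarm_rate_from_rates` makes that dependence on the base rate explicit, which is why a figure quoted without stating its denominator is hard to compare across papers or products.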
Current thread:
- What is false alarm rate and false positive rate? Zhuowei Li (Sep 15)
- RE: What is false alarm rate and false positive rate? Rob Shein (Sep 17)
- Re: What is false alarm rate and false positive rate? Zhuowei Li (Sep 17)
- RE: What is false alarm rate and false positive rate? Rob Shein (Sep 17)
- Re: What is false alarm rate and false positive rate? Gautam Singaraju (Sep 20)
- Re: What is false alarm rate and false positive rate? Jeffrey Denton (Sep 21)
- Reply: What is false alarm rate and false positive rate? Helios Xu (Sep 21)
- Re: What is false alarm rate and false positive rate? Zhuowei Li (Sep 17)
- RE: What is false alarm rate and false positive rate? Rob Shein (Sep 17)
- Re: What is false alarm rate and false positive rate? George Capehart (Sep 21)