答复: What is false alarm rate and false positive rate?

[Helios Xu <xu_hui () pku edu cn>]

Hi,

There is a problem here. In your mail, False negative rate is the total
number of false negatives divided by total number of alarms. I don't think
this rate means something. False positive rate is a criterion of the quality
of the alarm set of an IDS. But what does this false negative rate mean?

If we want to know the rate of missed detection of an IDS, we should let the
total number of false negatives be divided by the total number of real
attacks. 


Helios

-----邮件原件-----
发件人: Gautam Singaraju [mailto:gautam.singaraju () gmail com] 
发送时间: 2004年9月18日 7:42
收件人: Zhuowei Li
抄送: Rob Shein; focus-ids () securityfocus com
主题: Re: What is false alarm rate and false positive rate?

Hi,
This is what I think about the difference between them...

False Positive: Is the intrusion detected when there is no intrusion.
False Negative: is the intrusion not detected when there is an intrusion.

False Alarm: is the total of the false positives and false negatives.

In a typical deployment of Intrusion Detection System, it is difficult
to find the number of false negatives. This means that some consider
to ignore these and consider False Alarm = False Positives.

A rate hence would be a total number of false
positives/negatives/alarms divided by total number of alarms both true
and false.

Hence for testing an IDS, False Alarm Rate = False Positive Rate+
False Negative Rate.
And for an industry installation, False Alarm Rate = False Positive Rate.


On Fri, 17 Sep 2004 09:21:39 +0800, Zhuowei Li <zhuowei () gmail com> wrote:
> Hi,
>
> > Martin Roesch did a fantastic way of shedding light on this question.
The
> > short answer is "neither," but it comes down to this question:  If the
IDS
> > sees an OpenSSL attack go towards an IIS server that isn't using
OpenSSL, is
> > that a false alarm or not?  It's definitely not as useful as it would be
as
> > an alert if the attack were aimed at an actual OpenSSL listener, but
it's
> > not as useless as a complete false alarm that alerts on something that
> > didn't happen at all.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Under such scenario, if it is in signature-based intrusion detection,
> it is yes since one of its tasks is to identify the intrusion
> correctly for the purpose of response. However, in anomaly-based
> intrusion detection, there is no such task, the only we can do for
> anomaly-based is to alert that there is an anomaly occurs in the
> system. That's a true alarm, right?
>
> Since Roesch's focus is on the signature-based, I think his/her
> example is applicable only for his/her focus. For anomaly-based
> intrusion detection, it is a different picture we should draw. right?
>
> Thanks.
>
> Li
> _______________________________________
> http://www.cais.ntu.edu.sg/~zhuowei
>
> > > -----Original Message-----
> > > From: Zhuowei Li [mailto:zhuowei () gmail com]
> > > Sent: Wednesday, September 15, 2004 2:21 AM
> > > To: focus-ids () securityfocus com
> > > Subject: What is false alarm rate and false positive rate?
> > >
> > >
> > > Hi,
> > >
> > > I am confused by the terms 'false positive rate' and 'false
> > > alarm rate' within the context of intrusion detection. Does
> > > anybody about what's the exact definition for these two terms?
> > >
> > > Some literatures said 'false positive rate = false alarm
> > > rate', which the number of false alarms divided by the number
> > > of alarms (true and false).
> > >
> > > Other said false positive rate is not equal to false alarm
> > > rate, the false alarm rate is the same above definition, but
> > > the false positive rate is "the total number of normal
> > > instances that were incorrectly classified as intrusions
> > > divided by the total number of normal instances"
> > >
> > > Who is true, who is wrong within the context of intrusion detection?
> > >
> > > Thanks.
> > >
> > > --------------------------------------------------------------
> > > ------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world
> > > attacks from CORE IMPACT. Go to
> > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> > 0708 to learn more.
--------------------------------------------------------------------------
> >
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
> --------------------------------------------------------------------------



-- 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
Itsme,GautamSingaraju;)
-----END PGP PUBLIC KEY BLOCK-----

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------