False positive, false intrusion, false alarm
What is the real difference between these three terms, please?
Different sources give the following:

A false positive, also called a Type I error, exists when a test incorrectly reports that it has found a positive result where none really exists. Alternatively, a Type I error can be thought of as an incorrect rejection of the null hypothesis - accepting the alternative hypothesis even though the null hypothesis was true.

False positives / false alarm: an event that is picked up by the IDS and declared an attack but is actually benign.

False alarm: occurs when an intrusion detection system activates for no apparent cause or reason.

False alarm (subscriber or user oriented): occurs when an intrusion detection system activates as a result of improper use by the subscriber or a user.

False intrusion is a false alarm, when there is no need of any alarm.

A false positive is when legitimate traffic is picked up as an intruder.

Thanks in advance!
Re: False positive, false intrusion, false alarm
On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in article <HOB2g.61052$WI1.47547@pd7tw2no>, Nick wrote:

> What is the real difference between these three terms, please?

Depends on context, and the mind of the person making the statement.

A "False Positive" is normally used in such areas as medicine (which can sorta carry over into spam/virus/malware) or military action. It generally means that the subject was classified as "true" (that is, a virus) AND action was taken (quarantine, missile launch, whatever) based on that classification - although in fact the subject was not "true" (it just looked like a virus). There is the corresponding "False Negative". This generally defines the result of an analysis that gave the "wrong" result. In all of the use I've seen, it is less commonly the result of malicious actions - someone set out to get a false response.

A "False Alarm" is a term in a security field - also common in fire fighting. This could also be the result of bad analysis (motion detector triggered by wind, fire detector triggered by dust particles) or it could be malicious - kids pulled the fire alarm signal at school or on the pole down at the corner. There may be action taken, but it's _usually_ not as fatal (fire trucks roll, compared to strategic missile launch).

"False Intrusion" is a false alarm on an intrusion detection system. It may result in fatal or non-fatal results to the perp. This could be a result of malicious action, or bad analysis.

Old guy
Re: False positive, false intrusion, false alarm
"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message news:slrne4nmd0.ss.ibuprofin@compton.phx.az.us...

> On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in article <HOB2g.61052$WI1.47547@pd7tw2no>, Nick wrote:
>
>> What is the real difference between these three terms, please?
>
> Depends on context, and the mind of the person making the statement.
>
> A "False Positive" is normally used in such areas as medicine (which can sorta carry over into spam/virus/malware) or military action. It generally means that the subject was classified as "true" (that is, a virus) AND action was taken (quarantine, missile launch, whatever) based on that classification - although in fact the subject was not "true" (it just looked like a virus). There is the corresponding "False Negative". This generally defines the result of an analysis that gave the "wrong" result. In all of the use I've seen, it is less commonly the result of malicious actions - someone set out to get a false response.
>
> A "False Alarm" is a term in a security field - also common in fire fighting. This could also be the result of bad analysis (motion detector triggered by wind, fire detector triggered by dust particles) or it could be malicious - kids pulled the fire alarm signal at school or on the pole down at the corner. There may be action taken, but it's _usually_ not as fatal (fire trucks roll, compared to strategic missile launch).
>
> "False Intrusion" is a false alarm on an intrusion detection system. It may result in fatal or non-fatal results to the perp. This could be a result of malicious action, or bad analysis.
>
> Old guy

Thanks for your explanation. Examples always help :)

I used to think that a false positive is when authorized users are not accepted :(

The Security+ guide by Mike Pastore and Emmett Dulaney has: false positive - a flagged event that isn't really an event and has been falsely triggered (glossary, p. 448).

The Security+ guide by Mark Ciampa has: false positive - an action by a biometric device that accepts unauthorized users (glossary, p. 510).

New guy :)
Re: False positive, false intrusion, false alarm
On Wed, 26 Apr 2006, in the Usenet newsgroup alt.computer.security, in article <kvA3g.72738$P01.26325@pd7tw3no>, new guy wrote:

> Thanks for your explanation. Examples always help :)

The problem is that this is a live language situation. The definitions are not cast in stone and fully agreed upon.

> I used to think that a false positive is when authorized users are not accepted :(

Depends where you are looking at the situation. The authentication mechanism did not authorize the person who should be - that's a 'false negative'. The authentication mechanism did determine that the person is a bad guy - that's a 'false positive'. See me pulling my hair?

Old guy
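As an added worked example (not part of the thread and not code posted by any of its participants), here is the four-way classification the posters keep circling, counted over a small constructed set of IDS decisions, with the rates a detection engineer actually tunes (precision, recall, false-positive rate), the base-rate effect that makes false alarms dominate when attacks are rare, and a helper that labels an authentication decision under either reading of "positive" that the last two posts disagree about. The sample events, the 0.1 % / 99 % / 1 % figures and the function names are all constructed for illustration.

```python
"""Outcome labels for a detector, worked on constructed data.

Added example, not code from the thread. The sample events and the
rates used below are made up to illustrate the terminology.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample of IDS decisions: (actually_malicious, ids_alerted).
# "Positive" here follows the thread's IDS usage: the detector declared an attack.
SAMPLE_EVENTS: List[Tuple[bool, bool]] = [
    (True, True),    # real attack, alert raised        -> true positive
    (True, False),   # real attack, no alert            -> false negative (missed)
    (False, True),   # admin's port scan, alert raised  -> false positive (false alarm)
    (False, False),  # ordinary traffic, silent         -> true negative
    (False, True),   # backup job tripped a signature   -> false positive
    (True, True),    # another caught attack            -> true positive
    (False, False),
    (False, False),
    (False, False),
    (False, False),
]


def confusion(events: Iterable[Tuple[bool, bool]]) -> Dict[str, int]:
    """Count TP / FP / FN / TN over (actual, alerted) pairs."""
    counts = Counter({"TP": 0, "FP": 0, "FN": 0, "TN": 0})
    for actual, alerted in events:
        if alerted:
            counts["TP" if actual else "FP"] += 1
        else:
            counts["FN" if actual else "TN"] += 1
    return dict(counts)


def rates(c: Dict[str, int]) -> Dict[str, float]:
    """Precision (fraction of alerts that were real), recall / true-positive
    rate (fraction of attacks that were caught) and false-positive rate
    (fraction of benign events that raised an alert)."""
    return {
        "precision": c["TP"] / (c["TP"] + c["FP"]),
        "recall": c["TP"] / (c["TP"] + c["FN"]),
        "fpr": c["FP"] / (c["FP"] + c["TN"]),
    }


def p_attack_given_alert(prevalence: float, tpr: float, fpr: float) -> float:
    """Bayes' rule: P(attack | alert). When attacks are rare, even a low FPR
    means most alerts are false alarms (the base-rate problem)."""
    p_alert = prevalence * tpr + (1.0 - prevalence) * fpr
    return prevalence * tpr / p_alert


def auth_outcome(authorized: bool, accepted: bool, positive: str) -> str:
    """Label an authentication decision TP / FP / FN / TN.

    The label depends on what "positive" means, which is exactly the
    disagreement in the thread:
      positive="accept": the system asserts "this person is legitimate"
                         (the biometric textbook reading: accepting an
                         unauthorized user is a false positive).
      positive="reject": the system asserts "this person is an intruder"
                         (the IDS reading: rejecting an authorized user is
                         a false positive).
    """
    if positive not in ("accept", "reject"):
        raise ValueError("positive must be 'accept' or 'reject'")
    flagged = accepted if positive == "accept" else not accepted
    truly = authorized if positive == "accept" else not authorized
    if flagged:
        return "TP" if truly else "FP"
    return "FN" if truly else "TN"


if __name__ == "__main__":
    c = confusion(SAMPLE_EVENTS)
    print("counts:", c)  # {'TP': 2, 'FP': 2, 'FN': 1, 'TN': 5}
    print("rates:", rates(c))
    # Constructed figures: 1 attack per 1000 events, 99% detection, 1% FPR.
    print("P(attack | alert):", p_attack_given_alert(0.001, 0.99, 0.01))
    for auth, acc in [(True, False), (False, True)]:
        print(f"authorized={auth} accepted={acc}:",
              "accept-positive ->", auth_outcome(auth, acc, "accept"),
              "| reject-positive ->", auth_outcome(auth, acc, "reject"))
```

Two things worth noticing when you run it: a detector that misses only 1 % of attacks and false-alarms on only 1 % of benign traffic still produces alerts that are about 90 % false when attacks are one event in a thousand, which is why IDS tuning is dominated by the false-positive rate rather than by recall; and `auth_outcome` shows that "authorized user rejected" is a false negative under one convention and a false positive under the other, so the only way out of the hair-pulling is to state which event you are calling "positive".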