
False positive, false intrusion, false alarm

 
 
Nick
 
      04-23-2006
What is the real difference between these three terms, please?

Different sources give the following:

A false positive, also called a Type I error, exists when a test incorrectly
reports that it has found a positive result where none really exists.
Alternatively, a Type 1 error can be thought of as an incorrect rejection of
the null hypothesis - accepting the alternative hypothesis even though the
null hypothesis was true.

False Positives / False Alarm
An event that is picked up by the IDS and declared an attack but is actually
benign.

False Alarm - occurs when an intrusion detection system activates for no
apparent cause or reason.

False Alarm (subscriber or user oriented) - occurs when an intrusion
detection system activates as a result of improper use by the subscriber or
a user.

False intrusion is a false alarm, when there is no need of any alarm.

A false positive is when legitimate traffic is picked up as an intruder.



Thanks in advance!




 
 
 
 
 
Moe Trin
 
      04-23-2006
On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
<HOB2g.61052$WI1.47547@pd7tw2no>, Nick wrote:

>What is the real difference between these three terms, please?


Depends on context, and the mind of the person making the statement.

A "False Positive" is normally used in such areas as medicine (which
can sorta carry over into spam/virus/malware) or military action. It
generally means that the subject was classified as "true" (that is a
virus) AND action was taken (quarantine, missile launch, whatever)
based on that classification - although in fact the subject was not
"true" (it just looked like a virus). There is the corresponding
"False Negative". This generally defines the result of an analysis
that gave the "wrong" result. In all of the use I've seen, it is less
commonly the result of malicious actions - someone set out to get a
false response.

A "False Alarm" is a term in a security field - also common in fire
fighting. This could also be the result of bad analysis (motion
detector triggered by wind, fire detector triggered by dust particles)
or it could be malicious - kids pulled the fire alarm signal at school
or on the pole down at the corner. There may be action taken, but it's
_usually_ not as fatal (fire trucks roll, compared to strategic missile
launch).

"False Intrusion" is a false alarm on an intrusion detection system. It
may result in fatal or non-fatal results to the perp. This could be a
result of malicious action, or bad analysis.

Old guy
 
 
 
 
 
new guy
 
      04-26-2006

"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in
> article
> <HOB2g.61052$WI1.47547@pd7tw2no>, Nick wrote:
>
>>What is the real difference between these three terms, please?

>
> Depends on context, and the mind of the person making the statement.
>
> A "False Positive" is normally used in such areas as medicine (which
> can sorta carry over into spam/virus/malware) or military action. It
> generally means that the subject was classified as "true" (that is a
> virus) AND action was taken (quarantine, missile launch, whatever)
> based on that classification - although in fact the subject was not
> "true" (it just looked like a virus). There is the corresponding
> "False Negative". This generally defines the result of an analysis
> that gave the "wrong" result. In all of the use I've seen, it is less
> commonly the result of malicious actions - someone set out to get a
> false response.
>
> A "False Alarm" is a term in a security field - also common in fire
> fighting. This could also be the result of bad analysis (motion
> detector triggered by wind, fire detector triggered by dust particles)
> or it could be malicious - kids pulled the fire alarm signal at school
> or on the pole down at the corner. There may be action taken, but it's
> _usually_ not as fatal (fire trucks roll, compared to strategic missile
> launch).
>
> "False Intrusion" is a false alarm on an intrusion detection system. It
> may result in fatal or non-fatal results to the perp. This could be a
> result of malicious action, or bad analysis.
>
> Old guy




Thanks for your explanation. Examples always help.
I used to think that a false positive is when authorized users are not
accepted.

Security + guide by Mike Pastore and Emmett Dulaney has:
False positive - a flagged event that isn't really an event and has been
falsely triggered
(glossary, p44)

Security + guide by Mark Ciampa has:
false positive - an action by a biometric device that accepts unauthorized
users
(glossary, p510)


New guy





 
 
Moe Trin
 
      04-26-2006
On Wed, 26 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
<kvA3g.72738$P01.26325@pd7tw3no>, new guy wrote:

>Thanks for your explanation. Examples always help


The problem is that this is a live language situation. The definitions are
not cast in stone and fully agreed upon.

>I used to think that a false positive is when authorized users are not
>accepted


Depends where you are looking at the situation. The authentication
mechanism did not authorize the person who should be - that's a 'false
negative'. The authentication mechanism did determine that the person
is a bad guy - that's a 'false positive'. See me pulling my hair?

Old guy
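
Added example, not part of any post in this thread: the same access log scored twice, once with "positive" meaning "accepted as a valid user" (the reading behind the Ciampa glossary entry quoted above) and once with "positive" meaning "flagged as an intruder" (the IDS/alarm reading). The event data, function names and the false accept / false reject rate labels are assumptions introduced for illustration.

```python
from collections import Counter

# Constructed sample log: (who actually presented, what the system decided).
EVENTS = (
    [("authorized", "accept")] * 5
    + [("authorized", "reject")] * 2   # legitimate users turned away
    + [("intruder", "reject")] * 3
    + [("intruder", "accept")] * 1     # impostor let in
)

# Which ground truth counts as a "hit" for each choice of positive decision.
TRUTH_FOR = {"accept": "authorized", "reject": "intruder"}


def label(actual, decision, positive):
    """Label one event as TP/FP/FN/TN.

    positive="accept": authentication view (positive = "this is a valid user").
    positive="reject": alarm/IDS view (positive = "this is an intruder").
    """
    said_positive = decision == positive
    is_positive = actual == TRUTH_FOR[positive]
    if said_positive:
        return "TP" if is_positive else "FP"
    return "FN" if is_positive else "TN"


def confusion(events, positive):
    """Count TP/FP/FN/TN over the whole log for one definition of positive."""
    return Counter(label(a, d, positive) for a, d in events)


def error_rates(events):
    """Names that do not depend on which outcome is called 'positive'."""
    intruders = [d for a, d in events if a == "intruder"]
    authorized = [d for a, d in events if a == "authorized"]
    return {
        "false_accept_rate": intruders.count("accept") / len(intruders),
        "false_reject_rate": authorized.count("reject") / len(authorized),
    }


if __name__ == "__main__":
    for view in ("accept", "reject"):
        print(view, dict(confusion(EVENTS, view)))
    print(error_rates(EVENTS))
```

The FP and FN counts swap between the two views while the false accept and false reject rates stay the same, which is why reports that name the error by what happened (accepted an impostor, rejected a valid user) avoid the ambiguity discussed in the thread.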
 