False positive, false intrusion, false alarm

Discussion in 'Computer Security' started by Nick, Apr 23, 2006.

  1. Nick

    Nick Guest

    What is the real difference between these three terms, please?

    Different sources give the following:

    A false positive, also called a Type I error, exists when a test incorrectly
    reports that it has found a positive result where none really exists.
    Alternatively, a Type 1 error can be thought of as an incorrect rejection of
    the null hypothesis - accepting the alternative hypothesis even though the
    null hypothesis was true.

    False Positives / False Alarm
    An event that is picked up by the IDS and declared an attack but is actually
    benign.

    False Alarm - occurs when an intrusion detection system activates for no
    apparent cause or reason.

    False Alarm (subscriber or user oriented) - occurs when an intrusion
    detection system activates as a result of improper use by the subscriber or
    a user.

    False intrusion is a false alarm, when there is no need of any alarm.

    A false positive is when legitimate traffic is picked up as an intruder.



    Thanks in advance!
     
    Nick, Apr 23, 2006
    #1

  2. Moe Trin Guest

    On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
    <HOB2g.61052$WI1.47547@pd7tw2no>, Nick wrote:

    >What is the real difference between these three terms, please?


    Depends on context, and the mind of the person making the statement.

    A "False Positive" is normally used in such areas as medicine (which
    can sorta carry over into spam/virus/malware) or military action. It
    generally means that the subject was classified as "true" (that is a
    virus) AND action was taken (quarantine, missile launch, what-ever)
    based on that classification - although in fact the subject was not
    "true" (it just looked like a virus). There is the corresponding
    "False Negative". This generally defines the result of an analysis
    that gave the "wrong" result. In all of the use I've seen, it is less
    commonly the result of malicious actions - someone set out to get a
    false response.

    A "False Alarm" is a term in a security field - also common in fire
    fighting. This could also be the result of bad analysis (motion
    detector triggered by wind, fire detector triggered by dust particles)
    or it could be malicious - kids pulled the fire alarm signal at school
    or on the pole down at the corner. There may be action taken, but it's
    _usually_ not as fatal (fire trucks roll, compared to strategic missile
    launch).

    "False Intrusion" is a false alarm on an intrusion detection system. It
    may result in fatal or non-fatal results to the perp. This could be a
    result of malicious action, or bad analysis.

    Old guy
     
    Moe Trin, Apr 23, 2006
    #2

  3. new guy Guest

    "Moe Trin" <> wrote in message
    news:...
    > On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in
    > article
    > <HOB2g.61052$WI1.47547@pd7tw2no>, Nick wrote:
    >
    >>What is the real difference between these three terms, please?

    >
    > Depends on context, and the mind of the person making the statement.
    >
    > A "False Positive" is normally used in such areas as medicine (which
    > can sorta carry over into spam/virus/malware) or military action. It
    > generally means that the subject was classified as "true" (that is a
    > virus) AND action was taken (quarantine, missile launch, what-ever)
    > based on that classification - although in fact the subject was not
    > "true" (it just looked like a virus). There is the corresponding
    > "False Negative". This generally defines the result of an analysis
    > that gave the "wrong" result. In all of the use I've seen, it is less
    > commonly the result of malicious actions - someone set out to get a
    > false response.
    >
    > A "False Alarm" is a term in a security field - also common in fire
    > fighting. This could also be the result of bad analysis (motion
    > detector triggered by wind, fire detector triggered by dust particles)
    > or it could be malicious - kids pulled the fire alarm signal at school
    > or on the pole down at the corner. There may be action taken, but it's
    > _usually_ not as fatal (fire trucks roll, compared to strategic missile
    > launch).
    >
    > "False Intrusion" is a false alarm on an intrusion detection system. It
    > may result in fatal or non-fatal results to the perp. This could be a
    > result of malicious action, or bad analysis.
    >
    > Old guy




    Thanks for your explanation. Examples always help :)
    I used to think that a false positive is when authorized users are not
    accepted :(

    Security + guide by Mike Pastore and Emmett Dulaney has:
    False positive - a flagged event that isn't really an event and has been
    falsely triggered
    (glossary, p448)

    Security + guide by Mark Ciampa has:
    false positive - an action by a biometric device that accepts unauthorized
    users
    (glossary, p510)


    New guy :)
     
    new guy, Apr 26, 2006
    #3

  4. Moe Trin Guest

    On Wed, 26 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
    <kvA3g.72738$P01.26325@pd7tw3no>, new guy wrote:

    >Thanks for your explanation. Examples always help :)


    The problem is that this is a live language situation. The definitions are
    not cast in stone and fully agreed upon.

    >I used to think that a false positive is when authorized users are not
    >accepted :(


    Depends where you are looking at the situation. The authentication
    mechanism did not authorize the person who should be - that's a 'false
    negative'. The authentication mechanism did determine that the person
    is a bad guy - that's a 'false positive'. See me pulling my hair?

    Old guy
     
    Moe Trin, Apr 26, 2006
    #4
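The perspective flip Moe Trin describes, as an added Python example that is not part of the thread: the same login outcome is a "false negative" or a "false positive" depending on which condition the system is taken to be detecting, and the same four confusion-matrix cells give an IDS its false-alarm rate. The IDS log below is constructed sample data, and the function names are my own.

```python
from collections import Counter

def classify(decision_positive, truth_positive):
    """One confusion-matrix cell. 'Positive' means the system asserted the
    condition it is defined as looking for; which condition that is, is the
    whole argument of the thread."""
    if decision_positive and truth_positive:
        return "TP"
    if decision_positive and not truth_positive:
        return "FP"   # Type I error: the "false alarm"
    if not decision_positive and truth_positive:
        return "FN"   # Type II error: the miss
    return "TN"

def label_auth_outcome(user_is_legit, accepted, positive="intruder"):
    """Label one authentication outcome under two conventions.
    positive='intruder'   -> the system is a detector of bad guys (Moe Trin's reading)
    positive='authorized' -> the system is an acceptor of good guys (Ciampa's glossary)
    """
    if positive == "intruder":
        return classify(decision_positive=not accepted, truth_positive=not user_is_legit)
    if positive == "authorized":
        return classify(decision_positive=accepted, truth_positive=user_is_legit)
    raise ValueError(f"unknown convention: {positive}")

# Constructed IDS log: (event_id, flagged_by_ids, actually_malicious). Not real data.
SAMPLE_EVENTS = [
    ("e1", True, True),    # detected attack
    ("e2", True, False),   # benign traffic flagged: false alarm
    ("e3", False, True),   # missed attack
    ("e4", False, False),  # benign, quiet
    ("e5", True, False),   # another false alarm
    ("e6", False, False),
]

def confusion_counts(events):
    """Count TP/FP/FN/TN over an IDS log; 'positive' = flagged as intrusion."""
    return Counter(classify(flagged, malicious) for _, flagged, malicious in events)

def false_alarm_rate(counts):
    """Share of benign events the IDS alerted on: FP / (FP + TN)."""
    benign = counts["FP"] + counts["TN"]
    return counts["FP"] / benign if benign else 0.0

if __name__ == "__main__":
    # A legitimate user rejected by the biometric: FP under one reading, FN under the other.
    print(label_auth_outcome(True, False, "intruder"), label_auth_outcome(True, False, "authorized"))
    counts = confusion_counts(SAMPLE_EVENTS)
    print(dict(counts), "false alarm rate:", false_alarm_rate(counts))
```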