False positive, false intrusion, false alarm

Discussion in 'Computer Security' started by Nick, Apr 23, 2006.

    Nick Guest

    What is the real difference between these three terms, please?

    Different sources give the following:

    A false positive, also called a Type I error, exists when a test incorrectly
    reports that it has found a positive result where none really exists.
    Alternatively, a Type 1 error can be thought of as an incorrect rejection of
    the null hypothesis - accepting the alternative hypothesis even though the
    null hypothesis was true.

    False Positives / False Alarm
    An event that is picked up by the IDS and declared an attack but is actually

    False Alarm - occurs when an intrusion detection system activates for no
    apparent cause or reason.

    False Alarm (subscriber or user oriented) - occurs when an intrusion
    detection system activates as a result of improper use by the subscriber or
    a user.

    False intrusion is a false alarm, when there is no need of any alarm.

    A false positive is when legitimate traffic is picked up as an intruder.

    Thanks in advance!
    Nick, Apr 23, 2006
    Moe Trin Guest

    On Sun, 23 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
    Depends on context, and the mind of the person making the statement.

    A "False Positive" is normally used in such areas as medicine (which
    can sorta carry over into spam/virus/malware) or military action. It
    generally means that the subject was classified as "true" (that is a
    virus) AND action was taken (quarantine, missile launch, what-ever)
    based on that classification - although in fact the subject was not
    "true" (it just looked like a virus). There is the corresponding
    "False Negative". This generally defines the result of an analysis
    that gave the "wrong" result. In all of the use I've seen, it is less
    commonly the result of malicious actions - someone set out to get a
    false response.

    A "False Alarm" is a term in a security field - also common in fire
    fighting. This could also be the result of bad analysis (motion
    detector triggered by wind, fire detector triggered by dust particles)
    or it could be malicious - kids pulled the fire alarm signal at school
    or on the pole down at the corner. There may be action taken, but it's
    _usually_ not as fatal (fire trucks roll, compared to strategic missile

    "False Intrusion" is a false alarm on an intrusion detection system. It
    may result in fatal or non-fatal results to the perp. This could be a
    result of malicious action, or bad analysis.

    Old guy
    Moe Trin, Apr 23, 2006
    new guy Guest

    Thanks for your explanation. Examples always help :)
    I used to think that a false positive is when authorized users are not
    accepted :(

    Security + guide by Mike Pastore and Emmett Dulaney has:
    False positive - a flagged event that isn't really an event and has been
    falsely triggered
    (glossary, p448)

    Security + guide by Mark Ciampa has:
    false positive - an action by a biometric device that accepts unauthorized
    (glossary, p510)

    New guy :)
    new guy, Apr 26, 2006
    Moe Trin Guest

    On Wed, 26 Apr 2006, in the Usenet newsgroup alt.computer.security, in article
    The problem is that this is a live language situation. The definitions are
    not cast in stone and fully agreed upon.
    Depends where you are looking at the situation. The authentication
    mechanism did not authorize the person who should be - that's a 'false
    negative'. The authentication mechanism did determine that the person
    is a bad guy - that's a 'false positive'. See me pulling my hair?

    Old guy
    Moe Trin, Apr 26, 2006
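The "depends where you are looking" point above can be made concrete by scoring the same authentication decisions under two definitions of "positive". This is an added example, not code from the thread; the event list is constructed, and the two framings (IDS view vs access-control view) are illustrative labels chosen here.

```python
# Added example: the same decisions, two framings of "positive".
# A legitimate user who gets rejected is a false positive when "positive"
# means "flagged as intruder", and a false negative when "positive"
# means "accepted as authorized". Same event, different label.

# Constructed sample: (decision the mechanism made, what the person really was)
SAMPLE_EVENTS = [
    ("accept", "authorized"),
    ("accept", "authorized"),
    ("reject", "authorized"),   # legitimate user locked out
    ("accept", "intruder"),     # bad guy let in
    ("reject", "intruder"),
    ("reject", "intruder"),
]


def confusion(events, positive_decision, positive_truth):
    """Sort events into TP/FP/FN/TN for a chosen meaning of 'positive'.

    positive_decision: which decision counts as a positive result.
    positive_truth: which ground-truth label makes that result correct.
    """
    cells = {"TP": [], "FP": [], "FN": [], "TN": []}
    for event in events:
        decision, truth = event
        predicted = decision == positive_decision
        actual = truth == positive_truth
        if predicted and actual:
            cells["TP"].append(event)
        elif predicted:
            cells["FP"].append(event)   # Type I error: alarm with no real cause
        elif actual:
            cells["FN"].append(event)   # Type II error: real case missed
        else:
            cells["TN"].append(event)
    return cells


def ids_view(events):
    """IDS framing: 'positive' means the system flagged the person as an intruder."""
    return confusion(events, positive_decision="reject", positive_truth="intruder")


def access_view(events):
    """Access-control framing: 'positive' means the system accepted the user."""
    return confusion(events, positive_decision="accept", positive_truth="authorized")


def false_alarm_rate(cells):
    """Share of genuinely negative cases that still raised an alarm: FP / (FP + TN)."""
    negatives = len(cells["FP"]) + len(cells["TN"])
    return len(cells["FP"]) / negatives if negatives else 0.0
```

Running `ids_view` and `access_view` on the sample shows the locked-out user move from the FP cell to the FN cell, while the intruder who was let in moves the other way.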