IDS mailing list archives
Re: Network hardware IPS
From: "Stefano Zanero" <zanero () elet polimi it>
Date: Fri, 3 Oct 2003 12:15:12 +0200
They claim a "92% reduction in false positives".
Sometimes this kind of bragging makes me wonder: do these people actually think they are speaking to clueless folks? Or is the average audience actually inclined to hear "92%" and then run to buy a copy of whatever they are selling?

False Positive rate and Detection Rate are inversely proportional, in any detection system. It is true for radars, it is true for medical screening systems, it is true for anything. Check out the ROC, receiver operating curves concepts.

I cannot draw in an e-mail, but you can pick up a sheet of paper yourself. Draw a graph: on the x-axis, put FP rate. On the y-axis, put DR. Now think of a clueless, totally clueless, intrusion detection system. It generates totally random answers. You CAN obtain a 100% detection rate with it - if you accept a 100% false positive rate. The diagram on your chart is a line, bisecting the quadrant. If you want a 50% detection rate, you need to accept a 50% false positive rate, and so on.

Better intrusion detection systems would have a different graph, which stands "above" the diagonal line. Draw it - it's just any curve you may think of, which (hopefully!) is monotonically increasing, starting from (0,0) and ending up in (100,100).

Do you notice something? You _CAN_ reduce by any factor (92%, 95%, 99.9999%) the FP rate - but you WILL, always, without doubt, pay a price in detection rate terms. You can do it for the "idiot" IDS described above, you can do it for the best IDS you may think of: but it has always got a price!

The curve gives you a suggestion: the best "working point" is the one where the rate of FP increase vs. DR increase is at its top. Of course, determining it in reality is not as simple as in our simple equation! But this model explains clearly (even clearly enough for a salesperson, maybe) that "decrease in false positives" or "increase in detection rate" mean nothing at all, by themselves.
Stefano Zanero
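[Editor's note, added to the archive page; this is not part of Stefano's message. The following Python example works through the ROC argument above on constructed data: a "random" detector whose operating points lie on the diagonal, and a scored detector whose curve sits above it. Sweeping the alert threshold traces the (FP rate, detection rate) curve, and the helper at the end shows what a 92% cut in false positives does to the detection rate on each curve. The anomaly scores, the 92% figure and the starting operating points are hypothetical inputs chosen for the illustration, not measurements of any product.]

```python
"""ROC trade-off: cutting false positives costs detection rate.

Model: an IDS assigns every event an anomaly score in [0, 1] and alerts
when score >= threshold. Sweeping the threshold gives the ROC curve as
(false positive rate, detection rate) points. Exact fractions are used so
the operating points compare cleanly.
"""
from fractions import Fraction

# Constructed (hypothetical) scores. Higher means "more suspicious".
# Benign traffic is spread across the whole range; attacks cluster high,
# but a few overlap with benign events, as real detectors see.
BENIGN_SCORES = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50,
                 0.55, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95, 0.99]
ATTACK_SCORES = [0.30, 0.40, 0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85,
                 0.90, 0.92, 0.94, 0.96, 0.97, 0.98, 0.99, 0.995, 0.999, 1.0]


def rates_at(threshold, benign, attacks):
    """Return (FP rate, detection rate) for the rule 'alert if score >= threshold'."""
    fp = sum(1 for s in benign if s >= threshold)
    tp = sum(1 for s in attacks if s >= threshold)
    return Fraction(fp, len(benign)), Fraction(tp, len(attacks))


def roc_curve(benign, attacks):
    """Use every distinct score as a threshold; return the sorted set of
    reachable (FP rate, detection rate) operating points, from (0,0) to (1,1)."""
    thresholds = sorted(set(benign) | set(attacks), reverse=True)
    points = {(Fraction(0), Fraction(0))}
    for t in thresholds:
        points.add(rates_at(t, benign, attacks))
    return sorted(points)


def random_detector_curve(steps=10):
    """The 'clueless' IDS: it alerts on a fraction p of all events regardless
    of content, so FP rate == detection rate == p. This is the diagonal."""
    return [(Fraction(k, steps), Fraction(k, steps)) for k in range(steps + 1)]


def detection_rate_at_fpr(curve, max_fpr):
    """Best detection rate on the curve while keeping FP rate <= max_fpr.
    max_fpr may be a float written as a decimal, e.g. 0.25."""
    limit = Fraction(str(max_fpr))
    return max(dr for fpr, dr in curve if fpr <= limit)


def cost_of_fp_reduction(curve, start_fpr, reduction):
    """Start at the operating point whose FP rate is start_fpr, then move
    to the point whose FP rate is cut by 'reduction' (0.92 for the 92%
    claim). Returns (detection rate before, detection rate after) as floats."""
    start = Fraction(str(start_fpr))
    target = start * (1 - Fraction(str(reduction)))
    before = detection_rate_at_fpr(curve, start)
    after = detection_rate_at_fpr(curve, target)
    return float(before), float(after)


if __name__ == "__main__":
    curve = roc_curve(BENIGN_SCORES, ATTACK_SCORES)
    print("scored detector ROC points (FP rate, detection rate):")
    for fpr, dr in curve:
        print(f"  {float(fpr):.2f}  {float(dr):.2f}")
    print("scored detector, FP rate 25% cut by 92%:",
          cost_of_fp_reduction(curve, 0.25, 0.92))
    print("random detector, FP rate 50% cut by 92%:",
          cost_of_fp_reduction(random_detector_curve(100), 0.5, 0.92))
```

On the constructed data the scored detector goes from catching 60% of attacks at a 25% false positive rate to catching 15% once false positives are cut by 92%; the random detector goes from 50% to 4%. The curve is above the diagonal, so the scored detector is the better one at every operating point, but neither escapes the trade-off: any "X% fewer false positives" claim is meaningless until the vendor also states the detection rate at the new threshold.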
Current thread:
- RE: Network hardware IPS Davis, Scott L (Oct 02)
- Re: Network hardware IPS Stefano Zanero (Oct 06)
- <Possible follow-ups>
- Re: Network hardware IPS Darren Bolding (Oct 02)
- Re: Network hardware IPS Alvin Wong (Oct 02)
- Re: Network hardware IPS Ravi Kumar (Oct 02)
- Re: Network hardware IPS Alvin Wong (Oct 02)
- Re: Network hardware IPS Ravi Kumar (Oct 06)
- RE: Network hardware IPS Ron Gula (Oct 02)
- Re: Network hardware IPS Gary Flynn (Oct 06)
- Re: Network hardware IPS david maynor (Oct 07)
- Re: Network hardware IPS Gary Flynn (Oct 08)
- Re: Network hardware IPS Gary Flynn (Oct 06)
- RE: Network hardware IPS Dave Killion (Oct 07)