On Monday 06 October 2003 06:01 pm, Dave Killion wrote:
> Stefano,
>
> Perhaps I may have misunderstood some of your points, but the fact
> remains that I can decrease FP without affecting DR, something that
> you said wasn't possible:
>
> > Do you notice something ? You _CAN_ reduce by any factor (92%, 95%,
> > 99.9999%) the FP rate - but you WILL, always, without doubt, pay a
> > price in detection rate terms.
>
> My examples were to point out the fact that DR is not directly
> related to FP - and that you do *not* ALWAYS have a decrease in DR when
> reducing FP.

There have been several discussions on this list generally having to do
with this topic and similar ones. I've waited for someone to bring up
signal detection theory, but so far no one has, so I'll be the pedant.
;-] I'm willing to chance the flames because I think that there really
is some value in these discussions, and I believe the formalism of
signal detection theory will significantly enhance the discussions as
well as aid in coming up with solutions. It was first developed early
in the last century to aid in understanding problems in signal
processing in telecommunications. Since then it has been applied in
many different contexts, from radar and sonar to medical imaging and
the study of the Central Nervous System. I think that understanding
the effect that criterion, spread of the noise and signal distributions
(probability of occurrence curves), the discriminability index, and
information have on the detection process and the receiver operating
characteristic would help in two ways. Firstly, it would provide a
common base of understanding and meaning of terms. Secondly, it would
actually make tuning IDSs easier.

Below are some URLs to intros to SDT and a reference for a great book if
there is further interest. Google will turn up lots of references and
Amazon has many books on the subject. IMVHO, some exposure to SDT
would be *very* useful to those who are responsible for selecting,
implementing and tuning IDSs.

http://wise.cgu.edu/sdt/index.html
http://sucia.stanford.edu/~lera/psych115s/notes/signal/
http://white.stanford.edu/~heeger/sdt/sdt.html
http://epsych.msstate.edu/deliberate/sig_det/index.html

_Signal_Detection_Theory_ by Vyacheslav P. Tuzlukov
ISBN 0-8176-4152-1

My $0.02.

--
George Capehart
"I'd rather have a bottle in front of me than a frontal lobotomy."
-- Unknown
Received on Oct 09 2003
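
Added example, not part of the original post or of any product discussed in the thread: a small equal-variance Gaussian signal detection model of the FP/DR question above, showing the criterion, the discriminability index (d') and the ROC curve. The model, the function names and all numbers are assumptions made for illustration.

```python
from statistics import NormalDist

STD = NormalDist()  # standard normal, mean 0, sd 1

# Assumed model for this example: equal-variance Gaussian SDT.
# Scores for benign traffic ("noise") ~ N(0, 1); scores for attacks
# ("signal") ~ N(d_prime, 1). The IDS alerts when score > criterion.

def rates(d_prime, criterion):
    """Return (FP rate, detection rate) for one operating point."""
    fp = 1.0 - STD.cdf(criterion)
    dr = 1.0 - STD.cdf(criterion - d_prime)
    return fp, dr

def d_prime_from_rates(fp, dr):
    """Discriminability index implied by a measured (FP, DR) pair."""
    return STD.inv_cdf(dr) - STD.inv_cdf(fp)

def criterion_for_dr(d_prime, dr_target):
    """Criterion that yields dr_target for a sensor with this d_prime."""
    return d_prime - STD.inv_cdf(dr_target)

def roc(d_prime, criteria):
    """ROC curve: one (FP, DR) point per criterion setting."""
    return [rates(d_prime, c) for c in criteria]

if __name__ == "__main__":
    # Constructed numbers, not measurements from any real IDS.
    base_fp, base_dr = rates(2.0, 1.0)
    print(f"d'=2.0 c=1.0  FP={base_fp:.4f} DR={base_dr:.4f}")

    # Tuning only the threshold: slide along the same ROC curve.
    for fp, dr in roc(2.0, [1.0, 1.5, 2.0, 2.5]):
        print(f"  same sensor: FP={fp:.4f} DR={dr:.4f}")

    # Better discriminability (d'=3.0): hold DR fixed, recompute FP.
    c = criterion_for_dr(3.0, base_dr)
    fp, dr = rates(3.0, c)
    print(f"d'=3.0 c={c:.2f} FP={fp:.4f} DR={dr:.4f}")
```

In this model, moving only the criterion lowers FP and DR together along one ROC curve, while FP falls at an unchanged DR only when d' itself increases.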