This problem has implications for "sensor fusion" (the latest hot topic) in IDS; for example when combining host logs (HIDS) with NIDS alerts. The risk of false positives is particularly relevant when you try to write signatures that match similar but unknown bad stuff, and false negatives when dealing with novel "zero day" attacks. Sometimes it's not always clear how to generalize to all the forms an attack could take (a problem compounded in a closed source environment), and proper decoding of a vulnerable protocol could itself be dangerous or resource-prohibitive at wire speeds, so you end up with a compromise.
Assuming that one wants to run tests at the equal error rate is a nice way to reduce the classification error relationship to a single statistic for analysis, but it's an assumption that may not hold in an operational environment. If the false negative costs a life, and a false positive means inconveniencing someone, you may want to run on the conservative side of the equal error rate.

An interesting and somewhat related phenomenon is the "base rate fallacy", which involves a positive test for a rare condition. Assume 1 in ~10000 people have a condition, and the test for it gives a false positive 1 in 100 times. Assume you test positive - intuition tends to tell us that we likely have the condition (after all, the test is correct 99% of the time). In fact for every true positive, there are 10,000 opportunities for the false positive, so in fact your chances of actually having the condition are merely 1 in 100. For a prolonged explanation, see this paper: http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
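The base-rate arithmetic above, carried through as an added example (not part of the original post): it computes P(attack | alert) from the post's numbers, the false-positive rate a signature would need before its alerts are mostly real, and expected alert counts over a constructed event volume. The detection rate (sensitivity) is assumed to be 1.0 because the post does not state it.

```python
"""Base-rate arithmetic for IDS alerts (added example, not from the original post).

Assumptions: sensitivity (true-positive rate) is taken as 1.0 because the post
does not state it; the event volume used in main() is constructed.
"""


def ppv(prevalence: float, fpr: float, sensitivity: float = 1.0) -> float:
    """P(attack | alert) by Bayes' rule.

    prevalence  -- fraction of events that are really attacks (the base rate)
    fpr         -- P(alert | benign), the false-positive rate
    sensitivity -- P(alert | attack), the detection rate (assumed 1.0)
    """
    true_alerts = sensitivity * prevalence
    false_alerts = fpr * (1.0 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


def required_fpr(prevalence: float, target_ppv: float, sensitivity: float = 1.0) -> float:
    """False-positive rate needed so that P(attack | alert) reaches target_ppv.

    Solves ppv(...) == target_ppv for fpr; this is the constraint the base rate
    puts on a signature before its alerts are worth an analyst's time.
    """
    return sensitivity * prevalence * (1.0 - target_ppv) / (target_ppv * (1.0 - prevalence))


def expected_alerts(n_events: int, prevalence: float, fpr: float, sensitivity: float = 1.0):
    """Expected (true, false) alert counts over n_events observations."""
    attacks = n_events * prevalence
    benign = n_events - attacks
    return sensitivity * attacks, fpr * benign


if __name__ == "__main__":
    p, f = 1 / 10_000, 1 / 100  # the post's numbers: base rate and false-positive rate
    print(f"P(condition | positive) = {ppv(p, f):.4f}  (about 1 in {round(1 / ppv(p, f))})")
    print(f"FPR needed for a 50% useful alert stream: {required_fpr(p, 0.5):.2e}")
    tp, fp = expected_alerts(1_000_000, p, f)  # constructed daily event volume
    print(f"Per 1e6 events/day: ~{tp:.0f} true alerts vs ~{fp:.0f} false alerts")
```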
