This problem has implications for sensor fusion (the latest hot
topic) in IDS; for example when combining host logs (HIDS) with NIDS
alerts. The risk of false positives is particularly relevant when you
try to write signatures that match similar but unknown bad stuff, and
false negatives when
--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Wed, 19 Oct 2005 23:32:55 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Read two biometrics, get worse results - how it works
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL
RAH, et al.,
It is true that one can combine two diagnostic
tests to a worse effect than either alone, but
it is not a foredrawn conclusion. To take a
medical example, you screen first with a cheap
test that has low/no false negatives then for the
remaining positives you screen with a
On 10/19/05, R.A. Hettinga [EMAIL PROTECTED] wrote:
[EDIT]
Daugman presents
(http://www.cl.cam.ac.uk/users/jgd1000/combine/combine.html) the two rival
intuitions, then does the maths. On the one hand, a combination of
different tests should improve performance, because more information
