[Clips] Read two biometrics, get worse results - how it works

Travis H. solinym at gmail.com
Fri Oct 21 15:17:32 EDT 2005


This problem has implications for "sensor fusion" (the latest hot
topic) in IDS; for example when combining host logs (HIDS) with NIDS
alerts.  The risk of false positives is particularly relevant when you
try to write signatures that match similar but unknown bad stuff, and
false negatives when dealing with novel "zero day" attacks.  Sometimes
it's not always clear how to generalize to all the forms an attack
could take (a problem compounded in a closed source environment), and
proper decoding of a vulnerable protocol could itself be dangerous or
resource-prohibitive at wire speeds, so you end up with a compromise.

Assuming that one wants to run tests at the equal error rate is a nice
way to reduce the classification error relationship to a single
statistic for analysis, but it's an assumption that may not hold in an
operational environment.  If the false negative costs a life, and a
false positive means inconveniencing someone, you may want to run on
the conservative side of the equal error rate.

An interesting and somewhat related phenomenon is the "base rate
fallacy", which involves a positive test for a rare condition.  Assume
1 in ~10000 people have a condition, and the test for it gives a false
positive 1 in 100 times.  Assume you test positive - intuition tends
to tell us that we likely have the condition (after all, the test
is correct 99% of the time).  In fact for every true positive, there are
10,000 opportunities for the false positive, so in fact your chances
of actually having the condition are merely 1 in 100.

For a prolonged explanation, see this paper:
http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
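
Added example (not part of the original post): the base-rate arithmetic from the message worked through with Bayes' rule, extended to two detectors fused with AND/OR rules as in the "sensor fusion" case. Assumptions: the post's test never misses (the post gives no miss rate), detector errors are independent, and the STRONG/WEAK (tpr, fpr) pairs are constructed sample values.

```python
# Added example: Bayes' rule for an alarm, plus AND/OR fusion of two detectors.
# Assumptions: detector errors are independent; sample rates are constructed.

def posterior(base_rate, tpr, fpr):
    """P(condition is real | detector alarmed)."""
    hit = base_rate * tpr
    false_alarm = (1.0 - base_rate) * fpr
    return hit / (hit + false_alarm)

def fuse(det_a, det_b, rule):
    """Combine two (tpr, fpr) detectors under the independence assumption."""
    (tpr_a, fpr_a), (tpr_b, fpr_b) = det_a, det_b
    if rule == "and":   # alarm only when both fire
        return tpr_a * tpr_b, fpr_a * fpr_b
    if rule == "or":    # alarm when either fires
        return 1 - (1 - tpr_a) * (1 - tpr_b), 1 - (1 - fpr_a) * (1 - fpr_b)
    raise ValueError("rule must be 'and' or 'or'")

def max_fpr_for(base_rate, tpr, target):
    """Largest false positive rate that still yields posterior >= target."""
    return base_rate * tpr * (1 - target) / ((1 - base_rate) * target)

BASE_RATE = 1 / 10000          # from the post
POST_TEST = (1.0, 0.01)        # FPR from the post; TPR of 1.0 is assumed
STRONG = (0.99, 0.01)          # constructed (tpr, fpr) pairs
WEAK = (0.90, 0.10)

def report():
    rows = [("post's test", POST_TEST), ("strong alone", STRONG),
            ("weak alone", WEAK),
            ("strong OR weak", fuse(STRONG, WEAK, "or")),
            ("strong AND weak", fuse(STRONG, WEAK, "and"))]
    return [(name, tpr, fpr, posterior(BASE_RATE, tpr, fpr))
            for name, (tpr, fpr) in rows]

if __name__ == "__main__":
    for name, tpr, fpr, post in report():
        print(f"{name:16} tpr={tpr:.4f} fpr={fpr:.4f} P(real|alarm)={post:.5f}")
    print("FPR needed for a 50% posterior:",
          f"{max_fpr_for(BASE_RATE, 1.0, 0.5):.6f}")
```

With these constructed rates, OR fusion pushes P(real|alarm) below that of the strong detector alone, while AND fusion raises it at the price of a lower detection rate.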
