Stefano,
According to this book about Snort
(http://www.amazon.com/Snort-Toolkit-Beales-Source-Security/dp/1597490997):
"A false positive is an alert that triggers on normal traffic where no
intrusion or attack is underway"
That is how we used the term in the paper. Is that not how it is used
with an anomaly detector with respect to the use as an intrusion detector?
In addition, I don't understand why there would be no reason that this
algorithm would work. Could you explain? The algorithm is developed by
experts in Bayesian statistics and has been applied in other fields as well.
But I agree, we have to show that this algorithm works with more
experiments.
If somebody would be willing to let us test the algorithm on real data,
we would be very happy... :)
/Tomas
Stefano Zanero wrote:
Usually, extraordinary claims need extraordinary proof. If there was any
reason to believe that clustering data in the way you describe would
lead to spotting false positives (which, in the case of Snort, would
rather be noncontextual alerts which you do not care about), testing it
over IDEVAL may be sufficient.
Since there is no reason why this should work, you need much more
convincing experiments to show that it actually does. And it's not just
a matter of the dataset, it's also a matter of what you define as a
false positive: in fact, the term "false positive" has a different
meaning for misuse detectors and anomaly detectors.
Best,
Stefano
-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you can
securely collect sensitive information online, and increase business by giving
your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
