Intrusion Detection System

Terminology

burglar Alert/Alarm: A signal suggesting that a system has not been or is being attacked.
Detection Rate: The detection rate is defined as the number of intrusion instances detected by the system(True Positive) divided by the total number of intrusion instances present in the test set.
False Alarm Rate: defined as the number of 'normal' patterns classified as attacks(False Positive) divided by the total number of 'normal' patterns.
True Positive: A legitimate attack which triggers an IDS to produce an alarm.
False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
False Negative: A failure of an IDS to detect an actual attack.
True Negative: When no attack has taken place and no alarm is raised.
Noise: Data or interference that can trigger a false positive.
Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can be of two types:
1. An authorized user with limited permissions.
2. A user with full permissions and who misuses their powers.
Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.