Intrusion Detection System - Terminology

Terminology

• burglar Alert/Alarm: A signal suggesting that a system has not been or is being attacked.
• Detection Rate: The detection rate is defined as the number of intrusion instances detected by the system(True Positive) divided by the total number of intrusion instances present in the test set.
• False Alarm Rate: defined as the number of 'normal' patterns classified as attacks(False Positive) divided by the total number of 'normal' patterns.
• True Positive: A legitimate attack which triggers an IDS to produce an alarm.
• False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
• False Negative: A failure of an IDS to detect an actual attack.
• True Negative: When no attack has taken place and no alarm is raised.
• Noise: Data or interference that can trigger a false positive.
• Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
• Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
• Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
• Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
• Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
• Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
• Misfeasor: They are commonly internal users and can be of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions and who misuses their powers.
• Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.