1

False Positive (FP), True Negative (TN), Actual Negative (FP+TN). We can calculate the false positive rate by FP/(FP+TN). In DDoS detection experiments, the false positive happens when we misjudge the legitimate traffic as malicious traffic. However, the legitimate traffic is usually as background traffic. It does not have a specific number. How to get the number of FP+TN? How to calculate the false positive rate of a DDoS detection algorithm?

codetime
  • `However, the legitimate traffic is usually as background traffic. It does not have a specific number.` - I didn't get that part. – cel Apr 02 '15 at 15:37
  • Sorry for that. What I mean is that if we want to calculate the false positive, we must have the number of **Actual Negative**. In my opinion, the **Actual Negative** is related to the number of the legitimate traffic. However, the legitimate traffic usually serves as background traffic, whose number we don't care about. If you still don't understand, then how can we get the number of **Actual Negative**? – codetime Apr 03 '15 at 01:16

1 Answer

0

This is about event counts. The DDoS device will log intrusion events which count as Actual Negatives. Of these, further inspection will reveal False Negatives. Now you can calculate the FP rate as FP / AN and the TN rate as TN / AN or (AN-FP) / AN.

What you cannot rate is the number of intrusion events in relation to "background" traffic as the latter is event-less. But this rate is commonly not asked for, rather the absolute number of events (AN).

user1016274
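
One way to make FP+TN countable, as an added example that is not part of either post: pick fixed time windows as the unit the detector is judged on, so every attack-free window is an actual negative regardless of how many legitimate packets it holds. The trace, alert times, window sizes and function names below are constructed assumptions.

```python
"""False positive rate for a DDoS detector, counted per time window."""

# Constructed 80-second trace (not from the page): (timestamp_s, is_attack).
# Legitimate packets are listed only for realism; their count is never used.
TRACE = [(1, False), (4, False), (12, False), (15, False), (23, True),
         (24, True), (27, False), (33, True), (38, True), (41, False),
         (47, False), (52, False), (58, False), (66, False), (73, False)]
ALERTS = [14, 25]   # constructed detector alert times (seconds)
DURATION = 80       # experiment length in seconds


def confusion_by_window(trace, alerts, duration, window):
    """Classify every window of `window` seconds as TP, FP, TN or FN."""
    n = -(-duration // window)                 # ceil(duration / window)
    actual = [False] * n                       # ground truth per window
    flagged = [False] * n                      # detector verdict per window
    for ts, is_attack in trace:
        if is_attack:
            actual[int(ts // window)] = True
    for ts in alerts:
        flagged[int(ts // window)] = True
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for a, f in zip(actual, flagged):
        counts[("T" if a == f else "F") + ("P" if f else "N")] += 1
    return counts


def false_positive_rate(counts):
    """FP / (FP + TN); undefined when the trace has no attack-free window."""
    negatives = counts["FP"] + counts["TN"]
    if negatives == 0:
        raise ValueError("no actual negatives: FPR is undefined")
    return counts["FP"] / negatives


if __name__ == "__main__":
    for w in (10, 20):
        c = confusion_by_window(TRACE, ALERTS, DURATION, w)
        print(w, c, round(false_positive_rate(c), 3))
```

The same trace and alerts give a different rate for 10-second and 20-second windows, so a reported false positive rate is only comparable when the counting unit is stated with it.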