[Dailydave] Encrypted Malware Traffic Detection == hilarious?

Thorsten Holz thorsten.holz at gmail.com
Wed Jun 21 14:33:33 EDT 2017


On Wed, Jun 21, 2017 at 4:25 PM, dave aitel <dave at immunityinc.com> wrote:

> 99% effective with the kind of traffic a normal network sees means you are
> FLOODED AND OVERWHELMED WITH FALSE POSITIVES. Although they don't specify
> what that number even means. Is it false positives? False negatives? Both?
> Let's just say this: 99.99% is useless when doing a network-based IDS.
>

More details are available in a technical report:
https://arxiv.org/pdf/1607.01639.pdf

Starting on page 8, the evaluation is explained in more detail. 99%
reflects the accuracy, but the 1-in-10,000 false discovery rate (FDR) is
much lower even in their tests. Furthermore, all these results were
obtained in synthetic tests where the ratio of malicious traffic to benign
traffic was almost 1:1 ("In total, there were 225,740 malicious and 225,000
enterprise flows for this experiment")...

Cheers,
  Thorsten
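The disagreement above is base-rate arithmetic, so here is the arithmetic worked through. This is an added example for this archive page, not code from the thread or from the cited report. The only figures taken from the thread are the report's test-set sizes (225,740 malicious and 225,000 enterprise flows) and the quoted 99% accuracy and 1-in-10,000 FDR; the TPR/FPR pair used to reproduce those figures, and the size and prevalence of the "enterprise day" (100M flows, one malicious flow per 100,000), are assumptions chosen for illustration.

```python
"""Base-rate arithmetic for an IDS accuracy figure.

Added example; not code from the thread or from the cited report. Only the
test-set sizes and the quoted 99% / 1-in-10,000 figures come from the
thread. The TPR/FPR pair and the enterprise-day numbers are assumptions.
"""
from dataclasses import dataclass

# Test-set sizes quoted from the report in the thread.
REPORT_MALICIOUS = 225_740
REPORT_BENIGN = 225_000

# Assumed enterprise day: 100M flows, 1 malicious flow per 100,000.
DAY_FLOWS = 100_000_000
DAY_PREVALENCE = 1e-5


@dataclass(frozen=True)
class Confusion:
    """Expected confusion-matrix counts; floats because they are expectations."""
    tp: float
    fp: float
    tn: float
    fn: float

    @property
    def total(self) -> float:
        return self.tp + self.fp + self.tn + self.fn

    def accuracy(self) -> float:
        """(TP + TN) / all flows: the number a paper usually headlines."""
        return (self.tp + self.tn) / self.total

    def tpr(self) -> float:
        """Share of malicious flows that are caught."""
        return self.tp / (self.tp + self.fn)

    def fpr(self) -> float:
        """Share of benign flows that are flagged."""
        return self.fp / (self.fp + self.tn)

    def fdr(self) -> float:
        """Share of alerts that are wrong (1 - precision): what the analyst sees."""
        alerts = self.tp + self.fp
        return self.fp / alerts if alerts else 0.0


def expected_confusion(n_malicious: float, n_benign: float,
                       tpr: float, fpr: float) -> Confusion:
    """Apply a classifier's per-class rates to a population of the given mix."""
    return Confusion(tp=n_malicious * tpr, fn=n_malicious * (1 - tpr),
                     fp=n_benign * fpr, tn=n_benign * (1 - fpr))


def project_day(tpr: float, fpr: float, n_flows: int = DAY_FLOWS,
                prevalence: float = DAY_PREVALENCE) -> Confusion:
    """Same classifier, realistic base rate instead of the 1:1 test mix (assumed)."""
    n_malicious = n_flows * prevalence
    return expected_confusion(n_malicious, n_flows - n_malicious, tpr, fpr)


def rates_from_accuracy(n_malicious: float, n_benign: float, accuracy: float,
                        share_fp: float) -> tuple[float, float]:
    """Back out one (tpr, fpr) pair consistent with a bare accuracy figure.

    `share_fp` is the fraction of all errors assumed to be false positives.
    A bare accuracy number does not tell you this; that is the ambiguity
    raised in the thread.
    """
    errors = (1 - accuracy) * (n_malicious + n_benign)
    fp = errors * share_fp
    fn = errors - fp
    return 1 - fn / n_malicious, fp / n_benign


def main() -> None:
    # 1. An assumed TPR/FPR pair that reproduces the quoted figures on the
    #    report's near-1:1 test set.
    test = expected_confusion(REPORT_MALICIOUS, REPORT_BENIGN, tpr=0.99, fpr=1e-4)
    print(f"test set:   accuracy={test.accuracy():.4f}  FDR={test.fdr():.2e}")

    # 2. The same classifier on the assumed enterprise day: accuracy goes up,
    #    but most alerts are now false.
    day = project_day(tpr=0.99, fpr=1e-4)
    print(f"enterprise: accuracy={day.accuracy():.4f}  FDR={day.fdr():.2f}  "
          f"false alerts/day={day.fp:,.0f}")

    # 3. "99% accurate" on its own: the errors could all be false positives...
    tpr_hi, fpr_hi = rates_from_accuracy(REPORT_MALICIOUS, REPORT_BENIGN, 0.99, share_fp=1.0)
    print(f"all-FP reading: FPR={fpr_hi:.4f} -> "
          f"{project_day(tpr_hi, fpr_hi).fp:,.0f} false alerts/day")
    # ...or all false negatives, with zero false positives.
    tpr_lo, fpr_lo = rates_from_accuracy(REPORT_MALICIOUS, REPORT_BENIGN, 0.99, share_fp=0.0)
    print(f"all-FN reading: TPR={tpr_lo:.4f}, FPR={fpr_lo:.4f}")


if __name__ == "__main__":
    main()
```

Under these assumptions the same classifier that scores 99.5% accuracy and a 1-in-10,000 FDR on the 1:1 test set scores 99.99% accuracy on the enterprise day while roughly 91% of its alerts are false, which is the sense in which a headline accuracy figure says nothing about analyst load until the base rate is fixed.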