APHRODITE: an Anomaly-based Architecture for False Positive Reduction

We present APHRODITE, an architecture designed to reduce false positives in network intrusion detection systems. APHRODITE works by detecting anomalies in the output traffic, and by correlating them with the alerts raised by the NIDS working on the input traffic. Benchmarks show a substantial reduction of false positives and that APHRODITE is effective also after a "quick setup", i.e. in the realistic case in which it has not been "trained" and set up optimall

Subword-based Indexing for a Minimal False Positive Rate

Subword-based Indexing for a Minimal False Positive Rat

Tardos fingerprinting is better than we thought

We review the fingerprinting scheme by Tardos and show that it has a much better performance than suggested by the proofs in Tardos' original paper. In particular, the length of the codewords can be significantly reduced. First we generalize the proofs of the false positive and false negative error probabilities with the following modifications: (1) we replace Tardos' hard-coded numbers by variables and (2) we allow for independently chosen false positive and false negative error rates. It turns out that all the collusion-resistance properties can still be proven when the code length is reduced by a factor of more than 2. Second, we study the statistical properties of the fingerprinting scheme, in particular the average and variance of the accusations. We identify which colluder strategy forces the content owner to employ the longest code. Using a gaussian approximation for the probability density functions of the accusations, we show that the required false negative and false positive error rate can be achieved with codes that are a factor 2 shorter than required for rigid proofs. Combining the results of these two approaches, we show that the Tardos scheme can be used with a code length approximately 5 times shorter than in the original construction.Comment: Modified presentation of result

A study on the false positive rate of Stegdetect

In this paper we analyse Stegdetect, one of the well-known image steganalysis tools, to study its false positive rate. In doing so, we process more than 40,000 images randomly downloaded from the Internet using Google images, together with 25,000 images from the ASIRRA (Animal Species Image Recognition for Restricting Access) public corpus. The aim of this study is to help digital forensic analysts, aiming to study a large number of image files during an investigation, to better understand the capabilities and the limitations of steganalysis tools like Stegdetect. The results obtained show that the rate of false positives generated by Stegdetect depends highly on the chosen sensitivity value, and it is generally quite high. This should support the forensic expert to have better interpretation in their results, and taking the false positive rates into consideration. Additionally, we have provided a detailed statistical analysis for the obtained results to study the difference in detection between selected groups, close groups and different groups of images. This method can be applied to any steganalysis tool, which gives the analyst a better understanding of the detection results, especially when he has no prior information about the false positive rate of the tool

Constraining the False Positive Rate for Kepler Planet Candidates with Multi-Color Photometry from the GTC

Using the OSIRIS instrument installed on the 10.4-m Gran Telescopio Canarias (GTC) we acquired multi-color transit photometry of four small (Rp < 5 R_Earth) short-period (P < 6 days) planet candidates recently identified by the Kepler space mission. These observations are part of a program to constrain the false positive rate for small, short-period Kepler planet candidates. Since planetary transits should be largely achromatic when observed at different wavelengths (excluding the small color changes due to stellar limb darkening), we use the observed transit color to identify candidates as either false positives (e.g., a blend with a stellar eclipsing binary either in the background/foreground or bound to the target star) or validated planets. Our results include the identification of KOI 225.01 and KOI 1187.01 as false positives and the tentative validation of KOI 420.01 and KOI 526.01 as planets. The probability of identifying two false positives out of a sample of four targets is less than 1%, assuming an overall false positive rate for Kepler planet candidates of 10% (as estimated by Morton & Johnson 2011). Therefore, these results suggest a higher false positive rate for the small, short-period Kepler planet candidates than has been theoretically predicted by other studies which consider the Kepler planet candidate sample as a whole. Furthermore, our results are consistent with a recent Doppler study of short-period giant Kepler planet candidates (Santerne et al. 2012). We also investigate how the false positive rate for our sample varies with different planetary and stellar properties. Our results suggest that the false positive rate varies significantly with orbital period and is largest at the shortest orbital periods (P < 3 days), where there is a corresponding rise in the number of detached eclipsing binary stars... (truncated)Comment: 13 pages, 12 figures, 3 tables; revised for MNRA