CISSP PRACTICE QUESTIONS – 20201110

Effective CISSP Questions

In a biometric-based authentication, the false acceptance rate (FAR) occurs when the authentication system accepts a user whom it should actually have rejected. Which of the following is also known as FAR?
A. True positive
B. False positive
C. True negative
D. False negative

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. False negative. 

NIST, OSG, and other sources suggest that false positives are also called false matches or false acceptance. However, I hold another perspective and summarize it in the following table so that it aligns with the statistical errors: Type I and Type II errors. Please refer to this post, What Does It Mean By “Positive?”, for details.

Anomaly-based Detection

NIST

Technical testing in biometrics has historically focused on throughput and recognition error rates – the latter of two types: false positives (also called false matches – an incorrect decision that two biometric samples are from the same individual when they are not) and false negatives (also called false non-matches – an incorrect decision that two biometric samples are not from the same individual when they in fact are).

Note #20: Here, NIST’s use of the term “FAR” (False Acceptance Rate) is to be interpreted as the false match rate.

Source: Fundamental issues in biometric performance testing: A modern statistical and philosophical framework for uncertainty assessment (NIST)

OSG and Other Sources

The following is another source that supports the same perspective as the CISSP OSG:

False acceptance rate (FAR) and false rejection rate (FRR) are two of these.

* FAR occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.

* FRR is the problem of rejecting a legitimate user when we should have accepted him. This type of issue is commonly known outside the world of biometrics as a false negative.

Source: Jason Andress, in The Basics of Information Security (Second Edition), 2014

Type I and Type II Errors

There are two types of errors as a result of a test procedure:

  • Type I error is the rejection of a true null hypothesis (aka a “false positive”).
  • Type II error is the failure to reject a false null hypothesis (aka a “false negative”).

“The null hypothesis is generally assumed to be true until evidence indicates otherwise (similar to the case that a defendant of a jury trial is presumed innocent until proven guilty).” (Wikipedia)

IDS Decisions

In terms of the accuracy of an IDS, there are four possible states for each activity observed.

  • A true positive state is when the IDS identifies an activity as an attack and the activity is actually an attack. A true positive is a successful identification of an attack.
  • A true negative state is similar. This is when the IDS identifies an activity as acceptable behavior and the activity is actually acceptable. A true negative is successfully ignoring acceptable behavior. Neither of these states is harmful, as the IDS is performing as expected.
  • A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behavior. A false positive is a false alarm.
  • A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack. That is, a false negative is when the IDS fails to catch an attack. This is the most dangerous state since the security professional has no idea that an attack took place. False positives, on the other hand, are an inconvenience at best and can cause significant issues. However, with the right amount of overhead, false positives can be successfully adjudicated; false negatives cannot.

Source: Intrusion Detection (OWASP)
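
The disagreement above comes down to what counts as the “positive” decision. The following added example (not part of the original post) scores a small constructed set of biometric attempts, computes FAR and FRR directly, and then maps the same decisions onto a confusion matrix twice: once with “positive” meaning “match/accept” (the NIST and OSG reading) and once with “positive” meaning “impostor detected/reject” (the IDS-style reading used in the table). Under the first reading FAR equals the false positive rate; under the second it equals the false negative rate.

```python
from typing import List, Tuple

# Constructed sample data: each attempt is (is_genuine_user, system_accepted).
# Five genuine attempts (one wrongly rejected) and five impostor attempts
# (two wrongly accepted).
ATTEMPTS: List[Tuple[bool, bool]] = [
    (True, True), (True, True), (True, True), (True, True), (True, False),
    (False, False), (False, False), (False, False), (False, True), (False, True),
]


def biometric_error_rates(attempts: List[Tuple[bool, bool]]) -> Tuple[float, float]:
    """Return (FAR, FRR) using the biometric definitions on this page.

    FAR = impostor attempts accepted / all impostor attempts
    FRR = genuine attempts rejected / all genuine attempts
    """
    impostor_accepted = [acc for gen, acc in attempts if not gen]
    genuine_accepted = [acc for gen, acc in attempts if gen]
    far = sum(impostor_accepted) / len(impostor_accepted)
    frr = sum(1 for acc in genuine_accepted if not acc) / len(genuine_accepted)
    return far, frr


def confusion_rates(attempts: List[Tuple[bool, bool]],
                    positive_means_accept: bool) -> Tuple[float, float]:
    """Return (false positive rate, false negative rate) for a chosen meaning of 'positive'.

    positive_means_accept=True : positive = 'samples match, accept' (NIST/OSG view)
    positive_means_accept=False: positive = 'impostor detected, reject' (IDS-style view)
    """
    fp = fn = actual_pos = actual_neg = 0
    for genuine, accepted in attempts:
        # Ground truth and decision, each expressed in the chosen polarity.
        truth_pos = genuine if positive_means_accept else not genuine
        decided_pos = accepted if positive_means_accept else not accepted
        if truth_pos:
            actual_pos += 1
            fn += 0 if decided_pos else 1   # positive case missed
        else:
            actual_neg += 1
            fp += 1 if decided_pos else 0   # negative case wrongly flagged
    return fp / actual_neg, fn / actual_pos


if __name__ == "__main__":
    far, frr = biometric_error_rates(ATTEMPTS)
    print(f"FAR={far:.2f} FRR={frr:.2f}")
    print("positive=accept  (FPR, FNR):", confusion_rates(ATTEMPTS, True))
    print("positive=reject  (FPR, FNR):", confusion_rates(ATTEMPTS, False))
```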

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

In biometric-based authentication, the false acceptance rate (FAR) occurs when the authentication system accepts a user whom it should actually have rejected. Which of the following is a synonym for FAR?
A. True positive
B. False positive
C. True negative
D. False negative
