- Alert/Alarm: A signal indicating that a system is, or may be, under attack.
- True Positive: A legitimate attack which triggers an IDS to produce an alarm.
- False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
- False Negative: A failure of an IDS to detect an actual attack.
- True Negative: When no attack has taken place and no alarm is raised.
- Noise: Data or interference that can trigger a false positive.
- Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
- Site policy awareness: An IDS’s ability to dynamically change its rules and configurations in response to changing environmental activity.
- Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
- Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
- Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
- Masquerader: A user who is not authorized to use a system but attempts to access its information while posing as an authorized user. Masqueraders are generally outside users.
- Misfeasor: They are commonly internal users and can be of two types:
  - An authorized user with limited permissions.
  - A user with full permissions who misuses their powers.
- Clandestine user: A user who seizes supervisory control of a system and uses those privileges to evade auditing and avoid detection.
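The detection-outcome terms above (true/false positive, true/false negative, noise, alarm filtering) are easiest to see when applied to a set of alerts that has been compared against an incident review. The following Python is an added example, not part of the original glossary: it takes constructed sample events (each carrying whether the IDS alarmed, which signature fired, and whether a real attack occurred), tallies the four outcomes, derives precision, recall and false-positive rate, and then shows how alarm filtering (suppressing a signature judged to be noise) trades fewer false positives for an extra false negative. The `Event` fields, the signature names and the events themselves are assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    """One observed event, joined with the ground truth from an incident review (constructed)."""
    event_id: str
    signature: Optional[str]  # IDS signature that fired, or None when no alarm was raised
    alarmed: bool             # did the IDS produce an alarm for this event?
    attack: bool              # was it actually an attack, per the post-hoc review?


# Constructed sample data; signature names are hypothetical.
SAMPLE_EVENTS: List[Event] = [
    Event("e1", "exploit-sig", True, True),    # true positive
    Event("e2", "exploit-sig", True, True),    # true positive
    Event("e3", "noisy-sig", True, False),     # false positive (noise)
    Event("e4", "noisy-sig", True, False),     # false positive (noise)
    Event("e5", "noisy-sig", True, True),      # true positive hidden among the noise
    Event("e6", None, False, True),            # false negative
    Event("e7", None, False, False),           # true negative
    Event("e8", None, False, False),           # true negative
    Event("e9", "exploit-sig", True, False),   # false positive
]


def classify(event: Event) -> str:
    """Map one event to TP / FP / FN / TN using the glossary definitions."""
    if event.alarmed and event.attack:
        return "TP"   # legitimate attack that triggered an alarm
    if event.alarmed and not event.attack:
        return "FP"   # alarm with no attack behind it
    if not event.alarmed and event.attack:
        return "FN"   # attack the IDS failed to detect
    return "TN"       # no attack, no alarm


def confusion_matrix(events: Iterable[Event]) -> Dict[str, int]:
    counts = Counter(classify(e) for e in events)
    return {k: counts.get(k, 0) for k in ("TP", "FP", "FN", "TN")}


def metrics(cm: Dict[str, int]) -> Dict[str, float]:
    """Precision, recall and false-positive rate; zero denominators yield 0.0."""
    tp, fp, fn, tn = cm["TP"], cm["FP"], cm["FN"], cm["TN"]

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    return {
        "precision": ratio(tp, tp + fp),            # share of alarms that were real attacks
        "recall": ratio(tp, tp + fn),               # share of attacks that raised an alarm
        "false_positive_rate": ratio(fp, fp + tn),  # share of benign events that alarmed
    }


def filter_alarms(events: Iterable[Event], suppressed_signatures: Iterable[str]) -> List[Event]:
    """Alarm filtering: drop alarms produced by signatures judged to be noise.

    Suppression is applied before the events are scored, so a real attack that was
    only caught by a suppressed signature turns into a false negative.
    """
    suppressed = set(suppressed_signatures)
    return [
        replace(e, alarmed=False) if e.alarmed and e.signature in suppressed else e
        for e in events
    ]


def evaluate(events: Iterable[Event]) -> Dict[str, object]:
    cm = confusion_matrix(events)
    return {"counts": cm, "metrics": metrics(cm)}


if __name__ == "__main__":
    print("unfiltered:", evaluate(SAMPLE_EVENTS))
    print("noisy-sig suppressed:", evaluate(filter_alarms(SAMPLE_EVENTS, ["noisy-sig"])))
```

Running the script scores the constructed sample twice: unfiltered, three of the six alarms are real (precision 0.5) and three of the four attacks are caught (recall 0.75); after suppressing `noisy-sig`, precision rises to two thirds and the false-positive rate falls from 0.6 to 0.2, but recall drops to 0.5 because event `e5` was a genuine attack that only the suppressed signature had flagged. That trade-off is exactly what the "confidence value" an organization assigns to an IDS has to account for.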