Threat Detection

Detection is difficult because of false positives. Detection theory tells us:

If we have no false positives, then we detect nothing.
If we have no false negatives, then everything seems positive.

We want a high detection rate but a low false positive rate.

Honeypots are expected to be probed and attacked. They carry no legitimate traffic, so every connection attempt is dubious.
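
The trade-off above, worked through as an added example (not part of the original notes): a threshold detector swept over anomaly scores, followed by the honeypot case where the benign set is empty. The scores, the function names and the 0.10 false-positive budget are all constructed for illustration, and the two score sets are deliberately made to overlap completely.

```python
# Constructed anomaly scores (0..1) for labelled events; not real data.
# The two classes overlap completely: a benign event has the highest score
# and a malicious event has the lowest.
BENIGN = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.55, 0.70, 0.95]
MALICIOUS = [0.05, 0.40, 0.60, 0.75, 0.80, 0.90]


def confusion(threshold, benign, malicious):
    """Alert when score >= threshold; return (TP, FP, FN, TN)."""
    tp = sum(s >= threshold for s in malicious)
    fp = sum(s >= threshold for s in benign)
    return tp, fp, len(malicious) - tp, len(benign) - fp


def rates(threshold, benign=BENIGN, malicious=MALICIOUS):
    """Return (detection_rate, false_positive_rate) at a threshold."""
    tp, fp, fn, tn = confusion(threshold, benign, malicious)
    dr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0  # no benign traffic: no FPs possible
    return dr, fpr


def sweep(benign=BENIGN, malicious=MALICIOUS):
    """Try every observed score as the threshold, plus one above the maximum."""
    cuts = sorted(set(benign) | set(malicious)) + [1.01]
    return [(t, *rates(t, benign, malicious)) for t in cuts]


def best_under_fpr(max_fpr, benign=BENIGN, malicious=MALICIOUS):
    """Threshold with the highest detection rate whose FPR stays <= max_fpr."""
    ok = [(dr, t) for t, dr, fpr in sweep(benign, malicious) if fpr <= max_fpr]
    dr, t = max(ok, key=lambda p: (p[0], -p[1]))
    return t, dr


if __name__ == "__main__":
    for t, dr, fpr in sweep():
        print(f"threshold={t:.2f}  detection={dr:.2f}  false_pos={fpr:.2f}")
    print("best (threshold, detection) at FPR <= 0.10:", best_under_fpr(0.10))
    # Honeypot: no legitimate traffic, so alerting on everything costs no FPs.
    print("honeypot (detection, false_pos):", rates(0.0, benign=[]))
```

On this data the only threshold with zero false positives detects nothing, the only threshold with zero false negatives flags every event, and the honeypot case reaches full detection with no false positives because there is no benign traffic to misclassify.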