Overview of Intrusion Detection and Prevention
Types of alarms

By definition, every IDS must generate some type of alarm to signal when intrusive activity has been detected on the network. No IDS, however, is 100 percent accurate. This inaccuracy means that an IDS will generate some alarms that do not correspond to actual intrusive activity, and will sometimes fail to alarm when an actual attack occurs. IDS alarms fall into two broad categories: false alarms and true alarms.

False Alarms
The first broad category of IDS alarms is known as false alarms. These alarms represent situations in which the IDS fails to accurately indicate what is happening on the network. False alarms fall into two major categories. These categories are false positives and false negatives.

False Positives
One of the most common terms associated with IDS alarms is a false positive. False positives occur when the IDS generates an alarm based on normal network activity. False positives force administrators to waste time and resources analyzing phantom attacks. Over time, these false positives can also desensitize security personnel so that when a real alarm comes in, it is ignored or slowly processed. A good analogy is a home burglar alarm that goes off accidentally. Each time it goes off, the police respond. If there are too many false alarms, the police may impose a fine. Also, after numerous false alarms, police response time could diminish significantly.

False Negatives
When the IDS fails to generate an alarm for known intrusive activity, it is called a false negative. False negatives represent actual attacks that the IDS missed even though it has a signature intended to detect them. Most IDS developers design their signatures to minimize false negatives, but it is very difficult to eliminate them entirely. False negatives represent a serious risk to network security because they allow an attacker to launch an attack against the network undetected.

A situation in which a specific attack does not generate the appropriate alarm usually represents a software bug in the signature. Before reporting it to the vendor through their reporting policy, the administrator needs to rule out the other common causes of a missed alarm: the IDS was saturated with traffic and dropping packets, the attack traffic never actually crossed the monitored segment, or the signature had been disabled or tuned out during earlier false-positive reduction.

True Alarms
The second broad category of IDS alarms is known as true alarms. These alarms represent situations in which the IDS accurately indicates what is happening on the network. True alarms also fall into two major categories. These categories are true positives and true negatives.

True Positives
A true positive is the correct counterpart of a false negative: the IDS generates an alarm because it actually detected the attack traffic that a signature is designed to detect. In an ideal world, 100 percent of the alarms generated by an IDS would be true positives, meaning that every alarm corresponds to an actual attack against the network. To be effective, the number of attacks missed by an IDS should be extremely low. In most cases, it is preferable to have a signature generate a small number of false positives instead of letting any actual attacks get through undetected.

True Negatives
The last alarm classification is a true negative. Like false negatives, true negatives are not alarms at all; a true negative is the situation in which an IDS signature correctly stays silent while examining normal user traffic. This makes a true negative the correct counterpart of a false positive. When IDS signatures are well written, they rarely generate alarms on normal user activity. On the other hand, poorly written or poorly tuned signatures can lead to numerous false positives, and if the IDS generates too many of them, its credibility with the people who respond to its alarms begins to suffer.
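The four categories above form a confusion matrix, and the rates derived from it are what an administrator actually tunes on. The following is an added example, not code from the original text or from any IDS vendor: it classifies a constructed set of events with known ground truth, computes the detection rate, false positive rate and alarm precision, and then projects what those rates mean at production traffic volumes. The event descriptions, counts and volumes are all made-up sample data.

```python
# Added example: classify IDS verdicts against ground truth and derive the
# rates an analyst tunes on. All sample data below is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Event:
    """One monitored event with its ground truth and the sensor's verdict."""
    description: str
    is_attack: bool   # ground truth: was this really intrusive activity?
    alarmed: bool     # did the IDS signature fire on it?


def classify(event: Event) -> str:
    """Map one event to one of the four alarm categories."""
    if event.is_attack and event.alarmed:
        return "true_positive"      # attack present, alarm raised (correct)
    if event.is_attack and not event.alarmed:
        return "false_negative"     # attack present, no alarm (missed attack)
    if not event.is_attack and event.alarmed:
        return "false_positive"     # normal traffic, alarm raised (phantom attack)
    return "true_negative"          # normal traffic, no alarm (correct)


def confusion_counts(events: Iterable[Event]) -> Dict[str, int]:
    """Count how many events fall into each of the four categories."""
    counts = {"true_positive": 0, "false_negative": 0,
              "false_positive": 0, "true_negative": 0}
    for event in events:
        counts[classify(event)] += 1
    return counts


def _ratio(numerator: float, denominator: float) -> float:
    return numerator / denominator if denominator else 0.0


def rates(counts: Dict[str, int]) -> Dict[str, float]:
    """Derive the rates that describe a signature's accuracy."""
    tp, fn = counts["true_positive"], counts["false_negative"]
    fp, tn = counts["false_positive"], counts["true_negative"]
    return {
        # fraction of real attacks that raised an alarm (1 minus the false negative rate)
        "detection_rate": _ratio(tp, tp + fn),
        # fraction of normal events that raised a phantom alarm
        "false_positive_rate": _ratio(fp, fp + tn),
        # fraction of the alarms an analyst sees that are real: the queue's credibility
        "alarm_precision": _ratio(tp, tp + fp),
    }


def expected_daily_alarms(attacks_per_day: float, normal_events_per_day: float,
                          detection_rate: float, false_positive_rate: float) -> Dict[str, float]:
    """Project the alarm queue an analyst faces once the rates meet production volume."""
    true_alarms = attacks_per_day * detection_rate
    false_alarms = normal_events_per_day * false_positive_rate
    return {
        "true_positives": true_alarms,
        "false_positives": false_alarms,
        "alarm_precision": _ratio(true_alarms, true_alarms + false_alarms),
    }


# Constructed sample of ten events with known ground truth (not real captures).
SAMPLE_EVENTS = [
    Event("SQL injection probe against the login form", is_attack=True, alarmed=True),
    Event("Port sweep from an external host", is_attack=True, alarmed=True),
    Event("Known exploit payload in an HTTP POST body", is_attack=True, alarmed=True),
    Event("Same exploit fragmented so the signature never matched", is_attack=True, alarmed=False),
    Event("Oversized but legitimate DNS reply matched an overflow signature", is_attack=False, alarmed=True),
    Event("Routine HTTPS session to the mail server", is_attack=False, alarmed=False),
    Event("Scheduled backup transfer over SSH", is_attack=False, alarmed=False),
    Event("Software update download", is_attack=False, alarmed=False),
    Event("NTP synchronisation", is_attack=False, alarmed=False),
    Event("Internal file share browsing", is_attack=False, alarmed=False),
]


if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_EVENTS)
    print("counts:", counts)
    print("rates:", rates(counts))
    # Even a far better false positive rate than the sample (1 in 10,000) swamps
    # the queue at realistic volume: 20 attacks/day against 10 million normal events.
    print("projected:", expected_daily_alarms(20, 10_000_000, 0.75, 0.0001))
```

The projection is the point of the exercise: at a false positive rate of 0.01 percent and ten million normal events a day, the analyst still sees roughly a thousand phantom alarms for every fifteen real ones, which is exactly how a signature loses credibility even though its per-event accuracy looks excellent.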