By definition, every IDS must generate some type of alarm to signal when
intrusive activity has been detected on the network. No IDS, however, is 100
percent accurate. This inaccuracy means that an IDS will generate some alarms
that do not correspond to actual intrusive activity, and potentially fail to
alarm when an actual attack occurs. IDS alarms fall into two broad categories:
false alarms and true alarms.
False Alarms
The first broad category of IDS alarms is known as false alarms.
These alarms represent situations in which the IDS fails to accurately indicate
what is happening on the network. False alarms fall into two major categories.
These categories are false positives and false negatives.
False Positives
One of the most common terms associated with IDS
alarms is a false positive. False positives occur when the IDS generates an
alarm based on normal network activity. False positives force administrators to
waste time and resources analyzing phantom attacks. Over time, these false
positives can also desensitize security personnel so that when a real alarm
comes in, it is ignored or slowly processed. A good analogy is a home burglar
alarm that goes off accidentally. Each time it goes off, the police respond. If
there are too many false alarms, the police may impose a fine. Also, after
numerous false alarms, police response time could diminish significantly.
False Negatives
When the IDS fails to generate an alarm for known
intrusive activity, it is called a false negative. False negatives represent
actual attacks that the IDS missed even though it is programmed to detect the
attack. Most IDS developers tend to design their systems to prevent false
negatives. It is very difficult, however, to totally eliminate false negatives.
Nevertheless, false negatives represent a serious risk to network security
because they enable an attacker to launch an attack against the network
undetected.
A situation in which a specific attack does not generate the
appropriate alarm usually represents a software bug. Before reporting this to
the vendor using their reporting policy, the administrator needs to make sure
that the false negative was not generated because the IDS is saturated with
traffic and dropping packets.
True Alarms
The second broad category of IDS alarms is known as
true alarms. These alarms represent situations in which the IDS accurately
indicates what is happening on the network. True alarms also fall into two
major categories. These categories are true positives and true negatives.
True Positives
The opposite of a false negative alarm is a true
positive alarm. In the case of true positives, the IDS generates an alarm
correctly in response to actually detecting the attack traffic that a signature
is designed to detect. In an ideal world, 100 percent of the alarms generated
by an IDS would be true positives, meaning that every alarm corresponds to an
actual attack against the network. To be effective, the number of attacks
missed by an IDS should be extremely low. In most cases, it is preferable to
have a signature generate a small number of false positives instead of letting
any actual attacks get through undetected.
True Negatives
The last alarm classification is a true negative. Like false negatives, true
negatives do not represent actual alarms that are generated by the IDS.
Instead, a true negative represents a situation in which an IDS signature does
not alarm when it is examining normal user traffic. This is the correct
behavior. This makes a true negative the opposite of a false positive. When IDS
signatures are well written, they do not frequently generate alarms on normal
user activity. On the other hand, poorly written or poorly tuned signatures can
lead to numerous false positives. Again, in an ideal world, normal user traffic
would not cause an IDS to generate an alarm, but false positives do occur. If
the IDS generates too many false positives, its credibility begins to
suffer.
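The four classifications above are the cells of a confusion matrix, and the
operational figures an administrator tunes against (detection rate, false
positive rate, precision) all fall out of it. The following example is added
here and is not part of the original text or of any particular IDS product. It
assumes a constructed list of analyst-labelled events, each carrying the ground
truth (attack or normal traffic), the IDS decision (alarm or no alarm), and a
hypothetical sensor packet-drop percentage, which is used to separate false
negatives that may be caused by a saturated sensor from those worth reporting
to the vendor as a possible bug.

```python
"""Classify IDS alarm outcomes against analyst ground truth.

Added example, not from the original text. All events are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    is_attack: bool           # ground truth: was this real intrusive activity?
    alarm_raised: bool        # did the IDS generate an alarm for it?
    sensor_drop_pct: float = 0.0  # hypothetical sensor packet-drop % (assumed field)


def classify(ev: Event) -> str:
    """Map one event onto the four-way taxonomy: TP, FN, FP or TN."""
    if ev.is_attack and ev.alarm_raised:
        return "true_positive"       # attack, and the IDS alarmed: correct
    if ev.is_attack and not ev.alarm_raised:
        return "false_negative"      # attack missed: the dangerous case
    if not ev.is_attack and ev.alarm_raised:
        return "false_positive"      # normal traffic, phantom alarm
    return "true_negative"           # normal traffic, silence: correct


def confusion_counts(events) -> Counter:
    """Count how many events land in each of the four cells."""
    return Counter(classify(e) for e in events)


def rates(counts: Counter) -> dict:
    """Derive the figures an administrator tunes against.

    detection_rate:      share of real attacks that produced an alarm
    false_positive_rate: share of normal traffic that produced an alarm
    precision:           share of alarms that corresponded to a real attack
    """
    tp = counts["true_positive"]
    fp = counts["false_positive"]
    fn = counts["false_negative"]
    tn = counts["true_negative"]

    def ratio(num, den):
        return num / den if den else 0.0

    return {
        "detection_rate": ratio(tp, tp + fn),
        "false_positive_rate": ratio(fp, fp + tn),
        "precision": ratio(tp, tp + fp),
    }


def suspect_saturation(events, drop_threshold_pct: float = 1.0) -> list:
    """Return false negatives seen while the sensor was dropping packets.

    The text recommends ruling out sensor saturation before reporting a
    missed attack to the vendor; these event ids should be re-tested under
    normal load first. The 1.0 % threshold is an assumed tuning value.
    """
    return [
        e.event_id
        for e in events
        if classify(e) == "false_negative" and e.sensor_drop_pct >= drop_threshold_pct
    ]


def report_candidates(events, drop_threshold_pct: float = 1.0) -> list:
    """False negatives that occurred with a healthy sensor: possible signature bugs."""
    return [
        e.event_id
        for e in events
        if classify(e) == "false_negative" and e.sensor_drop_pct < drop_threshold_pct
    ]


# Constructed sample: five real attacks and five normal sessions.
SAMPLE_EVENTS = [
    Event("e01", is_attack=True, alarm_raised=True),
    Event("e02", is_attack=True, alarm_raised=True, sensor_drop_pct=0.2),
    Event("e03", is_attack=True, alarm_raised=True),
    Event("e04", is_attack=True, alarm_raised=False),                   # FN, sensor healthy
    Event("e05", is_attack=True, alarm_raised=False, sensor_drop_pct=12.5),  # FN under load
    Event("e06", is_attack=False, alarm_raised=True),                   # FP
    Event("e07", is_attack=False, alarm_raised=False),
    Event("e08", is_attack=False, alarm_raised=False),
    Event("e09", is_attack=False, alarm_raised=False),
    Event("e10", is_attack=False, alarm_raised=False),
]

if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_EVENTS)
    print(dict(counts))
    print(rates(counts))
    print("re-test under normal load:", suspect_saturation(SAMPLE_EVENTS))
    print("report to vendor:", report_candidates(SAMPLE_EVENTS))
```

With the constructed sample the matrix is 3 true positives, 2 false negatives,
1 false positive and 4 true negatives, giving a detection rate of 0.6, a false
positive rate of 0.2 and a precision of 0.75. Only e04 is a reporting
candidate; e05 was missed while the sensor reported heavy packet loss and is
queued for re-testing instead, which is the check the text asks for before
involving the vendor.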