© SANS Institute 2008, Author retains full rights.
Network IDS & IPS Deployment Strategies
false alarms, alerts tend not to be taken seriously. On the other side of the spectrum, if the IDS rarely alerts on malicious traffic, it leads one to wonder if it is working at all. Tuning an IDS is somewhat of an art, a balancing act between four points of concern. These four points are true positives, false positives, true negatives and false negatives. Table 1 shows their relationship:
Table 1: Relationship of event categories.
The ideal tuning of an IDS maximizes instances of events categorized in the cells
with a shaded background.
True positives occur when the system alerts on intrusion attempts or other malicious activity. False negatives are somewhat of a null situation but are important nonetheless. The false negative consists of the system failing to alert on malicious traffic. At times many people have trouble remembering what each of the four event categories is. An analogy helps.
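As an added illustration of the balancing act described above (example code, not from the paper), the script below scores constructed sample events against a hypothetical alert threshold, tallies each into one of the four categories, and sweeps the threshold to show false positives and false negatives trading off against each other.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One observed flow with the analyst's ground truth (constructed sample)."""
    src: str
    score: int       # hypothetical detector score, 0-100 (assumption)
    malicious: bool  # ground truth established after the fact

# Constructed sample events: three malicious, four benign.
SAMPLE_EVENTS = [
    Event("10.0.0.5", 95, True),
    Event("10.0.0.7", 60, True),
    Event("10.0.0.9", 35, True),
    Event("10.0.1.2", 80, False),
    Event("10.0.1.3", 50, False),
    Event("10.0.1.4", 20, False),
    Event("10.0.1.6", 10, False),
]

CATEGORIES = ("true_positive", "false_positive", "true_negative", "false_negative")

def categorize(event: Event, threshold: int) -> str:
    """Map one event to its category: did we alert, and should we have?"""
    alerted = event.score >= threshold
    if alerted and event.malicious:
        return "true_positive"     # fire, alarm sounds
    if alerted and not event.malicious:
        return "false_positive"    # no fire, alarm sounds
    if not alerted and event.malicious:
        return "false_negative"    # fire, alarm silent
    return "true_negative"         # no fire, alarm silent

def tally(events, threshold: int) -> dict:
    """Count events in each category at a given alert threshold."""
    counts = {c: 0 for c in CATEGORIES}
    for event in events:
        counts[categorize(event, threshold)] += 1
    return counts

def sweep(events, thresholds) -> dict:
    """Tally at several thresholds; lowering it trades false negatives for false positives."""
    return {t: tally(events, t) for t in thresholds}

if __name__ == "__main__":
    for threshold, counts in sweep(SAMPLE_EVENTS, (90, 70, 30)).items():
        print(f"threshold {threshold:>2}: {counts}")
```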
Imagine the life cycle of a schoolhouse fire alarm. Using this analogy to describe the four categories is perhaps an easier method of understanding the distinctions. A true positive would then be analogous to a burning schoolhouse and the alarm sounding. This, after all, is the intended purpose of the schoolhouse fire alarm. The false negative occurs when the schoolhouse has an actual fire yet the fire
Nicholas Pappas