09 December 2010

Tuning False Alarms

Triggering mechanisms can generate alarms that are false positives or false negatives. These alarms must be addressed when implementing an IPS sensor.

A false positive alarm is an expected but undesired result. A false positive occurs when an intrusion system generates an alarm after processing normal user traffic that should not have resulted in an alarm. Investigating false positives consumes time that a security analyst would otherwise spend examining actual intrusive activity on the network. When this occurs, the administrator must tune the IPS so that these alarm types become true negatives. A true negative describes a situation in which normal network traffic does not generate an alarm.

A false negative occurs when an intrusion system fails to generate an alarm after processing attack traffic that the intrusion system is configured to detect. It is imperative that the intrusion system does not generate false negatives, because a false negative means that known attacks are not being detected. The goal is to render these alarm types as true positives. A true positive describes a situation in which an intrusion system generates an alarm in response to known attack traffic.
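As an added example (not part of the original post), the following Python model counts the four outcomes against analyst-labelled traffic and shows why a tuning exception should be scoped to the host that causes the false positive rather than disabling the signature sensor-wide. The events, addresses and signature name are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    src: str                  # source address of the traffic
    signature: Optional[str]  # signature that fired on the sensor, or None if no alarm
    malicious: bool           # ground truth from analyst review (constructed labels)

def classify(alarmed: bool, malicious: bool) -> str:
    """Map one (alarm, ground truth) pair to its confusion-matrix outcome."""
    if alarmed and malicious:
        return "true_positive"
    if alarmed and not malicious:
        return "false_positive"
    if not alarmed and malicious:
        return "false_negative"
    return "true_negative"

def evaluate(events, suppress=frozenset()) -> Counter:
    """Count outcomes for a sensor whose tuning suppresses the given
    (signature, source) pairs; a source of '*' disables the signature globally."""
    counts = Counter()
    for e in events:
        fired = e.signature is not None
        suppressed = (e.signature, e.src) in suppress or (e.signature, "*") in suppress
        counts[classify(fired and not suppressed, e.malicious)] += 1
    return counts

# Constructed sample: a backup server whose polling looks like a port sweep,
# a real external scan, ordinary browsing, and an attack with no signature.
EVENTS = [
    Event("10.0.0.5", "port-sweep", False),
    Event("10.0.0.5", "port-sweep", False),
    Event("203.0.113.9", "port-sweep", True),
    Event("10.0.0.7", None, False),
    Event("10.0.0.7", None, False),
    Event("198.51.100.4", None, True),
]

UNTUNED = evaluate(EVENTS)                                        # 2 FP, 1 TP, 2 TN, 1 FN
HOST_SCOPED = evaluate(EVENTS, {("port-sweep", "10.0.0.5")})      # FPs become TNs, TP kept
GLOBAL_DISABLE = evaluate(EVENTS, {("port-sweep", "*")})          # FPs gone, but a new FN

if __name__ == "__main__":
    for name, c in (("untuned", UNTUNED), ("host-scoped", HOST_SCOPED), ("global", GLOBAL_DISABLE)):
        print(name, dict(c))
```

The host-scoped exception turns the two false positives into true negatives while the true positive survives; disabling the signature outright removes the false positives but converts the real scan into a false negative, the outcome the text warns against.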

biOos