How IDS, IPS detect malicious traffic: true/false? – HyperHCI.com

It can be confusing how an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) detect malicious traffic on the network and why they generate true positive, true negative, false positive and false negative alerts.

There are FOUR types of IDS/IPS events: TWO are expected and TWO are not expected:

  • True positive
  • True negative
  • False positive
  • False negative

Example: Understanding TRUE / FALSE with binary values

To keep it simple, let’s understand the four types of IDS/IPS traffic events with the following convention. Suppose:

Traffic is predicted as:
(0) “Positive” means malicious traffic, denoted by “1”
(1) “Negative” means normal traffic, denoted by “0”

The actual (real) traffic result is TRUE/FALSE:
(1) TRUE, denoted by “1”
(0) FALSE, denoted by “0”

Map the predicted events and the actual results to 1 and 0 as follows.

Let’s understand it with the following example:

  • Expected result – GOOD RESULT
    • True positive (1 = 1) –> Malicious traffic attack is TRUE, alert generated!
    • True negative (1 = 0) –> No malicious traffic and no alert
  • Unexpected result – BAD RESULT
    • False positive (0 = 1) –> No malicious traffic, but a false alert was generated
    • False negative (0 = 0) –> Malicious traffic attack is TRUE, but no alert was generated.

The goal of an IDS/IPS is to produce only TRUE POSITIVES and TRUE NEGATIVES, but most IDS/IPS produce FALSE POSITIVES and FALSE NEGATIVES as well.

The expected results of IDS/IPS (GOOD result)

IDS/IPS are designed to produce the following TWO results, which are considered good results; anything other than these is considered a BAD result and is not acceptable.

TRUE POSITIVE (1 = 1): The IDS/IPS software/device predicts the network traffic as “Malicious Traffic (1)” and the value resulting from the post-analysis is TRUE (1): the IDS/IPS generates an attack alert.

Summary: The predicted malicious traffic (1) arrived and subsequent analysis found TRUE (1). The formula is (1 = 1: an attack is occurring (TRUE)).

TRUE NEGATIVE (1 = 0): The IDS/IPS software/device predicts the network traffic as “Malicious Traffic (1)” and the value resulting from the post-analysis is FALSE (0): the IDS/IPS does not generate any alert.

Summary: The predicted malicious traffic (1) arrived and subsequent analysis returned FALSE (0). The formula is (1 = 0: no attack is taking place (FALSE)).

Unexpected IDS/IPS results (BAD result)

IDS/IPS are not designed to produce the following TWO results; they are considered BAD and unexpected/unwanted results, which waste resources and are dangerous for any organization.

FALSE POSITIVE (0 = 1): The IDS/IPS software/device predicts the network traffic as “malicious traffic (1)” and the value resulting from the post-analysis is FALSE (0), meaning it is normal traffic that was detected as an attack. The IDS/IPS generates a fake attack alert.

Summary: Predicted malicious traffic (1) arrived and post-analysis found FALSE (0). The formula is (0 = 1: an attack is not happening (FALSE) but was detected as an attack).

Impact: Waste of time and resources, as the SOC team spends time investigating non-malicious events.

FALSE NEGATIVE (0 = 0): The IDS/IPS software/device predicts the network traffic as “normal traffic (0)” and the value resulting from the post-analysis is FALSE (0): the IDS/IPS does not generate any alert.

Summary: Predicted normal traffic (0) arrived and post-analysis found FALSE (0). The formula is (0 = 0: an attack is occurring but was not detected as an attack).

Impact: Arguably the worst-case/most dangerous scenario, where the IDS/IPS actually fails by neither detecting nor preventing the real malicious traffic/attack.
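The four event types above worked through in code, as an added example that is not part of the original post: it classifies a small constructed set of IDS/IPS verdicts against their post-analysis ground truth (1 = malicious/alert, 0 = normal/no alert, following the mapping above), counts the four event types, and derives the detection rate and false-positive rate a SOC would track when tuning a sensor. The event records and flow labels are constructed sample data, not captured traffic.

```python
from collections import Counter

EVENT_TYPES = ("true_positive", "true_negative", "false_positive", "false_negative")

# Constructed sample data (not real traffic): one record per flow with the IDS/IPS
# verdict ("alert": 1 = predicted malicious/positive, 0 = predicted normal/negative)
# and the ground truth found by post-analysis ("malicious": 1 = real attack, 0 = normal).
SAMPLE_EVENTS = [
    {"flow": "10.0.0.5->203.0.113.7:445", "alert": 1, "malicious": 1},
    {"flow": "10.0.0.8->198.51.100.2:443", "alert": 0, "malicious": 0},
    {"flow": "10.0.0.9->198.51.100.9:80", "alert": 1, "malicious": 0},
    {"flow": "10.0.0.3->203.0.113.4:22", "alert": 0, "malicious": 1},
    {"flow": "10.0.0.2->198.51.100.2:443", "alert": 0, "malicious": 0},
    {"flow": "10.0.0.7->203.0.113.9:3389", "alert": 1, "malicious": 1},
]

def classify(alert: int, malicious: int) -> str:
    """Map one (IDS verdict, actual outcome) pair onto the four event types."""
    if alert and malicious:
        return "true_positive"      # attack happened, alert fired: good
    if not alert and not malicious:
        return "true_negative"      # normal traffic, no alert: good
    if alert and not malicious:
        return "false_positive"     # normal traffic, fake alert: wasted SOC time
    return "false_negative"         # attack happened, no alert: missed attack

def confusion_counts(events) -> dict:
    """Count how many events fall into each of the four types."""
    counts = Counter(classify(e["alert"], e["malicious"]) for e in events)
    return {t: counts.get(t, 0) for t in EVENT_TYPES}

def rates(counts: dict) -> dict:
    """Detection rate = TP / all real attacks; false-positive rate = FP / all normal flows."""
    tp, tn, fp, fn = (counts[t] for t in EVENT_TYPES)
    attacks, normal = tp + fn, tn + fp
    return {
        "detection_rate": tp / attacks if attacks else 0.0,
        "false_positive_rate": fp / normal if normal else 0.0,
    }

def missed_attacks(events) -> list:
    """False negatives are the dangerous case: return the flows the IDS let through."""
    return [e["flow"] for e in events if classify(e["alert"], e["malicious"]) == "false_negative"]

if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_EVENTS)
    print(counts, rates(counts), "missed:", missed_attacks(SAMPLE_EVENTS))
```

On the sample set this gives 2 true positives, 2 true negatives, 1 false positive and 1 false negative, so a detection rate of 2/3 and a false-positive rate of 1/3; the listed missed flow is the one that needs a new or tuned signature.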

Hopefully, how IDS/IPS detect malicious traffic and generate alerts, that is, the True Positive, True Negative, False Positive and False Negative concept, is now clear to everyone.

Thanks for being with the HyperHCI Technology Blog. Stay attentive and continue learning until your last breath!
