Recently I was thinking about IPS alarms and remembered the time I spent trying to distinguish between the various types of IPS events. There are four event categories, and many people have trouble telling them apart. This is going to be a short post.
We can categorize events into “trues” and “falses”, so we have:
- True positives
- True negatives
- False positives
- False negatives
Keep two things in mind before going through each of the four categories. “Positive” and “negative” describe what the IPS did (a signature fired, or it did not); “true” and “false” describe whether that was the right call:
- Trues are generally a good thing: the IPS got it right. Either a signature fired on offending traffic, or it did not fire on regular, non-malicious traffic.
- Falses, on the other hand, are not a good thing: the IPS got it wrong. Either a signature did not fire when it should have, or it fired when it should not have.
So here is what those categories are:
- True positive is a good thing. An intrusion did happen and the IPS reacted to it. This is the normal, expected behaviour.
- True negative is even better. No intrusion happened and the IPS took no action. This is ordinary traffic flowing through, and it should make up the vast majority of what an IPS sees. This is also normal.
- False positive is a bad thing, though a less severe one. There is no intrusion; normal user traffic has matched a signature and triggered an alarm. At best this floods the logs and wears down the analysts reading them; on an inline IPS it drops legitimate user traffic. This is NOT normal, and it is the category that signature tuning usually targets.
- False negative is the worst case. An intrusion did happen and the IPS missed it completely. By definition it never shows up in the IPS console; it only comes to light through other telemetry, an incident, or retrospective hunting, which is why you cannot measure it from IPS logs alone. This is also NOT normal.
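The four categories are easiest to see when a detector's verdicts are compared against known ground truth. Below is an added example, not code from the original post: a toy IPS signature for SQL injection in HTTP request lines, run over a constructed, labelled sample, first in a naive form and then in a tuned form. The request lines, their labels and both rules are assumptions made for illustration, not real IPS signatures.

```python
"""Toy IPS signature evaluated against labelled traffic.

Added example, not code from the original post. The request lines and their
ground-truth labels below are constructed for illustration; the signatures
are deliberately simple and are not real IPS rules.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: (HTTP request line, is it really an attack?)
SAMPLES = [
    ("GET /index.html HTTP/1.1", False),
    ("POST /login HTTP/1.1", False),
    ("GET /search?q=shoes HTTP/1.1", False),
    # Real SQL injection attempt, with '+' standing in for spaces.
    ("GET /search?q=x'+UNION+SELECT+user,pass+FROM+users-- HTTP/1.1", True),
    # Benign documentation lookup that happens to contain the keywords.
    ("GET /docs/sql-tutorial?topic=UNION+SELECT+basics HTTP/1.1", False),
    # Same attack as above, percent-encoded to slip past naive matching.
    ("GET /search?q=x'%20%55NION%20%53ELECT%20user,pass%20FROM%20users-- HTTP/1.1", True),
    # Numeric-context injection: no quote character involved.
    ("GET /item?id=1+UNION+SELECT+user,pass+FROM+users-- HTTP/1.1", True),
]

# Naive signature: keyword match on the raw request line, no decoding.
NAIVE_RULE = re.compile(r"union\W+select", re.IGNORECASE)

# Tuned signature: applied after decoding, and requiring a quote character
# before the keywords so that a plain keyword lookup does not fire.
TUNED_RULE = re.compile(r"['\"][^&]*\bunion\s+select\b", re.IGNORECASE)


def naive_ips(request_line: str) -> bool:
    """Return True if the naive signature fires (the IPS 'positive')."""
    return NAIVE_RULE.search(request_line) is not None


def tuned_ips(request_line: str) -> bool:
    """Decode percent/plus encoding first, then apply the context-aware rule."""
    decoded = unquote_plus(request_line)
    return TUNED_RULE.search(decoded) is not None


def classify(fired: bool, malicious: bool) -> str:
    """Map (IPS verdict, ground truth) onto the four categories."""
    if fired and malicious:
        return "TP"
    if not fired and not malicious:
        return "TN"
    if fired and not malicious:
        return "FP"
    return "FN"


def confusion_matrix(detector, samples):
    """Count TP/TN/FP/FN for a detector over labelled samples."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for line, malicious in samples:
        counts[classify(detector(line), malicious)] += 1
    return counts


def metrics(counts):
    """Precision, recall (detection rate) and false-positive rate."""
    tp, tn, fp, fn = (counts[k] for k in ("TP", "TN", "FP", "FN"))
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    for name, detector in (("naive", naive_ips), ("tuned", tuned_ips)):
        counts = confusion_matrix(detector, SAMPLES)
        print(name, counts, metrics(counts))
```

On this sample the naive rule produces one false positive (the tutorial URL) and one false negative (the percent-encoded attack). Decoding before matching removes that false negative, and requiring a quote removes the false positive, but the same tuning turns the numeric-context injection into a new false negative. That is the trade-off behind every signature change: tightening a rule to silence false positives can open a gap that, by the nature of false negatives, the IPS logs will never show you.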