Monday, October 18, 2010

Confused with Alerts Terminology?

Are you also confused by IPS alert terminology, or do you sometimes mix up false positives, true negatives and the rest? There are four terms to keep apart:
  • False Positive
  • False Negative
  • True Positive
  • True Negative
These are the four outcomes that any alert/alarm/event or notification can fall into. Before I explain each of them, let's break the terminology into its two parts so that it is easy to remember what's what.

~~~~~~~~~     ##############
False/True    --  Positive/Negative
~~~~~~~~~     ##############

>> False/True : This part says whether the device's verdict was correct. True is the good condition, where the device (IPS) did what an admin would expect. False means the device got it wrong, which is the condition an admin does not want.

>> Positive/Negative : This part says whether an alert/event was raised or not. Positive means an alert was raised/generated. Negative means no alert was raised/generated.

False Positive : Regular or benign traffic was wrongly recognized as attack traffic or offending packets, and an alarm was raised. [When an IPS generates a false positive and blocking is configured for that signature, the major concern is that legitimate traffic gets blocked; many organizations consider blocking legitimate traffic a much more serious problem than generating false alerts.]

True Positive : Device correctly recognized the attack pattern, attack traffic or packets, and an alert was raised.
[This is the strength of any IPS and depends on which signatures are available and enabled. It becomes the selling point for many deals.]

False Negative : Device failed to recognize attack traffic or offending packets, and no alert was raised by the IPS.
[This is the worst of all: it can be a deal breaker initially [PoC], and a waste of cost/time if the device is deployed but not configured correctly to avoid false negatives. Unlike a false positive, a false negative produces nothing to notice at the time, so it is usually discovered only after the fact.]

True Negative : Normal or non-offending traffic for which no alert is raised.
[Regular benign traffic, correctly left alone.]

If you have any better technique or suggestions, do share them in the comments.

Dream Scenario : As an IPS/WIPS admin/operator, your target should be to get rid of the False (Positive + Negative)s and reach a state where every alert is either a True Positive or a True Negative. In practice the two pull against each other: loosening a signature to cut false negatives usually adds false positives, and tightening it to cut false positives usually adds false negatives, so tuning is a trade-off rather than a one-time fix.
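The four outcomes above, and the trade-off behind the dream scenario, as an added example that is not part of the original post. The traffic lines and the two toy regex "signatures" are constructed for illustration (they are not real IPS signatures or captured traffic). The script runs each signature over labelled traffic, files every verdict as TP/FP/TN/FN using the False/True and Positive/Negative split explained above, and derives detection rate, precision and false-positive rate. The broad signature catches every attack but also fires on benign requests; the narrow one never fires on benign traffic but misses two attack variants.

```python
"""Confusion-matrix bookkeeping for IPS alerts.

Added example, not code from the original post. The traffic samples and
the two toy "signatures" are constructed for illustration only; they are
not real IPS signatures or captured traffic.
"""
import re
from collections import Counter

# Constructed sample traffic: (payload, is_attack). is_attack is the ground
# truth an analyst would assign after investigating the event.
SAMPLE_TRAFFIC = [
    ("GET /search?q=' OR 1=1 -- HTTP/1.1", True),
    ("GET /search?q=' OR 2=2 -- HTTP/1.1", True),
    ("GET /search?q=admin'-- HTTP/1.1", True),
    ("GET /search?q=select+a+colour HTTP/1.1", False),
    ("POST /mail body=please select or reply by Friday", False),
    ("GET /index.html HTTP/1.1", False),
    ("GET /images/logo.png HTTP/1.1", False),
]

# Two toy signatures of different breadth (constructed, not vendor rules).
SIGNATURES = {
    # Broad: a quote, a SQL comment, or the words OR/SELECT anywhere.
    # Catches more attack variants but also plain English text.
    "broad": re.compile(r"('|--|\b(or|select)\b)", re.IGNORECASE),
    # Narrow: only the classic "' OR 1=1" tautology.
    "narrow": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
}


def classify(alerted, is_attack):
    """Map one verdict to TP / FP / TN / FN.

    Positive/Negative = an alert was raised or not.
    True/False        = that decision was right or wrong.
    """
    if alerted:
        return "TP" if is_attack else "FP"
    return "FN" if is_attack else "TN"


def evaluate(signature, traffic):
    """Run one signature over labelled traffic and count the four outcomes."""
    counts = Counter({"TP": 0, "FP": 0, "TN": 0, "FN": 0})
    for payload, is_attack in traffic:
        alerted = signature.search(payload) is not None
        counts[classify(alerted, is_attack)] += 1
    return dict(counts)


def rates(counts):
    """Derive the usual metrics from the four counts.

    detection_rate (recall) drops with every false negative,
    precision drops with every false positive, and
    false_positive_rate is the share of benign traffic that would be
    blocked if the signature were set to drop instead of alert.
    """
    tp, fp, tn, fn = (counts[k] for k in ("TP", "FP", "TN", "FN"))
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    for name, sig in SIGNATURES.items():
        counts = evaluate(sig, SAMPLE_TRAFFIC)
        print(f"{name:>6}: {counts} -> {rates(counts)}")
```

On this sample the broad signature scores TP=3 FP=2 TN=2 FN=0 (detection rate 1.0, false-positive rate 0.5), and the narrow one TP=1 FP=0 TN=4 FN=2 (detection rate 0.33, false-positive rate 0.0). Neither reaches the dream state; moving between them trades one kind of False for the other.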

ToD # Most of the alerts is an alert to cause an alert for the admin to be alert :-)
~ @Sorabhk5