The overall purpose of intrusion detection systems is to trigger alarms when a given packet or sequence of packets seems to represent suspicious activity that violates the defined network security policy. Although alarms are essential, it is critical for network security personnel to configure the IDS to minimize the occurrence of false negative and false positive alarms. There are a number of terms you should be familiar with when discussing host- or network-based IDSs:
■ False positive alarm—False positives (benign triggers) occur when the IDS reports certain benign activity as malicious, requiring human intervention to diagnose the event.
■ False negative alarm—A false negative alarm can occur when the IDS sensor does not detect and report a malicious activity, but the system allows it to pass as nonintrusive behavior. Because this can be catastrophic for network operation, minimizing false negatives is the highest priority.
■ True positive alarm—This is the opposite of a false negative. In this case an alarm has been correctly sent in response to malicious activity. These alarms cause the most concern for a network administrator.
■ True negative alarm—A true negative is not an actual alarm but rather a situation in which the IDS in place does not trigger an alarm for activity permitted within a network.
Was this article helpful?