This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.
CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers in regards to the CCIE R&S track!! Note: answers are in the comment field or within "Read More" section.

You can also follow me on twitter @FE80CC1E

Sunday, March 24, 2013

IDP - FN, TN, TP, FP

I have talked with a few security administrators that seem to struggle with the understanding of FN, TN, FP, TP. I have decided to try to create a simple method to remember.

True/False = This either CORRECTLY or INCORRECTLY identifies an attack
Positive/Negative = This performs and event that takes an ACTION or is ACTION-LESS

True Positive (TP) - A legitimate attack (CORRECTLY) which triggers an IDP to produce and alarm/alert or mitigate the risk (ACTION)

False Positive (FP) - An IDP believes there is an attack taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION).This can cause disrupt legitimate traffic and flood your IDP with alerts drowning real alerts that may be taking place. Some traffic that may cause false positives include:

  • Legitimate applications that do not follow RFC's 
  • Legitimate traffic in one part of an organization that may not follow normal behaviors in another part of the organization causing alerts. 
  • Signatures that we written poorly and identify both legitimate and illegitimate traffic. 

False Negative (FN) - There is an attack that has NOT been identified (INCORRECTLY) and no alarm/alert/mitigation was raised (ACTION-LESS). This causes a false sense of security. This can be caused for a variety of reason which may include:

  • Signatures miss variations or poorly written
  • Obfuscation of an attack on the fly -zero day
  • Overloaded IDP 

True Negative - (TN) No attack has taken place (CORRECTLY) and no alarm raised (ACTION-LESS).

0 comments:

Post a Comment