True/False = whether the IDP CORRECTLY or INCORRECTLY identifies an attack
Positive/Negative = whether the IDP takes an ACTION (alert or mitigation) or is ACTION-LESS
True Positive (TP) - A legitimate attack (CORRECTLY) triggers the IDP to produce an alarm/alert or mitigate the risk (ACTION).
False Positive (FP) - The IDP believes an attack is taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION). This can disrupt legitimate traffic and flood your IDP with alerts, drowning out the real alerts that may be taking place. Traffic that may cause false positives includes:
- Legitimate applications that do not follow RFCs
- Legitimate traffic in one part of an organization that does not follow the normal behavior of another part of the organization, causing alerts.
- Signatures that were written poorly and match both legitimate and illegitimate traffic.
False Negative (FN) - An attack has taken place but has NOT been identified (INCORRECTLY), and no alarm/alert/mitigation was raised (ACTION-LESS). This creates a false sense of security. It can be caused by a variety of reasons, which may include:
- Signatures that miss variations of an attack or are poorly written
- On-the-fly obfuscation of an attack, or a zero-day
- Overloaded IDP
True Negative (TN) - No attack has taken place (CORRECTLY) and no alarm is raised (ACTION-LESS).
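The four outcomes above worked through on constructed sample traffic, as an added example rather than code from the original post: a poorly written signature beside a tighter one, each request classified as TP/FP/FN/TN, then precision, detection rate and false positive rate derived from the tallies. The request lines, their ground-truth labels and both signatures are assumptions of the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample request lines with ground-truth labels
# (True = attack, False = legitimate). Not real traffic.
SAMPLE_TRAFFIC = [
    ("/search?q=o'reilly+books", False),
    ("/docs/SELECT-statement-guide.html", False),
    ("/about", False),
    ("/login?user=admin'+OR+'1'='1", True),
    ("/items?id=1+UNION+SELECT+password+FROM+users", True),
    ("/items?id=1+union/**/select+password+from+users", True),
    ("/download?file=../../etc/passwd", True),
]

def naive_signature(request: str) -> bool:
    # Poorly written: case-sensitive substrings that also match harmless
    # documentation paths and apostrophes in ordinary search terms.
    return "SELECT" in request or "'" in request

SQLI_PATTERN = re.compile(
    r"union(?:\s|/\*.*?\*/)+select"  # UNION SELECT with spaces or inline comments between
    r"|'\s*or\s*'",                  # quoted boolean tautology fragment
    re.IGNORECASE,
)

def tighter_signature(request: str) -> bool:
    # Case-insensitive and tolerant of comment spacing, but it only covers
    # SQL injection, so other attack classes still produce false negatives.
    return bool(SQLI_PATTERN.search(request))

def classify(alerted: bool, is_attack: bool) -> str:
    # Map (IDP action, ground truth) onto the four outcomes from the post.
    return {(True, True): "TP", (True, False): "FP",
            (False, True): "FN", (False, False): "TN"}[(alerted, is_attack)]

def evaluate(signature, traffic) -> Counter:
    # Decode URL encoding once so '+' and %xx do not hide the payload,
    # then tally the outcome of every request.
    return Counter(classify(signature(unquote_plus(req)), is_attack)
                   for req, is_attack in traffic)

def rates(counts: Counter) -> dict:
    tp, fp, fn, tn = (counts[k] for k in ("TP", "FP", "FN", "TN"))
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,       # alerts that were real
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,  # attacks that were caught
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }
```

`evaluate(naive_signature, SAMPLE_TRAFFIC)` gives TP=2, FP=2, FN=2, TN=1; the tighter signature gives TP=3, FP=0, FN=1, TN=3, with the remaining false negative being the path traversal request that neither signature covers.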