It is often confusing how an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) detects malicious traffic in the network and why its results are classified as true positive, true negative, false positive and false negative alerts.
There are FOUR types of IDS/IPS events: TWO are expected and the other TWO are not expected:
- True Positive
- True Negative
- False Positive
- False Negative
Example: understanding TRUE / FALSE with binary values
Let's try to understand all four types of IDS/IPS traffic events. To keep it simple, let's assume:
Traffic is predicted as:
- "Positive" means malicious traffic, denoted by "1"
- "Negative" means normal traffic, denoted by "0"
The real / actual result, i.e. whether the prediction turned out to be right after analysis, is TRUE / FALSE:
- TRUE denoted by "1"
- FALSE denoted by "0"
Mapping the predicted event and the real result to 1 and 0 gives a pair [result = prediction]. Let's understand it with the example below:
- Expected result – GOOD RESULT
  - True Positive [1 = 1] –> malicious traffic, attack TRUE, alert generated!
  - True Negative [1 = 0] –> no malicious traffic and no alert
- Unexpected result – BAD RESULT
  - False Positive [0 = 1] –> no malicious traffic, but a false alert generated
  - False Negative [0 = 0] –> malicious traffic, attack TRUE, but no alert generated!
The goal of an IDS/IPS is to produce only TRUE POSITIVEs and TRUE NEGATIVEs, but most IDS/IPS products produce FALSE POSITIVEs and FALSE NEGATIVEs as well.
Expected IDS/IPS results [GOOD result]
An IDS/IPS is designed to produce the following TWO results, which are considered good results; anything other than these is considered a BAD result and is not acceptable.
TRUE POSITIVE [1 = 1]: the IDS/IPS software/device predicts the network traffic as "Malicious Traffic (1)", and post-analysis shows this prediction is TRUE (1): an attack really was happening. The IDS/IPS generates an attack alert.
Summary: traffic predicted as malicious (1) arrives, and post-analysis confirms the prediction as TRUE (1). Formula: [1 = 1: attack is happening (TRUE)]
TRUE NEGATIVE [1 = 0]: the IDS/IPS software/device predicts the network traffic as "Normal Traffic (0)", and post-analysis shows this prediction is TRUE (1): the traffic really was normal. The IDS/IPS generates no alert.
Summary: traffic predicted as normal (0) arrives, and post-analysis confirms the prediction as TRUE (1). Formula: [1 = 0: no attack is happening (FALSE)]
Unexpected IDS/IPS results [BAD result]
An IDS/IPS is not designed to produce the following TWO results; they are considered BAD, unexpected and unwanted results that waste resources and are dangerous for any organization.
FALSE POSITIVE [0 = 1]: the IDS/IPS software/device predicts the network traffic as "Malicious Traffic (1)", and post-analysis shows this prediction is FALSE (0): it was normal traffic but was detected as an attack. The IDS/IPS generates a false attack alert.
Summary: traffic predicted as malicious (1) arrives, and post-analysis shows the prediction was FALSE (0). Formula: [0 = 1: attack is not happening (FALSE) but detected as an attack]
Impact: wasted time and resources, as the SOC team spends time investigating non-malicious events.
FALSE NEGATIVE [0 = 0]: the IDS/IPS software/device predicts the network traffic as "Normal Traffic (0)", and post-analysis shows this prediction is FALSE (0): the traffic was actually malicious. The IDS/IPS generates no alert.
Summary: traffic predicted as normal (0) arrives, and post-analysis shows the prediction was FALSE (0). Formula: [0 = 0: attack is happening but not detected as an attack]
Impact: this is arguably the worst-case and most dangerous scenario, as the IDS/IPS has failed to either detect or prevent actual malicious traffic / an actual attack.
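As an added example (not part of the original post), the following Python maps each (predicted, actual) pair to one of the four outcomes using the post's 1/0 convention, tallies a constructed batch of sensor events, and goes one step beyond the post by deriving two rates that quantify the two impacts described above: the share of alerts that were real attacks (false-positive cost) and the share of attacks that raised an alert (false-negative risk). The sample events and the function names are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Predicted class: 1 = "Positive" (flagged malicious, alert raised), 0 = "Negative" (no alert).
# Actual class from post-analysis: 1 = traffic really was malicious, 0 = traffic really was normal.
OUTCOMES = {
    (1, 1): "True Positive",   # alert raised, attack was real        -> good result
    (0, 0): "True Negative",   # no alert, traffic really was normal  -> good result
    (1, 0): "False Positive",  # alert raised, traffic was normal     -> wasted SOC time
    (0, 1): "False Negative",  # no alert, attack was real            -> missed attack
}

def classify(predicted: int, actual: int) -> str:
    """Name the outcome: True/False = was the prediction right, Positive/Negative = predicted class."""
    if predicted not in (0, 1) or actual not in (0, 1):
        raise ValueError("predicted and actual must be 0 or 1")
    return OUTCOMES[(predicted, actual)]

def tally(events: List[Tuple[int, int]]) -> Dict[str, int]:
    """Count how many events fall into each of the four outcomes."""
    counts = {name: 0 for name in OUTCOMES.values()}
    for predicted, actual in events:
        counts[classify(predicted, actual)] += 1
    return counts

def alert_precision(counts: Dict[str, int]) -> float:
    """Share of raised alerts that were real attacks: TP / (TP + FP).
    A low value means the SOC is burning time on false alerts; 0.0 if no alerts were raised."""
    alerts = counts["True Positive"] + counts["False Positive"]
    return counts["True Positive"] / alerts if alerts else 0.0

def detection_rate(counts: Dict[str, int]) -> float:
    """Share of real attacks that raised an alert: TP / (TP + FN).
    Every missed attack (FN) lowers this; 0.0 if no attacks occurred."""
    attacks = counts["True Positive"] + counts["False Negative"]
    return counts["True Positive"] / attacks if attacks else 0.0

# Constructed sample of ten (predicted, actual) pairs from a hypothetical sensor, not real measurements.
SAMPLE_EVENTS = [
    (1, 1), (1, 1), (1, 1),          # three alerts confirmed as attacks
    (0, 0), (0, 0), (0, 0), (0, 0),  # four normal flows, correctly left alone
    (1, 0), (1, 0),                  # two alerts on benign traffic
    (0, 1),                          # one attack that raised no alert
]

if __name__ == "__main__":
    c = tally(SAMPLE_EVENTS)
    print(c, f"alert precision={alert_precision(c):.2f} detection rate={detection_rate(c):.2f}")
```

On the constructed sample this yields 3 TP, 4 TN, 2 FP and 1 FN, an alert precision of 0.60 and a detection rate of 0.75.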
Hopefully the concept of how an IDS/IPS detects malicious traffic and generates alerts, i.e. True Positive, True Negative, False Positive and False Negative, is now clear to all!
Thanks for being with HyperHCI Tech Blog; stay tuned and keep learning till your last breath!