Intrusion Detection FAQ: Why does my intrusion-detection system generate false alarms / no alarms?

Well, first of all it's extremely difficult to detect intrusions. We are only seeing the first generation of commercial tools, and they are limited in scope. However, it is clear that today's tool either generate lots of false positives (i.e. signaling attack when there is none) or miss attacks. Even tools based on attack signatures generate a large number of false alarms, in the most unexpected cases.

One of the most obvious reasons why false alarms occur is because tools are stateless. To detect an intrusion, simple pattern matching of signatures is often insufficient. However, that's what most tools do. Then, if the signature is not carefully designed, there will be lots of matches. For example, tools detect attacks in sendmail by looking for the words "DEBUG" or "WIZARD" as the first word of a line. If this is in the body of the message, it's in fact innocuous, but if the tool doesn't differentiate between the header and the body of the mail, then a false alarm is generated.

Another example deals with http requests for bad scripts. One would actually like to know whether the request was successful or not, because it's a very different story to react to. In the second case, it is a minor annoyance, in the first a dangerous security breach. Since tools do not have the notion of session, creating such a signature is quite difficult.

In the false positive realm, tools cannot cope with the amount of data to be analyzed. Keep in mind that 99.99% of the data analyzed is for nothing, and that for each of these pieces of data, all attack tests have to be performed! Therefore, accuracy is often traded for speed. Also, there are many ways to detect an attack, and sometimes attackers come quickly with new methods that bypass the detection mechanism.

Finally, there are many events happening in the course of the normal life of any system or network that can be mistaken for attacks. A lot of sysadmin activity can be catalogued as anomalous. Therefore, a clear correlation between attack data and administrative data should be established to cross-check that everything happening on a system is actually desired.

Herve Debar
IBM Zurich Research Laboratory