5 Days Left to Save $400 on SANS Security East 2015, New Orleans

What is a false negative?

< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >

False negatives are any alert that should have happened but didn't.

There are a number of reasons for false negatives including:

  1. In a signature based system there will be a period where new attacks are not recognized.
  2. Many attackers will frequently change their attack just enough to evade current signatures. Many attack toolkits include the ability to obfuscate the attack on the fly.
  3. Similarly, in a signature based system a rule can be written so tightly that it will only catch a subset of an attack vector. For example, a rule may catch Attack Tool A but not Attack Tool B even though both tools exploit the same vulnerability.
  4. In an environment relying on anomaly detection or a host based intrusion detection system (HIDS) relying on file changes, the assumption must be that at the time of training the network or system was not compromised. If this is not true there will be false negatives for any already exploited conditions.
  5. An overloaded IDS will drop packets potentially causing false negatives.

False negative create two problems. First, there are missed attacks that will not be mitigated. Second, and probably more important, false negatives give a false sense of security.

Daniel Owen
www.danielowen.com

< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >