Security Training
Security Certification
Cyber Security Graduate School
Internet Storm Center
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software SecurityWhat is a false negative?
False negatives are any alert that should have happened but didn't.
There are a number of reasons for false negatives including:
- In a signature based system there will be a period where new attacks are not recognized.
- Many attackers will frequently change their attack just enough to evade current signatures. Many attack toolkits include the ability to obfuscate the attack on the fly.
- Similarly, in a signature based system a rule can be written so tightly that it will only catch a subset of an attack vector. For example, a rule may catch Attack Tool A but not Attack Tool B even though both tools exploit the same vulnerability.
- In an environment relying on anomaly detection or a host based intrusion detection system (HIDS) relying on file changes, the assumption must be that at the time of training the network or system was not compromised. If this is not true there will be false negatives for any already exploited conditions.
- An overloaded IDS will drop packets potentially causing false negatives.
False negative create two problems. First, there are missed attacks that will not be mitigated. Second, and probably more important, false negatives give a false sense of security.
Daniel Owen
www.danielowen.com
Check Them Out!
SANS and their instructors bring "real-world" experience to the InfoSec Industry. It is really nice to receive useful training without the vendor spin.
-Marc Dolce, Core Business Technology Solutions
