Intrusion Prevention and Active Response: Deploying Network and Host IPS

This chapter discusses a pervasive two-pronged problem that plagues nearly all intrusion detection systems (IDS): false positives and false negatives. It shows that this problem can become greatly magnified, in terms of the damage it can cause, in the realm of intrusion prevention systems (IPS). A false positive in the context of an IDS is defined as the inappropriate generation of an event or alert in response to the misidentification of an attempted intrusion or attack. Note that the concept of a false positive applies equally to both Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS). A false negative is defined as the lack of an event or alert being generated when a legitimate intrusion or attack is actually taking place in the monitored medium. Again, the concept of a false negative applies equally to both NIDS and HIDS. Unfortunately, false positives and false negatives are generated by nearly all IDS, even those that have been laboriously tuned for the specific networks or hosts on which they are deployed.
False positives not only create needless work for the security administrator, but they can render an IDS useless if the amount of data is too great. For a large network, it is possible for an IDS to create 1 million events in a single day. Buried within this mountain of data could be real alerts for real attacks or successful compromises, but with so much data, how can these particular events (which represent the reason...
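The following is an added example, not code from the chapter: a constructed set of four hand-labelled requests is scored by an untuned signature, and the same false positive that costs an analyst one triage in IDS mode blocks a legitimate client outright in IPS mode, while a URL-encoded request slips past as a false negative until a normalization step is added. The addresses, request lines, and function names are invented for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass(frozen=True)
class Event:
    src: str         # client address (constructed)
    payload: str     # request line as seen on the wire
    malicious: bool  # ground truth, known only because this sample is constructed

# Constructed sample traffic, labelled by hand; not taken from the chapter.
EVENTS = [
    Event("10.0.0.5", "GET /index.html", False),
    Event("10.0.0.7", "GET /../../etc/passwd", True),                  # obvious attack
    Event("10.0.0.9", "GET /wiki/Editing_/etc/passwd_safely", False),  # benign wiki page
    Event("10.0.0.11", "GET /..%2f..%2fetc%2fpasswd", True),           # URL-encoded attack
]

def naive_signature(ev):
    """Untuned rule: fires on the literal string anywhere in the request."""
    return "/etc/passwd" in ev.payload

def normalized_signature(ev):
    """Same rule after URL-decoding, so encoding alone no longer causes a false negative."""
    return "/etc/passwd" in unquote(ev.payload)

def confusion(events, detector):
    """Count TP/FP/TN/FN of a detector against the ground-truth labels."""
    counts = Counter()
    for ev in events:
        fired = detector(ev)
        key = ("tp" if ev.malicious else "fp") if fired else ("fn" if ev.malicious else "tn")
        counts[key] += 1
    return {k: counts[k] for k in ("tp", "fp", "tn", "fn")}

def ids_cost(events, detector):
    """IDS mode: a false positive is one more alert the analyst must triage."""
    c = confusion(events, detector)
    return {"alerts_to_triage": c["tp"] + c["fp"], "attacks_missed": c["fn"]}

def ips_cost(events, detector):
    """IPS mode: the same false positive blocks a legitimate client outright."""
    return {
        "blocked_legitimate": [ev.src for ev in events if detector(ev) and not ev.malicious],
        "attacks_let_through": [ev.src for ev in events if ev.malicious and not detector(ev)],
    }

if __name__ == "__main__":
    for name, det in (("naive", naive_signature), ("normalized", normalized_signature)):
        print(name, confusion(EVENTS, det), ids_cost(EVENTS, det), ips_cost(EVENTS, det))
```

Normalization removes the false negative but leaves the false positive in place, which is why the chapter's point about IPS damage still applies after tuning.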