IDS Accuracy

Accuracy in reporting is a critical issue for intrusion detection systems. Accuracy errors fall into two categories: false positives and false negatives. A false positive occurs when an activity is reported as an attack when in reality it is not one. A false negative occurs when an attack takes place without being reported. As far as the degree of risk goes, a false negative is more dangerous than a false positive. An IDS that fails to report even a single attack can be entirely ineffective because, at times, all it takes is one attack to cause the maximum amount of damage. False positives are often more annoying than dangerous; the degree of danger lies in the response to them. On one occasion, our network intrusion detection system was sending a huge number of alerts when we were downloading exploit code from a public exploit archive! The IDS thought that the archive site was launching every piece of shellcode against our systems. The problem was fixed easily enough. At the other extreme, we have encountered system administrators who simply turn off the IDS when large numbers of false positives are reported, potentially leading to disaster!

There is no perfect IDS that has zero false positive and false negative rates. When it comes to defeating an IDS, a Web hacker can either sufficiently disguise the attacks so that they pass unnoticed or flood the IDS logs with hundreds of false positives that can be easily generated by automated attack tools.
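The two error types above, worked through as an added example that is not code from the book: a toy signature matcher is scored against a small constructed set of labelled HTTP flows. The archive-download anecdote shows up as a false positive (shellcode in a server response matches the rule), a URL-encoded request shows up as a false negative, and an improved detector that inspects only inbound client-to-server data and normalises it before matching clears both. The signatures, flow layout and labels are all assumptions made for the illustration.

```python
# Added example: a toy signature IDS scored against constructed, labelled flows.
# Shows one false positive (benign download of exploit code from an archive,
# server -> client, matches a shellcode signature) and one false negative
# (attack disguised by URL-encoding), then an improved detector that fixes both.
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

NOP_SLED = b"\x90" * 4          # classic shellcode signature (assumed rule)
SHELL_PATH = b"/bin/sh"         # command-injection signature (assumed rule)

@dataclass
class Flow:
    direction: str               # "c2s" client -> server, "s2c" server -> client
    payload: bytes
    is_attack: bool              # ground-truth label (constructed)

# Constructed traffic: two attacks, one benign exploit-archive download, noise.
FLOWS = [
    Flow("c2s", b"GET /cgi-bin/x?a=" + b"\x90" * 8 + b"\xcc HTTP/1.0\r\n", True),
    Flow("c2s", b"GET /cgi-bin/x?cmd=%2Fbin%2Fsh HTTP/1.0\r\n", True),   # disguised
    Flow("s2c", b"HTTP/1.0 200 OK\r\n\r\nchar sc[] = \"" + NOP_SLED + b"\";", False),
    Flow("s2c", b"HTTP/1.0 200 OK\r\n\r\n<html>exploit archive</html>", False),
    Flow("c2s", b"GET /index.html HTTP/1.0\r\n", False),
]

def naive_match(flow):
    """Inspect raw bytes of every flow, in both directions."""
    return NOP_SLED in flow.payload or SHELL_PATH in flow.payload

def improved_match(flow):
    """Server-side exploit signatures only apply to inbound requests, and the
    request must be URL-decoded before it is compared against them."""
    if flow.direction != "c2s":
        return False
    data = unquote_to_bytes(flow.payload)
    return NOP_SLED in data or SHELL_PATH in data

def score(detector, flows):
    """Return (true positives, false positives, false negatives)."""
    tp = sum(1 for f in flows if detector(f) and f.is_attack)
    fp = sum(1 for f in flows if detector(f) and not f.is_attack)
    fn = sum(1 for f in flows if not detector(f) and f.is_attack)
    return tp, fp, fn

if __name__ == "__main__":
    print("naive    (tp, fp, fn):", score(naive_match, FLOWS))
    print("improved (tp, fp, fn):", score(improved_match, FLOWS))
```

The direction check is only valid for signatures of server-side exploits; rules for client-side exploits must still look at server responses.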

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156
