IDS mailing list archives

RE: False Positives with IntruVert


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 15 Apr 2003 15:23:15 -0700

Samuel makes a good point, though I think there's another dimension
that needs to be caught-
What differentiates a false positive from something that simply has
very low value?

For instance, Snort has (had? Brian Caswell's been cleaning the rules
a lot recently) a rule that looks just for URLs that start with HEAD
instead of GET. This is done because it is one of the techniques that
Whisker uses to avoid being seen. The result if you turn this on is
a lot of false positives (events that contain the string but aren't
important) but also the potential to actually catch scans
that are novel in every other way. The problem is that the value of
the alert by itself is very very low but not zero. So, how do you score
this?

toby

-----Original Message-----
From: Michael Rash [mailto:mbr () cipherdyne com]
Sent: Monday, April 14, 2003 9:02 PM
To: Cure, Samuel J
Cc: 'focus-ids () securityfocus com'
Subject: Re: False Positives with IntruVert


On Mar 28, 2003, Cure, Samuel J wrote:

While it seems that many IDS/IPS reviewers rank and measure finding attacks
high, it would seem equally if not more important to rank false positives
high, especially in Prevention mode. Are there any reviewers that have
compared the false positives and false alarms of all the IDS/IPS products?
Has anyone here compared false positives of IntruVert, Snort, Cisco,
RealSecure, etc?

You might be interested in the paper "The Base-Rate Fallacy and its
Implications for the Difficulty of Intrusion Detection" by Stefan
Axelsson:

http://citeseer.nj.nec.com/cache/papers/cs/13832/http:zSzzSzwww.ce.chalmers.sezSzstaffzSzsaxzSzdifficulty.pdf/axelsson99baserate.pdf

It is heavy on the math side of things, but this is good since it
begins to put questions about false positives on a rigorous footing.
(The paper does not answer your specific question above, but it does
provide an interesting perspective on false positives in general).

--Mike

Michael Rash
http://www.cipherdyne.com
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
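The two points raised in this thread, Toby's "HEAD instead of GET" Snort rule that fires on plenty of harmless traffic yet still catches the odd scanner, and the base-rate calculation Mike points to in Axelsson's paper, can be put together in a few lines. The following is an added example written for this archive page, not code posted by either author and not a Snort rule: it runs a minimal "alert on any HEAD request" rule over a handful of constructed request lines, estimates the rule's detection and false-alarm rates from those labels, and then feeds them through Bayes' theorem with an assumed base rate of scanner traffic. The sample requests, their scanner/benign labels and the base rate are all constructed assumptions chosen to illustrate the effect, not measurements.

```python
"""
Added example for the focus-ids thread above (not the authors' code).
Part 1: a 'HEAD request' rule of the kind Toby describes, run over constructed
        HTTP request lines.
Part 2: Axelsson's base-rate calculation applied to the rates that come out.
All sample data below is constructed for illustration.
"""
import re

# Constructed sample of request lines: (raw request line, is_scanner).
# The is_scanner labels are assumptions for the demonstration, not observed data.
SAMPLE_REQUESTS = [
    ("GET /index.html HTTP/1.0", False),
    ("HEAD /index.html HTTP/1.0", False),        # benign link checker
    ("GET /images/logo.gif HTTP/1.0", False),
    ("HEAD /cgi-bin/phf HTTP/1.0", True),        # scanner using HEAD to stay quiet
    ("HEAD /robots.txt HTTP/1.0", False),        # benign crawler
    ("GET /cgi-bin/test-cgi HTTP/1.0", True),    # scanner that used GET: this rule misses it
    ("POST /login HTTP/1.0", False),
]

# The whole rule: the request method is HEAD. Nothing else is inspected,
# which is exactly why it fires on benign HEAD traffic as well.
HEAD_RULE = re.compile(r"^HEAD\s")


def rule_matches(request_line: str) -> bool:
    """True when the 'alert on any HEAD request' rule would fire."""
    return bool(HEAD_RULE.match(request_line))


def confusion(samples):
    """Return (tp, fp, fn, tn) for the HEAD rule over labelled samples."""
    tp = fp = fn = tn = 0
    for line, is_scanner in samples:
        hit = rule_matches(line)
        if hit and is_scanner:
            tp += 1
        elif hit and not is_scanner:
            fp += 1
        elif not hit and is_scanner:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def rates(samples):
    """Estimate P(A|I) (detection rate) and P(A|not I) (false-alarm rate)."""
    tp, fp, fn, tn = confusion(samples)
    return tp / (tp + fn), fp / (fp + tn)


def bayesian_detection_rate(base_rate, detection_rate, false_alarm_rate):
    """
    P(I|A): probability that an alert really is an intrusion.
    P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(not I)P(A|not I))
    This is the quantity Axelsson's base-rate argument is about.
    """
    num = base_rate * detection_rate
    den = num + (1.0 - base_rate) * false_alarm_rate
    return num / den


def demo(base_rate=1e-3):
    """Run the rule over the sample, then score a single HEAD alert."""
    det, fa = rates(SAMPLE_REQUESTS)
    # base_rate is an assumed fraction of requests that are scans, not a measurement.
    posterior = bayesian_detection_rate(base_rate, det, fa)
    print(f"confusion (tp, fp, fn, tn): {confusion(SAMPLE_REQUESTS)}")
    print(f"detection rate P(A|I) = {det:.2f}, false-alarm rate P(A|not I) = {fa:.2f}")
    print(f"with base rate {base_rate}: P(I|A) = {posterior:.5f}")
    return posterior


if __name__ == "__main__":
    demo()
```

Over the constructed sample the rule gives one true positive, two false positives, one miss and three true negatives, so P(A|I) = 0.5 and P(A|not I) = 0.4. With an assumed base rate of one scan per thousand requests, P(I|A) comes out at roughly 0.00125: low, but not zero, which is Toby's point. The false-alarm rate, not the detection rate, is what dominates that number once the base rate is small; tightening the rule (for instance matching HEAD only against paths a scanner would probe) is what raises it.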

------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
 
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - 
including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. 
 
Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids

