
How do we come up with True Positive and False Negative rates when creating signatures for an IDS? How do we measure the signatures' efficiency? I've seen so many papers that discuss this, but how do they come up with these numbers?

1 Answer


How do we measure the signatures' efficiency?

You don't want too many false positives, or your users will be impacted by being denied access to legitimate sites. On the other hand, false negatives allow attackers to bypass the filters and attack your infrastructure. So an IDS with the lowest false positive/negative rates is better than the others.

how do they come up with these numbers?

They create a list of URLs, both malicious and clean, and send it to the IDS, recording the result. This is how they get the number of false positives and negatives.

You can create the same list by checking your log files and manually labelling them as malicious or not. Check those labels against the IDS log file, and you will end up with the confusion matrix.

ThoriumBR
  • Thank you so much for your response @ThoriumBR! So, the idea is to feed Snort a pcap file that has both the good and bad traffic and output the alerts in a CSV file, right? For this, we can also convert the pcap file to CSV and can then check which ones created alerts and which didn't. – Tasneem Singh Apr 30 '19 at 16:34
  • Yes, exactly that. You can now test more than one IDS and decide if you care more about positives or negatives. – ThoriumBR Apr 30 '19 at 16:35
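The procedure the answer and the comments describe (a hand-labelled list of samples, the IDS alert log keyed to those samples, and a confusion matrix computed from the two) as a worked example. This is added code, not from the answer or from any IDS project; the two CSV snippets are constructed, the rule ids and messages are hypothetical placeholders, and the only assumption is that both files can be joined on a shared sample id (a URL id, a flow id, or a pcap frame number). It also handles the edge cases that show up in practice: a sample that fires more than one rule counts once, alerts on samples outside the labelled set are reported rather than silently counted, and rates are defined as 0 when the denominator is empty.

```python
"""Confusion matrix and TPR/FPR/FNR for an IDS signature set (added example)."""
import csv
import io
from dataclasses import dataclass

# Constructed ground truth: one row per sample, labelled by an analyst.
# Hostnames are placeholders, not real sites.
GROUND_TRUTH_CSV = """\
id,url,label
1,http://intranet.example.test/home,benign
2,http://intranet.example.test/search?q=report,benign
3,http://cdn.example.test/app.js,benign
4,http://intranet.example.test/login,benign
5,http://mail.example.test/inbox,benign
6,http://c2.bad.example.test/beacon,malicious
7,http://bad.example.test/kit/landing,malicious
8,http://bad.example.test/dropper.bin,malicious
"""

# Constructed IDS alert log (the "alerts in a CSV" from the comments): one row
# per alert, keyed by the sample id it fired on. Sample 7 fires twice, sample 2
# is a false alarm, sample 8 is missed, and id 9 is not in the labelled set.
# Rule ids and messages are hypothetical placeholders.
IDS_ALERTS_CSV = """\
id,sig_id,msg
6,9000001,HYPOTHETICAL known beacon host
7,9000002,HYPOTHETICAL exploit kit landing page
7,9000003,HYPOTHETICAL suspicious path
2,9000004,HYPOTHETICAL suspicious query string
9,9000001,HYPOTHETICAL known beacon host
"""


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # malicious sample, IDS alerted
    fp: int  # benign sample, IDS alerted (users impacted)
    tn: int  # benign sample, no alert
    fn: int  # malicious sample, no alert (attacker got through)

    @staticmethod
    def _ratio(num: int, den: int) -> float:
        # A test set with no positives (or no negatives) has no defined rate;
        # return 0.0 rather than raising ZeroDivisionError.
        return num / den if den else 0.0

    @property
    def tpr(self) -> float:  # detection rate / recall
        return self._ratio(self.tp, self.tp + self.fn)

    @property
    def fnr(self) -> float:  # miss rate, 1 - TPR
        return self._ratio(self.fn, self.tp + self.fn)

    @property
    def fpr(self) -> float:  # false alarm rate
        return self._ratio(self.fp, self.fp + self.tn)

    @property
    def precision(self) -> float:  # share of alerts worth an analyst's time
        return self._ratio(self.tp, self.tp + self.fp)


def load_labels(csv_text: str) -> dict:
    """Map sample id -> True if the analyst labelled it malicious."""
    labels = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        labels[int(row["id"])] = row["label"].strip().lower() == "malicious"
    return labels


def load_alerted_ids(csv_text: str, known_ids) -> tuple:
    """Return (ids that alerted at least once, ids not in the labelled set).

    Using sets means a sample that matched several rules is counted once;
    one sample is one decision in the confusion matrix.
    """
    alerted, unknown = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        sid = int(row["id"])
        (alerted if sid in known_ids else unknown).add(sid)
    return alerted, unknown


def confusion_matrix(labels: dict, alerted: set) -> ConfusionMatrix:
    """Compare each analyst label with whether the IDS alerted on that sample."""
    tp = fp = tn = fn = 0
    for sid, is_malicious in labels.items():
        fired = sid in alerted
        if is_malicious and fired:
            tp += 1
        elif is_malicious:
            fn += 1
        elif fired:
            fp += 1
        else:
            tn += 1
    return ConfusionMatrix(tp, fp, tn, fn)


def evaluate(truth_csv: str = GROUND_TRUTH_CSV, alerts_csv: str = IDS_ALERTS_CSV) -> tuple:
    """Full pipeline: labels + alert log -> (ConfusionMatrix, unlabelled alert ids)."""
    labels = load_labels(truth_csv)
    alerted, unknown = load_alerted_ids(alerts_csv, labels.keys())
    return confusion_matrix(labels, alerted), unknown


if __name__ == "__main__":
    cm, unknown = evaluate()
    print(f"TP={cm.tp} FP={cm.fp} TN={cm.tn} FN={cm.fn}")
    print(f"TPR={cm.tpr:.2f} FNR={cm.fnr:.2f} FPR={cm.fpr:.2f} precision={cm.precision:.2f}")
    if unknown:
        print("alerts on samples outside the labelled set (not counted):", sorted(unknown))
```

Run the same labelled set through each IDS (or each revision of a rule set) and compare the resulting TPR and FPR; the trade-off the answer describes is visible directly in which of the two rates a tightened rule moves. The unlabelled alert ids are worth printing because they usually mean the ground truth is incomplete, not that the IDS is wrong.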