How to limit false positives in IPSes

As intrusion-prevention systems (IPSes) are deployed in more corporate datacenters and at more network edges, the problem of false positives grows with them. A false positive is any alert that reports malicious activity on a system when, on closer inspection, the traffic or behavior turns out to be legitimate. Too many false positives erode the value of every alert the system produces, and the problem compounds as real attacks increase over time: analysts stop reacting (think of the boy who cried wolf), and the one genuine alert gets lost among the noise. Let's take a look at five ways to reduce false positives in IPSes.

  • Define profiles. Before deploying an IPS into production, put real effort into defining, vetting and revising the statistics that describe normal usage on your network. The single largest cause of excessive false positives is an inaccurate or incomplete baseline profile, because that profile is what the IPS compares against to decide what counts as abnormal. Measure the baseline over a period long enough to capture the network's real rhythm, including off-hours, weekends and periodic batch jobs, rather than a single quiet afternoon.

  • Carefully establish threshold alarms. During the initial testing and rollout phases, give equal attention to condition matching, thresholds and triggers, so that alerts aren't sent for minor spikes or mildly unusual activity. Think about what you really need to know and what is significant on your network as opposed to someone else's, then set threshold alarms that fire only when something you (not the vendor's default settings) consider serious occurs.


  • Consider running only in mixed or bridge mode. Many businesses choose to run in a mixed or bridge mode rather than full blocking mode, so that false positives cannot block important legitimate transmissions. Running outside of blocking mode still lets you drop the simplest, highest-confidence malicious traffic, such as known worm signatures, but otherwise the device behaves more like an intrusion-detection system (IDS) during normal operation. You can turn blocking mode back on, and with it the full IPS-specific capabilities of your product, when you need it most. The trade-off is explicit: while the device is in this mode, an attack that a well-tuned signature would have stopped is only logged, so someone must be watching the logs.

  • Change your IPS. This is the worst-case option. IPSes that defend a network on simple signature matching alone are particularly prone to false alarms. Look for an IPS that offers continuous stateful inspection, time-window-based rate thresholds (so that a connection rate that is normal at noon can still raise an alarm at 3 a.m.) and application-aware protocol modules that detect abnormal activity heuristically rather than by exact pattern.

  • Remember that context matters. Work to establish a human context around activity reports. For example, streaming audio and video with Windows Media Player is an arguably legitimate activity for your users, but Windows Media Player's protocol rollover, in which the client tries RTSP, MMS and HTTP on different ports until one works, can look to an IPS very much like a malicious port scan. Document the hosts and applications that legitimately behave this way, and make sure a person, not just the device, weighs in on any incident report you receive.
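The list above describes one procedure: measure a baseline, derive thresholds from it per time window, and layer human context on top. The script below is an added example, not code from the original article or from any IPS product. It builds a per-hour profile from constructed sample counts, compares a naive fixed threshold against a profile-based one, and skips hosts that have been documented as legitimately noisy. Every host address, rate and hour in it is made-up illustration data.

```python
"""Toy connection-rate anomaly scorer: baseline profile vs. a fixed threshold.

Added example for the article's five tips; all data below is constructed.
"""
from statistics import mean, pstdev

# Constructed baseline: connections per minute seen from one workstation on
# several normal days, keyed by hour of day. Business hours are busy, night is quiet.
BASELINE_SAMPLES = {
    9:  [180, 200, 210, 190, 205],
    10: [220, 240, 230, 250, 235],
    14: [210, 225, 215, 230, 220],
    2:  [3, 5, 2, 4, 6],
}

# Constructed observations to score: (hour_of_day, source_host, connections_per_minute).
OBSERVATIONS = [
    (10, "10.0.1.15", 245),  # ordinary mid-morning load
    (14, "10.0.1.15", 235),  # busy afternoon, still within the measured profile
    (2,  "10.0.1.15", 120),  # 02:00 and 120 conn/min: wildly abnormal for this host
    (10, "10.0.2.7",  900),  # streaming media server, heavy fan-out is its job
]

# Human context (tip 5): hosts whose heavy or scan-like patterns are known legitimate.
KNOWN_LEGITIMATE = {"10.0.2.7": "streaming media server, protocol rollover expected"}

# A limit picked without measuring the network (what tip 2 warns against).
NAIVE_THRESHOLD = 200


def build_profile(samples, k=3.0):
    """Tip 1: per-hour limit = mean + k * population stddev of the baseline."""
    profile = {}
    for hour, values in samples.items():
        mu, sigma = mean(values), pstdev(values)
        profile[hour] = (mu, sigma, mu + k * sigma)
    return profile


def naive_alerts(observations, threshold=NAIVE_THRESHOLD):
    """One fixed number for every hour and every host."""
    return [(h, host, rate) for h, host, rate in observations if rate > threshold]


def profiled_alerts(observations, profile, allowlist, floor=20):
    """Tip 2 and tip 4: per-hour thresholds plus an absolute floor for tiny spikes.

    `floor` suppresses alerts on rates too small to matter even if they exceed
    a very low night-time limit. Hours with no baseline are skipped rather than
    guessed at, since an unmeasured hour is exactly where false positives breed.
    """
    alerts = []
    for hour, host, rate in observations:
        if host in allowlist:          # tip 5: documented legitimate behaviour
            continue
        if hour not in profile:        # no baseline for this window: do not guess
            continue
        _, _, limit = profile[hour]
        if rate > limit and rate >= floor:
            alerts.append((hour, host, rate))
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE_SAMPLES)
    for hour, (mu, sigma, limit) in sorted(prof.items()):
        print(f"hour {hour:02d}: mean={mu:.1f} stddev={sigma:.1f} limit={limit:.1f}")
    print("naive alerts:   ", naive_alerts(OBSERVATIONS))
    print("profiled alerts:", profiled_alerts(OBSERVATIONS, prof, KNOWN_LEGITIMATE))
```

With these constructed numbers the fixed threshold raises three alerts, all on legitimate traffic, and misses the 02:00 spike entirely because 120 connections per minute is below 200. The per-hour profile raises exactly one alert, on that spike, because the measured night-time limit is roughly 8 per minute. The 3-sigma multiplier, the 20 per minute floor and the allowlist are the knobs a practitioner would tune during the rollout phase the article describes.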


About the author

Jonathan Hassell, a systems administrator and IT consultant in the Charlotte, N.C. area, is the author of several books, including Hardening Windows and Managing Windows Server 2003. He regularly speaks at conferences and contributes articles on Windows administration and network security.

This was first published in July 2005
