May 22, 2013

2.1.2 False Positives

False positives

“A legitimate file inadvertently detected as 'infected', 'malicious' or 'suspicious' (also known as a False Positive or a False Alarm).” (f-secure)

From mathematics to medicine, from internet security to robotics, the term "false positive" is jargon for a paradoxical condition in which a result is reported as TRUE although it is FALSE in reality. A false positive is also known as a false alarm or a false detection.

The security definition of a false positive goes like this: “The erroneous identification of a threat or dangerous condition that turns out to be harmless. E.g., false positives often occur in intrusion detection systems.” (PC MAG encyclopedia)

A false negative occurs when a security system fails to recognize an actual risk. Any time a virus gets through an anti-virus scan, it is termed a false negative. Possible reasons for a false negative include a check not yet having been written (perhaps the vulnerability is new) or user error (perhaps the wrong policy was selected, or the configuration needs tweaking).

Although the term "false positive" is used in many subsystems (e.g. scanners, application firewalls, intrusion detection and prevention systems), it implies only one thing: a false detection or a false alarm. In the security realm, anti-virus software and intrusion detection systems both suffer from this condition. When a harmless file is flagged as a virus only because it contains a string of characters that matches a string from an actual virus, a false positive is said to occur. In 2008, AVG erroneously identified the user32.dll file as a potential Trojan. This led to several BSOD (Blue Screen of Death) crashes among AVG users. In 2010, corporate editions of the McAfee security suite falsely flagged “svchost.exe”, a necessary Windows XP process, as a virus.

False positives in an intrusion detection system (IDS) reduce the performance of the system and can also have worse consequences. When a false alarm is raised against a legitimate user, an IDS false positive is said to have occurred. An IDS false negative may introduce a security risk by allowing unauthorized users access to the system.
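The definitions above are easiest to see with a concrete scorer. The following is an added example, not code from the original post: a toy substring-signature scanner run over a small constructed corpus with known ground truth, counted into a confusion matrix (true/false positives and negatives) so that the false positive rate and false negative rate can be compared for a loose signature and a tighter one. The file names, contents and signatures are all made up for illustration; a benign notes file deliberately contains the same string as the "malicious" sample, reproducing the string-match false positive described above.

```python
"""Toy signature scanner and confusion-matrix evaluation.

Added example, not from the original post. The corpus and the
signatures are constructed for illustration and are not real malware.
"""

# Constructed corpus: (file name, content, ground truth "is malicious").
# notes.txt is benign documentation that happens to mention an API name
# also present in the malicious sample, which is exactly how string-match
# false positives arise.
CORPUS = [
    ("invoice.txt", b"Please find attached the invoice for May 2013.", False),
    ("notes.txt",   b"Reminder: CreateRemoteThread is documented on MSDN.", False),
    ("helper.dll",  b"MZ LoadLibraryA GetProcAddress ordinary exports", False),
    ("dropper.bin", b"MZ CreateRemoteThread WriteProcessMemory VirtualAllocEx", True),
    ("packed.bin",  b"MZ xor-encoded stub, no readable import names", True),
]

# A short, loose signature matches more files (more FPs); a longer, more
# specific signature matches fewer (fewer FPs) but cannot catch a sample
# that hides the strings entirely (an FN either way).
LOOSE_SIGNATURES = [b"CreateRemoteThread"]
TIGHT_SIGNATURES = [b"CreateRemoteThread WriteProcessMemory"]


def scan(content, signatures):
    """Flag the content as malicious if any signature substring occurs in it."""
    return any(sig in content for sig in signatures)


def confusion(corpus, signatures):
    """Count TP/FP/TN/FN for a signature set against labelled files.

    fpr = FP / (FP + TN): share of benign files wrongly flagged.
    fnr = FN / (FN + TP): share of malicious files missed.
    """
    tp = fp = tn = fn = 0
    for _name, content, is_malicious in corpus:
        flagged = scan(content, signatures)
        if flagged and is_malicious:
            tp += 1          # true positive: real threat detected
        elif flagged and not is_malicious:
            fp += 1          # false positive: harmless file flagged
        elif not flagged and is_malicious:
            fn += 1          # false negative: threat missed
        else:
            tn += 1          # true negative: harmless file left alone
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    fnr = fn / (fn + tp) if (fn + tp) else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "fpr": fpr, "fnr": fnr}


def false_positives(corpus, signatures):
    """Names of benign files the signatures flag; this is the triage list."""
    return [name for name, content, is_malicious in corpus
            if not is_malicious and scan(content, signatures)]


if __name__ == "__main__":
    for label, sigs in (("loose", LOOSE_SIGNATURES), ("tight", TIGHT_SIGNATURES)):
        print(label, confusion(CORPUS, sigs), false_positives(CORPUS, sigs))
```

Running it shows the trade-off in miniature: the loose signature flags notes.txt (one false positive, FPR 1/3) while the tight signature flags nothing benign (FPR 0), but both miss packed.bin (FNR 1/2), the case where no check exists yet. Reducing false positives by tightening a signature therefore never addresses false negatives on its own; the two rates have to be tracked together.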

Reducing false positives
Several algorithms are used to reduce false positive errors in cyber security and intrusion detection systems. One well-known example is the Bloodhound heuristic technology used by Symantec. This technology uses a heuristic algorithm to distinguish a virus program from a harmless file more effectively.
Categories of false positive in network based IDS:
  1. Reactionary traffic alarms: Traffic from local or other networks is misinterpreted as a malicious attack. In reality, it is just another false positive error.
  2. Equipment-related alarms: Unrecognized packets generated by some network devices may cause this type of false positive error in an intrusion detection system. Load balancers are often the culprit here.
  3. Protocol violations: Software errors and bugs cause this type of false positive error. Regular software updating and debugging will resolve this type of error.
  4. True false positives: Random false positives caused by IDS software errors constitute true false positives.
  5. Non-malicious alarms: Some non-malicious occurrences are wrongly identified as threats. These are classified as non-malicious false positives.
Understanding false positives and their implications in the security arena helps a learner differentiate a bad security algorithm from a good one, and appreciate the importance of false positive heuristics in intrusion detection systems and anti-virus software.
