A properly configured Intrusion Detection and Prevention System (IDPS) is a critical part of an information security program. Choosing or building one is hard if you don't know the terminology, so here is a list of common terms that cover the basics of how an IDPS raises, classifies, and filters alerts.
Alarm/Alert: A notification that a system is under attack or just experienced an attack. Typically, an alarm is an email or message that system administrators or information security personnel receive.
Alarm Clustering/Compaction: Consolidating similar alarms that fire around the same time into one higher-level alarm in order to reduce the number of alerts an administrator has to review. Alarms can be grouped by attack target, signature, frequency, or other shared characteristics; the compacted alarm should still carry the count and the list of sources so that the underlying detail is not lost.
Confidence Value: A value assigned to an IDPS's ability to correctly detect and identify a specific kind of attack or threat, usually derived from how often past alerts of that type turned out to be real. It helps system administrators judge, when a given alert arrives, how likely it is that an actual attack is taking place: the higher the confidence value, the more likely that alert represents a real attack.
False Attack Stimulus: An event that triggers an alert even though no attack is taking place. Deliberately generated false stimuli are frequently used in testing to measure how prone a sensor is to false positives.
False Negative: When an IDPS fails to detect a real attack.
False Positive: When an IDPS sends an alert even though there was no attack or threat.
Noise: Alerts that are accurate but do not represent a serious threat to the organization, such as attacks against hosts that are not vulnerable to them or traffic from vulnerability scanners. Noise is not a false positive, since the detection was correct, but it still competes for analyst attention.
True Attack Stimulus: An event that triggers the IDPS to alert and respond as if a real attack were in progress. A known attack can be replayed as a true stimulus to test that the system actually detects it.
Tuning: Adjusting the IDPS (signatures, thresholds, allow-lists) in order to minimize false positives and false negatives. The two pull against each other: silencing a rule to cut false positives can create false negatives, so each change should be checked against the alerts it would have suppressed.
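The following is an added example, written for this glossary and not taken from any IDPS product, that puts several of the terms above into working form: alarm clustering/compaction, a per-signature confidence value derived from past analyst verdicts (true positive, false positive, or noise), and a simple tuning check. The signature names, hosts, and verdict history are constructed sample data, and the field names on Alert are an assumption rather than any real sensor's schema.

```python
"""Added example for the glossary above; not code from any IDPS product.
Demonstrates alarm clustering/compaction, a per-signature confidence value
derived from past verdicts (true positive / false positive / noise), and a
tuning check. All signature names, hosts and verdicts are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:            # field names are an assumption, not a product schema
    ts: datetime
    signature: str
    source: str
    target: str

@dataclass
class Cluster:          # one high-level alarm standing in for many alerts
    signature: str
    target: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)
    count: int = 0

def cluster_alerts(alerts, window=timedelta(minutes=5)):
    """Alarm clustering: alerts with the same signature and target arriving
    within `window` of the cluster's last alert merge into one Cluster; a
    longer gap opens a new cluster for that signature/target."""
    clusters, open_idx = [], {}   # open_idx: (signature, target) -> index
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.target)
        idx = open_idx.get(key)
        if idx is not None and a.ts - clusters[idx].last_seen <= window:
            c = clusters[idx]
            c.last_seen, c.count = a.ts, c.count + 1
            c.sources.add(a.source)
        else:
            clusters.append(Cluster(a.signature, a.target, a.ts, a.ts, {a.source}, 1))
            open_idx[key] = len(clusters) - 1
    return clusters

def signature_stats(history):
    """history: (signature, verdict) pairs from past investigations; verdict is
    'true_positive' (real attack), 'false_positive' (no attack) or 'noise'
    (accurate detection of something harmless, e.g. a blocked scan).
    Returns {signature: (real_attacks, total_alerts)}."""
    stats = defaultdict(lambda: [0, 0])
    for sig, verdict in history:
        stats[sig][1] += 1
        if verdict == "true_positive":
            stats[sig][0] += 1
    return {sig: tuple(v) for sig, v in stats.items()}

def confidence_values(history):
    """Confidence value per signature: share of its past alerts that were real
    attacks. Noise counts against it: accurate, but it needed no response."""
    return {s: hits / total for s, (hits, total) in signature_stats(history).items()}

def triage(clusters, confidence, page_threshold=0.5):
    """Route clusters by the confidence value of their signature. Signatures
    with no history yet are paged so an analyst can establish one."""
    routed = []
    for c in clusters:
        conf = confidence.get(c.signature)
        action = "page" if conf is None or conf >= page_threshold else "queue"
        routed.append((c.signature, c.target, c.count, conf, action))
    return routed

def tuning_candidates(history, min_alerts=5, max_confidence=0.1):
    """Tuning: signatures that fire often but almost never mean a real attack.
    Review each (threshold, allow-list, disable) instead of silencing it
    blindly, or the fix for false positives becomes a false negative."""
    return sorted(s for s, (hits, total) in signature_stats(history).items()
                  if total >= min_alerts and hits / total <= max_confidence)

# Constructed sample data (documentation IP ranges, invented signature names).
_T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_ALERTS = [Alert(_T0 + timedelta(seconds=s), sig, src, dst) for s, sig, src, dst in [
    (0,    "SCAN-PORTSWEEP", "203.0.113.5",  "10.0.0.10"),
    (30,   "SCAN-PORTSWEEP", "203.0.113.5",  "10.0.0.10"),
    (40,   "SCAN-PORTSWEEP", "203.0.113.5",  "10.0.0.11"),   # different target
    (90,   "SCAN-PORTSWEEP", "203.0.113.5",  "10.0.0.10"),
    (200,  "SCAN-PORTSWEEP", "203.0.113.5",  "10.0.0.10"),
    (300,  "WEB-SQLI-UNION", "198.51.100.7", "10.0.0.20"),
    (310,  "WEB-SQLI-UNION", "198.51.100.7", "10.0.0.20"),
    (1400, "SCAN-PORTSWEEP", "203.0.113.5",  "10.0.0.10"),   # gap > 5 min: new cluster
]]
SAMPLE_HISTORY = ([("WEB-SQLI-UNION", "true_positive")] * 3 + [("WEB-SQLI-UNION", "false_positive")]
                  + [("SCAN-PORTSWEEP", "noise")] * 4 + [("SCAN-PORTSWEEP", "true_positive")]
                  + [("SSH-BRUTE", "false_positive")] * 5)

if __name__ == "__main__":
    conf = confidence_values(SAMPLE_HISTORY)
    for sig, target, n, c, action in triage(cluster_alerts(SAMPLE_ALERTS), conf):
        print(f"{action:5} {sig:15} -> {target:10} x{n:<2} confidence={c}")
    print("tuning candidates:", tuning_candidates(SAMPLE_HISTORY))
```

On the sample data, the five port-sweep alerts against 10.0.0.10 compact into one alarm of four events plus a second alarm for the late event that falls outside the five-minute window, the single alert against 10.0.0.11 stays separate because clustering is keyed on target, and the two SQL-injection alerts form one alarm. The confidence values come out at 0.75 for the SQL-injection signature and 0.2 for the port sweep, so only the SQL-injection cluster is paged. SSH-BRUTE, with five alerts and no confirmed attack, is the one tuning candidate; whether to raise its threshold or disable it is still a human decision, since disabling it outright trades false positives for false negatives.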
Visit our blog archives for more IT and cyber related articles.