ISC Exam Questions

Why would anomaly detection IDSs often generate a large number of false positives?

A.
Because they can only correctly identify attacks they already know about.

B.
Because they are application-based and are more subject to attacks.

C.
Because they can't identify abnormal behavior.

D.
Because normal patterns of user and system behavior can vary wildly.

Explanation:
One of the most obvious reasons why false alarms occur is that the tools are stateless. Simple pattern matching of signatures is often insufficient to detect an intrusion; however, that is what most tools do, and if a signature is not carefully designed it will produce a large number of matches. For example, tools detect attacks on sendmail by looking for the words "DEBUG" or "WIZARD" as the first word of a line. If such a word appears in the body of a message it is in fact innocuous, but if the tool does not differentiate between the header and the body of the mail, a false alarm is generated. Finally, many events that occur in the normal life of any system or network can be mistaken for attacks. A great deal of sysadmin activity can be catalogued as anomalous, so a clear correlation between attack data and administrative data should be established to cross-check that everything happening on a system is actually desired. Normal patterns and user activities are routinely confused with attacks by IDS devices; it is expected that second-generation IDS systems will reduce the percentage of false positives.
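The following Python example, added here and not part of the original question or explanation, shows the sendmail case above: a stateless signature that flags any line beginning with "DEBUG" or "WIZARD" fires on harmless body text, while a matcher that first separates the mail header from the body does not. The message, the signature regex and all function names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample message (not from the original page): "DEBUG" and "WIZARD"
# each start a line in the body, which is harmless text.
SAMPLE_MAIL = """From: alice@example.test
To: bob@example.test
Subject: build notes

DEBUG output from last night's run is attached.
WIZARD is the name of the new test suite.
"""

# Signature as described in the explanation: the word as the first word of a line.
SIGNATURE = re.compile(r"^(DEBUG|WIZARD)\b")


def stateless_matches(message: str) -> List[str]:
    """Naive, stateless matcher: flags every line that starts with DEBUG or
    WIZARD, with no idea whether the line belongs to the header or the body."""
    return [line for line in message.splitlines() if SIGNATURE.match(line)]


def split_message(message: str) -> Tuple[List[str], List[str]]:
    """Split an RFC 822-style message into header lines and body lines.
    The header section ends at the first empty line."""
    lines = message.splitlines()
    if "" in lines:
        idx = lines.index("")
        return lines[:idx], lines[idx + 1:]
    return lines, []


def header_aware_matches(message: str) -> List[str]:
    """Context-aware matcher: only the header section is examined, so the same
    words inside the body of the mail do not raise an alarm."""
    headers, _body = split_message(message)
    return [line for line in headers if SIGNATURE.match(line)]


def false_positive_count(message: str) -> int:
    """How many extra alerts the stateless matcher raises compared with the
    header-aware one; for a benign message these are all false positives."""
    return len(stateless_matches(message)) - len(header_aware_matches(message))


if __name__ == "__main__":
    print("stateless   :", stateless_matches(SAMPLE_MAIL))
    print("header-aware:", header_aware_matches(SAMPLE_MAIL))
    print("false positives:", false_positive_count(SAMPLE_MAIL))
```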