IDS Thresholds

teancum144

I came across a question worded similarly to the following:

Which of the following outlines the possibilities of not properly setting and tuning thresholds of a behavior-based IDS:

A) If the threshold is set too low, non-intrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

If the threshold is set too low, non-intrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives).

C) If the threshold is set too high, non-intrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).

D) If the threshold is set too high, non-intrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

I selected "A", but the answer is "C".

Here's an example that supports my answer:

• Normal traffic = X
• Threshold = 5

Normal traffic "N" and abnormal traffic "A" are represented by the following:

• N = the range between X - 5 and X + 5
• A = traffic greater than X + 5 or less than X - 5

If I lower the threshold from 5 to 4, more non-intrusive activities will cause the IDS to trigger an attack.
Conversely, if I raise the threshold from 5 to 6, more malicious activities will not be identified.

Please help me reconcile my logic above to answer "C".

lsud00d

I'm interested for the reasoning, unless it is incorrect...I agree that "A" is the answer.

teancum144

lsud00d wrote: »

I'm interested for the reasoning, unless it is incorrect...I agree that "A" is the answer.

Here's the explanation:
C. If the threshold is set too high, non-intrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).

lsud00d

I'm not sure why you c/p'd the answer as the explanation?

Regardless, the question (which I think you forgot a 't' on 'no' to make it 'not') is asking about a misconfigured IDS. False positives will be generated if the threshold is too low, and the reverse for false negatives.

teancum144

lsud00d wrote: »

I'm not sure why you c/p'd the answer as the explanation?

Unfortunately, that is the explanation provided in the AIO book.

lsud00d wrote: »

Regardless, the question (which I think you forgot a 't' on 'no' to make it 'not') is asking about a misconfigured IDS. False positives will be generated if the threshold is too low, and the reverse for false negatives.

Thanks, I fixed the question.

5502george

"A" for me. I would also like to hear the reasoning for "C"

emerald_octane

apparently this question has been asked before:

CISSP_Study - Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57

Swap "threshold" with "sensitivity" and you understand why C is the correct answer. if the "sensitivity" is too high, you get more false positives. If the "Sensitivity" is too low, you get false negatives. Poor wording IMO.

teancum144

The AIO book (source of the question) has the following statements regarding thresholds:

• "Clipping level is a threshold value. Once a threshold value is passed the activity is considered to be an event that is logged, investigated, or both."
• "If the [normal] network traffic volume exceeds the IDS system's threshold, attacks may go unnoticed."
• "As with all filters, the thresholds are tunable to adjust the sensitivity, and to reduce the number of false positives and false negatives."
• "Determining the proper thresholds for statistically significant deviations is really the key for the successful use of a behavioral-based IDS. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, some malicious activities won't be identified (false negatives). "

Given that the last bullet supports answer "A", I wonder if the answer in the book is a typo. Common sense seems to indicated that threshold level is not synonymous with sensitivity, but inversely related to it. Thoughts?

beads

Question seems a bit over tuned to simply become a word problem not a technical problem, let alone one of those dread "management questions". Answer is C when your figure that its the most conservative answer and allows the greatest amount flexibility. Better to capture too much and lower the clipping than to miss what could be obvious. Combined with another control point (HIDS, internal Firewall, etc.) it should be easy to confirm or deny. But relying strictly on one control will always be a dicey move. Hence why I think so many people have trouble with this type of question. It doesn't really reflect good practice in the field.

- B Eads

teancum144

beads wrote: »

...Answer is C when your figure that its the most conservative answer and allows the greatest amount flexibility. Better to capture too much and lower the clipping than to miss what could be obvious. Combined with another control point (HIDS, internal Firewall, etc.) it should be easy to confirm or deny. ...

I don't understand your reasoning in context of what answer "C" actually says. Please clarify.

atx1975

I answered "C" my reasoning is threshold is misleading making it sounds as if there is a clipping level which may be part of the analysis engine but not all, threshold in my mind is how detailed the inspection is meaning the higher the threshold the more detailed the inspection to the point where normal traffic may "possibly" look malicious causing false-positives......when the threshold is too low or less detailed on inspection it may allow more crafty malicious traffic through causing false negatives let me know if that makes sense?

lsud00d

Sensitivity is a byproduct of threshold. I agree that the wording is poor because sensitivity and threshold have an inverse relationship IMO.

atx1975

True I agree, but another key word could be "behavior-based" versus "anomaly-based" where i would think an anomaly-based looks more at thresholds for irregularity rather that the behavior of the traffic.

Clindamycin

U r right buddy. This is what I found in Sec+ book by Darril Gibson
With this in mind, administrators set the threshold to a number between 1 and 1,000 to indicate an attack. If administrators set it too low, they will have too many false positives and a high workload as they spend their time chasing ghosts. If they set the threshold too high, actual attacks will get through without administrators knowing about them.

p@r0tuXus

Holy Necro-Thread!


I'd say C. Like the privacy settings on your browser's Internet Zone Privacy settings... The threshold is like a tolerance.


Low Threshold = High Sensitivity (False Positives).
High Threshold = Low Sensitivity (False Negatives).

markulous

Yeah, it's C for sure. If you set your IDS threshold too high, you're going to get false positives for everything in your environment. If you set it too low, then you're going to get false negatives, meaning the bad stuff is going to be accepted.

cyberguypr

I REALLY hope the OP wasn't hanging there waiting for one more response for 4 years.