How an Intrusion Detection System uses a Confusion Matrix to identify malicious activity

ADAMAYA SHARMA
3 min read · Jun 6, 2021


What is a Confusion Matrix?

A Confusion matrix is an N x N matrix used for evaluating the performance of a classification model, where N is the number of target classes. The matrix compares the actual target values with those predicted by the machine learning model. This gives us a holistic view of how well our classification model is performing and what kinds of errors it is making.

For a binary classification problem, we would have a 2 x 2 matrix with 4 values. Laid out as a text table (reconstructed from the definitions that follow, since the original figure is not reproduced here):

                       Actual Positive       Actual Negative
  Predicted Positive   True Positive (TP)    False Positive (FP)
  Predicted Negative   False Negative (FN)   True Negative (TN)

Let’s understand the matrix:

  • The target variable has two values: Positive or Negative
  • The columns represent the actual values of the target variable
  • The rows represent the predicted values of the target variable

So let’s see the various values in the matrix:

1. True Positive (TP)

  • The predicted value matches the actual value
  • The actual value was positive and the model predicted a positive value

2. True Negative (TN)

  • The predicted value matches the actual value
  • The actual value was negative and the model predicted a negative value

3. False Positive (FP) — Type 1 error

  • The predicted value was falsely predicted
  • The actual value was negative but the model predicted a positive value

4. False Negative (FN) — Type 2 error

  • The predicted value was falsely predicted
  • The actual value was positive but the model predicted a negative value

Cybercrime is increasing day by day, and the confusion matrix is widely used to evaluate the models that classify it.

Confusion Matrix concepts in Cyber Security

Investigating false positives wastes time and resources and distracts your team from focusing on the real cyber incidents (alerts) originating from your SIEM.

Conversely, missed threats (false negatives) increase your cyber risk, reduce your ability to respond to the attackers, and in the event of a data breach could even lead to the end of your business.

False Positives in Cyber Security

False positives are mislabeled security alerts, indicating there is a threat when in actuality there isn’t. These false alerts (SIEM events) increase noise for already over-worked security teams and are often caused by software bugs, poorly written software, or unrecognized network traffic.

By default, most security teams are conditioned to ignore false positives. These false alarms account for roughly 40% of the alerts cybersecurity teams receive daily and at large organizations can be overwhelming and a huge waste of time.

False Negatives in Cyber Security

False negatives are uncaught cyber threats — overlooked by security tooling because they’re dormant, highly sophisticated (e.g. file-less or capable of lateral movement), or because the security infrastructure in place lacks the technological ability to detect these attacks.

These advanced/hidden cyber threats are capable of evading prevention technologies, like next-gen firewalls, antivirus software, and endpoint detection and response (EDR) platforms trained to look for “known” attacks and malware.

No cybersecurity or data breach prevention technology can block 100% of the threats it encounters. False negatives are the roughly 1% of malware and cyber threats that most methods of prevention are prone to miss.

The trade-off between type 1 and type 2 errors is very critical in cybersecurity.

In brief, we can say:

  • True Positive (TP): The number of attacks that were detected as attacks.
  • True Negative (TN): The number of normal events that were classified as normal.
  • False Positive (FP): The number of normal events that were detected as attacks (false alarms).
  • False Negative (FN): The number of attacks that were classified as normal (missed attacks).
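The following is an added example, not code from the original post: it scores a small constructed set of IDS events against ground-truth labels, builds the TP/TN/FP/FN counts defined above, and sweeps the alert threshold to show the type 1 / type 2 trade-off (the event scores, labels and threshold values are assumptions made up for the example).

```python
from dataclasses import dataclass

# Constructed sample: each event is (anomaly_score, is_attack). Scores and labels
# are made up for this example; a real IDS would emit them per flow or alert.
EVENTS = [
    (0.95, True), (0.82, True), (0.61, True), (0.35, True),   # four real attacks
    (0.88, False), (0.55, False), (0.42, False), (0.20, False),
    (0.10, False), (0.05, False),                             # six benign events
]

@dataclass
class ConfusionMatrix:
    tp: int = 0  # attack flagged as attack
    tn: int = 0  # normal event left alone
    fp: int = 0  # normal event flagged as attack (false alarm, type 1 error)
    fn: int = 0  # attack missed (type 2 error)

    def detection_rate(self):  # recall / true positive rate
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    def false_alarm_rate(self):  # FP as a share of all normal events
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0

    def precision(self):  # share of raised alerts that are real attacks
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

def confusion_matrix(events, threshold):
    """Alert when score >= threshold; compare each alert with the ground-truth label."""
    cm = ConfusionMatrix()
    for score, is_attack in events:
        alerted = score >= threshold
        if alerted and is_attack:
            cm.tp += 1
        elif alerted and not is_attack:
            cm.fp += 1
        elif not alerted and is_attack:
            cm.fn += 1
        else:
            cm.tn += 1
    return cm

def threshold_sweep(events, thresholds):
    """Lowering the threshold catches more attacks (fewer FN) but raises false alarms (more FP)."""
    return {t: confusion_matrix(events, t) for t in thresholds}

if __name__ == "__main__":
    for t, cm in threshold_sweep(EVENTS, (0.9, 0.6, 0.3)).items():
        print(f"threshold={t:.1f} TP={cm.tp} FP={cm.fp} FN={cm.fn} TN={cm.tn} "
              f"detection={cm.detection_rate():.2f} false_alarm={cm.false_alarm_rate():.2f}")
```

With these inputs the strict threshold (0.9) raises no false alarms but misses three of four attacks, while the loose threshold (0.3) catches every attack at the cost of flagging half of the benign traffic.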
