The False Positive: Still tomorrow’s mistake!

By Richard Moss | Jul 2, 2009 | 3381 reads

5 comments

Facebook

LinkedIn

Digg

The topic of the 'false positive' has always been an issue for the security profession and the subject has been in the news again recently; last week, following the announcement of Michael Jackson’s death, Google News found its website so inundated with page requests that its security systems and [human] analysts mistook the legitimate traffic for a denial of service attack – so convinced were Google that they disconnected the news site for a short period of time.

Closer to home, the mainland’s deployment of the controversial content control software ‘Green Dam’ has generated numerous press articles and criticism (but staying on the subject of false positives) a story that brought a wry smile to my face last week was ‘Green Dam’ blocking internet downloads of pictures of pigs (those filthy swine, always making the news somehow).

The software can be used for multiple purposes but is reportedly designed to target online pornography by scanning images for key attributes of pornography and apparently an excess of pink colored areas is one of those – so presumably the excess of pink pig flesh caused Green Dam to block downloads of pig pictures. 

This of course raises questions of how popular pig-picture downloads are in mainland china, but perhaps that’s a topic for another blog.

But let’s be honest with ourselves: the expression “false positive” is just another way of saying “mistake” – a mistake where legitimate email, content or applications have been incorrectly blocked in the name of security when they shouldn’t have been. And it's really hard to get this bit right - anyone involved in the deployment and tuning of an IPS system can tell you just how time-consuming and laborious the effort is in getting a complex security system tuned to the behavior of the enterprise and to accurately reproduce and solve any problems when they arise!

Furthermore, as much of an enterprises’ security requirements are outsourced today (think anti-virus, SPAM control, managed security services) the reporting requirements to a 3^rd party vendor can become quiet onerous and needs to be very specific or there is little they can do to help.

However, the false positive is not a new phenomenon; yet it is one that has not successfully been resolved over the past few years - although the industry might argue that great improvements have been made in the area (an example being the accelerated deployment of IPS over the more widely accepted IDS systems of the past, although I would argue that IPS deployments still block traffic in a limited fashion, sort of an IDS+ rather than a true IPS!).

5 comments

Facebook

LinkedIn

Digg