Created by Akanksha

Confusion Matrix causing confusion 🤔 while Risk Identification in Security Surveillance of Organizational Network

Akanksha Singh
12 min readJul 5, 2021


Technology is meant to make human life easy but security breach happen at high rate in bait of money and some personal glitches many crackers enter Organization's network to insert malicious software patches which results in damaged system and Leaking of confidential information.

Intrusions are mostly done over the network for which many companies spend lots of money on System Surveillance and Software Patch Updates so that all the loops can be treated on time before any virus/malicious code entrance into the system. We have many type of insecurities in the Network Like:
Malware : Malware describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software. It causes following disruptions in our system —

  • It will block the access to key component of network called Ransomware.
  • From false site with some software sometimes these malware program and harmful software also get downloaded at unknown location.
  • Obtain and transmit data from the hard drive this is called Spyware.
  • Malware with disguised intention is popularly known as Trojans or Trojan horses. Apart from attacking the system, Trojans can create a backdoor for the attackers to stealthily get into the system.
  • Bots (or Internet bots) are software programs developed to automate a repetitive task. While bad bots are self-propagating malware that infects the host and reports back to the connected central server. These bots are capable of collecting passwords, log keystrokes, personal financial data, and other sensitive data.
  • Adware is one of the most evitable forms of malware. You identify it when you witness one. It advertises malware with uninvited messages, which are automatically generated, clickable advertisements leading you to downloadable malicious software. They usually appear in the form of pop-ups or some random windows that do not close.
Phishing Attack

Phishing : Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.

Man in the middle Attack

Man-in-the-middle / Eavesdropping Attacks : Man-in-the-middle (MITM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.

Session Hijacking Attack

Session Hijacking : Session hijacking is one of multiple types of MITM attacks. The attacker takes over a session between a client and the server. The computer being used in the attack substitutes its Internet Protocol (IP) address for that of the client computer, and the server continues the session without suspecting it is communicating with the attacker instead of the client.

Denial of Service Attack

Denial-of-service attack : A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack.

SQL injection attack

SQL injection : A Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.

DNS Tunneling Attack

DNS Tunneling : There are also malicious reasons to use DNS Tunneling VPN services. They can be used to disguise outbound traffic as DNS, concealing data that is typically shared through an internet connection. For malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the attacker’s infrastructure. It can also be used for command and control callbacks from the attacker’s infrastructure to a compromised organizational system.

Zero-Day Exploit Attack

Zero-day exploit : A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time.

Brute Force Attack

Brute-force attack : Attackers try every possible combination of passwords and passphrases until the account is unlocked. Perpetrators use brute-force attacks to gain passwords to access the data of a website or a personal account. Access to the login credentials can also let them shut down the victim’s account or website.

Credential Stuffing Attack

Credential Stuffing : Credential stuffing is when the attacker used stolen credentials to gain unauthorized access to a user’s account. With automation, the process gets simpler. Huge databases containing compromised credentials are used to break into an account. Once the attacker is successful, the hacked account can be used to initiate fraudulent transactions, for carrying out other ill-intended activities, to alter or misuse the stored data.

Birthday Attack

Birthday Attack : An attacker misuse security feature of hash algorithms, which are used to verify the authenticity of messages. The hash algorithm is a digital signature, and the receiver of the message checks it before accepting the message as authentic. If a hacker can create a hash that is identical to what the sender has appended to their message, the hacker can simply replace the sender’s message with their own. The receiving device will accept it because it has the right hash.

XSS Attack

XSS Attacks : the attacker transmits malicious scripts using clickable content that gets sent to the target’s browser. When the victim clicks on the content, the script is executed. Because the user has already logged into a web application’s session, what they enter is seen as legitimate by the web application. However, the script executed has been altered by the attacker, resulting in an unintended action being taken by the “user” also known as Cross-Site-Scripting.

These above attacks were detected in past decades and have caused tremendous loss to organizations. Solutions were meant to Identify the risk of these vulnerabilities. Under the Critical Infrastructure of IDS / IPS Systems that lease a huge cost on the organization but it’s accuracy and internal algorithms are sometimes behaving abnormally and detect the False Negatives that lead to disaster in the company's security suit.

👉 Let me Introduce the Intrusion Detection and Intrusion Prevention systems aka IDS and IPS respectively:

Topology of IDS and IPS

👉 IDS :

An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy breaching. Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.

Detection Method of IDS are:

Signature-based Method:
Signature-based IDS detects the attacks on the basis of the specific patterns such as number of bytes or number of 1’s or number of 0’s in the network traffic. It also detects on the basis of the already known malicious instruction sequence that is used by the malware. The detected patterns in the IDS are known as signatures. Signature-based IDS can easily detect the attacks whose pattern (signature) already exists in system but it is quite difficult to detect the new malware attacks as their pattern (signature) is not known.

Anomaly-based Method:
Anomaly-based IDS was introduced to detect the unknown malware attacks as new malware are developed rapidly. In anomaly-based IDS there is use of machine learning to create a trustful activity model and anything coming is compared with that model and it is declared suspicious if it is not found in model. Machine learning based method has a better generalized property in comparison to signature-based IDS as these models can be trained according to the applications and hardware configurations.

📌 Classification of Intrusion Detection System:

  • Network Intrusion Detection System (NIDS):
    Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. It performs an observation of passing traffic on the entire subnet and matches the traffic that is passed on the subnets to the collection of known attacks. Once an attack is identified or abnormal behavior is observed, the alert can be sent to the administrator. An example of an NIDS is installing it on the subnet where firewalls are located in order to see if someone is trying crack the firewall.
  • Host Intrusion Detection System (HIDS):
    Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their layout.
  • Protocol-based Intrusion Detection System (PIDS):
    Protocol-based intrusion detection system (PIDS) comprises of a system or agent that would consistently resides at the front end of a server, controlling and interpreting the protocol between a user/device and the server. It is trying to secure the web server by regularly monitoring the HTTPS protocol stream and accept the related HTTP protocol. As HTTPS is un-encrypted and before instantly entering its web presentation layer then this system would need to reside in this interface, between to use the HTTPS.
  • Application Protocol-based Intrusion Detection System (APIDS):
    Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally resides within a group of servers. It identifies the intrusions by monitoring and interpreting the communication on application specific protocols. For example, this would monitor the SQL protocol explicit to the middleware as it transacts with the database in the web server.
  • Hybrid Intrusion Detection System :
    Hybrid intrusion detection system is made by the combination of two or more approaches of the intrusion detection system. In the hybrid intrusion detection system, host agent or system data is combined with network information to develop a complete view of the network system. Hybrid intrusion detection system is more effective in comparison to the other intrusion detection system. Prelude is an example of Hybrid IDS.

👉 IPS :

Intrusion Prevention System (IPS) is also known as Intrusion Detection and Prevention System. It is a network security application that monitors network or system activities for malicious activity. Major functions of intrusion prevention systems are to identify malicious activity, collect information about this activity, report it and attempt to block or stop it.

IPS typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IPS can also respond to a detected threat by attempting to prevent it from succeeding. They use various response techniques, which involve the IPS stopping the attack itself, changing the security environment or changing the attack’s content.

Detection method in IPS are:

Signature-based detection:
Signature-based IDS operates packets in the network and compares with pre-built and preordained attack patterns known as signatures.

Statistical anomaly-based detection:
Anomaly based IDS monitors network traffic and compares it against an established baseline. The baseline will identify what is normal for that network and what protocols are used. However, It may raise a false alarm if the baselines are not intelligently configured.

Stateful protocol analysis detection:
This IDS method recognizes divergence of protocols stated by comparing observed events with pre-built profiles of generally accepted definitions of not harmful activity.

📌 Classification of Intrusion Prevention System :

  • Network-based intrusion prevention system (NIPS):
    It monitors the entire network for suspicious traffic by analyzing protocol activity.
  • Wireless intrusion prevention system (WIPS):
    It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
  • Network behavior analysis (NBA):
    It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations.
  • Host-based intrusion prevention system (HIPS):
    It is an inbuilt software package which operates a single host for doubtful activity by scanning events that occur within that host.
Challenges in the IPS & IDS System

😥 Challenge with IDS and IPS System :

An issue about the type of errors likely to occur in the system. These can be neatly categorized as either false positive, false negative, or subversion errors. A false positive occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action. A false negative occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior. A subversion error occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.

Confusion Matrix

False positive errors will lead users of the intrusion detection system to ignore its output, as it will classify legitimate actions as intrusions. The occurrences of this type of error should be minimized (it may not be possible to completely eliminate them) so as to provide useful information to the operators. If too many false positives are generated, the operators will come to ignore the output of the system over time, which may lead to an actual intrusion being detected but ignored by the users.

A false negative error occurs when an action proceeds even though it is an intrusion. False negative errors are more serious than false positive errors because they give a misleading sense of security. By allowing all actions to proceed, a suspicious action will not be brought to the attention of the operator. The intrusion detection system is now a liability as the security of the system is less than it was before the intrusion detector was installed.

Subversion errors are more complex and tie in with false negative errors. An intruder could use knowledge about the internals of an intrusion detection system to alter its operation, possibly allowing anomalous behavior to proceed. The intruder could then violate the system’s operational security constraints. This may be discovered by a human operator examining the logs from the intrusion detector, but it would appear that the intrusion detection system still seems to be working correctly.

Another form of subversion error is fooling the system over time. As the detection system is observing behavior on the system over time, it may be possible to carry out operations each of which when taken individually pose no threat, but taken as an aggregate form a threat to system integrity. How would this happen? As mentioned previously, the detection system is continually updating its notion of normal system usage. As time goes by a change in system usage patterns is expected, and the detection system must cope with this. But if an intruder could perform actions over time which were just slightly outside of normal system usage, then it is possible that the actions could be accepted as legitimate where as they really form part of an intrusion attempt. The detection system would have come to accept each of the individual actions as slightly suspicious, but not a threat to the system. What it would not realize is that the combination of these actions would form a serious threat to the system.

Conclusion :

When we talk about the accuracy index of the IDS and IPS, calculate using following formula. Where TP (True Positive), TN (True Negative), FP (False Positive) and FN (False Negative) come from the confusion metrics created by analysists by taking experience from the system decision and error proportions.

The more accuracy score the system has, better will be it’s predictions and detection alarm.



Akanksha Singh

Platform Engineer | Kubernetes | Docker | Terraform | Helm | AWS | Azure | Groovy | Jenkins | Git, GitHub | Sonar | NMAP and other Scan and Monitoring tool