Akamai Diversity

WAF: False Positives vs. False Negatives

I said in my last article that one of the key factors when judging the effectiveness of a WAF is accuracy. There is a pair of metrics that, measured objectively, gives an unmistakable view of the quality and accuracy of a WAF solution: its false negatives and its false positives.
To understand these two metrics we have to look a bit more closely at how a WAF operates. The essence of a WAF is to inspect the traffic sent towards a web site or application infrastructure. Although ideally supported and managed by a group of human experts, this function has to be carried out automatically, according to a set of predefined patterns and techniques that categorize and label traffic as 'good' or 'bad'. This capacity for automation is key. Every HTTP request, before reaching the web server, is scanned by the WAF and compared against some models to determine the likelihood that the request belongs to a legitimate transaction or is part of an attack. These models are based on rules, and depending on the strategy chosen to define and create the rules (which is inherent to every WAF) they will provide a more or less accurate result.
It is fundamental to understand that, by definition, there is no 100% infallible protection, other than literally blocking every single request.
[Figure 1: False Positives vs False Negatives]

Arguably, this firewall configuration is the one that fully protects against every attack. The flip side is that you don't receive any traffic at all, either.

One of the basic strategies of attackers is to disguise themselves among legitimate users, mimicking their behavior so that they are difficult to detect. Therefore, every WAF will introduce a small (ideally zero) percentage of mistakes:
• False positives: requests that the WAF labeled as malicious but that were actually legitimate.
• False negatives: malicious requests that the WAF did not detect and that consequently were not filtered.

[Figure 2: False Positives vs False Negatives]

The key factor is to find an adequate balance between false positives and false negatives, given that in practice it is impossible to reduce both to 0%. Since a WAF must be configurable in terms of tolerance, the company (or the service provider that manages the WAF) has to trade one off against the other:
    • The more restrictive and severe the WAF rules are, the fewer malicious requests escape scrutiny and the lower the risk of a successful attack, but at the same time more legitimate users are blocked by mistake.
    • Conversely, more tolerant rules can be deployed. These avoid blocking legitimate users and denying them access to the service, which would negatively impact business and reputation. However, less rigorous rules mean a more permissive evaluation of each request, so the risk of attackers going undetected increases and some attacks will reach the web infrastructure.
Note that both rates can only be measured against traffic whose true nature is known, so the practical way to quantify them is to replay a labelled set of requests (captured legitimate traffic plus known attacks) through the WAF and count the two kinds of error at each tolerance setting.
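The trade-off described in the two bullets above can be made concrete with a small anomaly-scoring model of the kind many WAFs use: each rule that matches a request adds a score, and the request is blocked when the total reaches a configurable threshold. The following is an added example written for this article, not Akamai's code or any product's rule set; the rules, their scores and the labelled sample requests are all constructed for illustration. Sweeping the threshold from 0 (block everything, as in the first figure) upward reproduces the curve: false positives fall while false negatives rise, and one attack evades the rules at every threshold, which is why no single setting brings both rates to 0%.

```python
import re

# Constructed sample traffic for illustration: (query string, is_attack).
# These are not real requests from any site; the labels are assigned by hand
# so the evaluation has ground truth to compare against.
SAMPLE_REQUESTS = [
    ("q=shoes", False),
    ("q=select a size", False),                      # benign, contains "select"
    ("comment=I love this <3 product", False),       # benign, contains "<"
    ("q=how to union two lists", False),             # benign, contains "union"
    ("note=see http://example.com/a?b=1", False),
    ("comment=I'd go with 'select' -- it's the better word", False),  # noisy but benign
    ("id=1 OR 1=1", True),                           # boolean SQL injection
    ("q=' UNION SELECT password FROM users--", True),
    ("name=<script>alert(1)</script>", True),        # reflected XSS probe
    ("path=../../etc/passwd", True),                 # path traversal
    ("id=1' and sleep(5)--", True),                  # time-based SQL injection
    ("id=1 or true", True),                          # injection the rules below miss
]

# Hypothetical anomaly-scoring rule set: every rule that matches adds its score.
RULES = [
    (re.compile(r"(?i)\bunion\b"), 3),
    (re.compile(r"(?i)\bselect\b"), 3),
    (re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"), 5),
    (re.compile(r"(?i)<script"), 5),
    (re.compile(r"\.\./"), 5),
    (re.compile(r"'"), 2),
    (re.compile(r"--"), 2),
    (re.compile(r"(?i)\bsleep\s*\("), 4),
    (re.compile(r"<"), 1),
]


def anomaly_score(request: str) -> int:
    """Sum the scores of every rule that matches the request (counted once per rule)."""
    return sum(score for pattern, score in RULES if pattern.search(request))


def evaluate(requests, threshold: int) -> dict:
    """Block requests whose score >= threshold and count the four outcomes."""
    tp = fp = tn = fn = 0
    for req, is_attack in requests:
        blocked = anomaly_score(req) >= threshold
        if blocked and is_attack:
            tp += 1
        elif blocked and not is_attack:
            fp += 1          # false positive: legitimate request blocked
        elif not blocked and is_attack:
            fn += 1          # false negative: attack let through
        else:
            tn += 1
    benign = fp + tn
    attacks = tp + fn
    return {
        "threshold": threshold, "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "fpr": fp / benign if benign else 0.0,    # share of legitimate traffic blocked
        "fnr": fn / attacks if attacks else 0.0,  # share of attacks missed
    }


def sweep(requests, thresholds):
    """Evaluate one threshold per row, from block-everything to block-nothing."""
    return [evaluate(requests, t) for t in thresholds]


if __name__ == "__main__":
    print("threshold  FP  FN   FPR   FNR")
    for row in sweep(SAMPLE_REQUESTS, [0, 1, 4, 6, 8, 11]):
        print(f"{row['threshold']:>9}  {row['fp']:>2}  {row['fn']:>2}  "
              f"{row['fpr']:.2f}  {row['fnr']:.2f}")
```

Running the script prints one row per threshold: at 0 every request is blocked (FPR 1.00, FNR 0.00), at 4 one benign comment is blocked and one injection slips through, and at 11 nothing is blocked (FPR 0.00, FNR 1.00). In a real deployment the labelled set would come from replaying captured traffic and a known-attack corpus against the WAF in detection-only mode, and the two rates should be weighted by their cost: a blocked checkout and a missed injection are not equally expensive.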
In my next article, I will talk about the right strategy for balancing false positives and false negatives. However, if the suspense is killing you, I recommend reading this white paper to unveil the secret.
