Positive/Negative Terminology

When working with an IPS/IDS, you will likely come across the following terms:

- False positive
- False negative
- True positive
- True negative

A false positive is when the sensor generates an alert about traffic that is not malicious or otherwise relevant to the safety of the network. False positives are easy to identify because the alerts are generated and easily viewed. A false negative, however, is when there is malicious traffic on the network and, for whatever reason, the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything bad is going on. In the case of a false negative, you must rely on some third-party or external system to alert you to the problem at hand, such as syslog messages from a network device.

The true positives and true negatives are much clearer and easier for a network administrator to understand. A true positive means that there was malicious traffic and that the sensor saw it and reported on it; if the sensor was an IPS, it may have dropped the malicious traffic based on the current set of rules in place. A true negative is also a wonderful thing in that there was normal nonmalicious traffic, and the sensor did not generate any type of alert, which is normal sensor behavior regarding nonmalicious traffic.
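The four outcomes above form a small confusion matrix, and the false-negative case is the one you can only surface from outside the sensor. The following is an added example, not code from the book: it tallies the four categories over constructed sample flows (ground truth established after the fact) and then shows how a device's deny log can point at traffic the sensor stayed silent on. The flow records, the syslog lines (written in the style of a Cisco IOS access-list log message) and the field names are all assumptions for the example.

```python
from collections import Counter

# Constructed sample data (not from the book). "malicious" is the ground truth
# an analyst established afterwards; "alerted" is what the sensor did at the time.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "malicious": True,  "alerted": True},   # sensor caught it
    {"src": "10.0.0.6", "malicious": False, "alerted": False},  # quiet, correctly
    {"src": "10.0.0.7", "malicious": False, "alerted": True},   # noisy, wrongly
    {"src": "10.0.0.8", "malicious": True,  "alerted": False},  # missed
    {"src": "10.0.0.9", "malicious": False, "alerted": False},  # quiet, correctly
]

# Constructed syslog lines from a router/firewall: the "external system" the
# text mentions for noticing traffic the sensor never alerted on.
SAMPLE_SYSLOG = [
    "%SEC-6-IPACCESSLOGP: list OUTSIDE denied tcp 10.0.0.8(4444) -> 10.0.0.10(22), 37 packets",
    "%SYS-5-CONFIG_I: Configured from console by admin",
]


def classify(malicious: bool, alerted: bool) -> str:
    """Map ground truth and the sensor's verdict onto one of the four terms."""
    if alerted:
        return "true positive" if malicious else "false positive"
    return "false negative" if malicious else "true negative"


def confusion_counts(flows) -> Counter:
    """Tally how many flows fall into each of the four categories."""
    return Counter(classify(f["malicious"], f["alerted"]) for f in flows)


def detection_rate(counts: Counter) -> float:
    """Share of malicious traffic the sensor actually caught: TP / (TP + FN)."""
    tp, fn = counts["true positive"], counts["false negative"]
    return tp / (tp + fn) if tp + fn else 0.0


def candidate_false_negatives(flows, syslog_lines) -> list:
    """Sources the sensor was silent on but that a device log denied anyway.
    At this point ground truth is unknown, so these are leads to investigate,
    which is exactly why false negatives need an external source."""
    silent = {f["src"] for f in flows if not f["alerted"]}
    return sorted(src for src in silent
                  if any(src in line and "denied" in line for line in syslog_lines))


if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_FLOWS)
    print(dict(counts), "detection rate:", detection_rate(counts))
    print("check outside the sensor:", candidate_false_negatives(SAMPLE_FLOWS, SAMPLE_SYSLOG))
```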
