The IPS on your company’s network is blocking normal web traffic.
Which of the following best describes what the IPS has identified? (Select the best answer.)
- a false positive
- a false negative
- a true positive
- a true negative
The intrusion prevention system (IPS) has identified a false positive. A false positive occurs when an intrusion detection system (IDS) or an IPS identifies nonmalicious traffic as malicious. Tuning must be performed to minimize the number of false positives while eliminating false negatives. Not only can too many false positives overburden a device, they can also overburden a network administrator because false positives must usually be verified as harmless.
A false negative occurs when an IDS or IPS does not identify malicious traffic that enters the network. False negatives can often lead to disastrous network security problems. To properly secure a network, you should reduce the number of false negatives as much as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a genuine attack.
A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a true positive occurs when a virus or an attack is identified and the appropriate action is taken.
A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a true negative occurs when an administrator correctly enters a password or when Hypertext Transfer Protocol (HTTP) traffic is sent to a web server.