Which of the following occurs when an IDS or IPS does not identify malicious traffic that enters the network? (Select the best answer.)
- a false positive
- a false negative
- a true positive
- a true negative
A false negative occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) does not identify malicious traffic that enters the network. False negatives can often lead to disastrous network security problems. To properly secure a network, you should reduce the number of false negatives as much as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a genuine attack.
A false positive occurs when an IDS or IPS identifies nonmalicious traffic as malicious. Tuning must be performed to minimize the number of false positives while eliminating false negatives. Not only can too many false positives overburden a router, they can also overburden a network administrator because false positives must usually be verified as harmless.
A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a true positive occurs when a virus or an attack is identified and the appropriate action is taken.
A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a true negative occurs when an administrator correctly enters a password or when Hypertext Transfer Protocol (HTTP) traffic is sent to a web server.