Security


Words: 3020

Pages: 13

Category: Science and Technology

Date Submitted: 03/31/2013 12:52 AM

1. REVIEW QUESTION NO: 2

A false positive looks like an alert but is in fact routine activity: the system raised an alarm on something benign. A false negative looks like normal activity but is in fact an alert-level action: the system stayed silent on something malicious. From a security viewpoint, false positives are a nuisance that costs analyst time, but false negatives are a failure of the system's mission, because the attack goes unnoticed.

False Positive Alarm

A false positive alarm occurs when the system claims that a network intrusion has happened but none did. An Intrusion Detection System (IDS) analyzes network traffic and raises alarms when it detects something suspicious. For example, it may alert the intrusion analysts because it has noticed network traffic trying to exploit a vulnerability in Microsoft Internet Information Server (IIS). The analyst then has to examine the alert to decide whether it is in fact a false positive; the organization may not run any IIS servers at all, in which case the attempt cannot have succeeded.

Attackers sometimes deliberately generate massive numbers of false positives to divert the attention of intrusion analysts away from a real attack. Tuning the IDS so that false positives are minimized while no real positives are missed therefore requires a deep understanding of the underlying technology, of attack patterns, and of the organization's infrastructure; one check that should never be skipped is whether a signature even applies to the asset it fired on.
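To make the four outcomes and the tuning trade-off concrete, here is an added example (not code from the essay) that runs two alerting rules over constructed sample traffic and counts true positives, false positives, false negatives and true negatives. The asset inventory (IIS_HOSTS), the directory-traversal signature and every event are assumptions constructed for illustration; the decoy flood models the diversion tactic described above, and the double-encoded request models a detection gap that tuning by asset cannot close.

```python
"""Classifying IDS alerts as TP / FP / FN / TN on constructed sample traffic.

Added example, not from the essay. The asset inventory, the signature and
every event below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    payload: str
    intrusion: bool  # ground truth, as the analyst labels it afterwards


# Hypothetical asset inventory (assumption): only this host runs IIS.
IIS_HOSTS = {"10.0.0.5"}


def signature_matches(ev: Event) -> bool:
    """Crude stand-in for an IIS directory-traversal signature (constructed,
    not a real vendor rule): traversal sequences in a request to a web port."""
    p = ev.payload.lower()
    return ev.dport in (80, 443) and any(s in p for s in ("../", "..%2f", "..%5c"))


def naive_rule(ev: Event) -> bool:
    """Alert on every signature hit, regardless of what the target runs."""
    return signature_matches(ev)


def tuned_rule(ev: Event) -> bool:
    """Alert only when the target actually runs the affected software."""
    return signature_matches(ev) and ev.dst in IIS_HOSTS


def confusion(events, rule) -> dict:
    """Count true/false positives/negatives for one alerting rule."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        alerted = rule(ev)
        if alerted:
            counts["tp" if ev.intrusion else "fp"] += 1
        else:
            counts["fn" if ev.intrusion else "tn"] += 1
    return counts


def precision(c: dict) -> float:
    """Share of alerts that were real: low when false positives dominate."""
    return c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0


def recall(c: dict) -> float:
    """Share of real intrusions alerted on: low when false negatives exist."""
    return c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    # Real traversal attempt against the IIS host: should be alerted on.
    Event("203.0.113.7", "10.0.0.5", 80,
          "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    # Routine requests.
    Event("198.51.100.2", "10.0.0.5", 80, "GET /index.html HTTP/1.1", False),
    Event("198.51.100.3", "10.0.0.9", 443, "GET /about HTTP/1.1", False),
    # Double-encoded traversal against the IIS host: the signature misses it,
    # so both rules produce a false negative, which asset tuning cannot fix.
    Event("203.0.113.7", "10.0.0.5", 80,
          "GET /scripts/%252e%252e/winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
] + [
    # Decoy flood: the same IIS exploit aimed at a host that does not run IIS.
    # Nothing can succeed here, so in the essay's framing these are false
    # positives, generated to bury the one real alert above.
    Event("203.0.113.8", "10.0.0.9", 80,
          f"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir&{i} HTTP/1.0", False)
    for i in range(20)
]


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("tuned", tuned_rule)):
        c = confusion(SAMPLE_EVENTS, rule)
        print(f"{name}: {c} precision={precision(c):.2f} recall={recall(c):.2f}")
```

Run stand-alone it prints both confusion matrices: the naive rule drowns one true positive in twenty decoy false positives, the tuned rule removes all of them without losing the true positive, and both rules share the same false negative, which is the failure that matters and that only a better signature can address.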

False positives also exist in penetration testing. Most automated vulnerability scanners generate false positives, because they typically match on version banners and response signatures rather than confirming that a vulnerability is actually exploitable; the findings they report therefore have to be screened thoroughly by hand before they are accepted.

More recently, false positive is a term also applied to the situation in which an email is identified as "spam" by a spam-filtering service when in reality it is not spam but a legitimate message. Given this, the most important accuracy measure of any spam filtering system is that the number of real emails falsely identified as spam should be as close to zero as possible. Because chances exist that no spam email can trigger a filtering...