Applied Network Security

False positives

In the context of detection, there are four possible outcomes for an analyzed event, corresponding to the relationship between the detection system's verdict and what the event actually was. Each of these outcomes is outlined as follows:

  • True positive (TP): This is when the analyzed event is correctly classified as an intrusion or as harmful/malicious.
    For example, a network security administrator enters their credentials into the Active Directory server and is granted administrator access.
  • True negative (TN): This is when the analyzed event is correctly classified as normal and correctly rejected as an intrusion.
    For example, an attacker uses a port such as 4444 to communicate with a victim's device. An intrusion detection system detects network traffic on that port and alerts the cyber security team to this potentially malicious activity. The cyber security team quickly closes the port and isolates the infected device from the network.
  • False positive (FP): This is when the analyzed event is innocuous or otherwise clean in the context of security; however, the system classifies it as malicious or harmful.
    For example, a user types their password into a website's login text field. Instead of being granted access, the user is flagged as an SQL injection attempt by the input sanitation logic. This often happens when input sanitation is misconfigured.
  • False negative (FN): This is when the analyzed event is malicious, but it is classified as normal/innocuous.
    For example, an attacker inputs an SQL injection string into a text field found on a website to gain unauthorized access to database information. The website accepts the SQL injection as normal user behavior and grants access to the attacker.

For detection, having systems correctly identify which of these situations applies is paramount.
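As an added example (not code from the book), the four outcomes can be scored over constructed events in Python: an over-broad sanitation rule produces the kind of false positive described above, and a single-port signature produces a false negative. The `Event` fields, `naive_detector` and `tuned_detector` are assumed names for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not from the book), each with its ground truth.
@dataclass(frozen=True)
class Event:
    description: str
    login_input: str   # text typed into a login field ("" if not applicable)
    dst_port: int      # destination port of the connection (0 if not applicable)
    malicious: bool    # ground truth, known because we constructed the sample

EVENTS = [
    Event("admin signs in to Active Directory with valid credentials", "S3cure-pass", 389, False),
    Event("attacker's implant calls back to port 4444", "", 4444, True),
    Event("legitimate password that happens to contain an apostrophe", "it's-my-p4ss", 443, False),
    Event("tautology injection typed into the login field", "' OR '1'='1", 443, True),
    Event("implant calls back on a port the signature does not cover", "", 9001, True),
]

def classify(flagged: bool, malicious: bool) -> str:
    """Map the detector's verdict and the ground truth to TP/TN/FP/FN."""
    if flagged:
        return "TP" if malicious else "FP"
    return "FN" if malicious else "TN"

def naive_detector(e: Event) -> bool:
    """Over-broad input sanitation (any apostrophe is 'an injection') plus a
    single-port signature: the misconfiguration the text blames for FPs."""
    return "'" in e.login_input or e.dst_port == 4444

_TAUTOLOGY = re.compile(r"'\s+or\s+'", re.IGNORECASE)

def tuned_detector(e: Event) -> bool:
    """Narrower rule: match the quote-OR-quote shape, not any quote at all."""
    return bool(_TAUTOLOGY.search(e.login_input)) or e.dst_port == 4444

def confusion_matrix(detector, events=EVENTS) -> dict:
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for e in events:
        counts[classify(detector(e), e.malicious)] += 1
    return counts

def rates(counts: dict) -> tuple:
    """(detection rate TP/(TP+FN), false positive rate FP/(FP+TN))."""
    tpr = counts["TP"] / max(1, counts["TP"] + counts["FN"])
    fpr = counts["FP"] / max(1, counts["FP"] + counts["TN"])
    return tpr, fpr
```

Calling `confusion_matrix(naive_detector)` gives one FP (the apostrophe password) and one FN (the uncovered port); `tuned_detector` removes the FP but the port-signature FN remains, which is why tuning a rule and widening its coverage are separate jobs.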