False positive
Crackers sometimes try to create massive numbers of false positives to divert the attention of intrusion analysts away from a real attack. Therefore, tuning the Intrusion Detection System (IDS) so that false positives are minimized while no real positives are missed is a task that requires a deep understanding of the underlying technology, attack patterns, and the organization's infrastructure.
False positives also exist in the security space of pen testing. Most automated tools generate false positives, resulting from the lack of effective Artificial Intelligence (AI) in the scanning engine; therefore, the discovered issue reports have to be screened thoroughly.
More recently, false positive is a term also applied to the situation in which email is identified as “spam” by a spam-filtering service when in reality it is not spam but some other legitimate file. Given the false positive situation, the most important accuracy measure of any spam filtering system is that the number of real emails falsely identified as spam should be as close to zero as possible. Because chances exist that nonspam email can trigger a filtering rule erroneously, false positives do occur, angering email users who do not receive an anticipated email message that supposedly was sent.
Some spam-filtering services such as Brightmail claim a false positive rate of only one false positive per one million emails. Another accuracy measure is with the number of spam messages escaping detection by the filtering system—known as a “false negative.” This number should also be as low as possible.
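The IDS-tuning trade-off described above (minimize false positives without missing real positives) and the false-negative measure introduced here can be made concrete by scoring two rule sets against labelled traffic. This is an added example, not text or code from the dictionary; the log lines, labels and rules are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of request log lines with ground truth
# (True = real attack). Made up for illustration, not captured traffic.
SAMPLE = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /search?q=select+a+book HTTP/1.1", False),   # benign word "select"
    ("GET /item?id=1' OR '1'='1 HTTP/1.1", True),        # SQL injection attempt
    ("GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1", True),
    ("POST /login user=alice HTTP/1.1", False),
    ("GET /files/../../etc/passwd HTTP/1.1", True),      # path traversal
    ("GET /docs/union-contract.pdf HTTP/1.1", False),    # benign word "union"
    ("GET /images/logo.png HTTP/1.1", False),
]

# Loose rules fire on bare keywords, so ordinary text trips them.
LOOSE_RULES = [r"select", r"union", r"or", r"\.\./"]

# Tuned rules require SQL syntax around the keyword, not just the keyword.
TUNED_RULES = [r"'\s*or\s*'", r"union\s+select", r"\.\./"]

def detect(line, rules):
    """Return True if any rule matches (case-insensitive), i.e. an alert fires."""
    return any(re.search(r, line, re.IGNORECASE) for r in rules)

def evaluate(rules, sample):
    """Score a rule set against labelled data; return counts and error rates."""
    c = Counter()
    for line, is_attack in sample:
        alert = detect(line, rules)
        if alert and is_attack:
            c["tp"] += 1          # true positive: real attack flagged
        elif alert and not is_attack:
            c["fp"] += 1          # false positive: benign traffic flagged
        elif not alert and is_attack:
            c["fn"] += 1          # false negative: real attack missed
        else:
            c["tn"] += 1          # true negative: benign traffic ignored
    negatives = c["fp"] + c["tn"]
    positives = c["tp"] + c["fn"]
    return {"tp": c["tp"], "fp": c["fp"], "fn": c["fn"], "tn": c["tn"],
            "fpr": c["fp"] / negatives if negatives else 0.0,
            "fnr": c["fn"] / positives if positives else 0.0}

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tuned", TUNED_RULES)):
        print(name, evaluate(rules, SAMPLE))
```

On this sample the loose rules catch every attack but raise alerts on two benign requests (false positive rate 0.4), while the tuned rules keep the same zero false-negative rate with no false positives.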
See Also: Artificial Intelligence; Crackers; Electronic Mail or Email; Intrusion Detection System (IDS); Spam.
Webster's New World Hacker Dictionary Copyright © 2006 by Bernadette Schell and Clemens Martin.
Published by Wiley Publishing, Inc., Indianapolis, Indiana.
Used by arrangement with John Wiley & Sons, Inc.