# IDS/IPS - True/False Positive/Negative

In the context of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), the terms "true negative," "false negative," "true positive," and "false positive" are used to describe the accuracy and effectiveness of the system in detecting malicious activities.

1. **True Negative (TN):**
   * **Definition:** When the IDS/IPS correctly identifies legitimate (non-malicious) activity as non-malicious.
   * **Example:** Normal network traffic is correctly identified as benign.
2. **False Negative (FN):**
   * **Definition:** When the IDS/IPS fails to identify malicious activity, allowing it to go undetected.
   * **Example:** A malware attack occurs, but the IDS/IPS does not detect it, and it passes through as normal traffic.
3. **True Positive (TP):**
   * **Definition:** When the IDS/IPS correctly identifies and flags malicious activity.
   * **Example:** An attempted SQL injection attack is detected and flagged by the IDS/IPS.
4. **False Positive (FP):**
   * **Definition:** When the IDS/IPS incorrectly identifies legitimate activity as malicious.
   * **Example:** Normal user behavior is flagged as suspicious by the IDS/IPS, causing an alert.

Here's a table to summarize these concepts:

|                            | Actual Malicious Activity | Actual Legitimate Activity |
| -------------------------- | ------------------------- | -------------------------- |
| **Detected as Malicious**  | True Positive (TP)        | False Positive (FP)        |
| **Detected as Legitimate** | False Negative (FN)       | True Negative (TN)         |

Understanding these terms is crucial for evaluating the performance and reliability of an IDS/IPS, as high rates of false positives can lead to alert fatigue, while high rates of false negatives can leave the network vulnerable to undetected attacks.
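As an added example (not part of the original page), the script below scores a constructed set of IDS/IPS verdicts against ground-truth labels, fills the four cells of the table above, and derives the rates a SOC would track from them: precision (how many alerts were real, the alert-fatigue driver), detection rate (recall), false positive rate and false negative rate. The event records, labels and field names are assumptions for illustration.

```python
from collections import Counter

# Constructed sample: one record per flow the sensor evaluated.
# "actual" is the ground truth from incident review; "verdict" is what the IDS/IPS decided.
SAMPLE_EVENTS = [
    {"id": 1, "actual": "malicious",  "verdict": "malicious"},   # SQLi attempt caught      -> TP
    {"id": 2, "actual": "legitimate", "verdict": "legitimate"},  # normal web traffic       -> TN
    {"id": 3, "actual": "malicious",  "verdict": "legitimate"},  # malware beacon missed    -> FN
    {"id": 4, "actual": "legitimate", "verdict": "malicious"},   # admin script flagged     -> FP
    {"id": 5, "actual": "legitimate", "verdict": "legitimate"},  # TN
    {"id": 6, "actual": "malicious",  "verdict": "malicious"},   # TP
    {"id": 7, "actual": "legitimate", "verdict": "legitimate"},  # TN
    {"id": 8, "actual": "legitimate", "verdict": "malicious"},   # FP
]

# (actual, verdict) -> confusion-matrix cell, mirroring the table on this page
OUTCOME = {
    ("malicious", "malicious"): "TP",
    ("legitimate", "malicious"): "FP",
    ("malicious", "legitimate"): "FN",
    ("legitimate", "legitimate"): "TN",
}


def classify(event):
    """Return which cell (TP/FP/FN/TN) a single event falls into."""
    return OUTCOME[(event["actual"], event["verdict"])]


def confusion_matrix(events):
    """Count events per cell; every cell is present even when its count is zero."""
    counts = Counter(classify(e) for e in events)
    return {cell: counts.get(cell, 0) for cell in ("TP", "FP", "FN", "TN")}


def metrics(cm):
    """Derive the operational rates from a confusion matrix (0.0 when a denominator is empty)."""
    tp, fp, fn, tn = cm["TP"], cm["FP"], cm["FN"], cm["TN"]

    def ratio(num, den):
        return num / den if den else 0.0

    return {
        "precision": ratio(tp, tp + fp),            # share of alerts that were real
        "detection_rate": ratio(tp, tp + fn),       # recall: share of attacks caught
        "false_positive_rate": ratio(fp, fp + tn),  # benign traffic that raised alerts
        "false_negative_rate": ratio(fn, fn + tp),  # attacks that slipped through
    }


if __name__ == "__main__":
    cm = confusion_matrix(SAMPLE_EVENTS)
    print(cm, metrics(cm))
```

A low precision here means analysts are chasing noise; a low detection rate means the sensor is blind to part of the threat traffic, which is the more dangerous failure of the two.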
