What is false positive and false negative in cyber security?
In the world of information security, a false positive is the term used for a file or item that is marked as malicious but, in fact, is not.
A false negative is the opposite: it happens when a malicious file or item is labeled as secure or clean.
In the end, false positives and false negatives are both errors of a protection solution that fails to label files and items correctly.
-----
True Positive: A legitimate attack that triggers an alarm.
You have a brute force alert, and it triggers. You investigate the alert, and find out that somebody was indeed trying to break into one of your systems via brute force methods.
False Positive: An event that triggers an alarm when no attack has taken place.
You investigate another of these brute force alerts, and find out that it was just some user who mistyped their password a bunch of times, not a real attack.
False Negative: No alarm is raised even though an attack has taken place.
There actually was someone trying to break into your system, but they did so below the threshold of your brute force detection logic. For example, you set your rule to look for 10 failed logins in a minute, and the attacker made only 9. The attack occurred, but your rule failed to detect it.
True Negative: An event when no attack has taken place and no detection is made.
No attack occurred and your rule didn't fire.
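As an added example (not part of the original post), here is the brute force rule from the definitions above run over a constructed set of login records: each source is labelled TP, FP, FN or TN against the ground truth learned from investigation, and lowering the threshold shows how the missed 9-attempt attack becomes a detection at the cost of more noise. The log entries, source names and the ATTACKERS set are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of login attempts: (minute, source, outcome).
# Hypothetical data, not taken from the original post.
LOG = [
    *[(1, "10.0.0.9", "FAIL")] * 12,     # attacker, 12 failures: should alert
    *[(2, "alice-laptop", "FAIL")] * 11, # user mistyping password 11 times
    *[(3, "10.0.0.7", "FAIL")] * 9,      # attacker staying just under threshold
    (4, "bob-desktop", "FAIL"),          # normal user: two typos, then success
    (4, "bob-desktop", "FAIL"),
    (4, "bob-desktop", "OK"),
]

# Ground truth, known only after investigation: which sources were attackers.
ATTACKERS = {"10.0.0.9", "10.0.0.7"}


def count_failures(log):
    """Count failed logins per (minute, source) bucket."""
    counts = defaultdict(int)
    for minute, source, outcome in log:
        if outcome == "FAIL":
            counts[(minute, source)] += 1
    return counts


def evaluate(log, attackers, threshold=10):
    """Fire the brute force rule (>= threshold failures in one minute) and
    label every bucket TP/FP/FN/TN against the ground truth."""
    labels = {}
    for bucket, n in count_failures(log).items():
        alerted = n >= threshold
        malicious = bucket[1] in attackers
        if alerted:
            labels[bucket] = "TP" if malicious else "FP"
        else:
            labels[bucket] = "FN" if malicious else "TN"
    return labels


def summarize(labels):
    """Tally the four outcome classes."""
    return dict(Counter(labels.values()))


if __name__ == "__main__":
    for threshold in (10, 9):
        labels = evaluate(LOG, ATTACKERS, threshold)
        print(f"threshold={threshold}: {summarize(labels)}")
```

At the page's threshold of 10 every class appears once; dropping to 9 converts the false negative into a true positive while the mistyping user stays a false positive, which is the trade-off tuning a rule always involves.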
How to prevent false positives and false negatives?
If you have a cybersecurity solution that generates a lot of false positives, you can send samples of the files to the solution vendor, add the files to a safe list or whitelist, or evaluate other solutions.
False negatives tend to be more dangerous. Therefore, the best way to avoid them is to keep your solution up to date, so that its samples of the different threats also remain current.