nerdexam
EC-Council

312-50V11 · Question #529

A recent security audit revealed that there were indeed several occasions that the company's network was breached. After investigating, you discover that your IDS is not configured properly and theref

The correct answer is B. False Negative. When an IDS fails to generate an alarm during a real attack, it is producing a False Negative - the most dangerous type of IDS detection error.

Evading IDS, Firewalls, and Honeypots

Question

A recent security audit revealed that there were indeed several occasions that the company's network was breached. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?

Options

  • ATrue Positive
  • BFalse Negative
  • CFalse Positive
  • DFalse Positive

How the community answered

(51 responses)
  • A
    4% (2)
  • B
    88% (45)
  • C
    6% (3)
  • D
    2% (1)

Why each option

When an IDS fails to generate an alarm during a real attack, it is producing a False Negative - the most dangerous type of IDS detection error.

ATrue Positive

A True Positive is when the IDS correctly identifies a real attack and generates an appropriate alarm - the opposite of what occurred here, since the IDS generated no alarms despite confirmed breaches.

BFalse NegativeCorrect

A False Negative occurs when the IDS fails to detect a genuine intrusion and produces no alert, allowing the attack to proceed unnoticed by security staff. In this scenario, confirmed network breaches occurred multiple times without triggering any IDS alarms due to misconfiguration, which precisely matches the definition of a False Negative. This is considered the most dangerous IDS failure mode because it provides administrators with false confidence that no threat exists while real attacks go undetected.

CFalse Positive

A False Positive occurs when the IDS generates an alarm for legitimate, benign traffic that is not actually an attack - the opposite of the described scenario where real attacks produced no alarms.

DFalse Positive

This option is a duplicate of option C (False Positive) and is equally incorrect, as the IDS failure to alarm during confirmed network breaches describes a False Negative, not a False Positive.

Concept tested: IDS alert classification and False Negative identification

Source: https://csrc.nist.gov/publications/detail/sp/800-94/final

Topics

#IDS alert types#false negative#intrusion detection#IDS misconfiguration

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice