312-50V9 · Question #474
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type
The correct answer is A. False positive. A legitimate administrative action triggered an IDS alert, meaning the system incorrectly flagged authorized activity as malicious - this is a false positive.
Question
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this?
Options
- AFalse positive
- BFalse negative
- CTrue positve
- DTrue negative
How the community answered
(46 responses)- A91% (42)
- B2% (1)
- C2% (1)
- D4% (2)
Why each option
A legitimate administrative action triggered an IDS alert, meaning the system incorrectly flagged authorized activity as malicious - this is a false positive.
A false positive occurs when an IDS generates an alert for activity that is actually legitimate and authorized. The administrator accessing the router to update its configuration is a normal, expected action, so the IDS incorrectly classified benign traffic as a threat. This wastes analyst time and can erode trust in the IDS if tuning is not performed.
A false negative means malicious activity occurred but the IDS failed to detect it - the opposite of what happened here, since an alert was generated.
A true positive means the IDS correctly identified actual malicious activity, but the router access here was legitimate administrative work.
A true negative means no malicious activity occurred and no alert was generated, which contradicts the scenario where an alert was logged.
Concept tested: IDS alert classification - false positive identification
Source: https://csrc.nist.gov/glossary/term/false_positive
Topics
Community Discussion
No community discussion yet for this question.