nerdexam
EC-Council

312-50V9 · Question #50

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over p

The correct answer is D. False positives. When an IDS generates an alert but no actual attack has occurred, the event is classified as a false positive - the system incorrectly identified benign traffic as malicious.

Evading IDS, Firewalls, and Honeypots

Question

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Options

  • ATrue negatives
  • BFalse negatives
  • CTrue positives
  • DFalse positives

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    3% (1)
  • D
    87% (27)

Why each option

When an IDS generates an alert but no actual attack has occurred, the event is classified as a false positive - the system incorrectly identified benign traffic as malicious.

ATrue negatives

A true negative is when no alert is generated and there is genuinely no attack - the system correctly identified safe traffic as safe, which is the opposite of what occurred here.

BFalse negatives

A false negative is when an actual attack occurs but the IDS fails to generate an alert - here an alert did fire, so this classification does not apply.

CTrue positives

A true positive is when an alert fires and an actual attack is confirmed - the investigation found no attack, ruling this out.

DFalse positivesCorrect

A false positive occurs when the detection system fires an alert for traffic that is not actually an attack. In this scenario, the IDS alerted on high-volume FTP traffic (ports 20/21), but investigation confirmed no attack on the FTP servers, meaning the alert was incorrect - a false positive. This is a common outcome with signature-based IDS when legitimate traffic matches an attack pattern.

Concept tested: IDS alert classification - false positive identification

Source: https://csrc.nist.gov/glossary/term/false_positive

Topics

#false positive#IDS alert classification#FTP traffic#intrusion detection

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice