Positive / Negative Terminology
False positive: the sensor generates an alert about traffic that is not malicious or is otherwise unimportant to the safety of the network.
False negative: there was malicious traffic on the network, and for whatever reason the IPS / IDS did not trigger an alert.
True positive: there was malicious traffic, the sensor saw it, and it reported on it.
True negative: there was normal, nonmalicious traffic, and the sensor did not generate any type of alert.

Identifying Malicious Traffic on the Network
There are several different methods that sensors can be configured to use to identify malicious traffic, including the following:
Signature-based IPS / IDS: A signature is a set of rules that looks for a specific pattern or characteristic in either a single packet or a stream of packets. It is the most significant method used on sensors today.
Policy-based IPS / IDS: This type of traffic matching is implemented from the security policy for your network; traffic that violates the policy is what triggers the sensor.
Anomaly-based IPS / IDS: An example of anomaly-based IPS / IDS is creating a baseline of how many TCP sender requests are generated on average each minute that do not get a response; a significant deviation from that baseline is used to identify worms that may be propagating through the network.
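As an added example (not code from the original text), the Python below simulates the anomaly-based approach described above: it builds a per-minute baseline of unanswered TCP requests from constructed sample data, alerts on minutes that deviate from it, and then scores each decision as a true/false positive or negative against constructed ground-truth labels, tying the method back to the terminology at the top of the page. The baseline window, the threshold factor k, and the sample counts are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not real captures): one tuple per minute of traffic,
# (minute, unanswered_tcp_requests, worm_active). The worm_active label is
# ground truth used only for scoring; the detector never sees it.
TRAFFIC = [
    (1, 4, False), (2, 6, False), (3, 5, False), (4, 7, False), (5, 5, False),
    (6, 6, False), (7, 4, False), (8, 5, False), (9, 6, False), (10, 5, False),
    (11, 5, False),
    (12, 21, False),   # benign burst (e.g. a popular server went down)
    (13, 48, True),    # worm scanning: many SYNs that never get a reply
    (14, 63, True),
    (15, 6, False),
    (16, 7, True),     # worm still active but throttled below the threshold
]

def build_baseline(samples, window=10):
    """Mean and spread of unanswered TCP requests per minute over the first `window` minutes."""
    values = [unanswered for _minute, unanswered, _label in samples[:window]]
    return mean(values), pstdev(values)

def anomaly_alerts(samples, avg, spread, k=4.0):
    """Anomaly rule: alert on any minute whose count exceeds avg + k * spread (k is an assumed tuning factor)."""
    threshold = avg + k * spread
    return {minute: unanswered > threshold for minute, unanswered, _label in samples}

def score_alerts(samples, alerts):
    """Tally each minute as TP / FP / TN / FN against the ground-truth label."""
    tally = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for minute, _unanswered, malicious in samples:
        alerted = alerts[minute]
        if alerted and malicious:
            tally["TP"] += 1      # sensor alerted, and the traffic really was a worm
        elif alerted and not malicious:
            tally["FP"] += 1      # sensor alerted on a benign burst
        elif not alerted and malicious:
            tally["FN"] += 1      # worm activity that stayed under the threshold
        else:
            tally["TN"] += 1      # normal traffic, no alert
    return tally

def run_detector(samples=TRAFFIC, window=10, k=4.0):
    """Build the baseline, apply the anomaly rule, and return the TP/FP/TN/FN tally."""
    avg, spread = build_baseline(samples, window)
    return score_alerts(samples, anomaly_alerts(samples, avg, spread, k))

if __name__ == "__main__":
    avg, spread = build_baseline(TRAFFIC)
    print(f"baseline: {avg:.1f} unanswered/min, spread {spread:.1f}")
    print(run_detector())   # {'TP': 2, 'FP': 1, 'TN': 12, 'FN': 1}
```

Raising k trades the false positive at minute 12 for more false negatives like minute 16, which is the tuning tension every anomaly-based sensor has to manage.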