False Positives and Negatives from Real Traffic with Intrusion Detection/Prevention Systems
False Positives (FPs) and False Negatives (FNs) happen to every Intrusion Detection/Prevention System (IDS/IPS). This paper proposes a mechanism of False Positive/Negative Assessment (FPNA) with multiple IDSs/IPSs to collect FP and FN cases from real-world traffic. Over a period of sixteen months, more than two thousand FPs and FNs have been collected and analyzed. From the statistical analysis results, the authors obtain three interesting findings. More than 92.85% of false cases are FPs even if the numbers of attack types for FP and FN are similar.