Event Classification

A false positive occurs when a scan incorrectly reports a vulnerability. For instance, a scanner might flag a port as risky because of its association with certain malware, even if the port is not actually open. Investigating such inaccuracies wastes time and resources, and excessive false positives erode trust in scan results, increasing the risk that genuine issues are overlooked.

By contrast, true positives are instances where the system correctly identifies an actual vulnerability or threat: the alerting system detects a genuine issue that requires attention. By evaluating metrics for both true positives and false positives, organizations can assess the effectiveness and accuracy of their alerting systems.

False negatives occur when vulnerabilities remain undetected. This can be mitigated by running scans regularly and using tools from multiple vendors. Automated scanning tools rely on pre-defined scripts, which may not replicate the methods of a skilled attacker. Relying solely on these tools can create a false sense of security.

True negatives complete the picture: events that the system correctly identifies as safe and permits. By analyzing metrics for both false and true negatives, the performance of the alerting system can be evaluated as a whole.

Example:

An Aesop's Fable: The Boy Who Cried Wolf (compressed)

A shepherd boy gets bored tending the town's flock. To have fun, he cries out, "Wolf!" even though no wolf is in sight. The villagers run to protect the flock but then get mad when they realize the boy is playing a joke on them.

[Iterate previous paragraph N times.]

One night, the shepherd boy sees a real wolf approaching the flock and calls, "Wolf!" The villagers refuse to be fooled again and stay in their houses. The hungry wolf turns the flock into lamb chops, and the town goes hungry. Panic ensues.

True Positive (TP):
  • Reality: A wolf threatened.
  • Shepherd said: "Wolf."
  • Outcome: Shepherd is a hero.
False Positive (FP):
  • Reality: No wolf threatened.
  • Shepherd said: "Wolf."
  • Outcome: Villagers are angry at shepherd for waking them up.
False Negative (FN):
  • Reality: A wolf threatened.
  • Shepherd said: "No wolf."
  • Outcome: The wolf ate all the sheep.
True Negative (TN):
  • Reality: No wolf threatened.
  • Shepherd said: "No wolf."
  • Outcome: Everyone is fine.
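The four cells above, and the metrics the opening paragraphs say to derive from them, as an added example that is not part of the original page. It classifies each scanner verdict against analyst-verified ground truth and computes precision, recall, false-positive rate and accuracy; the hosts and findings are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    TP = "true positive"     # reality: wolf;    said: "Wolf"
    FP = "false positive"    # reality: no wolf; said: "Wolf"
    FN = "false negative"    # reality: wolf;    said: "No wolf"
    TN = "true negative"     # reality: no wolf; said: "No wolf"


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    alerted: bool       # what the scanner said
    vulnerable: bool    # what manual verification found (reality)


def classify(alerted: bool, vulnerable: bool) -> Outcome:
    """Map (what was said, reality) onto one cell of the confusion matrix."""
    if alerted:
        return Outcome.TP if vulnerable else Outcome.FP
    return Outcome.FN if vulnerable else Outcome.TN


def confusion_counts(findings):
    counts = {o: 0 for o in Outcome}
    for f in findings:
        counts[classify(f.alerted, f.vulnerable)] += 1
    return counts


def metrics(counts):
    tp, fp, fn, tn = (counts[o] for o in (Outcome.TP, Outcome.FP, Outcome.FN, Outcome.TN))
    def ratio(n, d): return n / d if d else 0.0   # empty denominator -> 0.0, not an exception
    return {
        "precision": ratio(tp, tp + fp),             # how often "Wolf!" was right
        "recall": ratio(tp, tp + fn),                # share of real wolves that were called
        "false_positive_rate": ratio(fp, fp + tn),   # high values breed the villagers' mistrust
        "accuracy": ratio(tp + tn, tp + fp + fn + tn),
    }


# Constructed sample scan output with verified ground truth (not real hosts or findings).
SAMPLE = [
    Finding("web-01", "port flagged by malware association (actually closed)", alerted=True, vulnerable=False),
    Finding("web-01", "outdated TLS configuration", alerted=True, vulnerable=True),
    Finding("db-02", "weak admin password", alerted=False, vulnerable=True),   # scripted check missed it
    Finding("db-02", "ssh reachable from admin subnet only", alerted=False, vulnerable=False),
    Finding("app-03", "SQL injection in login form", alerted=True, vulnerable=True),
    Finding("app-03", "directory listing", alerted=True, vulnerable=False),
]

if __name__ == "__main__":
    counts = confusion_counts(SAMPLE)
    print({o.name: n for o, n in counts.items()}, metrics(counts))
```

On the sample, half of the alerts are false positives while a third of the real issues were missed, which is the combination the text warns about: noisy alerts that breed mistrust alongside gaps a scripted check cannot see.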