A false positive incorrectly indicates an attack is occurring when an attack is not active. A high incidence of false positives increases the administrator’s workload. A false negative is when an attack is occurring, but the system doesn’t detect and report it. Administrators often set the IDS threshold high enough that it minimizes false positives but low enough that it does not allow false negatives.
