4. Classification
• True-positive (TP). Something has been correctly classified as the thing that we
want it classified as (a match that is in fact a match).
• False-positive (FP). We have classified something as a match when it is not. This is
defined as a Type I error. An example might be where a system classifies a run of incorrect
passwords entered for a user account as a hacking attempt, but, on investigation, it is
found that the valid user had just forgotten their password.
• True-negative (TN). We have rejected something, and it is indeed not a match.
• False-negative (FN). We have dismissed something which is, in fact, a match. This is
defined as a miss and is a Type II error. With this, a hacker might try a number of
passwords for a user's account, but the system does not create an alert for the intrusion.
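The following added example (not part of the original notes) runs a hypothetical failed-login threshold rule over a constructed set of login events, tallies each outcome into one of the four classes above, and derives the detection rate and false-positive rate from the tallies. The event data, the `threshold` parameter and the function names are assumptions made for illustration; the ground-truth `is_attack` flag stands for what an analyst would establish on investigation, and the detector never sees it.

```python
"""Tally TP/FP/TN/FN for a failed-login threshold detector (illustrative example)."""
from collections import Counter, namedtuple

# Constructed sample data: (username, failed_attempts, is_attack).
# is_attack is the ground truth found on investigation, not a detector input.
Event = namedtuple("Event", "user failed_attempts is_attack")

SAMPLE_EVENTS = [
    Event("alice", 1, False),   # one typo, no attack
    Event("bob", 6, False),     # forgot their password: will alert -> FP (Type I)
    Event("carol", 12, True),   # password guessing, alerted -> TP
    Event("dave", 3, True),     # slow guessing under the threshold -> FN (Type II)
    Event("erin", 0, False),    # clean login -> TN
    Event("frank", 8, True),    # password guessing, alerted -> TP
]


def detector_alerts(event, threshold=5):
    """Hypothetical rule: raise an alert when failed attempts exceed the threshold."""
    return event.failed_attempts > threshold


def classify_outcome(alerted, is_attack):
    """Map (what the detector said, what was really true) onto TP/FP/TN/FN."""
    if alerted and is_attack:
        return "TP"
    if alerted and not is_attack:
        return "FP"   # Type I error: alert on a legitimate user
    if not alerted and is_attack:
        return "FN"   # Type II error (miss): attack with no alert
    return "TN"


def confusion_counts(events, threshold=5):
    """Return a dict with counts for all four outcome classes."""
    counts = Counter({"TP": 0, "FP": 0, "TN": 0, "FN": 0})
    for event in events:
        alerted = detector_alerts(event, threshold)
        counts[classify_outcome(alerted, event.is_attack)] += 1
    return dict(counts)


def rates(counts):
    """Derive detection rate (TP/(TP+FN)), precision and false-positive rate."""
    tp, fp, tn, fn = counts["TP"], counts["FP"], counts["TN"], counts["FN"]
    detection_rate = tp / (tp + fn) if (tp + fn) else 0.0
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    false_positive_rate = fp / (fp + tn) if (fp + tn) else 0.0
    return {"detection_rate": detection_rate,
            "precision": precision,
            "false_positive_rate": false_positive_rate}


if __name__ == "__main__":
    # Sweep the threshold to show the trade-off between misses and false alarms.
    for threshold in (2, 5, 10):
        counts = confusion_counts(SAMPLE_EVENTS, threshold)
        print(f"threshold>{threshold}: {counts} {rates(counts)}")
```

Running the sweep shows the trade-off the two error types create: a low threshold (2) catches dave's slow guessing and drives FN to zero but still alerts on bob; a high threshold (10) removes the false positive on bob but misses two of the three attacks. Tuning a detector is choosing where on that curve to sit, not eliminating both errors at once.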