What Causes a False Positive?

IP address false positive

When a click is recorded from an IP address and displayed in your Learner Click Report, but the clicking activity wasn’t performed by the learner, it’s referred to as a false positive.

False clicks can significantly reduce your CTR and impact campaign performance, especially when a large number of false positives are present. It is important to understand what causes false clicks, so you can take steps to mitigate their effects.

1. CYREN was informed by one or more other security products that the IP address was involved in malicious activity in the past.

CYREN may have received information about the originating IP address from other security products that are configured to share threat intelligence. That information is then analyzed by other systems to determine whether the IP address should be added to their threat definitions as hostile. Sometimes the link analysis happens instantly; other times it takes a few minutes to be performed.

2. CYREN was notified by one or more other security products that the originating IP address is connected to a residential proxy or similar fraudulent anonymous connection.

Fraudsters are constantly looking for ways to obscure their identity online. One common method is to connect via residential proxies that mimic genuine cable or DSL connections, or via VPN connections. These proxies allow attackers to bypass security measures and spoof their originating identity.

When a security product detects activity that matches the pattern of known attacks, it triggers an alarm. This is a critical design criterion for network IDSs, as it allows them to detect attacks that would be difficult or impossible to detect otherwise. However, it also means that some benign activities will be flagged as malicious and will generate a large volume of alerts. This is referred to as alert saturation and can be caused by things like well-known viruses such as MS Blaster or SQL Slammer.
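As an added example (not from the original article), a small Python triage script that applies both causes above to constructed Learner Click Report rows: it flags clicks whose source IP falls in ranges the campaign admin has recorded as scanner or proxy infrastructure, flags clicks that arrive within seconds of delivery from a network the organisation does not own, and recomputes CTR over the remaining clicks. The IP ranges, the 30-second window and the row format are assumptions for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample (hypothetical TEST-NET addresses): ranges the campaign admin has
# recorded as belonging to link-scanning security products or anonymising proxies.
SUSPECT_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
# Constructed sample: the organisation's own egress range, where genuine learner clicks originate.
LEARNER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: a click this soon after delivery, from an unknown network, is automated link analysis.
AUTOMATED_WINDOW = timedelta(seconds=30)

def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def classify_click(click):
    """Label one Learner Click Report row as 'learner' or 'false_positive', with a reason,
    using the two signals the article describes: IP reputation and click timing."""
    if in_ranges(click["ip"], SUSPECT_RANGES):
        return "false_positive", "source IP in a known scanner/proxy range"
    delay = click["clicked_at"] - click["delivered_at"]
    if delay < AUTOMATED_WINDOW and not in_ranges(click["ip"], LEARNER_RANGES):
        return "false_positive", "clicked within seconds of delivery from an unknown network"
    return "learner", "no false-positive indicator"

def corrected_ctr(clicks, recipients):
    """CTR over unique learners after dropping rows classified as false positives."""
    genuine = {c["learner"] for c in clicks if classify_click(c)[0] == "learner"}
    return len(genuine) / recipients

# Constructed click report rows for a campaign sent to 20 recipients.
SENT = datetime(2024, 3, 4, 9, 0, 0)
CLICKS = [
    {"learner": "alice", "ip": "198.51.100.23", "delivered_at": SENT, "clicked_at": SENT + timedelta(seconds=2)},
    {"learner": "bob", "ip": "192.0.2.77", "delivered_at": SENT, "clicked_at": SENT + timedelta(minutes=42)},
    {"learner": "carol", "ip": "203.0.113.9", "delivered_at": SENT, "clicked_at": SENT + timedelta(minutes=3)},
    {"learner": "dave", "ip": "192.0.2.78", "delivered_at": SENT, "clicked_at": SENT + timedelta(seconds=5)},
    {"learner": "erin", "ip": "203.0.113.200", "delivered_at": SENT, "clicked_at": SENT + timedelta(seconds=3)},
]

if __name__ == "__main__":
    for c in CLICKS:
        print(f'{c["learner"]:6} {c["ip"]:15} {" / ".join(classify_click(c))}')
    print("raw CTR:", len({c["learner"] for c in CLICKS}) / 20)
    print("corrected CTR:", corrected_ctr(CLICKS, 20))
```

In a real deployment the suspect ranges would be maintained from the vendor's published scanner and proxy lists rather than typed in by hand.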