False Positive(FP),True Negative(TN),Actual Negative(FP+TN). We can calculate the false positive rate by FP/(FP+TN); In DDoS detection experiments, the false positive happens when we misjudge the legitimate traffic as malicious traffic. However, the legitimate traffic is usually as background traffic. It does not have a specific number. How to get the number of FP+TN How to calculate the false positive rate of ddos detection algorithm?
This is about event counts. The DDoS device will log intrusion events which count as Actual Negatives. Of these, further inspection will reveal False Negatives. Now you can calculate the FP rate as FP / AN and the TN rate as TN / AN or (AN-FP) / AN.
What you cannot rate is the number of intrusion events in relation to "background" traffic as the latter is event-less. But this rate is commonly not asked for, rather the absolute number of events (AN).