Yes....... kind of..... Personally I wouldn't say you are using either the positive or negative security model until you have refined your policy and have them in blocking not learning mode.
I would say you are in policy building mode right now as you are not enforcing anything yet, but yes essentially building a policy that tracks file types, URLs, parameters, parameter values and so on would be a positive security model, and the attack signatures, anomaly detection and such would be negative security.
Or another way of thinking of it
Positive Security = White Listing
Negative Security = Black Listing
If you want to test just using Attack Signatures then go into your policy blocking settings (Application Security > Policy > Blocking > Settings) and turn off Learn, Alarm, and Block for all violation, except Attack Signatures.