nerdexam
EC-Council

312-50V10 · Question #105

Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

The correct answer is B. Can identify unknown attacks. Anomaly-based IDS establishes a baseline of normal behavior and flags deviations, enabling detection of previously unknown or zero-day attacks that have no existing signature.

Evading IDS, Firewalls, and Honeypots

Question

Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

Options

  • AProduces less false positives
  • BCan identify unknown attacks
  • CRequires vendor updates for a new threat
  • DCannot deal with encrypted network traffic

How the community answered

(58 responses)
  • A
    2% (1)
  • B
    90% (52)
  • C
    2% (1)
  • D
    7% (4)

Why each option

Anomaly-based IDS establishes a baseline of normal behavior and flags deviations, enabling detection of previously unknown or zero-day attacks that have no existing signature.

AProduces less false positives

Anomaly-based IDS typically produces more false positives than signature-based IDS because legitimate but unusual behavior can trigger alerts that deviate from the baseline.

BCan identify unknown attacksCorrect

Anomaly-based IDS compares current network or system behavior against a learned baseline of normal activity. Because it detects statistical deviations rather than matching known attack patterns, it can identify novel or zero-day attacks that no signature exists for yet. This is the primary conceptual advantage over signature-based systems.

CRequires vendor updates for a new threat

Requiring vendor updates for new threats is a characteristic of signature-based IDS, which must receive updated signature databases to detect newly discovered attack patterns.

DCannot deal with encrypted network traffic

Inability to deal with encrypted traffic is a general limitation shared by many IDS types and is not a defining conceptual characteristic that distinguishes anomaly-based from signature-based detection.

Concept tested: Anomaly-based vs signature-based intrusion detection

Source: https://docs.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idmOverview.html

Topics

#anomaly-based IDS#signature-based IDS#zero-day detection#false positives

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice