312-50V10 · Question #105
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?
The correct answer is B. Can identify unknown attacks. Anomaly-based IDS establishes a baseline of normal behavior and flags deviations, enabling detection of previously unknown or zero-day attacks that have no existing signature.
Question
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?
Options
- AProduces less false positives
- BCan identify unknown attacks
- CRequires vendor updates for a new threat
- DCannot deal with encrypted network traffic
How the community answered
(58 responses)- A2% (1)
- B90% (52)
- C2% (1)
- D7% (4)
Why each option
Anomaly-based IDS establishes a baseline of normal behavior and flags deviations, enabling detection of previously unknown or zero-day attacks that have no existing signature.
Anomaly-based IDS typically produces more false positives than signature-based IDS because legitimate but unusual behavior can trigger alerts that deviate from the baseline.
Anomaly-based IDS compares current network or system behavior against a learned baseline of normal activity. Because it detects statistical deviations rather than matching known attack patterns, it can identify novel or zero-day attacks that no signature exists for yet. This is the primary conceptual advantage over signature-based systems.
Requiring vendor updates for new threats is a characteristic of signature-based IDS, which must receive updated signature databases to detect newly discovered attack patterns.
Inability to deal with encrypted traffic is a general limitation shared by many IDS types and is not a defining conceptual characteristic that distinguishes anomaly-based from signature-based detection.
Concept tested: Anomaly-based vs signature-based intrusion detection
Source: https://docs.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/idm/idmOverview.html
Topics
Community Discussion
No community discussion yet for this question.