312-50V10 · Question #288
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
The correct answer is A. An attacker, working slowly enough, can evade detection by the IDS.. Alert thresholding suppresses repeated alerts below a defined count or rate, which means a slow-and-low attacker who stays under that threshold can operate without triggering any alerts.
Question
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
Options
- AAn attacker, working slowly enough, can evade detection by the IDS.
- BNetwork packets are dropped if the volume exceeds the threshold.
- CThresholding interferes with the IDS' ability to reassemble fragmented packets.
- DThe IDS will not distinguish among packets originating from different sources.
How the community answered
(36 responses)- A58% (21)
- B6% (2)
- C25% (9)
- D11% (4)
Why each option
Alert thresholding suppresses repeated alerts below a defined count or rate, which means a slow-and-low attacker who stays under that threshold can operate without triggering any alerts.
Thresholding only fires an alert after a minimum number of events occur within a time window. An attacker who paces malicious activity slowly enough will never reach that threshold, effectively evading IDS detection entirely. This is a well-known trade-off between reducing alert fatigue and enabling low-rate attack evasion.
Packet dropping based on volume is a behavior associated with rate-limiting or IPS inline blocking, not with IDS alert thresholding, which is purely a detection and alerting mechanism.
Fragmented packet reassembly is a separate IDS processing function that operates independently of alert thresholding logic.
Thresholding reduces how many alerts are generated based on event count or rate, but does not remove the ability to distinguish source IP addresses or differentiate traffic origins.
Concept tested: IDS alert thresholding evasion trade-off
Source: https://csrc.nist.gov/publications/detail/sp/800-94/final
Topics
Community Discussion
No community discussion yet for this question.