EC-Council
312-50V11 Question #67: Real Exam Question with Answer & Explanation
The correct answer is A: Just a network monitoring tool.
Question
Bob finished a C programming course and created a small C application to monitor the network traffic and produce alerts when any origin sends "many" IP packets, based on the average number of packets sent by all origins and using some thresholds. In concept, the solution developed by Bob is actually:
Options
- A. Just a network monitoring tool
- B. A signature-based IDS
- C. A hybrid IDS
- D. A behavior-based IDS
Explanation
Bob's application qualifies only as a basic network monitoring tool because it solely measures packet rates against a threshold, which lacks the intrusion-specific detection logic required to be classified as an IDS.
Common mistakes.
- B. A signature-based IDS detects threats by matching traffic against a database of known attack patterns or signatures, a capability Bob's tool entirely lacks.
- C. A hybrid IDS combines both signature-based and anomaly-based detection engines, which is far beyond the single-metric threshold alerting Bob implemented.
- D. A behavior-based IDS builds a multi-dimensional statistical baseline of normal system and network behavior and correlates deviations specifically tied to intrusion indicators, whereas Bob's tool only tracks a single metric - packet count per source.
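To make the distinction concrete, the following is an added example (not from the exam page and not Bob's C code) that reimplements the logic the question describes: count IP packets per origin, compare each origin against a multiple of the average across all origins, and alert on the outliers. The packet records, addresses and the factor of 2.0 are constructed for illustration. The second sample shows the classification point: a source that touches many distinct destination ports with few packets is never flagged, because the tool only looks at one metric and carries no intrusion-specific logic.

```python
# Added example: per-origin packet-count threshold alerting, as described in the
# exam question. Sample packets and thresholds below are constructed, not captured.
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample 1: four origins, one of them much chattier than the rest.
# Each record is (source_ip, destination_ip, destination_port).
SAMPLE_BUSY = (
    [("10.0.0.1", "10.0.0.9", 443)] * 12
    + [("10.0.0.2", "10.0.0.9", 443)] * 10
    + [("10.0.0.3", "10.0.0.9", 443)] * 11
    + [("10.0.0.4", "10.0.0.9", 443)] * 90  # chatty origin (could be a backup host)
)

# Constructed sample 2: same quiet origins plus one source that sends a single
# packet to each of 15 different ports. Its total (15) stays near the average.
SAMPLE_QUIET_SCAN = (
    [("10.0.0.1", "10.0.0.9", 443)] * 12
    + [("10.0.0.2", "10.0.0.9", 443)] * 10
    + [("10.0.0.3", "10.0.0.9", 443)] * 11
    + [("10.0.0.5", "10.0.0.9", port) for port in range(1, 16)]
)


def count_by_origin(packets):
    """Packets sent per source IP: the only metric Bob's tool tracks."""
    return Counter(src for src, _dst, _port in packets)


def threshold_alerts(packets, factor=2.0):
    """Return origins whose packet count exceeds factor x the mean over all origins.

    This is the whole detection logic of the tool in the question: one metric,
    one threshold, no notion of what an intrusion looks like.
    """
    counts = count_by_origin(packets)
    if not counts:
        return []
    threshold = factor * mean(counts.values())
    return sorted(src for src, n in counts.items() if n > threshold)


def ports_touched(packets):
    """Distinct destination ports per source: information the tool ignores."""
    seen = defaultdict(set)
    for src, _dst, port in packets:
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    # Sample 1: the chatty origin is flagged, whether it is hostile or not.
    print("busy sample alerts:", threshold_alerts(SAMPLE_BUSY))
    # Sample 2: no alert, although one source spread 15 packets over 15 ports.
    print("quiet-scan sample alerts:", threshold_alerts(SAMPLE_QUIET_SCAN))
    print("ports per source:", ports_touched(SAMPLE_QUIET_SCAN))
```

In the first sample the mean is 30.75 packets per origin, so the threshold is 61.5 and only 10.0.0.4 is reported; in the second the mean is 12, the threshold 24, and nothing is reported even though `ports_touched` shows one source touching 15 ports. A behavior-based IDS would keep a baseline over several dimensions (ports, protocols, timing) and tie deviations to intrusion indicators; a signature-based IDS would match packet content against known patterns. Bob's tool does neither, which is why it is classified as a monitoring tool.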
Concept tested. IDS classification - behavior-based vs. network monitoring
Reference. https://csrc.nist.gov/publications/detail/sp/800-94/final