nerdexam
Cisco

352-001 · Question #205

What is required in order to perform attack detection using anomaly detection technologies?

The correct answer is C. baseline data. Anomaly-based intrusion detection requires a baseline of normal behavior as the reference point against which deviations are measured to identify potential attacks.

Designing Security

Question

What is required in order to perform attack detection using anomaly detection technologies?

Options

  • Apacket captures
  • Bexploit signatures
  • Cbaseline data
  • Dsyslog data

How the community answered

(33 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    88% (29)
  • D
    3% (1)

Why each option

Anomaly-based intrusion detection requires a baseline of normal behavior as the reference point against which deviations are measured to identify potential attacks.

Apacket captures

Packet captures are a forensic and investigative tool used after detection or for manual analysis, not a prerequisite for the anomaly detection engine itself.

Bexploit signatures

Exploit signatures are the foundation of signature-based (misuse) detection systems, not anomaly detection, which works without any knowledge of specific attack patterns.

Cbaseline dataCorrect

Anomaly detection engines build a statistical profile of normal network activity - including typical traffic volumes, protocols, connection rates, and patterns - and flag deviations from that profile as potential attacks. Without baseline data, the system has no reference point to distinguish normal activity from malicious activity, making detection impossible.

Dsyslog data

Syslog data provides event logs for review and SIEM correlation, but anomaly detection requires statistical behavioral baseline profiles, not log entries, as its core reference.

Concept tested: Anomaly-based IDS baseline requirement for attack detection

Source: https://csrc.nist.gov/publications/detail/sp/800-94/final

Topics

#anomaly detection#IDS/IPS#baseline#attack detection

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice