352-001 · Question #205
What is required in order to perform attack detection using anomaly detection technologies?
The correct answer is C. baseline data. Anomaly-based intrusion detection requires a baseline of normal behavior as the reference point against which deviations are measured to identify potential attacks.
Question
What is required in order to perform attack detection using anomaly detection technologies?
Options
- Apacket captures
- Bexploit signatures
- Cbaseline data
- Dsyslog data
How the community answered
(33 responses)- A3% (1)
- B6% (2)
- C88% (29)
- D3% (1)
Why each option
Anomaly-based intrusion detection requires a baseline of normal behavior as the reference point against which deviations are measured to identify potential attacks.
Packet captures are a forensic and investigative tool used after detection or for manual analysis, not a prerequisite for the anomaly detection engine itself.
Exploit signatures are the foundation of signature-based (misuse) detection systems, not anomaly detection, which works without any knowledge of specific attack patterns.
Anomaly detection engines build a statistical profile of normal network activity - including typical traffic volumes, protocols, connection rates, and patterns - and flag deviations from that profile as potential attacks. Without baseline data, the system has no reference point to distinguish normal activity from malicious activity, making detection impossible.
Syslog data provides event logs for review and SIEM correlation, but anomaly detection requires statistical behavioral baseline profiles, not log entries, as its core reference.
Concept tested: Anomaly-based IDS baseline requirement for attack detection
Source: https://csrc.nist.gov/publications/detail/sp/800-94/final
Topics
Community Discussion
No community discussion yet for this question.