nerdexam
(ISC)2

CISSP · Question #647

An Intrusion Detection System (IDS) is based on the general hypothesis that a security violation is associated with a pattern of system usage which can be

The correct answer is A. differentiated from a normal usage pattern.. IDS operates on the foundational hypothesis that malicious or anomalous activity produces usage patterns statistically or behaviorally distinguishable from normal baseline activity.

Submitted by yasin.bd· Mar 5, 2026Security Operations

Question

An Intrusion Detection System (IDS) is based on the general hypothesis that a security violation is associated with a pattern of system usage which can be

Options

  • Adifferentiated from a normal usage pattern.
  • Bused to detect known violations.
  • Cused to detect a masquerader.
  • Ddifferentiated to detect all security violations.

How the community answered

(35 responses)
  • A
    89% (31)
  • B
    3% (1)
  • C
    6% (2)
  • D
    3% (1)

Why each option

IDS operates on the foundational hypothesis that malicious or anomalous activity produces usage patterns statistically or behaviorally distinguishable from normal baseline activity.

Adifferentiated from a normal usage pattern.Correct

The core hypothesis underlying IDS design is anomaly/signature detection: security violations produce system usage patterns (e.g., unusual login times, abnormal resource consumption, atypical network traffic) that can be differentiated from an established baseline of normal behavior. This principle applies to both anomaly-based IDS (statistical deviation) and signature-based IDS (known attack patterns), making 'differentiated from normal usage' the foundational and general hypothesis.

Bused to detect known violations.

Detecting only known violations describes signature-based IDS specifically, not the general foundational hypothesis of all IDS systems, which must also account for anomaly-based detection.

Cused to detect a masquerader.

Detecting a masquerader is one specific use case or application of IDS, not the broad underlying hypothesis upon which the entire IDS concept is built.

Ddifferentiated to detect all security violations.

No IDS system is hypothesized to detect all security violations; this overstates the capability and does not accurately reflect the theoretical basis of IDS design.

Concept tested: Foundational hypothesis of Intrusion Detection Systems

Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-31.pdf

Topics

#Intrusion Detection Systems#IDS#anomaly detection

Community Discussion

No community discussion yet for this question.

Full CISSP Practice