Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network starts becoming congested by worm traffic. 2) A single worminfected source enters the network and starts scanning for other vulnerable hosts.

A.
global correlation

B.
anomaly detection

C.
reputation filtering

D.
custom signature

E.
meta signature

F.
threat detection

Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/securi ty_manager/4.0/user/guide/ipsanom.html
Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a worm virus must find new hosts. It finds them by scanning the
Internet using TCP, UDP, and other protocols to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a source IP
address that generates events on the same destination port (in TCP and UDP) for too many destination IP addresses.