The MOST important reason that statistical anomaly-based intrusion detection systems (slat IDSs)
are less commonly used than signature-based IDSs, is that stat IDSs:

A.
create more overhead than signature-based IDSs.

B.
cause false positives from minor changes to system variables.

C.
generate false alarms from varying user or system actions.

D.
cannot detect new types of attacks.

Explanation:

A statistical anomaly-based intrusion detection system (stat IDS) collects data from normal traffic
and establishes a baseline. It then periodically samples the network activity based on statistical
methods and compares samples to the baseline. When the activity is outside the baseline
parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a
host’s memory or central processing unit (CPU) usage, network packet types and packet
quantities. If actions of the users or the systems on the network vary widely with periods of low
activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic
swing from one level to another almost certainly will generate false alarms. This weakness will
have the largest impact on the operation of the IT systems. Due to the nature of stat IDS
operations (i.e., they must constantly attempt to match patterns of activity to the baseline
parameters), a stat IDS requires much more overhead and processing than signature-based
versions. Due to the nature of a stat IDS—based on statistics and comparing data with baseline
parameters—this type of IDS may not detect minor changes to system variables and may
generate many false positives. Choice D is incorrect; since the stat IDS can monitor multiple
system variables, it can detect new types of variables by tracing for abnormal activity of any kind.