PrepAway - Latest Free Exam Questions & Answers

Which of the basic methods is more prone to false positives?

Several analysis methods can be employed by an IDS, each with its own strengths and weaknesses, and their
applicability to any given situation should be carefully considered. There are two basic IDS analysis methods
that exist. Which of the basic methods is more prone to false positives?


A.
Pattern Matching (also called signature analysis)

B.
Anomaly Detection

C.
Host-based intrusion detection

D.
Network-based intrusion detection

Explanation:
An Anomaly Detection IDS learns about the normal activities and events on your system by watching and tracking
what it sees. Once it has accumulated enough data about normal activity, it can detect abnormal and possibly
malicious activities or events. There is a small risk that some non-harmful activity is classified as an anomaly by
mistake – false positives can occur.
Incorrect Answers:
A: A Pattern Matching IDS uses a signature database and attempts to match all monitored events to its
contents. Only activities present in the database will be detected. There will be no false positives.
C: Host-based intrusion detection is not an IDS analysis method. It is a classification by information source.
A host-based IDS watches for questionable activity on a single computer system, especially by watching audit
trails, event logs, and application logs.
D: Network-based intrusion detection is not an IDS analysis method. It is a classification by information source.
Here the source is a network segment.
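The following is an added illustration, not part of the exam page or the study guide it cites: a minimal signature matcher and a baseline-based anomaly detector run over constructed hourly event counts and log lines. The training baseline, the signature strings, the log lines and the benign "payroll batch" spike are all constructed for this example. It shows why the anomaly method flags the harmless spike (a false positive) while the signature method fires only on a string already in its database.

```python
"""Added illustration (not from the exam page or its cited study guide):
a tiny signature matcher and a baseline-based anomaly detector, run over
constructed event data, to show where each method's false positives come from."""
import statistics

# Constructed: failed-login counts per hour during a "normal" training period.
TRAINING_BASELINE = [3, 5, 4, 6, 2, 5, 4, 3, 6, 5, 4, 5, 3, 4]

# Constructed signature database: substrings a pattern-matching IDS knows about.
SIGNATURES = {
    "SCAN-001": "ExampleScanner/1.0",   # constructed scanner user-agent
    "SCAN-002": "BadBot-Example",       # constructed bot user-agent
}

# Constructed observation window: (hour label, failed-login count, sample log line)
OBSERVED = [
    ("09:00", 4,  "GET /index.html HTTP/1.1 user-agent=Mozilla"),
    ("10:00", 5,  "GET /robots.txt HTTP/1.1 user-agent=ExampleScanner/1.0"),  # known signature
    ("11:00", 40, "POST /login HTTP/1.1 note=quarter-end payroll batch"),     # benign spike
]


def signature_alerts(events):
    """Pattern matching: alert only when a known signature string appears.
    Anything not in the database is invisible to this method."""
    alerts = []
    for hour, _count, line in events:
        for sig_id, pattern in SIGNATURES.items():
            if pattern in line:
                alerts.append((hour, sig_id))
    return alerts


def anomaly_threshold(baseline, k=3.0):
    """Learn 'normal' as mean + k population standard deviations of the training counts."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return mean + k * sd


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly detection: alert on any count above the learned threshold,
    whether or not the activity is actually malicious."""
    limit = anomaly_threshold(baseline, k)
    return [(hour, count) for hour, count, _line in events if count > limit]


def compare(events=OBSERVED, baseline=TRAINING_BASELINE):
    """Return both alert lists so the difference is visible side by side."""
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events, baseline),
    }


if __name__ == "__main__":
    result = compare()
    print("signature alerts:", result["signature"])  # [('10:00', 'SCAN-001')]
    print("anomaly alerts:  ", result["anomaly"])    # [('11:00', 40)] benign batch flagged
```

The anomaly detector never sees the scanner at 10:00 because its count is ordinary, and the signature matcher never sees the 11:00 spike because no database string appears; the spike is the false positive the exam answer refers to, and the mean-plus-k-sigma threshold is one common way such a baseline is learned.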

Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional
Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 56

