PrepAway - Latest Free Exam Questions & Answers


Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion
detection?


A.
Anomaly detection tends to produce more data

B.
A pattern matching IDS can only identify known attacks

C.
Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams

D.
An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on
deviations from these baselines

Explanation:
Answer C is the false statement. Stateful matching scans for attack signatures across a traffic stream (for example, a reassembled TCP connection), keeping state between packets, rather than inspecting individual packets in isolation. That is what lets it catch an attack whose signature is split across packet boundaries, which a simple per-packet pattern match would miss.
Incorrect Answers:
A: Anomaly detection must first collect and store enough data about normal activity to build its baselines, and it then raises an alert on every deviation, including benign ones. It therefore produces more data (and more false positives) than signature matching.
B: A pattern matching IDS uses a signature database and attempts to match all monitored events to its
contents. It can only detect known attacks that are present in the database.
D: Anomaly detection collects data on normal activities. Once it has accumulated enough data about normal
activity, it can detect abnormal and possible malicious activities and events.

Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional
Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 56
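As an added, runnable illustration of the three engines the answers describe (example code written for this page, not from the cited study guide or from any IDS product), the Python below compares a stateless per-packet signature match, a stateful match that carries connection state across packet boundaries, and a throughput baseline with deviation alerts. The packet payloads, the signature `/bin/sh`, the requests-per-minute counts and the 3-sigma threshold are all constructed assumptions.

```python
"""Three IDS analysis styles side by side: stateless per-packet pattern
matching, stateful matching over a stream, and baseline-based anomaly
detection. All packets, counts and the signature are constructed sample
data for this example (hypothetical, not from the study guide)."""
from statistics import mean, pstdev

# Constructed signature for a "known attack": a shell invocation in a request.
SIGNATURE = b"/bin/sh"

# Constructed connection where the signature is split across two packets.
PACKETS_SPLIT = [
    b"GET /index.html HTTP/1.1\r\n",
    b"X-Cmd: /bi",            # first half of the signature
    b"n/sh -c id\r\n",        # second half of the signature
]
# Same attack, but the whole signature sits inside one packet.
PACKETS_WHOLE = [b"GET /cgi-bin/x?c=/bin/sh HTTP/1.0\r\n"]
# A novel attack using a different interpreter: no signature in the database.
PACKETS_NOVEL = [b"GET /cgi-bin/x?c=/usr/bin/perl%20-e%20... HTTP/1.0\r\n"]


def match_per_packet(packets, signature=SIGNATURE):
    """Stateless pattern matching: inspect each packet payload on its own.
    Returns the indices of packets containing the signature. A signature
    that straddles two packets is never seen as a whole and is missed."""
    return [i for i, payload in enumerate(packets) if signature in payload]


def match_stateful(packets, signature=SIGNATURE):
    """Stateful matching: carry the tail of the previous packets forward so
    the signature is searched in the reassembled stream. The carried state
    is the last len(signature)-1 bytes, the most that could still be the
    start of a signature. Returns the indices of packets that complete a
    match."""
    carry = b""
    hits = []
    for i, payload in enumerate(packets):
        window = carry + payload
        if signature in window:
            hits.append(i)
        carry = window[-(len(signature) - 1):] if len(signature) > 1 else b""
    return hits


# Constructed history of requests per minute during normal operation.
BASELINE_RPM = [100, 110, 95, 105, 100, 90, 100, 100]
# Constructed live observations: a traffic spike and a sudden drop.
OBSERVED_RPM = [102, 98, 150, 95, 40]


def build_baseline(samples):
    """Anomaly detection, learning phase: summarise normal throughput as a
    mean and population standard deviation."""
    return mean(samples), pstdev(samples)


def anomaly_alerts(baseline, observations, k=3.0):
    """Anomaly detection, detection phase: alert on any observation more
    than k standard deviations from the baseline mean. Note that it alerts
    on *any* deviation, benign or malicious (a legitimate spike is flagged
    just like a flood), which is why it produces more data to triage.
    If the baseline had zero variance, any change at all is reported."""
    mu, sigma = baseline
    if sigma == 0:
        return [i for i, x in enumerate(observations) if x != mu]
    return [i for i, x in enumerate(observations) if abs(x - mu) > k * sigma]


if __name__ == "__main__":
    print("per-packet, split   :", match_per_packet(PACKETS_SPLIT))
    print("stateful,   split   :", match_stateful(PACKETS_SPLIT))
    print("per-packet, whole   :", match_per_packet(PACKETS_WHOLE))
    print("per-packet, novel   :", match_per_packet(PACKETS_NOVEL))
    base = build_baseline(BASELINE_RPM)
    print("baseline (mean, sd) :", base)
    print("anomaly alerts      :", anomaly_alerts(base, OBSERVED_RPM))
```

Running it shows the three points the answers make: the per-packet matcher misses the split signature while the stateful matcher reports it at the packet that completes the match; neither matcher says anything about the novel payload, because no signature exists for it; and the anomaly engine flags both the spike and the drop without knowing whether either is an attack.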

