PrepAway - Latest Free Exam Questions & Answers

Which of the following is a disadvantage of a behavior-based ID system?

A.
The activity and behavior of the users while in the networked system may not be static enough to
effectively implement a behavior-based ID system.

B.
The activity and behavior of the users while in the networked system may be dynamic enough to
effectively implement a behavior-based ID system.

C.
The activity and behavior of the users while in the networked system may not be dynamic enough
to effectively implement a behavior-based ID system.

D.
The system is characterized by high false negative rates where intrusions are missed.

Explanation:
Behavior-based intrusion detection techniques assume that an intrusion can be detected by
observing a deviation from normal or expected behavior of the system or the users. The model of
normal or valid behavior is extracted from reference information collected by various means. The
intrusion detection system later compares this model with the current activity. When a deviation is
observed, an alarm is generated. In other words, anything that does not correspond to a previously
learned behavior is considered intrusive. The high false alarm rate is generally cited as the main
drawback of behavior-based techniques because the entire scope of the behavior of an information
system may not be covered during the learning phase. Also, behavior can change over time,
introducing the need for periodic online retraining of the behavior profile, resulting either in
unavailability of the intrusion detection system or in additional false alarms. To get the most out of
this kind of IDS, you need very static behavior on your network and in user actions, because
anything new is considered dangerous, producing many false positives but increased
security. If you are in a very “dynamic” environment, this kind of IDS is not recommended.

