PrepAway - Latest Free Exam Questions & Answers


Why would anomaly detection IDSs often generate a large number of false positives?


A.
Because they can only identify correctly attacks they already know about.

B.
Because they are application-based and are more subject to attacks.

C.
Because they can’t identify abnormal behavior.

D.
Because normal patterns of user and system behavior can vary wildly.

Explanation:
An anomaly-based intrusion detection system detects computer intrusions and misuse by monitoring system
activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules
describing normal behaviour, rather than on attack patterns or signatures, so the system attempts to detect any
kind of misuse that falls outside normal system operation. This is in contrast to signature-based systems, which
can only detect attacks for which a signature has previously been created.
To decide what constitutes attack traffic, the system must first be taught what normal system activity looks
like. This can be done in several ways, most often with machine-learning techniques; systems built on neural
networks have been used to good effect. Another method is to define normal usage of the system with a strict
mathematical model and flag any deviation from that model as an attack. This is known as strict anomaly
detection.
Anomaly-based intrusion detection has two well-known shortcomings: a high false-positive rate, and the
possibility of being fooled by an attack that is crafted or paced so that it stays within the learned bounds of
normal activity.
The main cause of the high false-positive rate is that normal patterns of user and system behaviour can vary
wildly. Different people do things in different ways, and legitimate but unusual activity (a new user, a month-end
batch job, a change in working hours) appears as an 'anomaly' to the IDS and generates a false positive. Raising
the tolerance threshold reduces such false positives, but it also widens the window in which a low-volume attack
goes unnoticed.
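The following is an added example, not part of the exam vendor's explanation and not the code of any real IDS product. It implements the "strict mathematical model" approach described above in its simplest form: learn the mean and standard deviation of request volume from attack-free traffic, then flag any window more than k standard deviations from the mean. All request counts and window descriptions are constructed for illustration. The evaluation set deliberately contains both legitimate-but-unusual windows and an attack paced to look normal, so that both shortcomings mentioned above show up in the verdicts.

```python
"""Toy statistical anomaly detector (added example; constructed data).

Learns a baseline of 'normal' request volume per 10-minute window from
attack-free traffic, then flags windows that deviate from the baseline by
more than k standard deviations.
"""
import statistics

# Constructed training data: requests per 10-minute window from one web
# service during a quiet, attack-free period.
TRAINING_WINDOWS = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

# Constructed evaluation windows. The third field is ground truth that an
# analyst knows but the IDS does not: (description, request count, is_attack).
EVALUATION_WINDOWS = [
    ("quiet period", 51, False),
    ("month-end batch job", 80, False),                # benign but unusual
    ("new user exploring the application", 62, False), # benign but unusual
    ("low-and-slow credential stuffing", 55, True),    # paced to look normal
    ("HTTP flood", 400, True),
]


def learn_baseline(samples):
    """Model 'normal' as (mean, population stdev) of attack-free windows."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def z_score(value, baseline):
    """Distance of a window from the learned mean, in standard deviations."""
    mean, stdev = baseline
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return abs(value - mean) / stdev


def classify(value, baseline, k):
    """'anomalous' if the window is more than k stdevs from the mean.

    k is the tolerance knob. A small k approximates strict anomaly
    detection: almost any deviation from the model becomes an alert.
    """
    return "anomalous" if z_score(value, baseline) > k else "normal"


def evaluate(windows, baseline, k):
    """Return a list of (description, verdict) for every window."""
    return [(desc, classify(count, baseline, k)) for desc, count, _ in windows]


def count_errors(windows, baseline, k):
    """Return (false_positives, false_negatives) against the ground truth."""
    fp = fn = 0
    for _, count, is_attack in windows:
        verdict = classify(count, baseline, k)
        if not is_attack and verdict == "anomalous":
            fp += 1
        if is_attack and verdict == "normal":
            fn += 1
    return fp, fn


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING_WINDOWS)
    print("baseline mean=%.1f stdev=%.2f" % baseline)
    for k in (1, 3, 15):
        print("\nk = %d" % k)
        for desc, verdict in evaluate(EVALUATION_WINDOWS, baseline, k):
            print("  %-40s %s" % (desc, verdict))
        print("  false positives / false negatives: %d / %d"
              % count_errors(EVALUATION_WINDOWS, baseline, k))
```

With k = 3 (a common default), the batch job and the new user are both flagged while the paced credential-stuffing window is not: two false positives from varied benign behaviour, one miss from an attack that stayed inside the model. Dropping to k = 1 catches the slow attack but keeps the false positives; raising to k = 15 silences the false positives, and the slow attack is still missed. The threshold only moves the trade-off; it does not remove the underlying problem that benign behaviour varies.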
Incorrect Answers:
A: It is not true that anomaly detection IDSs can only correctly identify attacks they already know about. That
statement describes signature-based IDSs; the whole point of anomaly detection is to flag previously unseen
misuse.
B: Being application-based is not what drives false positives. Anomaly detection IDSs are not limited to
application-based deployments; they can be network-based or host-based as well. Whether an IDS is itself
exposed to attack is a separate concern (evasion and flooding of sensors do happen), but it has nothing to do with
the rate at which benign activity is misclassified as anomalous.
C: It is not true that anomaly detection IDSs cannot identify abnormal behaviour; identifying abnormal behaviour
is exactly what they do.
References:
https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system

