Which of the following IPS detection methods is a string pattern-based detection method? (Select the best
answer.)
A.
anomalybased detection
B.
profilebased detection
C.
signaturebased detection
D.
policybased detection
Explanation:
Signaturebased detection is a string patternbased detection method. Patternbased detection methods use
specific strings of text to detect malicious traffic. Many signaturebased detection methods can also use
protocols and port numbers to further specify malicious traffic patterns. The benefit of signaturebased detection
methods is that the number of false positives generated is typically low. However, the drawback is that a
modified attack cannot be detected by an old signature? the modified attack will not be detected until a new
signature is added for the modified attack. Therefore, Cisco recommends updating signature files, including
antivirus signatures, every time a new update is available.
Anomalybased detection methods and profilebased detection methods detect abnormal behavior on a network.
Traffic is classified as normal or abnormal based on information that is dynamically learned or manually
programmed. The benefit of anomalybased detection is that anything that is not specified as normal is
classified as abnormal? therefore, anomalybased detection can typically detect a wide range of threats. One
drawback of anomalybased detection is that new traffic patterns are required on a regular basis on all but the
smallest of networks, which leads to a lot of false positives. Another drawback is the memory and processing
power required to handle profiles for each user.
Policybased detection methods use algorithms to detect patterns in network traffic. The benefit of policybased
detection methods is that they can often detect when a coordinated attack, such as a Distributed Denial of
Service (DDoS) attack, is happening, whereas a signaturebased detection method might detect only a
collection of individual Denial of Service (DoS) attacks.CCNA Security 210260 Official Cert Guide, Chapter 17, SignatureBased IPS/IDS, p. 464 Symantec: Network
Intrusion Detection Signatures, Part One