Which of the following is a Cisco IPS appliance feature that analyzes normal network activity to detect hosts
that are infected with worms? (Select the best answer.)

A.
anomaly detection

B.
global correlation

C.
reputation filtering

D.
a signature definition

E.
a threat rating

Explanation:
Anomaly detection is a Cisco Intrusion Prevention System (IPS) appliance feature that analyzes normal network
activity to detect hosts that are infected with worms. The IPS anomaly detection feature enables IPS to learn
what type of network activity is normal activity for the network that is being protected. If a network starts to
become congested by traffic that is generated by a worm or if a host that is infected with a worm connects to
the network and attempts to infect other hosts, the anomaly detection feature can trigger a specific response,
such as denying traffic from the infected host or alerting an administrator.
Signature definitions do not analyze normal network activity to detect hosts that are infected with worms. A
signature definition is a set of rules to which a Cisco IPS appliance can compare network traffic to determine
whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific
response from other defined event action rule sets, such as denying traffic from a host or alerting an
administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager
(IDM) or use the Signature Wizard to create custom signature definitions.
Global correlation does not analyze normal network activity to detect hosts that are infected with worms. Global
correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When
you enable global correlation, IPS devices will periodically receive updates that include information about known
malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send
statistical information about attacks against your company’s network to the Cisco SensorBase Network. Cisco
uses that information to detect threat patterns on the Internet.
Reputation filtering does not analyze normal network activity to detect hosts that are infected with worms.
Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on the
global correlation information that is available from the Cisco SensorBase Network. Reputation filtering is
different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared
to any signature definitions. In addition, reputation filtering does not generate alerts.
Threat ratings do not analyze normal network activity to detect hosts that are infected with worms. A threat
rating is an event action risk rating that has been lowered because of a specific action taken by IPS. A risk
rating is a numerical representation of the risk presented to a network by a specific attack. Risk ratings can
range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will subtract a
value from the threat rating of the event. For example, if IPS responds to a specific event by issuing a request
to block the attacking host, a value of 20 will be subtracted from the threat rating.
Cisco: Configuring Anomaly Detections: Understanding Anomaly Detection