Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that
these were false indicators. Which of the following security devices needs to be configured to disable future
Signature based IPS
Signature based IDS
Application based IPS
Anomaly based IDS
Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in
much the same way as a virus scanner, by searching for a known identity – or signature – for each specific
intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like
anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker
technique. In other words, signature-based IDS is only as good as its database of stored signatures.
Any organization wanting to implement a more thorough – and hence safer – solution, should consider what we
call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic
terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all
known and legal traffic, including web traffic to the organization’s web server, mail traffic to and from its mail
server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.
There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any
traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards
network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are
the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware –
for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the
maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomaliesand web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.