Suspicious traffic without a specific signature was detected. Under further investigation, it was
determined that these were false indicators. Which of the following security devices needs to be
configured to disable future false alarms?

A.
Signature based IPS

B.
Signature based IDS

C.
Application based IPS

D.
Anomaly based IDS

Explanation:
Most intrusion detection systems (IDS) are what is known as signature-based. This means that
they operate in much the same way as a virus scanner, by searching for a known identity – or
signature – for each specific intrusion event. And, while signature-based IDS is very efficient at
sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular
signature updates, to keep in touch with variations in hacker technique. In other words, signaturebased IDS is only as good as its database of stored signatures.
Any organization wanting to implement a more thorough – and hence safer – solution, should
consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more

complex creature. In network traffic terms, it captures all the headers of the IP packets running
towards the network. From this, it filters out all known and legal traffic, including web traffic to the
organization’s web server, mail traffic to and from its mail server, outgoing web traffic from
company employees and DNS traffic to and from its DNS server.
There are other equally obvious advantages to using anomaly-based IDS. For example, because it
detects any traffic that is new or unusual, the anomaly method is particularly good at identifying
sweeps and probes towards network hardware. It can, therefore, give early warnings of potential
intrusions, because probes and scans are the predecessors of all attacks. And this applies equally
to any new service installed on any item of hardware – for example, Telnet deployed on a network
router for maintenance purposes and forgotten about when the maintenance was finished. This
makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies
to mis-formed attacks, where the URL is deliberately mis-typed.