PrepAway - Latest Free Exam Questions & Answers

Which of the following security devices needs to be configured to disable future false alarms?

Suspicious traffic without a specific signature was detected. Under further investigation, it was
determined that these were false indicators. Which of the following security devices needs to be
configured to disable future false alarms?

A.
Signature based IPS

B.
Signature based IDS

C.
Application based IPS

D.
Anomaly based IDS

Explanation:
Correct answer: D. Anomaly based IDS

Most intrusion detection systems (IDS) are signature-based. They work much like a virus scanner, searching for a known identity, or signature, for each specific intrusion event. Signature-based IDS is very efficient at spotting known methods of attack, but, like anti-virus software, it depends on receiving regular signature updates to keep up with variations in attacker technique. In other words, a signature-based IDS is only as good as its database of stored signatures, and traffic that matches no signature is never reported by it.

An organization wanting a more thorough, and hence safer, solution should consider anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures the headers of the IP packets flowing towards the network and from these builds a model of known, legitimate traffic: web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from company employees, DNS traffic to and from its DNS server, and so on. Anything that does not fit that model is flagged as an anomaly, whether or not a signature exists for it.

The flip side is that anything legitimate but not yet in the model is flagged too. That is the situation in the question: traffic with no signature was reported, investigation showed it was benign, so the alerts were false positives raised by the anomaly-based IDS. The fix is to reconfigure that device, by extending its baseline or adding an exception for the now-known-benign traffic, so that it stops alerting on it.

There are other equally obvious advantages to anomaly-based IDS. Because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes against network hardware. It can therefore give early warning of potential intrusions, since probes and scans usually precede an attack. The same applies to any new service appearing on any piece of hardware, for example Telnet enabled on a network router for maintenance and forgotten about when the maintenance was finished. This makes anomaly-based IDS well suited to detecting anything from port anomalies and web anomalies to malformed requests where the URL is deliberately mistyped.

Incorrect Answers:
A: The question states that suspicious traffic without a specific signature was detected, so a signature-based device would not have detected it; the traffic must have been detected by an anomaly-based device. The fact that the traffic was 'detected' rather than 'prevented' also suggests that device was an IDS rather than an IPS, so a signature-based IPS is wrong on both counts.
B: The traffic had no specific signature, so a signature-based IDS would not have detected it. The detecting device must have been anomaly-based.
C: The fact that the traffic was 'detected' rather than 'prevented' suggests the anomaly-based device was an IDS rather than an IPS; an IPS blocks traffic rather than merely reporting it.
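To make the distinction concrete, the following Python is an added example, not code from the PrepAway page or from the SC Magazine article it cites. It runs a toy signature-based detector and a toy anomaly-based detector over the same constructed flow records, then performs the tuning step the question asks about: after investigation shows the Telnet session to the router is benign, an exception is added to the anomaly detector so it no longer raises that alarm. The flow records, the signature table, the host names (`web`, `mail`, `dns`, `router`) and the sweep threshold are all assumptions made for the example.

```python
"""Added example, not taken from the PrepAway page or the cited article.
Contrasts signature-based and anomaly-based detection on constructed flows,
then tunes the anomaly detector so a benign-but-unusual flow stops alerting.
All flows, signatures and host names below are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# --- Signature-based detection ---------------------------------------------
# Constructed byte patterns. A signature engine can only alert on traffic that
# matches something already present in this table.
SIGNATURES = {
    "http-path-traversal": b"../../",
    "sqli-tautology": b"' OR '1'='1",
}


def signature_alerts(flows, signatures=SIGNATURES):
    return [(name, f) for f in flows
            for name, pattern in signatures.items() if pattern in f.payload]


# --- Anomaly-based detection -----------------------------------------------
class AnomalyIDS:
    """Learns which (dst, dport, proto) services are normal during a baseline
    period. Afterwards a flow to an unlearned service is an anomaly, and one
    source touching many unlearned services is reported as a sweep.
    `exceptions` is the operator's tuning knob: services confirmed benign
    after a false alarm has been investigated."""

    def __init__(self, sweep_threshold=5):
        self.baseline = Counter()
        self.exceptions = set()
        self.sweep_threshold = sweep_threshold

    def train(self, flows):
        for f in flows:
            self.baseline[(f.dst, f.dport, f.proto)] += 1

    def add_exception(self, dst, dport, proto):
        """The configuration change that disables the future false alarm."""
        self.exceptions.add((dst, dport, proto))

    def is_known(self, f):
        key = (f.dst, f.dport, f.proto)
        return key in self.baseline or key in self.exceptions

    def alerts(self, flows):
        out = []
        unknown_by_src = defaultdict(set)
        for f in flows:
            if not self.is_known(f):
                out.append(("unseen-service", f))
                unknown_by_src[f.src].add((f.dst, f.dport))
        for src, targets in unknown_by_src.items():
            if len(targets) >= self.sweep_threshold:
                out.append(("sweep", src))
        return out


# --- Constructed traffic ----------------------------------------------------
def _normal(n, src, dst, dport, proto):
    return [Flow(src, dst, dport, proto) for _ in range(n)]


BASELINE = (_normal(50, "client-1", "web", 443, "tcp")
            + _normal(20, "client-2", "mail", 25, "tcp")
            + _normal(80, "client-1", "dns", 53, "udp"))

# Case 1: traffic with no signature, later found benign (Telnet left enabled on
# a router). Case 2: a known attack pattern against the web server.
# Case 3: one host probing many ports on the router.
TELNET = Flow("admin-ws", "router", 23, "tcp")
SQLI = Flow("client-9", "web", 443, "tcp", b"GET /?id=1' OR '1'='1 HTTP/1.1")
SCAN = [Flow("scanner", "router", p, "tcp") for p in (21, 22, 80, 161, 443, 8080)]


def run_demo():
    ids = AnomalyIDS()
    ids.train(BASELINE)
    sample = [TELNET, SQLI] + SCAN
    before = ids.alerts(sample)
    ids.add_exception("router", 23, "tcp")      # the tuning step from the question
    after = ids.alerts(sample)
    return {
        "signature": [n for n, _ in signature_alerts(sample)],
        "anomaly_before": [n for n, _ in before],
        "anomaly_after": [n for n, _ in after],
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name, hits)
```

Note what each detector sees: the signature engine catches only the SQL injection attempt, because that is the only flow matching its table, and says nothing about the Telnet session or the port sweep. The anomaly engine flags the Telnet session and every probe of the sweep (and the sweep itself) but ignores the injection, since traffic to the web server on 443 is in its baseline. After the exception is added, the Telnet alert disappears while the sweep is still reported, which is exactly the outcome the question wants from reconfiguring the anomaly-based IDS.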

http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice-and-pitfalls/article/30471/
