It was uncovered that several attacks on a company’s network have been successful. The manager was told that this is because anomaly scores were set improperly and most likely too low. What does this information pertain to?
A. The behavioral IDS system was not properly tuned
B. The IPS was not properly configured
C. The host-based IDS was not properly configured
D. The firewall was not properly configured
Explanation:
A statistical anomaly-based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures, but rather are put in a learning mode to build a profile of an environment's "normal" activities. This profile is built by continually sampling the environment's activities. The longer the IDS is kept in learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide. After this profile is built, all future traffic and activities are compared to it. The same type of sampling that was used to build the profile takes place, so the same type of data is being compared. Anything that does not match the profile is seen as an attack, in response to which the IDS sends an alert. With the use of complex statistical algorithms, the IDS looks for anomalies in the network traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If the score is higher than the established threshold of "normal" behavior, then the preconfigured action will take place. If anomaly scores are set too low, malicious activity can go unnoticed.
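The learning-mode profile, per-observation anomaly score and threshold comparison described above, shown as an added Python example that is not part of the original question or explanation. The traffic numbers, the z-score as the scoring function and the `weight` tuning factor are constructed assumptions, used to show how scores set too low let a real anomaly slip under the threshold.

```python
"""Toy statistical anomaly-based (behavioral) IDS.

Learning mode builds a profile (mean, standard deviation) of a "normal"
metric; detection mode scores each new observation by how far it lies
from the profile and raises an alert when the score exceeds a threshold.
"""
from statistics import mean, pstdev
from typing import NamedTuple


class Profile(NamedTuple):
    avg: float
    stdev: float


def learn_profile(samples: list) -> Profile:
    """Learning mode: sample 'normal' activity and summarise it."""
    sd = pstdev(samples)
    # Guard: a perfectly constant baseline would make every deviation infinite.
    return Profile(mean(samples), sd if sd > 0 else 1.0)


def anomaly_score(value: float, profile: Profile, weight: float = 1.0) -> float:
    """Degree of irregularity: absolute z-score times a tuning weight.
    (Assumption: mis-tuning is modelled as a weight that is set too low,
    which shrinks every score and can push real attacks under the threshold.)"""
    return weight * abs(value - profile.avg) / profile.stdev


def evaluate(values, profile: Profile, threshold: float = 3.0, weight: float = 1.0):
    """Detection mode: return the (value, score) pairs that would trigger an alert."""
    alerts = []
    for v in values:
        score = anomaly_score(v, profile, weight)
        if score > threshold:
            alerts.append((v, round(score, 2)))
    return alerts


# Constructed sample data: outbound connections per minute from one host.
NORMAL_TRAFFIC = [10, 12, 9, 11, 13, 10, 8, 12, 11, 10, 9, 13]
# Constructed observations: eleven ordinary minutes and one burst of 60.
OBSERVED = [11, 10, 12, 9, 60, 11, 10, 13, 12, 9, 10, 11]

if __name__ == "__main__":
    profile = learn_profile(NORMAL_TRAFFIC)
    print("profile:", profile)
    print("properly tuned:", evaluate(OBSERVED, profile))               # burst alerts
    print("scores too low:", evaluate(OBSERVED, profile, weight=0.05))  # burst missed
```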