PrepAway - Latest Free Exam Questions & Answers

Which of the following is a disadvantage of a behavior-based ID system?

A.
The activity and behavior of the users while in the networked system may not be static enough
to effectively implement a behavior-based ID system.

B.
The activity and behavior of the users while in the networked system may be dynamic enough
to effectively implement a behavior-based ID system.

C.
The activity and behavior of the users while in the networked system may not be dynamic
enough to effectively implement a behavior-based ID system.

D.
The system is characterized by high false negative rates where intrusions are missed.

Explanation:
Behavior-based intrusion detection techniques assume that an intrusion can be
detected by observing a deviation from normal or expected behavior of the system or the users.
The model of normal or valid behavior is extracted from reference information collected by various
means. The intrusion detection system later compares this model with the current activity. When a
deviation is observed, an alarm is generated. In other words, anything that does not correspond to
a previously learned behavior is considered intrusive. The high false alarm rate is generally cited
as the main drawback of behavior-based techniques because the entire scope of the behavior of
an information system may not be covered during the learning phase. Also, behavior can change
over time, introducing the need for periodic online retraining of the behavior profile, resulting either
in unavailability of the intrusion detection system or in additional false alarms. To get the most out
of this kind of IDS, both the network and the user actions need to behave very statically, because
anything new is considered dangerous, which produces many false positives but increased security.
In a very “dynamic” environment, this kind of IDS is not recommended.
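
The learning and detection phases described in the explanation, as an added example that is not part of the original page: a profile is learned from reference events and every unlearned action raises an alarm, so benign activity causes no false alarms when behavior is static and many when it is dynamic. All user names, actions and event lists are constructed sample data.

```python
# Added example: a minimal behavior-based (anomaly) detector.
# All users, actions and event lists below are constructed sample data.
from collections import defaultdict

def learn_profile(reference_events):
    """Learning phase: record every action seen per user as 'normal'."""
    profile = defaultdict(set)
    for user, action in reference_events:
        profile[user].add(action)
    return dict(profile)

def alarms(profile, events):
    """Detection phase: anything not previously learned raises an alarm."""
    return [(u, a) for u, a in events if a not in profile.get(u, set())]

def score(profile, benign, intrusions):
    """Return (false-alarm rate on benign activity, intrusions detected)."""
    false_alarms = alarms(profile, benign)
    detected = alarms(profile, intrusions)
    return len(false_alarms) / len(benign), len(detected)

REFERENCE = [("alice", "login"), ("alice", "read_mail"), ("alice", "edit_doc"),
             ("bob", "login"), ("bob", "run_build"), ("bob", "push_code")]

# Static environment: users repeat what was seen during learning.
STATIC = list(REFERENCE)

# Dynamic environment: legitimate work the learning phase never covered.
DYNAMIC = [("alice", "login"), ("alice", "read_mail"),
           ("alice", "use_vpn"), ("alice", "open_crm"),
           ("bob", "login"), ("bob", "run_build"),
           ("bob", "deploy_staging"), ("bob", "query_db")]

# One genuinely unauthorized action, present in either environment.
INTRUSION = [("bob", "export_hr_records")]

def compare():
    """Score the same learned profile against both environments."""
    profile = learn_profile(REFERENCE)
    return {"static": score(profile, STATIC, INTRUSION),
            "dynamic": score(profile, DYNAMIC, INTRUSION)}

if __name__ == "__main__":
    for env, (far, hits) in compare().items():
        print(f"{env:8s} false-alarm rate={far:.0%} intrusions detected={hits}")
```

The intrusion is flagged in both environments; only the volume of false alarms on legitimate activity differs.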

