PrepAway - Latest Free Exam Questions & Answers

Why would anomaly detection IDSs often generate a large number of false positives?


A.
Because they can only identify correctly attacks they already know about.

B.
Because they are application-based and are more subject to attacks.

C.
Because they can't identify abnormal behavior.

D.
Because normal patterns of user and system behavior can vary wildly.

Explanation:
One of the most obvious reasons why false alarms occur is that the tools are stateless. To detect an intrusion, simple pattern matching of signatures is often insufficient; however, that is what most tools do. If the signature is not carefully designed, there will be lots of matches. For example, tools detect attacks on sendmail by looking for the words "DEBUG" or "WIZARD" as the first word of a line. If such a line appears in the body of a message it is in fact innocuous, but if the tool does not differentiate between the header and the body of the mail, a false alarm is generated.

Finally, many events that happen in the course of the normal life of any system or network can be mistaken for attacks. A lot of sysadmin activity can be catalogued as anomalous. Therefore, a clear correlation between attack data and administrative data should be established, to cross-check that everything happening on a system is actually desired.

Normal patterns and user activities are frequently confused with attacks by IDS devices; it is expected that second-generation IDSs will decrease the percentage of false positives.
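The sendmail example above is easy to reproduce. The following Python is an added illustration written for this page, not code from any IDS product: it runs the same "DEBUG/WIZARD as the first word of a line" signature over a constructed SMTP session in two ways. The stateless matcher looks at every line and fires on the message body; the stateful matcher tracks whether the session is in the command phase or inside DATA (ending at a lone "."), and only treats command-phase lines as candidates, so the body text no longer triggers an alert while a real command-phase hit still does. The session transcripts and addresses are constructed sample data.

```python
import re
from typing import List

# Constructed SMTP session: legitimate mail whose body happens to start
# lines with the very words a naive sendmail signature looks for.
SAMPLE_SESSION = """HELO mail.example.test
MAIL FROM:<alice@example.test>
RCPT TO:<bob@example.test>
DATA
From: alice@example.test
Subject: build notes

DEBUG flag is set in the Makefile, see below.
WIZARD is the name of the new test harness.
.
QUIT
"""

# Constructed session where the signature word really is sent as a command.
COMMAND_PHASE_SESSION = """HELO mail.example.test
DEBUG
QUIT
"""

# The page's signature: DEBUG or WIZARD as the first word of a line.
SIGNATURE = re.compile(r"^(DEBUG|WIZARD)\b", re.IGNORECASE)


def stateless_matches(session: str) -> List[int]:
    """Naive matcher: flag every line (1-based) whose first word matches.

    It has no notion of header, body or protocol phase, so body text
    that merely mentions DEBUG/WIZARD produces a false alarm.
    """
    return [i for i, line in enumerate(session.splitlines(), 1)
            if SIGNATURE.match(line)]


def stateful_matches(session: str) -> List[int]:
    """Phase-aware matcher: only lines in the SMTP command phase can match.

    After a DATA command everything up to a line containing only '.' is
    message content (headers + body), which is skipped entirely.
    """
    hits: List[int] = []
    in_data = False
    for i, line in enumerate(session.splitlines(), 1):
        if in_data:
            if line == ".":
                in_data = False   # end of message content, back to commands
            continue
        if SIGNATURE.match(line):
            hits.append(i)
        elif line.upper().startswith("DATA"):
            in_data = True
    return hits


if __name__ == "__main__":
    print("stateless:", stateless_matches(SAMPLE_SESSION))       # [8, 9]
    print("stateful: ", stateful_matches(SAMPLE_SESSION))        # []
    print("stateful, real command:", stateful_matches(COMMAND_PHASE_SESSION))  # [2]
```

The second session shows that adding state does not cost detection: the signature still fires when the word is actually issued as a command. The cost is that the detector now has to parse the protocol well enough to know which phase it is in, which is precisely the work stateless pattern matchers skip.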
