CompTIA Security Plus Mock Test Q633

Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms?

A. Signature based IPS
B. Signature based IDS
C. Application based IPS
D. Anomaly based IDS


Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity – or signature – for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures. Any organization wanting to implement a more thorough – and hence safer – solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization’s web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server. There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks.
And this applies equally to any new service installed on any item of hardware – for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.

Incorrect Answers:
A: The question states that suspicious traffic without a specific signature was detected. Therefore, a signature based IDS would not detect the suspicious traffic. The traffic must have been detected by an anomaly based device. The fact that the traffic was ‘detected’ rather than ‘prevented’ suggest the anomaly based device was an IDS rather than an IPS.
B: The question states that suspicious traffic without a specific signature was detected. Therefore, a signature based IPS would not detect the suspicious traffic. The traffic must have been detected by an anomaly based device. The fact that the traffic was ‘detected’ rather than ‘prevented’ suggest the anomaly based device was an IDS rather than an IPS.
C: The question states that suspicious traffic without a specific signature was detected. The fact that the traffic was ‘detected’ rather than ‘prevented’ suggest the anomaly based device was an IDS rather than an IPS.

References:
http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice-and-pitfalls/article/30471/