Might be C.
CHFI textbook p651: In the conventional method of anomaly detection, essential data are kept for checking variations in network traffic. However, in reality, some unpredictability exists in network traffic, and there are too many statistical variations, making these models imprecise. Some events labeled as anomalies might only be irregularities in network usage.
Anomaly detection systems typically produce the most false alarms because they are designed to identify deviations from normal behavior. Since user and network behaviors can be unpredictable and varied, these systems may incorrectly flag legitimate activities as suspicious, leading to a higher number of false positives.
The question itself mentions users and networks, hence it cannot be HIDS as that is limited to Host. It narrows it down to NIDS or Anomaly Detection.
The details for Anomaly Detection are found in EC Council's Network Defender Course e-Book, where it states the following disadvantages for Anomaly Detection.
"Disadvantages
▪ The rate of generating false alarms is high due to unpredictable behavior of users and networks
▪ The need to create an extensive set of system events in order to characterize normal behavior patterns"
The answer should be Anomaly Detection.
I feel like the answer has to be either B or C as the question specifically refers to the "unpredictable behavior" of users. It's definitely NOT D, as a signature-based IDS is not behavior-based as it looks for predefined characteristics. It's pretty well-known in infosec that a signature-based IDS does not produce as many false positives as an anomaly-based IDS.
I personally believe the answer is C.
Might be D.
From EC Council official materials: "Signature recognition can detect known attacks. However, there is a possibility that some innocuous packets might also contain the same signature, triggering false positives.
o Improper signatures may trigger false positives. To detect misuse, a huge number of signatures is required. The more the signatures, the greater are the chances of the IDS detecting attacks. However, normal traffic may incorrectly match with the signatures, impeding system performance."
claudiatang9 (Highly Voted, 2 years, 1 month ago)
Toni222 (Most Recent, 4 months, 2 weeks ago)
Elb (5 months, 2 weeks ago)
Elb (1 year, 4 months ago)
Elb (1 year, 4 months ago)
Port_Stack (1 year, 11 months ago)
BarryMacockener (2 years ago)
vcloudpmp (2 years, 8 months ago)
K3nz0420 (2 years, 9 months ago)
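Added example (not part of the thread or of any EC Council material): a minimal sketch of the two detection styles the comments compare, run over constructed traffic samples so the false alarms of each can be listed. The baseline, events, z-score threshold and the `/etc/passwd` signature are all assumptions chosen for illustration.

```python
import re
import statistics

# Constructed baseline: requests per minute seen during "normal" operation.
BASELINE = [98, 102, 97, 105, 101, 99, 103, 100, 96, 104]

# Constructed events: (label, requests per minute, payload, is_attack).
EVENTS = [
    ("ordinary minute", 101, b"GET /index.html", False),
    ("nightly backup burst", 180, b"PUT /backup/db.tar", False),
    ("software update rollout", 150, b"GET /updates/pkg.bin", False),
    ("KB article on file permissions", 99, b"GET /kb/etc/passwd-permissions", False),
    ("sensitive file request", 100, b"GET /download?file=/etc/passwd", True),
]

# Hypothetical signature: flag any request containing this byte pattern.
SIGNATURE = re.compile(rb"/etc/passwd")


def anomaly_alert(rate, payload, z_threshold=3.0):
    """Alert when the rate is more than z_threshold sigmas from the baseline mean."""
    mean = statistics.mean(BASELINE)
    stdev = statistics.stdev(BASELINE)
    return abs(rate - mean) / stdev > z_threshold


def signature_alert(rate, payload):
    """Alert when the payload matches the predefined signature."""
    return SIGNATURE.search(payload) is not None


def false_positives(detector):
    """Labels of benign events on which the detector alerted."""
    return [label for label, rate, payload, is_attack in EVENTS
            if detector(rate, payload) and not is_attack]


def missed_attacks(detector):
    """Labels of attack events on which the detector stayed silent."""
    return [label for label, rate, payload, is_attack in EVENTS
            if is_attack and not detector(rate, payload)]


if __name__ == "__main__":
    for name, det in (("anomaly", anomaly_alert), ("signature", signature_alert)):
        print(name, "false positives:", false_positives(det),
              "missed:", missed_attacks(det))
```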