Exam 212-82 topic 1 question 10 discussion

Certified Cybersecurity Technician Module 07 Page 811 Anomaly-based IDS: An anomaly-based IDS uses statistical techniques to compare the monitored traffic with the normal traffic.

The correct answer is C. Anomaly detection. Rhett's description of the IDS solution, which creates models for possible intrusions and compares them with incoming events to make detection decisions, matches the concept of anomaly detection. This method involves identifying patterns or behavior that deviate from normal activity on the network, indicating potential intrusions or malicious activity.

Signature recognition – Signature-based detection relies on matching incoming events with known attack patterns or signatures. The scenario describes an IDS that creates models for normal behavior rather than matching with predefined signatures, so this is not the correct choice.

In Anomaly detection, the IDS (Intrusion Detection System) first creates baseline models for what is considered normal behavior within the network. It then compares incoming events or traffic against these models to detect deviations or anomalies, which could indicate potential intrusions or attacks. This method helps detect previously unknown or evolving threats, as it doesn't rely on pre-defined attack signatures, but rather identifies unusual patterns that differ from the baseline.

The use of "evolving threats" makes all the difference. It's Anomaly Detection since signature detection are used for currently known intrusion unlike anomaly which is used for not known or evolving threat.

It is signature based. On page 814 in the EC Council Study guide it says this verbatim

Signature recognition involves comparing network traffic or system activity against a database of known attack patterns or signatures. While effective at detecting known threats, signature recognition is not suitable for identifying new or evolving threats that do not match any existing signatures. Therefore, in this case, since the threat is evolving, Anomaly detection is the correct answer because the IDS is looking for deviations from normal behavior rather than specific known signatures of attacks.

Page 814 : it's signature-based recognition D

From the EC CCT book, signature recongition '... This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. ..'

KEY WORD "defend against evolving threats" that is when anomaly comes in otherwise it could be signature based but that puts the difference

Signature Recognition Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. The signatures for IDS were created under the assumption that the model must detect an attack without disturbing normal system traffic. Only attacks should match the model; otherwise, false alarms could occur.

Signature based. Signature-based detection is typically best used for identifying known threats. It operates by using a pre-programmed list of known threats and their indicators of compromise (IOCs) while anomaly-based intrusion detection systems can alert you to suspicious behavior that is unknown.

Answer Signature recognition This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. The signatures for IDS were created under the assumption that the model must detect an attack without disturbing normal system traffic.

Answer is definitely signature recognition

This looks like signature recognition

Anomaly-based detection is correct: The anomaly-based detection process depends on observing and comparing the observed events with the normal behavior and then detecting any deviation from it.

I think it's Signature Detection too