Which of the following IPS detection methods is a string pattern-based detection method? (Select the best answer.)
- anomaly-based detection
- profile-based detection
- signature-based detection
- policy-based detection
Signature-based detection is a string pattern-based detection method. Pattern-based detection methods use specific strings of text to detect malicious traffic. Many signature-based detection methods can also use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based detection methods is that the number of false positives generated is typically low. However, the drawback is that a modified attack cannot be detected by an old signature; the modified attack will not be detected until a new signature is added for the modified attack. Therefore, Cisco recommends updating signature files, including antivirus signatures, every time a new update is available.
Anomaly-based detection methods and profile-based detection methods detect abnormal behavior on a network. Traffic is classified as normal or abnormal based on information that is dynamically learned or manually programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats. One drawback of anomaly-based detection is that new traffic patterns are required on a regular basis on all but the smallest of networks, which leads to a lot of false positives. Another drawback is the memory and processing power required to handle profiles for each user.
Policy-based detection methods use algorithms to detect patterns in network traffic. The benefit of policy-based detection methods is that they can often detect when a coordinated attack, such as a Distributed Denial of Service (DDoS) attack, is happening, whereas a signature-based detection method might detect only a collection of individual Denial of Service (DoS) attacks.