Which of the following IPS detection types does not require regularly updated definition files? (Select the best answer.)
Profile-based detection methods, which are also known as anomaly-based detection methods, do not require regularly updated definition files. Profile-based detection methods detect abnormal behavior on a network. Traffic is classified as normal or abnormal based on information that is dynamically learned or manually programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats. One drawback of anomaly-based detection is that new traffic patterns arise on a regular basis on all but the smallest of networks, which leads to a lot of false positives. Another drawback is the memory and processing power required to handle profiles for each user.
By contrast, pattern-based detection methods, which are also called signature-based methods, require regularly updated definition files. Pattern-based detection methods use specific strings of text to detect malicious traffic. Many signature-based detection methods can also use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based detection methods is that the number of false positives generated is typically low. However, the drawback is that a modified attack cannot be detected by old signature definition files; the modified attack will not be detected until a new signature is added for the modified attack. Therefore, Cisco recommends updating signature files, including antivirus signatures, every time a new update is available.
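The contrast between the two detection types above can be seen in a few lines of code. The following is an added example, not part of the original question or its explanation: a toy signature-based detector (string plus protocol plus port, read from a constructed definition list) beside a toy profile-based detector (a "normal" profile learned from a constructed training window: which services are used, which top-level request directories are requested, and a byte-count ceiling of mean plus three standard deviations). The signature ids, thresholds, IP addresses and traffic records are all invented for illustration. Running it over the constructed test flows shows each point the explanation makes: the known attack is caught by its signature; the same attack with one character changed slips past the old signature but is still abnormal to the profile; a service that no signature covers is flagged by the profile alone; and a legitimate large download is a profile-based false positive that the signatures stay silent on.

```python
"""Added example (not from the original page): a toy signature-based detector
beside a toy profile-based (anomaly-based) detector, run over constructed
traffic records. Signatures, thresholds and records are invented."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # source address (constructed)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: str    # first bytes of the application payload
    bytes_out: int  # bytes sent by the server


# --- Signature-based (pattern-based) detection ------------------------------
# A definition file: a text string, narrowed by protocol and destination port,
# as the explanation describes. Constructed entries, not a real feed.
SIGNATURES = [
    {"id": "SIG-1", "match": "/cgi-bin/bad.cgi?cmd=", "proto": "tcp", "dport": 80},
    {"id": "SIG-2", "match": "UNION SELECT",           "proto": "tcp", "dport": 80},
]


def signature_alerts(flow: Flow, signatures=SIGNATURES) -> list[str]:
    """Ids of every signature whose string, protocol and port all match."""
    return [sig["id"] for sig in signatures
            if sig["match"] in flow.payload
            and sig["proto"] == flow.proto
            and sig["dport"] == flow.dport]


# --- Profile-based (anomaly-based) detection --------------------------------
def request_dir(flow: Flow) -> str | None:
    """Top-level directory of an HTTP GET target, or None for non-HTTP payloads."""
    parts = flow.payload.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    path = parts[1].split("?", 1)[0]                 # drop the query string
    return "/" + path.lstrip("/").split("/", 1)[0]


def learn_profile(training: list[Flow], k: float = 3.0) -> dict:
    """Learn 'normal' from observed traffic; no definition file is involved."""
    sizes = [f.bytes_out for f in training]
    return {
        "services": {(f.proto, f.dport) for f in training},
        "dirs": {d for d in map(request_dir, training) if d is not None},
        "max_bytes": mean(sizes) + k * pstdev(sizes),
    }


def anomaly_reasons(flow: Flow, profile: dict) -> list[str]:
    """Anything the learned profile does not cover is reported as abnormal."""
    reasons = []
    if (flow.proto, flow.dport) not in profile["services"]:
        reasons.append(f"unseen service {flow.proto}/{flow.dport}")
    d = request_dir(flow)
    if d is not None and d not in profile["dirs"]:
        reasons.append(f"unseen request directory {d}")
    if flow.bytes_out > profile["max_bytes"]:
        reasons.append(f"bytes_out {flow.bytes_out} above learned ceiling")
    return reasons


# --- Constructed traffic ------------------------------------------------------
TRAINING = (
    [Flow(f"10.0.0.{i}", "tcp", 80, "GET /index.html", 500 + 20 * i) for i in range(1, 11)]
    + [Flow(f"10.0.0.{i}", "udp", 53, "A? example.test", 80) for i in range(1, 6)]
)

TEST_FLOWS = {
    # ordinary page fetch: neither detector should fire
    "normal":          Flow("10.0.0.4", "tcp", 80, "GET /index.html", 540),
    # matches SIG-1 exactly
    "known_attack":    Flow("10.0.0.9", "tcp", 80, "GET /cgi-bin/bad.cgi?cmd=id", 560),
    # same attack with '=' URL-encoded: the old signature no longer matches
    "modified_attack": Flow("10.0.0.9", "tcp", 80, "GET /cgi-bin/bad.cgi?cmd%3Did", 560),
    # a service no signature covers, but the profile never saw it
    "new_service":     Flow("10.0.0.2", "tcp", 4444, "hello", 120),
    # legitimate large download: a false positive for the profile
    "big_download":    Flow("10.0.0.3", "tcp", 80, "GET /iso/image.iso", 250_000),
}


def classify_all(profile: dict) -> dict[str, dict[str, list[str]]]:
    """Run both detectors over every test flow and return their verdicts."""
    return {name: {"signature": signature_alerts(f), "anomaly": anomaly_reasons(f, profile)}
            for name, f in TEST_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all(learn_profile(TRAINING)).items():
        print(f"{name:16s} signature={verdict['signature']} anomaly={verdict['anomaly']}")
```

The byte-count ceiling here is what makes the false positive: a download far larger than anything in the training window is abnormal to the profile even though it is harmless, which is the "new traffic patterns" drawback the explanation mentions. Adding the signature for the modified attack would close the gap on the signature side; the profile side needs no update for it, but would need re-training before large downloads stop being flagged.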
Reputation-based detection methods use information collected from a global network of security devices to detect malicious traffic. Because the information available is constantly being updated, reputation-based systems require frequent updates to their definition files. The primary advantage to these frequent updates is that many attacks can be detected and prevented based on information gathered from other systems that have already experienced the same attack.