Which of the following is a Cisco IPS appliance feature that analyzes normal network activity to detect hosts that are infected with worms? (Select the best answer.)
- anomaly detection
- global correlation
- reputation filtering
- a signature definition
- a threat rating
Explanation:
Anomaly detection is a Cisco Intrusion Prevention System (IPS) appliance feature that analyzes normal network activity to detect hosts that are infected with worms. The IPS anomaly detection feature enables IPS to learn what type of network activity is normal activity for the network that is being protected. If a network starts to become congested by traffic that is generated by a worm or if a host that is infected with a worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the infected host or alerting an administrator.
Signature definitions do not analyze normal network activity to detect hosts that are infected with worms. A signature definition is a set of rules against which a Cisco IPS appliance compares network traffic to determine whether an attack is occurring. If the network activity matches a signature definition, IPS can trigger a specific response defined in the associated event action rule sets, such as denying traffic from a host or alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.
Global correlation does not analyze normal network activity to detect hosts that are infected with worms. Global correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending device. When you enable global correlation, IPS devices will periodically receive updates that include information about known malicious devices on the Internet from the Cisco SensorBase Network. In addition, global correlation will send statistical information about attacks against your company’s network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.
Reputation filtering does not analyze normal network activity to detect hosts that are infected with worms. Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering is different from global correlation inspection in that reputation filtering denies traffic before the traffic is compared to any signature definitions. In addition, reputation filtering does not generate alerts.
Threat ratings do not analyze normal network activity to detect hosts that are infected with worms. A threat rating is an event's risk rating after it has been lowered to account for a specific action that IPS has already taken. A risk rating is a numerical representation of the risk that a specific attack presents to a network; risk ratings can range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS subtracts a value from the event's rating to produce the threat rating. For example, if IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 is subtracted.