Statistical Anomaly-Based Intrusion Detection System Disadvantages

Disadvantage of Statistical Anomaly-Based IDS


Question

Which of the following is a disadvantage of a statistical anomaly-based intrusion detection system?

Answers

Explanations


B.

Some disadvantages of a statistical anomaly-based ID are that it will not detect an attack that does not significantly change the system operating characteristics, or it may falsely detect a non-attack event that had caused a momentary anomaly in the system.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.

Statistical anomaly-based intrusion detection systems (IDS) work by establishing a baseline of what is normal behavior for a system or network and then analyzing incoming traffic or system behavior for deviations from that baseline. While these systems can be effective at detecting previously unknown attacks, there are some disadvantages to this approach.

The correct answer to the question is B. A disadvantage of a statistical anomaly-based IDS is that it may falsely detect a non-attack event that had caused a momentary anomaly in the system. This means that an IDS may alert administrators to an attack that is not actually occurring. For example, if a legitimate user generates a lot of traffic at an unusual time, the IDS may interpret this as an attack and generate a false alarm. This is called a false positive. False positives can be time-consuming and expensive to investigate, and they can also lead to the unnecessary blocking or filtering of legitimate traffic.
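As an added illustration (not from the question source or the cited book), the following Python sketch builds a baseline from constructed request-rate samples and shows both disadvantages named above: a one-minute legitimate burst trips a plain z-score threshold (a false positive), while a small, sustained change stays below it (a missed attack). Requiring the deviation to persist across consecutive windows is an assumed mitigation, used here to show the trade-off between the two.

```python
from statistics import mean, pstdev

# Constructed baseline: requests per minute during 20 "normal" minutes.
BASELINE = [100, 104, 98, 101, 99, 103, 97, 102, 100, 105,
            99, 101, 98, 103, 100, 102, 97, 101, 99, 100]

# Constructed observation window. Minute 3 is a legitimate one-off burst
# (a momentary anomaly); minutes 6-9 carry a low-volume change of only
# ~5 requests/minute that does not significantly alter the rate.
OBSERVED = [101, 99, 103, 180, 100, 102, 105, 106, 105, 106]


def zscores(observed, baseline):
    """Standard score of each observed window against the baseline profile."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [(x - mu) / sigma for x in observed]


def naive_alerts(observed, baseline, threshold=3.0):
    """Plain statistical detector: alert on any window beyond the threshold."""
    return [i for i, z in enumerate(zscores(observed, baseline)) if abs(z) > threshold]


def sustained_alerts(observed, baseline, threshold=2.0, min_consecutive=2):
    """Assumed mitigation: alert only when the deviation persists for
    at least min_consecutive windows, so momentary spikes are ignored."""
    flags = [abs(z) > threshold for z in zscores(observed, baseline)]
    alerts, run = [], []
    for i, flagged in enumerate(flags):
        if flagged:
            run.append(i)
            continue
        if len(run) >= min_consecutive:
            alerts.extend(run)
        run = []
    if len(run) >= min_consecutive:
        alerts.extend(run)
    return alerts


if __name__ == "__main__":
    # Strict threshold: only the legitimate burst fires (false positive),
    # the low-volume change is missed entirely.
    print("naive, z>3:", naive_alerts(OBSERVED, BASELINE, 3.0))
    # Loosened threshold plus persistence: burst suppressed, slow change caught.
    print("sustained, z>2 for 2+ windows:", sustained_alerts(OBSERVED, BASELINE, 2.0, 2))
```

Lowering the threshold alone (try `naive_alerts(OBSERVED, BASELINE, 2.0)`) catches the slow change but also keeps the burst, which is the false-positive cost the explanation describes.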

Option A, "it may truly detect a non-attack event that had caused a momentary anomaly in the system," is not a disadvantage, but rather a potential benefit of this type of IDS. For example, if a non-malicious user inadvertently generates an unusual pattern of network traffic that looks like an attack, the IDS may detect it and alert administrators to investigate. This is called a true positive.

Option C, "it may correctly detect a non-attack event that had caused a momentary anomaly in the system," is similar to option A and is not a disadvantage, but rather a potential benefit of this type of IDS.

Option D, "it may loosely detect a non-attack event that had caused a momentary anomaly in the system," is not a clear disadvantage, but rather a vague statement. "Loosely detect" is not a defined term and is unclear in its meaning.