Pattern Matching and Anomaly Detection in Intrusion Detection: Key Differences and Limitations

Key Differences and Limitations


Question

Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion detection?

Answers

A. Anomaly detection tends to produce more data.
B. A pattern matching IDS can only identify known attacks.
C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams.
D. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines.

Explanations

Correct answer: C.

Option C is the false statement, which makes it the correct choice. Stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets.

Stateful matching intrusion detection takes pattern matching to the next level.

As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput.

Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps.

Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers.

The remaining options are true statements and are therefore incorrect choices. "Anomaly detection tends to produce more data" is true: an anomaly-based IDS produces a lot of data, since any activity outside of expected behavior is recorded.

"A pattern matching IDS can only identify known attacks" is true: a pattern matching IDS works by comparing traffic streams against signatures.

These signatures are created for known attacks.

"An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines" is true: the assertion describes a characteristic of a statistical anomaly-based IDS.

Reference: pages 198 to 201; http://cs.ucsb.edu/~vigna/publications/2003_vigna_robertson_kher_kemmerer_ACSAC03.pdf

Intrusion Detection Systems (IDS) are used to monitor and analyze network traffic for signs of unauthorized access, attacks, or misuse. An IDS uses two main detection techniques: pattern matching and anomaly detection.

Pattern matching IDS (also known as signature-based IDS) is a technique that identifies attacks by comparing network traffic against a database of known attack patterns. If the network traffic matches a known attack pattern, then the IDS triggers an alert.

Anomaly detection IDS, on the other hand, uses a baseline of normal network behavior to detect any unusual activity that deviates from that baseline. The baseline is established through continuous monitoring of network traffic over time. Any activity that falls outside of the baseline is flagged as a potential threat.

Now let's discuss the options:

A. Anomaly detection tends to produce more data. This assertion is true. Anomaly detection IDS generates a significant amount of data because it monitors all network traffic and compares it to a baseline of normal behavior. As a result, it tends to produce more alerts than pattern matching IDS.

B. A pattern matching IDS can only identify known attacks. This assertion is also true. A pattern matching IDS is limited to identifying attacks that match known attack patterns. It cannot detect new or unknown attacks that do not match the existing database of attack signatures.

C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams. This assertion is false. Stateful matching is a type of pattern matching IDS that examines traffic streams, not individual packets. It uses a combination of packet inspection and session tracking to identify attacks.

D. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines. This assertion is also true. Anomaly detection IDS establishes a baseline of normal network behavior by monitoring traffic over time. It then alerts on any deviations from this baseline.

In summary, the assertion that is NOT true about pattern matching and anomaly detection in intrusion detection is C. Stateful matching does not analyze individual packets, but instead examines traffic streams.
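The following added example (not part of the original page or of any IDS product) illustrates both halves of the explanation above in working code: a signature that is split across two packets is missed by per-packet matching but caught once the flow is reassembled into a stream (the stateful matching point behind option C), and a statistical baseline on throughput flags deviations, with a looser threshold producing more alerts (the "more data" point behind option A). The signatures, packets and throughput samples are all constructed sample data.

```python
"""Per-packet vs. stateful signature matching, plus a throughput anomaly
baseline. Added example with constructed data; not from the original page."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signatures: byte patterns a pattern-matching IDS looks for.
SIGNATURES = {
    "sig-001-shell-marker": b"/bin/sh",
    "sig-002-suspicious-cmd": b"cat /etc/passwd",
}

# Constructed packets as (flow_id, sequence_number, payload).
# flow-B carries a signature that is split across two packets.
PACKETS = [
    ("flow-A", 1, b"GET /index.html HTTP/1.1\r\n"),
    ("flow-B", 1, b"echo hi; cat /etc/"),
    ("flow-B", 2, b"passwd; exit\n"),
    ("flow-C", 1, b"hello world"),
]


def match_signatures(data):
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def per_packet_matching(packets):
    """Stateless pattern matching: every packet is inspected in isolation,
    so a pattern that straddles a packet boundary is never seen whole."""
    alerts = []
    for flow_id, _seq, payload in packets:
        for name in match_signatures(payload):
            alerts.append((flow_id, name))
    return alerts


def stateful_matching(packets):
    """Stateful matching: keep per-flow state, reassemble each flow's payload
    in sequence order, then match signatures against the whole stream."""
    streams = defaultdict(list)
    for flow_id, seq, payload in packets:
        streams[flow_id].append((seq, payload))
    alerts = []
    for flow_id, chunks in streams.items():
        stream = b"".join(payload for _seq, payload in sorted(chunks))
        for name in match_signatures(stream):
            alerts.append((flow_id, name))
    return alerts


# Constructed per-minute throughput samples (kB/s) from a "normal" period.
BASELINE_SAMPLES = [100, 110, 95, 105, 100, 98, 102, 107, 99, 104]


def build_baseline(samples):
    """Baseline as (mean, population standard deviation) of throughput."""
    return mean(samples), pstdev(samples)


def anomaly_alerts(observations, baseline, k=3.0):
    """Flag observations more than k standard deviations from the baseline
    mean. Smaller k means more alerts (and more data for the analyst)."""
    mu, sigma = baseline
    return [obs for obs in observations if abs(obs - mu) > k * sigma]


if __name__ == "__main__":
    print("per-packet alerts:", per_packet_matching(PACKETS))
    print("stateful alerts:  ", stateful_matching(PACKETS))
    baseline = build_baseline(BASELINE_SAMPLES)
    observed = [101, 130, 96, 250, 108]
    print("baseline (mean, stdev):", baseline)
    print("anomalies at k=3:", anomaly_alerts(observed, baseline, k=3.0))
    print("anomalies at k=1:", anomaly_alerts(observed, baseline, k=1.0))
```

Running the script shows the per-packet matcher returning no alerts for flow-B while the stateful matcher reports the split signature; the anomaly section shows the same observations yielding two alerts at a 3-sigma threshold and four at 1-sigma, which is the tuning trade-off behind anomaly detection producing more data.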