Which of the following is a proper match for the type of IDS and the type of attack it is best suited to uncover?
A. Signature-based IDS – "0 day" attack
B. Signature-based IDS – user logging in at an unusual time
C. Traffic anomaly IDS – Land attack
D. Protocol anomaly IDS – brand new service on the network
Explanation:
A protocol anomaly pertains to the format and behavior of a protocol. The IDS builds a model (or profile) of each protocol's "normal" usage. A protocol anomaly could be a new use for a protocol, an improperly formatted protocol header, or a new service on the network. Signature-based IDS can only detect known attacks and cannot detect behavior changes. Traffic-based IDS just uncovers different patterns in traffic activity.