Which type of IPS can identify worms that are propagating in a network?
A. Policy-based IPS
B. Anomaly-based IPS
C. Reputation-based IPS
D. Signature-based IPS
Explanation:
BD
An example of anomaly-based IPS/IDS is creating a baseline of how many TCP connection requests are generated on average each minute that do not get a response; each of these is a half-open session. If a system creates a baseline of this (and for this discussion, let's pretend the baseline is an average of 30 half-open sessions per minute), then notices that the half-open sessions have increased to more than 100 per minute, and then acts on that by generating an alert or beginning to deny packets, this is an example of anomaly-based IPS/IDS. The Cisco IPS/IDS appliances have this ability (called anomaly detection), and it is used to identify worms that may be propagating through the network.
Source: Cisco Official Certification Guide, Anomaly-Based IPS/IDS, p.464
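As an added illustration (not from the Cisco guide or the exam), the baseline-and-threshold logic described above, run over a constructed minute-by-minute log of SYN and ACK segments; the log format, host addresses and per-minute numbers are assumptions chosen to match the text's 30-per-minute baseline and 100-per-minute alert level:

```python
from collections import defaultdict
from statistics import mean


def make_sample_events():
    """Constructed sensor log, not a real capture: three quiet minutes with
    28, 30 and 32 unanswered SYNs (baseline about 30/min), then one minute in
    which a single host sends 120 SYNs to distinct hosts and none complete."""
    lines = []
    for minute, n_half in enumerate([28, 30, 32]):
        for i in range(n_half):  # SYNs that never get an ACK
            lines.append(f"2024-05-01T09:0{minute}:{i % 60:02d} SYN "
                         f"10.0.0.{i + 1}:{40000 + i} -> 10.0.1.{i + 1}:80")
        for i in range(5):  # a few normal, completed handshakes
            flow = f"10.0.0.{i + 1}:{50000 + i} -> 10.0.1.250:443"
            lines.append(f"2024-05-01T09:0{minute}:05 SYN {flow}")
            lines.append(f"2024-05-01T09:0{minute}:05 ACK {flow}")
    for i in range(120):  # worm-like fan-out: one source, many targets, no ACKs
        lines.append(f"2024-05-01T09:03:{i % 60:02d} SYN "
                     f"10.0.0.99:{41000 + i} -> 10.0.2.{i + 1}:445")
    return lines


def half_open_per_minute(lines):
    """Map each minute to the number of flows that sent a SYN but for which
    the sensor never saw the client's ACK completing the handshake."""
    syns, acks = defaultdict(set), defaultdict(set)
    for line in lines:
        ts, flag, src, _, dst = line.split()
        minute = ts[:16]  # YYYY-MM-DDTHH:MM
        (syns if flag == "SYN" else acks)[minute].add((src, dst))
    return {m: len(syns[m] - acks[m]) for m in syns}


def detect_anomalies(counts, learn_minutes=3, alert_threshold=100):
    """Learn the baseline as the average over the first learn_minutes, then
    flag later minutes whose half-open count exceeds alert_threshold (the
    text's numbers: baseline about 30/min, alert when more than 100/min)."""
    ordered = sorted(counts)
    baseline = mean(counts[m] for m in ordered[:learn_minutes])
    alerts = [(m, counts[m]) for m in ordered[learn_minutes:]
              if counts[m] > alert_threshold]
    return baseline, alerts


if __name__ == "__main__":
    counts = half_open_per_minute(make_sample_events())
    baseline, alerts = detect_anomalies(counts)
    print(f"baseline {baseline:.0f} half-open/min; alerts: {alerts}")
```

A real sensor would also track which source produced the burst, since a single host fanning out to many destinations on one port is the pattern that distinguishes a propagating worm from a general load increase.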