Certified Incident Handler (ECIH) — Question 1

Rhett, a security professional at an organization, was instructed to deploy an IDS solution on their corporate network to defend against evolving threats. For this purpose, Rhett selected an IDS solution that first creates models for possible intrusions and then compares these models with incoming events to make detection decisions.
Identify the detection method employed by the IDS solution in the above scenario.

Answer options

• A. Not-use detection
• B. Protocol anomaly detection
• C. Anomaly detection
• D. Signature recognition

Correct answer: C

Explanation

The correct answer is C, Anomaly detection, as it involves creating models of normal behavior and identifying deviations from these models. Options A, B, and D do not accurately describe the method used; Not-use detection is not a standard term, Protocol anomaly detection focuses on protocol-specific deviations, and Signature recognition relies on known patterns rather than modeling behavior.