Certified Ethical Hacker (CEH v11) — Question 233
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?
Answer options
- A. Cannot deal with encrypted network traffic
- B. Requires vendor updates for new threats
- C. Can identify unknown attacks
- D. Produces fewer false positives
Correct answer: C
Explanation
The correct answer is C. An anomaly-based IDS first learns a baseline of normal behavior (typical protocols, request rates, connection patterns) and then alerts on traffic that deviates from that baseline, so it can flag a previously unseen or zero-day attack for which no signature exists. A signature-based IDS can only match traffic against patterns it already knows. Option A is incorrect because neither type can inspect the payload of encrypted traffic without decryption; an anomaly-based system can still reason about unencrypted metadata such as volume and timing, but that is not what distinguishes the two approaches. Option B describes a signature-based IDS, which needs vendor signature updates for each new threat. Option D is the reverse of reality: benign but unusual activity also deviates from the baseline, so anomaly-based systems typically produce more false positives than signature-based ones.
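The contrast behind answers C and D can be seen in a small detector. The following Python is an added illustration, not part of the CEH question or any vendor's IDS: it runs a two-entry signature check and a volume-based anomaly check over constructed request records. The host names, paths, signature patterns, the mean-plus-three-standard-deviations rule and the one-request floor on the spread are all assumptions chosen for the example. The injection-style burst from 10.0.0.9 is caught only by the anomaly detector (the unknown attack), the bulk sync from 10.0.0.5 is flagged by the anomaly detector although it is benign (the extra false positive), and the low-volume traversal probe from 10.0.0.7 is caught only by the signature match.

```python
import re
import statistics

# Constructed training traffic: (source_ip, path) records from a period the
# operator treats as normal. The anomaly detector learns its baseline from this.
TRAINING_REQUESTS = (
    [("10.0.0.1", "/index.html")] * 5
    + [("10.0.0.2", "/login")] * 6
    + [("10.0.0.3", "/api/items")] * 4
    + [("10.0.0.4", "/index.html")] * 5
    + [("10.0.0.5", "/api/items")] * 6
)

# Constructed observation window (hypothetical hosts and paths) containing:
#  - a normal host,
#  - a benign host doing an unusually large bulk sync (anomaly false positive),
#  - a host probing with a known traversal pattern at normal volume,
#  - a host hammering an injection-style query that no signature covers.
OBSERVED_REQUESTS = (
    [("10.0.0.1", "/index.html")] * 5
    + [("10.0.0.5", "/api/items")] * 12
    + [("10.0.0.7", "/static/../../etc/passwd")] * 3
    + [("10.0.0.9", "/search?q=%27%20UNION%20SELECT%201")] * 40
)

# A two-entry "signature database": only attacks the vendor already described.
SIGNATURES = [
    re.compile(r"\.\./"),          # directory traversal
    re.compile(r"<script", re.I),  # reflected XSS probe
]


def signature_alerts(requests):
    """Return the hosts that sent at least one request matching a signature."""
    return sorted({ip for ip, path in requests
                   if any(sig.search(path) for sig in SIGNATURES)})


def requests_per_host(requests):
    """Count requests per source host."""
    counts = {}
    for ip, _ in requests:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def learn_baseline(training_requests):
    """Learn 'normal' per-host volume as (mean, population stdev)."""
    counts = list(requests_per_host(training_requests).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(requests, baseline, threshold=3.0):
    """Return hosts whose request volume exceeds mean + threshold * stdev.

    A near-zero stdev (almost identical training counts) would turn every
    small deviation into an alert, so a floor of one request is applied to
    the spread before computing the limit (an assumption of this example).
    """
    mean, stdev = baseline
    limit = mean + threshold * max(stdev, 1.0)
    return sorted(ip for ip, n in requests_per_host(requests).items()
                  if n > limit)


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING_REQUESTS)
    print("signature-based alerts:", signature_alerts(OBSERVED_REQUESTS))
    print("anomaly-based alerts:  ", anomaly_alerts(OBSERVED_REQUESTS, baseline))
```

Neither detector sees inside an encrypted payload: the signature check needs the plaintext path, and the anomaly check here uses only per-host counts, which is why option A does not separate the two approaches. In practice the two are deployed together, with signatures giving precise, low-noise hits on known attacks and the baseline catching the novel ones at the cost of tuning out alerts like the one on 10.0.0.5.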