Certified Information Security Manager (CISM) — Question 622
An anomaly-based intrusion detection system (IDS) operates by gathering data on:
Answer options
- A. normal network behavior and using it as a baseline for measuring abnormal activity.
- B. abnormal network behavior and using it as a baseline for measuring normal activity.
- C. abnormal network behavior and issuing instructions to the firewall to drop rogue connections.
- D. attack pattern signatures from historical data.
Correct answer: A
Explanation
Answer A is correct because an anomaly-based IDS first establishes a baseline of normal behavior and then flags deviations from that baseline as possible security threats. Option B is incorrect because it reverses the relationship, suggesting that abnormal behavior serves as the baseline for judging normal activity. Options C and D do not describe how an anomaly-based IDS works: C describes a response action based on abnormal behavior rather than the detection method itself, and D describes a signature-based IDS, which matches traffic against known attack patterns from historical data instead of building a baseline from normal activity.