Which of the following behaviors should an anomaly-based IDS exhibit? (Wentz QOTD)
A. Rendering more True Negative tests
B. Deploying agents to listen to SPAN ports
C. Training the model by supervised learning
D. Depending on sound knowledge of new intrusion patterns
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Rendering more True Negative tests.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
An IDS should make more True Negative and True Positive predictions. In other words, it should have a higher rate of correctly identifying normal traffic (True Negative) and intrusion traffic (True Positive).
A model can be trained using either supervised or unsupervised learning. The question states no specific security requirements, so it is better to say that the model of an anomaly-based IDS MAY be trained using either supervised or unsupervised learning.
Which of the following behaviors should an anomaly-based IDS exhibit? (Wentz QOTD)
B. Deploying agents to listen to SPAN ports