Describe two advantages and two disadvantages of an anomaly-based system.
What will be an ideal response?
Advantages:
Because an anomaly detection system is based on profiles an administrator creates, an attacker cannot test the IDPS beforehand and anticipate what will trigger an alarm.
As new users and groups are created, IDPS profiles can be updated to keep up with these changes.
Because an anomaly detection system does not rely on published signatures, it can detect new attacks.
The system can detect attacks from inside the network by employees or attackers who have stolen employee accounts.
Disadvantages:
Configuring the IDPS to use profiles of network users and groups requires considerable time.
Updating IDPS profiles can be time consuming.
The definition of what constitutes normal traffic changes constantly, and the IDPS must be reconfigured to keep up.
After installation, the IDPS must be trained for days or weeks to recognize normal traffic.