Question 1 - EC-Council 312-50V13 CEH V13 Real Exam Questions [March 2026 Update]

Q: 1

Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

Options

Discussion

Sara A. Mar 14, 2026 9:59 pm

B is what I'd pick. Anomaly-based IDS stands out for catching new or unknown attacks since it watches for deviations from normal behavior. Signature-based needs patterns in its database already. Pretty confident that's the main conceptual difference here, but let me know if you see it differently.

Alex R. Mar 2, 2026 2:50 am

B makes sense because anomaly-based IDS can catch attacks that aren't already in a signature database. Signature-based always needs new patterns to spot new threats, but anomaly just looks for anything out of the ordinary. Pretty sure that's what they're after here, unless I'm missing something?

Jamie Q. Mar 3, 2026 12:01 pm

Official study guide calls out B as the main conceptual difference, also seen in some practice tests.

VikramL Mar 11, 2026 10:40 am

Makes sense-B is the key difference here.

Ava S. Mar 16, 2026 12:49 pm

Probably B, official guide and some labs talk about anomaly-based picking up unknown attack types.

Adam Z. Mar 17, 2026 11:25 am

Seen this in the official guide and practice exams, always points to B since anomaly-based IDS can detect new or unknown attacks. Not 100 percent but that's what most legit resources say, double check the exam blueprint if unsure.

Ajay X. Mar 8, 2026 4:16 pm

Yep, that's B. Anomaly-based IDS can spot new attacks that signature-based systems might miss.

Jamie D. Mar 6, 2026 9:18 pm

C vs D, could argue C since sig-based needs updates for new threats right?

Chloe Q. Mar 9, 2026 6:50 pm

Ugh, EC-Council and their weird wording again. B imo-pretty sure anomaly-based can flag stuff signature IDS won't catch, even if you deal with more noise. Anyone else get tripped up by phrasing here?

Olivia T. Feb 27, 2026 5:41 am

B , trap is A since anomaly IDS actually triggers more false positives, but B is the main conceptual difference.

Be respectful. No spam.

Correct Answer:

Explanation

The primary conceptual advantage of an anomaly-based Intrusion Detection System (IDS) is its ability to identify unknown or "zero-day" attacks. Unlike signature-based systems that rely on a database of known attack patterns, an anomaly-based IDS first establishes a baseline of normal network or system behavior. It then monitors activity and flags any significant deviation from this baseline as a potential threat. This methodology allows it to detect novel attacks for which no signature exists, as the attack's behavior will likely differ from the established normal profile.

Why Incorrect

A. Produces less false positives: This is incorrect. Anomaly-based systems are known for producing a higher rate of false positives because benign, yet unusual, activities can be flagged as malicious deviations from the norm.

C. Requires vendor updates for a new threat: This is a characteristic of signature-based IDS. They depend on vendors to research new threats and distribute updated signature files to be able to detect them.

D. Cannot deal with encrypted network traffic: This is a challenge for most network-based IDS, regardless of whether they are anomaly-based or signature-based. Encrypted payloads obscure the data needed for analysis by both methods.

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-94

Guide to Intrusion Detection and Prevention Systems (IDPS).

Section 2.2.2

Anomaly-Based Detection: "The primary benefit of anomaly-based detection is that it can be effective against previously unknown threats... A major drawback of anomaly-based detection approaches is the high false positive rate." This directly supports option B as correct and option A as incorrect.

Section 2.2.1

Signature-Based Detection: "The main drawback to signature-based approaches is that they can only detect attacks for which a signature has been developed." This supports the reasoning for why option C describes signature-based systems.

2. Garcia-Teodoro

Diaz-Verdejo

Maciá-Fernández

& Vázquez

E. (2009). Anomaly-based network intrusion detection: Techniques

systems and challenges. Computers & Security

28(1-2)

18–28.

Section 1

Introduction (p. 19): "The main advantage of these systems [anomaly-based] is their ability to detect novel attacks against computer systems and networks... However

their main drawback is the high rate of false alarms they usually suffer." This publication corroborates that detecting unknown attacks is the key characteristic and that high false positives are a known issue. (DOI: https://doi.org/10.1016/j.cose.2008.08.003)

3. MIT OpenCourseWare

6.857 Computer and Network Security

Fall 2017. Lecture 15: Intrusion Detection.

The course materials frequently contrast the two methods

noting that signature-based systems are "Bad for zero-day exploits

" while anomaly-based systems "Can detect zero-day exploits." This aligns with the selection of option B. The materials also highlight that a disadvantage of anomaly detection is "High false alarm rate."

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE