The primary conceptual advantage of an anomaly-based Intrusion Detection System (IDS) is its ability to identify unknown or "zero-day" attacks. Unlike signature-based systems that rely on a database of known attack patterns, an anomaly-based IDS first establishes a baseline of normal network or system behavior. It then monitors activity and flags any significant deviation from this baseline as a potential threat. This methodology allows it to detect novel attacks for which no signature exists, as the attack's behavior will likely differ from the established normal profile.

A. Produces less false positives: This is incorrect. Anomaly-based systems are known for producing a higher rate of false positives because benign, yet unusual, activities can be flagged as malicious deviations from the norm.

C. Requires vendor updates for a new threat: This is a characteristic of signature-based IDS. They depend on vendors to research new threats and distribute updated signature files to be able to detect them.

D. Cannot deal with encrypted network traffic: This is a challenge for most network-based IDS, regardless of whether they are anomaly-based or signature-based. Encrypted payloads obscure the data needed for analysis by both methods.

1. National Institute of Standards and Technology (NIST) Special Publication 800-94

Guide to Intrusion Detection and Prevention Systems (IDPS).

Section 2.2.2

Anomaly-Based Detection: "The primary benefit of anomaly-based detection is that it can be effective against previously unknown threats... A major drawback of anomaly-based detection approaches is the high false positive rate." This directly supports option B as correct and option A as incorrect.

Section 2.2.1

Signature-Based Detection: "The main drawback to signature-based approaches is that they can only detect attacks for which a signature has been developed." This supports the reasoning for why option C describes signature-based systems.

2. Garcia-Teodoro

P.

Diaz-Verdejo

J.

Maciá-Fernández

G.

& Vázquez

E. (2009). Anomaly-based network intrusion detection: Techniques

systems and challenges. Computers & Security

28(1-2)

18–28.

Section 1

Introduction (p. 19): "The main advantage of these systems [anomaly-based] is their ability to detect novel attacks against computer systems and networks... However

their main drawback is the high rate of false alarms they usually suffer." This publication corroborates that detecting unknown attacks is the key characteristic and that high false positives are a known issue. (DOI: https://doi.org/10.1016/j.cose.2008.08.003)

3. MIT OpenCourseWare

6.857 Computer and Network Security

Fall 2017. Lecture 15: Intrusion Detection.

The course materials frequently contrast the two methods

noting that signature-based systems are "Bad for zero-day exploits

" while anomaly-based systems "Can detect zero-day exploits." This aligns with the selection of option B. The materials also highlight that a disadvantage of anomaly detection is "High false alarm rate."