Which type of IPS can identify worms that are propagating in a network?

Posted by: Pdfprep Category: 210-260

Which type of IPS can identify worms that are propagating in a network?
A. Policy-based IPS
B. Anomaly-based IPS
C. Reputation-based IPS
D. Signature-based IPS

Answer: B

Explanation:

An example of anomaly-based IPS/IDS is creating a baseline of how many TCP sender requests are generated on average each minute that do not get a response. Such an unanswered request is a half-opened session. Suppose a system creates a baseline of this (for this discussion, let's pretend the baseline is an average of 30 half-opened sessions per minute), then notices that the half-opened sessions have increased to more than 100 per minute, and acts on that by generating an alert or beginning to deny packets: this is an example of anomaly-based IPS/IDS. The Cisco IPS/IDS appliances have this ability (called anomaly detection), and it is used to identify worms that may be propagating through the network.

Source: Cisco Official Certification Guide, Anomaly-Based IPS/IDS, p.464
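
The baseline-and-threshold logic from the explanation, as an added Python example that is not from the page or the Cisco guide. The record layout, function names, the `ALERT_RATIO` constant and the sample traffic (documentation address ranges) are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

ALERT_RATIO = 100 / 30  # assumption: the page's figures (baseline 30, alert above 100)

def half_open_by_minute(events):
    """events: (epoch_seconds, src, dst, answered). Returns {minute: {src: [dst, ...]}}
    holding only SYNs that never got a response (half-opened sessions)."""
    table = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, answered in events:
        per_src = table[ts // 60]          # create the minute even if all SYNs were answered
        if not answered:
            per_src[src].append(dst)
    return table

def detect(events, learn_minutes, ratio=ALERT_RATIO):
    """Learn the mean half-open rate over the first learn_minutes, then flag later
    minutes that exceed baseline * ratio and name the host driving the spike."""
    table = half_open_by_minute(events)
    minutes = sorted(table)
    count = {m: sum(len(d) for d in table[m].values()) for m in minutes}
    baseline = mean(count[m] for m in minutes[:learn_minutes])
    alerts = []
    for m in minutes[learn_minutes:]:
        if count[m] > baseline * ratio:
            src, dsts = max(table[m].items(), key=lambda kv: len(kv[1]))
            alerts.append({"minute": m, "half_open": count[m], "top_source": src,
                           "distinct_targets": len(set(dsts))})
    return baseline, alerts

def build_sample():
    """Constructed traffic: 5 quiet minutes, one slightly busy minute, one scan-like spike."""
    events = []
    def add(minute, src, unanswered, answered=0):
        for i in range(unanswered):
            events.append((minute * 60 + i % 60, src, f"198.51.100.{i + 1}", False))
        for i in range(answered):
            events.append((minute * 60 + i % 60, src, "198.51.100.200", True))
    for m in range(5):
        add(m, "192.0.2.10", 30, answered=40)
    add(5, "192.0.2.10", 32, answered=40)
    add(6, "192.0.2.10", 10, answered=40)
    add(6, "192.0.2.66", 110)             # one host probing many addresses
    return events

if __name__ == "__main__":
    baseline, alerts = detect(build_sample(), learn_minutes=5)
    print(f"baseline={baseline:.0f}/min")
    for a in alerts:
        print(a)
```

The minute with 32 half-opened sessions stays under the threshold, while the 120-session minute is flagged along with the single source responsible for most of it, which is the detail an analyst needs to isolate a suspected infected host.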
