Answer: 1. Scheme M, because signature-based systems have lower false negative rates than anomaly-based systems.

You run a security company that sells intrusion detection systems. Your company currently offers two core technologies: M, a misuse-based (signature-based) scheme; and A, an anomaly-based scheme. Suppose that M is a network-based scheme that works by passively analyzing individual UDP and TCP packets. Suppose that A is a host-based scheme that works as a browser plug-in, processing and analyzing individual URLs on the fly. Scheme M operates in a stateless fashion, while scheme A maintains state regarding URLs it has previously analyzed.

To achieve intrusion prevention functionality, your company decides to deploy a new product. Taking either M or A as a design basis, choose the best candidate scheme for this purpose.

  1. Scheme M, because signature-based systems have lower false negative rates than anomaly-based systems.
  2. Scheme A, because anomaly-based systems have lower false positive rates than signature-based systems.
  3. Scheme M, since it works in real time while A does not.
  4. Scheme A, because it requires less state than M.
  5. It is not clear without additional information which of schemes M or A would work better for intrusion prevention.
Intrusion Prevention System: Signature-Based vs. Anomaly-Based

Original URL: https://www.cveoy.top/t/topic/fY3q. Copyright belongs to the author. Do not reproduce or scrape.
