ccna 5 chapter 4 exam answers

ccna 5 chapter 4 exam answers.Other common trigger mechanisms are called protocol decoding. Instead of simply looking for patterns in the packet, it first breaks the packet into protocol fields and then looks for specific patterns within a specific protocol field, or some other aberration in the protocol field. The advantage of protocol decoding is the ability to detect traffic at a more granular level and reduce the number of false positives, such as when a data stream generates an alert but does not threaten the network.5.2.2.2 Pattern-Based DetectionPattern-based detection, also known as feature-based detection, is the simplest trigger mechanism because it looks for specific, predefined patterns. A feature-based IDS or IPS sensor compares the network data stream against a database of known attacks and triggers an alarm or blocks communication if a match is found.The feature trigger can be text, binary, or even a series of function calls. It can be detected in a single packet (atomic) or in a sequence of packets (combined). In many cases, the feature will only match the pattern if the suspicious packet is associated with a particular service or travels to or from a particular port. This matching technique helps to reduce the number of checks performed on each packet. However, it makes it more difficult for the system to handle packets that are not5.2 IPS Features 129 protocols and attacks that use well-known ports, such as Trojans and other related randomly flowable data streams. At the beginning of a pattern-based effort for IDS or IPS, before the features have been tuned, there can be many false positives. After the system has been tuned and adapted to specific network parameters, there will be somewhat fewer false positives at this point than with a policy-based approach.5.2.2.3 Anomaly-Based DetectionAnomaly-based detection, also known as profile-based (profiile) detection, requires first defining a profile that is normal for the network or host. This normal profile can be learned by monitoring the behavior on the network or specific applications on the host over a period of time. It can also be based on a defined specification such as an RFC. after defining a normal behavior. the feature will trigger a behavior if an excess behavior occurs that exceeds the threshold value specified in the normal profile.The advantage of anomaly-based detection is that new and previously unpublished attacks can be detected. Administrators can simply define profiles for normal behavior without having to define a large number of features for different attack scenarios. Any deviation from the profile is abnormal and will trigger the feature behavior.While this advantage is obvious, some drawbacks make it difficult to use anomaly-based features. For example, an anomaly feature alert does not necessarily indicate that an attack has occurred. It simply indicates a deviation from the defined normal behavior, and valid user traffic can sometimes cause this behavior. As networks evolve, the definition of normal changes frequently, so the definition of normal must be redefined.It is also important to note that the administrator must ensure that no network attacks occur during the learning phase. Otherwise, the attacking behavior will be considered normal data flow. When establishing normal behavior, precautionary behavior should be taken to ensure that the network is not being attacked. However, defining normal traffic is difficult because most networks are a mix of systems, devices, and ever-changing applications.