CBROPS200-201 - Compare Detection Methodologies
-
Hello,
I am a bit confused by the terminologies in the various Detection methodologies.
In the exam objectives, we must compare rule-based, behavioral and statistical detection methodologies. Am I correct in stating that both behavioral and statistical detect intrusions based on what is normal and what is abnormal? What differentiates them is that in the behavioral, the "normal" is defined by the Security Administrator, while in the statistical, the "normal" is defined by statistical models based on normal distribution (Gaussian Distribution).
When I refer to the Cisco Press Guide, they seem to associate Statistical methodology with "Heuristic-Based Analysis", and Behavioral with "Anomaly-Based Analysis", but it is so briefly discussed that it is complicated to grasp the real nuance between them.
What confuses me the most are the responses and explanations provided in the CyberVista Quizz 200-201 Exam Simulation. They don't talk about statistical at all, and they seem to make a distinction between Behavioral and Anomaly-based detection. Moreover, they introduce Signature-based detection, but this one is quite straightforward and logical.
Here are the definitions they use in their questions related to Detection Methodologies:
Could you please explain to me key differences between behavioral, statistical and anomaly-based methodologies?
I tried to be as clear as possible, I am sorry if something is unclear in my message.
Have a nice day,
Nicolas.
-
@Nicolas-Steinbusch said in CBROPS200-201 - Compare Detection Methodologies:
Could you please explain to me key differences between behavioral, statistical and anomaly-based methodologies?
Behavioral detection is watching "regular and expected" traffic; when the traffic deviates from this behavior, it is detected.
Statistical detection is using different statistical techniques to find anomalies.
Anomaly-based detection is a heuristic model that learns what is normal on your network---builds a baseline. Then anything outside of that baseline will be detected. There is a high false positive rate at the beginning, and these become less and less over time.
-
Hi Ronnie,
Thanks for the explanation!
Have a nice day,
Nicolas.
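The methodologies Ronnie contrasts above (rule/signature-based, behavioral, statistical and anomaly-based), applied to the same constructed traffic counts so the difference in what each one flags is visible. This is an added Python example, not code from the thread or from Cisco; the blocked port, thresholds and sample counts are all made up for illustration.

```python
from statistics import mean, pstdev

# Constructed known-good history: outbound connections per minute from one host.
BASELINE = [20, 22, 19, 21, 23, 20, 18, 22, 21, 20]
# Constructed observations to judge: (connections per minute, destination port).
OBSERVATIONS = [(21, 443), (24, 443), (95, 443), (21, 4444)]

def rule_based(count, port, blocked_ports=frozenset({4444})):
    """Rule/signature-based: a fixed, expert-written condition; no notion of 'normal'."""
    return port in blocked_ports

def behavioral(count, port, expected_max=30):
    """Behavioral: 'normal' is an expected profile declared by the administrator."""
    return count > expected_max

def statistical(count, port, baseline=BASELINE, z_threshold=3.0):
    """Statistical: 'normal' is a Gaussian fitted to history; flag on z-score."""
    mu, sigma = mean(baseline), max(pstdev(baseline), 1.0)  # floor guards zero variance
    return abs(count - mu) / sigma > z_threshold

def compare(observations=OBSERVATIONS):
    """Per observation: (count, port, rule_flag, behavioral_flag, statistical_flag)."""
    return [(c, p, rule_based(c, p), behavioral(c, p), statistical(c, p))
            for c, p in observations]

class AnomalyDetector:
    """Anomaly-based: learns the normal envelope online, so early alerts are mostly
    false positives and taper off as the baseline fills in (Ronnie's point above)."""
    def __init__(self, warmup=2):
        self.history, self.warmup = [], warmup

    def observe(self, count):
        learned = len(self.history) >= self.warmup
        flagged = learned and not (min(self.history) <= count <= max(self.history))
        # Keep learning during tuning; a confirmed true positive would be excluded
        # by the analyst so the attack does not become part of the baseline.
        self.history.append(count)
        return flagged

def anomaly_alerts(stream):
    """Indexes in the stream that the online anomaly detector alerted on."""
    det = AnomalyDetector()
    return [i for i, c in enumerate(stream) if det.observe(c)]

# Constructed benign stream (18-24 connections/min) followed by one real spike.
STREAM = [20, 22, 19, 24, 21, 18, 23, 20, 22, 19, 21, 24, 18, 22, 20, 95]
```

Running `compare()` shows the spike to 95 caught by both the behavioral limit and the z-score, while the connection to the blocked port is caught only by the rule; `anomaly_alerts(STREAM)` shows three false positives while the envelope is still narrow, then silence on benign traffic, then the real spike.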