Which detection method differs from signature recognition and relies on a database of anomalies detected when traffic deviates from normal tolerance?

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

Explanation:
Anomaly-based detection focuses on deviations from normal behavior. It builds a baseline of typical traffic patterns and flags anything that falls outside the acceptable tolerance, rather than matching against a list of known attack signatures. This lets it catch new or unknown threats that signature recognition would miss, since there’s no need for a preexisting signature to trigger an alert. Protocol anomaly detection is a specialized form that looks at deviations within protocol behavior, while file system intrusions describe a type of activity rather than a detection method. Using this approach helps identify unusual activity by comparing current traffic to what’s considered normal.
