There are three modes of detection used by the NIPS/NIDS. For the purpose of the exam, you must know them thoroughly:
- Signature-based: Works from a database of known exploit signatures and cannot identify new patterns. If the database is not kept up to date, it will not operate effectively.
- Anomaly-based: Starts off the same way as signature-based, with a database of known signatures, but also has the ability to identify new variants.
- Heuristic/behavioral-based: Instead of trying to match known variants, heuristic/behavioral detection starts from a baseline and matches traffic patterns against that baseline. It is also sometimes referred to as anomaly-based.
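To make the difference between the first and third modes concrete, here is a small added example (not from the original notes): a signature check that only fires on patterns already in its database, next to a behavioral check that learns a per-host byte-count baseline and flags traffic that deviates from it. The flow records, the signature names and the threshold are all constructed for illustration.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed sample flow records: (source host, bytes sent, request snippet).
# Training window used to learn each host's normal behavior.
BASELINE_FLOWS = [("10.0.0.5", b, "GET /index.html") for b in (480, 510, 495, 505, 490, 500)]
# Live traffic to be inspected.
LIVE_FLOWS = [
    ("10.0.0.5", 498, "GET /index.html"),
    ("10.0.0.5", 9600, "GET /report.csv"),                 # far above this host's baseline
    ("10.0.0.7", 520, "GET /admin UA=ExampleScanner/1.0"),  # matches a constructed signature
    ("10.0.0.7", 515, "GET /about"),
]

# Hypothetical signature database: name -> regex over the request snippet.
SIGNATURES = {
    "example-scanner-ua": re.compile(r"ExampleScanner/\d"),
    "double-dot-path": re.compile(r"\.\./"),
}

def signature_match(payload: str) -> List[str]:
    """Signature-based: only patterns already in the database can be detected."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def build_baseline(flows) -> Dict[str, Tuple[float, float]]:
    """Behavioral: learn mean and stdev of bytes per source host from a training window."""
    per_host: Dict[str, List[int]] = {}
    for src, nbytes, _ in flows:
        per_host.setdefault(src, []).append(nbytes)
    return {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in per_host.items()}

def baseline_deviation(src: str, nbytes: int, baseline, z: float = 3.0, min_stdev: float = 1.0) -> bool:
    """True when a host's byte count is more than z stdevs from its learned baseline.
    A host with no baseline cannot be scored, so it is not flagged here (a real sensor
    would need a default profile or a learning period for new hosts)."""
    if src not in baseline:
        return False
    mean, stdev = baseline[src]
    return abs(nbytes - mean) / max(stdev, min_stdev) > z

def analyze(live, baseline) -> Dict[str, list]:
    """Run both detection modes over live flows and collect alerts per mode."""
    alerts: Dict[str, list] = {"signature": [], "behavioral": []}
    for src, nbytes, payload in live:
        for name in signature_match(payload):
            alerts["signature"].append((src, name))
        if baseline_deviation(src, nbytes, baseline):
            alerts["behavioral"].append((src, nbytes))
    return alerts
```

Note that the 9600-byte transfer carries nothing a signature could match, and the scanner request is within normal size, so each mode catches exactly one of the two events.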