A particular vendor uses the following approach to intrusion detection. The company maintains a large number of honeypots distributed across the Internet. To a potential attacker, these honeypots look like vulnerable systems. Consequently, the honeypots attract many attacks and, in particular, new attacks tend to show up on the honeypots soon aftersometimes even duringtheir development. Whenever a new attack is detected at one of the honeypots, the vendor immediately develops a signature and distributes the resulting signature to all systems using its product. The actual derivation of the signature is generally a manual process.

a. What are the advantages, if any, of this approach as compared to a standard signature-based system?

b. What are the advantages, if any, of this approach as compared to a standard anomaly-based system?