Which detection method analyzes traffic and compares it to a normal baseline to identify threats?

Multiple Choice

Which detection method analyzes traffic and compares it to a normal baseline to identify threats?

Explanation:
Anomaly-based detection analyzes traffic by comparing it to a learned baseline of normal behavior. It detects threats by flagging deviations from that baseline, so it can identify new, unknown attacks that don’t match any existing signature. This makes it strong for catching zero-days and unusual activity, though it can generate false positives if the baseline isn’t well maintained or legitimate changes occur. Signature-based detection looks for known malicious patterns and won’t detect new techniques unless a signature is updated. An IPS is a system that can implement and enforce detections, while NAC focuses on controlling access and device posture rather than ongoing threat analysis.