The popular method for anomaly-based intrusion detection is based on file-use statistics.
(i) Many other statistics could be used as part of an anomaly-based IDS. For example, network usage would be a sensible statistic to consider. List five other statistics that could reasonably be used in an anomaly-based IDS.
(ii) Why might it be a good idea to combine several statistics rather than relying on just a few?
(iii) Why might it not be a good idea to combine several statistics rather than relying on just a few?