Question:

Jade is considering deploying a network intrusion prevention system (IPS) and wants to be able to detect advanced persistent threats. What type of IPS detection method is most likely to detect the behaviors of an APT after it has gathered baseline information about normal operations?

A. Anomaly-based IPS detections.

Explanation:

Anomaly-based detection systems establish a behavioral baseline for networks and then detect deviations from that baseline. Though they may employ heuristics, the question pertains to anomaly-based systems that rely on baselined operations. Heuristic-based detection, on the other hand, identifies behaviors commonly associated with malicious activity, while signature-based or hash-based detection scrutinizes known malicious tools or files.
