Zero-day attacks might be stopped by ________ detection.

Zero-day threats rely on exploiting vulnerabilities that defenders have no signatures for yet. Signature-based detection looks for known patterns or fingerprints, so when a new, unseen exploit arrives, there isn’t a matching signature to trigger detection. Anomaly detection, by contrast, models normal system and network behavior and flags deviations from that baseline. A zero-day attack usually causes unusual or abnormal activity—unexpected spikes in traffic, unusual file changes, or atypical process behavior—so it stands out as an anomaly even though the exact exploit isn’t known. That makes anomaly detection the more effective way to catch or mitigate zero-day activity. In practice, security often combines both approaches for broader coverage, but for addressing zero-days specifically, anomaly detection is the best fit.