Which of the following is a sign of a network-based intrusion?

When security monitoring looks for intrusions, spotting anomalies in how the network is used is a key signal. New or unusual protocols and services running indicate something outside the normal, expected environment is active. Attackers often attempt to bypass standard defenses or create covert channels by using uncommon or unexpected protocols and services, which stands out against a baseline of regular traffic. This kind of change directly points to potential unauthorized activity or a hidden foothold on the network. In contrast, increased bandwidth can happen from legitimate user activity or a DoS attack, regular traffic is just normal behavior, and high latency can be due to congestion, misconfigurations, or other non-security issues. The presence of new or unusual protocols and services is the strongest indicator among these options.