Security Incident Detection and Analysis

System and Event Log Analysis for Attack Detection


Question

Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful?

Answers

Explanations


A.

A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

The correct answer is A. host-based IDS.

An Intrusion Detection System (IDS) is a security tool that helps detect attacks and other suspicious activities on a network or host. An IDS operates by examining network traffic or host activity to identify potential security incidents. There are various types of IDS, including network-based IDS, host-based IDS, and hybrid IDS.

A host-based IDS monitors a single system, typically a server or workstation. It reviews system and event logs to detect attacks on the host and determine if the attack was successful. The host-based IDS can also analyze system activity to detect anomalies or suspicious behavior that may indicate an attack.
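As an added illustration of the log review a host-based IDS performs (this is example code written for this page, not from the cited book or any IDS product), the script below parses constructed sshd-style authentication log lines, flags a source address that reaches a threshold of failed logins as an attack, and then checks whether an accepted login from that same source followed, which is how it decides whether the attack succeeded. The log lines, host name, addresses and the five-failure threshold are all assumptions made up for the example.

```python
import re

# Constructed sample auth log (sshd-style); none of these hosts or addresses is real.
# 198.51.100.7: five failures then an accepted login  -> attack, successful
# 203.0.113.9:  six failures, never accepted           -> attack, unsuccessful
# 192.0.2.44:   one accepted key login, no failures     -> normal activity
SAMPLE_LOG = """\
Mar 10 09:14:01 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2
Mar 10 09:14:03 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 50213 ssh2
Mar 10 09:14:05 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 50214 ssh2
Mar 10 09:14:07 host1 sshd[2212]: Failed password for root from 198.51.100.7 port 50215 ssh2
Mar 10 09:14:09 host1 sshd[2213]: Failed password for root from 198.51.100.7 port 50216 ssh2
Mar 10 09:14:12 host1 sshd[2214]: Accepted password for root from 198.51.100.7 port 50217 ssh2
Mar 10 09:20:30 host1 sshd[2300]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Mar 10 09:20:33 host1 sshd[2301]: Failed password for alice from 203.0.113.9 port 41001 ssh2
Mar 10 09:20:36 host1 sshd[2302]: Failed password for alice from 203.0.113.9 port 41002 ssh2
Mar 10 09:20:39 host1 sshd[2303]: Failed password for alice from 203.0.113.9 port 41003 ssh2
Mar 10 09:20:42 host1 sshd[2304]: Failed password for alice from 203.0.113.9 port 41004 ssh2
Mar 10 09:20:45 host1 sshd[2305]: Failed password for alice from 203.0.113.9 port 41005 ssh2
Mar 10 10:01:00 host1 sshd[2400]: Accepted publickey for bob from 192.0.2.44 port 39000 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text, threshold=5):
    """Review the log per source address, in log order.

    A source that accumulates `threshold` failed logins is reported as an
    attack. If an accepted login from that source arrives *after* the
    threshold was reached, the attack is marked successful and the account
    that was logged into is recorded, which is the "was it successful?"
    determination a host-based IDS makes from the same logs.
    """
    per_src = {}
    for ev in parse(log_text.splitlines()):
        s = per_src.setdefault(ev["src"], {
            "src": ev["src"], "failed": 0, "successful": False,
            "compromised_user": None, "targets": set(),
        })
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["targets"].add(ev["user"])
        elif s["failed"] >= threshold and not s["successful"]:
            # An accepted login only counts as attack success once the
            # failure threshold has already been crossed by this source.
            s["successful"] = True
            s["compromised_user"] = ev["user"]

    findings = []
    for s in sorted(per_src.values(), key=lambda x: x["src"]):
        if s["failed"] >= threshold:
            s["targets"] = sorted(s["targets"])
            findings.append(s)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        outcome = "SUCCESSFUL (logged in as %s)" % f["compromised_user"] if f["successful"] else "unsuccessful"
        print("%s: %d failed logins against %s -> %s" % (f["src"], f["failed"], ", ".join(f["targets"]), outcome))
```

Run against the constructed sample it reports two attacks: one from 198.51.100.7 that ended with an accepted root login, and one from 203.0.113.9 that never got in; the single key-based login from 192.0.2.44 is not reported. A production host-based IDS applies the same idea across many log sources and event types, but the core decision, correlating a pattern of failures with a later success from the same origin, is what this function demonstrates.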

In contrast, a firewall-based IDS, also known as network-based IDS, operates at the network level and monitors traffic on the network. It detects attacks and other malicious activities by analyzing network packets.

A bastion-based IDS is an IDS that is deployed on a bastion host, which is a highly secured computer system that is placed at the boundary of a network. The bastion host is typically used to secure access to critical resources, such as servers and databases. The bastion-based IDS monitors activity on the bastion host and can detect attacks that may be targeted at the host.

A server-based IDS is another type of IDS that is installed on a server. It monitors the server's activity and logs to detect attacks and other suspicious activities. However, a server-based IDS typically focuses on a specific type of server application, such as web servers or database servers.

In summary, a host-based IDS is the type of IDS that reviews system and event logs to detect attacks on the host and determine if the attack was successful.