Knowledge-based Intrusion Detection Systems (IDS) are more common than:
Answer: C
Knowledge-based IDS are more common than behavior-based ID systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 63
Application-Based IDS - "a subset of HIDS that analyze what's going on in an application using the transaction log files of the application." Source: Official ISC2 CISSP CBK Review Seminar Student Manual Version 7.0 p. 87
Host-Based IDS - "an implementation of IDS capabilities at the host level. Its most significant difference from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the host." Source: Official ISC2 Guide to the CISSP CBK - p. 197
Network-Based IDS - "a network device, or dedicated system attached to the network, that monitors traffic traversing the network segment for which it is integrated." Source: Official ISC2 Guide to the CISSP CBK - p. 196
CISSP for Dummies, a book that we recommend for a quick overview of the 10 domains, has nice and concise coverage of the subject:
Intrusion detection is defined as real-time monitoring and analysis of network activity and data for potential vulnerabilities and attacks in progress.
One major limitation of current intrusion detection system (IDS) technologies is the requirement to filter false alarms lest the operator (system or security administrator) be overwhelmed with data.
IDSes are classified in many different ways, including active and passive, network-based and host-based, and knowledge-based and behavior-based:
Active and passive IDS
An active IDS (now more commonly known as an intrusion prevention system, or IPS) is a system that's configured to automatically block suspected attacks in progress without any intervention required by an operator.
IPS has the advantage of providing real-time corrective action in response to an attack but has many disadvantages as well.
An IPS must be placed in-line along a network boundary; thus, the IPS itself is susceptible to attack.
Also, if false alarms and legitimate traffic haven't been properly identified and filtered, authorized users and applications may be improperly denied access.
Finally, the IPS itself may be used to effect a Denial of Service (DoS) attack by intentionally flooding the system with alarms that cause it to block connections until no connections or bandwidth are available.
A passive IDS is a system that's configured only to monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks.
It isn't capable of performing any protective or corrective functions on its own.
The major advantages of passive IDSes are that these systems can be easily and rapidly deployed and are not normally susceptible to attack themselves.
Network-based and host-based IDS
A network-based IDS usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface.
The IDS is placed along a network segment or boundary and monitors all traffic on that segment.
A host-based IDS requires small programs (or agents) to be installed on individual systems to be monitored.
The agents monitor the operating system and write data to log files and/or trigger alarms.
A host-based IDS can only monitor the individual host systems on which the agents are installed; it doesn't monitor the entire network.
Knowledge-based and behavior-based IDS
A knowledge-based (or signature-based) IDS references a database of previous attack profiles and known system vulnerabilities to identify active intrusion attempts.
Knowledge-based IDS is currently more common than behavior-based IDS.
Advantages of knowledge-based systems include the following:
- It has lower false alarm rates than behavior-based IDS.
- Alarms are more standardized and more easily understood than behavior-based IDS.
Disadvantages of knowledge-based systems include these:
- Signature database must be continually updated and maintained.
- New, unique, or original attacks may not be detected or may be improperly classified.
A behavior-based (or statistical anomaly-based) IDS references a baseline or learned pattern of normal system activity to identify active intrusion attempts.
Deviations from this baseline or pattern cause an alarm to be triggered.
Advantages of behavior-based systems include that they:
- Dynamically adapt to new, unique, or original attacks.
- Are less dependent on identifying specific operating system vulnerabilities.
Disadvantages of behavior-based systems include:
- Higher false alarm rates than knowledge-based IDSes.
- Usage patterns that may change often and may not be static enough to implement an effective behavior-based IDS.
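To make the knowledge-based versus behavior-based trade-off concrete, here is an added Python example that is not from this page or from any of the books cited above. It runs two toy detectors over a constructed web-server-style log: a signature detector with a two-entry "signature database" (the regular expressions are assumed, not taken from any product), and a baseline detector that learns per-source request volume from a training period and flags sources more than three standard deviations above the mean (the z-score threshold is an assumption). The constructed traffic contains a host using a well-known attack string, a host running a novel enumeration that no signature covers, and a host doing a legitimate bulk download, so the output shows the low-false-alarm/known-attacks-only behaviour of the signature approach beside the adaptive-but-noisier behaviour of the baseline approach.

```python
"""Knowledge-based (signature) vs behavior-based (baseline) detection over
constructed log records. Added illustration; not from the cited sources."""
import re
import statistics
from collections import Counter


def _burst(src, path_fmt, n):
    """Build n constructed (source address, request path) records for one host."""
    return [(src, path_fmt.format(i)) for i in range(n)]


# Constructed baseline period: four hosts with ordinary request volumes.
BASELINE_LOG = (
    _burst("10.0.0.1", "/index.html?p={}", 10)
    + _burst("10.0.0.2", "/catalog?page={}", 12)
    + _burst("10.0.0.3", "/about", 8)
    + _burst("10.0.0.4", "/index.html?p={}", 10)
)

# Constructed detection period: one normal host, one host sending a known attack
# string, one host running a novel enumeration, one host doing a legitimate bulk fetch.
TEST_LOG = (
    _burst("10.0.0.1", "/index.html?p={}", 11)
    + [("10.0.0.5", "/about"),
       ("10.0.0.5", "/catalog?page=1 UNION SELECT name FROM users")]
    + _burst("10.0.0.6", "/api/export?id={}", 30)
    + _burst("10.0.0.7", "/static/image{}.png", 20)
)

# Knowledge-based IDS: a small, assumed "database of previous attack profiles".
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(log):
    """Return (source, signature name) for every record matching a known signature."""
    alerts = set()
    for src, path in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.add((src, name))
    return sorted(alerts)


def learn_baseline(log):
    """Behavior-based training step: mean and population stdev of requests per source."""
    values = list(Counter(src for src, _ in log).values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(log, baseline, z_threshold=3.0):
    """Flag sources whose request volume deviates upward from the learned baseline."""
    mean, stdev = baseline
    alerts = []
    for src, n in sorted(Counter(src for src, _ in log).items()):
        if stdev:
            z = (n - mean) / stdev
        else:
            # Flat baseline: any increase at all counts as a deviation.
            z = float("inf") if n > mean else 0.0
        if z > z_threshold:
            alerts.append((src, "request-volume-anomaly", n))
    return alerts


def run_both():
    """Run both detectors over TEST_LOG and return their alert lists side by side."""
    return {
        "knowledge_based": signature_alerts(TEST_LOG),
        "behavior_based": anomaly_alerts(TEST_LOG, learn_baseline(BASELINE_LOG)),
    }


if __name__ == "__main__":
    for kind, alerts in run_both().items():
        print(kind, alerts)
```

The signature detector reports only 10.0.0.5 and says exactly which attack profile matched, but it says nothing about 10.0.0.6 because no signature exists for that enumeration. The baseline detector catches 10.0.0.6 without any signature update, yet it also raises an alarm on 10.0.0.7, whose bulk download is legitimate; that pair of results is the higher-false-alarm/adapts-to-new-attacks trade-off described above.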
Intrusion Detection Systems (IDS) are security tools designed to monitor network and system activities for malicious or unauthorized behavior. IDS can be broadly categorized into two types: network-based IDS and host-based IDS.
Network-based IDS (NIDS) monitors network traffic for suspicious activities and anomalous behavior. NIDS sensors are placed at various points on the network to capture and analyze traffic. NIDS is effective in detecting network-based attacks such as port scans, denial of service attacks, and other suspicious traffic.
Host-based IDS (HIDS), on the other hand, monitors individual systems for malicious activities. HIDS software is installed on individual hosts to monitor system activity, including file changes, login attempts, and system events. HIDS is effective in detecting attacks that target specific hosts, such as malware infections or unauthorized access attempts.
Behavior-based IDS (BIDS) is a newer type of IDS that uses machine learning and behavioral analytics to detect anomalous behavior on the network or system. BIDS can analyze traffic and system activity to detect unusual patterns that may indicate an attack or compromise.
Application-based IDS (AIDS) is another type of IDS that monitors specific applications or services for suspicious activity. AIDS can detect attacks that target vulnerabilities in specific applications, such as web application attacks.
Based on the question, the answer is B. Host-based IDS. While behavior-based IDS and application-based IDS are becoming more common, host-based IDS is still widely used to monitor individual systems for malicious activities. Network-based IDS is also commonly used, but the question implies that knowledge-based IDS are more common than NIDS.