Which conceptual approach to intrusion detection system is the most common?
A.
B.
C.
D.

Correct answer: B.
There are two conceptual approaches to intrusion detection.
Knowledge-based intrusion detection uses a database of known vulnerabilities to look for current attempts to exploit them on a system and trigger an alarm if an attempt is found.
The other approach, not as common, is called behaviour-based or statistical analysis-based.
A host-based intrusion detection system is a common implementation of intrusion detection, not a conceptual approach.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 63).
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (pages 193-194).
Intrusion detection systems (IDS) are designed to detect and prevent unauthorized access to computer systems or networks. There are several different approaches to IDS, including behavior-based, knowledge-based, statistical anomaly-based, and host-based.
Behavior-based intrusion detection systems (BIDS) monitor system activity and compare it to a database of known attack patterns. BIDS can detect new, previously unknown attacks by looking for abnormal behavior that deviates from expected patterns. This approach is useful for detecting targeted attacks or insider threats that may not fit known attack signatures.
Knowledge-based intrusion detection systems (KIDS) use a database of known attack signatures to detect and prevent attacks. KIDS are effective at detecting known attacks and are relatively simple to implement. However, KIDS may not be able to detect new or unknown attacks that do not match any known signatures.
Statistical anomaly-based intrusion detection systems (SIDS) monitor system activity and build a statistical model of normal behavior. SIDS can detect anomalies in system activity that may indicate an attack. This approach is useful for detecting unknown attacks or zero-day attacks that do not match known signatures.
Host-based intrusion detection systems (HIDS) monitor activity on individual hosts or endpoints. HIDS can detect attacks that target specific hosts or applications and can provide detailed information about the attack. However, HIDS may not be able to detect attacks that occur outside of the monitored host.
Which conceptual approach an organization deploys depends on its security needs and goals, but knowledge-based intrusion detection systems are the most common, because they are simple to build and easy to deploy. Behavior-based and statistical anomaly-based systems are gaining in popularity because they can detect new and unknown threats. Ultimately, the choice depends on the organization's security requirements and the threats it needs to address.
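To make the difference between the two conceptual approaches concrete, here is an added Python example (it is not from the cited books or from this page) that runs a small knowledge-based detector and a small statistical anomaly-based detector over the same constructed log lines. The log format, the two signature patterns, the per-client request-count metric and the three-standard-deviation threshold are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample access-log lines in the form "<client_ip> <method> <path>".
# The baseline window is the quiet period the anomaly detector learns from.
BASELINE_LOG = (
    ["10.0.0.1 GET /index.html", "10.0.0.1 GET /about.html"] * 5   # 10 requests
    + ["10.0.0.2 GET /index.html", "10.0.0.2 POST /login"] * 4     # 8 requests
    + ["10.0.0.3 GET /products"] * 6                               # 6 requests
)

# The current window contains one known attack pattern at normal volume and
# one novel high-volume behaviour (a login flood) that matches no signature.
CURRENT_LOG = (
    ["10.0.0.1 GET /index.html"] * 9
    + ["10.0.0.2 GET /products"] * 7
    + ["10.0.0.3 GET /../../etc/passwd"]      # known traversal pattern, a single request
    + ["10.0.0.3 GET /index.html"] * 5
    + ["10.0.0.9 POST /login"] * 40           # novel behaviour: 40 logins from one client
)

# Knowledge base: two illustrative signatures (a hypothetical rule set, not a product's).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union": re.compile(r"union\s+select", re.IGNORECASE),
}


def parse(line):
    """Split a constructed log line into (client, method, path)."""
    client, method, path = line.split(" ", 2)
    return client, method, path


def knowledge_based(lines):
    """Knowledge-based detection: alert whenever a request matches a known signature."""
    alerts = []
    for line in lines:
        client, _, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name))
    return alerts


def build_profile(lines):
    """Learn the baseline: mean and standard deviation of per-client request counts."""
    counts = Counter(parse(line)[0] for line in lines)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_based(baseline, lines, k=3.0):
    """Statistical anomaly-based detection: alert on clients whose request count in
    the current window exceeds the baseline mean by more than k standard deviations."""
    mean, stdev = build_profile(baseline)
    threshold = mean + k * stdev
    counts = Counter(parse(line)[0] for line in lines)
    return [(client, n) for client, n in counts.items() if n > threshold]


if __name__ == "__main__":
    # The signature engine sees only the traversal; the anomaly engine sees only the flood.
    print("signature alerts:", knowledge_based(CURRENT_LOG))
    print("anomaly alerts:  ", anomaly_based(BASELINE_LOG, CURRENT_LOG))
```

Run against the current window, the knowledge-based detector reports only the path-traversal request from 10.0.0.3 (its volume is ordinary, so the anomaly detector ignores it), while the anomaly-based detector reports only the 40-request login flood from 10.0.0.9 (no signature matches it). That is the trade-off the explanation describes: the signature approach is simple and precise for known attacks but blind to new ones, and the statistical approach catches unfamiliar behaviour at the cost of needing a trustworthy baseline and a tuned threshold.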