Which of the following Intrusion Detection Systems (IDS) uses a database of attacks, known system vulnerabilities, monitoring current attempts to exploit those vulnerabilities, and then triggers an alarm if an attempt is found?
A. Knowledge-Based ID System
B. Application-Based ID System
C. Host-Based ID System
D. Network-Based ID System

Correct answer: A
Knowledge-based Intrusion Detection Systems use a database of previous attacks and known system vulnerabilities to look for current attempts to exploit their vulnerabilities, and trigger an alarm if an attempt is found.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87
Application-Based ID System - "a subset of HIDS that analyze what's going on in an application using the transaction log files of the application." Source: Official ISC2 CISSP CBK Review Seminar Student Manual Version 7.0 p. 87
Host-Based ID System - "an implementation of IDS capabilities at the host level. Its most significant difference from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the host." Source: Official ISC2 Guide to the CISSP CBK - p. 197
Network-Based ID System - "a network device, or dedicated system attached to the network, that monitors traffic traversing the network segment for which it is integrated." Source: Official ISC2 Guide to the CISSP CBK - p. 196
The correct answer is A. Knowledge-Based ID System.
An Intrusion Detection System (IDS) is a security software application that monitors network traffic for suspicious activity and alerts system administrators when potential threats are detected. There are four main types of IDS, namely:
A. Knowledge-Based ID System
B. Application-Based ID System
C. Host-Based ID System
D. Network-Based ID System
A Knowledge-Based ID System, also known as a Signature-Based IDS, uses a database of known attacks and system vulnerabilities, monitors current attempts to exploit those vulnerabilities, and triggers an alarm if an attempt is found. It matches observed traffic or events against this database using predefined rules, signatures, or patterns of known attacks. It is an effective method of detecting known attacks but is less effective against new or unknown attacks, because an attempt that matches no stored signature produces no alarm.
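The matching step described above, as an added illustration that is not part of the original question or the cited CISSP sources: a constructed signature database of three patterns (the SQL injection and XSS classes are the ones this page names; path traversal is an assumed third entry) is run over constructed web-server log lines. Two lines match and raise alerts; the last line is an attempt for which the database holds no signature, so the knowledge-based approach stays silent on it, which is exactly the limitation the paragraph describes. All identifiers (`Signature`, `SIGNATURE_DB`, `scan_event`, `scan_log`, `SAMPLE_LOG`) are assumptions for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One entry of the knowledge base: a known attack pattern and the vulnerability class it targets."""
    sig_id: str
    description: str
    pattern: re.Pattern


# Constructed knowledge base. A real signature set (Snort, Suricata, ...) holds thousands of
# entries and is refreshed as new attacks are published; these three are illustrative only.
SIGNATURE_DB = [
    Signature("SIG-0001", "SQL injection: UNION-based query", re.compile(r"union\s+select", re.I)),
    Signature("SIG-0002", "Cross-site scripting: inline script tag", re.compile(r"<script", re.I)),
    Signature("SIG-0003", "Path traversal: repeated parent-directory sequence", re.compile(r"\.\./\.\./")),
]


def scan_event(event: str):
    """Compare one event against every signature; return (sig_id, description) for the first hit, else None."""
    for sig in SIGNATURE_DB:
        if sig.pattern.search(event):
            return sig.sig_id, sig.description
    return None


def scan_log(events):
    """Run a sequence of events through the knowledge base and collect (line_no, sig_id, description) alerts."""
    alerts = []
    for line_no, event in enumerate(events, start=1):
        hit = scan_event(event)
        if hit is not None:
            alerts.append((line_no, hit[0], hit[1]))
    return alerts


# Constructed sample log: one benign request, two requests matching stored signatures,
# and one attempt (line 4) for which no signature exists in SIGNATURE_DB.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1",
    "GET /products?id=1 UNION SELECT username,password FROM users HTTP/1.1",
    "GET /comment?text=<script>alert(1)</script> HTTP/1.1",
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",
]


if __name__ == "__main__":
    for line_no, sig_id, description in scan_log(SAMPLE_LOG):
        print(f"ALERT line {line_no}: {sig_id} ({description})")
    # Line 4 is never reported: the knowledge base has no signature for it.
```

Running the block prints alerts for lines 2 and 3 only. Adding a signature for the line-4 pattern would make it detectable, which is why knowledge-based systems depend on keeping the database current.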
An Application-Based ID System is a type of IDS that is designed to monitor specific applications or services. This system is capable of analyzing application-level protocols such as HTTP, SMTP, or FTP. It is useful in detecting attacks that exploit application-level vulnerabilities such as SQL injection or cross-site scripting (XSS).
A Host-Based ID System is installed on a specific host or endpoint, such as a server or a workstation. It monitors the activity of the host and compares it to a baseline of normal activity. Any deviation from this baseline is considered suspicious and triggers an alarm. This system is useful in detecting attacks that target specific hosts or applications.
A Network-Based ID System monitors network traffic at the network layer and is capable of analyzing network protocols such as TCP/IP, UDP, or ICMP. It uses a combination of signature-based detection and anomaly-based detection to identify potential threats.
In conclusion, the Knowledge-Based ID System uses a database of known attacks and system vulnerabilities and monitors current attempts to exploit those vulnerabilities, making it an effective method of detecting known attacks but less effective against new or unknown attacks.