CompTIA Security Plus Mock Test Q710

Four weeks ago, a network administrator installed a new IDS and allowed it to gather baseline data. As rumors of a layoff began to spread, the IDS alerted the network administrator that access to sensitive client files had risen far above normal. Which of the following kinds of IDS is in use?

A. Protocol based
B. Heuristic based
C. Signature based
D. Anomaly based


Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
Most intrusion detection systems (IDS) are signature-based. They work much like a virus scanner, matching traffic or events against a known identity (a signature) for each specific intrusion. Signature-based IDS is efficient at spotting known attack methods, but, like anti-virus software, it depends on regular signature updates to keep up with changes in attacker technique; it is only as good as its database of stored signatures.
An anomaly-based IDS takes a different approach. During a training period it learns what normal activity looks like, capturing traffic (for example the headers of IP packets entering the network) and host activity and building a baseline from known, legitimate patterns: web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from employees, DNS traffic to and from its DNS server, and the usual volume of file access per user. Once the baseline is established, activity that deviates from it is flagged. That is exactly the scenario in the question: the IDS was given four weeks to gather baseline data, and it alerted when access to sensitive client files rose far above that baseline, even though no signature exists for "a user reading many more files than usual".
Because it reacts to new or unusual activity rather than to known attack patterns, an anomaly-based IDS is also good at spotting sweeps and probes against network hardware, giving early warning because scans commonly precede an attack. The same applies to a new service appearing on a host (for example Telnet enabled on a router for maintenance and left running afterwards), to unexpected ports, and to malformed requests such as deliberately mangled URLs. The trade-off is that anomaly detection needs a representative baseline and ongoing tuning: if the learning period is too short or already contains malicious activity, that activity becomes "normal", and a noisy baseline produces false positives.
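To make the baseline-then-deviation idea concrete, here is a toy anomaly-based IDS in Python. It is an added example, not code from the exam page or from any IDS product: it learns each user's normal number of sensitive-file reads per day from a four-week window of constructed log lines, then flags a later day whose count lies more than k standard deviations above that user's mean. A small signature-rule matcher is included for contrast, to show why a known-pattern approach stays silent on the same data. The log format, user names, file paths, the "/clients/" prefix, the k=3 threshold and the minimum sigma are all assumptions.

```python
"""Toy anomaly-based IDS: learn a per-user baseline of sensitive-file
access over a training window, then flag days that deviate from it.
Added example; not from the CompTIA page or any product. Log format,
user names, paths and thresholds are assumptions/constructed data."""
import math
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines in an assumed format: "<day> <user> <action> <path>".
# Days 1-28 are the learning window; day 29 is when the layoff rumours start.
BASELINE_LOG = []
for day in range(1, 29):
    # alice normally reads 2-4 client files a day, bob 4-6
    BASELINE_LOG += [f"{day} alice READ /clients/acme/contract{i}.pdf" for i in range(2 + day % 3)]
    BASELINE_LOG += [f"{day} bob READ /clients/globex/invoice{i}.pdf" for i in range(4 + day % 3)]
    BASELINE_LOG += [f"{day} bob READ /public/handbook.pdf"]  # not a sensitive path

DAY29_LOG = (
    [f"29 alice READ /clients/acme/contract{i}.pdf" for i in range(3)]
    + [f"29 bob READ /clients/{c}/file{i}.pdf" for c in ("acme", "globex", "initech") for i in range(15)]
)

LINE_RE = re.compile(r"^(?P<day>\d+) (?P<user>\S+) (?P<action>\S+) (?P<path>\S+)$")
SENSITIVE_PREFIX = "/clients/"   # assumption: client files live under this prefix

def parse(lines):
    """Yield (day, user, path) for well-formed lines; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m["day"]), m["user"], m["path"]

def daily_sensitive_counts(lines):
    """Count sensitive-file accesses per (user, day)."""
    counts = defaultdict(int)
    for day, user, path in parse(lines):
        if path.startswith(SENSITIVE_PREFIX):
            counts[(user, day)] += 1
    return counts

def build_baseline(lines):
    """Learning phase: per-user mean and population stddev of daily
    sensitive accesses over the training window."""
    per_user = defaultdict(list)
    for (user, day), n in daily_sensitive_counts(lines).items():
        per_user[user].append(n)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def detect_anomalies(baseline, lines, k=3.0, min_sigma=1.0):
    """Detection phase: return (user, day, count, zscore) where count exceeds
    mean + k*sigma. min_sigma keeps a near-constant baseline from turning
    every small blip into an alert (a classic anomaly-IDS tuning knob)."""
    alerts = []
    for (user, day), n in daily_sensitive_counts(lines).items():
        if user not in baseline:
            alerts.append((user, day, n, math.inf))   # never seen in training: anomalous too
            continue
        mu, sigma = baseline[user]
        z = (n - mu) / max(sigma, min_sigma)
        if z > k:
            alerts.append((user, day, n, round(z, 1)))
    return alerts

# Contrast: signature rules fire only on known patterns, so a legitimate user
# reading far more files than usual never matches any of them.
SIGNATURES = [re.compile(p) for p in (r"\.\./", r"/etc/passwd", r"cmd\.exe")]

def signature_alerts(lines):
    return [line for line in lines if any(s.search(line) for s in SIGNATURES)]

if __name__ == "__main__":
    bl = build_baseline(BASELINE_LOG)
    print("baseline (mean, sigma):", bl)
    print("anomaly alerts:", detect_anomalies(bl, DAY29_LOG))   # bob on day 29
    print("signature alerts:", signature_alerts(DAY29_LOG))     # none
```

Running it shows the point of the question: alice's day-29 count sits on her baseline and produces nothing, bob's 45 reads against a learned mean of 5 produce an alert, and the signature list, which knows only about traversal strings and known bad paths, returns an empty list for exactly the same input.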

Incorrect Answers:
A: A protocol-based intrusion detection system (PIDS) is typically placed in front of a server (commonly a web server) and monitors and analyzes the protocol in use between that server and the devices connecting to it, for example HTTP. It inspects protocol behaviour, not how many client files a given user opens, so it would not have produced this alert. Therefore, this answer is incorrect.
B: A heuristic-based signature uses an algorithm, usually a rule with a tuned threshold, to decide whether an alarm should fire. A typical example is a signature that alarms when more than a threshold number of unique ports are scanned on a particular host; it can be narrowed further, say to SYN packets from a particular source such as a perimeter router. Heuristic signatures can be the only way to detect certain attacks, but they require tuning and modification to fit each network. Some texts use "heuristic" or "behaviour-based" almost interchangeably with "anomaly-based"; the distinguishing detail in this question is the four-week learning period, which describes a learned baseline rather than a hand-written threshold rule. A heuristic-based IDS as defined here would not have detected an abnormal amount of access to sensitive client files. Therefore, this answer is incorrect.
C: A signature-based system evaluates events against a database of known attack signatures and audit trails, and can only detect attacks whose signatures are in that database. There is no signature for a legitimate user reading far more files than usual, so a signature-based IDS would not have detected the abnormal amount of access to sensitive client files. Therefore, this answer is incorrect.

References:
http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice-and-pitfalls/article/30471/
http://www.pearsonitcertification.com/articles/article.aspx?p=174342
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 109