CISSP PRACTICE QUESTIONS – 20220201

Effective CISSP Questions

Which one of the following intrusion detection systems relies on agents to detect abnormal behavior? (Wentz QOTD)
A. Knowledge-based
B. Anomaly-based
C. Network-based
D. Host-based


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Host-based.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

[Figure] Classification of IDS (source: https://doi.org/10.1002/ett.4150)

Host-based IDPS

A host-based IDPS monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDPS might monitor are wired and wireless network traffic (only for that host), system logs, running processes, file access and modification, and system and application configuration changes.

Most host-based IDPSs have detection software known as agents installed on the hosts of interest. Each agent monitors activity on a single host and, if IDPS capabilities are enabled, also performs prevention actions.

Source: NIST SP 800-94

Network-based IDPS

A network-based IDPS monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

A typical network-based IDPS is composed of sensors, one or more management servers, multiple consoles, and optionally one or more database servers (if the network-based IDPS supports their use). All of these components are similar to other types of IDPS technologies, except for the sensors. A network-based IDPS sensor monitors and analyzes network activity on one or more network segments. The network interface cards that will be performing monitoring are placed into promiscuous mode, which means that they will accept all incoming packets that they see, regardless of their intended destinations.

Source: NIST SP 800-94

Signature-based Detection

A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

Source: NIST SP 800-94

Anomaly-based Detection

Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. For example, a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more bandwidth than expected and alerting an administrator of the anomaly. Profiles can be developed for many behavioral attributes, such as the number of e-mails sent by a user, the number of failed login attempts for a host, and the level of processor usage for a host in a given period of time.

The major benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown threats.

Source: NIST SP 800-94
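To make the two detection methods above concrete, here is an added example (not code from NIST SP 800-94 or from the post) that runs a signature check and an anomaly profile over constructed host-agent log lines; the baseline counts, hostnames, addresses and the "root-password-guess" signature are all hypothetical.

```python
"""Added example (not from NIST SP 800-94 or the post): signature-based vs
anomaly-based detection run over constructed host-agent log lines."""
from statistics import mean, pstdev

# Constructed baseline: daily failed-login counts for one host during the
# profiling period (hypothetical values chosen so that mean=5, stdev=2).
BASELINE_FAILED_LOGINS = [2, 4, 4, 4, 5, 5, 7, 9]

# Constructed events a host agent reports for today (hypothetical log lines).
TODAY_EVENTS = [
    f"2022-02-01T08:0{i % 10}:00 host1 sshd: Failed password for user{i} from 203.0.113.7"
    for i in range(17)
] + ["2022-02-01T09:15:00 host1 sshd: Accepted password for alice from 198.51.100.4"]

# Signature-based detection: a pattern that corresponds to a known threat.
SIGNATURES = {"root-password-guess": "Failed password for root"}

def signature_alerts(events):
    """Return (signature name, event) for every event matching a known pattern."""
    return [(name, e) for e in events for name, pat in SIGNATURES.items() if pat in e]

def build_profile(samples):
    """Profile of normal behavior: mean and population std-dev of the baseline."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}

def count_failed_logins(events):
    return sum(1 for e in events if "Failed password" in e)

def anomaly_score(profile, observed):
    """Standard score of the observation against the profile (inf when the
    baseline had no variance and the observation differs from its mean)."""
    if profile["stdev"] == 0:
        return 0.0 if observed == profile["mean"] else float("inf")
    return (observed - profile["mean"]) / profile["stdev"]

def anomaly_alert(profile, observed, threshold=3.0):
    """Alert when activity exceeds the profile by more than `threshold` std-devs."""
    return anomaly_score(profile, observed) > threshold

def analyze(events, baseline=BASELINE_FAILED_LOGINS):
    profile = build_profile(baseline)
    observed = count_failed_logins(events)
    return {"signature_hits": len(signature_alerts(events)),
            "failed_logins": observed,
            "anomaly_score": anomaly_score(profile, observed),
            "anomaly": anomaly_alert(profile, observed)}

if __name__ == "__main__":
    print(analyze(TODAY_EVENTS))  # 0 signature hits, 17 failures, score 6.0, anomaly True
```

The signature never fires because none of the guessed accounts is root, while the profile flags the day as six standard deviations above normal: this is the "previously unknown threat" case the NIST text credits anomaly-based detection with catching.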

[Figure] Top IDS Software (source: https://www.dnsstuff.com/intrusion-detection-system)

Which one of the following intrusion detection systems relies on agents to detect abnormal behavior? (Wentz QOTD)
A. Knowledge-based
B. Anomaly-based
C. Network-based
D. Host-based
