Intrusion Detection System for Unknown Attacks and Unusual Traffic Behavior

Selecting an Intrusion Detection System for Unknown Attacks and Unusual Traffic Behavior


Question

As a result of a risk assessment, your security manager has determined that your organization needs to implement an intrusion detection system that can detect unknown attacks and can watch for unusual traffic behavior, such as a new service appearing on the network.

What type of intrusion detection system would you select?

Answers

Explanations

Correct answer: D (Traffic anomaly-based).

Traffic anomaly-based is the correct choice.

An anomaly-based IDS can detect unknown attacks, because it does not need a signature for the attack in advance.

A traffic anomaly-based IDS first learns what normal network traffic looks like and then flags unacceptable deviations from that expected behavior, such as a host that starts offering a service never seen during baselining, which is exactly the scenario in the question.

Protocol anomaly-based is not the best choice. While a protocol anomaly-based IDS can also identify unknown attacks, it is suited to spotting deviations from established protocol standards such as HTTP (malformed requests, out-of-sequence messages, illegal field values), not to spotting new services or changed traffic patterns.

This type of IDS also has difficulty analyzing complex or custom protocols for which no reliable model of correct behavior exists.

Pattern matching is not the best choice, as a pattern-matching IDS cannot identify unknown attacks.

This type of system can only compare individual packets against signatures of known attacks.

Stateful matching is not the best choice, as a stateful matching IDS likewise cannot identify unknown attacks.

This type of system also relies on signatures of known attacks; it differs from simple pattern matching only in that it scans for the signature across a traffic stream, tracking state between packets, rather than inspecting each packet in isolation.

pages 198 to 201

The type of intrusion detection system that can detect unknown attacks and monitor unusual traffic behavior, such as a new service appearing on the network, is a Traffic anomaly-based intrusion detection system.

A traffic anomaly-based intrusion detection system is designed to detect deviations from normal network traffic patterns. It builds a baseline profile of what is considered normal traffic for a particular network (which hosts talk to which services, on which ports and protocols, at what volumes and at what times), and then uses statistical analysis to flag traffic that deviates from that profile.

This type of intrusion detection system is especially effective for detecting new or unknown attacks that are not yet identified by signature-based detection systems. It can also detect insider threats or unauthorized activity on the network. The trade-offs are a higher false-positive rate than signature-based detection and a dependence on the quality of the baseline: the baseline must be built from traffic known to be clean and re-tuned as the network legitimately changes, otherwise attacker activity that was present during baselining is learned as normal and never alerted on.

In contrast, protocol anomaly-based intrusion detection systems monitor network traffic for deviations from expected protocol formats or message sequences, while pattern matching intrusion detection systems search individual packets for known attack signatures. Stateful matching intrusion detection systems also rely on known attack signatures, but track them across a stream of related packets rather than inspecting each packet on its own, so they can catch signatures split across packets; like pattern matching, they cannot detect an attack for which no signature exists.

Therefore, based on the given scenario, the most appropriate option would be a Traffic anomaly-based intrusion detection system.
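To make the difference concrete, here is a small traffic anomaly detector added as an illustration of the baseline-then-deviate approach described in both explanations above. It is not code from the original page or from any IDS product, and the flow records, thresholds and service identifiers are constructed for the example. It learns the set of services and per-service byte volumes from a baseline period, then flags a flow that targets a service never seen during baselining (the "new service appearing on the network" case) or whose volume is a statistical outlier for a known service.

```python
"""Toy traffic anomaly-based detector (illustrative example, not a real IDS).

Baseline phase: learn which (destination, protocol, port) services exist and
the mean/standard deviation of bytes per flow to each.  Detection phase: flag
flows to unknown services, and flows whose volume is a statistical outlier.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # flag flows more than 3 standard deviations from baseline
MIN_SAMPLES = 5     # refuse to judge volume against a profile built from few flows
STDEV_FLOOR = 1.0   # avoid division by zero for perfectly regular services

# Constructed baseline flows, assumed to be clean: (src, dst, proto, dport, bytes).
BASELINE = [
    ("10.0.0.11", "10.0.0.5", "tcp", 443, 4200),
    ("10.0.0.12", "10.0.0.5", "tcp", 443, 3900),
    ("10.0.0.13", "10.0.0.5", "tcp", 443, 4500),
    ("10.0.0.11", "10.0.0.5", "tcp", 443, 4100),
    ("10.0.0.14", "10.0.0.5", "tcp", 443, 4300),
    ("10.0.0.11", "10.0.0.9", "udp", 53, 120),
    ("10.0.0.12", "10.0.0.9", "udp", 53, 110),
    ("10.0.0.13", "10.0.0.9", "udp", 53, 130),
    ("10.0.0.14", "10.0.0.9", "udp", 53, 115),
    ("10.0.0.11", "10.0.0.9", "udp", 53, 125),
]

# Constructed flows from the detection period: one normal, three that should alert.
TEST_FLOWS = [
    ("10.0.0.20", "10.0.0.5", "tcp", 443, 4250),        # ordinary HTTPS flow
    ("10.0.0.20", "10.0.0.7", "tcp", 4444, 800),        # service never seen in baseline
    ("10.0.0.11", "10.0.0.5", "tcp", 443, 52_000_000),  # huge transfer to known service
    ("10.0.0.12", "10.0.0.9", "udp", 53, 9000),         # oversized DNS flow
]


def build_profile(flows):
    """Return {(dst, proto, dport): (mean_bytes, stdev_bytes, sample_count)}."""
    samples = defaultdict(list)
    for _src, dst, proto, dport, nbytes in flows:
        samples[(dst, proto, dport)].append(nbytes)
    return {
        svc: (mean(v), max(pstdev(v), STDEV_FLOOR), len(v))
        for svc, v in samples.items()
    }


def score_flow(profile, flow):
    """Classify one flow against the profile.

    Returns (verdict, z) where verdict is one of "normal", "new-service",
    "insufficient-baseline" or "volume-anomaly"; z is the z-score of the
    flow's byte count for a known service, or None if no score was computed.
    """
    _src, dst, proto, dport, nbytes = flow
    svc = (dst, proto, dport)
    if svc not in profile:
        # A destination/port/protocol never observed during baselining: this is
        # the "new service appearing on the network" case from the question.
        return "new-service", None
    mu, sigma, n = profile[svc]
    if n < MIN_SAMPLES:
        return "insufficient-baseline", None
    z = (nbytes - mu) / sigma
    if abs(z) > Z_THRESHOLD:
        return "volume-anomaly", z
    return "normal", z


def detect(profile, flows):
    """Return [(flow, verdict, z)] for every flow that is not scored normal."""
    alerts = []
    for flow in flows:
        verdict, z = score_flow(profile, flow)
        if verdict != "normal":
            alerts.append((flow, verdict, z))
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for flow, verdict, z in detect(prof, TEST_FLOWS):
        zs = f"{z:.1f}" if z is not None else "-"
        print(f"{verdict:<20} z={zs:>8}  {flow}")
```

Note that no signature is involved anywhere: the port-4444 listener is caught purely because it was absent from the baseline, which is what a pattern-matching or stateful-matching IDS cannot do without a rule for it. The flip side is the caveat above: had port 4444 traffic been present in BASELINE, the detector would have learned it as normal, and a busy but legitimate backup job on port 443 would produce the same volume alert as an exfiltration, so a real deployment needs a clean baseline, tuned thresholds and an analyst to triage.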