What IDS approach relies on a database of known attacks?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected.
Network-based intrusion detection can either be signature-based or statistical anomaly-based (also called behavior-based)
Source: KRUTZ, Ronald L.
& VINES, Russel.
D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 49).
The IDS (Intrusion Detection System) is a security technology that monitors network traffic and system events for signs of potential malicious activity. IDS uses different approaches to identify and alert on suspicious behavior, and one of these approaches is the use of a database of known attacks.
The IDS approach that relies on a database of known attacks is called Signature-based Intrusion Detection (A). Signature-based IDS works by comparing network traffic and system events to a pre-defined set of signatures or patterns of known attacks. The signatures are stored in a database that is regularly updated to reflect the latest threats and attack techniques.
When the IDS identifies a signature match in the network traffic or system event, it generates an alert to notify the security team of the potential intrusion attempt. The signature-based IDS is effective in detecting known and common attacks, such as viruses, worms, and Trojans.
However, signature-based IDS has some limitations, as it cannot detect unknown or zero-day attacks that have no known signatures. Additionally, attackers can evade signature-based detection by using sophisticated techniques like polymorphic malware that changes its signature with each iteration.
In contrast, Statistical Anomaly-based IDS (B) monitors for unusual patterns of behavior that deviate from the normal baseline, while Behavior-based IDS (C) focuses on identifying deviations from expected behavior of individual users or systems. Network-based IDS (D) monitors network traffic for signs of malicious activity, regardless of the source or destination of the traffic.
In conclusion, Signature-based IDS (A) relies on a database of known attacks and is effective in detecting common and known attacks, but it has limitations in detecting unknown and sophisticated attacks.