PrepAway - Latest Free Exam Questions & Answers

Which of the following kinds of IDS is in use?

Four weeks ago, a network administrator deployed a new IDS and allowed it to gather baseline data. As
rumors of a layoff began to spread, the IDS alerted the network administrator that access to sensitive
client files had risen far above normal. Which of the following kinds of IDS is in use?


A. Protocol based
B. Heuristic based
C. Signature based
D. Anomaly based

Correct Answer: D

Explanation:
Most intrusion detection systems (IDS) are signature-based. They operate in much the same way as a virus
scanner, searching for a known identity, or signature, for each specific intrusion event. While signature-based
IDS is very efficient at sniffing out known methods of attack, it, like anti-virus software, depends on receiving
regular signature updates to keep pace with variations in attacker technique. In other words, signature-based
IDS is only as good as its database of stored signatures, and no signature database contains an entry for
authorized users reading files they are permitted to read, which is what happened here.
Any organization wanting a more thorough solution should consider anomaly-based IDS. By its nature,
anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures the headers of the
IP packets running towards the network and, from them, builds a profile of known and legitimate traffic: web
traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from
company employees, and DNS traffic to and from its DNS server. Anything that falls outside that learned
profile is flagged. The scenario describes exactly this two-phase behaviour: the IDS first spent four weeks
collecting baseline data, then alerted when the volume of access to client files deviated sharply from that
baseline. A learning period followed by alerts on deviation from normal is the defining characteristic of
anomaly-based detection, so the answer is D.
There are other advantages to anomaly-based IDS. Because it detects any traffic that is new or unusual, the
anomaly method is particularly good at identifying sweeps and probes towards network hardware and can
therefore give early warning of potential intrusions, because probes and scans commonly precede an attack.
The same applies to any new service that appears on a device, for example Telnet enabled on a network router
for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based
IDS well suited to detecting port anomalies, web anomalies and malformed requests such as deliberately
mangled URLs.
Two caveats matter in practice. First, the baseline must be collected during a period that is genuinely normal;
if an intrusion is already under way during the learning phase, the attacker's activity is absorbed into "normal"
and will not be flagged later. Second, an anomaly-based IDS alerts on anything unusual, not only on attacks, so
legitimate changes such as a new server or month-end reporting produce false positives that have to be tuned
out.
Incorrect Answers:
A: A protocol-based intrusion detection system (PIDS) is typically installed on a web server and monitors and
analyzes the protocol in use (for example HTTP) between the server and the systems talking to it. It inspects
protocol conformance, not how much data a population of users is retrieving, so it would not detect an
abnormal volume of access to sensitive client files.
B: A heuristic-based signature uses an algorithm to determine whether an alarm should be fired. An example
of this type of analysis and warning is a signature that fires an alarm if a threshold number of unique ports are
scanned on a particular host. The signature can also be limited to, say, SYN packets that are from a particular
source, such as a perimeter router. Although heuristic-based signatures can be the only way to detect certain
types of attacks, they require tuning and modification to fit each unique network environment, and they
encode a rule written in advance rather than a baseline learned from observation. A heuristic-based IDS would
not detect an abnormal volume of access to sensitive client files.
C: A signature-based system evaluates events against a database of stored attack signatures and audit trails
and can only detect attacks that match a signature in that database. Elevated read activity by authorized users
matches no attack signature, so a signature-based IDS would not detect an abnormal volume of access to
sensitive client files.
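To make the distinction between the three detection styles concrete, the following Python script is an added example; it is not code from PrepAway or from the cited sources. It runs a signature check, a heuristic port-scan threshold rule and a baseline-driven anomaly detector over constructed data modelled on the question: 28 days of stable reads of files under a hypothetical /srv/clients/ path, followed by a day with a surge. Only the anomaly detector fires on the surge: the signature list has nothing to match, and the heuristic rule is written for a different event entirely (distinct destination ports per source). All paths, user names, addresses, ports and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed data for illustration only; the path prefix, users, addresses
# and thresholds are assumptions, not values from the question or its sources.
SENSITIVE_PREFIX = "/srv/clients/"   # hypothetical location of client files
BASELINE_DAYS = 28                   # four weeks of learning, as in the question


def build_access_log():
    """Return (day, user, path) records: a stable 4-week baseline, then a surge."""
    log = []
    for day in range(BASELINE_DAYS):
        # Normal business: 4 to 6 sensitive reads per day, a stable pattern.
        for i in range(4 + day % 3):
            log.append((day, f"user{i}", f"{SENSITIVE_PREFIX}acct{i}.xlsx"))
    # Day 28: layoff rumours spread and many people pull client files at once.
    for i in range(40):
        log.append((BASELINE_DAYS, f"user{i % 12}", f"{SENSITIVE_PREFIX}acct{i}.xlsx"))
    return log


# Constructed TCP SYN records (src, dst, dport) for the heuristic detector:
# one host touches 3 ports (normal), another sweeps 39 ports (a scan).
SYN_LOG = [("10.0.0.5", "10.0.1.20", p) for p in (22, 80, 443)] + \
          [("10.0.0.9", "10.0.1.20", p) for p in range(1, 40)]


# --- Signature-based: look for known attack patterns in each event ----------
SIGNATURES = ["../", "/etc/passwd", "<script>", "' OR 1=1"]


def signature_alerts(log):
    """Fire only when an event contains a string from the signature database."""
    return [rec for rec in log if any(sig in rec[2] for sig in SIGNATURES)]


# --- Heuristic-based: a hand-written threshold rule ---------------------------
def heuristic_portscan_alerts(syn_log, threshold=20, only_src=None):
    """Fire when one source probes >= threshold distinct ports on one host.

    only_src narrows the rule to a single source, like the perimeter-router
    example in the explanation above.
    """
    ports = defaultdict(set)
    for src, dst, dport in syn_log:
        if only_src is None or src == only_src:
            ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= threshold)


# --- Anomaly-based: learn normal from the baseline, alert on deviation --------
def daily_sensitive_counts(log):
    """Count reads of sensitive files per day."""
    return Counter(day for day, _, path in log if path.startswith(SENSITIVE_PREFIX))


def anomaly_alerts(log, baseline_days=BASELINE_DAYS, sigmas=3.0):
    """Return (day, count) for post-baseline days above mean + sigmas * stddev.

    The stddev is floored at 1.0 so a perfectly flat baseline still yields a
    usable band instead of alerting on every single extra read.
    """
    counts = daily_sensitive_counts(log)
    baseline = [counts.get(d, 0) for d in range(baseline_days)]
    limit = mean(baseline) + sigmas * max(pstdev(baseline), 1.0)
    return [(d, counts[d]) for d in sorted(counts)
            if d >= baseline_days and counts[d] > limit]


if __name__ == "__main__":
    log = build_access_log()
    print("signature alerts:", signature_alerts(log))          # nothing to match
    print("heuristic alerts:", heuristic_portscan_alerts(SYN_LOG))
    print("anomaly alerts:  ", anomaly_alerts(log))            # fires on day 28
```

The baseline here is about 5 reads a day with a standard deviation under 1, so the anomaly band tops out near 8 reads and the 40 reads on day 28 are flagged. Note the two caveats from the explanation: if the 40-read day had fallen inside the learning window it would have inflated the baseline, and a legitimate spike (for example an audit) would be flagged just the same, which is why anomaly alerts need an analyst to confirm them.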

http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice-andpitfalls/article/30471/
http://www.pearsonitcertification.com/articles/article.aspx?p=174342
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 109

