You have successfully implemented a new Intrusion Detection System in your network. You have verified that the system is active and did detect the tests you have run against it thus far. You are now in the stage of identifying the type of analysis you wish to use with the system. You meet with the rest of the IT staff and are asked to describe the different options for analysis. Which of the following best describes Interval Analysis?

A.
This method of analysis uses the internal operating system (or other host-based) audit logs to capture the events, and the IDS at given intervals analyzes the data in the logs for signatures of intrusion.
B.
The basic concept of Interval analysis is to find a deviation from a known pattern of behavior. Using this method, an IDS would create profiles of user behavior.
C.
Interval analysis runs continuously, collecting, analyzing, reporting, and responding (if programmed to do so). An event cannot be countered the exact moment it happens. However, the concept behind Interval analysis is such that an attack should be dealt with as it is happening, and if the system knows the signature, stop the attack before it can complete and compromise a host.
D.
Interval analysis is a method in which the IDS gathers data from both the internal IDS logs and host-based logs, such as Event Viewer files. Using the collected data, the IDS reports on found anomalies and/or intrusions.
E.
Interval analysis is the process of matching known attacks, at intervals, against the data collected in the network. If there is a match, then that is a trigger for an intrusion, and an alarm may be the result.
I have the same idea. A