PrepAway - Latest Free Exam Questions & Answers

Which of the following best describes Interval Analysis?

You have successfully implemented a new Intrusion Detection System in your network. You have
verified that the system is active and did detect the tests you have run against it thus far. You are
now in the stage of identifying the type of analysis you wish to use with the system. You meet with
the rest of the IT staff and are asked to describe the different options for analysis. Which of the
following best describes Interval Analysis?

A.
This method of analysis uses the internal operating system (or other host-based) audit logs to
capture the events, and the IDS at given intervals analyzes the data in the logs for signatures of
intrusion.

B.
The basic concept of Interval analysis is to find a deviation from a known pattern of behavior.
Using this method, an IDS would create profiles of user behavior.

C.
Interval analysis runs continuously, collecting, analyzing, reporting, and responding (if
programmed to do so). An event cannot be countered the exact moment it happens. However, the
concept behind Interval analysis is such that an attack should be dealt with as it is happening, and
if the system knows the signature, stop the attack before it can complete and compromise a host.

D.
Interval analysis is a method in which the IDS gathers data from both the internal IDS logs and
host-based logs, such as Event Viewer files. Using the collected data, the IDS reports on found
anomalies and/or intrusions.

E.
Interval analysis is the process of matching known attacks, at intervals, against the data
collected in the network. If there is a match, then that is a trigger for an intrusion, and an alarm
may be the result.

