PrepAway - Latest Free Exam Questions & Answers

What type of IDS builds a profile of an environment’s normal activities and assigns an anomaly score to

There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment’s normal activities and assigns an anomaly score to packets based on the profile?


A. State-based

B. Statistical anomaly-based

C. Misuse detection system

D. Protocol signature-based

Explanation:
B: A statistical anomaly-based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures; instead they are put in a learning mode to build a profile of an environment’s “normal” activities. This profile is built by continually sampling the environment’s activities. In most instances, the longer the IDS is kept in learning mode, the more accurate a profile it will build and the better protection it will provide. After this profile is built, all future traffic and activities are compared to it. Using complex statistical algorithms, the IDS looks for anomalies in the network traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If the score is higher than the established threshold of “normal” behavior, the preconfigured action takes place.

A is incorrect because a state-based IDS has rules that outline which state-transition sequences should sound an alarm. The initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration. The activity that takes place between the initial and compromised states is what the state-based IDS looks for, and it sends an alert if any of the state-transition sequences match its preconfigured rules.

C is incorrect because a misuse-detection system is simply another name for a signature-based IDS, which compares network or system activity to signatures or models of how attacks are carried out. Any action that is not recognized as an attack is considered acceptable. Signature-based IDSs are the most popular IDS products today, and their effectiveness depends upon regularly updating the software with new signatures, as with antivirus software. This type of IDS is weak against new types of attacks because it can only recognize those that have been previously identified and have had signatures written for them.

D is incorrect because a protocol signature-based IDS is not a formal IDS. This is a distractor answer.
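To make the correct answer concrete, here is an added illustration (not part of the original question or explanation) of the learning-mode / anomaly-score / threshold cycle described for a statistical anomaly-based IDS. The traffic samples, the two features (packet size in bytes and inter-arrival time in ms) and the z-score based scoring are all constructed for the example.

```python
import statistics
from dataclasses import dataclass

# Constructed "normal" traffic sampled during learning mode:
# (packet_size_bytes, inter_arrival_ms). Values are illustrative only.
NORMAL_SAMPLES = [
    (512, 20.0), (530, 18.5), (498, 21.0), (505, 19.2), (520, 20.5),
    (515, 19.8), (490, 22.0), (525, 18.0), (510, 20.1), (500, 21.5),
]


@dataclass
class Profile:
    """The baseline of 'normal' activity: per-feature mean and standard deviation."""
    means: list
    stdevs: list


def build_profile(samples):
    """Learning mode: sample the environment's activity and record per-feature statistics."""
    columns = list(zip(*samples))
    means = [statistics.fmean(col) for col in columns]
    # A zero stdev would make every deviation infinite; guard with a tiny floor.
    stdevs = [statistics.pstdev(col) or 1e-9 for col in columns]
    return Profile(means, stdevs)


def anomaly_score(profile, packet):
    """Degree of irregularity: mean absolute z-score of the packet's features vs. the profile."""
    zs = [abs((x - m) / s) for x, m, s in zip(packet, profile.means, profile.stdevs)]
    return sum(zs) / len(zs)


def classify(profile, packet, threshold=3.0):
    """Compare the score to the configured threshold; above it, the preconfigured action fires."""
    score = anomaly_score(profile, packet)
    action = "alert" if score > threshold else "allow"
    return action, score


def score_stream(profile, packets, threshold=3.0):
    """Detection mode: every later packet is compared against the learned profile."""
    return [(pkt, *classify(profile, pkt, threshold)) for pkt in packets]


if __name__ == "__main__":
    baseline = build_profile(NORMAL_SAMPLES)
    # A typical packet and a constructed oversized, rapid-fire packet.
    for pkt, action, score in score_stream(baseline, [(515, 20.0), (1400, 0.5)]):
        print(f"{pkt}: {action} (anomaly score {score:.2f})")
```

A longer learning period (more rows in the sample set) tightens the per-feature statistics, which is why the explanation notes that profile accuracy improves with time in learning mode; conversely, any attack traffic present during learning is folded into "normal" and lowers later scores.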

