PrepAway - Latest Free Exam Questions & Answers

Which of the following is characteristic of a rule-based IDS?

A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS?

A. Uses IF/THEN programming within expert systems

B. Identifies protocols used outside of their common bounds

C. Compares patterns to several activities at once

D. Can detect new attacks

Explanation:
A is correct. Rule-based intrusion detection is commonly associated with the use of an expert system. An expert system is made up of a knowledge base, an inference engine, and rule-based programming. Knowledge is represented as rules, and the data to be analyzed is referred to as facts. The knowledge of the system is written in rule-based programming (IF situation THEN action). These rules are applied to the facts, that is, the data that comes in from a sensor or from a system that is being monitored. For example, an IDS pulls data from a system's audit log and stores it temporarily in its fact database. Then, the preconfigured rules are applied to this data to indicate whether anything suspicious is taking place. In our scenario, the rule states "IF a root user creates File1 AND creates File2 SUCH THAT they are in the same directory THEN there is a call to Administrative Tool TRIGGER send alert." This rule has been defined such that if a root user creates two files in the same directory and then makes a call to a specific administrative tool, an alert should be sent.

B is incorrect because a protocol anomaly-based IDS identifies protocols used outside of their common bounds. The IDS has specific knowledge of each protocol that it will monitor. A protocol anomaly pertains to the format and behavior of a protocol. If a protocol is formatted differently or is demonstrating abnormal behavior, then the IDS triggers an alarm.

C is incorrect because a stateful matching IDS compares patterns to several activities at once. It is a type of signature-based IDS, meaning that it does pattern matching, similar to antivirus software. State is a snapshot of an operating system's values in volatile, semipermanent, and permanent memory locations. In a state-based IDS, the initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration. The IDS has rules that outline which state transition sequences should sound an alarm.

D is incorrect because a rule-based IDS cannot detect new attacks. An anomaly-based IDS can detect new attacks because it doesn't rely on predetermined rules or signatures, which are only available after security researchers have had time to study an attack. Instead, an anomaly-based IDS learns the "normal" activities of an environment and triggers an alarm when it detects activity that differs from the norm. The three types of anomaly-based IDS are statistical, protocol, and traffic. They are also called behavior- or heuristic-based.
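The fact base and inference engine described above, reduced to a minimal Python rule engine that applies the scenario's IF/THEN rule to constructed audit-log records. This is an added illustration, not code from the PrepAway page or from any IDS product; the Fact schema, the list of "administrative tools" and the sample events are all assumptions made for the example.

```python
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# One audit-log record pulled into the IDS fact base (constructed schema).
@dataclass(frozen=True)
class Fact:
    user: str      # account that performed the action
    action: str    # "create_file" or "exec"
    target: str    # path created, or program executed

Rule = Callable[[List[Fact]], Optional[str]]

# Constructed set of "administrative tools" the rule cares about.
ADMIN_TOOLS = {"/usr/sbin/useradd", "/usr/sbin/visudo"}

def rule_root_two_files_then_admin_tool(facts: List[Fact]) -> Optional[str]:
    """IF root creates File1 AND File2 SUCH THAT they are in the same directory
    THEN a call to an administrative tool TRIGGERS an alert (the page's rule)."""
    files_per_dir: Dict[str, Set[str]] = {}
    for f in facts:                      # facts are processed in logged order
        if f.user != "root":
            continue
        if f.action == "create_file":
            files_per_dir.setdefault(os.path.dirname(f.target), set()).add(f.target)
        elif f.action == "exec" and f.target in ADMIN_TOOLS:
            # Condition holds only if two distinct files already share a directory
            if any(len(names) >= 2 for names in files_per_dir.values()):
                return f"root created two files in one directory, then ran {f.target}"
    return None

RULES: List[Rule] = [rule_root_two_files_then_admin_tool]

def inference_engine(facts: List[Fact], rules: List[Rule] = RULES) -> List[str]:
    """Apply every rule in the knowledge base to the fact base; return fired alerts."""
    return [alert for rule in rules if (alert := rule(facts))]

# Constructed sample audit events, in the order they were logged.
SUSPICIOUS = [
    Fact("root", "create_file", "/tmp/work/a.txt"),
    Fact("root", "create_file", "/tmp/work/b.txt"),
    Fact("root", "exec", "/usr/sbin/useradd"),
]
BENIGN = [                               # same actions, but not by root
    Fact("alice", "create_file", "/home/alice/a"),
    Fact("alice", "create_file", "/home/alice/b"),
    Fact("alice", "exec", "/usr/sbin/useradd"),
]
```

Because the engine only has the rules it was given, the ordering check (tool run before the files exist) and the non-root case produce no alert, which is exactly why a rule-based IDS cannot flag an attack nobody has written a rule for.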