CISSP Study Guide: Knowledge-Based and Behavior-Based IDS

Knowledge-Based IDS, also known as signature based, are reliant on a database of known attack signatures. Knowledge-based systems look closely at data and try to match it to a signature pattern in the signature database. If an incident matches a signature, the IDS registers that an attack has happened or is happening and responds with an alert, alarm or modification to firewall configuration.

The main weakness of a knowledge-based IDS is that its effectiveness is based on known attack methods. Upgraded or altered versions of known attacks are often undetected by the IDS. Therefore, a knowledge-based IDS is only as effective as its signature database so the database must be kept updated.

Behavior-Based IDS, also referred to as a statistical intrusion IDS, profile-based IDS (anomaly detection) and heuristics-based IDS, monitors normal activities and events on the system and scans for abnormal activities or events that are considered possible malicious activities. This allows behavior-based IDS to look for new and unknown vulnerabilities, attacks, and intrusion methods.

Behavior-Based IDS have been known to produce false positives or false alarms because patterns of normal activities and events are fluid and can change day-to-day. The main weakness of behavior-based IDS is that security administrators are less inclined to respond to the red flags if it produces multiple false positives.