Ready to Start Your Career?

CISSP Study Guide: Knowledge-Based and Behavior-Based IDS

Cybrary's profile image

By: Cybrary

December 15, 2022

Knowledge-Based IDS, also known as signature based, are reliant on a database of known attack signatures. Knowledge-based systems look closely at data and try to match it to a signature pattern in the signature database. If an incident matches a signature, the IDS registers that an attack has happened or is happening and responds with an alert, alarm or modification to firewall configuration.

The main weakness of a knowledge-based IDS is that its effectiveness is based on known attack methods. Upgraded or altered versions of known attacks are often undetected by the IDS. Therefore, a knowledge-based IDS is only as effective as its signature database so the database must be kept updated.

Behavior-Based IDS, also referred to as a statistical intrusion IDS, profile-based IDS (anomaly detection) and heuristics-based IDS, monitors normal activities and events on the system and scans for abnormal activities or events that are considered possible malicious activities. This allows behavior-based IDS to look for new and unknown vulnerabilities, attacks, and intrusion methods.

Behavior-Based IDS have been known to produce false positives or false alarms because patterns of normal activities and events are fluid and can change day-to-day. The main weakness of behavior-based IDS is that security administrators are less inclined to respond to the red flags if it produces multiple false positives.

Schedule Demo

Let's build your cybersecurity career together

Accelerate in your role, prepare for certifications, and develop cutting edge skills with the most in-demand training in the industry.

2,000+learning activities led by highly experienced cybersecurity professionals