Anomaly-based vs Behavior-based IDS/IPS

Devilsbane
Darril's book considers that these 2 terms are the same thing. But I have seen a few practice questions now that have both terms as possible answers, and only one of them is right.

So what is the difference?

Thanks
Decide what to be and go be it.

Comments

  • Devilsbane
    Another thing is that it refers to passive and active IDSs. What is the difference between an active IDS and an IPS?
  • slinuxuzer
    Devilsbane wrote: »
    Another thing is that it refers to passive and active IDSs. What is the difference between an active IDS and an IPS?

    IDS = intrusion detection system, which by nature is a passive device (hardware or software, host- or network-based) that monitors network traffic or systems at various levels, based on certain logic, rules, signatures, baselines or a combination of the above, in an attempt to identify intrusions during the act.

    IPS = intrusion prevention system. It is closely related to an intrusion detection system and serves basically all of the same functions, with one added function: the ability to take some sort of mitigating action to "prevent" what it perceives to be an attack. This could be in the form of firewalling certain ports, stopping certain services, disabling a system's NIC or any other form of mitigating act.
  • Bl8ckr0uter
    When I was reading the CCNA:S it was explained that an IPS is always active because it is actually a "bump on the wire". That is, it actively scans and can stop traffic in flux. An IDS is passive and cannot actively prevent attacks but it can alert or detect bad traffic. An IDS will let bad traffic into the network. I was told that the term IDS is an IPS.
  • Devilsbane
    So an active IDS is really an IPS. But if it is not specified active or passive, then it is a passive IDS?
  • slinuxuzer
    knwminus wrote: »
    When I was reading the CCNA:S it was explained that an IPS is always active because it is actually a "bump on the wire". That is, it actively scans and can stop traffic in flux. An IDS is passive and cannot actively prevent attacks but it can alert or detect bad traffic. An IDS will let bad traffic into the network. I was told that the term IDS is an IPS.

    Keep in mind these are vendor neutral terms and your CCNA books may be referring to Cisco's own implementation.

    There are both host-based and network-based IDS and IPS; when you refer to stopping something on the wire, this would be a network-based implementation.

    For a more thorough explanation of these technologies, refer to Shon Harris's All-in-One CISSP training kit.

    Might I also suggest the Safari Books Online service, which gives you access to thousands of books for $10 a month? I have no affiliation with them, just a customer.
  • Bl8ckr0uter
    slinuxuzer wrote: »
    Keep in mind these are vendor neutral terms and your CCNA books may be referring to Cisco's own implementation.

    There are both host-based and network-based IDS and IPS; when you refer to stopping something on the wire, this would be a network-based implementation.

    For a more thorough explanation of these technologies, refer to Shon Harris's All-in-One CISSP training kit.

    Might I also suggest the Safari Books Online service, which gives you access to thousands of books for $10 a month? I have no affiliation with them, just a customer.

    That's a good point. I should have said that I was talking about a NIDS and NIPS. HIDS and HIPS are different animals.
  • Devilsbane
    Devilsbane wrote: »
    Darril's book considers that these 2 terms are the same thing. But I have seen a few practice questions now that have both terms as possible answers, and only one of them is right.

    So what is the difference?

    Thanks

    Does anyone have an answer to this question?
  • L0gicB0mb508
    Devilsbane wrote: »
    Does anyone have an answer to this question?

    They usually mean the same thing. They detect intrusions based upon "unusual" network traffic.

    Here is the Wiki article explaining Anomaly based:
    Anomaly-based intrusion detection system - Wikipedia, the free encyclopedia

    Here is the FAQ on SANS:
    SANS: Intrusion Detection FAQ: What is behavior-based intrusion detection?
    I bring nothing useful to the table...
  • xSequentialx
    IPS is inline and can prevent malicious traffic from entering the network. IDS monitors the traffic entering the network from a console station. So some malicious traffic will enter the network; this will be monitored by the IDS and raise an alert depending on signature-, anomaly- or behaviour-based detection. Then the appropriate action can be taken, passive or active.

    From what I remember about anomaly vs behaviour: anomaly always compares network traffic against a performance baseline to detect irregular traffic.
    Behaviour-based, I think, is where an administrator would set policies, and if they are broken it would send an alert.
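    As an added illustration (not code from this thread, nor from any product or book named in it), here is a small Python sensor model that puts the three detection styles the thread keeps circling side by side, and shows the IDS/IPS split that slinuxuzer and xSequentialx describe: signature matching against known-bad payload patterns, policy (behaviour) rules an administrator declares, and an anomaly check that scores a host's connection rate against a learned baseline. The same sensor runs out-of-band as an IDS (alert only, everything forwarded) or inline as an IPS (matching events dropped). The traffic, the baseline numbers, the signatures and the policy rules are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample: one minute of events as a network sensor would see them.
# Each event carries the source IP, destination port and a payload snippet.
EVENTS = [
    {"src": "10.1.1.5", "dst_port": 80, "payload": "GET /index.html"},
    {"src": "10.1.1.5", "dst_port": 80, "payload": "GET /login?user=a' UNION SELECT 1,2--"},
    {"src": "10.9.0.7", "dst_port": 3306, "payload": "\x00\x00\x01"},
    {"src": "10.1.1.9", "dst_port": 23, "payload": "login: admin"},
] + [{"src": "10.1.1.66", "dst_port": 80, "payload": "GET /"} for _ in range(60)]

# Constructed baseline: connections per minute from a single host during a quiet
# learning period.  An anomaly-based sensor compares live counts against this.
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]

# 1. Signature-based: patterns of known attacks, matched in the payload.
SIGNATURES = {
    "SQLI-UNION-SELECT": re.compile(r"union\s+select", re.IGNORECASE),
    "PATH-TRAVERSAL": re.compile(r"\.\./"),
}

# 2. Behaviour/policy-based: rules the administrator writes about what is allowed
#    (hypothetical policies for this example).
POLICIES = {
    "no-cleartext-telnet": lambda ev: ev["dst_port"] == 23,
    "no-dmz-to-database": lambda ev: ev["src"].startswith("10.9.") and ev["dst_port"] == 3306,
}


def signature_hits(ev):
    """Names of signatures whose pattern appears in the event payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(ev["payload"])]


def policy_hits(ev):
    """Names of administrator policies the event violates."""
    return [name for name, rule in POLICIES.items() if rule(ev)]


# 3. Anomaly-based: how many standard deviations a host's rate sits from the baseline.
def anomaly_z(count, baseline=BASELINE):
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return (count - mean) / sd if sd else 0.0


def anomalous_hosts(events, threshold=3.0):
    """Hosts whose connection count this window exceeds the baseline by > threshold sigma."""
    counts = Counter(ev["src"] for ev in events)
    return {src: round(anomaly_z(n), 2) for src, n in counts.items() if anomaly_z(n) > threshold}


class Sensor:
    """mode='ids': out-of-band, alert only, every event is forwarded.
    mode='ips': inline, events that hit a signature or policy are dropped."""

    def __init__(self, mode):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode

    def run(self, events):
        alerts, forwarded, dropped = [], 0, 0
        for ev in events:
            reasons = signature_hits(ev) + policy_hits(ev)
            if reasons:
                alerts.append((ev["src"], reasons))
            if reasons and self.mode == "ips":
                dropped += 1
            else:
                forwarded += 1
        # A rate anomaly is only known once the window has been counted, so even the
        # inline sensor can only alert on it here; the traffic has already passed.
        for src, z in anomalous_hosts(events).items():
            alerts.append((src, [f"RATE-ANOMALY z={z}"]))
        return {"alerts": alerts, "forwarded": forwarded, "dropped": dropped}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode.upper(), Sensor(mode).run(EVENTS))
```

    Running it shows the passive sensor forwarding all 64 events while raising four alerts, and the inline sensor dropping the three signature/policy hits. Note that the flooding host only ever produces an alert in either mode: a baseline comparison needs the window to close before it can decide, which is one reason anomaly detection tends to live on the detection side rather than the prevention side.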
  • skwira001
    Devilsbane wrote: »
    Darril's book considers that these 2 terms are the same thing. But I have seen a few practice questions now that have both terms as possible answers, and only one of them is right.

    So what is the difference?

    Thanks
    Just know the difference between signature-based and anomaly. Heuristics is another name for anomaly.
  • Devilsbane
    skwira001 wrote: »
    Heuristics is another name for anomaly.

    Not exactly. It does the same thing, but there is a whole different process involved to get to that decision.