Anomaly-based vs Behavior-based IDS/IPS

Devilsbane Member Posts: 4,214
Darril's book considers that these 2 terms are the same thing. But I have seen a few practice questions now that have both terms as possible answers, and only one of them is right.

So what is the difference?

Thanks
Decide what to be and go be it.

Comments

  • Devilsbane Member Posts: 4,214
    Another thing is that it refers to passive and active IDSs. What is the difference between an active IDS and an IPS?
    Decide what to be and go be it.
  • slinuxuzer Member Posts: 665
    Devilsbane wrote: »
    Another thing is that it refers to passive and active IDSs. What is the difference between an active IDS and an IPS?

    IDS = Intrusion detection system, which by nature is a passive device (hardware or software, host or network based) that monitors network traffic or systems at various levels based on certain logic, rules, signatures, baselines or a combination of the above in an attempt to identify intrusions during the act.

    IPS = Intrusion prevention system. It is closely related to an intrusion detection system and serves basically all of the same functions with an added function: the ability to take some sort of mitigating action to "prevent" what it perceives to be an attack. This could be in the form of firewalling certain ports, stopping certain services, disabling a system's NIC or any other form of mitigating act.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    When I was reading the CCNA:S it was explained that an IPS is always active because it is actually a "bump on the wire". That is, it actively scans and can stop traffic in flux. An IDS is passive and cannot actively prevent attacks but it can alert or detect bad traffic. An IDS will let bad traffic into the network. I was told that the term IDS is an IPS.
  • Devilsbane Member Posts: 4,214
    So an active IDS is really an IPS. But if it is not specified active or passive, then it is a passive IDS?
    Decide what to be and go be it.
  • slinuxuzer Member Posts: 665
    knwminus wrote: »
    When I was reading the CCNA:S it was explained that an IPS is always active because it is actually a "bump on the wire". That is, it actively scans and can stop traffic in flux. An IDS is passive and cannot actively prevent attacks but it can alert or detect bad traffic. An IDS will let bad traffic into the network. I was told that the term IDS is an IPS.

    Keep in mind these are vendor neutral terms and your CCNA books may be referring to Cisco's own implementation.

    There are both host-based and network-based IDS and IPS; when you refer to stopping something on the wire, this would be in a network-based implementation.

    For a more thorough explanation of these technologies, refer to Shon Harris's All-in-One CISSP training kit.

    Might I also suggest the Safari Books Online service that allows you access to thousands of books for $10 a month? I have no affiliation with them, just a customer.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    slinuxuzer wrote: »
    Keep in mind these are vendor neutral terms and your CCNA books may be referring to Cisco's own implementation.

    There are both host-based and network-based IDS and IPS; when you refer to stopping something on the wire, this would be in a network-based implementation.

    For a more thorough explanation of these technologies, refer to Shon Harris's All-in-One CISSP training kit.

    Might I also suggest the Safari Books Online service that allows you access to thousands of books for $10 a month? I have no affiliation with them, just a customer.

    That's a good point. I should have said that I was talking about a NIDS and NIPS. HIDS and HIPS are different animals.
  • Devilsbane Member Posts: 4,214
    Devilsbane wrote: »
    Darril's book considers that these 2 terms are the same thing. But I have seen a few practice questions now that have both terms as possible answers, and only one of them is right.

    So what is the difference?

    Thanks

    Does anyone have an answer to this question?
    Decide what to be and go be it.
  • L0gicB0mb508 Member Posts: 538
    Devilsbane wrote: »
    Does anyone have an answer to this question?

    They usually mean the same thing. They detect intrusions based upon "unusual" network traffic.

    Here is the Wiki article explaining Anomaly based:
    Anomaly-based intrusion detection system - Wikipedia, the free encyclopedia

    Here is the FAQ on SANS:
    SANS: Intrusion Detection FAQ: What is behavior-based intrusion detection?
    I bring nothing useful to the table...
  • skwira001 Member Posts: 94
    Devilsbane wrote: »
    Darril's book considers that these 2 terms are the same thing. But I have seen a few practice questions now that have both terms as possible answers, and only one of them is right.

    So what is the difference?

    Thanks
    Just know the difference between signature-based and anomaly. Heuristics is another name for anomaly.
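As an added example, not from this thread or from any of the books mentioned in it, the toy sensor below puts the two distinctions the posters are circling side by side: how an intrusion is recognised (a signature match on a known-bad pattern versus an anomaly/behaviour-based deviation from a learned baseline, as in slinuxuzer's and skwira001's posts) and what the sensor does about it (a passive IDS only alerts and forwards everything, an active IPS also drops traffic inline, the "bump on the wire"). Every host address, payload, rule id, the "distinct destination ports per source" feature and the 3-sigma threshold are constructed for illustration.

```python
# Added example (not code from the thread): signature vs. anomaly detection,
# run in passive (IDS) or active (IPS) mode. All data below is constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (source host, destination port, payload bytes).
TRAINING = [  # "normal" traffic the anomaly detector learns its baseline from
    ("10.0.0.1", 443, b"GET /index.html"), ("10.0.0.1", 443, b"GET /app.js"),
    ("10.0.0.2", 443, b"GET /index.html"), ("10.0.0.2", 25, b"EHLO mail"),
    ("10.0.0.3", 443, b"GET /login"), ("10.0.0.3", 80, b"GET /"),
    ("10.0.0.3", 53, b"A? example.test"),
]
LIVE = [  # traffic the sensor sees later
    ("10.0.0.1", 443, b"GET /index.html"),
    ("10.0.0.9", 80, b"GET /../../etc/passwd"),   # matches a signature
    ("10.0.0.9", 80, b"GET /index.html"),          # same host, benign record
] + [("10.0.0.7", p, b"SYN") for p in range(20, 40)]  # one host, 20 ports

# Signature rules: constructed byte patterns keyed by placeholder rule ids.
SIGNATURES = {"SIG-PATH-TRAVERSAL": b"../", "SIG-ETC-PASSWD": b"/etc/passwd"}
ANOMALY_K = 3.0  # flag a source more than k standard deviations above the baseline


def distinct_ports(events):
    """Behaviour feature: number of distinct destination ports per source host."""
    seen = defaultdict(set)
    for src, port, _ in events:
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}


def learn_baseline(training):
    """Anomaly/behaviour-based detection starts from a model of 'normal':
    here simply the mean and population stdev of the feature over training."""
    values = list(distinct_ports(training).values())
    return mean(values), pstdev(values)


def run_sensor(events, baseline, mode="ids"):
    """Process records in order. Both detection methods always run; only the
    response differs: 'ids' alerts and forwards everything, 'ips' alerts and
    drops the offending record plus every later record from that source."""
    mu, sigma = baseline
    threshold = mu + ANOMALY_K * sigma
    ports_seen = defaultdict(set)
    alerted = set()  # (source, rule) pairs already reported, to alert once per source
    alerts, forwarded, blocked = [], [], set()
    for src, port, payload in events:
        reason = None
        # Signature-based: a known-bad byte pattern inside this single record.
        for rule_id, pattern in SIGNATURES.items():
            if pattern in payload and (src, rule_id) not in alerted:
                alerted.add((src, rule_id))
                reason = f"signature {rule_id}"
                break
        # Anomaly-based: the source's behaviour drifts beyond the learned baseline.
        ports_seen[src].add(port)
        n = len(ports_seen[src])
        if n > threshold and (src, "anomaly") not in alerted:
            alerted.add((src, "anomaly"))
            reason = f"anomaly: {n} distinct ports > baseline {threshold:.1f}"
        if reason:
            alerts.append((src, reason))
        if mode == "ips" and (reason or src in blocked):
            blocked.add(src)
            continue  # active response: the record never reaches the network
        forwarded.append((src, port, payload))
    return alerts, forwarded, blocked


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for mode in ("ids", "ips"):
        alerts, fwd, blocked = run_sensor(LIVE, base, mode=mode)
        print(mode, "alerts:", alerts)
        print(mode, "forwarded:", len(fwd), "of", len(LIVE), "blocked sources:", blocked)
```

Running it shows the same two alerts in both modes (a signature hit for 10.0.0.9 and an anomaly for 10.0.0.7, which crosses the learned threshold at its fifth distinct port), but only the IPS run drops records: the passive sensor forwards all 23, the inline one forwards 5. The baseline is deliberately naive; a real behaviour-based sensor learns many features over a long window, which is also why such systems need a tuning period before their alerts are trusted.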
  • Devilsbane Member Posts: 4,214
    skwira001 wrote: »
    Heuristics is another name for anomaly.

    Not exactly. It does the same thing, but there is a whole different process involved to get to that decision.
    Decide what to be and go be it.