Broadly speaking, there are two distinct types of intrusion detection systems, namely, signature-based and anomaly-based.
a. List the advantages of signature-based intrusion detection, as compared to anomaly-based intrusion detection.
b. List the advantages of an anomaly-based IDS, in contrast to a signature-based IDS.
c. Why is effective anomaly-based IDS inherently more challenging than signature-based detection?
The anomaly-based intrusion detection example presented in this chapter is based on file-use statistics.
a. Many other statistics could be used as part of an anomaly-based IDS. For example, network usage would be a sensible statistic to consider. List five other statistics that could reasonably be used in an anomaly-based IDS.
b. Why might it be a good idea to combine several statistics rather than relying on just a few?
c. Why might it not be a good idea to combine several statistics rather than relying on just a few?
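The following is an added example, not the chapter's own detector: a toy anomaly-based IDS that scores a session's file-use shares (and two further statistics) against a learned per-user profile, so the trade-off in questions b and c can be seen on concrete numbers. The chi-square-style distance, the threshold of 0.1, the exponential averaging and all profile and session values are assumptions constructed for illustration.

```python
# Added example: a toy anomaly-based IDS keeping a per-user profile of several
# usage statistics. All numbers below are constructed, not measured data.
from typing import Dict

Profile = Dict[str, Dict[str, float]]  # statistic -> category -> expected share


def deviation(expected: Dict[str, float], observed: Dict[str, float]) -> float:
    """Chi-square-style distance between the learned and the observed shares."""
    return sum((observed.get(k, 0.0) - e) ** 2 / e for k, e in expected.items())


def scores(profile: Profile, session: Profile) -> Dict[str, float]:
    """One anomaly score per statistic for this session."""
    return {name: deviation(exp, session.get(name, {})) for name, exp in profile.items()}


def alarm(profile: Profile, session: Profile, threshold: float, mode: str) -> bool:
    """Combine per-statistic scores: 'any' alarms when one statistic alone exceeds
    the threshold, 'mean' only when the average over all statistics does."""
    s = list(scores(profile, session).values())
    return max(s) > threshold if mode == "any" else sum(s) / len(s) > threshold


def update_profile(profile: Profile, session: Profile, alpha: float = 0.2) -> Profile:
    """Exponential averaging lets the profile follow gradual changes in normal use;
    the same mechanism absorbs slow drift instead of flagging it (a known weakness)."""
    return {name: {k: (1 - alpha) * e + alpha * session[name].get(k, 0.0)
                   for k, e in exp.items()} for name, exp in profile.items()}


# Constructed profile for one user: file-use shares plus two other statistics.
PROFILE: Profile = {
    "file_use":   {"home": 0.4, "work": 0.4, "system": 0.1, "other": 0.1},
    "network":    {"mail": 0.5, "web": 0.4, "ssh": 0.1},
    "login_hour": {"office": 0.8, "night": 0.2},
}
# Constructed sessions: ordinary jitter, a benign late-night session, and a
# small shift toward system files with every other statistic exactly as expected.
NORMAL = {"file_use": {"home": 0.35, "work": 0.45, "system": 0.1, "other": 0.1},
          "network": {"mail": 0.45, "web": 0.45, "ssh": 0.1},
          "login_hour": {"office": 0.7, "night": 0.3}}
LATE_NIGHT = dict(NORMAL, login_hour={"office": 0.6, "night": 0.4})
SUBTLE = dict(PROFILE, file_use={"home": 0.35, "work": 0.35, "system": 0.2, "other": 0.1})

if __name__ == "__main__":
    for label, sess in [("normal", NORMAL), ("late_night", LATE_NIGHT), ("subtle", SUBTLE)]:
        print(label, {k: round(v, 4) for k, v in scores(PROFILE, sess).items()},
              "any:", alarm(PROFILE, sess, 0.1, "any"), "mean:", alarm(PROFILE, sess, 0.1, "mean"))
```

With the 'any' rule the benign late-night session raises a false alarm (each added statistic is one more chance for a harmless outlier), while with the 'mean' rule the small file-use shift is diluted by the unremarkable statistics and missed; neither way of combining statistics is free.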