An Intrusion Detection System monitors traffic or host activity and generates alerts when it identifies suspicious patterns. The correct answer is monitoring network traffic for specific patterns because detection is the central IDS function. An IDS can use signatures, anomaly detection, protocol analysis, or behavioral indicators to identify potential attacks. However, unlike an IPS, a traditional IDS is not usually placed inline to block traffic. Rejecting connections, filtering malicious packets, and dropping inline packets are prevention or enforcement actions more closely associated with an IPS or firewall. IDS alerts are valuable to security operations because they create visibility into attempted attacks, policy violations, scanning activity, or suspicious behavior that may require investigation. A NIDS monitors network traffic, while a HIDS monitors activity on a specific host. The certification expects candidates to distinguish detection systems from prevention systems and understand where each operates. Reference/topics: Cybersecurity 1.4, IDS, HIDS, and NIDS; Cybersecurity 1.5, threat prevention systems.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit