Answer (B) is correct. A network IDS works by using sensors to examine packets traveling on the network. Each sensor monitors only the segment of the network to which it is attached. A packet is examined if it matches a signature. String signatures (certain strings of text) are potential signs of attack. Port signatures alert the IDS that a point subject to frequent intrusion attempts may be under attack. A header signature is a suspicious combination in a packet header.
Answer (A) is incorrect because a host IDS provides maximum protection only when the software is installed on each computer. It may operate in the following ways: The aggressive response is to monitor every call on the operating system and application as it occurs. A less effective method of preventing attacks is analysis of access log files. A host IDS may also identify questionable processes and verify the security of system files.
Answer (C) is incorrect because an IDS is not limited to knowledge-based detection. Knowledge-based detection is based on information about the system’s weaknesses and searches for intrusions that take advantage of them.
Answer (D) is incorrect because an IDS is not limited to behavior-based detection. Behavior-based detection presumes that an attack will cause an observable anomaly. Actual and normal system behavior (a model of expected operations) are compared. A discrepancy results in an alert.