
I have difficulties in understanding the difference between Knowledge-based IDS and behavior-based IDS.

This link says that a knowledge-based IDS uses a database of specific attacks and system vulnerabilities, which is a blacklist method, I think. But what about an IDS that uses a whitelist? Is this IDS still a knowledge-based IDS (or a behavior-based IDS)?

Here is an example of a simple IDS. Can someone tell me whether this IDS is a knowledge-based IDS or a behavior-based IDS?

Example:

A simple IDS has a whitelist of all allowed personnel. And the whitelist looks like [alice, bob].

When alice or bob comes, no alarm is sounded. But when jack comes, the intrusion alarm is triggered.

(you can also think of alice, bob and jack as network packet IDs)

So, knowledge-based or behavior-based?

Ema
  • You defined "knowledge-based" but never defined "behaviour-based". If you define what a behaviour is, you might find your own answer. – schroeder Apr 26 '17 at 06:52
  • I also think you are confusing IDS (detecting bad things) and IPS (stopping bad things). – schroeder Apr 26 '17 at 06:53
  • @schroeder thanks for replying. I looked up the definition of "behavior-based IDS", and the definition is "detect the **deviation** from normal/expected behavior". So I'm thinking the simple IDS in my question should be categorized as Behavior-based IDS. Agree? – Ema Apr 26 '17 at 07:04

1 Answer


Knowledge-based is like a signature-based anti-virus: you populate a database of "badness" and look for those things.

Behaviour-based learns what is normal for the network over time, then alerts on things that are "weird".

Your whitelist approach is still "knowledge-based" because you populate the whitelist database. A behaviour-based approach would learn that Alice and Bob are normal users by watching the traffic.

schroeder
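As an added example (not part of the original question or answer), the two detector styles from the answer written as toy Python classes and run over the question's alice/bob/jack stream. The "packets" are just strings naming their source, and the training and test windows are constructed by hand, not captured traffic. The knowledge-based detector takes a whitelist or blacklist the operator supplies and never changes it; the behaviour-based one is given a training period, learns per-subject packet rates per window, and then alerts both on a subject it has never seen and on a known subject whose rate deviates from the learned baseline. The sigma multiplier and the floor of 1.0 on the standard deviation are choices made for this example.

```python
"""Toy knowledge-based vs behaviour-based IDS on a constructed packet stream.

Added example, not code from the original post. Each "packet" is a string
naming its source (alice, bob, jack); windows are hand-built, not captured.
"""
from collections import Counter
from statistics import mean, pstdev


class KnowledgeBasedIDS:
    """Alerts purely from an operator-supplied database.

    A whitelist (alarm on anything NOT in the database) and a blacklist
    (alarm on anything IN the database) are the same kind of IDS: nothing
    is learned from traffic, so both are knowledge-based.
    """

    def __init__(self, entries, mode="whitelist"):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.entries = frozenset(entries)
        self.mode = mode

    def check_window(self, window):
        """Return the subjects in this window that trigger the alarm, in first-seen order."""
        alerts = []
        for subject in dict.fromkeys(window):  # de-duplicate, keep order
            listed = subject in self.entries
            if (self.mode == "whitelist" and not listed) or (self.mode == "blacklist" and listed):
                alerts.append(subject)
        return alerts


class BehaviourBasedIDS:
    """Learns per-subject packet rates from a training period, then alerts on deviation."""

    def __init__(self, sigma=3.0):
        self.sigma = sigma      # assumed threshold width; tune for real traffic
        self.baseline = {}      # subject -> (mean count per window, population stdev)

    def train(self, windows):
        """Build the baseline from windows observed during normal operation."""
        per_window = [Counter(w) for w in windows]
        subjects = set().union(*per_window)
        for s in subjects:
            series = [c[s] for c in per_window]  # 0 when absent from a window
            self.baseline[s] = (mean(series), pstdev(series))

    def check_window(self, window):
        """Return (subject, reason) for every deviation from the learned baseline."""
        alerts = []
        for subject, n in Counter(window).items():
            if subject not in self.baseline:
                alerts.append((subject, "never seen during training"))
                continue
            mu, sd = self.baseline[subject]
            # Floor of 1.0 stops a perfectly regular baseline from alerting on +1.
            threshold = mu + self.sigma * max(sd, 1.0)
            if n > threshold:
                alerts.append((subject, f"{n} packets vs baseline {mu:.1f}"))
        return alerts


# Constructed training windows: 10 packets each, only alice and bob,
# so each has mean 5 per window and a small spread.
TRAINING = [
    ["alice", "bob"] * 5,
    ["alice"] * 6 + ["bob"] * 4,
    ["alice"] * 4 + ["bob"] * 6,
    ["bob", "alice"] * 5,
]

# Test window 1: a stranger appears. Test window 2: a whitelisted user floods.
STRANGER = ["alice", "bob", "jack", "alice", "bob", "alice", "bob", "alice", "bob", "alice"]
FLOOD = ["bob"] * 9 + ["alice"]


def run_demo():
    """Run both detectors over the two test windows and return their alerts."""
    kb = KnowledgeBasedIDS(["alice", "bob"], mode="whitelist")
    bb = BehaviourBasedIDS(sigma=3.0)
    bb.train(TRAINING)
    return {
        "knowledge": {"stranger": kb.check_window(STRANGER), "flood": kb.check_window(FLOOD)},
        "behaviour": {"stranger": bb.check_window(STRANGER), "flood": bb.check_window(FLOOD)},
    }


if __name__ == "__main__":
    for ids, results in run_demo().items():
        for name, alerts in results.items():
            print(f"{ids:9s} {name:8s} -> {alerts or 'no alarm'}")
```

Both detectors flag jack, but only the behaviour-based one flags bob's flood: the whitelist has no notion of "bob is behaving unusually", because the whitelist only encodes who is allowed, which is exactly why the answer classifies it as knowledge-based.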