Page 1216 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
messages. All of these could indicate an attack that a knowledge-based detection system may not recognize.
A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. The more information provided to a behavior-based IDS about normal activities and events, the more accurately it can detect anomalies. A significant benefit of a behavior-based IDS is that it can detect newer attacks that have no signatures and are not detectable with the signature-based method.
The primary drawback for a behavior-based IDS is that it often raises a high number of false alarms, also called false alerts or false positives. Patterns of user and system activity can vary widely during normal operations, making it difficult to accurately define the boundaries of normal and abnormal activity.
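The two paragraphs above describe the mechanism (learn a baseline of normal activity, flag deviations) and its cost (false positives when the normal/abnormal boundary is set too tightly). The following added example, which is not from the study guide, makes that trade-off concrete with a toy behavior-based detector: it learns the mean and standard deviation of hourly failed-login counts from a constructed attack-free sample, then flags any hour that lies more than k standard deviations above the mean. All sample data, labels and function names here are invented for illustration.

```python
"""Added example (not from the study guide): a toy behavior-based IDS.

It learns a statistical baseline of "normal" activity from constructed sample
data, then flags observations that deviate from that baseline by more than k
standard deviations. Running it at several values of k shows the trade-off the
text describes: a tight threshold catches low-and-slow activity but raises
false positives; a loose one misses it.
"""
from statistics import mean, pstdev

# Constructed baseline: failed-login counts per hour for one account during a
# period known to be attack-free. (Invented values for illustration.)
NORMAL_FAILED_LOGINS_PER_HOUR = [0, 1, 0, 2, 1, 0, 0, 1, 3, 1, 0, 2, 1, 1, 0, 2]

# Constructed observations to score: (label, failed logins that hour, attack?).
# The ground-truth flag is used only to grade the detector; a real IDS never
# has it.
OBSERVATIONS = [
    ("Mon 09:00", 1, False),
    ("Mon 10:00", 2, False),   # user mistypes a password twice
    ("Mon 11:00", 0, False),
    ("Mon 12:00", 3, False),   # unusual but legitimate burst
    ("Tue 02:00", 40, True),   # obvious burst of failures
    ("Tue 03:00", 4, True),    # activity slows down
    ("Tue 04:00", 3, True),    # low-and-slow: looks just like the noon burst
]


def learn_baseline(samples):
    """Return (mean, population stddev) describing 'normal' for this metric."""
    return mean(samples), pstdev(samples)


def is_anomalous(value, baseline, k):
    """True if value lies more than k standard deviations above the mean."""
    mu, sigma = baseline
    if sigma == 0:
        # Degenerate baseline (training data never varied): any increase over
        # the mean is the only sensible notion of "anomalous".
        return value > mu
    return (value - mu) / sigma > k


def evaluate(observations, baseline, k):
    """Score labelled observations; return confusion-matrix counts."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _label, value, is_attack in observations:
        flagged = is_anomalous(value, baseline, k)
        if flagged and is_attack:
            counts["tp"] += 1
        elif flagged and not is_attack:
            counts["fp"] += 1      # the false alarm the text warns about
        elif not flagged and is_attack:
            counts["fn"] += 1      # missed attack: threshold too loose
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_FAILED_LOGINS_PER_HOUR)
    print(f"baseline mean={baseline[0]:.3f} stddev={baseline[1]:.3f}")
    for k in (1, 2, 3):
        c = evaluate(OBSERVATIONS, baseline, k)
        print(f"k={k}: flag if count > {baseline[0] + k * baseline[1]:.2f}  "
              f"detected={c['tp']} missed={c['fn']} false_alarms={c['fp']}")
```

With this data, k=1 catches all three attack hours but raises two false alarms, k=3 raises none but misses the low-and-slow hour, and k=2 sits in between. Note that nothing here depends on a signature: the detector never knows what the 40-failure hour "is", only that it departs from the learned baseline, which is exactly the benefit and the drawback the text describes.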
False Alarms
A challenge that many IDS administrators have is finding a balance between the number of false alarms or alerts that an IDS sends and ensuring that the IDS reports actual attacks. In one organization we know about, an IDS sent a series of alerts over a couple of days that were aggressively investigated but turned out to be false alarms. Administrators began losing faith in the system and regretted wasting time chasing these false alarms.
Later, the IDS began sending alerts on an actual attack. However, administrators were actively troubleshooting another issue that they knew was real, and they didn't have time to chase what they perceived as more false alarms. They simply dismissed the alarms on the IDS and didn't discover the attack until a few days later.
SIEM Systems

