Page 1266 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
knowledge-based IDS uses a database of attack signatures to detect
intrusion attempts but cannot recognize new attack methods. A
behavior-based system starts with a baseline of normal activity and
then measures activity against the baseline to detect abnormal activity.
A passive response will log the activity and possibly send an alert on
items of interest. An active response will change the environment to
block an attack in action. Host-based systems are installed on and
monitor individual hosts, whereas network-based systems are
installed on network devices and monitor overall network activity.
Intrusion prevention systems are placed in line with the traffic and can
block malicious traffic before it reaches the target system.
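As an added illustration of the distinctions above (example code, not from the study guide), the following Python sketch runs a constructed signature database and a constructed activity baseline over constructed web-server log lines: the burst from one host matches no signature, so only the behavior-based check flags it, and `respond()` shows passive versus active handling. Every name, rule and value here is an assumption made for this example.

```python
import re
import statistics
from collections import Counter

# Hypothetical signature database (constructed): rule name -> regex applied to each
# request line. A knowledge-based IDS can only flag what is listed here.
SIGNATURES = {
    "known-scanner-ua": re.compile(r"EvilScanner/1\.0"),
    "known-bad-cgi": re.compile(r"/cgi-bin/known_bad\.cgi"),
}

# Constructed baseline: requests per source host per minute seen during normal operation.
BASELINE = [4, 5, 3, 6, 4, 5, 5, 4, 6, 3]

# Constructed sample log lines: "<minute> <src_ip> <method> <path> <user_agent>"
SAMPLE_LOGS = [
    "10:00 10.0.0.5 GET /index.html Mozilla/5.0",
    "10:00 10.0.0.7 GET /login Mozilla/5.0",
    "10:00 10.0.0.7 GET /cgi-bin/known_bad.cgi Mozilla/5.0",
    "10:00 10.0.0.9 GET /about EvilScanner/1.0",
] + [f"10:01 10.0.0.8 GET /page{i} Mozilla/5.0" for i in range(40)]  # unsigned burst

def parse(line):
    minute, src, method, path, ua = line.split(" ", 4)
    return minute, src, f"{method} {path} {ua}"

def signature_alerts(lines):
    """Knowledge-based detection: flag only requests matching a stored signature."""
    return [(src, name) for _, src, req in map(parse, lines)
            for name, rx in SIGNATURES.items() if rx.search(req)]

def behavior_alerts(lines, baseline=BASELINE, k=3.0):
    """Behavior-based detection: flag hosts whose per-minute request count exceeds
    baseline mean + k standard deviations; no signature is needed."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter((minute, src) for minute, src, _ in map(parse, lines))
    return [(src, n) for (_, src), n in counts.items() if n > threshold]

def respond(alerts, active=False):
    """Passive response only logs and alerts; active response also changes the
    environment (here: returns the source IPs to block at the firewall)."""
    log = [f"ALERT src={src} detail={detail}" for src, detail in alerts]
    blocked = {src for src, _ in alerts} if active else set()
    return log, blocked
```

Running `signature_alerts` alone reports the two signed requests and misses the burst; `behavior_alerts` catches the burst but says nothing about the single signed requests, which is why the two approaches are deployed together.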
Honeypots, honeynets, and padded cells can be useful tools to prevent
malicious activity from occurring on a production network while
enticing intruders to stick around. They often include pseudo flaws
and fake data used to tempt attackers. Administrators and security
personnel also use these to gather evidence against attackers for
possible prosecution.
Up-to-date anti-malware software prevents many malicious code
attacks. Anti-malware software is commonly installed at the boundary
between the internet and the internal network, on email servers, and
on each system. Limiting user privileges for software installations
helps prevent accidental malware installation by users. Additionally,
educating users about different types of malware, and how criminals
try to trick users, helps them avoid risky behaviors.
Penetration testing is a useful tool to check the strength and
effectiveness of deployed security measures and an organization’s
security policies. It starts with vulnerability assessments or scans and
then attempts to exploit vulnerabilities. Penetration testing should
only be done with management approval and should be done on test
systems instead of production systems whenever possible.
Organizations often hire external consultants to perform penetration
testing and can control the amount of knowledge these consultants
have. Zero-knowledge testing is often called black-box testing,
full-knowledge testing is often called white-box or crystal-box testing,
and partial-knowledge testing is often called gray-box testing.