An IDS can perform many types of intrusion detections. Three common detection methods are signature-based, anomaly-based, and protocol-based. Which of the following best describes protocol-based detection?

• A. This detection method can include malformed messages and sequencing errors.
• B. It relies on known signatures alone.
• C. It analyzes user authentication patterns.
• D. It monitors port numbers for unusual activity.

Answer: (A)

Protocol-based detection focuses on whether the messages in a communication adhere to the protocol’s rules. It examines syntax, sequencing, and state transitions, so it can flag malformed messages and sequencing errors when a message sequence violates the protocol. This is why the option describing malformed messages and sequencing errors is the best match. Signature-based detection relies on known patterns, not on protocol correctness. Analyzing user authentication patterns aligns with anomaly-based detection. Monitoring port numbers relates to general network activity rather than protocol behavior.