Intrusion Prevention System (IPS)

Correct Answer: Ability to protect individual assets

The primary advantage of implementing a Host-based Intrusion Prevention System (HIPS) over a Network-based Intrusion Prevention System (NIPS) is the 'Ability to protect individual assets'. Host-based systems provide in-depth defense by monitoring individual host activity and protecting individual assets, while network-based systems focus more on network traffic. 'Protection against Distributed Denial of Service (DDoS) attacks' and 'Real-time prevention of traffic-based attacks' are usually more appropriate for NIPS as they are designed to protect the entire network. As for 'Better performance in high-traffic networks', this is generally a benefit of NIPS over HIPS, as NIPS are designed to handle higher network traffic levels without significant performance degradation.

Correct Answer: Inline IPS deployment

The best choice for the described scenario would be 'Inline IPS deployment'. This option operates directly on the traffic flow and has the capability to halt or block traffic depending on the conditions detected. This means it can effectively block the suspicious traffic flooding the server, reducing the chance of an intrusion attempt being successful without entirely taking the server offline, which is what the question requires. The other options are not ideal. 'Passive IPS deployment' simply monitors the traffic flow and would only issue an alert instead of taking active action to prevent the intrusion. The 'takedown' choice would mean taking the server offline, which does not align with the need to keep the server online that is indicated in the question. Lastly, 'Load balancing' would only distribute the traffic among multiple servers, which might dilute the impact but would not eliminate malicious activities.

Correct Answer: Threshold tuning

The best method to minimize the issues of false negatives and positives in an Intrusion Prevention System (IPS) is Threshold tuning. This technique involves adjusting the sensitivity of the IPS to strike a balance between detection and false alarm rates. Therefore, it helps to reduce the occurrence of both false positives (wrongly tagging legitimate activities as malicious) and false negatives (failing to detect actual intrusions). The other methods don't directly address the concern of false positives and negatives. Signature-based detection is a method that matches patterns of network traffic against a database of known attack patterns, which might not completely eliminate the possibility of false positives and negatives. Anomaly-based detection identifies intrusions by noting deviations from established patterns. While this could potentially reduce false negatives, it could increase false positives. Lastly, Stateful protocol analysis potentially could reduce false negatives/positives by considering context and state information in protocol traffic, but this relies heavily on the definitions and rules established, which doesn't eliminate the risk of false positives/negatives as threshold tuning can.