What is the key limitation of a Network-Based Intrusion Detection System (NIDS)?

A Network-Based Intrusion Detection System (NIDS) is designed to monitor and analyze network traffic for signs of malicious activity or policy violations. One key limitation of a NIDS is that it cannot prevent attacks; it can only detect and alert administrators of potential threats once they occur. This means that while a NIDS can provide valuable information and insights about intrusions in real time, it does not include mechanisms to block, mitigate, or respond to those attacks actively. Instead, the responsibility for taking action upon detection typically falls to cybersecurity personnel or other security devices, such as firewalls, that are designed to prevent attacks.

In contrast, some of the other choices involve capabilities that do not align with the primary functions of a NIDS. For instance, a NIDS is indeed capable of monitoring network traffic (which would infer that choice regarding monitoring network traffic is not a limitation). Additionally, while a NIDS can operate at various layers of the network stack, its primary focus is not limited to just the application layer. Lastly, a NIDS does not only monitor individual hosts; rather, it monitors entire network segments or traffic patterns across multiple hosts. Thus, the central aspect that distinguishes the NIDS is its inability to take preventive measures against detected attacks,