Chapter 7
Agents/Sensors
A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application.
Whitelist
A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities' access to systems or networks.
Blacklist
A list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.
Attack Protocol
A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
Honeynet
A monitored network or network segment that contains multiple honeypot systems.
Clipping Level
A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator. Also known as a threshold
Alarm clustering and compaction
A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms.
Padded Cell System
A protected honeypot that cannot be easily compromised.
known vulnerability
A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
Security Information and Event Management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.
Intrusion Detection System (IDS)
A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.
Monitoring Port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
Anomaly Based Detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
Signature Based Detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
Fully Distributed IDPS Control Strategy
An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.
Central IDPS Control Strategy
An IDPS implementation approach in which all control functions are implemented and managed in a central location.
Partially Distributed IDPS Control Strategy
An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
Inline Sensor
An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
Passive Mode
An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.
Network Based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
Host Based IDPS (HIDPS)
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.
Site Policy Awareness
An IDPS's ability to dynamically modify its configuration in response to environmental activity.
Intrusion
An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
False Positive
An alert or alarm that occurs in the absence of an actual attack.
Trap and Trace
An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
Honeypots
An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.
Pen Registers
An application that records information about outbound communications.
active vulnerability scanner
An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
log file monitor (LFM)
An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
True Attack Stimulus
An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress.
False Attack Stimulus
An event that triggers an alarm when no actual attack is in progress.
Alert or Alarm
An indication or notification that a system has just been attacked or is under attack.
zero-day vulnerability
An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss.
Signatures
Patterns that correspond to a known attack.
Enticement
The act of attracting attention to a system by placing tantalizing information in key locations. Legal
Entrapment
The act of luring a person into committing a crime in order to get a conviction. Illegal
Stateful Protocol Analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
False Negative
The failure of an IDPS to react to an actual attack event.
Attack Surface
The functions and features that a system exposes to unauthenticated users.
Intrusion Detection and Prevention System (IDPS)
The general term for a system that can both detect and modify its configuration and environment to prevent intrusions.
Confidence Value
The measure of an IDPS's ability to correctly detect and identify certain types of attacks.
Footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization.
Noise
The presence of additional and disruptive signals in network communications or electrical power delivery. Alarm events that are accurate and noteworthy but do not pose significant threats to information security.
Evasion
The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.
Tuning
The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
Alarm Filtering
The process of classifying IDPS alerts so they can be more effectively managed.
protocol stack verification
The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.
Application Protocol Verification
The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
Back Hack
The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
Site Policy
The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
Fingerprinting
The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
Port Scanners
Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
Packet Sniffer
network protocol analyzer can provide a network administrator with valuable information for diagnosing and resolving networking issues.