Chapter 8
This intruder skill level includes hackers with minimal technical skill who use existing attack toolkits; they make up the largest number of attackers and are the easiest to defend against
What is Apprentice
This IDS approach involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses; rules can also be defined that identify suspicious behavior, even when that behavior is within the bounds of established patterns of usage
What are heuristic-based approaches
The purpose of this format is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems that may need to interact with them
What is Intrusion detection exchange format
This intruder skill level includes hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered or purchased vulnerabilities; they may be able to locate new vulnerabilities similar to some already known, and are found in all intruder classes
What is Journeyman
This intruder skill level includes hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities and writing new attack toolkits; it includes the better known classical hackers and those employed by state-sponsored organizations
What is Master
This IDS approach matches a large collection of known patterns of malicious data against data stored on a system or in transit over a network; the signatures need to be large enough to minimize the false alarm rate while still detecting a sufficiently large fraction of malicious data
What is Signature based detection
This IDS analysis approach uses a set of known malicious data patterns or attack rules that are compared to current behavior; it can only identify known attacks for which it has patterns or rules, and is also known as misuse detection
What is Signature/Heuristic based detection
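Added worked example (not part of the original card deck): a small signature-based analyzer in Python that matches a set of regular-expression signatures against constructed HTTP request lines, as a sensor might hand them to the analyzer. It also shows the trade-off the cards describe: a too-short signature ("select") fires on a benign URL, while the longer "union ... select" signature does not. The signatures, the request lines and the function names are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A named pattern of known malicious data (an assumption for this example)."""
    name: str
    pattern: re.Pattern


# Illustrative signatures; real rule sets are far larger and more specific.
SIGNATURES = [
    # "union" then whitespace (raw, %20 or +) then "select": SQL injection probe
    Signature("sqli-union-select", re.compile(r"union(\s|%20|\+)+select", re.I)),
    # two or more "../" segments: directory traversal
    Signature("path-traversal", re.compile(r"(\.\./){2,}")),
    # "() { :; };" prefix: Shellshock-style environment function injection
    Signature("shellshock-env", re.compile(r"\(\)\s*\{\s*:;\s*\};")),
]

# A deliberately short signature, kept here only to show its false alarm rate.
WEAK_SIGNATURES = [Signature("sqli-select", re.compile(r"select", re.I))]

# Constructed sample input: raw request lines a network sensor might forward.
SAMPLE_REQUESTS = [
    "GET /products?id=7 HTTP/1.1",
    "GET /products?id=7%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1",
    "GET /static/../../../../etc/passwd HTTP/1.1",
    "GET /cgi-bin/status HTTP/1.1 User-Agent: () { :; }; /bin/cat /etc/passwd",
    "GET /articles/select-your-union-rep HTTP/1.1",  # benign, contains "select"
]


def scan(requests, signatures=SIGNATURES):
    """Return (request_index, signature_name) for every signature that matches."""
    alerts = []
    for idx, req in enumerate(requests):
        for sig in signatures:
            if sig.pattern.search(req):
                alerts.append((idx, sig.name))
    return alerts


def false_alarms(requests, signatures, benign_indices):
    """Count alerts raised on requests known to be benign."""
    return sum(1 for idx, _ in scan(requests, signatures) if idx in benign_indices)


if __name__ == "__main__":
    benign = {0, 4}
    print("specific signatures:", scan(SAMPLE_REQUESTS))
    print("false alarms:", false_alarms(SAMPLE_REQUESTS, SIGNATURES, benign))
    print("weak signature:", scan(SAMPLE_REQUESTS, WEAK_SIGNATURES))
    print("false alarms:", false_alarms(SAMPLE_REQUESTS, WEAK_SIGNATURES, benign))
```

Note that the matcher cannot flag request 0 even if it carried a novel attack: as the card says, misuse detection only finds what it already has a pattern for.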
This type of intruder is a member of an organized crime group with a goal of financial reward
What is a Cyber Criminal
This type of intruder's activities may include identity theft, theft of financial credentials, corporate espionage, data theft, and data ransoming
What is a Cyber Criminal
This key element of the functional model includes network packets, operating system audit logs, application audit logs, and system-generated checksum data
What is a Data Source
This key element of the functional model is the raw data that an IDS uses to detect unauthorized or undesired activity.
What is a Data Source
This type of IDS adds a specialized layer of security software to vulnerable or sensitive systems, and can use either anomaly or signature/heuristic approaches
What is a Host-based intrusion detection system
This type of honeypot consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
What is a Low Interaction Honeypot
This type of sensor is a NIC in promiscuous mode that just listens to a copy of all network traffic rather than sitting in the traffic path, and is therefore more efficient
What is a Passive sensor
This key element of the functional model collects data from the data source, and then forwards events to the analyzer
What is a Sensor
This type of intruder is a group of hackers sponsored by a government to conduct espionage or sabotage activities, also known as an advanced persistent threat
What is a State-Sponsored intruder
This type of HIDS takes the network into consideration and moves beyond the single host
What is a distributed HIDS
This detection system combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
What is a distributed or hybrid intrusion detection system
This type of honeypot is a real system, with a full OS, services and applications, which is instrumented and deployed where it can be accessed by attackers
What is a high interaction honeypot
This type of honeypot provides a more realistic target that may occupy an attacker for an extended period, but requires significantly more resources, and if compromised could be used to initiate attacks on other systems
What is a high interaction honeypot
This decoy system is designed to lure a potential attacker away from critical systems, collect information about the attacker, and encourage the attacker to stay on the system long enough for administrators to respond
What is a honeypot
This system is filled with fabricated information that a legitimate user of the system would not access; because its resources have no production value, any incoming communication is most likely a probe, scan or attack, and any outbound communication suggests the system has been compromised
What is a honeypot
This detection system monitors the characteristics of a single host for suspicious activity
What is a host-based intrusion detection system
This type of honeypot provides a less realistic target, but is often sufficient for use as a component of a distributed IDS to warn of imminent attack
What is a low interaction honeypot
This type of IDS monitors traffic at selected points on a network, and examines traffic packet by packet in real time
What is a network based intrusion detection system
This detection system monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
What is a network-based intrusion detection system
This type of intruder is either an individual or a member of a larger group of outsider attackers motivated by social or political causes
What is an Activist
This type of intruder has a low skill level, and the aim of their attacks is often to promote and publicize their cause, typically through website defacement, denial of service attacks, and theft and distribution of data
What is an Activist
This key element of the functional model is the ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator
What is an Analyzer
The disadvantage of this honeypot is that it has little or no ability to trap internal attackers.
What is an external honeypot
This type of sensor has network traffic pass through it; when combined with an existing network device such as a firewall or LAN switch it requires no additional piece of hardware, just software
What is an inline sensor
The disadvantage of this honeypot is that if it is compromised it can be used to attack other internal systems.
What is an internal honeypot
This IDS analysis approach involves the collection of data relating to the behavior of legitimate users over a period of time; current observed behavior is then analyzed to determine whether it is that of a legitimate user or that of an intruder
What is anomaly-based detection
A honeypot at this location can catch internal attacks, and can also detect a misconfigured firewall that forwards impermissible traffic from the internet to the internal network.
What is behind the firewall
This term is a hardware or software function that gathers and analyzes information from various areas within a computer or a network to identify possible security intrusions
What is intrusion detection
This type of anomaly-based detection uses an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
What is knowledge-based anomaly detection
This type of anomaly-based detection automatically determines a suitable classification model from the training data using data mining techniques
What is machine-learning anomaly detection
A honeypot deployed in this location is useful for tracking attempts to connect to unused IP addresses within the scope of the network, and does not increase the risk for the internal network
What is outside the external firewall
This term is the unauthorized act of bypassing the security mechanisms of a system
What is security intrusion
This type of anomaly-based detection is the analysis of observed behavior using univariate, multivariate, or time-series models of observed metrics
What is statistical anomaly detection
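Added worked example (not from the original deck) covering the anomaly-based and statistical anomaly cards above: a univariate statistical detector in Python. It builds a per-metric profile (mean and standard deviation) from constructed training data for legitimate users, then scores each metric of a new observation as a z-score and flags the session when any metric drifts beyond a threshold. The metric names, training values, threshold and function names are assumptions made up for illustration; a constant-valued metric is included to show the zero-variance edge case.

```python
import statistics

# Constructed training data: per-session metrics recorded for legitimate users
# over a training period. "failed_logins" is constant to exercise the
# zero-variance edge case.
TRAINING = {
    "cmds_per_min": [12, 15, 14, 13, 16, 15, 14, 13, 12, 16],
    "hosts_per_session": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
    "failed_logins": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}


def build_profile(training):
    """Univariate model per metric: (mean, population standard deviation)."""
    return {m: (statistics.fmean(v), statistics.pstdev(v)) for m, v in training.items()}


def z_scores(profile, observation):
    """Distance of each observed metric from its profile, in standard deviations."""
    scores = {}
    for metric, value in observation.items():
        mean, std = profile[metric]
        if std == 0.0:
            # Legitimate users never varied this metric: any change is maximally
            # surprising, an exact match is not surprising at all.
            scores[metric] = 0.0 if value == mean else float("inf")
        else:
            scores[metric] = abs(value - mean) / std
    return scores


def classify(profile, observation, threshold=3.0):
    """Return ("intruder" | "legitimate", [metrics over threshold])."""
    scores = z_scores(profile, observation)
    flagged = sorted(m for m, z in scores.items() if z > threshold)
    return ("intruder" if flagged else "legitimate", flagged)


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    # Constructed observations: a normal session, then a session with a
    # scripted command burst and a single failed login.
    normal = {"cmds_per_min": 15, "hosts_per_session": 3, "failed_logins": 0}
    burst = {"cmds_per_min": 40, "hosts_per_session": 3, "failed_logins": 1}
    print(classify(profile, normal))
    print(classify(profile, burst))
```

The threshold is the tuning knob the cards describe from the other side: a lower value catches more intruders but raises the false alarm rate against legitimate users whose behavior simply drifts.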
This key element of the functional model has functions that typically include sensor and analyzer configuration, event notification management, data consolidation, and reporting
What is the Manager
This key element of the functional model is the ID component or process from which the operator manages the various components of the IDS
What is the Manager
This key element of the functional model is the human that is the primary user of the IDS manager, and often monitors the output of the IDS and initiates or recommends further action
What is the Operator
This key element of the functional model is the human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS
What is the administrator