cspp Chapter 8 - Intrusion Detection - Stallings 4th ed.
F
12. An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
A
13. _________ is a document that describes the application level protocol for exchanging data between intrusion detection entities. A. RFC 4767 B. RFC 4766 C. RFC 4765 D. RFC 4764
T
14. Network-based intrusion detection makes use of signature detection and anomaly detection.
C
14. The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria. A. protocol B. direction C. action D. destination port
D
15. The _______ is the ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. A. data source B. sensor C. operator D. analyzer
D
2. A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so. A. intrusion detection B. IDS C. criminal enterprise D. security intrusion
F
2. Activists are either individuals or members of an organized crime group with a goal of financial reward.
A
3. A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
T
3. Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.
T
4. Those who hack into computers do so for the thrill of it or for status.
A
5. The ________ is responsible for determining if an intrusion has occurred. A. analyzer B. host C. user interface D. sensor
intrusion
6. Copying a database containing credit card numbers, viewing sensitive data without authorization, and guessing and cracking passwords are examples of _________ .
F
6. The IDS component responsible for collecting data is the user interface.
B
6. __________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
T
8. The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
F
9. Signature-based approaches attempt to define normal, or expected behavior, whereas anomaly approaches attempt to define proper behavior.
Information gathering or system exploit
Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.
Maintaining access
Actions such as the installation of backdoors or other malicious software or through the addition of covert authentication credentials or other configuration changes to the system.
Privilege escalation
Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their desired goals on the target system.
action
The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria.
base rate fallacy
The tendency to ignore information about general principles in favor of very specific but vivid information.
Machine-learning anomaly detection approaches
Bayesian networks, Markov models, Neural networks, Fuzzy logic, Genetic algorithms, Clustering and outlier detection
HIDS primary benefit
Can detect both external and internal intrusions
IDS Sensors
Collect data. The input can be anything that could contain intrusion evidence. Types of input are: network packets, log files and system call traces.
Distributed or hybrid IDS
Combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity
NIDS Anomaly Detection attack types
DOS, Scanning, Worms
Benefits of Network sensors on critical networks
Detects attacks targeting critical systems and resources; allows focusing of limited resources on the network assets considered of greatest value.
Benefits of Network sensors between External Firewall and Internet
Documents the number and types of attacks originating from the Internet that target the network.
Which intrusion attempts do NIDS focus on?
External
State-sponsored organizations
Groups of hackers sponsored by governments to conduct espionage or sabotage activities.
T
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
Anomaly detection
Involves the collection of data relating to the behavior of legitimate users over a period of time. Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or alternatively that of an intruder.
High interaction honeypot
Is a real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
user interface
3. The _________ to an IDS enables a user to view output from the system or control the behavior of the system.
C
4. A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
T
5. Intruders typically use steps from a common attack methodology.
Profile-based
7. _________ anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.
D
7. _________ involves the collection of data relating to the behavior of legitimate users over a period of time. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
B
8. A (n) __________ is a hacker with minimal technical skill who primarily uses existing attack toolkits. A. Master B. Apprentice C. Journeyman D. Activist
A
9. The _________ module analyzes LAN traffic and reports the results to the central manager. A. LAN monitor agent B. host agent C. central manager agent D. architecture agent
T
11. To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
B
12. A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way. A. PEP B. DDI C. IDEP D. IDME
IDS
12.The functional components of an _________ are: data source, sensor, analyzer, administration, manager, and operator.
T
13. A common location for a NIDS sensor is just inside the external firewall.
security policy
13. The _________ is the predefined formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements.
F
15. Snort can perform intrusion prevention but not intrusion detection.
Neural networks
9. _________ simulate human brain operation with neurons and the synapses between them, and classify observed data.
Rule-based anomaly detection
Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns (past behaviors).
Network - Inline Sensor
inserted into a network segment so that the traffic that it is monitoring must pass through the sensor
What are the types of attacks suitable for "Anomaly Detection Techniques"?
+ Denial of Service Attacks + Scanning + Worms
What are the types of attacks suitable for "Signature Detections Techniques"?
+ application layer reconnaissance and attacks + transport layer reconnaissance and attacks + network layer reconnaissance and attacks + unexpected application services + policy violations
Snort Actions
Alert, Log, Pass, Activate, Dynamic, Drop, Reject, Sdrop
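Added example for the Snort rule cards above (the rule action and the list of actions); this is illustration code written for this page, not Snort's own code. It parses Snort-style rules into their header fields (action, protocol, source, source port, direction, destination, destination port) plus the msg, content and sid options, and runs constructed packets through them. The rules, sids, addresses and packets are all made up for the example, and "first matching rule in file order wins" is a simplification of Snort's configurable action ordering.

```python
# Added example (not Snort's own code): a small parser and first-match engine
# for Snort-style rules. Rules, sids, addresses and packets are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}


@dataclass
class Rule:
    action: str        # what to do on a match (alert, log, pass, drop, ...)
    proto: str         # tcp, udp, icmp or ip
    src: str           # "any", a host address, or a CIDR block
    src_port: str      # "any", a port, or a range "lo:hi"
    direction: str     # "->" or "<>"
    dst: str
    dst_port: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport dir dst dport (opt:val; ...)' into a Rule.
    Simplification: options are plain key:value pairs; no |hex| content and
    no escaped ';' inside option values are supported."""
    header, _, opts = text.strip().partition("(")
    parts = header.split()
    if len(parts) != 7:
        raise ValueError(f"rule header needs 7 fields: {header!r}")
    if parts[0] not in ACTIONS:
        raise ValueError(f"unknown action {parts[0]!r}")
    if parts[4] not in ("->", "<>"):
        raise ValueError(f"bad direction {parts[4]!r}")
    options: Dict[str, str] = {}
    for item in opts.rstrip(")").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(*parts, options)


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # range such as 1024:65535, :1023 or 6000:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header match (protocol, endpoints, direction) followed by the content option."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False

    def ends(src, sport, dst, dport):
        return (_addr_match(rule.src, src) and _port_match(rule.src_port, sport)
                and _addr_match(rule.dst, dst) and _port_match(rule.dst_port, dport))

    forward = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = rule.direction == "<>" and ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not (forward or reverse):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt["payload"]


def process(rules: List[Rule], pkt: dict) -> Optional[Tuple[str, str]]:
    """Return (action, sid) of the first matching rule in file order, else None.
    Assumption: first match wins; real Snort applies a configurable action order."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.options.get("sid", "")
    return None


# Constructed rules with hypothetical sids; 192.168.1.0/24 is the "inside" network.
RULE_TEXT = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB traversal attempt"; content:"../"; sid:1000001;)',
    'drop tcp any any -> 192.168.1.0/24 23 (msg:"Telnet to internal host"; sid:1000002;)',
    'pass tcp 10.0.0.5 any -> 192.168.1.0/24 22 (msg:"Admin SSH from jump host"; sid:1000003;)',
    'alert tcp any any -> 192.168.1.0/24 22 (msg:"SSH to internal host"; sid:1000004;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]


def packet(proto, src, sport, dst, dport, payload=b""):
    """Constructed packet summary: only the fields the rule engine looks at."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


if __name__ == "__main__":
    for p in (
        packet("tcp", "203.0.113.7", 40000, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.0"),
        packet("tcp", "10.0.0.5", 5000, "192.168.1.10", 22),
        packet("tcp", "203.0.113.7", 5000, "192.168.1.10", 22),
        packet("udp", "203.0.113.7", 5000, "192.168.1.10", 53),
    ):
        print(p["src"], "->", p["dst"], p["dport"], process(RULES, p))
```

The order of the pass and alert rules for port 22 is the point worth noticing: the pass rule for the jump host is listed first, so its traffic is never alerted on, while SSH from anywhere else still matches the alert rule.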
Sequence time-delay embedding (STIDE)
An algorithm based on artificial immune system approaches, which compares observed sequences of system calls with sequences from the training phase to obtain a mismatch ratio that determines whether the sequence is normal or not.
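Added example for the STIDE card above, written for this page rather than taken from Stallings: a minimal sequence-window detector over system-call traces. Training records every window of k consecutive calls seen in normal traces; detection slides the same window over a new trace and reports the fraction of windows never seen in training. The traces, the window size k=3 and the 0.2 threshold are constructed for the example and are not values from the text.

```python
# Added example (not from Stallings or the page): a minimal STIDE-style
# detector over system-call traces. Traces are constructed; the window size
# and the threshold are assumptions, not values from the text.
from typing import List, Set, Tuple

Window = Tuple[str, ...]

# Constructed traces of a hypothetical daemon behaving normally (training phase).
TRAINING_TRACES = [
    ["open", "read", "mmap", "close", "read", "write", "close"],
    ["open", "read", "mmap", "close", "write", "close"],
    ["open", "mmap", "read", "write", "close"],
]


def windows(trace: List[str], k: int) -> List[Window]:
    """All k-length sequences of consecutive system calls in the trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_normal_db(traces: List[List[str]], k: int) -> Set[Window]:
    """Training: the set of every k-window observed in normal operation."""
    db: Set[Window] = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def mismatch_ratio(trace: List[str], db: Set[Window], k: int) -> float:
    """Detection: fraction of k-windows in the trace never seen in training.
    A trace shorter than k has no windows to judge and scores 0.0."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    return sum(1 for w in ws if w not in db) / len(ws)


def classify(trace: List[str], db: Set[Window], k: int, threshold: float) -> Tuple[str, float]:
    """Label a trace by comparing its mismatch ratio against the threshold."""
    ratio = mismatch_ratio(trace, db, k)
    return ("anomalous" if ratio > threshold else "normal"), ratio


K = 3
NORMAL_DB = build_normal_db(TRAINING_TRACES, K)

if __name__ == "__main__":
    # A normal run, and a run where the process suddenly spawns a network client.
    normal = ["open", "read", "mmap", "close", "write", "close"]
    hijacked = ["open", "read", "mmap", "close", "execve", "socket", "connect", "write", "close"]
    print(classify(normal, NORMAL_DB, K, 0.2))
    print(classify(hijacked, NORMAL_DB, K, 0.2))
```

The hijacked trace shares its first two windows with training and misses on the remaining five, giving a mismatch ratio of 5/7; the threshold is what turns that ratio into an alert, and setting it is where the false-alarm trade-off lives.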
An IDS comprises three logical components: sensors, ________, and user interface.
Analyzers
Master
Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities, or writing new powerful attack toolkits.
Apprentice
Hackers with minimal technical skill who primarily use existing attack toolkits. Also known as "script kiddies."
Journeyman
Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities; or to focus on different target groups.
False negative
IDS does not identify intruders as intruders.
False positive
IDS identifies authorized users as intruders (i.e. false alarms)
Base-rate fallacy
If the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating. (Example of the base-rate fallacy applied to an IDS.)
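Added example for the base-rate fallacy card above (written for this page, not from Stallings): Bayes' rule applied to an IDS alarm, with the base rate of intrusions, the detection rate and the false alarm rate as inputs. The rates used (1 intrusion per 10,000 events, 99% detection, 1% and then 0.001% false alarms) are assumed for illustration.

```python
# Added example (not from Stallings or the page): the base-rate fallacy worked
# through Bayes' rule for an IDS. The rates below are assumed for illustration.


def posterior_intrusion_given_alarm(base_rate: float, detection_rate: float,
                                    false_alarm_rate: float) -> float:
    """P(intrusion | alarm) = P(alarm | intrusion) P(intrusion) / P(alarm).

    base_rate:        fraction of observed events that really are intrusions
    detection_rate:   P(alarm | intrusion), the true-positive rate
    false_alarm_rate: P(alarm | legitimate), the false-positive rate
    """
    p_alarm = detection_rate * base_rate + false_alarm_rate * (1 - base_rate)
    if p_alarm == 0:
        return 0.0
    return detection_rate * base_rate / p_alarm


def daily_alarm_counts(events_per_day: float, base_rate: float, detection_rate: float,
                       false_alarm_rate: float):
    """Expected (true alarms, false alarms) per day for an analyst to triage."""
    intrusions = events_per_day * base_rate
    legitimate = events_per_day - intrusions
    return intrusions * detection_rate, legitimate * false_alarm_rate


if __name__ == "__main__":
    base, det = 1e-4, 0.99          # 1 intrusion per 10,000 events, 99% detected
    for far in (1e-2, 1e-5):        # false alarm rate above, then below, the base rate
        p = posterior_intrusion_given_alarm(base, det, far)
        true_alarms, false_alarms = daily_alarm_counts(1_000_000, base, det, far)
        print(f"FAR={far:g}: P(intrusion|alarm)={p:.4f}, "
              f"{true_alarms:.0f} true vs {false_alarms:.0f} false alarms/day")
```

With a 1% false alarm rate the detector is "99% accurate" on both classes and yet only about 1 alarm in 102 is real, because the 999,900 legitimate events per day generate roughly 10,000 false alarms against 99 true ones. Pushing the false alarm rate below the base rate (here to 1e-5) is what makes an alarm worth acting on.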
Cyber-criminals
Individuals or members of an organized crime group with a goal of financial reward
An anomaly detection approach that uses an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
Knowledge based
An anomaly detection approach that determines a suitable classification model from the training data using data mining techniques.
Machine-learning
Analyzers
Receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion has occurred.
Sensors
Sensors are responsible for collecting data. The input for a sensor may be part of a system that could contain evidence of an intrusion. Types of input to a sensor includes network packets, log files, and system call traces.
Intrusion Detection System (IDS) logical components
Sensors, Analyzers, User Interface
F
Signature-based approaches attempt to define normal, or expected behavior.
An anomaly detection approach that uses analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
Statistical
Name three categories of anomaly detection
Statistical, knowledge based, & machine learning
administrator
The ______ is the human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS.
True or false: Ideally, you want an IDS to have a high detection rate, that is, the ratio of detected to total attacks, while minimizing the false alarm rate, the ratio of incorrectly classified to total normal usage.
True
Covering tracks
Where the attacker disables or edits audit logs to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.
Windows-based systems have traditionally not used _____, as the wide usage of Dynamic Link Libraries (DLLs) as an intermediary between process requests for operating system functions and the actual system call interface has hindered the effective use of system call traces to classify process behavior.
anomaly-based HIDS
Low interaction honeypot
consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute the full version.
B
1. _________ are either individuals or members of a larger group of outsider attackers who are motivated by social or political causes. A. State-sponsored organizations B. Activists C. Cyber criminals D. Others
network-based (NIDS)
10. A ________ IDS monitors traffic at selected points on a network or interconnected set of networks.
F
10. Anomaly detection is effective against misfeasors.
D
11. A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A. passive sensor B. analysis sensor C. LAN sensor D. inline sensor
Intrusion Detection Message Exchange Requirements
11. The _________ (RFC 4766) document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF).
C
10. The purpose of the ________ module is to collect data on security related events on the host and transmit these to the central manager. A. central manager agent B. LAN monitor agent C. host agent D. architecture agent
Intruder Behavior
* Target Acquisition and Information Gathering * Initial Access * Privilege Escalation * Information Gathering or System Exploit * Maintaining Access - Backdoor installation, or some installation of other software to allow for future access * Covering Tracks - Attackers disable logs
Common intruder behaviors...
Target acquisition and information gathering, initial access, privilege escalation, information gathering or system exploit, maintaining access, and covering tracks.
T
1. An intruder can also be referred to as a hacker or cracker.
Banner grabbing
A method used to gain information about a remote system. It identifies the operating system and other details on the remote system.
Security Intrusion
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Honeypot
A security tool used to lure attackers away from the actual network components. Honeypots divert an attacker from attacking critical systems, collect information about the attacker's activity, and encourage the attacker to stay on the system long enough for the administrators to respond. They are classified as either low interaction or high interaction.
Snort
An open source, highly configurable and portable host-based or network-based IDS. Snort is referred to as a lightweight IDS. A Snort installation consists of four logical components: Packet decoder, detection engine, logger, and alerter.
Statistical anomaly detection
Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
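Added example for the profile-based and statistical anomaly detection cards above (written for this page, not from Stallings): per-user profiles built from historical audit summaries as a mean and standard deviation for each metric (a univariate model), with today's observation scored in standard deviations from the profile. The users, the daily counts and the 3-sigma threshold are constructed; it also handles two edge cases the card does not mention, a metric that never varied in training and a user with no profile at all.

```python
# Added example (not from Stallings or the page): profile-based statistical
# anomaly detection with per-user univariate metrics. All records are constructed.
import math
import statistics
from collections import defaultdict
from typing import Dict, Tuple

# Constructed historical audit summaries: (user, failed_logins, bytes_out) per day.
HISTORY = [
    ("alice", 0, 12000), ("alice", 1, 15000), ("alice", 0, 11000), ("alice", 0, 14000),
    ("alice", 1, 13000), ("alice", 0, 12500), ("alice", 1, 14500),
    ("bob", 2, 50000), ("bob", 1, 52000), ("bob", 3, 48000), ("bob", 2, 51000),
    ("bob", 2, 49000), ("bob", 1, 50500), ("bob", 2, 49500),
    ("svc", 0, 1000), ("svc", 0, 1000), ("svc", 0, 1000), ("svc", 0, 1000), ("svc", 0, 1000),
]
METRICS = ("failed_logins", "bytes_out")
Profile = Dict[str, Tuple[float, float]]  # metric -> (mean, population stdev)


def build_profiles(history) -> Dict[str, Profile]:
    """Summarize each user's past behavior as mean and stdev per metric."""
    per_user = defaultdict(lambda: {m: [] for m in METRICS})
    for user, failed, out in history:
        per_user[user]["failed_logins"].append(failed)
        per_user[user]["bytes_out"].append(out)
    return {
        user: {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in cols.items()}
        for user, cols in per_user.items()
    }


def z_scores(profile: Profile, observation: Dict[str, float]) -> Dict[str, float]:
    """Deviation of today's observation from the profile, in standard deviations.
    Edge case: a metric that never varied in training (stdev 0) scores 0 on the
    same value and infinity on any other value, instead of dividing by zero."""
    scores = {}
    for metric, value in observation.items():
        mean, sd = profile[metric]
        if sd == 0:
            scores[metric] = 0.0 if value == mean else math.inf
        else:
            scores[metric] = (value - mean) / sd
    return scores


def classify(profiles: Dict[str, Profile], user: str, observation: Dict[str, float],
             threshold: float = 3.0) -> Tuple[bool, Dict[str, float]]:
    """Return (is_anomalous, z_scores). A user with no profile is flagged,
    because there is no baseline against which to accept the activity."""
    if user not in profiles:
        return True, {}
    scores = z_scores(profiles[user], observation)
    return any(abs(z) > threshold for z in scores.values()), scores


PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    today = [
        ("alice", {"failed_logins": 1, "bytes_out": 13500}),    # ordinary day
        ("alice", {"failed_logins": 12, "bytes_out": 13000}),   # password guessing
        ("bob", {"failed_logins": 2, "bytes_out": 400000}),     # bulk export
        ("svc", {"failed_logins": 1, "bytes_out": 1000}),       # never failed before
    ]
    for user, obs in today:
        print(user, classify(PROFILES, user, obs))
```

The threshold is the tunable that sets the false alarm rate: with the constructed history, alice's twelve failed logins sit more than twenty standard deviations above her profile, while one failed login is barely one standard deviation out and passes.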
NIDS Signature Detection attack types
Application, Transport and Network layer reconnaissance and attacks, unexpected application services and policy violations
Machine-learning anomaly detection
Approaches automatically determine a suitable classification model from the training data using data mining techniques
Knowledge based anomaly detection
Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
Activists
Are either individuals working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes. They are also known as hacktivists, and their skill level might be quite low. The aim of their attacks is often to promote and publicize their cause.
NIDS location
Perimeter security infrastructure of an organization, either incorporated in, or associated with, the firewall
Passive sensor
Monitors a copy of network traffic; the actual traffic does not pass through the device.
Benefits of Network sensors to protect major backbone networks
Monitors a large amount of a network's traffic; detects unauthorized activity by authorized users within the organization.
Network-based IDS (NIDS)
Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
Host-based IDS (HIDS)
Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity
Host IDS vs Network IDS
A NIDS examines packet traffic directed towards potentially vulnerable computer systems on a network. A host-based IDS examines user and software activity on a single host.
Snort Components
Packet decoder, Detection engine, Logger, Alerter
IDS Analyzers
Receive input from sensors or other analyzers. Responsible for determining if an intrusion has occurred. Outputs if intrusion has occurred and evidence of it. Provides guidance as to what to do.
IDS Requirements
Run continually, be fault tolerant, resist subversion, impose a minimal overhead on system, configured according to system security policies, adapt to changes in systems and users, scale to monitor large numbers of systems, provide graceful degradation of service, allow dynamic reconfiguration.
A ____ attack occurs when an attacker probes a target network or system by sending different kinds of packets. Using the responses received from the target, the attacker can learn many of the system's characteristics and vulnerabilities.
Scanning
Benefits of Network sensors on the External Firewall
Sees attacks that penetrate the firewall; highlights problems with the firewall policy; sees attacks that might target Web/FTP servers; can detect outgoing traffic from compromised servers.
HIDS data sources
System call traces, audit (log file) records, file integrity checksums, registry access
Stateful protocol analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
Initial access
The initial access to a target system, typically by exploiting a remote network vulnerability, by guessing weak authentication credentials, or via the installation of malware.
Signature or Heuristic detection
Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behavior to decide if it is that of an intruder. It is also known as misuse detection. This approach can only identify known attacks for which it has patterns or rules.
Target acquisition and information gathering
Where the attacker identifies and characterizes the target systems using publicly available information, both technical and non-technical, and uses network exploration tools to map target resources.