Chapter 6


What metrics are useful for profile-based intrusion detection?

+ Counter: a non-negative integer that is incremented (but not decremented until reset) as events of a given type occur over a period of time, e.g. number of logins, number of times a command is executed, number of password failures.
+ Gauge: a non-negative integer that may go up or down, used to measure the current value of some entity, e.g. number of connections assigned to a user application, number of outgoing messages queued for a user process.
+ Interval timer: the length of time between two related events, e.g. the time between successive logins to an account.
+ Resource utilization: the quantity of a resource consumed during a specified period, e.g. total processor time consumed by a program execution.
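The four metric types computed from a small set of audit records, as an added example (not part of the original study set). The record format, the user and event names and the time windows are all constructed assumptions chosen to exercise each metric once; a real sensor would read them from login records, shell history or accounting data.

```python
"""Profile metrics (counter, gauge, interval timer, resource utilization)
computed from a constructed audit-record sample. Added example; the record
format, field names and time windows are assumptions, not from the chapter."""
from statistics import mean

# Constructed audit records: (timestamp_seconds, user, event, value).
# 'value' is the resource consumed by a job, the queue depth after an
# enqueue, or None for events that carry no measurement.
AUDIT = [
    (0,    "alice", "login_ok",     None),
    (5,    "alice", "cmd",          None),
    (30,   "alice", "job_cpu_secs", 2.5),
    (3600, "alice", "login_ok",     None),
    (3610, "alice", "cmd",          None),
    (3620, "alice", "job_cpu_secs", 4.0),
    (100,  "bob",   "login_fail",   None),
    (103,  "bob",   "login_fail",   None),
    (106,  "bob",   "login_fail",   None),
    (109,  "bob",   "login_ok",     None),
    (110,  "bob",   "enqueue",      12),   # outgoing messages now queued
    (111,  "bob",   "enqueue",      13),
]

def counter(records, user, event, start, end):
    """Counter: how many times `event` occurred for `user` in [start, end)."""
    return sum(1 for t, u, e, _ in records
               if u == user and e == event and start <= t < end)

def gauge(records, user, event):
    """Gauge: the most recent value of a measured quantity (e.g. queue depth)."""
    vals = [v for t, u, e, v in sorted(records, key=lambda r: r[0])
            if u == user and e == event]
    return vals[-1] if vals else 0

def interval_timer(records, user, event):
    """Interval timer: mean seconds between successive occurrences of `event`,
    or None when the event has not yet occurred twice."""
    times = sorted(t for t, u, e, _ in records if u == user and e == event)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps) if gaps else None

def resource_utilization(records, user, event, start, end):
    """Resource utilization: total of a consumed quantity (e.g. CPU seconds)
    over [start, end)."""
    return sum(v for t, u, e, v in records
               if u == user and e == event and start <= t < end)

def profile(records, users):
    """One row per user: the shape an analyzer compares against a baseline."""
    return {u: {
        "login_failures_first_hour": counter(records, u, "login_fail", 0, 3600),
        "queued_messages": gauge(records, u, "enqueue"),
        "mean_secs_between_logins": interval_timer(records, u, "login_ok"),
        "cpu_secs_used": resource_utilization(records, u, "job_cpu_secs", 0, 7200),
    } for u in users}

if __name__ == "__main__":
    for user, row in profile(AUDIT, ["alice", "bob"]).items():
        print(user, row)
```

Note the difference between the counter and the gauge: the failed-login counter for bob can only grow within its window, whereas the queue-depth gauge reports the latest reading (13) and would fall again as messages drain.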

What is the difference between a distributed host-based IDS and a NIDS?

+ Distributed host-based IDS: a set of host-based agents, each examining user and software activity on its own host, that report to a central manager which correlates the data across hosts.
+ Network-based IDS: monitors traffic at selected points on a network rather than activity on any one host.

Describe the differences between a host-based IDS and a network-based IDS.

+ Host-based IDS: monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
+ Network-based IDS: monitors network traffic for particular network segments and analyses network, transport and application protocols to identify suspicious activity.

What are three benefits that can be provided by an IDS?

+ If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised.
+ An effective intrusion detection system can serve as a deterrent, thereby acting to prevent intrusions.
+ Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

List and briefly define three classes of intruders.

+ Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
+ Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
+ Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

List some desirable characteristics of an IDS?

+ Run continually with minimal human supervision; it must be able to recover from system crashes and reinitializations.
+ Resist subversion: the IDS must be able to monitor itself so that attempts to modify or disable it are detected.
+ Impose a minimal overhead on the system where it is running.
+ Be able to adapt to changes in system and user behavior over time.
+ Be able to scale to monitor a large number of hosts.

Describe the three logical components of an IDS.

+ Sensor: responsible for collecting data; its input includes network packets, log files and system call traces.
+ Analyzer: receives input from one or more sensors and is responsible for determining whether an intrusion has occurred. Its output is an indication that an intrusion has occurred and may include evidence supporting that conclusion.
+ User interface: enables a user to view the output of the system or to control its behavior.

Describe the types of sensors that can be used in NIDS.

+ Inline sensors: inserted into a network segment so that the traffic being monitored must pass through the sensor; able to block an attack when one is detected, but may slow down the network; may be integrated into a firewall or a LAN switch.
+ Passive sensors: monitor a copy of the network traffic (delivered by a network tap or a switch span/mirror port) and do not slow the network down; extra hardware is needed, and a passive sensor can only alert, not block.

What are possible locations for NIDS sensors?

+ Just inside the external firewall.
+ Between the external firewall and the Internet.
+ In front of internal servers and database resources.
+ In front of the workstation networks.

What is the difference between anomaly detection and signature intrusion detection?

Anomaly detection: involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. The two approaches are threshold detection (counting events and alarming when a count exceeds a limit) and profile-based detection (comparing a user's current activity against a stored profile of past activity). It can detect previously unseen attacks but tends to produce false alarms. Signature detection: involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder. It produces few false alarms but cannot detect an attack for which no rule exists.
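The two approaches side by side, as an added example that is not part of the original study set. The anomaly half builds a profile (mean and spread of an account's daily failed-login count) from a constructed two-week history and applies threshold detection to a new day's count; the signature half matches request strings against a small rule set. The history, the three-sigma cutoff and the three patterns are assumptions chosen for illustration, not rules from any real IDS.

```python
"""Threshold-based anomaly detection beside signature detection over
constructed inputs. Added example; the baseline, the z-score cutoff and
the signature rules are assumptions, not from the chapter."""
import re
from statistics import mean, pstdev

# Constructed training data: failed logins per day for one account over
# two weeks of legitimate use.
HISTORY = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 4, 2, 3, 2]

def build_profile(history):
    """Profile-based detection needs a baseline: mean and spread of the metric."""
    return {"mean": mean(history), "stdev": pstdev(history)}

def anomaly_score(value, profile):
    """How many standard deviations today's count sits above the baseline."""
    if profile["stdev"] == 0:
        return float("inf") if value != profile["mean"] else 0.0
    return (value - profile["mean"]) / profile["stdev"]

def anomaly_alert(value, profile, threshold=3.0):
    """Threshold detection: alert when the deviation exceeds the cutoff.
    A value inside the cutoff is treated as legitimate even if it is an
    attack (a slow password-guessing run), the blind spot of this approach."""
    return anomaly_score(value, profile) > threshold

# Signature rules: a name and a pattern characterising a known attack.
# Nothing outside the rule set is detected, the blind spot of signature detection.
SIGNATURES = [
    ("path_traversal", re.compile(r"(\.\./){2,}")),
    ("sqli_tautology", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("shellshock_env", re.compile(r"\(\)\s*\{\s*:;\s*\};")),
]

def signature_matches(request):
    """Return the names of every signature the request matches."""
    return [name for name, pat in SIGNATURES if pat.search(request)]

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    print("profile:", prof)
    for today in (4, 6, 40):   # 4 is within normal variation; 6 and 40 are not
        print(f"{today} failures -> score {anomaly_score(today, prof):.1f},"
              f" alert={anomaly_alert(today, prof)}")
    for r in ["GET /index.html",
              "GET /../../../../etc/passwd",
              "POST /login user=admin' OR '1'='1",
              "User-Agent: () { :; }; /bin/bash -c id"]:
        print(r, "->", signature_matches(r))
```

The two failure modes the flashcard describes fall straight out of the code: four failed logins never trips the anomaly cutoff whether they are typos or an attacker pacing a guessing run, and a request carrying an attack that none of the three patterns describe returns an empty match list.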

What is a honeypot?

Honeypots are decoy systems designed to lure a potential attacker away from critical systems. Because a honeypot has no production role, any access to it is suspect. Honeypots can divert an attacker, collect information about the attacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.

What is the difference between rule-based anomaly detection and rule-based penetration identification?

Rule-based anomaly detection: historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. Current behavior is then observed, and each transaction is matched against the set of rules to determine whether it conforms to any historically observed pattern. Rule-based penetration identification: uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet.
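Rule-based anomaly detection carried through on constructed data, as an added example that is not part of the original study set. Rules are generated automatically from a historical audit trail (per user: the source hosts, hour-of-day window and programs seen), and each new transaction is matched against them to report which parts of the historical pattern it does not conform to. The record fields, the rule form and the sample users are assumptions.

```python
"""Rule-based anomaly detection: rules generated automatically from
historical audit records, then each new transaction matched against them.
Added example; the record fields and the rule form are assumptions."""
from collections import defaultdict

# Constructed historical audit records: (user, source_host, hour_of_day, program).
AUDIT_HISTORY = [
    ("alice", "ws-12", 9,  "ssh"),
    ("alice", "ws-12", 10, "git"),
    ("alice", "ws-12", 14, "psql"),
    ("alice", "vpn-3", 17, "ssh"),
    ("bob",   "ws-07", 8,  "ssh"),
    ("bob",   "ws-07", 11, "make"),
    ("bob",   "ws-07", 15, "make"),
]

def generate_rules(history):
    """Derive one rule per user from observed usage: the hosts, the hour
    window and the programs seen. Each rule describes a historically
    observed pattern; nothing is hand-written."""
    hosts, hours, progs = defaultdict(set), defaultdict(list), defaultdict(set)
    for user, host, hour, prog in history:
        hosts[user].add(host)
        hours[user].append(hour)
        progs[user].add(prog)
    return {u: {"hosts": hosts[u],
                "hours": (min(hours[u]), max(hours[u])),
                "programs": progs[u]} for u in hosts}

def violations(rules, transaction):
    """Match a current transaction against the rule set and return the
    elements of the user's historical pattern it fails to conform to.
    An empty list means the transaction matches a known pattern."""
    user, host, hour, prog = transaction
    rule = rules.get(user)
    if rule is None:
        return ["unknown_user"]
    out = []
    if host not in rule["hosts"]:
        out.append("host")
    lo, hi = rule["hours"]
    if not lo <= hour <= hi:
        out.append("hour")
    if prog not in rule["programs"]:
        out.append("program")
    return out

if __name__ == "__main__":
    rules = generate_rules(AUDIT_HISTORY)
    for t in [("alice", "ws-12", 11, "git"),      # conforms to alice's pattern
              ("bob", "ws-99", 3, "nc"),          # new host, 03:00, new program
              ("mallory", "ws-07", 9, "ssh")]:    # never seen in the history
        print(t, "->", violations(rules, t) or "conforms")
```

The same matching machinery would serve rule-based penetration identification; the difference is only where the rules come from (analysis of attack tools rather than of the site's own audit records).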

Explain the base-rate fallacy.

The base-rate fallacy is an error that occurs when the conditional probability of some hypothesis H (is this an intruder?) given some evidence E (an alarm on network data) is assessed without taking into account the prior probability of H and the total probability of the evidence E. If the actual number of intrusions is low compared to the number of legitimate uses of a system, then even a detector with a small false-positive rate raises far more false alarms than true ones, so most alarms are false unless the test is extremely discriminating. This is known as the base-rate fallacy.
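The fallacy worked through with Bayes' rule, as an added example that is not part of the original study set. The prior (one hostile record in ten thousand), the 99% detection rate, the 1% false-alarm rate and the one million records per day are illustrative figures assumed here, not numbers from the chapter.

```python
"""Base-rate fallacy worked through with Bayes' rule. Added example; the
prior, detection rate, false-alarm rate and daily volume are assumed
illustrative figures."""

def p_intruder_given_alarm(prior, tpr, fpr):
    """P(H | E): probability that an alarm really is an intrusion.
    prior = P(H), tpr = P(E | H), fpr = P(E | not H).
    P(E) = P(E|H)P(H) + P(E|not H)P(not H) is the total probability of the
    evidence that the fallacy ignores."""
    p_alarm = tpr * prior + fpr * (1 - prior)
    return tpr * prior / p_alarm

def fpr_for_target_precision(prior, tpr, target):
    """Largest false-alarm rate that still yields P(H | E) >= target,
    i.e. how discriminating the test must be at this base rate."""
    tp = tpr * prior
    return tp * (1 - target) / (target * (1 - prior))

def daily_alarms(prior, tpr, fpr, records_per_day):
    """(true alarms, false alarms) an analyst would see per day."""
    n_bad = prior * records_per_day
    return round(tpr * n_bad), round(fpr * (records_per_day - n_bad))

if __name__ == "__main__":
    prior, tpr, fpr = 1e-4, 0.99, 0.01   # 1 in 10,000 records is hostile
    print(f"P(intruder | alarm) = {p_intruder_given_alarm(prior, tpr, fpr):.4f}")
    print("alarms/day (true, false):", daily_alarms(prior, tpr, fpr, 1_000_000))
    print(f"FPR needed for 50% precision: "
          f"{fpr_for_target_precision(prior, tpr, 0.5):.2e}")
```

With these figures a 99%-accurate detector with a 1% false-alarm rate is right about one alarm in a hundred: roughly 99 true alarms a day buried under about 10,000 false ones. To make half the alarms real, the false-alarm rate has to fall below one in ten thousand, which is the "extremely discriminating" test the flashcard refers to.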
