5.9.1: Quiz IDS/IPS (Doshi) Flashcards
An organization has installed a IDS which monitor general patterns of activity and creates the database. Which of the following intrusion detection systems (IDSs) has this feature?
A. Packet filtering
B. Signature-based
C. Statistical-based
D. Neural networks
D. Neural networks
The component of an IDS that collects the data is:
A. Sensor
B. Analyzer
C. User interface
D. Administration console
A. Sensor
Even for normal activity, which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms?
A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based
A. Statistical-based
Statistical based IDS determine normal (known and expected) behaviour of the system. Any activity which falls outside the scope of normal behaviour is flagged as intrusion. Statistical based IDS is most likely to generate false positive (i.e. false alarm) as compared to other IDS. Since normal network activity may include unexpected behaviour (e.g., frequent download by multiple users), these activities will be flagged as suspicious.
An IS auditor is reviewing installation of intrusion detection system (IDS). Which of the following is a GREATEST concern?
A. number of non-alarming events identified as alarming
B. system not able to identify the alarming attacks
C. automated tool is used for analysis of reports/logs
D. traffic from known source is blocked by IDS
B. system not able to identify the alarming attacks
Major concern will be of system not able to identify the alarming attacks. They present a higher risk because attacks will be unnoticed and no action will be taken to address the attack. High false positive is a concern but not a major concern. Also, logs/reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem, and an IDS does not block any traffic.
An organization wants to detect attack attempts that the firewall is unable to recognize. A network intrusion detection system (IDS) between the:
A. Internet and the firewall
B. firewall and organization’s internal network
C. Internet and the IDS.
D. IDS and internal network
B. firewall and organization’s internal network
Which of the following is a function of an intrusion detection system (IDS)?
A. obtain evidence on intrusive activity
B. control the access on the basis of defined rule
C. blocking access to websites for unauthorized users
D.preventing access to servers for unauthorized users
A. obtain evidence on intrusive activity
Obtaining evidence on intrusive activity is a function of IDS. Other options are functions of firewall.
Which of the following is the most routine problem in implementation of intrusion detection system (IDS)?
A. instances of false rejection rate.
B. instances of false acceptance rate.
C. instances of false positives.
D. denial-of-service attacks.
C. instances of false positives.
Main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives (i.e. false alarm). Option A & B are the concerns of biometric implementation. Denial of service is a type of attack and is not a problem in the operation of IDSs.
Attempts of intrusion attacks and penetration threat to a network can be detected by which of the following by analyzing the behavior of the system?
A. Router
B. Intrusion detection system (IDs)
C. Stateful inspection
D. Packet filters
B. Intrusion detection system (IDs)
IDS determine normal (known and expected) behaviour of the system. Any activity which falls outside the scope of normal behaviour is flagged as intrusion. Router, Stateful inspection and packet filters are types of firewalls designed to block certain types of communications routed or passing through specific ports. It is not designed to discover someone bypassing or going under the firewall
To detect intrusion, BEST control would be:
A.Controlled procedure for granting user access
B.Inactive system to be automatically logged off after time limit.
C.Actively monitor unsuccessful login attempts.
D. Deactivate the user ID after specified unsuccessful login attempts.
C. Actively monitor unsuccessful login attempts.
BEST method to detect the intrusion is to actively monitor the unsuccessful logins. Deactivating the user ID is preventive method and not detective
An IS auditor reviewing the implementation of IDS should be most concerned if:
A. High instances of false alarm by statistical based IDS.
B.IDS is placed between firewall and internal network.
C.IDS is used to detect encrypted traffic.
D.Signature based IDS is not able to identify new threats.
C.IDS is used to detect encrypted traffic.
IDS cannot detect attacks which are in form of encrypted traffic. So if organization has misunderstood that IDS can detect encrypted traffic also and accordingly designed its control strategy, then it is major concern.
Of all three IDS (i.e. (i) signature (ii) statistics and (iii) neural network), neural network is more effective in detecting fraud because:
A. Intrusion is identified on the basis of known type of attacks.
B. Any activity which falls outside the scope of normal behaviour is flagged as intrusion.
C. IDS monitor the general pattern of activities and create a database and attacks problems that require consideration of a large number of input variables.
D. IDS solves the problem where large and where large database is not required.
C. IDS monitor the general pattern of activities and create a database and attacks problems that require consideration of a large number of input variables.
Neural networks monitor the general pattern of activities and create a database and attacks problems that require consideration of a large number of input variables. They are capable of capturing relationships and patterns often missed by other statistical methods. Option A is feature of signature based IDS. Option B is feature of statistics based IDS.
