Intrusion Detection

Question 1

Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes

Aim of their attacks is often to promote and publicize their cause typically through:
Website defacement
DoS attacks
theft and distribution of data that results in negative publicity or compromise of their targets.

Answer 1

Activists

Question 2

Individuals or members of an organized crime group with a goal of financial reward

Answer 2

Cyber Criminals

Question 3

Groups of hackers sponsored by governments to conduct espionage or sabotage activities

Answer 3

State-Sponsored Organizations (APTs)

Question 4

Hackers with minimal technical skill who primarily use existing attack toolkits

Answer 4

Apprentice

Question 5

Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities

Answer 5

Journeyman

Question 6

Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities

Answer 6

Master

Question 7

What are the Intruder Skill Levels?

Answer 7

Apprentice
Journeyman
Master

Question 8

What is Intruder Behavior

Answer 8

Target acquisition and information gathering
Initial access
Privilege escalation
Information gathering or system exploit 
Maintaining access
Covering tracks

Question 9

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Answer 9

Security Intrusion

Question 10

A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Answer 10

Intrusion Detection

Question 11

What are the three logical components of the Intrusion Detection System (IDS)

Answer 11

• Sensors - collect data
• Analyzers - determine if intrusion has occurred
• User interface - view output or control system behavior

Question 12

Monitors the characteristics of

a single host for suspicious activity

Answer 12

Host-based IDS (HIDS)

Question 13

Monitors network traffic and

analyzes network, transport, and application protocols to identify suspicious activity

Answer 13

Network-based IDS (NIDS)

Question 14

Combines information from a number of sensors, often both
host and network based, in a central analyzer that is able to
better identify and respond to intrusion activity

Answer 14

Distributed or hybrid IDS

Question 15

Involves the collection of data relating to the behavior of legitimate users over a period of time
Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

Answer 15

Anomaly detection

Question 16

What are analysis approaches?

Answer 16

Anomaly detection

Signature/Heuristic detection

Question 17

Uses a set of known malicious data patterns or attack rules that are compared with current behavior
Also known as misuse detection
Can only identify known attacks for which it has patterns or rules

Answer 17

Signature/Heuristic detection

Question 18

What are the classification approaches used for Anomaly Detection

Answer 18

Statistical
Knowledge based
Machine learning

Question 19

Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics

Answer 19

Statistical

Question 20

Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior

Answer 20

Knowledge based

Question 21

Approaches automatically determine a suitable classification model from the training data using data mining techniques

Answer 21

Machine learning