5.9: IDS and IPS (Doshi) Flashcards

1
Q

What is an IDS?

A

Device or software application that monitors a network (network based IDS) or monitors a system (host based IDS) for intrusive activities

2
Q

Is an IDS a substitute for a firewall?

A

No, it complements the function of a firewall.

3
Q

Monitoring activities : Network based IDS vs Host based IDS

A

Network based IDS monitors activities on an identified network.

Host based IDS monitors activities on a particular single system or host.

4
Q

False positive rate : Network based IDS vs Host based IDS

A

The false positive rate (wrong alarm) is HIGH for network based IDS.

The false positive rate (wrong alarm) is LOW for host based IDS.

5
Q

What does each IDS detect

A

Network based IDS is better for detecting attacks from outside.

Host based IDS is better for detecting attacks from an insider.

6
Q

What do network based IDS check for

A

They check for attacks or irregular behavior by inspecting the contents and header information of all packets moving across the network.

7
Q

What do host based IDS check for?

A

They can detect activity on the host computer such as the deletion of files or the modification of programs.

8
Q

Components of an IDS:

A

Sensors / analyzers / administrative console / user interface

9
Q

What does a sensor do?

A

Collects the data (in the form of network packets or log files) and sends it to the analyzer.

10
Q

What does an analyzer do?

A

It analyzes the data and determines the intrusive activity.

11
Q

User interface?

A

Enables the user to view results and take necessary action.

12
Q

Administrative console:

A

To manage the IDS rules and functions.

13
Q

Types of IDS:

A

Signature based / statistical based / neural network

14
Q

Signature based IDS

A

Intrusion is identified based on known types of attacks. Such known patterns are stored in the form of signatures.

15
Q

Statistical based

A

Determines the (known and expected) behavior of the system. Any activity that falls outside the scope of normal behavior is flagged as an intrusion.

16
Q

Neural network

A

It is similar to a statistical IDS, but with added self-learning functionality. It monitors the general pattern of activities and creates a database.

17
Q

Limitation of IDS

A

Cannot detect application level vulnerabilities
Cannot detect back doors into applications
Cannot detect encrypted traffic

18
Q

Network IDS placed between internet and firewall

A

It will detect all the attack attempts (whether or not they enter the firewall).

19
Q

Network IDS placed between firewall and the corporate network

A

It will detect only those attempts which enter the firewall (cases where the firewall failed to block the attack).

20
Q

IPS vs IDS

A

IDS only monitors and records the intrusion activities.

IPS detects and prevents intrusions.

21
Q

Challenges in implementation of IPS

A

Threshold limits that are too high or too low will reduce the effectiveness of the IPS.
The IPS may itself become a threat when attackers send commands to a large number of hosts protected by the IPS to make them dysfunctional.

22
Q

Which IDS creates its own database?

A

Neural Network

23
Q

Which IDS system is effective in detecting fraud?

A

Neural Network

24
Q

Which IDS generates MOST false positives (false alarms)?

A

Statistical based IDS

25
In any given scenario, out of all three IDS types (i.e. (i) signature, (ii) statistical and (iii) neural network), the neural network IDS creates its own database.
26
Of all three IDS types (i.e. (i) signature, (ii) statistical and (iii) neural network), the neural network IDS is more effective in detecting fraud.
27
In any given scenario, out of all three IDS types (i.e. (i) signature, (ii) statistical and (iii) neural network), the statistical based IDS generates the most false positives (false alarms).
28
In any given scenario, out of the four components of an IDS (i.e. (i) sensor, (ii) analyzer, (iii) admin console and (iv) user interface), the sensor collects the data and sends it to the analyzer for data analysis.
29
In any given scenario, the MOST important concern of an IDS implementation is that attacks are not identified/detected by the IDS.