IDS

Question 1

What is IDS?

Answer 1

“Intrusion Detection System”

Can be seen as the networks anti-virus.

Looks at every bit of data that goes into the network

Question 2

What are the 4 IDS Objectives

Answer 2

1. Detect a variety of intrusions
2. Analysis in a simple, easy-to-understand format
3. Detection in timely fashion (within short period of time)
4. Be accurate (False positives & negatives)

Question 3

What is the types of detection?

Answer 3

Packet filter - Looks at packets like a bunch of bytes.

Application filter - Knows that there is HTTP, FTF…

Stateful filter - Track connections and their states.

Deep packet inspection -
Analyses entire packet payload instead of just header information, Computationally much more expensive, Used for lawful interception & censorship (The great firewall)

Question 4

Describe the NIDS placements

Answer 4

In-Band NIDS - Between network and node. Possible to silently drop packets. More error prone. Trickier to deploy, may increase network latency

Out-of-Band NIDS - Outside and gets copies. Can be too late when discovered.

Question 5

What are the two models of detection?

Answer 5

Anomalies & Heuristics (pattern matching)

Question 6

Describe heuristics (pattern matching)

Answer 6

Operates by using a pre-programmed list of known threats and their indicators of compromise.

Types:
Misuse modelling (rule-based) - Focuses on predefined rules for known attacks or vulnerabilities.

Specification modelling (rule-based) - Concentrates on defining normal or expected behavior, identifying deviations from the norm.

Question 7

Describe Anomaly Detection

Answer 7

Checks for something that is not right.

Anomaly detection systems (ADS) are either self-learning or learning by example.

Question 8

What are some problems with pattern matching

Answer 8

Number of signatures always increase
Network speed increases
Encoding/obfuscation
Should avoid rescanning data and support stream-based scanning

Question 9

Challanges to IDS

Answer 9

No or very few false positives & false negatives

Encrypted traffic

Networks can be too fast

A lot of automated attacks

Failover mode

Question 10

What is meant by the Base Rate Fallacy?

Answer 10

1% is good but can be bad if the underlying base rate is highly asymmetric.
This must be kept in mind when evaluating IDS performance.

Question 11

What is meant by ”The base rate fallacy”

Answer 11

It refers to the tendancy to ignore relevant statistical information in favor of case-specific information.

Must be kept in mind when evaluating IDS performance.

1% false positives and negatives rate sounds good but can be bad if highly asymmetrical.

Question 12

What are false positives and false negatives?

Answer 12

False positives are benign packets that are falsely marked as malicious.

False negatives are the other way around.

Question 13

What are the ids data sources

Answer 13

Truncated network data
Raw network data
Network flows

Question 14

Challanges for ADS

Answer 14

Hard to model normality

Hard to get training data

Semantic gap between anomaly and actual attack

Not easy to configure