Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

cs6035 Test 2 > Intrusion Detection > Flashcards

Intrusion Detection Flashcards

1
Q

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. (T/F)

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

o be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. (T/F)

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.(T/F)

A

False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A common location for a NIDS sensor is just inside the external firewall.(T/F)

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Network-based intrusion detection makes use of signature detection and anomaly detection.(T/F)

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A _______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

A

host-based IDS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

_______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.

A

Signature detection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

_______ involves the collection of data relating to the behavior of legitimate users over a period of time.

A

Anomaly detection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A(n) ______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.

A

inline sensor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.

A

analyzer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Intrusion Defined

A

any attack that aims to compromise the security goals of an organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Intrusion Examples

A

• Performing a remote root compromise of an e-mail server
• Defacing a Web server with inappropriate web contents
• Guessing and cracking passwords
• Stealing a database containing credit card numbers
• Reading sensitive data, including payroll records and medical information,
without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated
software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Firewalls distinguished from IDS

A

Firewalls and IDS’s are both part of a network security system. A firewall is designed to prevent an intrusion and an IDS is designed to detect an intrusion.

F - tries to stop intrusion from happening
I - tries to evaluate an intrusion after it has happened
I -watches for intrusions that start within the system
F -limits access between networks to prevent intrusion

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Classes of Intruders

A

Cyber criminals

Activists

State-sponsored organizations

Other

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Intruder skill levels

A

Apprentice

Journeyman (sfficient to modify and extend attack toolkits)

Master (high level skill, discovering new categories of vulnerabilities, writing new attack toolkits)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

intruders typically use steps from a common attack methodology

A

Target Acquisition and Information Gathering:

  • -that is, the attacker identifies and characterizes the target systems using publicly available information, both technical and non-technical, and use network exploration tools to map target resources.
  • -Initial Access: this is typically accomplished by exploiting a remote network vulnerability, e.g., by guessing weak authentication credentials used in a remote service, or via the installation of malware on the system using some form of social engineering or drive-by-download.

• Privilege Escalation:
–Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their more powerful attacks on the target system.

• Information Gathering or System Exploit:
–Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.

• Maintaining Access:
–Actions such as the installation of backdoors or other malicious software, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack.

• Covering Tracks:
–Where the attacker disables or edits audit logs, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Components of Intrusion Detection

A

Sensors

Analyzers

User Interface

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Intrusion Detection Primary assumptions

A

System activities are observable

Normal and intrusive activities have distinct evidence

19
Q

IDS Classification

A

Host-based IDS
-monitors single host and events occurring within the host

Network-based IDS
-monitors network traffic for particular network segments or devices

Distributed or Hybrid IDS
-combines info from many sensors

20
Q

Analysis Approaches

A

Anomaly detection

Signature or heuristic-based detection

21
Q

Anomaly detection

A

Involves the collection of data relating to the behavior of legitimate users over a period of time. Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or that of an intruder.

anomaly approaches aim to define or characterize normal, or expected, behaviors, in order to identify malicious or unauthorized behavior.

22
Q

Signature or heuristic-based detection

A

Signature or heuristic-based approaches directly define malicious or unauthorized behavior. They can quickly and efficiently identify known attacks. However only anomaly detection is able to detect unknown, zero-day attacks, because it starts with known good behavior and identifies anomalies to it.

23
Q

Signature or heuristic-based detection

A

Signature or heuristic-based approaches directly define malicious or unauthorized behavior.

They can quickly and efficiently identify known attacks. However only anomaly detection is able to detect unknown, zero-day attacks, because it starts with known good behavior and identifies anomalies to it.

Uses a set of known malicious data patterns or attack rules that are compared with current behavior

Also known as misuse detection

Can only identify known attacks for which it has patterns or rules

Rule based heuristic identification

24
Q

Types of Host based intrusion detection

A

Anomaly HIDS

Signature or Heuristic HIDS

Distributed HIDS

25
Network Based Intrusion Detection
Monitors traffic at selected points on a network or interconnected set of networks Typically in perimeter security infrastructure
26
2 Types/Modes of Network Sensors
Inline sensor -- inserted into network segment so traffic that it is monitors must pass through the sensor Passive sensor --monitors a copy of network traffic, so actual traffic does not pass through it
27
Anomaly Detection Classification of Approaches
* Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics. * Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior. * Machine-learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.
28
4 Locations of NIDS sensor and advantages
Place NIDS sensor just inside external firewall. Advantages: - -sees attacks originating from outside world that penetrate perimeter defenses - -highlights problems - -sees attacks targeting web or ftp server - -can recognize outgoing traffic that results from compromised server sensor between external firewall and internet or WAN. --documents number and types attacks originating on internet targeting the network sensor at major backbone networks (eg supporting internal servers/DBs) - -monitors large amount of traffic - -detects unauthorized activity within org sensor at critical subsystems (personal or financial system) - -detects attacks targeting critical systems/resources - -focuses limited resources
29
Signature Approach | Advantages & Disadvantages
Advantages: - -Low cost in time and resource use - -Wide Acceptance Disadvantages: - -Significant effort to identify and review new malware to create signatures - -inability to detect zero-day attacks
30
Rule-Based Detection
Instead of using only signatures of known attacks, a misuse detection systems can also use a more sophisticated, rule-based approach. Rule-based detection involves the use of rules for identifying known penetrations or penetrations that would exploit known vulnerabilities. Rules are specified to process and analyze activity data and match multiple signatures or patterns. Typically, the rules used in these systems are specific to the machine and operating system. The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet. These rules can be supplemented with rules generated by knowledgeable security personnel. In this latter case, the normal procedure is to interview system administrators and security analysts to collect a suite of known penetration scenarios and key events that threaten the security of the target system. The SNORT system is an example of a rule-based NIDS. A large collection of rules exists for it to detect a wide variety of network attacks.
31
Network Based IDS
A network-based IDS (NIDS) monitors traffic at selected points on a network or interconnected set of networks. The NIDS examines the traffic packet by packet in real time, or close to real time, to attempt to detect intrusion patterns. The NIDS may examine network-, transport-, and/or application-level protocol activities. Note the contrast with a host-based IDS; a NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network. A typical NIDS facility includes a number of sensors to monitor packet traffic, one or more servers for NIDS management functions, and one or more management consoles for the human interface. The analysis of traffic patterns to detect intrusions may be done at the sensor, at the management server, or some combination of the two
32
Inline Sensors
Used to block an attack when one is detected, performing both intrusion detection and prevention functions An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. Can be achieved by: - -Combining NIDS sensor logic with a firewall or LAN switch. This has the advantage of no additional hardware is needed - -Using a stand-alone inline NIDS sensor
33
Passive Sensors
A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device Passive sensors are more efficient
34
Firewall Versus Network IDS
Firewall - -Active filtering - -Fail-close Network IDS - -Passive monitoring - -Fail-open
35
SNORT
Open source Highly configurable Lightweight IDS Characteristics: - -Easily deployed on most nodes - -Efficient operation - -Easily configured by system administrators Performs real-time packet capture Detects a variety of attacks and probes
36
Types of attacks suitable for signature detection
Application layer reconnaissance and attacks Transport layer reconnaissance and attacks Network layer reconnaissance and attacks Unexpected application services Policy violations
37
Anomaly detection suitable for these types of attacks
Denial of service attacks Scanning Worms
38
SNORT logical components
Packet decoder: The packet decoder processes each captured packet to identify and isolate protocol headers at the data link, network, transport, and application layers. --The decoder is designed to be as efficient as possible and its primary work consists of setting pointers so that the various protocol headers can be easily extracted. ``` • Detection engine: The detection engine does the actual work of intrusion detection. This module analyzes each packet based on a set of rules defined for this configuration of Snort by the security administrator. In essence, each packet is checked against all the rules to determine if the packet matches the characteristics defined by a rule. -- The first rule that matches the decoded packet triggers the action specified by the rule. If no rule matches the packet, the detection engine discards the packet. ``` • Logger: For each packet that matches a rule, the rule specifies what logging and alerting options are to be taken. When a logger option is selected, the logger stores the detected packet in human readable format or in a more compact binary format in a designated log file. The security administrator can then use the log file for later analysis. • Alerter: For each detected packet, an alert can be sent. The alert option in the matching rule determines what information is included in the event notification. The event notification can be sent to a file, to a UNIX socket, or to a database. Alerting may also be turned off during testing or penetration studies. Using the UNIX socket, t
39
Intrusion Detection Exchange Format
# define data formats and exchange procedures for info on intrusion detection and response Functional components: Data source Sensor Analyzer Administrator Manager Operator
40
Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems. Honeypots are designed to: - -divert an attacker - -collect information about an attacker - -encourage an attacker to stay long enough for administrators to respond Honeypots are filled with fabricated information Any accesses to a honeypot trigger monitors and event loggers An attack against a honeypot is made to seem successful A honeypot has no production value There is no legitimate reason to access a honeypot Any attempt to communicate with a honeypot is most likely a probe, scan, or attack If a honeypot initiates outbound traffic, the system is most likely compromised
41
Honeypot Classifications
Low interaction High interaction
42
Low interaction honeypot:
Emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems Provides a less realistic target Often sufficient for use as a component of a distributed IDS to warn of imminent attack
43
High interaction honeypot
A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers More realistic target that may occupy an attacker for an extended period However, it requires significantly more resources

cs6035 Test 2 (11 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions