Intrusion Detection Flashcards
Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
Aim of their attacks is often to promote and publicize their cause typically through:
Website defacement
DoS attacks
Theft and distribution of data that results in negative publicity or compromise of their targets
Activists
Individuals or members of an organized crime group with a goal of financial reward
Cyber Criminals
Groups of hackers sponsored by governments to conduct espionage or sabotage activities
State-Sponsored Organizations (APTs)
Hackers with minimal technical skill who primarily use existing attack toolkits
Apprentice
Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
Journeyman
Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
Master
What are the Intruder Skill Levels?
Apprentice
Journeyman
Master
What is Intruder Behavior?
- Target acquisition and information gathering
- Initial access
- Privilege escalation
- Information gathering or system exploit
- Maintaining access
- Covering tracks
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Security Intrusion
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Intrusion Detection
What are the three logical components of an Intrusion Detection System (IDS)?
- Sensors - collect data
- Analyzers - determine if intrusion has occurred
- User interface - view output or control system behavior
Monitors the characteristics of a single host for suspicious activity
Host-based IDS (HIDS)
Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
Network-based IDS (NIDS)
Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
Distributed or hybrid IDS
Involves the collection of data relating to the behavior of legitimate users over a period of time
Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
Anomaly detection
What are the analysis approaches?
Anomaly detection
Signature/Heuristic detection
Uses a set of known malicious data patterns or attack rules that are compared with current behavior
Also known as misuse detection
Can only identify known attacks for which it has patterns or rules
Signature/Heuristic detection
What are the classification approaches used for Anomaly Detection?
Statistical
Knowledge based
Machine learning
Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics
Statistical
Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
Knowledge based
Approaches automatically determine a suitable classification model from the training data using data mining techniques
Machine learning