Intrusion Detection Flashcards

1
Q

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. (T/F)

A

True

2
Q

To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. (T/F)

A

True

3
Q

An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device. (T/F)

A

False

4
Q

A common location for a NIDS sensor is just inside the external firewall. (T/F)

A

True

5
Q

Network-based intrusion detection makes use of signature detection and anomaly detection. (T/F)

A

True

6
Q

A _______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

A

host-based IDS

7
Q

_______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.

A

Signature detection

8
Q

_______ involves the collection of data relating to the behavior of legitimate users over a period of time.

A

Anomaly detection

9
Q

A(n) ______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.

A

inline sensor

10
Q

The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.

A

analyzer

11
Q

Intrusion Defined

A

any attack that aims to compromise the security goals of an organization

12
Q

Intrusion Examples

A

• Performing a remote root compromise of an e-mail server
• Defacing a Web server with inappropriate web contents
• Guessing and cracking passwords
• Stealing a database containing credit card numbers
• Reading sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

13
Q

Firewalls distinguished from IDS

A

Firewalls and IDSs are both part of a network security system. A firewall is designed to prevent an intrusion, and an IDS is designed to detect an intrusion.

F - tries to stop intrusion from happening
I - tries to evaluate an intrusion after it has happened
I -watches for intrusions that start within the system
F -limits access between networks to prevent intrusion

14
Q

Classes of Intruders

A

Cyber criminals

Activists

State-sponsored organizations

Other

15
Q

Intruder skill levels

A

Apprentice

Journeyman (sufficient skill to modify and extend attack toolkits)

Master (high-level skill, discovering new categories of vulnerabilities, writing new attack toolkits)

16
Q

intruders typically use steps from a common attack methodology

A

• Target Acquisition and Information Gathering:
–The attacker identifies and characterizes the target systems using publicly available information, both technical and non-technical, and uses network exploration tools to map target resources.

• Initial Access:
–Typically accomplished by exploiting a remote network vulnerability, e.g., by guessing weak authentication credentials used in a remote service, or via the installation of malware on the system using some form of social engineering or drive-by download.

• Privilege Escalation:
–Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their more powerful attacks on the target system.

• Information Gathering or System Exploit:
–Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.

• Maintaining Access:
–Actions such as the installation of backdoors or other malicious software, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack.

• Covering Tracks:
–Where the attacker disables or edits audit logs, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.

17
Q

Components of Intrusion Detection

A

Sensors

Analyzers

User Interface

18
Q

Intrusion Detection Primary assumptions

A

System activities are observable

Normal and intrusive activities have distinct evidence

19
Q

IDS Classification

A

Host-based IDS
-monitors single host and events occurring within the host

Network-based IDS
-monitors network traffic for particular network segments or devices

Distributed or Hybrid IDS
-combines info from many sensors

20
Q

Analysis Approaches

A

Anomaly detection

Signature or heuristic-based detection

21
Q

Anomaly detection

A

Involves the collection of data relating to the behavior of legitimate users over a period of time. Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or that of an intruder.

Anomaly approaches aim to define or characterize normal, or expected, behaviors in order to identify malicious or unauthorized behavior.

22
Q

Signature or heuristic-based detection

A

Signature or heuristic-based approaches directly define malicious or unauthorized behavior. They can quickly and efficiently identify known attacks. However only anomaly detection is able to detect unknown, zero-day attacks, because it starts with known good behavior and identifies anomalies to it.

23
Q

Signature or heuristic-based detection

A

Signature or heuristic-based approaches directly define malicious or unauthorized behavior.

They can quickly and efficiently identify known attacks. However only anomaly detection is able to detect unknown, zero-day attacks, because it starts with known good behavior and identifies anomalies to it.

Uses a set of known malicious data patterns or attack rules that are compared with current behavior

Also known as misuse detection

Can only identify known attacks for which it has patterns or rules

Rule based heuristic identification

24
Q

Types of Host based intrusion detection

A

Anomaly HIDS

Signature or Heuristic HIDS

Distributed HIDS

25
Q

Network Based Intrusion Detection

A

Monitors traffic at selected points on a network or interconnected set of networks

Typically in perimeter security infrastructure

26
Q

2 Types/Modes of Network Sensors

A

Inline sensor
–inserted into a network segment so that the traffic it monitors must pass through the sensor

Passive sensor
–monitors a copy of network traffic, so actual traffic does not pass through it

27
Q

Anomaly Detection Classification of Approaches

A
  • Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
  • Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
  • Machine-learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.
28
Q

4 Locations of NIDS sensor and advantages

A

Place NIDS sensor just inside the external firewall. Advantages:

  • sees attacks originating from the outside world that penetrate perimeter defenses
  • highlights problems with the firewall policy or performance
  • sees attacks targeting web or FTP servers
  • can recognize outgoing traffic that results from a compromised server

Sensor between external firewall and Internet or WAN:
  • documents number and types of attacks originating on the Internet that target the network

Sensor at major backbone networks (e.g., supporting internal servers/DBs):

  • monitors a large amount of traffic
  • detects unauthorized activity within the organization

Sensor at critical subsystems (personal or financial systems):

  • detects attacks targeting critical systems/resources
  • focuses limited resources
29
Q

Signature Approach

Advantages & Disadvantages

A

Advantages:

  • Low cost in time and resource use
  • Wide acceptance

Disadvantages:

  • Significant effort to identify and review new malware to create signatures
  • Inability to detect zero-day attacks
30
Q

Rule-Based Detection

A

Instead of using only signatures of known attacks, a misuse detection system can also use a more sophisticated, rule-based approach.

Rule-based detection involves the use of rules for identifying known penetrations or penetrations that would exploit known vulnerabilities.
Rules are specified to process and analyze activity data and match multiple signatures or patterns.

Typically, the rules used in these systems are specific to the machine and operating system.
The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet.
These rules can be supplemented with rules generated by knowledgeable security personnel. In this latter case, the normal procedure is to interview system administrators and security analysts to collect a suite of known penetration scenarios and key events that threaten the security of the target system.

The SNORT system is an example of a rule-based NIDS. A large collection of rules exists for it to detect a wide variety of network attacks.

31
Q

Network Based IDS

A

A network-based IDS (NIDS) monitors traffic at selected points on a network or interconnected set of networks. The NIDS examines the traffic packet by packet in real time, or close to real time, to attempt to detect intrusion patterns. The NIDS may examine network-, transport-, and/or application-level protocol activities. Note the contrast with a host-based IDS; a NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network.

A typical NIDS facility includes a number of sensors to monitor packet traffic, one or more servers for NIDS management functions, and one or more management consoles for the human interface. The analysis of traffic patterns to detect intrusions may be done at the sensor, at the management server, or some combination of the two.

32
Q

Inline Sensors

A

Used to block an attack when one is detected, performing both intrusion detection and prevention functions

An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.

Can be achieved by:

  • Combining NIDS sensor logic with a firewall or LAN switch. This has the advantage that no additional hardware is needed
  • Using a stand-alone inline NIDS sensor
33
Q

Passive Sensors

A

A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device

Passive sensors are more efficient

34
Q

Firewall Versus Network IDS

A

Firewall

  • Active filtering
  • Fail-close

Network IDS

  • Passive monitoring
  • Fail-open
35
Q

SNORT

A

Open source

Highly configurable

Lightweight IDS

Characteristics:

  • Easily deployed on most nodes
  • Efficient operation
  • Easily configured by system administrators

Performs real-time packet capture

Detects a variety of attacks and probes

36
Q

Types of attacks suitable for signature detection

A

Application layer reconnaissance and attacks

Transport layer reconnaissance and attacks

Network layer reconnaissance and attacks

Unexpected application services

Policy violations

37
Q

Anomaly detection suitable for these types of attacks

A

Denial of service attacks

Scanning

Worms

38
Q

SNORT logical components

A

• Packet decoder: The packet decoder processes each captured packet to identify and isolate protocol headers at the data link, network, transport, and application layers.
–The decoder is designed to be as efficient as possible, and its primary work consists of setting pointers so that the various protocol headers can be easily extracted.

• Detection engine: The detection engine does the actual work of intrusion detection. This module analyzes each packet based on a set of rules defined for this configuration of Snort by the security administrator. In essence, each packet is checked against all the rules to determine if the packet matches the characteristics defined by a rule.
–The first rule that matches the decoded packet triggers the action specified by the rule. If no rule matches the packet, the detection engine discards the packet.

• Logger: For each packet that matches a rule, the rule specifies what logging and alerting options are to be taken. When a logger option is selected, the logger stores the detected packet in human-readable format or in a more compact binary format in a designated log file. The security administrator can then use the log file for later analysis.

• Alerter: For each detected packet, an alert can be sent. The alert option in the matching rule determines what information is included in the event notification.
–The event notification can be sent to a file, to a UNIX socket, or to a database. Alerting may also be turned off during testing or penetration studies.
Using the UNIX socket, t

39
Q

Intrusion Detection Exchange Format

A

Defines data formats and exchange procedures for sharing information on intrusion detection and response

Functional components:
Data source

Sensor

Analyzer

Administrator

Manager

Operator

40
Q

Honeypots

A

Honeypots are decoy systems designed to lure attackers away from critical systems.

Honeypots are designed to:

  • divert an attacker
  • collect information about an attacker
  • encourage an attacker to stay long enough for administrators to respond

Honeypots are filled with fabricated information

Any accesses to a honeypot trigger monitors and event loggers

An attack against a honeypot is made to seem successful

A honeypot has no production value

There is no legitimate reason to access a honeypot

Any attempt to communicate with a honeypot is most likely a probe, scan, or attack

If a honeypot initiates outbound traffic, the system is most likely compromised

41
Q

Honeypot Classifications

A

Low interaction

High interaction

42
Q

Low interaction honeypot:

A

Emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems

Provides a less realistic target

Often sufficient for use as a component of a distributed IDS to warn of imminent attack

43
Q

High interaction honeypot

A

A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers

More realistic target that may occupy an attacker for an extended period

However, it requires significantly more resources