Intrusion Detection Flashcards
_______ tries to stop intrusion from happening (Firewall or IDS)
Firewall (P2 L4)
_______ tries to evaluate an intrusion after it has happened (Firewall or IDS)
IDS
_______ watches for intrusions that start within the system (Firewall or IDS)
IDS
_______ limits access between networks to prevent intrusion
Firewall
An intruder can also be referred to as a hacker or cracker
True
Activists are either individuals or members of an organized crime group with a goal of financial reward
False
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion
True
Those who hack into computers do so for the thrill of it or for status
False
Intruders typically use steps from a common attack methodology
True
This backdoor is hard to detect because it modifies machine code
Object code backdoors
This backdoor can only be used by the person who created it, even if it is discovered by others
Asymmetric backdoors
This backdoor inserts backdoors into other programs during compilation
Compiler backdoors
The longer an anomaly detection system is in use, the more it learns about network activity
True
If malicious activity looks like normal traffic to the anomaly detection system, it will not detect an attack
True
False positives from an anomaly detection system can become a problem; normal usage can be mistaken for an attack
True
With signature-based detection, new threats can be detected immediately
False
With signature-based detection, when a new virus is identified, it must be added to the signature databases
True
Signature-based detection systems can only detect an intrusion attempt if it matches a pattern that is in the database
True
Which of the following could be considered an anomaly to a typical network?
A) An IP address
B) A port address
C) Packet length
D) Flag setting
All of them
With _________, any action that does not fit the normal behavior profile is considered an attack
Statistical intrusion detection
With _________, any action that is not classified as normal is considered to be an attack
Knowledge-based intrusion detection
_______ anomaly detection detects attacks similar to past attacks
Machine learning intrusion detection
One of the weaknesses of anomalous intruder detection is that a system must learn what is normal behavior. While it is learning this, the network is vulnerable to attack. What can be done to mitigate this weakness?
Use a firewall.
In the thriving 0-day attack marketplace, hackers sell information on software vulnerabilities. Can you guess some of the buyers?
A) Apple
B) Google
C) Microsoft
D) U.S. Government
All
With a(n) _______ attack, an attacker sends various kinds of packets to probe a system or network for a vulnerability that can be exploited
Scanning attack
With a(n) _______ attack, the attacker attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users
DOS
With a(n) _______ attack, an attacker gains unauthorized control of a system
Penetration
Can you think of a way to reduce the impact of excessive reporting on a system's administrator?
Prioritize the alerts
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
True
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
True
Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior
False
A network IDS sensor monitors a copy of network traffic; the actual traffic does not pass through the device
True
Network-based intrusion detection can make use of signature detection and anomaly detection
True
When using sensors, which of the following is considered good practice?
A) Set the IDS level to the highest sensitivity to detect every attack
B) Monitor both outbound and inbound traffic
C) Use a shared network resource to gather NIDS data
D) NIDS sensors are not turnkey solutions; system administrators must interpret alerts
B) Monitor both outbound and inbound traffic
D) NIDS sensors are not turnkey solutions; system administrators must interpret alerts
A common location for a NIDS sensor is just inside the external firewall
True
A honeypot can be a workstation that a user uses for work
False
There is no benefit of deploying a NIDS or honeypot outside of the firewall
False
To improve detection performance, an IDS should reduce the false alarm rate while detecting as many intrusions as possible
True
To improve detection performance, an IDS should apply detection models to all unfiltered packet data directly.
False
To improve detection performance, an IDS should apply detection models to processed event data that has a higher base rate
True
To defeat an IDS, attackers can send a huge amount of traffic
True
To defeat an IDS, attackers can embed the attack in packets that cause non-uniform processing by different operating systems, e.g. bad checksum, overlapping fragments
True
To defeat an IDS, attackers can send traffic that purposely matches detection rules
True
To defeat an IDS, attackers can send a packet that would trigger a buffer overflow in the IDS code
True