Intrusion Detection

Question 1

What is a definition for an intrusion detection system?

Answer 1

An intrusion detection system (IDS) is an additional component to protect a system during operation. The IDS monitors selected aspects of the system’s behavior and raises an alarm if it observes suspicious behavior.

Question 2

What are the 5 relevant aspects for an IDS?

Answer 2

• Time and Resources
• Location and Connection
• Intrusion and Suspiciousness
• Model Complexity and Observed Data
• Response to an alarm

Question 3

What different approaches are there regarding Time and Resources? What are the trade-offs?

Answer 3

• monitor during runtime
• monitor post mortem (asynchrounously)

challenges, trade-offs:

• higher value from detecting attacks?
• is detection fast enough? does it scale?
• is a full analysis of all observed events necessary?

Question 4

What different approaches are there regarding Location and Connection? What are the trade-offs?

Answer 4

• host-based monitoring
• network-based monitoring

challenges, trade-offs:

• depends on architecture of monitored system
• depends on availability of monitored information

Question 5

What different approaches are there regarding Intrusion and Suspiciousness?

Answer 5

• signature based: explicit rules or stochastic profiles
• anomaly based: aberrations from defined normal behavior
• hybrids

Question 6

What different approaches are there regarding Model Complexity and Observed Data?

Answer 6

• rule-based
• statistical model
• machine learning

Question 7

What different approaches are there regarding Response to an alarm?

Answer 7

• Security information and event management (SIEM): central collection and management of incident reports
• Intrusion detection and prevention systems (IDPS): immediate reaction in the monitored system