Intrusion Detection and Prevention Systems

Question 1

What is a Intrusion Detection System

Answer 1

Wire tap between the internal and External network
Can detect wide variety of intrusions
Presents analysis in simple format
Aims to block intrusions

Question 2

What is monitored?

Answer 2

Network traffic
Users Resources
Command and program execution
read/write - execute some cmds

Question 3

What are 2 intrusion detection processes?

Answer 3

Signature Based approach

Anomaly Based approach

Question 4

What is Misuse Detection?

Answer 4

– What is bad, is known
– What is not bad, is good
Determines whether a sequence of instructions being executed is known to violate the security policy.
IDS matches data against a set of rules.

Question 5

What is signature based detection?

Answer 5

– What is good, is known

– What is not good, is bad

Question 6

What are Vulnerability based signatures?

Answer 6

Once a new vulnerability is disclosed, researchers develop signatures that anticipate the nature of yet-to-be-created threats

Question 7

Specific based detection

Answer 7

what are good are included in the rules

If any deviations from the rules, IDS detects a potential intrusion.

Question 8

What are Anomaly-based Approaches

Answer 8

– What is usual, is known

– What is unusual, is bad

Question 9

What are Statistical Moments

Answer 9

Activity measures, CPU, I/O Process size

Question 10

Pros/ Cons on Anomaly based

Answer 10

May detect zero-day attacks

Usually higher false positive rate

Question 11

Pros/ Cons on Signature-based

Answer 11

Usually lower false positive rate

May not detect zero-day attacks

Question 12

What is a honey pot

Answer 12

A system deployed to lure attackers