Lecture 10 Flashcards
What is a security intrusion?
A security event where an intruder gains or attempts to gain unauthorized access to a system or resource.
What is intrusion detection?
A service that monitors and analyzes system events to provide real-time warnings of unauthorized access attempts.
What are the three main components of an IDS?
Sensors, Analyzers, and User Interface.
What is a Host-based IDS (HIDS)?
An IDS that monitors and analyzes the internals of a computing system and its network interfaces.
What is a Network-based IDS (NIDS)?
An IDS that monitors and analyzes network traffic at selected points in real or near-real time.
What is a Distributed or Hybrid IDS?
An IDS that combines information from multiple sensors across a cooperative system design.
What is the base-rate fallacy in intrusion detection?
The difficulty of distinguishing between legitimate and malicious users due to class imbalance.
What is signature-based detection?
Detection using known malicious data patterns (signatures) or attack rules; identifies known attacks.
What is anomaly detection?
Detection based on deviations from established legitimate user behavior; identifies unknown or zero-day attacks.
What are three methods for developing IDS?
Statistical analysis, Knowledge-based (expert systems), and Machine learning techniques.
What is SNORT?
A rule-based intrusion detection system that can be deployed as a HIDS or a NIDS.
What are examples of activities monitored by HIDS?
Changes to system registry, failed login attempts, critical system file changes, and backdoor installation.
What are drawbacks of HIDS?
Resource consumption, tampering risk, false alarms, and management difficulties.
What is a honeypot?
A decoy system designed to lure attackers away from critical systems and collect information about attack strategies.
What are the types of honeypots?
Low-interaction and High-interaction honeypots.
What is a firewall?
A network security system that monitors and controls incoming and outgoing network traffic based on security rules.
What are the advantages of using a firewall?
Keeps unauthorized users out, protects against vulnerable services and IP spoofing, monitors security events, and supports VPNs.
What are the disadvantages of using a firewall?
Cannot protect against internal threats or attacks bypassing the firewall.
What is a packet filtering firewall?
Applies rules to incoming/outgoing IP packets based on header information to forward or discard packets.
What are weaknesses of packet filtering firewalls?
Limited application-layer protection, limited logging, vulnerability to TCP/IP exploits, and susceptibility to configuration mistakes.
What is a stateful inspection firewall?
Maintains records of active connections and makes decisions based on connection state and packet information.
What is an application proxy firewall?
Acts as a relay of application-level traffic, requiring a proxy for each application supported.
Where can firewalls be based?
Standalone machine, router, LAN switch, or server.
What is a host-based firewall?
A software module that secures an individual host, often tailored to the host’s environment.