Module 2: Security Technology: Intrusion Detection and Prevention Systems Flashcards
These operate by monitoring network traffic, analyzing it and providing remediation tactics when malicious behavior is detected.
intrusion detection and prevention systems (IDPS)
They look for matching behavior or characteristics that would indicate malicious traffic, send out alerts and block attacks.
intrusion detection and prevention systems (IDPS)
These tools can detect malware, socially engineered attacks and other web-based threats, including DDoS attacks.
intrusion detection and prevention systems (IDPS) tools
These can provide preemptive intrusion prevention capabilities for internal threats and potentially compromised systems.
intrusion detection and prevention systems (IDPS)
The primary functions of IDPS solutions can be broken down into four main categories. What are these?
- monitoring
- alerts
- remediation
- maintenance
Category of IDPS primary functions
IDPS ____ IT systems using either signature-based or anomaly-based intrusion detection to identify abnormal behavior and signatures of malicious activity.
monitoring
Category of IDPS primary functions
After identifying potential threats, IDPS software will log and send out ____ to inform administrators of abnormal activity.
alerts
Category of IDPS primary functions
IDPS tools provide blocking mechanisms for malicious threats, giving administrators time to take action. In some cases, IT teams may not be required to take action at all after an attack is blocked.
remediation
Category of IDPS primary functions
Besides monitoring for abnormal behavior, IDPS tools can also monitor the performance of IT hardware and security components with health checks. This ensures a security infrastructure is operating properly at all times.
maintenance
These are detection and monitoring tools. They do not take action on their own. This requires a human or another system to look at the results.
intrusion detection systems (IDS)
This is a control system. The control system accepts or rejects a packet based on the ruleset. This requires that the database gets regularly updated with new threat data.
intrusion prevention system (IPS)
What is the similarity of IDS and IPS?
They both read network packets and compare the contents to a database of known threats.
This sits between the firewall and switch.
intrusion prevention system (IPS)
This interacts with and is plugged directly into the switch.
intrusion detection system (IDS)
The types of IDPS can be classified according to ____.
The types of IDPS can be classified according to what they are designed to protect.
What are the types of IDPS?
network-based ID/PS and host-based ID/PS
This monitors the inbound and outbound network traffic and detects and prevents intrusions by analyzing network protocol activities.
network-based ID/PS
This is a software package installed on a host. It monitors the activities of a single host and detects and prevents malicious activities.
host-based ID/PS
These systems identify potential threats based on built-in rules and profiles.
intrusion detection systems (IDS) and intrusion prevention systems (IPS)
Intrusion detection systems primarily use two key intrusion detection methods. What are these?
signature-based intrusion detection and anomaly-based intrusion detection
This is used for threats we already know and have encountered in the past.
signature-based intrusion detection
This is used to detect changes in behavior.
anomaly-based intrusion detection
Designed to detect possible threats by comparing given network traffic and log data to existing attack patterns.
signature-based intrusion detection
These patterns are called ____ (hence the name) and could include byte ____, known as ____.
These patterns are called sequences (hence the name) and could include byte sequences, known as malicious instruction sequences.
This enables you to accurately detect and identify possible known attacks.
signature-based intrusion detection
Designed to pinpoint unknown attacks, such as new malware, and adapt to them on the fly using machine learning.
anomaly-based intrusion detection
Machine learning techniques enable an intrusion detection system (IDS) to create baselines of trustworthy activity—known as a ____—then compare new behavior to verified ____.
Machine learning techniques enable an intrusion detection system (IDS) to create baselines of trustworthy activity—known as a trust model—then compare new behavior to verified trust models.
False alarms can occur when using this IDS, since previously unknown yet legitimate network traffic could be falsely identified as malicious activity.
False alarms can occur when using anomaly-based IDS, since previously unknown yet legitimate network traffic could be falsely identified as malicious activity.