Deck 8: Intrusion Detection

Those who hack into computers do so for the thrill of it or for status.

Signature-based approaches attempt to define normal,or expected,
behavior,whereas anomaly approaches attempt to define proper behavior.

An inline sensor monitors a copy of network traffic; the actual traffic
does not pass through the device.

An intruder can also be referred to as a hacker or cracker.

Anomaly detection is effective against misfeasors.

The objective of the intruder is to gain access to a system or to increase
the range of privileges accessible on a system.

To be of practical use an IDS should detect a substantial percentage of
intrusions while keeping the false alarm rate at an acceptable level.

Network-based intrusion detection makes use of signature detection
and anomaly detection.

The masquerader is most likely an insider.

The primary purpose of an IDS is to detect intrusions,log suspicious
events,and send alerts.

The IDS component responsible for collecting data is the user interface.

A common location for a NIDS sensor is just inside the external
firewall.

Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be quantified.

Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.

_________ are cooperative ventures that collect information about system vulnerabilities and disseminate it to systems mangers.

A ________ IDS monitors traffic at selected points on a network or interconnected set of networks.

__________ is a security service that monitors and analyzes system events for the purpose of finding,and providing real-time warning of attempts to access system resources in an unauthorized manner.

The three classes of intruders are masquerader,clandestine user and _________.

The _________ detection approach involves defining thresholds,independent of user,for the frequency of occurrence of various events.

_________ anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.

A ________ is a legitimate user who accesses data,programs,or resources for which such access is not authorized,or who is authorized for such access but misuses his or her privileges.

An IDS comprises three logical components: analyzers,user interface and _____.

A distributed IDS consists of three main components: host agent module,central manager module,and ___________ module.

________ detection techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.

________ are decoy systems that are designed to lure a potential attacker away from critical systems.

A Snort installation consists of four logical components: packet decoder,detection engine,logger,and ________.

The functional components of an _________ are: data source,sensor,analyzer,administration,manager,and operator.

The _________ is the predefined formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements.

The _________ (RFC 4766)document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF).