CYB236 Chapter 8: Host-based Intrusion Detection Systems

Questions and Answers

PDF Questions PDF Answers

What is the primary purpose of a shim in a host-based IDPS?

To intercept, analyze, and determine allowing or denying (correct)

To analyze network traffic

To log security events

To generate alerts

What type of information is typically logged by host-based IDPSs?

Timestamp, event type, event details, and prevention action (correct)

Only IP address and port information

Only timestamp and event type

Timestamp, event type, and user IDs

What is a capability of host-based IDPSs?

Code Obfuscation

Network Traffic Encryption

Network Configuration Monitoring (correct)

Centralized Reporting

What is a limitation of host-based IDPSs?

Technology limitations and conflicts with existing security controls

What is a type of event detected by host-based IDPSs?

Filesystem Monitoring

What is a prevention capability of host-based IDPSs?

Code Analysis to prevent execution

What is a security capability of host-based IDPSs?

Logging Capabilities

What is a detection capability of host-based IDPSs?

Log Analysis

What is the primary function of a host-based IDPS?

To monitor a single host and the events occurring within it for suspicious activity

What is the typical component of most host-based IDPSs?

Detection software known as Agents

What does an agent monitor in a server?

Both the operating system (OS) and common applications

What type of agent is designed to monitor a specific application service only?

Application-based IDPS

Where are agents typically deployed in a host-based IDPS?

On existing hosts on the organization's networks

What do agents in a host-based IDPS perform?

Both detection and prevention actions

What is monitored by agents designed to monitor users' hosts?

Both the operating system (OS) and common client applications

What is the benefit of a host-based IDPS?

It provides protection to a single host and the events occurring within it

What is the main purpose of Network Traffic Filtering?

To stop unauthorized access and acceptable use policy violations

What is the primary function of Filesystem Monitoring?

To prevent files from being accessed, modified, replaced, or deleted

What is the purpose of Removable Media Restriction?

To prevent malware from being transferred or copied to or from the host

What is the purpose of Audiovisual Device Monitoring?

To indicate if the host has been compromised

What is the purpose of Host Hardening?

To detect the disability of security function and enable it again

What is the purpose of Process Status Monitoring?

To monitor the status of processes or services and the status of security programs

What is the purpose of Network Traffic Sanitization?

To sanitize the network traffic that they monitor

What is unique about updating agents in host-based IDPSs?

An agent’s update capability is related to the type of operating system on which it is deployed

What is the main purpose of Management in host-based IDPSs?

To offer similar management capabilities

Study Notes

Overview of Host-Based IDPS

• Shim serves to intercept and analyze data between the application layer and the operating system, enhancing security behavior.
• Host-based Intrusion Detection and Prevention Systems (IDPS) typically log events such as failed logins, unauthorized access attempts, and system file changes.

Capabilities and Limitations

• Host-based IDPSs can monitor user activity, detect policy violations, and assess the integrity of files.
• A limitation includes the inability to detect network-based attacks, as they focus on host rather than network level monitoring.

Detection and Prevention

• Host-based IDPSs can detect events like file manipulations, configuration changes, and unusual application behavior.
• Prevention capabilities include blocking unauthorized access attempts and terminating malicious processes.
• Security capabilities consist of ensuring compliance with security policies and monitoring for malware on the host.

Functionality and Components

• The primary function is to enhance security at the host level through continuous monitoring and real-time analysis.
• A typical component is the agent, which resides on the host and performs monitoring tasks.

Agent Roles and Deployment

• Agents monitor events and activities such as user access and application performance on servers.
• Specific application agents track activity solely related to designated services.
• Agents are generally deployed on individual hosts, such as servers and endpoint devices.

Agent Monitoring and Benefits

• Agents designed for user hosts monitor user actions, file access, and applications.
• The benefit of utilizing a host-based IDPS includes granular monitoring leading to detailed insights and responses to threats.

Specialized Monitoring Functions

• Network Traffic Filtering focuses on analyzing and blocking unauthorized or suspicious network connections.
• Filesystem Monitoring safeguards against unauthorized changes in files and directories.
• Removable Media Restriction prevents the unauthorized use of USB drives and external storage.
• Audiovisual Device Monitoring ensures that devices like webcams and microphones are not exploited for surveillance.
• Host Hardening aims to strengthen security configurations and reduce vulnerabilities on the host system.
• Process Status Monitoring keeps track of running processes to identify aberrant behavior or unauthorized execution.
• Network Traffic Sanitization cleanses network data streams to eliminate malicious content before entering the system.

Agent Updates and Management

• Updating agents in host-based IDPSs can be unique due to the coordination between systems, ensuring compatibility and functionality.
• Management is crucial for overseeing the deployment, configuration, and incident response efforts pertaining to the host-based IDPS.

Description

This quiz covers the components and architecture of host-based intrusion detection systems, including their capabilities, taxonomy of anomaly detection, and management. It also explores the characteristics of a single host and events within that host for suspicious activity.