CYB236 Chapter 8: Host-based Intrusion Detection Systems

Questions and Answers

What is the primary purpose of a shim in a host-based IDPS?

• To intercept, analyze, and determine allowing or denying (correct)
• To analyze network traffic
• To log security events
• To generate alerts

What type of information is typically logged by host-based IDPSs?

• Timestamp, event type, event details, and prevention action (correct)
• Only IP address and port information
• Only timestamp and event type
• Timestamp, event type, and user IDs

What is a capability of host-based IDPSs?

• Code Obfuscation
• Network Traffic Encryption
• Network Configuration Monitoring (correct)
• Centralized Reporting

What is a limitation of host-based IDPSs?

Technology limitations and conflicts with existing security controls (A)

What is a type of event detected by host-based IDPSs?

Filesystem Monitoring (D)

What is a prevention capability of host-based IDPSs?

Code Analysis to prevent execution (B)

What is a security capability of host-based IDPSs?

Logging Capabilities (C)

What is a detection capability of host-based IDPSs?

Log Analysis (B)

What is the primary function of a host-based IDPS?

To monitor a single host and the events occurring within it for suspicious activity (C)

What is the typical component of most host-based IDPSs?

Detection software known as Agents (A)

What does an agent monitor in a server?

Both the operating system (OS) and common applications (A)

What type of agent is designed to monitor a specific application service only?

Application-based IDPS (B)

Where are agents typically deployed in a host-based IDPS?

On existing hosts on the organization's networks (A)

What do agents in a host-based IDPS perform?

Both detection and prevention actions (B)

What is monitored by agents designed to monitor users' hosts?

Both the operating system (OS) and common client applications (A)

What is the benefit of a host-based IDPS?

It provides protection to a single host and the events occurring within it (B)

What is the main purpose of Network Traffic Filtering?

To stop unauthorized access and acceptable use policy violations (C)

What is the primary function of Filesystem Monitoring?

To prevent files from being accessed, modified, replaced, or deleted (A)

What is the purpose of Removable Media Restriction?

To prevent malware from being transferred or copied to or from the host (A)

What is the purpose of Audiovisual Device Monitoring?

To indicate if the host has been compromised (C)

What is the purpose of Host Hardening?

To detect the disability of security function and enable it again (D)

What is the purpose of Process Status Monitoring?

To monitor the status of processes or services and the status of security programs (D)

What is the purpose of Network Traffic Sanitization?

To sanitize the network traffic that they monitor (C)

What is unique about updating agents in host-based IDPSs?

An agent’s update capability is related to the type of operating system on which it is deployed (D)

What is the main purpose of Management in host-based IDPSs?

To offer similar management capabilities (A)

Study Notes

Overview of Host-Based IDPS

• Shim serves to intercept and analyze data between the application layer and the operating system, enhancing security behavior.
• Host-based Intrusion Detection and Prevention Systems (IDPS) typically log events such as failed logins, unauthorized access attempts, and system file changes.

Capabilities and Limitations

• Host-based IDPSs can monitor user activity, detect policy violations, and assess the integrity of files.
• A limitation includes the inability to detect network-based attacks, as they focus on host rather than network level monitoring.

Detection and Prevention

• Host-based IDPSs can detect events like file manipulations, configuration changes, and unusual application behavior.
• Prevention capabilities include blocking unauthorized access attempts and terminating malicious processes.
• Security capabilities consist of ensuring compliance with security policies and monitoring for malware on the host.

Functionality and Components

• The primary function is to enhance security at the host level through continuous monitoring and real-time analysis.
• A typical component is the agent, which resides on the host and performs monitoring tasks.

Agent Roles and Deployment

• Agents monitor events and activities such as user access and application performance on servers.
• Specific application agents track activity solely related to designated services.
• Agents are generally deployed on individual hosts, such as servers and endpoint devices.

Agent Monitoring and Benefits

• Agents designed for user hosts monitor user actions, file access, and applications.
• The benefit of utilizing a host-based IDPS includes granular monitoring leading to detailed insights and responses to threats.

Specialized Monitoring Functions

• Network Traffic Filtering focuses on analyzing and blocking unauthorized or suspicious network connections.
• Filesystem Monitoring safeguards against unauthorized changes in files and directories.
• Removable Media Restriction prevents the unauthorized use of USB drives and external storage.
• Audiovisual Device Monitoring ensures that devices like webcams and microphones are not exploited for surveillance.
• Host Hardening aims to strengthen security configurations and reduce vulnerabilities on the host system.
• Process Status Monitoring keeps track of running processes to identify aberrant behavior or unauthorized execution.
• Network Traffic Sanitization cleanses network data streams to eliminate malicious content before entering the system.

Agent Updates and Management

• Updating agents in host-based IDPSs can be unique due to the coordination between systems, ensuring compatibility and functionality.
• Management is crucial for overseeing the deployment, configuration, and incident response efforts pertaining to the host-based IDPS.

Description

This quiz covers the components and architecture of host-based intrusion detection systems, including their capabilities, taxonomy of anomaly detection, and management. It also explores the characteristics of a single host and events within that host for suspicious activity.