Intrusion Detection and Prevention Methods

Questions and Answers

What is the primary goal of intrusion detection and prevention systems?

To gather information and train the system

To conform to statistically predictable patterns

To detect and prevent hostile or unwanted trespass (correct)

To predict future bad behavior

What is the key characteristic of a rule-based anomaly detection system?

It relies on user input to identify anomalies

It detects anomalies based on statistically predictable patterns

It trains the system with known bad behaviors

It uses a set of predefined rules to identify anomalies (correct)

What is the main difference between anomaly-based detection and signature-based detection?

Signature-based detection sets a baseline for normal behavior

Anomaly-based detection trains the system with known bad behaviors

Signature-based detection focuses on identifying unknown threats

Anomaly-based detection identifies anomalies based on statistically predictable patterns (correct)

What is the primary characteristic of a system that is not under attack?

User actions conform to statistically predictable patterns

What is the definition of intrusion?

Hostile or unwanted trespass by users or software

What is the formula for Detection Rate (DR) in Intrusion Detection Systems?

TP/(TP+FN)

Which of the following IDS/IPS products is suitable for small and medium businesses and is free?

Suricata

What is the primary objective of IDS/IPS systems?

Detecting intrusions

What is the name of the chapter in the Stallings book that covers Email Security and Social Engineering Attacks?

Chapter 8

What is the primary approach of an IDS/IPS system that uses known attack patterns to identify intrusions?

Signature-based

What is the term for a type of attack that tricks users into divulging sensitive information?

Phishing attack

What is the main purpose of a peer-to-peer gossip protocol in an intrusion detection system?

To inform central system of attacks

What is the primary function of a Policy Enforcement Point (PEP) in a Distributed or Hybrid Network Intrusion Detection System?

To correlate distributed information and make local decisions

What is the purpose of the IETF Intrusion Detection Working Group?

To define data formats and exchange procedures for sharing information

What is the primary function of a Honeypot in an intrusion detection system?

To lure potential attackers away from critical systems

What is the main difference between a Low Interaction Honeypot and a High Interaction Honeypot?

The level of realism provided to the attacker

What is the primary function of Snort in an intrusion detection system?

To use a combination of rules and preprocessors to detect intrusions

What is the primary function of an Intrusion Prevention System (IPS)?

To detect and prevent malicious traffic

What is a major advantage of using an Intrusion Detection System (IDS) in a network?

Has no impact on network performance

What is a major challenge in detecting and preventing insider attacks?

Employees have access to systems and knowledge

What is a key component of an overall security strategy to prevent insider attacks?

Enforcing least privilege and monitoring logs

What is the primary goal of an Intrusion Detection System?

To detect a wide variety of intrusions, including unknown attacks

What is the approach used by a rootkit to conceal information?

Manipulating system calls and programs

According to Denning's Model, what is a characteristic of exploiting vulnerabilities?

Using normal commands in an abnormal way

What is the primary advantage of Anomaly Detection over other models of Intrusion Detection?

It can detect unknown attacks

What is the purpose of benchmark data sets in Anomaly Detection?

To train the system with usual behavior

What is the goal of Misuse Detection in Intrusion Detection?

To detect known attacks

What is the primary challenge of analyzing commands in Intrusion Detection?

Impact on response time of the system

What is the purpose of a threshold metric in Anomaly Detection?

To count the number of events that occur within a certain range

What is the primary benefit of a simple and easy-to-understand user interface in Intrusion Detection Systems?

It is critical for monitoring many systems

What is the fundamental principle of Specification-based detection in Intrusion Detection?

What is good is known, and what is not good is bad

What is the primary purpose of PGP in email security?

To provide all of the above

Which of the following is NOT a symmetric key crypto algorithm supported by OpenPGP?

RSA

What is the purpose of the session key in PGP encryption?

To encrypt the plaintext with an encryption algorithm

What is the benefit of compressing plaintext in PGP?

It strengthens cryptographic security

What is the purpose of the sender's private key in PGP?

To sign the message

What is the primary difference between PGP and S/MIME?

PGP uses public key crypto, while S/MIME uses symmetric key crypto

What is the purpose of the receiver's public key in PGP?

To encrypt the session key

What is the benefit of using PGP in email security?

It strengthens cryptographic security

What is the purpose of the hash function in PGP?

To provide authentication and integrity

What is the primary advantage of using a hybrid cryptosystem like PGP?

It combines the benefits of symmetric and public key crypto