Intrusion Detection and Prevention Methods

Questions and Answers

What is the primary goal of intrusion detection and prevention systems?

• To gather information and train the system
• To conform to statistically predictable patterns
• To detect and prevent hostile or unwanted trespass (correct)
• To predict future bad behavior

What is the key characteristic of a rule-based anomaly detection system?

• It relies on user input to identify anomalies
• It detects anomalies based on statistically predictable patterns
• It trains the system with known bad behaviors
• It uses a set of predefined rules to identify anomalies (correct)

What is the main difference between anomaly-based detection and signature-based detection?

• Signature-based detection sets a baseline for normal behavior
• Anomaly-based detection trains the system with known bad behaviors
• Signature-based detection focuses on identifying unknown threats
• Anomaly-based detection identifies anomalies based on statistically predictable patterns (correct)

What is the primary characteristic of a system that is not under attack?

User actions conform to statistically predictable patterns (C)

What is the definition of intrusion?

Hostile or unwanted trespass by users or software (C)

What is the formula for Detection Rate (DR) in Intrusion Detection Systems?

TP/(TP+FN) (D)

Which of the following IDS/IPS products is suitable for small and medium businesses and is free?

Suricata (C)

What is the primary objective of IDS/IPS systems?

Detecting intrusions (B)

What is the name of the chapter in the Stallings book that covers Email Security and Social Engineering Attacks?

Chapter 8 (A)

What is the primary approach of an IDS/IPS system that uses known attack patterns to identify intrusions?

Signature-based (D)

What is the term for a type of attack that tricks users into divulging sensitive information?

Phishing attack (B)

What is the main purpose of a peer-to-peer gossip protocol in an intrusion detection system?

To inform central system of attacks (B)

What is the primary function of a Policy Enforcement Point (PEP) in a Distributed or Hybrid Network Intrusion Detection System?

To correlate distributed information and make local decisions (A)

What is the purpose of the IETF Intrusion Detection Working Group?

To define data formats and exchange procedures for sharing information (C)

What is the primary function of a Honeypot in an intrusion detection system?

To lure potential attackers away from critical systems (D)

What is the main difference between a Low Interaction Honeypot and a High Interaction Honeypot?

The level of realism provided to the attacker (C)

What is the primary function of Snort in an intrusion detection system?

To use a combination of rules and preprocessors to detect intrusions (A)

What is the primary function of an Intrusion Prevention System (IPS)?

To detect and prevent malicious traffic (B)

What is a major advantage of using an Intrusion Detection System (IDS) in a network?

Has no impact on network performance (C)

What is a major challenge in detecting and preventing insider attacks?

Employees have access to systems and knowledge (B)

What is a key component of an overall security strategy to prevent insider attacks?

Enforcing least privilege and monitoring logs (C)

What is the primary goal of an Intrusion Detection System?

To detect a wide variety of intrusions, including unknown attacks (C)

What is the approach used by a rootkit to conceal information?

Manipulating system calls and programs (C)

According to Denning's Model, what is a characteristic of exploiting vulnerabilities?

Using normal commands in an abnormal way (D)

What is the primary advantage of Anomaly Detection over other models of Intrusion Detection?

It can detect unknown attacks (B)

What is the purpose of benchmark data sets in Anomaly Detection?

To train the system with usual behavior (C)

What is the goal of Misuse Detection in Intrusion Detection?

To detect known attacks (A)

What is the primary challenge of analyzing commands in Intrusion Detection?

Impact on response time of the system (C)

What is the purpose of a threshold metric in Anomaly Detection?

To count the number of events that occur within a certain range (B)

What is the primary benefit of a simple and easy-to-understand user interface in Intrusion Detection Systems?

It is critical for monitoring many systems (A)

What is the fundamental principle of Specification-based detection in Intrusion Detection?

What is good is known, and what is not good is bad (A)

What is the primary purpose of PGP in email security?

To provide all of the above (C)

Which of the following is NOT a symmetric key crypto algorithm supported by OpenPGP?

RSA (B)

What is the purpose of the session key in PGP encryption?

To encrypt the plaintext with an encryption algorithm (B)

What is the benefit of compressing plaintext in PGP?

It strengthens cryptographic security (A)

What is the purpose of the sender's private key in PGP?

To sign the message (A)

What is the primary difference between PGP and S/MIME?

PGP uses public key crypto, while S/MIME uses symmetric key crypto (C)

What is the purpose of the receiver's public key in PGP?

To encrypt the session key (C)

What is the benefit of using PGP in email security?

It strengthens cryptographic security (D)

What is the purpose of the hash function in PGP?

To provide authentication and integrity (A)

What is the primary advantage of using a hybrid cryptosystem like PGP?

It combines the benefits of symmetric and public key crypto (B)