Chapter 5: Intrusion Detection
The most prominent
threats to computer system:
- Virus
- Intrusion
detection
6.1
Intruders
- What are the
three classes of intruders identified by Anderson?
- What are the
serious attacks of intrusion detection?
- Read briefly
about intruder behavior patterns.
- How does an
intruder exploit buffer overflow problem to gain access to a system?
- Can you find
an example of a software vulnerability that allows user to open to execute
a code that opens a back door into a system? How does an intruder exploit
this vulnerability?
- How does IDS
work to counter insider attack? Why is access control of higher
priority than IDS to counter insider attack?
6.2 Intrusion
Detection
- How is it
possible to differentiate between an intruder and a legitimate user? How
will you identify a misfeasor?
- In page 183,
there is a list of requirements as desirable for an IDS. Justify each
requirement. How does each requirement enhance the process of intrusion
detection?
6.3 Host Based
Intrusion Detection
- How does a
host-based IDS detect both external and internal detection?
- What is the
difference between anomaly detection and signature detection?
- Why is anomaly
detection not effective for countering misfeasors?
- How does audit
record help with intrusion detection?
- Read carefully
about anomaly detection procedure. How are metrics such as counter,
gauge, interval timer and resource utilization used in anomaly
detection? Can you think of any other metric that will be useful in
anomaly detection?
- Do some search
in the Internet and try to find out how the following models work to
detect anomaly:
§
Multivariate
model
§
Markov
process
§
Time series
§
Operational
model
- Study table
6.2. Find out how each measure detects the corresponding type of intrusion
mentioned in the table.
- What is
base-rate fallacy? Why is it impossible to minimize false alarm and
maximum number of detections at the same time?
6.4 Distributed
Host-based Intrusion Detection
- Why is
distributed intrusion detection system more useful than a centralized one?
What is the difference between a distributed host-based system and a
network-based system?
- How do sensors
work in network-based system?
- Compare
signature detection techniques of network-based IDS with that of
host-based IDS. Do the same for anomaly detection techniques.
- What are the
two key unsolved problems with these IDSs that attackers try to exploit?
6.5 Distributed
Adaptive Intrusion Detection
- How does
distributed adaptive intrusion detection system work?
6.6 Intrusion
Detection Exchange Format: Read
briefly.
6.7 Honeypots
- What are the
advantages and disadvantages of honeypots?
- What are
advantages and disadvantages of external honeypots?
6.8 SNORT