Difference between statistical anomaly detection and rule-based intrusion detection


FIT3031 Tutorial 9


FIT3031 TUTORIAL 9 SOLUTIONS

INTRUSION DETECTION

REVIEW QUESTIONS

1. List and briefly define three classes of intruders.

Ans: Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

The masquerader is typically an outsider, the misfeasor an insider, and the clandestine user can be either.

2. What are two common techniques used to protect a password file?

Ans: One-way encryption: The system stores only a one-way transformation of the user's password, never the password itself. When the user presents a password, the system applies the same transformation and compares the result with the stored value. The transformation is not reversible: in the classic UNIX scheme the password was used as the key of an encryption function applied to a constant block, producing a fixed-length output; modern systems use a dedicated password-hashing function. Nothing is ever decrypted, so "one-way hash" is the more precise term.

Access control: Access to the password file is limited to one or a very few accounts. On UNIX the hashes live in /etc/shadow, readable only by root, rather than in the world-readable /etc/passwd, which removes the file from an attacker's reach even if the hashes are weak.

3. What are three benefits that can be provided by an intrusion detection system?

Ans: 1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner the intrusion is detected, the less damage is done and the more quickly recovery can be achieved.

2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

4. What is the difference between statistical anomaly detection and rule-based intrusion detection?

Ans: Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior. Rule-based detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.

The trade-off: anomaly detection can catch previously unseen attacks but raises false positives whenever legitimate behavior changes, while rule-based detection produces few false positives for the attacks it knows about and cannot detect attacks for which no rule has been written.

5. What metrics are useful for profile-based intrusion detection?

Ans: Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types (for example failed logins) is kept over a particular period of time.

Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity, such as the number of open sessions.

Interval timer: The length of time between two related events, such as successive logins to the same account.

Resource utilization: The quantity of resources (CPU time, pages printed, bytes transferred) consumed during a specified period.

Each metric is compared against the profile built from the user's past behavior, for example its mean and standard deviation, to decide whether current activity is out of range.

6. What is the difference between rule-based anomaly detection and rule-based penetration identification?

Ans: With rule-based anomaly detection, historical audit records are analyzed to identify usage patterns and to generate automatically rules that describe those patterns. Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed, and each transaction is matched against the set of rules to determine whether it conforms to any historically observed pattern of behavior.

Rule-based penetration identification uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. Typically, the rules used in these systems are specific to the machine and operating system, and they are written by "experts" rather than generated by automated analysis of audit records.
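The contrast drawn in questions 4 to 6 is easiest to see on data. The following Python script is an added example, not part of the tutorial solutions or of any IDS product: it runs one set of constructed per-user audit records (the user names, metric values and file paths are invented for illustration) through three detectors written here for the purpose, a statistical mean-and-standard-deviation test over the metric kinds from question 5, a rule derived automatically from history (rule-based anomaly detection), and a short list of expert-written rules (rule-based penetration identification), and reports which records each one flags. The three-sigma threshold and the rule bodies are assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class AuditRecord:
    """One (user, day) summary, constructed for the example. Fields follow the Q5
    metric kinds: counter, gauge, interval timer, resource utilization; files_read
    feeds the rule-based checks."""
    user: str
    day: int
    logins_failed: int     # counter: failed logins that day
    sessions_open: int     # gauge: sessions open at sample time
    login_to_cmd_s: float  # interval timer: seconds from login to first command
    cpu_seconds: float     # resource utilization: CPU consumed that day
    files_read: tuple = ()

METRICS = ("logins_failed", "sessions_open", "login_to_cmd_s", "cpu_seconds")

# --- statistical anomaly detection: profile of legitimate behaviour, then a z-test
def build_profiles(history):
    """Per-user mean and population std-dev of each metric over the training window."""
    profiles = {}
    for user in sorted({r.user for r in history}):
        rows = [r for r in history if r.user == user]
        profiles[user] = {m: (mean([getattr(r, m) for r in rows]),
                              pstdev([getattr(r, m) for r in rows])) for m in METRICS}
    return profiles

def statistical_anomalies(record, profiles, threshold=3.0):
    """Flag metrics more than `threshold` std-devs from the user's own mean
    (threshold is an assumed tuning value). A user with no profile is itself anomalous."""
    prof = profiles.get(record.user)
    if prof is None:
        return [("unknown_user", float("inf"))]
    flagged = []
    for m in METRICS:
        mu, sigma = prof[m]
        value = getattr(record, m)
        z = abs(value - mu) / sigma if sigma else (0.0 if value == mu else float("inf"))
        if z > threshold:
            flagged.append((m, z))
    return flagged

# --- rule-based anomaly detection: a rule generated automatically from history
def derive_rules(history):
    """Per-user rule 'reads only files seen during training'."""
    rules = {}
    for r in history:
        rules.setdefault(r.user, set()).update(r.files_read)
    return rules

def derived_rule_violations(record, rules):
    if record.user not in rules:
        return ["unknown_user"]
    return sorted(set(record.files_read) - rules[record.user])

# --- rule-based penetration identification: expert-written rules for known misuse
SENSITIVE_FILES = {"/etc/shadow", "/etc/master.passwd"}
EXPERT_RULES = [
    ("burst of failed logins", lambda r: r.logins_failed >= 10),
    ("non-root read of password file",
     lambda r: r.user != "root" and bool(SENSITIVE_FILES & set(r.files_read))),
    ("scripted session: first command under 1s after login", lambda r: r.login_to_cmd_s < 1.0),
]

def expert_rule_matches(record):
    return [name for name, pred in EXPERT_RULES if pred(record)]

# --- constructed data: five quiet training days per user, then one test day each
TRAINING = [AuditRecord("alice", d, f, s, t, c, ("/home/alice/report.txt",))
            for d, (f, s, t, c) in enumerate(zip((0, 1, 0, 1, 0), (2, 3, 2, 3, 2),
                                                 (12, 15, 10, 14, 11), (300, 350, 280, 320, 310)), 1)]
TRAINING += [AuditRecord("bob", d, f, s, t, c, ("/home/bob/notes.txt",))
             for d, (f, s, t, c) in enumerate(zip((1, 2, 1, 0, 1), (1, 1, 2, 1, 1),
                                                  (30, 25, 35, 28, 32), (100, 120, 90, 110, 105)), 1)]
TEST_DAY = [
    AuditRecord("alice", 6, 1, 2, 13, 320, ("/home/alice/report.txt",)),  # ordinary day
    AuditRecord("alice", 7, 40, 2, 12, 4000, ("/home/alice/report.txt",)),  # brute force + heavy CPU
    AuditRecord("bob", 6, 1, 1, 29, 104, ("/home/bob/notes.txt", "/etc/shadow")),  # misfeasor, metrics normal
    AuditRecord("mallory", 6, 0, 1, 0.2, 50),  # account with no profile at all
]

def evaluate(records=TEST_DAY, history=TRAINING):
    """Run all three detectors; returns {(user, day): {detector: what it flagged}}."""
    profiles, derived = build_profiles(history), derive_rules(history)
    return {(r.user, r.day): {
        "statistical": [m for m, _ in statistical_anomalies(r, profiles)],
        "derived_rules": derived_rule_violations(r, derived),
        "expert_rules": expert_rule_matches(r),
    } for r in records}

if __name__ == "__main__":
    for key, verdict in evaluate().items():
        print(key, verdict)
```

The ordinary day passes all three detectors. The brute-force day trips the statistical test (failed-login counter and CPU usage are both far outside alice's profile) and an expert rule. The read of /etc/shadow by bob, whose metrics are otherwise normal, is invisible to the statistical test and is caught only by the rule-based checks, which is exactly the case question 6 describes. The account with no history is anomalous to both profile-based detectors, but the expert rules see it only because its record happens to match one of them.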

7. What is a honeypot?

Ans: Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. A honeypot has no production function, so any interaction with it is suspicious by definition. Beyond diverting the attacker, it collects information about the attacker's tools and methods and keeps the attacker occupied long enough for administrators to respond. It must be isolated so that a compromised honeypot cannot be used as a stepping stone into real systems.

8. What is a salt in the context of UNIX password management?

Ans: The salt is a random value, generated when the password is set and stored in the password file alongside the hashed password, that is combined with the password at the input to the one-way encryption (hashing) routine. Because of the salt, two users with the same password get different stored values, an attacker cannot tell from the file that they share a password, and a precomputed table of hashes cannot be reused across accounts: every candidate password must be hashed once per distinct salt. The salt need not be secret; its job is uniqueness, so it should be long enough that salts do not repeat (the classic UNIX crypt used only 12 bits, far too few by modern standards).
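To make questions 2 and 8 concrete, here is an added Python example, written for this page rather than taken from the tutorial or from any operating system's implementation, of both protections: a salted, iterated one-way transform for the stored values, using PBKDF2-HMAC-SHA256 from the standard library, and a password file created with owner-only permissions. The record format, the 16-byte salt, the iteration count and the account names are assumptions for the example; the two accounts are constructed with the same password so the effect of the salt is visible.

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16       # assumed salt length; far more than the 12 bits of classic crypt

def unsalted_hash(password: str) -> str:
    """The naive scheme, for contrast: equal passwords give equal stored values, so one
    precomputed table (or one cracked hash) breaks every account sharing a password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated one-way transform. The salt is random per account and stored
    in the clear beside the digest; it is not a secret, it just makes each hash unique."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    enc = lambda b: base64.b64encode(b).decode()
    return f"{ALGO}${ITERATIONS}${enc(salt)}${enc(digest)}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant
    time so a wrong guess cannot be told from a nearly right one by timing."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def write_password_file(path: str, accounts: dict) -> None:
    """The access-control half: create the file owner read/write only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, password in accounts.items():
            f.write(f"{user}:{hash_password(password)}\n")

def password_file_mode_ok(path: str) -> bool:
    """True when no group or world permission bits are set on the file."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def load_password_file(path: str) -> dict:
    with open(path) as f:
        return dict(line.rstrip("\n").split(":", 1) for line in f if ":" in line)

def demo_password_file() -> dict:
    """Two constructed accounts with the same password; returns what a reviewer checks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shadow")
        write_password_file(path, {"alice": "correct horse", "bob": "correct horse"})
        stored = load_password_file(path)
        return {
            "mode_ok": password_file_mode_ok(path),
            "hashes_differ": stored["alice"] != stored["bob"],
            "unsalted_collide": unsalted_hash("correct horse") == unsalted_hash("correct horse"),
            "alice_ok": verify_password("correct horse", stored["alice"]),
            "alice_wrong": verify_password("correct horse!", stored["alice"]),
        }

if __name__ == "__main__":
    for check, result in demo_password_file().items():
        print(f"{check}: {result}")
```

Running demo_password_file() shows that alice's and bob's stored values differ even though their passwords are equal, whereas unsalted_hash gives identical outputs for them; verification succeeds for the right password and fails for a near miss. The comparison goes through hmac.compare_digest so that verification time does not depend on how many leading bytes of the digest match.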

9. List and briefly define four techniques used to avoid guessable passwords.

Ans: User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.

Computer-generated passwords: Users are provided passwords generated by a computer algorithm.

Reactive password checking: The system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user.

Proactive password checking: A user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.
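As an added example of the proactive checking technique in question 9 (written for this page; the rules, the substitution table and the word list are assumptions, and the word list is a constructed stand-in for a real dictionary), the following Python checker decides at selection time whether a candidate password is allowable and reports why it is not:

```python
import re

MIN_LENGTH = 12  # assumed policy value
# Constructed mini word list; a real checker loads a full dictionary or a breached-password list.
DICTIONARY = {"password", "letmein", "welcome", "monash", "dragon", "qwerty", "football", "sunshine"}
# Substitutions crackers undo first, so the checker has to undo them too.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

def candidate_cores(password: str) -> set:
    """Forms of the password a dictionary attack would try: lower-cased, with leet
    substitutions undone, and with leading/trailing digits and punctuation stripped."""
    lower = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    cores = set()
    for base in (lower, stripped):
        unleet = base.translate(LEET)
        cores.update({base, unleet, re.sub(r"[^a-z]", "", unleet)})
    return cores

def check_password(password: str, username: str = "") -> list:
    """Proactive check at selection time. Returns the reasons for rejection; an empty
    list means the password is allowed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if candidate_cores(password) & DICTIONARY:
        reasons.append("is a dictionary word once case, leet substitutions and padding are undone")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("has a run of three or more identical characters")
    return reasons

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Monash!!!2024", "correct-Horse7battery", "alice2024Rocks!"):
        print(repr(pw), "->", check_password(pw, "alice") or "accepted")
```

The checker undoes the transformations crackers try first (case folding, leet substitutions, digits and punctuation appended to a word) before the dictionary lookup, so P@ssw0rd1! is rejected as a dictionary word even though it mixes four character classes. Reactive checking is the same logic applied after the fact by cracking the stored file; proactive checking is cheaper because a guessable password never reaches the file.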

What is the difference between signature-based and anomaly-based intrusion detection?

A signature-based IDS compares the packets (or audit records) it observes against a database of known attack signatures or indicators of compromise (IOCs) and raises an alert on a match, so it can only detect attacks it already has a signature for. An anomaly-based IDS instead alerts on behavior that departs from an established baseline, so it can flag previously unknown attacks, at the cost of more false positives when legitimate behavior changes.

Signature-based and anomaly-based detection are the two main methods of identifying and alerting on threats: signature-based detection is used for threats we already know, anomaly-based detection for changes in behavior.

What is statistical anomaly detection?

Anomaly detection is the identification of rare events, items, or observations that are suspicious because they differ significantly from established behaviors or patterns; anomalies in data are also called outliers, deviations, noise, novelties, or exceptions. Statistical anomaly detection applies this to audit data: a profile of normal behavior is built from historical observations (for example the mean and standard deviation of each metric), and current activity that falls outside a chosen statistical threshold is reported.

What is rule-based intrusion detection?

In a rule-based intrusion detection system an attack is detected only if a matching rule exists in the rule base and goes undetected otherwise. If it is combined with FIDS, intrusions that go undetected by the rule-based IDS (RIDS) can still be caught.