CS406 Study Guide

Unit 8: Intrusion Detection and Prevention Systems

8a. Discuss intrusion detection systems (IDS) and intrusion prevention systems (IPS), and the purpose of and need for each system

  • What is the difference between intrusion detection systems (IDS) and intrusion prevention systems (IPS)?
  • What are four intrusion detection evasion techniques?
  • What are four terms associated with the terminology used to determine if detection is successful?

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) both detect system intrusions. The main difference is that an IPS not only detects but also attempts to block the offending traffic from gaining access to the system. Intrusion prevention systems act as a preventive, proactive technology, whereas an IDS is more of a detective technology that recognizes an intrusion after it has occurred.

Four intrusion detection evasion techniques are fragmentation, flooding, obfuscation, and encryption. Fragmentation sends packets in fragments that must be reassembled, but spreads them over a long enough period that the target computer times out before the fragments can be reassembled. Flooding sends so many requests that the IDS is overwhelmed, with the result that all traffic is allowed into the system. Obfuscation conceals the data in a message so that it is not recognized as malicious code. Encryption is applied to malware so that the IDS cannot match the code to the signatures in its database, and the code is allowed into the system.

The four terms associated with intrusion detection are true positive, false positive, true negative, and false negative. A true positive means that an intrusion has been correctly identified: the IDS indicates the system is being attacked, and the system really is being attacked. A false positive means that the IDS indicates there is an attack when no attack is occurring. A true negative means that the IDS indicates there is no attack in progress, and indeed nothing has happened. A false negative means that the IDS fails to detect an attack that has occurred. The false negative is the worst-case scenario because the IDS is not recognizing an attack that has occurred or is in progress.
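The four terms above turn into measurable rates once IDS verdicts are compared against what really happened. The following is an added example (not part of the study guide) that counts the four outcomes over a constructed set of events and derives the detection rate and false-alarm rate from them:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    """Counts of the four IDS verdict / reality combinations."""
    true_positive: int    # alerted, and an attack really happened
    false_positive: int   # alerted, but nothing was wrong
    true_negative: int    # silent, and nothing happened
    false_negative: int   # silent, but an attack happened (worst case)

def classify_alerts(events):
    """events: iterable of (ids_alerted, was_really_an_attack) booleans."""
    tp = fp = tn = fn = 0
    for alerted, was_attack in events:
        if alerted and was_attack:
            tp += 1
        elif alerted and not was_attack:
            fp += 1
        elif not alerted and not was_attack:
            tn += 1
        else:
            fn += 1
    return Outcome(tp, fp, tn, fn)

def detection_rate(o):
    """Share of real attacks the IDS caught (true positive rate)."""
    attacks = o.true_positive + o.false_negative
    return o.true_positive / attacks if attacks else 0.0

def false_alarm_rate(o):
    """Share of benign events that still raised an alert (false positive rate)."""
    benign = o.false_positive + o.true_negative
    return o.false_positive / benign if benign else 0.0

# Constructed sample of eight events: (IDS alerted?, was it really an attack?)
SAMPLE_EVENTS = [
    (True, True), (True, True), (True, False), (False, False),
    (False, False), (False, False), (False, True), (True, True),
]
```

On the sample, one attack goes unalerted, so the detection rate is 0.75 and one of four benign events raises a false alarm.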

To review, see The Basics of Intrusion Detection Systems, Intrusion Detection Systems, and Comparison of IDS and IPS.


8b. Compare and contrast the characteristics of signature-based, anomaly-based, and rule-based IDS technologies

  • What is the difference between signature-based and anomaly-based intrusion detection systems (IDS)?
  • Why would an anomaly-based intrusion detection system (IDS) be the best type of IDS to identify zero-day attacks?
  • How is a rule-based intrusion detection system (IDS) similar to a firewall?

Both signature-based and anomaly-based intrusion detection systems (IDS) identify system intrusions, but in different ways. A signature-based IDS looks for known patterns, also called the intruder's signature. An anomaly-based IDS looks for unusual behavior. A signature-based IDS works best for known methods of attack, and an anomaly-based IDS works best for detecting unknown methods of attack.

Zero-day attacks are methods of attack that are unknown to those who would normally mitigate the attack. A signature-based IDS would not identify a zero-day attack because it compares traffic against a database of known attack signatures. A rule-based IDS identifies attacks based on a set of rules. An anomaly-based IDS would be the best type of IDS for identifying a zero-day attack because it detects unknown methods of attack.

Firewalls use a set of rules, called iptables on Linux systems, to determine whether traffic should be allowed. A rule-based IDS also uses rules, but to determine whether there is an attack on a system. A subject must meet a specific rule before access to an object is allowed, and the rule can be applied to all subjects without regard to identity. This type of rule is sometimes called an if/then rule: if something happens, then something else is allowed.
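To make the three approaches concrete, here is an added example (not from the study guide or any IDS product) that runs a signature matcher, an anomaly detector, and an if/then rule over the same constructed access-log lines. The "KnownBadScanner" agent string, the admin subnet, and the per-host baseline are all assumptions made up for the example:

```python
import ipaddress
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access-log lines: "<source IP> <path> <user agent>".
LOG_LINES = [
    "10.0.0.5 /index.html Mozilla/5.0",
    "10.0.0.5 /about.html Mozilla/5.0",
    "10.0.0.7 /index.html KnownBadScanner/1.0",   # hypothetical scanner agent string
    "10.0.0.7 /admin/ Mozilla/5.0",
] + [f"10.0.0.9 /page{i} curl/8.0" for i in range(1, 40)]  # one host suddenly very busy

# Constructed baseline: requests per host per minute observed during quiet operation.
BASELINE_PER_HOST = [3, 2, 4, 3, 2, 5, 3]

def parse(line):
    src, path, agent = line.split(" ", 2)
    return src, path, agent

# 1. Signature-based: compare every line with patterns of known attacks.
SIGNATURES = {"known-scanner-agent": re.compile(r"KnownBadScanner/"),
              "legacy-cgi-path": re.compile(r"^/cgi-bin/")}

def signature_alerts(lines):
    alerts = []
    for line in lines:
        src, path, agent = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path) or pattern.search(agent):
                alerts.append((name, src))
    return alerts

# 2. Anomaly-based: learn "normal" from the baseline, flag hosts far above it.
def anomaly_alerts(lines, baseline=BASELINE_PER_HOST, sigmas=3):
    threshold = mean(baseline) + sigmas * pstdev(baseline)   # about 6.1 here
    counts = Counter(parse(line)[0] for line in lines)
    return [(src, n) for src, n in counts.items() if n > threshold]

# 3. Rule-based (if/then): the rule applies to every source regardless of identity.
ADMIN_NET = ipaddress.ip_network("10.0.1.0/24")   # hypothetical admin subnet

def rule_alerts(lines):
    alerts = []
    for line in lines:
        src, path, _ = parse(line)
        # IF the admin area is requested from outside the admin subnet THEN alert.
        if path.startswith("/admin") and ipaddress.ip_address(src) not in ADMIN_NET:
            alerts.append(("admin-from-outside", src))
    return alerts
```

The busy host 10.0.0.9 matches no signature, so only the anomaly detector flags it, which is the zero-day situation described above.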

To review, see Signature-based IDS, Anomaly-based IDS, Rule-based IDS, Signature and Anomaly-based IDS, and Rule-based IDS Example.


8c. Compare and contrast network-based intrusion detection system (NIDS) and host-based intrusion detection systems (HIDS)

  • What type of technology can be used by network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS)?
  • What are the advantages of network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS)?
  • What are the disadvantages of intrusion detection systems (IDS)?

Network-based intrusion detection systems (NIDS) are used on networks, and host-based intrusion detection systems (HIDS) are used on individual hosts. Both NIDS and HIDS can use knowledge-based, signature-based, statistical anomaly-based, and rule-based intrusion detection. When a NIDS is used, the network interface card (NIC) is set to promiscuous mode so that all network traffic can be examined, while a HIDS examines activity on the host itself.

Using both NIDS and HIDS at the same time is advantageous, because what one system fails to detect the other may identify. An advantage of NIDS is that it can detect attacks that were unsuccessful and can identify attacks in real time as they occur. A HIDS can verify that an attack occurred and can monitor system activities on the host.

The disadvantages of IDS are that the systems can be expensive, and that they generate false positives and false negatives. For these reasons, qualified technicians must be on staff to monitor them. In short, the disadvantages come down to cost, time, and resources.

To review, see Network Intrusion Detection, A Review of Intrusion Detection, and Host-based Intrusion Detection Systems (HIDS).


8d. Explain the methodology of common system information and event management (SIEM) systems

  • What is the purpose of a system information and event management system (SIEM)?
  • When is a SIEM a necessary tool?
  • What is a common vulnerability exposure (CVE)?

A system information and event management system (SIEM) is a software tool that collects data and log information generated by systems. The information is then compiled into one platform to be viewed and analyzed by technicians. The advantage of using a SIEM is that all the data for the system can be seen at one time, which helps to identify the origins of an issue or an attack.

When a system is large or has a lot of activity, it often generates many logs and incidents. A lot of time must be spent reviewing each log to look for malicious activity. This is a time-consuming, difficult, and tedious task that takes a lot of manpower. A SIEM tool can make reviewing these logs much faster and more efficient.
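The two SIEM steps just described, collecting logs from different sources into one platform and then analyzing them together, look like the following in miniature. This is an added example, not code from the study guide or from any SIEM product; the SSH and firewall log formats and the IP addresses are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed log lines from two sources a SIEM would collect into one platform.
SSHD_LOG = [
    "2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T10:00:04 sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T10:00:07 sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T10:00:10 sshd: Accepted password for admin from 203.0.113.9",
    "2024-05-01T10:02:00 sshd: Failed password for bob from 198.51.100.4",
]
FIREWALL_LOG = [
    "2024-05-01T10:00:00 fw ALLOW src=203.0.113.9 dst=10.0.0.20 dport=22",
    "2024-05-01T10:03:00 fw ALLOW src=198.51.100.4 dst=10.0.0.20 dport=22",
]

SSHD_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def normalize(sshd_lines, fw_lines):
    """Parse both formats into common event records and merge them into one timeline."""
    events = []
    for line in sshd_lines:
        ts, outcome, user, src = SSHD_RE.match(line).groups()
        action = "login_fail" if outcome == "Failed" else "login_ok"
        events.append({"ts": ts, "source": "sshd", "src": src, "user": user, "action": action})
    for line in fw_lines:
        ts, verdict, src, dst, dport = FW_RE.match(line).groups()
        events.append({"ts": ts, "source": "fw", "src": src, "dst": dst,
                       "dport": int(dport), "action": "fw_" + verdict.lower()})
    # ISO-8601 timestamps sort correctly as strings, so the two sources interleave by time.
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, max_failures=3):
    """Flag a source that failed to log in max_failures times and then succeeded."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e["action"] == "login_fail":
            failures[e["src"]] += 1
        elif e["action"] == "login_ok" and failures[e["src"]] >= max_failures:
            findings.append({"src": e["src"], "user": e["user"], "at": e["ts"],
                             "failures_before_success": failures[e["src"]]})
    return findings
```

Reviewed one file at a time, the firewall log shows only allowed connections and the SSH log only a few failures; merged, the repeated failures followed by a success from one source stand out as a single finding.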

A common vulnerability exposure (CVE) identifies a known vulnerability. CVEs are numbers assigned to vulnerabilities; each CVE describes the vulnerability and provides links to important information connected to it. The list of CVEs is kept in a freely accessible database and is funded by the Department of Homeland Security (DHS).

To review, see Security Incident and Event Management (SIEM), Scanners, Network Scans, Web Application Scans, and Splunk for Security.


Unit 8 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • anomaly-based intrusion detection system (IDS)
  • common vulnerability exposure (CVE)
  • evasion
  • false negative
  • false positive
  • firewall
  • flooding
  • fragment
  • host-based intrusion detection system (HIDS)
  • intrusion detection systems
  • intrusion prevention systems
  • Linux
  • malware
  • network-based intrusion detection system (NIDS)
  • preventive
  • proactive
  • rule-based intrusion detection system (IDS)
  • signature-based intrusion detection system (IDS)
  • system information and event management system (SIEM)
  • true negative
  • true positive
  • zero-day