Computer Networks Questions & Answers – Intrusion Detection Systems
1. Which of the following is an advantage of anomaly detection?
a) Rules are easy to define
b) Custom protocols can be easily analyzed
c) The engine can scale as the rule set grows
d) Malicious activity that falls within normal usage patterns is detected
Answer: c
Explanation: Once a protocol has been built and a behavior defined, the engine
can scale more quickly and easily than the signature-based model because a new
signature does not have to be created for every attack and potential variant.
2. A false positive can be defined as…
a) An alert that indicates nefarious activity on a system that, upon further
inspection, turns out to represent legitimate network traffic or behavior
b) An alert that indicates nefarious activity on a system that is not running
on the network
c) The lack of an alert for nefarious activity
d) Both An alert that indicates nefarious activity on a system that, upon
further inspection, turns out to represent legitimate network traffic or
behavior and An alert that indicates nefarious activity on a system that is not
running on the network
Answer: d
Explanation: A false positive is any alert that indicates nefarious activity on
a system that, upon further inspection, turns out to represent legitimate
network traffic or behavior.
3. One of the most obvious places to put an IDS sensor is near the firewall.
Where exactly in relation to the firewall is the most productive placement?
a) Inside the firewall
b) Outside the firewall
c) Both inside and outside the firewall
d) Neither inside the firewall nor outside the firewall.
Answer: a
Explanation: There are legitimate political, budgetary and research reasons to
want to see all the “attacks” against your connection, but given the care and
feeding any IDS requires, do yourself a favor and keep your NIDS sensors on the
inside of the firewall.
4. What is the purpose of a shadow honeypot?
a) To flag attacks against known vulnerabilities
b) To help reduce false positives in a signature-based IDS
c) To randomly check suspicious traffic identified by an anomaly detection
system
d) To enhance the accuracy of a traditional honeypot
Answer: c
Explanation: “Shadow honeypots,” as researchers call them, share all the same
characteristics of protected applications running on both the server and client
side of a network and operate in conjunction with an ADS.
5. At which two traffic layers do most commercial IDSes generate signatures?
a) Application layer
b) Network layer
c) Transport layer
d) both Transport layer and Network layer
Answer: d
Explanation: Most commercial IDSes generate signatures at the network and
transport layers.
6. An IDS follows a two-step process consisting of a passive component and
an active component. Which of the following is part of the active component?
a) Inspection of password files to detect inadvisable passwords
b) Mechanisms put in place to reenact known methods of attack and record system
responses
c) Inspection of system to detect policy violations
d) Inspection of configuration files to detect inadvisable settings
Answer: b
Explanation: The passive component inspects the system (password files,
configuration files, policy compliance). The second, active component consists
of mechanisms set in place to reenact known methods of attack and to record
the system's responses.
7. When discussing IDS/IPS, what is a signature?
a) An electronic signature used to authenticate the identity of a user on the
network
b) Attack-definition file
c) It refers to “normal,” baseline network behavior
d) None of the above
Answer: b
Explanation: IDSes work in a manner similar to modern antivirus technology.
They are constantly updated with attack-definition files (signatures) that
describe each type of known malicious activity.
8. “Semantics-aware” signatures automatically generated by Nemean are based
on traffic at which two layers?
a) Application layer
b) Network layer
c) Session layer
d) both Application layer and Session layer
Answer: d
Explanation: Nemean automatically generates “semantics-aware” signatures based
on traffic at the session and application layers.
9. Which of the following is used to provide a baseline measure for
comparison of IDSes?
a) Crossover error rate
b) False negative rate
c) False positive rate
d) Bit error rate
Answer: a
Explanation: As the sensitivity of systems may cause the false
positive/negative rates to vary, it’s critical to have some common measure that
may be applied across the board.
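Added worked example for question 9 (and the false positive definition from question 2); this is not part of the original quiz. It constructs alert scores for two hypothetical detectors, sweeps the alert threshold (the "sensitivity"), and finds the point where the false positive rate and false negative rate cross. That crossover error rate is a single number that can be compared between detectors even though each one's FPR and FNR move as its threshold is tuned. The scores, detector names and thresholds are all constructed for illustration.

```python
"""Crossover error rate (CER) for comparing detectors with different sensitivities.

Added example for this quiz; the alert scores below are constructed and do not
come from any real IDS. Each event is (detector score, true label), where the
label says whether the event really was an attack.
"""

# Constructed alert scores: benign events labelled False, attacks labelled True.
EVENTS_A = [(s, False) for s in (0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8)] + \
           [(s, True) for s in (0.3, 0.55, 0.7, 0.75, 0.8, 0.9, 0.95, 0.99)]
EVENTS_B = [(s, False) for s in (0.1, 0.15, 0.2, 0.25, 0.3, 0.35, 0.4, 0.9)] + \
           [(s, True) for s in (0.2, 0.5, 0.6, 0.7, 0.8, 0.85, 0.95, 0.99)]


def confusion(events, threshold):
    """Count (TP, FP, TN, FN) when the IDS alerts on every score >= threshold.

    A false positive is an alert raised for a benign event (question 2);
    a false negative is an attack that produced no alert.
    """
    tp = fp = tn = fn = 0
    for score, is_attack in events:
        alerted = score >= threshold
        if alerted and is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def error_rates(events, threshold):
    """Return (false positive rate, false negative rate) at one sensitivity setting."""
    tp, fp, tn, fn = confusion(events, threshold)
    fpr = fp / (fp + tn) if fp + tn else 0.0
    fnr = fn / (fn + tp) if fn + tp else 0.0
    return fpr, fnr


def sweep(events):
    """FPR/FNR at every threshold the detector could be tuned to."""
    thresholds = sorted({score for score, _ in events})
    return [(t, *error_rates(events, t)) for t in thresholds]


def crossover_error_rate(events):
    """Threshold and error rate where FPR and FNR meet (or come closest)."""
    t, fpr, fnr = min(sweep(events), key=lambda row: abs(row[1] - row[2]))
    return t, (fpr + fnr) / 2


if __name__ == "__main__":
    for name, events in (("IDS A", EVENTS_A), ("IDS B", EVENTS_B)):
        for t, fpr, fnr in sweep(events):
            print(f"{name} threshold={t:.2f} FPR={fpr:.3f} FNR={fnr:.3f}")
        print(name, "crossover:", crossover_error_rate(events))
```

With these constructed scores, detector A crosses over at a threshold of 0.7 with a CER of 0.25, and detector B at 0.5 with a CER of 0.125, so B separates attacks from benign traffic better regardless of where either one happens to be tuned. In practice the event labels come from a labelled test set or a replayed capture, and the CER is only as trustworthy as those labels.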
10. Which of the following is true of signature-based IDSes?
a) They alert administrators to deviations from “normal” traffic behavior
b) They identify previously unknown attacks
c) The technology is mature and reliable enough to use on production networks
d) They scan network traffic or packets to identify matches with
attack-definition files
Answer: d
Explanation: They are constantly updated with attack-definition files
(signatures) that describe each type of known malicious activity. They then
scan network traffic for packets that match the signatures, and then raise
alerts to security administrators.
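Added worked example for questions 1 and 10; it is not part of the original quiz. It runs a tiny signature-based scanner (an "attack-definition file" of byte patterns, in the spirit of a Snort content rule) and a tiny anomaly-based scanner (a baseline learned from normal traffic) over the same constructed packets. The known attack of ordinary size is caught only by the signature; the oversized unknown variant and the never-seen port are caught only by the anomaly baseline, with no new signature written. The packets, hosts, rule names and threshold are all constructed for this illustration.

```python
"""Signature matching versus anomaly detection over constructed packet records.

Added example for this quiz; the rules, hosts and traffic below are constructed
for illustration and are not taken from any real IDS rule set or capture.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


def http_get(path: bytes, host: bytes = b"shop.example.test") -> bytes:
    """Build a minimal HTTP request payload (constructed traffic)."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


# Constructed "attack-definition file": name, destination port, byte pattern.
# Each entry plays the role of one signature (compare a Snort content rule).
SIGNATURES = [
    ("path-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("web-cmd-injection", 80, re.compile(rb"[;|]\s*(cat|wget|curl)\b")),
]


def signature_scan(packets):
    """Signature-based IDS: report every packet matching a known definition."""
    alerts = []
    for pkt in packets:
        for name, port, pattern in SIGNATURES:
            if pkt.dst_port == port and pattern.search(pkt.payload):
                alerts.append((name, pkt.src))
    return alerts


def build_baseline(training):
    """Anomaly-based IDS, learning phase: summarise what 'normal' looks like."""
    lengths = [len(p.payload) for p in training]
    return {
        "mean_len": statistics.mean(lengths),
        "stdev_len": statistics.pstdev(lengths) or 1.0,  # avoid division by zero
        "ports": {p.dst_port for p in training},
    }


def anomaly_scan(packets, baseline, z_threshold=3.0):
    """Anomaly-based IDS, detection phase: flag deviations from the baseline."""
    alerts = []
    for pkt in packets:
        if pkt.dst_port not in baseline["ports"]:
            alerts.append(("unseen-port", pkt.src))
            continue
        z = abs(len(pkt.payload) - baseline["mean_len"]) / baseline["stdev_len"]
        if z > z_threshold:
            alerts.append(("payload-length-outlier", pkt.src))
    return alerts


# Constructed training traffic: ordinary requests to a web server on port 80.
TRAINING = [
    Packet("10.0.0.%d" % i, 80, http_get(path))
    for i, path in enumerate([
        b"/", b"/index.html", b"/about.html", b"/products/list.html",
        b"/static/css/site.css", b"/images/logo.png", b"/cart", b"/login",
        b"/api/v1/items", b"/checkout",
    ])
]
BASELINE = build_baseline(TRAINING)

# Constructed test traffic, one packet per case the quiz questions describe.
TEST_TRAFFIC = [
    Packet("10.0.1.1", 80, http_get(b"/index.html")),        # benign
    Packet("10.0.1.2", 80, http_get(b"/../../etc/passwd")),  # known attack, normal size
    Packet("10.0.1.3", 80, http_get(b"/" + b"A" * 3000)),    # unknown variant, oversized
    Packet("10.0.1.4", 4444, b"\x00\x01\x02\x03"),            # port never seen in training
]


if __name__ == "__main__":
    print("signature alerts:", signature_scan(TEST_TRAFFIC))
    print("anomaly alerts:  ", anomaly_scan(TEST_TRAFFIC, BASELINE))
```

The traversal request is the case behind option d of question 1: it fits the size and port profile of normal traffic, so the anomaly baseline stays silent and only the signature fires. The 3000-byte request has no signature, yet the baseline flags it without anyone writing a rule for that variant. Real anomaly engines model far more than length and port, and the quality of the baseline (and of the training traffic it was learned from) decides the false positive rate in production.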