1.) Which of the following is an advantage of anomaly detection? c. The engine can scale as the rule set grows.

Answer from IDS: Signature versus anomaly detection: A disadvantage of anomaly-detection engines is the difficulty of defining rules. Each protocol being analyzed must be defined, implemented and tested for accuracy. The rule development process is also compounded by differences in vendor implementations of the various protocols. Custom protocols traversing the network cannot be analyzed without great effort. Moreover, detailed knowledge of normal network behavior must be constructed and transferred into the engine memory for detection to occur correctly. On the other hand, once a protocol has been built and a behavior defined, the engine can scale more quickly and easily than the signature-based model because a new signature does not have to be created for every attack and potential variant.

2.) A false positive can be defined as… d. Both a. and b.

Answer from How to limit false positives in IPSes: As intrusion-prevention systems (IPSes) are increasingly deployed in corporate datacenters and network edges around the world, the issue of false positives grows. A false positive is any alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior. Too many false positives can reduce the intrinsic value of the data received from the system and can become a problem as network attacks increase over time (think of The boy who cried wolf).

Answer from Maximizing IDS/IPS implementations: Many security products provide fantastic detail on the alerts they generate. Unfortunately, much of that detail is irrelevant for a large number of networks. Be sure to tune the alerts so they reflect the "ground truth" of your network. For example, if it's not running any instances of Microsoft SQL Server, the IDS/IPS shouldn't be monitoring for SQL Server exploits -- that's just asking for false positives!

3.) One of the most obvious places to put an IDS sensor is near the firewall. Where exactly in relation to the firewall is the most productive placement? a. Inside the firewall

Answer from Where to place IDS sensors: There are legitimate political, budgetary and research reasons to want to see all the "attacks" against your connection, but given the care and feeding any IDS requires, do yourself a favor and keep your NIDS sensors on the inside of the firewall. We all know the Internet has a lot of evil traffic, so there's usually no need to waste the resources to prove it.

4.) What is the purpose of a shadow honeypot? c. To randomly check suspicious traffic identified by an anomaly detection system.

Answer from Hybrid honeypots 'shadow' intrusion prevention systems: "Shadow honeypots," as researchers call them, share all the same characteristics of protected applications running on both the server and client side of a network and operate in conjunction with an ADS. When sensors detect something suspicious, it's sent to the shadow honeypot for further analysis. This reduces the number of false positives immediately generated by the ADS. As a backup, the traffic sent through is randomly checked again by the shadow honeypot to increase accuracy and prevent actual attacks from getting into the network.

5.) At which two traffic layers do most commercial IDSes generate signatures? b. network layer d. transport layer

Answer from New 'semantics-aware' IDS reduces false positives: Most commercial IDSes generate signatures at the network and transport layers.

6.) An IDS follows a two-step process consisting of a passive component and an active component. Which of the following is part of the active component? b. Mechanisms put in place to reenact known methods of attack and record system responses.

Answer from the SearchSecurity.com glossary: Typically, an ID system follows a two-step process. The first procedures are host-based and are considered the passive component; these include: inspection of the system's configuration files to detect inadvisable settings; inspection of the password files to detect inadvisable passwords; and inspection of other system areas to detect policy violations. The second procedures are network-based and are considered the active component: mechanisms are set in place to reenact known methods of attack and to record system responses.

7.) When discussing IDS/IPS, what is a signature? b. Attack-definition file

Answer from Bridging the gap between perimeter and host security: Signature-based intrusion-detection systems (IDSes) work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity.

8.) "Semantics-aware" signatures automatically generated by Nemean are based on traffic at which two layers? a. application layer c. session layer

Answer from New 'semantics-aware' IDS reduces false positives: Nemean automatically generates "semantics-aware" signatures based on traffic at the session and application layers.

9.) Which of the following is used to provide a baseline measure for comparison of IDSes? a. crossover error rate

Answer from Evaluating and tuning an intrusion detection system: The Crossover Error Rate (CER) is often used to provide a baseline measure for comparison of intrusion-detection systems. As the sensitivity of systems may cause the false positive/negative rates to vary, it's critical to have some common measure that may be applied across the board. The CER for a system is determined by adjusting the system's sensitivity until the false positive rate and the false negative rate are equal, as shown in the figure below. You may then evaluate several different IDSs by running them on the same network and measuring the CER for each. If you're interested in achieving a balance between false positives and false negatives, you may then simply select the system with the lowest CER. On the other hand, if detecting every single attack is of the utmost priority, you may still wish to select the system with the lowest false negative rate, recognizing that this selection may increase the administrative overhead associated with false positive reports.
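The CER procedure above, worked through in code as an added example (not from the quoted article): two hypothetical sensors, A and B, are assumed to have scored the same labelled traffic, the alert threshold is swept until the false positive and false negative rates meet, and the candidates are ranked by the resulting CER.

```python
"""Crossover Error Rate (CER) for comparing intrusion-detection systems.

Added example, not from the quoted article. Each candidate IDS is represented
by constructed (score, is_attack) pairs: score is how suspicious the sensor
rated an event (0..1); is_attack is ground truth from a labelled test run.
Raising the alert threshold trades false positives for false negatives; the
CER is the rate at the threshold where the two are equal.
"""

# Constructed output of two hypothetical sensors, A and B, on the same
# labelled traffic: 10 benign and 10 attack events each.
SYSTEM_A = (
    [(s, False) for s in (0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.40, 0.55, 0.70, 0.85)]
    + [(s, True) for s in (0.35, 0.45, 0.60, 0.65, 0.75, 0.80, 0.90, 0.92, 0.95, 0.98)]
)
SYSTEM_B = (
    [(s, False) for s in (0.05, 0.10, 0.12, 0.18, 0.22, 0.28, 0.33, 0.38, 0.42, 0.90)]
    + [(s, True) for s in (0.30, 0.55, 0.66, 0.71, 0.77, 0.83, 0.88, 0.93, 0.96, 0.99)]
)


def error_rates(events, threshold):
    """Return (false_positive_rate, false_negative_rate) when every event
    scoring >= threshold raises an alert."""
    benign = [s for s, is_attack in events if not is_attack]
    attacks = [s for s, is_attack in events if is_attack]
    fpr = sum(1 for s in benign if s >= threshold) / len(benign)
    fnr = sum(1 for s in attacks if s < threshold) / len(attacks)
    return fpr, fnr


def crossover_error_rate(events, steps=100):
    """Sweep the threshold over [0, 1]; return (threshold, cer) at the first
    point where |FPR - FNR| is smallest, cer being the shared rate there."""
    best_gap, best_t, best_cer = None, None, None
    for i in range(steps + 1):
        t = i / steps
        fpr, fnr = error_rates(events, t)
        gap = abs(fpr - fnr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_cer = gap, t, (fpr + fnr) / 2
    return best_t, best_cer


def rank_by_cer(systems):
    """Order candidates (name -> events) from lowest CER up: the article's
    selection rule when false positives and negatives matter equally."""
    return sorted(systems, key=lambda n: crossover_error_rate(systems[n])[1])
```

Sensor A crosses at a threshold of 0.56 with a CER of 0.2, sensor B at 0.43 with a CER of 0.1, so B is the pick when both error types weigh equally.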

10.) Which of the following is true of signature-based IDSes? d. They scan network traffic or packets to identify matches with attack-definition files.

Answer from Bridging the gap between perimeter and host security 

  • Signature-based intrusion-detection systems (IDSes) work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. They then scan network traffic for packets that match the signatures, and then raise alerts to security administrators.
  • Anomaly-based IDSes work on a different principle. They learn the profile of "normal" network activity by monitoring the network over time, and then alert administrators to any deviations from that norm. The major advantage to anomaly-based systems is their ability to identify previously unknown attacks. Unfortunately, they haven't quite entered the mainstream of information security and reached the point of maturity where they're reliable enough for use on production networks.

This was last published in August 2005