Which of the following is an advantage of anomaly detection?
Explanation: Once a protocol has been built and a behavior defined, the engine can scale more quickly and easily than the signature-based model because a new signature does not have to be created for every attack and potential variant.
A false positive can be defined as…
Explanation: A false positive is any alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior.
One of the most obvious places to put an IDS sensor is near the firewall. Where exactly in relation to the firewall is the most productive placement?
Explanation: There are legitimate political, budgetary and research reasons to want to see all the “attacks” against your connection, but given the care and feeding any IDS requires, do yourself a favor and keep your NIDS sensors on the inside of the firewall.
What is the purpose of a shadow honeypot?
Explanation: “Shadow honeypots,” as researchers call them, share all the same characteristics of protected applications running on both the server and client side of a network and operate in conjunction with an ADS.
At which two traffic layers do most commercial IDSes generate signatures?
Answer: b, d
Explanation: Most commercial IDSes generate signatures at the network and transport layers.
An IDS follows a two-step process consisting of a passive component and an active component. Which of the following is part of the active component?
Explanation: In the second, active component, mechanisms are set in place to re-enact known methods of attack and to record the system's responses.
When discussing IDS/IPS, what is a signature?
Explanation: IDSes work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity.
“Semantics-aware” signatures automatically generated by Nemean are based on traffic at which two layers?
Answer: a, c
Explanation: Nemean automatically generates “semantics-aware” signatures based on traffic at the session and application layers.
Which of the following is used to provide a baseline measure for comparison of IDSes?
Explanation: As the sensitivity of systems may cause the false positive/negative rates to vary, it’s critical to have some common measure that may be applied across the board.
Which of the following is true of signature-based IDSes?
Explanation: They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. They then scan network traffic for packets that match the signatures, and then raise alerts to security administrators.