Flashcards covering the fundamentals of Intrusion Detection Systems (IDS), including types of intruders, behavior steps, HIDS vs. NIDS, detection approaches, and Snort rule basics.
Intrusion
A significant security problem for networked systems involving hostile, or at least unwanted, trespass (entering without permission) by users or software.
User Trespass
Unauthorized logon to a machine or, in the case of an authorized user, the acquisition of privileges or performance of actions beyond those that have been authorized.
Software Trespass
A form of intrusion that can take the form of a virus, worm, or Trojan horse.
Cyber criminals
Individuals or members of an organized crime group with a goal of financial reward.
Activists
Also known as hacktivists; individuals or members of a larger group of outsider attackers motivated by social or political causes, often with a quite low skill level.
State-sponsored organizations
Groups of hackers sponsored by governments to conduct espionage or sabotage activities, also known as Advanced Persistent Threats (APTs).
Security Intrusion
A security event, or combination of events, in which an intruder gains or attempts to gain unauthorized access to a system or system resource.
Intrusion Detection
A security service that monitors and analyzes system events to find and provide real-time or near real-time warnings of unauthorized access attempts.
Sensors (IDS Component)
The logical components of an Intrusion Detection System responsible for collecting data.
Analyzers (IDS Component)
Components that receive input from sensors to determine if an intrusion occurred, provide evidence for that conclusion, and offer guidance on actions to take.
User Interface (IDS Component)
Enables a user to view system output or control the behavior of the Intrusion Detection System.
Host-based IDS (HIDS)
Monitors the characteristics and events occurring within a single host, such as process identifiers and system calls, for evidence of suspicious activity.
Network-based IDS (NIDS)
Monitors network traffic for particular segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
Distributed or hybrid IDS
A system that combines information from a number of sensors, often both host and network-based, into a central analyzer for better identification and response.
Signature Recognition
Also known as misuse detection; it identifies events that indicate misuse of a system resource by matching traffic against a database of known intrusion patterns.
Anomaly Detection
Detects intrusions by first collecting sensor data during normal operations to build a baseline of legitimate behavior, then flagging current activity that deviates significantly from that baseline.
Statistical Anomaly Detection
Analysis of observed behavior using univariate, multivariate, or time-series models of observed metrics.
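The univariate case of the statistical approach above, as an added example that is not part of the original flashcards: the model is a per-user mean and standard deviation of failed logons per hour, and an observed hour is reported when its z-score exceeds a threshold. The training table, the syslog-like line format, the user names and addresses, and the three-standard-deviation threshold are all constructed assumptions for illustration.

```python
"""Univariate statistical anomaly detection over constructed auth-log lines.

Added example, not from the original flashcards. A per-user baseline (mean and
standard deviation of failed logons per hour) is built from a constructed
training table; observed log lines are then parsed, bucketed per user and
hour, and any hour whose z-score exceeds a threshold is reported.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed baseline: failed logons per hour for each user during normal
# operations, 12 hourly buckets each (values invented for illustration).
TRAINING_HOURLY_COUNTS = {
    "alice": [1, 0, 2, 1, 0, 1, 3, 0, 1, 2, 0, 1],
    "svc-backup": [0] * 12,   # a service account that never fails to log on
}

# Constructed observed lines in a simplified syslog-like format (hypothetical).
OBSERVED_LOG = "\n".join(
    [f"2024-03-02T03:00:{i:02d} sshd[2{i:02d}]: Failed password for alice from 198.51.100.7"
     for i in range(30)]   # 30 failures in one hour from an outside address
    + [
        "2024-03-02T09:15:41 sshd[301]: Failed password for alice from 10.0.0.5",
        "2024-03-02T09:47:03 sshd[302]: Failed password for alice from 10.0.0.5",
        "2024-03-02T09:48:12 sshd[303]: Failed password for alice from 10.0.0.5",
        "2024-03-02T11:02:55 sshd[304]: Failed password for svc-backup from 10.0.0.9",
        "2024-03-02T11:03:10 sshd[305]: Accepted password for bob from 10.0.0.6",
        "2024-03-02T11:09:33 sshd[306]: Failed password for bob from 10.0.0.6",
    ]
)

# Captures the hour bucket ('YYYY-MM-DDTHH'), the user and the source address.
FAILED_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def build_baseline(training_counts):
    """Per-user (mean, population stddev) of the hourly failed-logon metric."""
    return {user: (statistics.mean(c), statistics.pstdev(c))
            for user, c in training_counts.items()}


def hourly_failed_logons(log_text):
    """Count failed logons per user and per hour bucket in the observed lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:   # lines that are not failed logons are ignored
            counts[m.group("user")][m.group("hour")] += 1
    return counts


def z_score(value, mean, stddev):
    """Standard deviations above the baseline mean. A baseline that never
    varied (stddev 0) makes any departure from the mean infinitely unusual."""
    if stddev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stddev


def detect_anomalies(log_text, baseline, threshold=3.0):
    """Return (alerts, unprofiled): alerts are (user, hour, count, z) tuples for
    hours more than `threshold` standard deviations above the user's mean;
    unprofiled lists users seen in the log that have no baseline yet."""
    alerts, unprofiled = [], set()
    for user, hours in hourly_failed_logons(log_text).items():
        if user not in baseline:
            unprofiled.add(user)   # cannot be scored until training data exists
            continue
        mean, stddev = baseline[user]
        for hour, n in sorted(hours.items()):
            z = z_score(n, mean, stddev)
            if z > threshold:
                alerts.append((user, hour, n, round(z, 2)))
    return alerts, sorted(unprofiled)


if __name__ == "__main__":
    found, unknown = detect_anomalies(OBSERVED_LOG, build_baseline(TRAINING_HOURLY_COUNTS))
    for user, hour, n, z in found:
        print(f"ALERT {user} {hour}: {n} failed logons (z={z})")
    print("users without a baseline:", unknown)
```

With this baseline alice's three daytime failures at 09:00 score about z = 2.2 and stay under the threshold, while the 30 night-time failures score above 30 and are reported; the service account, whose baseline never varied, is reported on a single failure, and bob, who has no profile, is listed as unprofiled rather than silently scored. The same scheme applies to any per-entity metric (bytes sent, processes spawned), and it carries the usual anomaly-detection caveats: the baseline must come from genuinely clean activity, and the threshold trades false positives against slow, low-volume attacks that stay inside the normal band.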
Knowledge-based Anomaly Detection
Approaches using an expert system to classify behavior according to a set of rules that model legitimate behavior.
Machine-learning Anomaly Detection
Approaches that automatically determine a suitable classification model from training data using data mining techniques.
Protocol Anomaly Detection
A form of anomaly detection that checks observed traffic against the protocol specification (typically TCP/IP) and flags deviations; such models must account for the differing ways vendors implement the specification.
Rule-based Heuristic Identification
Involves the use of rules specific to a machine and OS to identify known penetrations or those exploiting known weaknesses.
Passive NIDS Sensor
A sensor that monitors a copy of network traffic via a monitoring interface in promiscuous mode with no IP address, separate from its management interface.
Snort
An open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
Snort Rule Header
The part of a Snort rule, before the parentheses, that specifies the action (e.g., alert, log, pass), the protocol, the source and destination IP addresses and ports, and the direction operator (-> or <>).
Snort Rule Options
The part of a Snort rule, inside parentheses, that specifies the alert message (msg), the content to search for within the packet payload, and other modifiers such as nocase and the rule's sid; each option ends with a semicolon.
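The two-part rule structure described in the last two cards, as an added example that is not Snort's own code and not from the original flashcards: a parser that splits a rule into its header fields and its option list, and a matcher that applies the header and the content options to packets. The variable bindings, the rule itself, the packet records and the supported subset of the rule language (any, ! negation, lo:hi port ranges, $VAR expansion, -> and <>, msg, content with |hex| segments, nocase, sid) are all assumptions for illustration; options such as flow are parsed but not evaluated.

```python
"""Small Snort-rule parser and matcher: header fields, options, content search.
Added example, not Snort's own code and not from the flashcards. Supported subset:
action, protocol, address/port specs (any, ! negation, lo:hi ranges, $VAR
expansion), the -> and <> direction operators, and the msg, content (with |hex|
segments), nocase and sid options. Other options (e.g. flow) are parsed only."""
import ipaddress

# Constructed variable bindings, standing in for snort.conf ipvar/portvar.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24",
        "$HTTP_PORTS": "80"}

# Constructed rule; sids of 1,000,000 and above are reserved for local rules.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
        '(msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; '
        'content:"GET"; content:"/etc/|70 61 73 73 77 64|"; nocase; '
        'sid:1000001; rev:1;)')

# Constructed, already-decoded packets; only the first one should fire the rule.
FIELDS = ("proto", "src", "sport", "dst", "dport", "payload")
PACKETS = [dict(zip(FIELDS, row)) for row in [
    ("tcp", "203.0.113.9", 51234, "192.168.1.20", 80, b"GET /v?f=../../ETC/Passwd HTTP/1.1\r\n"),
    ("tcp", "192.168.1.5", 51235, "192.168.1.20", 80, b"GET /etc/passwd HTTP/1.1\r\n"),  # internal src
    ("tcp", "203.0.113.9", 51236, "192.168.1.20", 80, b"get /etc/passwd HTTP/1.1\r\n"),  # GET is case-sensitive
    ("udp", "203.0.113.9", 51237, "192.168.1.20", 80, b"GET /etc/passwd"),             # wrong protocol
]]

def parse_options(body):
    """(key, value) pairs; ';' inside double quotes belongs to the value, quotes dropped."""
    opts, cur, quoted = [], "", False
    for ch in body + ";":   # the appended ';' flushes the last option
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            key, _, value = cur.strip().partition(":")
            if key:
                opts.append((key, value.strip()))
            cur = ""
        else:
            cur += ch
    return opts

def parse_rule(text):
    """Header is 'action proto src sport direction dst dport'; options follow in ()."""
    header, _, options = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError(f"unknown direction operator {direction!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": parse_options(options.rstrip().rstrip(")"))}

def content_bytes(value):
    """Text outside |...| is literal; hex digits inside become raw bytes."""
    return b"".join(bytes.fromhex(seg) if i % 2 else seg.encode()
                    for i, seg in enumerate(value.split("|")))

def match_addr(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def match_port(spec, port):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")   # "80", "80:90", ":1024", "1024:"
    lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 65535 if sep else int(lo))
    return (lo <= port <= hi) != spec.startswith("!")

def rule_matches(rule, p):
    """Header test (both ways for <>), then every content test. nocase applies
    only to the content option immediately before it, as in Snort."""
    if rule["proto"] not in ("ip", p["proto"]):
        return False
    def one_way(src, sport, dst, dport):
        return (match_addr(src, p["src"]) and match_port(sport, p["sport"])
                and match_addr(dst, p["dst"]) and match_port(dport, p["dport"]))
    hit = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"]) or (
        rule["direction"] == "<>"
        and one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"]))
    if not hit:
        return False
    contents = []   # [needle, nocase] in rule order
    for key, value in rule["options"]:
        if key == "content":
            contents.append([content_bytes(value), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    return all(n.lower() in p["payload"].lower() if nocase else n in p["payload"]
               for n, nocase in contents)

def alerts(rule_text, packets):
    """The alert line the rule would produce for each packet it fires on."""
    rule = parse_rule(rule_text)
    opts = dict(rule["options"])
    return [f'[{rule["action"]}] [sid:{opts.get("sid")}] {opts.get("msg")} '
            f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}'
            for p in packets if rule_matches(rule, p)]

if __name__ == "__main__":
    print("\n".join(alerts(RULE, PACKETS)))
```

Only the first packet fires: the second comes from inside $HOME_NET, which the negated $EXTERNAL_NET excludes; the third fails the case-sensitive "GET" content even though the nocase-modified "/etc/passwd" content would match; the fourth is UDP. The matcher works on already-decoded payloads, so it shows the rule logic only; a real NIDS also has to reassemble streams and normalize encodings before content matching, which is where evasion attempts aim.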