What is the difference between statistical anomaly detection and rule-based intrusion detection?

1.     List and briefly define three classes of intruders.

Ans: Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

2.     What are two common techniques used to protect a password file?

Ans: One-way encryption: The system stores only a one-way transformed (hashed) form of the user's password, never the password itself. When the user presents a password, the system applies the same transformation and compares the result with the stored value. The transformation is not reversible; in the classic UNIX scheme the password is used as a key to an encryption function whose fixed-length output is stored, and modern systems use a dedicated password hash. Access control: Read access to the password file is limited to one or a very few privileged accounts, so an attacker who cannot read the file cannot run an offline guessing attack against it.

3.     What are three benefits that can be provided by an intrusion detection system?

Ans: 1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved. 2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions. 3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

4.     What is the difference between statistical anomaly detection and rule-based intrusion detection?

Ans: Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Rule-Based Detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.

5.     What metrics are useful for profile-based intrusion detection?

Ans: Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Interval timer: The length of time between two related events. Resource utilization: Quantity of resources consumed during a specified period.

6.     What is the difference between rule-based anomaly detection and rule-based penetration identification?

Ans: With rule-based anomaly detection, historical audit records are analyzed to identify usage patterns and to generate automatically rules that describe those patterns. Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior. Rule-based penetration identification uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. Typically, the rules used in these systems are specific to the machine and operating system. Also, such rules are generated by "experts" rather than by means of an automated analysis of audit records.

7.     What is a honeypot?

Ans: Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.

8.     What is a salt in the context of UNIX password management?

Ans: The salt is a random value that is combined with the password at the input to the one-way encryption routine and stored in the clear alongside the result. It serves three purposes: two users who choose the same password get different stored values; the work of a precomputed dictionary attack is multiplied by the number of possible salt values, since each candidate password must be tried with each salt; and it is harder to tell whether a person has used the same password on two or more systems.

9.     List and briefly define four techniques used to avoid guessable passwords.

Ans: User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords. Computer-generated passwords: Users are provided passwords generated by a computer algorithm. Reactive password checking: the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. Proactive password checking: a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.
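The following Python program is an added example, not part of the textbook answers above, that ties answers 2, 8 and 9 together: a proactive password checker rejects guessable passwords at selection time, and anything accepted is stored only as a salted one-way transform. It assumes PBKDF2-HMAC-SHA256 as the one-way function (classic UNIX crypt used a DES-based routine; the principle is the same), a 16-byte random salt, an iteration count chosen for illustration, and a tiny constructed word list standing in for a real cracking dictionary.

```python
"""Salted one-way password storage with a proactive password checker.

Added example (not from the original page). Uses only the standard library.
The word list, iteration count and record format are assumptions made for
illustration, not the behavior of any particular system.
"""
import hashlib
import hmac
import os

# Constructed mini-dictionary standing in for a real cracking word list.
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "admin", "monkey"}
ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune for your hardware


def check_password_policy(password: str, username: str) -> list[str]:
    """Proactive checker run at selection time. Returns the reasons the
    password is not allowable; an empty list means it is accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() == username.lower():
        problems.append("equals the user name")
    # Strip common digit/symbol padding so 'Password1!' is still caught.
    core = password.lower().strip("0123456789!@#$%^&*.")
    if core in DICTIONARY or password.lower() in DICTIONARY:
        problems.append("dictionary word")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def make_record(password: str) -> str:
    """One-way transform: fresh random salt + PBKDF2-HMAC-SHA256. Returns the
    string that would be written to the password file; the password itself
    is never stored. The salt is kept in the clear inside the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the transform with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def enroll(username: str, password: str) -> str:
    """Proactive check first, then store. Raises ValueError if rejected."""
    problems = check_password_policy(password, username)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return make_record(password)


if __name__ == "__main__":
    rec1 = enroll("alice", "Correct-Horse-Battery-7")
    rec2 = enroll("bob", "Correct-Horse-Battery-7")
    # Same password, different salts -> different stored values, so a table
    # precomputed against one record says nothing about the other.
    print("distinct records:", rec1 != rec2)
    print("correct password:", verify("Correct-Horse-Battery-7", rec1))
    print("wrong password:", verify("Correct-Horse-Battery-8", rec1))
    try:
        enroll("carol", "Password1!")
    except ValueError as err:
        print(err)
```

Two things are worth noticing when running it: the two records for the identical password differ in every byte after the iteration count, which is exactly what the salt buys you, and the proactive checker catches "Password1!" as a dictionary word even though it passes a naive character-class test.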

Intrusion detection systems (IDS) play an important role in helping managed services providers (MSPs) establish robust and comprehensive security. There are several different types of IDS, which can often lead to confusion when deciding which type is best suited to the needs of your business, as well as those of your customers.

To help you understand the types of intrusion detection systems available—such as host-based, network-based, signature-based, and anomaly-based—this guide will explain the key differences and use cases for each.

What is an intrusion detection system?

An intrusion detection system is a software application or hardware device that monitors network traffic, activity on a host, or both for signs of malicious activity or violations of security policy. Intrusion detection systems are often likened to intruder alarms: they notify you of activity that might compromise your data or network.

IDS products search for suspicious behavior or signs of compromise by analyzing the packets that cross your network, the patterns in that traffic, and, for host-based sensors, local logs and system activity. Intrusion detection systems are generally passive: they alert rather than block. Products that also drop or reset malicious traffic are usually marketed as intrusion prevention systems (IPS). On the whole, an IDS is used to gain near real-time visibility into potential compromises.

Depending on the type deployed, IDS products behave differently. A network-based intrusion detection system (NIDS) places sensors at strategic points in the network, typically fed from a span port or tap so that monitoring does not add latency or bottlenecks to the traffic itself. A host-based intrusion detection system (HIDS) runs on an individual host and monitors that host only: its logs, file integrity, running processes, and the traffic it sends and receives.

When it comes to the detection method used, both HIDS and NIDS can take either a signature-based or anomaly-based approach. Some IDS products are even able to combine both detection methods for a more comprehensive approach.

Signature vs. anomaly-based intrusion detection systems

Signature-based and anomaly-based are the two main methods of detecting threats that intrusion detection systems use to alert network administrators of signs of a threat.

Signature-based detection is best suited to identifying known threats. It operates from a pre-programmed list of known threats and their indicators of compromise (IOCs): file hashes, malicious domains, known byte sequences in packet payloads, email subject lines, or a specific behavior that typically precedes an attack. As a signature-based IDS monitors packets traversing the network, it compares them with the database of attack signatures and IOCs and flags any match.

Anomaly-based intrusion detection, on the other hand, can alert you to suspicious behavior that has never been seen before. Instead of searching for known threats, it first learns a baseline of normal behavior, by statistical profiling or machine learning, and then compares all subsequent activity with that baseline. Rather than matching known IOCs, an anomaly-based IDS raises an alert on anything sufficiently out of the ordinary.

With an anomaly-based IDS, anything that does not align with the existing normalized baseline—such as a user trying to log in outside of standard business hours, new devices being added to a network without authorization, or a flood of new IP addresses trying to establish a connection with a network—will raise a potential flag for concern. The disadvantage here is that many non-malicious behaviors will get flagged simply for being atypical. The increased likelihood for false positives with anomaly-based intrusion detection can require additional time and resources to investigate all the alerts to potential threats.

This same property is what lets anomaly-based detection catch novel attacks, including exploitation of previously unknown (zero-day) vulnerabilities, which signature-based detection cannot, because signatures only describe threats that have already been seen. Signature-based detection, in turn, is fast and produces few false positives for the attacks it knows. The two methods have complementary strengths and weaknesses and are best used in tandem.
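To make the trade-off concrete, here is an added example, not from this page or any vendor product, that runs the three detection styles discussed on this page (signature matching, the expert-written rules of answer 4's rule-based detection and answer 6's penetration identification, and statistical anomaly detection on a per-user profile built from the counter and interval-timer metrics of answer 5) over one constructed audit log. The IOC lists, thresholds, user baselines and log records are all assumptions made for illustration.

```python
"""Signature-based, rule-based and statistical-anomaly detection side by side.

Added example, not taken from the page or any product. The log, IOC lists,
thresholds and baselines are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Known IOCs (constructed): one malicious domain and one file hash.
IOC_DOMAINS = {"updates.evil-cdn.example"}
IOC_HASHES = {"deadbeef" * 8}

# Historical login hours per user (constructed) for the statistical baseline.
BASELINE = {
    "alice": [9, 9, 10, 8, 9, 10],
    "bob": [11, 12, 11, 10, 11, 12],
    "carol": [9, 10, 9, 11, 10, 9, 10, 9],
    "dave": [9, 9, 10, 10, 9],
}

# Constructed audit records: (time, user, src_ip, event, detail).
LOG = [
    ("2024-03-04T09:01:00", "alice", "10.0.0.5", "login_ok", ""),
    ("2024-03-04T09:02:10", "alice", "10.0.0.5", "dns", "intranet.example"),
    ("2024-03-04T11:15:00", "bob", "10.0.0.7", "login_ok", ""),
    ("2024-03-04T11:16:00", "bob", "10.0.0.7", "download", "sha256=" + "deadbeef" * 8),
    ("2024-03-04T13:00:00", "bob", "10.0.0.7", "dns", "updates.evil-cdn.example"),
    ("2024-03-04T23:40:00", "carol", "10.0.0.9", "login_ok", ""),  # on-call admin
] + [
    ("2024-03-05T03:00:%02d" % (5 * i), "dave", "203.0.113.8", "login_fail", "")
    for i in range(6)
] + [
    ("2024-03-05T03:00:40", "dave", "203.0.113.8", "login_ok", ""),  # guessed password
]


def parse(rec):
    t, user, ip, event, detail = rec
    return datetime.fromisoformat(t), user, ip, event, detail


def signature_alerts(log):
    """Signature-based: match each record against the IOC lists.
    Fast and precise, but blind to anything not already on the list."""
    alerts = []
    for t, user, ip, event, detail in map(parse, log):
        if event == "dns" and detail in IOC_DOMAINS:
            alerts.append((t, user, "known malicious domain " + detail))
        elif event == "download" and detail.split("=", 1)[-1] in IOC_HASHES:
            alerts.append((t, user, "known malicious file hash"))
    return alerts


def rule_alerts(log, max_failures=5, window=timedelta(seconds=60)):
    """Rule-based penetration identification: an expert-written rule built from
    a counter (failed logins per source) and an interval timer (the window)."""
    alerts = []
    recent = defaultdict(list)
    for t, user, ip, event, detail in map(parse, log):
        if event != "login_fail":
            continue
        recent[ip] = [x for x in recent[ip] if t - x <= window] + [t]
        if len(recent[ip]) == max_failures + 1:  # fire once when the limit is passed
            alerts.append((t, ip, f"{len(recent[ip])} failed logins within {window.seconds}s"))
    return alerts


def anomaly_alerts(log, baseline=BASELINE, threshold=3.0):
    """Statistical anomaly detection: flag a successful login whose hour of day
    lies more than `threshold` standard deviations from that user's history."""
    alerts = []
    for t, user, ip, event, detail in map(parse, log):
        if event != "login_ok" or user not in baseline:
            continue
        mean, sd = statistics.mean(baseline[user]), statistics.pstdev(baseline[user])
        hour = t.hour + t.minute / 60
        z = abs(hour - mean) / sd if sd else float("inf")
        if z > threshold:
            alerts.append((t, user, f"login at {t:%H:%M} is {z:.1f} sd from usual {mean:.1f}h"))
    return alerts


if __name__ == "__main__":
    detectors = [("signature", signature_alerts), ("rule", rule_alerts), ("anomaly", anomaly_alerts)]
    for name, fn in detectors:
        for when, who, why in fn(LOG):
            print(f"[{name}] {when:%Y-%m-%d %H:%M} {who}: {why}")
```

Reading the output against the log shows the complementarity described above: the signature detector catches bob's known-bad download and DNS lookup and nothing else; the failed-login rule catches the guessing attack on dave's account from 203.0.113.8; the statistical profile catches dave's resulting 03:00 login with no signature or rule for it at all, but also flags carol's legitimate late-night login, the false positive an analyst then has to spend time clearing.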

An all-in-one solution to help protect from all angles

As you look for an intrusion detection system that suits your needs, it’s important to remember the benefits of both signature-based detection and anomaly-based detection (or behavioral detection) for the most effective threat protection.

Similarly, intrusion detection should be only one part of your overall security program, which should also include remote monitoring, antivirus, patch management, and ransomware protection. IDS is one component of a wider MSP security strategy and should not be relied on as a standalone product.

For complete MSP security, it’s crucial that you also implement security measures such as endpoint detection and response. As an all-in-one system, SolarWinds® N-central® can help you protect your customers. SolarWinds also offers a range of other MSP security tools, including mail protection and archiving, backup and recovery, and password management.

SolarWinds N-central is an all-in-one tool with security built in that offers a powerful suite of capabilities built to empower your MSP. N-central features the award-winning Bitdefender engine, which provides antivirus and antimalware capabilities, in addition to content filtering, flexible application and user controls, configurable two-way firewalls, and advanced ransomware protection. N-central includes Security Manager, which offers signature-based, rule-based, and behavioral scans, alongside proactive notifications that keep you informed of threats in near real time.

N-central also offers a range of other important security features, including endpoint detection and response with offline protection and machine learning capabilities, remote monitoring, patch management, automation management, backup and recovery, remote access, and mobile management. In addition to helping to improve security, the N-central comprehensive dashboard can help you maximize technician efficiency, customer retention, and service margins. A 30-day free trial is available for MSPs that want to learn more.