Computer Security Ch 8 - Exam III

The flashcards below were created by user mjweston on FreezingBlue Flashcards.

  1. masquerader
    clandestine user
    three classes of intruders
  2. intruder (hacker or cracker) and malware
    two most publicized threats to security
  3. masquerader
    an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account - likely an outsider
  4. misfeasor
    a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges - generally an insider
  5. clandestine user
    an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection - insider or outsider
  6. hackers - motivated by thrill
    criminal enterprise - for money
    insider attacks - motivated by revenge -difficult to detect
    three intruder behavior patterns
  7. security intrusion
    a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so
  8. intrusion detection
    a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
  9. Intrusion Detection System
  10. Intrusion Prevention System
  11. Computer Emergency Response Team
  12. host-based IDS
    monitors the characteristics of a single host and the events occurring within that host for suspicious activity - can detect both external and internal intrusions
  13. network-based IDS
    monitors network traffic for particular network segments or devices and analyzes network, transport, and appliction protocols to identify suspicious activity - real-time or near real-time
  14. host-based IDS
    network-based IDS
    two types/classifications of IDSs
  15. sensors - collect data
    analyzers - receive input from sensors
    user interface - enables user to view output/control behavior of the system
    three logical components that an IDS is comprised of
  16. false positives
    a loose intrepretation of intruder behavior which will catch more intruders - authorized users identified as intruders
  17. false negatives - most dangerous b/c there is an incident, but no alarm
    a tight interpretation of intruder behavior leads to intruders not identified as intruders
  18. misfeasor
    a legitimate user performing in an unauthorized fashion
  19. anomaly detection - define "normal" or expected behavior (effective against masqueraders)
    signature detection - define proper behavior (effective against misfeasors)
    two general approaches to host-based IDS
  20. threshold detection - defining thresholds, independent of user for the frequency of occurrence of various events

    profile based - detect changes in the behavior of individual accounts
    two approaches to statistical anomaly detection
  21. native audit records
    detection-specific audit records
    two types of audit plans
  22. rule-based anomaly detection
    historical audit records are analyzed to identify usage patterns and to generate automaticallly rules that describe those patterns
  23. rule-based penetration identification
    the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses - identifying suspicious behavior even if it's within the bounds of established patterns of usage
  24. base-rate fallacy
    the actual numbers of intrusions is low compared to the number of legitimate uses of a system, causing the false alarm rate to be high unless the test is extremely discriminating - the difficulty of meeting the standard of high rate of detections with a low rate of false alarms
  25. distributed host-based intrusion detection
    coordination and cooperation among IDSs across the network - rather than stand-alone IDSs on each host
  26. inline sensor
    a network sensor inserted into a network segment so that the traffic that it is monitoring must pass through the sensor - block an attack when one is detected (detection & prevention)
  27. passive sensors (more efficient than inline as it doesn't interfere)
    a network sensor that monitors a copy of network traffic; the actual traffic does not pass through the device
  28. distributed adaptive intrusion detection (ie: autonomic enterprise security)
    cooperated systems that can recognize attacks based on subtle clues and then adapt quickly - using each end host and each network device as potential sensors
  29. security policy
    the predefined, formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements
  30. honeypot
    decoy systems that are designed to lure a potential attacker away from critical systems - to: divert an attacker, collect info about the attacker, & encourage the attacker to stay long enough for admin to respond
Card Set:
Computer Security Ch 8 - Exam III
2013-11-21 12:16:06
Intrusion Detection

Intrusion Detection
Show Answers: