A. An electronic signature used to authenticate the identity of a user on the network
B. Attack-definition file
C. It refers to “normal,” baseline network behavior
D. It is used to authorize the users on a network
Explanation: IDSes work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. Nemean is a popular signature generation method for conventional computer networks.
A. Rules are easy to define
B. Custom protocols can be easily analyzed
C. The engine can scale as the rule set grows
D. Malicious activity that falls within normal usage patterns is detected
Explanation: Once a protocol has been modeled and its expected behavior defined, the engine can scale more quickly and easily than the signature-based model, because a new signature does not have to be created for every attack and every potential variant of it.
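As an added example (not from the original quiz or from any product it mentions), the following Python models the point in the explanation above: a protocol-analysis engine checks traffic against a defined behavior for the protocol, so one model catches several variants of the same attack without a per-variant signature. The HTTP behavior model, its limits and the sample requests are all constructed for illustration and are hypothetical.

```python
"""Protocol-behaviour checking: one behaviour model flags many attack variants.

Added example (not from the page). The HTTP model, its limits and the
sample requests below are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpBehaviour:
    """Hypothetical 'defined behaviour' for a minimal HTTP/1.x request."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    allowed_versions: frozenset = frozenset({"HTTP/1.0", "HTTP/1.1"})
    max_uri_len: int = 256
    max_header_len: int = 512


def parse_request(raw: bytes):
    """Return (method, uri, version, headers) or None if the request is malformed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, uri, version = lines[0].decode("ascii").split(" ")
    except (ValueError, UnicodeDecodeError):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def check_request(raw: bytes, model: HttpBehaviour = HttpBehaviour()) -> list:
    """Return the list of behaviour violations; an empty list means the request conforms."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line or header"]
    method, uri, version, headers = parsed
    violations = []
    if method not in model.allowed_methods:
        violations.append(f"method {method!r} not in protocol model")
    if version not in model.allowed_versions:
        violations.append(f"version {version!r} not in protocol model")
    if len(uri) > model.max_uri_len:
        violations.append(f"uri length {len(uri)} exceeds {model.max_uri_len}")
    for name, value in headers.items():
        if len(value) > model.max_header_len:
            violations.append(f"header {name!r} length {len(value)} exceeds {model.max_header_len}")
        if any(b < 0x20 and b != 0x09 for b in value):   # control bytes other than TAB
            violations.append(f"control bytes in header {name!r}")
    return violations


# Constructed sample traffic: one benign request and three variants of an
# over-long-URI attack that differ only in their filler bytes. A signature
# written for the 'AAAA' variant would miss the other two; the behaviour
# model flags all three with the same rule.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
VARIANTS = [
    b"GET /" + b"A" * 300 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET /" + b"B" * 300 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET /" + b"%41" * 100 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
]


def variants_flagged(model: HttpBehaviour = HttpBehaviour()) -> int:
    """Count how many constructed variants the single behaviour model catches."""
    return sum(1 for v in VARIANTS if check_request(v, model))


if __name__ == "__main__":
    print("benign:", check_request(BENIGN))
    for v in VARIANTS:
        print(v[:12], "->", check_request(v))
    print(f"{variants_flagged()}/{len(VARIANTS)} variants flagged with no per-variant signature")
```

Adding a new protocol means writing a new model like `HttpBehaviour` once; adding a new attack variant against an already modeled protocol usually needs no change at all, which is the scaling advantage the explanation refers to.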
A. An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior
B. An alert that indicates nefarious activity on a system that is not running on the network
C. The lack of an alert for nefarious activity
D. Both an alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior and an alert that indicates nefarious activity on a system that is not running on the network
Explanation: A false positive is any alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior.
A. Inside the firewall
B. Outside the firewall
C. Both inside and outside the firewall
D. Neither inside the firewall nor outside the firewall.
Explanation: There are legitimate political, budgetary and research reasons to want to see all the “attacks” against your connection, but given the care and feeding any IDS requires, do yourself a favor and keep your NIDS sensors on the inside of the firewall.
A. To flag attacks against known vulnerabilities
B. To help reduce false positives in a signature-based ids
C. To randomly check suspicious traffic identified by an anomaly detection system
D. To enhance the accuracy of a traditional honeypot
Explanation: “Shadow honeypots,” as researchers call them, are instrumented copies that share all the characteristics of the protected applications on both the server and client side of a network and operate in conjunction with an anomaly detection system (ADS): traffic the ADS flags as suspicious is diverted to the shadow, and an alert is raised only if the shadow confirms an attack, which reduces the ADS's false positives.
A. Application layer and network layer
B. Network layer and session layer
C. Transport layer and application layer
D. Transport layer and network layer
Explanation: Most commercial IDSes generate signatures at the network and transport layers and match traffic against them to detect malicious operations. Nemean, by contrast, generates signatures at the session and application layers.
A. Inspection of password files to detect inadvisable passwords
B. Mechanisms put in place to reenact known methods of attack and record system responses
C. Inspection of system to detect policy violations
D. Inspection of configuration files to detect inadvisable settings
Explanation: Such components are mechanisms put in place to reenact known methods of attack and to record the system's responses. Passive components, by contrast, are designed only to record the system's responses in case of an intrusion.
A. Application layer and transport layer
B. Network layer and application layer
C. Session layer and transport layer
D. Application layer and session layer
Explanation: Nemean automatically generates “semantics-aware” signatures from traffic at the session and application layers; traffic is then matched against these signatures to detect malicious operations.
A. Crossover error rate
B. False negative rate
C. False positive rate
D. Bit error rate
Explanation: Because a system's sensitivity setting makes its false positive and false negative rates vary, a common measure that can be applied across systems is needed. The crossover error rate is the point at which the false positive rate equals the false negative rate; a lower crossover error rate indicates a more accurate system.
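As an added example (not from the original quiz), the following Python shows how the sensitivity setting of a sensor moves its false positive and false negative rates in opposite directions, and how the crossover error rate is found by sweeping the alert threshold until the two rates meet. The alert scores are constructed: each is the suspiciousness a hypothetical sensor assigned to one event whose true nature is known.

```python
"""Crossover error rate (CER) for an IDS with a tunable alert threshold.

Added example (not from the page). The alert scores below are constructed:
each is the 'suspiciousness' a hypothetical sensor assigned to one event.
"""

# Constructed scores: 10 events known to be benign, 10 known to be malicious.
BENIGN_SCORES = [0.05, 0.10, 0.12, 0.20, 0.25, 0.30, 0.35, 0.45, 0.55, 0.70]
MALICIOUS_SCORES = [0.40, 0.50, 0.60, 0.65, 0.72, 0.80, 0.85, 0.90, 0.95, 0.98]


def error_rates(threshold, benign, malicious):
    """False positive rate and false negative rate when alerting on score >= threshold."""
    fp = sum(1 for s in benign if s >= threshold)     # benign events that alert
    fn = sum(1 for s in malicious if s < threshold)   # attacks that stay silent
    return fp / len(benign), fn / len(malicious)


def crossover_error_rate(benign, malicious, steps=100):
    """Sweep the threshold and return (threshold, CER) where FPR and FNR are closest.

    The CER is the common error rate at that point. A lower CER means the
    sensor separates benign from malicious events better, independent of the
    sensitivity setting an operator finally chooses, which is what makes it
    comparable across systems.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        fpr, fnr = error_rates(t, benign, malicious)
        gap = abs(fpr - fnr)
        if best is None or gap < best[0]:
            best = (gap, t, (fpr + fnr) / 2)
    _, threshold, cer = best
    return threshold, cer


def sensitivity_table(benign, malicious, thresholds=(0.3, 0.5, 0.7)):
    """Show how raising the threshold trades false positives for false negatives."""
    return {t: error_rates(t, benign, malicious) for t in thresholds}


if __name__ == "__main__":
    for t, (fpr, fnr) in sensitivity_table(BENIGN_SCORES, MALICIOUS_SCORES).items():
        print(f"threshold {t:.2f}: FPR={fpr:.2f} FNR={fnr:.2f}")
    t, cer = crossover_error_rate(BENIGN_SCORES, MALICIOUS_SCORES)
    print(f"crossover at threshold {t:.2f}, CER={cer:.2f}")
```

On the constructed scores a low threshold (0.3) alerts on half the benign events and misses nothing, a high one (0.7) misses 40% of the attacks, and the two rates meet at 20% around a threshold of 0.51; that 20% is the sensor's CER and is the figure to compare against another sensor's.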
A. They alert administrators to deviations from “normal” traffic behavior
B. They identify previously unknown attacks
C. The technology is mature and reliable enough to use on production networks
D. They scan network traffic or packets to identify matches with attack-definition files
Explanation: They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. They then scan network traffic for packets that match the signatures, and then raise alerts to security administrators.
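As an added example (not from the original quiz or from any IDS product), the following Python implements the signature-based model described in this explanation and in the first one on the page: attack-definition files are loaded as signatures, each packet's payload is scanned for a match, and an alert is raised per matching signature. The rule format, signature IDs, patterns and packets are all constructed for illustration and do not correspond to any real vendor's definition file. The sample also shows the two failure modes the other questions cover: a trivially altered variant that no signature matches (a false negative) and a legitimate request that happens to contain a signature pattern (a false positive).

```python
"""Signature-based detection: scan packet payloads against an attack-definition file.

Added example (not from the page). The rule format, signature IDs, patterns
and packets are constructed for illustration; they are not a real vendor's
definition file.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str
    dport: Optional[int]      # None means any destination port
    pattern: re.Pattern       # compiled bytes regex applied to the payload


# Constructed attack-definition file: sid|name|proto|dport|regex, one rule per line.
DEFINITIONS = r"""
# sid|name|proto|dport|regex
1000001|Over-long HTTP URI, 'A' filler|tcp|80|GET /A{200,}
1000002|Shell metacharacter in CGI query|tcp|80|/cgi-bin/[^ ]*\?[^ ]*[;|`]
1000003|Unix password file reference|tcp|any|/etc/passwd
"""


def load_signatures(text: str) -> list:
    """Parse the definition file into Signature objects, skipping comments and blanks."""
    sigs = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        sid, name, proto, dport, pattern = line.split("|", 4)
        sigs.append(Signature(int(sid), name, proto,
                              None if dport == "any" else int(dport),
                              re.compile(pattern.encode("latin-1"))))
    return sigs


def scan(packets, signatures) -> list:
    """Return (packet id, sid, name) for every signature that matches a packet."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if sig.proto != pkt["proto"]:
                continue
            if sig.dport is not None and sig.dport != pkt["dport"]:
                continue
            if sig.pattern.search(pkt["payload"]):
                alerts.append((pkt["id"], sig.sid, sig.name))
    return alerts


# Constructed packets (already-parsed headers plus the raw payload).
PACKETS = [
    {"id": "p1", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"id": "p2", "proto": "tcp", "dport": 80,
     "payload": b"GET /" + b"A" * 250 + b" HTTP/1.1\r\n\r\n"},
    {"id": "p3", "proto": "tcp", "dport": 80,                      # same attack, new filler
     "payload": b"GET /" + b"B" * 250 + b" HTTP/1.1\r\n\r\n"},
    {"id": "p4", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/finger.cgi?user=root;id HTTP/1.0\r\n\r\n"},
    {"id": "p5", "proto": "tcp", "dport": 80,                      # legitimate documentation fetch
     "payload": b"GET /docs/linux/etc/passwd-format.html HTTP/1.1\r\n\r\n"},
]


def alerted_packets(packets=PACKETS, text=DEFINITIONS) -> dict:
    """Map packet id -> set of matching sids; packets with no match are absent."""
    result = {}
    for pid, sid, _ in scan(packets, load_signatures(text)):
        result.setdefault(pid, set()).add(sid)
    return result


if __name__ == "__main__":
    for pid, sid, name in scan(PACKETS, load_signatures(DEFINITIONS)):
        print(f"ALERT {pid}: sid {sid} {name}")
```

Packet p2 matches sid 1000001, p4 matches sid 1000002 and p5 matches sid 1000003; p3 carries the same over-long-URI attack as p2 but with a different filler byte and raises no alert, so a new signature would have to be added for it, while p5 is legitimate traffic that alerts only because its path contains the string the third rule looks for.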