Engineering Questions with Answers - Multiple Choice Questions
MCQs on Intrusion Detection Systems
Which of the following is an advantage of anomaly detection?
a) Rules are easy to define
b) Custom protocols can be easily analyzed
c) The engine can scale as the rule set grows
d) Malicious activity that falls within normal usage patterns is detected
Explanation: Once a protocol has been built and a behavior defined, the engine can scale more quickly and easily than the signature-based model because a new signature does not have to be created for every attack and potential variant.
A false positive can be defined as ________
a) An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior
b) An alert that indicates nefarious activity on a system that is not running on the network
c) The lack of an alert for nefarious activity
d) Both An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior and An alert that indicates nefarious activity on a system that is not running on the network
Explanation: A false positive is any alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior.
One of the most obvious places to put an IDS sensor is near the firewall. Where exactly in relation to the firewall is the most productive placement?
a) Inside the firewall
b) Outside the firewall
c) Both inside and outside the firewall
d) Neither inside the firewall nor outside the firewall.
Explanation: There are legitimate political, budgetary and research reasons to want to see all the “attacks” against your connection, but given the care and feeding any IDS requires, do yourself a favor and keep your NIDS sensors on the inside of the firewall.
What is the purpose of a shadow honeypot?
a) To flag attacks against known vulnerabilities
b) To help reduce false positives in a signature-based IDS
c) To randomly check suspicious traffic identified by an anomaly detection system
d) To enhance the accuracy of a traditional honeypot
Explanation: “Shadow honeypots,” as researchers call them, share all the same characteristics of protected applications running on both the server and client side of a network and operate in conjunction with an ADS.
At which two traffic layers do most commercial IDSes generate signatures?
a) Application layer and Network layer
b) Network layer and Session Layer
c) Transport layer and Application layer
d) Transport layer and Network layer
Explanation: Most commercial IDSes generate signatures at the network and transport layers. These signatures are used to ensure that no malicious operation is contained in the traffic. Nemean generates signature at application and session layer.
IDS follows a two-step process consisting of a passive component and an active component. Which of the following is part of the active component?
a) Inspection of password files to detect inadvisable passwords
b) Mechanisms put in place to reenact known methods of attack and record system responses
c) Inspection of system to detect policy violations
d) Inspection of configuration files to detect inadvisable settings
Explanation: Secondary components of mechanism are set in place to reenact known methods of attack and to record system responses. In passive components, the system I designed just to record the system’s responses in case of an intrusion.
When discussing IDS/IPS, what is a signature?
a) An electronic signature used to authenticate the identity of a user on the network
b) Attack-definition file
c) It refers to “normal,” baseline network behavior
d) It is used to authorize the users on a network
Explanation: IDSes work in a manner similar to modern antivirus technology. They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. Nemean is a popular signature generation method for conventional computer networks.
“Semantics-aware” signatures automatically generated by Nemean are based on traffic at which two layers?
a) Application layer and Transport layer
b) Network layer and Application layer
c) Session layer and Transport layer
d) Application layer and Session layer
Explanation: Nemean automatically generates “semantics-aware” signatures based on traffic at the session and application layers. These signatures are used to ensure that no malicious operation is contained in the traffic.
Which of the following is used to provide a baseline measure for comparison of IDSes?
a) Crossover error rate
b) False negative rate
c) False positive rate
d) Bit error rate
Explanation: As the sensitivity of systems may cause the false positive/negative rates to vary, it’s critical to have some common measure that may be applied across the board.
Which of the following is true of signature-based IDSes?
a) They alert administrators to deviations from “normal” traffic behavior
b) They identify previously unknown attacks
c) The technology is mature and reliable enough to use on production networks
d) They scan network traffic or packets to identify matches with attack-definition files
Explanation: They are constantly updated with attack-definition files (signatures) that describe each type of known malicious activity. They then scan network traffic for packets that match the signatures, and then raise alerts to security administrators.