CRJ 322 Intrusion Detection Exam Review

This document provides a review for the final exam in CRJ322 Intrusion Detection taught by Professor M. Nazrul Islam at Farmingdale State University. The review covers the topics of IDS/IPS architecture, intrusion analysis, incident response, and strengthening defense. It outlines the key concepts to be assessed in each topic area and provides an exam schedule with details.

Uploaded by Ron Kempski. License: Attribution Non-Commercial (BY-NC).

CRJ 322

Intrusion Detection
Fall 2010

M. Nazrul Islam
Department of Criminal Justice and Security Systems
Farmingdale State University of New York
Review for Final Exam

CRJ322: M N Islam, Fall 2010 2


Topics
• IDS/IPS architecture
• Intrusion analysis
• Incident response
• Strengthening defense


IDS/IPS Architecture
• Architecture basics
◦ Definition
◦ Requirements
• Tiered architecture
◦ Definition
◦ Types
• Single-tiered architecture
◦ Definition
◦ Features


IDS/IPS Architecture
• Multi-tiered architecture
◦ Components
◦ Sensors
▪ Functions
▪ Network- and host-based sensors
▪ Deployment
◦ Agents
▪ Functions
▪ Features
▪ Deployment
◦ Manager
▪ Functions
▪ Deployment
◦ Features

IDS/IPS Architecture
• Peer-to-peer architecture
◦ Structure
◦ Features


Intrusion Analysis
• Intrusion instances
• Intrusion events
• Information sources for intrusion analysis
• Intrusion detection principle
• Intrusion detection rules
◦ Signature-based
◦ Anomaly-based
◦ Integrity checker
• Anomaly detection
◦ Principle
◦ Statistical models
◦ Categories

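The anomaly-detection principle and statistical models listed above reduce, in the simplest case, to profiling normal traffic and flagging any observation that deviates from the profile by more than a chosen number of standard deviations. The following is an added example written for this review, not code from the course slides: it builds a mean/standard-deviation profile from a constructed baseline of HTTP connections per minute, scores a constructed observation window with z-scores, and shows how the threshold trades false alarms against missed events. The function names (build_profile, z_score, detect_anomalies), the threshold, and the sample counts are assumptions for illustration.

```python
"""Statistical anomaly detection over per-interval event counts.

Added example for the CRJ322 review; the counts below are constructed,
not captured traffic.
"""
from statistics import mean, pstdev

# Constructed baseline: HTTP connections per minute from one host during a
# quiet training period (assumption: this traffic contains no intrusion).
BASELINE = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

# Constructed observation window to score against the baseline.
OBSERVED = [14, 13, 15, 90, 12, 14]


def build_profile(samples):
    """Return (mean, population std-dev) of the training samples: the 'normal' profile."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate deviation")
    return mean(samples), pstdev(samples)


def z_score(value, profile):
    """Number of standard deviations `value` lies from the profile mean."""
    mu, sigma = profile
    if sigma == 0:
        # A flat baseline makes any change look infinite: treat an exact
        # match as normal and anything else as maximally anomalous.
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect_anomalies(observed, profile, threshold=3.0):
    """Flag intervals whose |z-score| exceeds `threshold`.

    Returns a list of (index, value, z) tuples in observation order.
    """
    flagged = []
    for i, v in enumerate(observed):
        z = z_score(v, profile)
        if abs(z) > threshold:
            flagged.append((i, v, round(z, 2)))
    return flagged


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print(f"profile: mean={profile[0]:.2f} sigma={profile[1]:.2f}")
    for idx, value, z in detect_anomalies(OBSERVED, profile):
        print(f"minute {idx}: {value} connections, z={z}")
```

With the default threshold of three standard deviations only the 90-connection minute is flagged; lowering the threshold to one standard deviation also flags the 15-connection minute, which is ordinary variation within the baseline. That is the false-alarm trade-off behind the "filtering alerts" and "disabling signatures" points under Incident Response. A flat baseline (sigma of zero) is handled explicitly, because otherwise the division fails and the detector would crash on a very regular host.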
Intrusion Analysis
• Signature-based detection
◦ Principle
◦ Types
▪ Normal traffic signature
▪ Well-known attack signature
◦ Signature analysis
▪ Header analysis
▪ Payload analysis
◦ Attacks
▪ Single-packet
▪ Multiple-packet


Intrusion Analysis
• Capturing packets
◦ Packet sniffers
◦ Packet analysis
• Normal traffic analysis
◦ Packet features
◦ Signatures: ping, FTP, Web
• Suspicious traffic signature
◦ Categories
▪ Informational
▪ Reconnaissance
▪ Unauthorized access
▪ Denial of service

Intrusion Analysis
• Suspicious traffic signature
◦ Ping sweeps
◦ Port scans
◦ Random back door scan
◦ Trojan scans
◦ Nmap scan
• Intrusion detection
◦ Packet header discrepancies
◦ Advanced attacks
◦ Remote procedure call (RPC) abuses
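Ping sweeps and port scans are reconnaissance signatures defined by counting rather than by payload: one source sending ICMP echo requests to many hosts, or one source touching many ports on one host, within a short time. The following is an added example written for this review, not from the slides or from any IDS product: a sliding-window distinct-count over constructed packet summaries (timestamp, protocol, source, destination, destination port) that raises both alerts. The function names, the thresholds (four hosts, five ports, a ten-second window) and the packet data are assumptions chosen for illustration.

```python
"""Reconnaissance signatures: ping sweeps and port scans from packet summaries.

Added example for the CRJ322 review; all packet records are constructed.
"""
from collections import defaultdict

# Constructed packet summaries: (timestamp_s, proto, src, dst, dst_port).
# ICMP echo requests carry no port, so dst_port is None for them.
PACKETS = [
    (0.0, "icmp", "10.0.0.5", "192.168.1.1", None),   # sweep: 5 hosts in 0.4 s
    (0.1, "icmp", "10.0.0.5", "192.168.1.2", None),
    (0.2, "icmp", "10.0.0.5", "192.168.1.3", None),
    (0.3, "icmp", "10.0.0.5", "192.168.1.4", None),
    (0.4, "icmp", "10.0.0.5", "192.168.1.5", None),
    (5.0, "tcp", "10.0.0.5", "192.168.1.3", 21),      # scan: 6 ports in 0.5 s
    (5.1, "tcp", "10.0.0.5", "192.168.1.3", 22),
    (5.2, "tcp", "10.0.0.5", "192.168.1.3", 23),
    (5.3, "tcp", "10.0.0.5", "192.168.1.3", 25),
    (5.4, "tcp", "10.0.0.5", "192.168.1.3", 80),
    (5.5, "tcp", "10.0.0.5", "192.168.1.3", 443),
    (60.0, "tcp", "10.0.0.9", "192.168.1.3", 80),     # ordinary web client
    (61.0, "icmp", "10.0.0.9", "192.168.1.3", None),  # single ping, benign
]


def max_distinct_in_window(events, window):
    """events: iterable of (timestamp, key). Return the largest number of
    distinct keys seen within any span of `window` seconds (sliding window)."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({key for _, key in events[start:end + 1]}))
    return best


def detect_recon(packets, window=10.0, sweep_hosts=4, scan_ports=5):
    """Return alerts as (kind, src, dst_or_None, count).

    ping_sweep: one source echo-requests >= sweep_hosts distinct hosts within window.
    port_scan:  one source touches >= scan_ports distinct ports on one host within window.
    """
    icmp_by_src = defaultdict(list)     # src -> [(ts, dst_host)]
    ports_by_pair = defaultdict(list)   # (src, dst) -> [(ts, dst_port)]
    for ts, proto, src, dst, dport in packets:
        if proto == "icmp":
            icmp_by_src[src].append((ts, dst))
        elif proto in ("tcp", "udp"):
            ports_by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for src, events in icmp_by_src.items():
        n = max_distinct_in_window(events, window)
        if n >= sweep_hosts:
            alerts.append(("ping_sweep", src, None, n))
    for (src, dst), events in ports_by_pair.items():
        n = max_distinct_in_window(events, window)
        if n >= scan_ports:
            alerts.append(("port_scan", src, dst, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(PACKETS):
        print(alert)
```

Both detectors depend on the window: the same packets spread over minutes (a "slow" scan) fall below the distinct-count threshold and produce no alert, which is why these signatures are tuned against the window and thresholds rather than fixed once.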


Incident Response
• IDS rules
◦ Actions
◦ Options
• Security incident response team (SIRT)
◦ Goals
◦ Responsibilities
◦ Team members
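The signature analysis of the Intrusion Analysis slides (header analysis and payload analysis) and the IDS rules of this slide (actions and options) meet in a Snort-style rule: a header part giving the action, protocol, addresses and ports, and an option part giving the message, payload content and signature ID. The following is an added example written for this review, not Snort's code and not the course's: it parses a few constructed rules, resolves a constructed $HOME_NET variable, and matches them against constructed packets on header fields (addresses, ports, TCP flags) and on payload content. Only this small subset of the rule language is supported, and rules are evaluated in listed order with the first match winning, which is a simplification of Snort's configurable action ordering.

```python
"""Minimal Snort-style rule matcher: header analysis (addresses, ports, TCP
flags) plus payload analysis (content), with rule actions and options.

Added example for the CRJ322 review. Rules, packets and $HOME_NET are
constructed; first listed match wins (assumption, not Snort's real ordering).
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$")

VARS = {"$HOME_NET": {"192.168.1.10", "192.168.1.20"}}  # constructed


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)    # msg, sid, flags, ...
    contents: list = field(default_factory=list)   # [[bytes, nocase], ...]


def split_options(text):
    """Split 'msg:"a;b"; content:"x"; nocase;' on ';' outside quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")})
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if key == "content":
            rule.contents.append([value.encode(), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True   # modifier applies to the preceding content
        else:
            rule.options[key] = value
    return rule


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec in VARS:
        return addr in VARS[spec]
    return spec == addr


def port_matches(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule, pkt):
    # Header analysis: protocol, addresses, ports, TCP flags.
    if rule.proto != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])):
        return False
    if not (port_matches(rule.sport, pkt.get("sport")) and port_matches(rule.dport, pkt.get("dport"))):
        return False
    if "flags" in rule.options and rule.options["flags"] != pkt.get("flags", ""):
        return False
    # Payload analysis: every content option must appear in the payload.
    payload = pkt.get("payload", b"")
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Return (action, sid, msg) for the first rule matching each packet;
    a matching 'pass' rule suppresses the packet entirely."""
    results = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                if rule.action != "pass":
                    results.append((rule.action, rule.options.get("sid"), rule.options.get("msg")))
                break
    return results


RULES = [parse_rule(r) for r in """
pass tcp 192.168.1.5 any -> $HOME_NET 80 (msg:"Authorized scanner, ignore"; sid:1000000;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP USER root"; content:"USER root"; sid:1000002;)
alert tcp any any -> $HOME_NET any (msg:"SYN to protected host"; flags:S; sid:1000003;)
""".strip().splitlines()]

PACKETS = [  # constructed
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40001, "dst": "192.168.1.10", "dport": 80,
     "flags": "PA", "payload": b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40002, "dst": "192.168.1.10", "dport": 21,
     "flags": "PA", "payload": b"USER root\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40003, "dst": "192.168.1.20", "dport": 22,
     "flags": "S", "payload": b""},
    {"proto": "tcp", "src": "192.168.1.5", "sport": 40004, "dst": "192.168.1.10", "dport": 80,
     "flags": "PA", "payload": b"GET /cmd.exe HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40005, "dst": "192.168.1.10", "dport": 80,
     "flags": "PA", "payload": b"GET /index.html HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for hit in run_rules(RULES, PACKETS):
        print(hit)
```

The first three packets trigger the three alert rules; the fourth carries the same cmd.exe payload but comes from the host named in the pass rule, so it is suppressed (the "filtering alerts" mechanism of a later slide); the fifth matches no header/payload combination and is silent. Because nocase is a modifier of the preceding content option, "CMD.EXE" in the first packet still matches.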


Incident Response
• Incident response process
◦ Preparation
◦ Notification
◦ Response
◦ Countermeasures
◦ Recovery
◦ Follow-up


Incident Response
• False alarms
◦ Filtering alerts
◦ Disabling signatures
• Legitimate security alerts
◦ Assessment of the impact
◦ Development of an action plan
◦ Internal incidents
◦ Working under pressure


Strengthening Defense
• Strengthening control: security event management
◦ Network devices
◦ Monitoring events
◦ Managing data from multiple sensors
◦ Evaluating IDS signatures
◦ Managing change


Strengthening Defense
• Strengthening analysis: security auditing
◦ Operational auditing
◦ Independent auditing
• Strengthening detection: managing IDS
◦ Maintaining a current system
◦ Changing/adding software
◦ Changing/adding hardware

Strengthening Defense
• Strengthening defense: improving defense-in-depth
◦ Active defense-in-depth
◦ Adding security layers
• Strengthening performance: keeping pace with network needs
◦ IDS performance
◦ Managing memory and storage
◦ Managing bandwidth
◦ Managing the knowledge base


Exam Schedule
• Date and time
◦ December 16, 2010 (Thursday)
◦ 6:00 pm – 8:00 pm
• Platform
◦ ANGEL and/or paper
• Questions
◦ True/false
◦ Multiple choice
◦ Fill in the blanks
◦ Short answers
◦ Numerical calculations