occurs when an attacker attempts to gain entry to or disrupt the normal operations of information systems, almost always with intent to do harm
consists of procedures and systems that identify system intrusions
encompasses actions an organization takes when intrusion is detected
consists of activities that deter intrusion
activities finalize restoration of operations to a normal state and seek to identify source and method of intrusion to ensure same type of attack cannot occur again
intrusion detection system (IDS)
device similar to a burglar alarm in that it detects a violation and activates an alarm.
intrusion prevention system (IPS)
device that can detect intrusion and launch an active response
intrusion detection/prevention system (IDPS)
term that describes current anti-intrusion technologies
alert or alarm
indication a system has just been attacked or is under attack
process by which an attacker changes the format and/or timing of their activities to avoid being detected by the IDPS
false attack stimulus
event that triggers alarm when no actual attack is in progress
failure of an IDPS to react to an actual attack event
alert or alarm that occurs in the absence of an actual attack
accurate alarm events that do not pose significant threat to information security
rules and configuration guidelines governing implementation and operation of IDPSs within an organization
site policy awareness
IDPS's ability to dynamically modify its configuration in response to environmental activity
true attack stimulus
event that triggers alarms and causes an IDPS to react as if a real attack is in progress
process of adjusting IDPS to maximize efficiency in detecting true positives, while minimizing false positives and false negatives
value placed upon an IDPS's ability to detect/identify certain attacks correctly
running system for a while to track types of false positives it generates and then adjusting IDPS alarm classifications
alarm clustering and compaction
process of grouping almost identical alarms occurring at almost same time into single higher-level alarm
a systematic survey of all of the target organization's Internet addresses that is conducted to identify network services offered by hosts in that range
the organized research of the Internet addresses owned or controlled by a target organization.
network-based IDPS (NIDPS)
an IDPS that resides on a computer or appliance connected to a network segment and monitors network traffic on that segment
monitoring port (SPAN port)
a specially configured connection on a network device that is capable of viewing all the traffic that moves through the entire device.
protocol stack verification
process in which an NIDPS looks for invalid data packets - packets that are malformed under the rules of the TCP/IP protocol
application protocol verification
process in which an NIDPS examines higher-order protocols (HTTP, FTP, Telnet) for unexpected packet behavior or improper use
Network Behavior Analysis
an NIDPS that examines network traffic in order to identify problems related to the flow of traffic; most NBA sensors are deployed in passive mode only
type of sensor deployed in such a way that the network traffic it is monitoring must pass through it.
host-based IDPS (HIDPS)
an IDPS that resides on a particular computer or server (the host) and monitors activity only on that system. Also known as a system integrity verifier.
signature-based (knowledge-based, misuse-detection) IDPS
IDPS that examines network traffic in search of patterns that match known signatures
statistical anomaly-based (stat, behavior-based) IDPS
IDPS that compares sampled network activity to established baseline
stateful protocol analysis (SPA) IDPS
IDPS that uses profiles to detect anomalous protocol behavior
log file monitor (LFM) IDPS
IDPS that reviews log files from servers, network devices, and other IDPSs for signatures indicating an attack or intrusion
attacker who uses tactics designed to trip the organization's IDPS, essentially causing the organization to conduct its own DoS attack by overreacting to an actual, but insignificant, attack
centralized control strategy
strategy in which all IDPS control functions are implemented and managed in a central location
fully distributed control strategy
strategy in which all control functions are applied at the physical location of each IDPS component
partially distributed control strategy
strategy that combines the best of the other two strategies; while individual agents still analyze and respond to local threats, their reporting to a hierarchical central facility enables the organization to detect widespread attacks
decoy systems designed to lure potential attackers away from critical systems
collection of honey pots connecting several honey pot systems on a subnet
honey pot that has been protected so it cannot be easily compromised—in other words, a hardened honey pot
trap and trace
a combination of techniques used to detect an intrusion and then to trace it back to its source
the act of hacking into a hacker's system to find out as much as possible about the hacker
the process of attracting attention to a system by placing tantalizing information in key locations.
the action of luring an individual into committing a crime.