35 terms

ISA3060-01-Chapter7

Security Technology: Intrusion Detection and Prevention Systems, and Other Tools
Intrusion
Attempted entry into or disruption of normal operations of an information system.
Intrusion Detection Systems
AKA IDS. Consist of procedures and systems that identify system intrusions.
Intrusion Prevention Systems
AKA IPS. Activities that prevent an intrusion.
Intrusion Reaction
Actions an organization takes when an intrusion is detected.
Intrusion Correction
Activities that finalize the restoration of operations to a normal state as quickly as possible.
Intrusion Detection and Prevention Systems
AKA IDPS. Generally used to describe current anti-intrusion technologies.
Alert or Alarm
Indication that a system has just been attacked or is under attack.
Evasion
Process by which attackers change the format and/or timing of their activities in order to avoid detection by the IDPS.
False Attack Stimulus
Event that triggers alarm when no actual attack is in progress.
False Negative
Failure of an IDPS to react to an actual attack event.
False Positive
Alert or alarm that occurs in the absence of an actual attack.
Noise
Alarm events that are accurate and noteworthy but do pose significant threats to information security.
Site Policy
Rules and configuration guidelines governing the implementation and operation of IDPS within an organization.
Site Policy Awareness
An IDPS's ability to dynamically modify its configuration in response to environmental activity.
True Attack Stimulus
Event that triggers alarms and causes an IDPS to react as if a real attack is in progress.
Tuning
Process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing false positives and false negatives.
Confidence Value
Measure of an IDPS's ability to correctly detect and identify certain types of attacks.
Alarm Filtering
Process of classifying IDPS alerts so they can be more effectively managed.
Alarm Clustering and Compaction
Process of grouping almost identical alarms that happen at close to the same time into a single higher level alarm.
Confidence Value
Based on fuzzy logic, experience, and past performance measurement, helps an administrator determine how likely it is that an IDPS alert or alarm indicates an actual attack is in progress.
Doorknob Rattling
Process of initially estimating the defensive state of an organization's networks and systems.
Footprinting
Activities that gather information about the organization and its network activities.
Fingerprinting
Activities that scan network locales for active systems and then identify the network services offered by the host systems.
PDS/IPS Technologies Difference.....
IPS can respond to a detected threat by attempting to prevent it from succeeding.
IDPS operate as.
Network or host-based systems
IDPS Network Systems
Focus on protecting network information assets.
IDPS Host-Based Systems
Protects the server or host's information assets
NB IDPS Systems
AKA Network Behavior Analysis Systems. Examine network traffic in order to identify problems related to the flow of traffic, i.e., excessive packet flows that might occur as the result of DoS attacks, virus and worm attacks, some forms of network policy violations. These systems reside on network segments and monitor traffic across those segments.
Wireless NIDPS
Systems that monitor and analyze wireless network traffic
Host-based IDPS
AKA System Integrity Verifiers. Resides on a particular host computer or host server and monitors activity only on that system.
Signature-based IDPS
AKA Knowledge-based or Misuse-detection IDPS. Examines network traffic in search of patterns that match known signatures
Statistical-anomaly-based IDPS
AKA Behavior-based IDPS. Collects statistical summaries by observing traffic that is known to be normal.
Stateful Protocol Analysis IDPS
Process of comparing predetermined profiles that specify how particular protocols should and should not be used.
Clipping Level
When measured activity is outside or exceeds the baseline parameters.
Log File Monitor IDPS
Similar to a NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate an attack or intrusion is in process or may have already occurred.