Question 1
Which of the following is NOT identified as a intruder "class"? (6.1)
| A. | |
| B. | |
| C. | |
| D. | |
The following are identified by the text (page 177) as intruder classes;
1. Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account.
2. Misfeasor: A legitimate user who accesses data, programs, or resources for which
such access is not authorized, or who is authorized for such access but misuses his
or her privileges.
3. Clandestine user: An individual who seizes supervisory control
of the system and uses this control to evade auditing and access controls or to
suppress audit collection.
1. Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account.
2. Misfeasor: A legitimate user who accesses data, programs, or resources for which
such access is not authorized, or who is authorized for such access but misuses his
or her privileges.
3. Clandestine user: An individual who seizes supervisory control
of the system and uses this control to evade auditing and access controls or to
suppress audit collection.
Question 2
Which of the following is NOT a desirable characteristics of an IDS? (6.5)
| A. | |
| B. | |
| C. | |
| D. | |
| E. | |
| F. | |
These are desirable characteristics (specified in textbook, p 183) of an IDS;
•Run continually with minimal human supervision.
•Be fault tolerant in the sense that it must be able to recover from system crashes
and reinitializations.
•Resist subversion. The IDS must be able to monitor itself and detect if it has been
modified by an attacker.
•Impose a minimal overhead on the system where it is running.
•Be able to be configured according to the security policies of the system that is
being monitored.
•Be able to adapt to changes in system and user behavior over time.
•Be able to scale to monitor a large number of hosts.
•Provide graceful degradation of service in the sense that if some components of
the IDS stop working for any reason, the rest of them should be affected as little as
possible.
•Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without
having to restart it.
•Run continually with minimal human supervision.
•Be fault tolerant in the sense that it must be able to recover from system crashes
and reinitializations.
•Resist subversion. The IDS must be able to monitor itself and detect if it has been
modified by an attacker.
•Impose a minimal overhead on the system where it is running.
•Be able to be configured according to the security policies of the system that is
being monitored.
•Be able to adapt to changes in system and user behavior over time.
•Be able to scale to monitor a large number of hosts.
•Provide graceful degradation of service in the sense that if some components of
the IDS stop working for any reason, the rest of them should be affected as little as
possible.
•Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without
having to restart it.
Question 3
Which of the following ARE useful for profile-based intrusion detection? (6.7)
| A. | |
| B. | |
| C. | |
| D. | |
| E. | |
| F. | |
All the following ARE useful for profile-based intrusion detection (see textbook page 186);
Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.
Interval timer: The length of time between two related events.
Resource utilization: Quantity of resources consumed during a specified period.
Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.
Interval timer: The length of time between two related events.
Resource utilization: Quantity of resources consumed during a specified period.
Question 4
Which of the following best describes the "operation" of a virus or worm? (7.3)
| A. | |
| B. | |
| C. | |
| D. | |
| E. | |
| F. | |
Typical phases (as described by the textbook on page 220) of operation are; a dormant phase, a propagation phase, a triggering phase, and an execution phase.
Question 5
Which of the following is NOT an effective worm countermeasure? (7.7)
| A. | |
| B. | |
| C. | |
| D. | |
| E. | |
| F. | |
| G. | |
A "DNS base scanning worm detector" would likely fail to detect an IM worm outbreak, because an IM worm’s attack payload will most likely be forwarded through the IM server, using the target’s user ID instead of a target IP address (Yan, Xiao,& Eidenbenz, 2008 pg 2).
See page 236 of textbook for details on the following.
See page 236 of textbook for details on the following.
Signature-based worm scan filtering: This type of approach generates a worm
signature, which is then used to prevent worm scans from entering/leaving a
network/host. Typically, this approach involves identifying suspicious flows and
generating a worm signature. This approach is vulnerable to the use of
polymorphic worms: Either the detection software misses the worm or, if it is
sufficiently sophisticated to deal with polymorphic worms, the scheme may take a
long time to react. [NEWS05] is an example of this approach.
Filter-based worm containment: This approach is similar to class A but focuses on
worm content rather than a scan signature. The filter checks a message to
determine if it contains worm code. An example is Vigilante [COST05], which
relies on collaborative worm detection at end hosts. This approach can be quite
effective but requires efficient detection algorithms and rapid alert dissemination.
Payload-classification-based worm containment: These network-based
techniques examine packets to see if they contain a worm. Various anomaly
detection techniques can be used, but care is needed to avoid high levels of false
positives or negatives. An example of this approach is reported in [CHIN05],
which looks for exploit code in network flows. This approach does not generate
signatures based on byte patterns but rather looks for control and data flow
structures that suggest an exploit.
Threshold random walk (TRW) scan detection: TRW exploits randomness in
picking destinations to connect to as a way of detecting if a scanner is in operation
[JUNG04]. TRW is suitable for deployment in high-speed, low-cost network
devices. It is effective against the common behavior seen in worm scans.
Rate limiting: This class limits the rate of scanlike traffic from an infected host.
Various strategies can be used, including limiting the number of new machines a
host can connect to in a window of time, detecting a high connection failure rate,
and limiting the number of unique IP addresses a host can scan in a window of
time. [CHEN04] is an example. This class of countermeasures may introduce
longer delays for normal traffic. This class is also not suited for slow, stealthy
worms that spread slowly to avoid detection based on activity level.
Rate halting: This approach immediately blocks outgoing traffic when a threshold
is exceeded either in outgoing connection rate or diversity of connection attempts
[JHI07]. The approach must include measures to quickly unblock mistakenly
blocked hosts in a transparent way. Rate halting can integrate with a signature- or
filter-based approach so that once a signature or filter is generated, every blocked
host can be unblocked. Rate halting appears to offer a very effective
countermeasure. As with rate limiting, rate-halting techniques are not suitable for
slow, stealthy worms.
Yan, G., Xiao, Z. & Eidenbenz, S., 2008. Catching instant messaging worms with change-point detection techniques. In Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats. San Francisco, California: USENIX Association, pp. 1-10. Available at: http://portal.acm.org/citation.cfm?id=1387715 [Accessed March 14, 2010].
signature, which is then used to prevent worm scans from entering/leaving a
network/host. Typically, this approach involves identifying suspicious flows and
generating a worm signature. This approach is vulnerable to the use of
polymorphic worms: Either the detection software misses the worm or, if it is
sufficiently sophisticated to deal with polymorphic worms, the scheme may take a
long time to react. [NEWS05] is an example of this approach.
Filter-based worm containment: This approach is similar to class A but focuses on
worm content rather than a scan signature. The filter checks a message to
determine if it contains worm code. An example is Vigilante [COST05], which
relies on collaborative worm detection at end hosts. This approach can be quite
effective but requires efficient detection algorithms and rapid alert dissemination.
Payload-classification-based worm containment: These network-based
techniques examine packets to see if they contain a worm. Various anomaly
detection techniques can be used, but care is needed to avoid high levels of false
positives or negatives. An example of this approach is reported in [CHIN05],
which looks for exploit code in network flows. This approach does not generate
signatures based on byte patterns but rather looks for control and data flow
structures that suggest an exploit.
Threshold random walk (TRW) scan detection: TRW exploits randomness in
picking destinations to connect to as a way of detecting if a scanner is in operation
[JUNG04]. TRW is suitable for deployment in high-speed, low-cost network
devices. It is effective against the common behavior seen in worm scans.
Rate limiting: This class limits the rate of scanlike traffic from an infected host.
Various strategies can be used, including limiting the number of new machines a
host can connect to in a window of time, detecting a high connection failure rate,
and limiting the number of unique IP addresses a host can scan in a window of
time. [CHEN04] is an example. This class of countermeasures may introduce
longer delays for normal traffic. This class is also not suited for slow, stealthy
worms that spread slowly to avoid detection based on activity level.
Rate halting: This approach immediately blocks outgoing traffic when a threshold
is exceeded either in outgoing connection rate or diversity of connection attempts
[JHI07]. The approach must include measures to quickly unblock mistakenly
blocked hosts in a transparent way. Rate halting can integrate with a signature- or
filter-based approach so that once a signature or filter is generated, every blocked
host can be unblocked. Rate halting appears to offer a very effective
countermeasure. As with rate limiting, rate-halting techniques are not suitable for
slow, stealthy worms.
Yan, G., Xiao, Z. & Eidenbenz, S., 2008. Catching instant messaging worms with change-point detection techniques. In Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats. San Francisco, California: USENIX Association, pp. 1-10. Available at: http://portal.acm.org/citation.cfm?id=1387715 [Accessed March 14, 2010].
Question 6
Which of the following is NOT a typical USE of a BOT? (7.8)
| A. | |
| B. | |
| C. | |
| D. | |
| E. | |
| F. | |
| G. | |
| H. | |
See page 240 of the textbook for details.The following are uses for bots; Distributed Denial of Service (DDoS) attack, Spamming, an attacker is able to send massive amounts of bulk e-mail (spam), Keylogging, captures keystrokes on the infected machine, Spreading new malware, Botnets are used to spread new bots, Installing advertisement add-ons and browser helper objects (BHOs), Botnets are used to gain finanical advantages, Attacking IRC chat networks, Botnets are also used for attacks against internet relay channel (IRC) networks, and Manipulating online pols / games, since every bot will have a unique ip address, every vote will have the same crediability as a vote by a realp person.