Intrusion Detection System Overview Questions and answers

Feb 24,2010 by alperen

Summary

Questions

1. What is the purpose of an intrusion detection system (IDS)?
   A. To prevent unauthorized access to network resources
   B. To prevent users from accessing network resources
   C. To detect intrusions on the network
   D. To detect security flaws

2. What are the three phases of an attack?
   A. Reconnaissance, Attack, DoS
   B. DoS, Objective, Attack
   C. Attack, Reconnaissance, DoS
   D. Objective, Reconnaissance, Attack

3. What are the three types of attacks?
   A. Attack, Reconnaissance, Data manipulation
   B. DoS, Reconnaissance, Access
   C. Objective, Reconnaissance, Access
   D. Objective, Reconnaissance, Attack

4. What is the difference between host-based and network-based intrusion detection?
   A. Host-based systems detect attacks on the hosts and network-based systems don't
   B. Network-based systems detect attacks against the IDS and host-based systems only detect attacks against the host
   C. Host-based IDSs only determine if an attack was successful
   D. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host

5. What are the four types of security threats?
   A. Internal, External, Secured, Nonsecured
   B. External, Structured-internal, Unstructured-external, Internal
   C. Internal, Structured, Unstructured, External
   D. Internal-structured, External-structured, Internal-structured, Internal-unstructured

6. What is a false negative?
   A. Results when an attack or an intrusion goes undetected
   B. An alert sent to an incorrect management station
   C. Results when the IDS system reports an alarm, although an actual intrusion doesn't occur on the network
   D. There is no such thing as a false negative

7. What type of triggering mechanism is most likely to create a false negative?
   A. Anomaly detection
   B. Misuse detection
   C. Profile based
   D. Network based

8. What is a false positive?
   A. A false positive results when an attack or intrusion causes an alarm to be generated
   B. A false positive is an alert sent to an incorrect management station
   C. A false positive results when the IDS system reports an alarm, although no actual intrusion occurs on the network
   D. There is no such thing as a false positive

9. What type of triggering mechanism is most likely to create a false positive?
   A. Anomaly detection
   B. Misuse detection
   C. Network based
   D. Host based

10. Which of the following is a limitation of host-based intrusion detection?
   A. Unable to detect attacks launched from the system console
   B. Unable to detect attacks launched against the host from the network
   C. Unable to detect attacks against the host from multiple locations
   D. Unable to detect reconnaissance attacks

11. Which of the following is a benefit of host-based intrusion detection?
   A. Easier to manage
   B. Can detect if an attack is successful
   C. Detects more intrusions
   D. Administrators have a higher degree of confidence in host-based IDSs

12. Which of the following is a limitation of network-based intrusion detection?
   A. Can only detect attacks performed over the network
   B. Can only detect attacks against the network infrastructure
   C. Can't detect new attack methods
   D. Easy to manipulate

13. Which of the following is a benefit of network-based intrusion detection?
   A. Can determine if an attack was successful
   B. Has a lower occurrence of false positives
   C. Has a higher occurrence of false negatives
   D. Has a complete view of network traffic

14. What are the two types of triggering mechanisms used by an IDS?
   A. Network based and host based
   B. Misuse and anomaly detection
   C. Signature and misuse detection
   D. Anomaly and profile-based detection

15. What is the difference between anomaly detection and misuse detection?
   A. Anomaly detection uses profiles, while misuse detection uses signatures
   B. Misuse detection uses profiles, while anomaly detection uses signatures
   C. Anomaly detection is network based, while misuse detection is host based
   D. No difference exists between misuse detection and anomaly detection

16. In the context of an IDS, what is an anomaly?
   A. A normal traffic pattern
   B. Any computer activity that matches a user profile
   C. Any traffic or activity that isn't normal
   D. Any traffic pattern or activity that matches a signature in the signature database

17. What is a signature and what is it used for?
   A. A definition of intrusive activity, used to build user profiles
   B. A definition of intrusive activity, used to detect intrusions
   C. A definition of normal activity, used to distinguish normal activity from intrusive activity
   D. A set of rules describing intrusive activity, used to build rule-based profiles

18. What are the three ways to build user profiles?
   A. Signatures, neural networks, rule based
   B. Rule based, neural networks, statistical sampling
   C. Host statistical sampling, network statistical sampling, neural networks
   D. Signatures, statistical sampling, neural networks

19. Which of the following is a benefit of misuse detection?
   A. Lower occurrence of false negatives
   B. Easier to install and understand
   C. Can detect new attack methods
   D. Can be used for both network-based and host-based IDSs

20. Which of the following is a benefit of anomaly detection?
   A. Easier to understand
   B. Easier to configure
   C. Can be used to prevent intrusions
   D. Can be used to detect new attack methods

21. What is a major drawback of misuse detection?
   A. Unable to detect new attack methods
   B. Hard to understand and configure
   C. Results in too many false positives
   D. Can only be used with host-based IDSs

22. What is a major drawback of anomaly detection?
   A. Results in a high number of false negatives
   B. Hackers are aware of what activity will generate an alert
   C. Relies on a defined profile of normal activity
   D. Has no major drawbacks

Answers

1. C. To detect intrusions on the network

2. D. Objective, Reconnaissance, Attack

3. B. DoS, Reconnaissance, Access

4. D. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host

5. C. Internal, Structured, Unstructured, External

6. A. A false negative results when an attack or intrusion goes undetected

7. B. Misuse detection

8. C. A false positive results when the IDS system reports an alarm, although no actual intrusion occurs on the network

9. A. Anomaly detection

10. D. Unable to detect reconnaissance attacks

11. B. Host-based systems can detect if an attack is successful

12. A. Network-based intrusion detection can only detect attacks performed over the network

13. D. A network-based IDS has a complete view of network traffic

14. B. Misuse and anomaly detection

15. A. Anomaly detection uses profiles, while misuse detection uses signatures

16. C. An anomaly is any traffic or activity that isn't normal

17. B. A signature is a definition of intrusive activity and is used to detect intrusions

18. B. Rule based, neural networks, statistical sampling

19. B. Easier to install and understand

20. D. Anomaly detection can be used to detect new attack methods

21. A. Misuse detection is unable to detect new attack methods

22. C. Anomaly detection relies on a defined profile of normal activity
