
Wednesday, May 23, 2018

10 Questions on IDS



(1) An organisation has installed an IDS that monitors general patterns of activity and builds a database from them. Which of the following intrusion detection systems (IDSs) has this feature?

A. Packet filtering

B. Signature-based

C. Statistical-based

D. Neural networks

(2) The component of an IDS that collects the data is:

A. Sensor
B. Analyzer
C. User interface
D. Administration console


(3) Even for normal activity, which of the following intrusion detection systems (IDSs) is MOST likely to generate false alarms?

A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based

(4) An IS auditor is reviewing the installation of an intrusion detection system (IDS). Which of the following is the GREATEST concern?

A. number of non-alarming events identified as alarming
B. system not able to identify the alarming attacks
C. an automated tool is used for analysis of reports/logs
D. traffic from a known source is blocked by the IDS


(5) An organization wants to detect attack attempts that the firewall is unable to recognize. A network intrusion detection system (IDS) should be placed between the:

A. Internet and the firewall
B. firewall and organisation’s internal network
C. Internet and the IDS.
D. IDS and internal network


(6) Which of the following is a function of an intrusion detection system (IDS)?

A. obtain evidence on intrusive activity
B. control the access on the basis of defined rules
C. blocking access to websites for unauthorised users
D. preventing access to servers for unauthorised users




(7) Which of the following is the most routine problem in the implementation of an intrusion detection system (IDS)?

A. instances of false rejection rate.

B. instances of false acceptance rate.

C. instances of false positives.

D. denial-of-service attacks.




(8) Which of the following can detect intrusion attempts and penetration threats to a network by analysing the behaviour of the system?

A. Router
B. Intrusion detection system (IDS)
C. Stateful inspection
D. Packet filters




(9) To detect intrusion, the BEST control would be:

A. Controlled procedure for granting user access
B. Inactive system to be automatically logged off after a time limit.
C. Actively monitor unsuccessful login attempts.
D. Deactivate the user ID after a specified number of unsuccessful login attempts.



(10) An IS auditor reviewing the implementation of an IDS should be MOST concerned if:

A. High instances of false alarms by a statistical-based IDS.

B. IDS is placed between the firewall and the internal network.

C. IDS is used to detect encrypted traffic.

D. Signature-based IDS is not able to identify new threats.


(1) Correct answer: D. Neural networks

Explanation:
Packet filtering - Packet filtering is a type of firewall and IDS.
Signature-based - A signature-based IDS identifies intrusions on the basis of known types of attacks. Such known patterns are stored in the form of signatures. This is also known as a rule-based IDS.
Statistical-based - A statistical-based IDS determines the normal (known and expected) behaviour of the system. Any activity that falls outside the scope of normal behaviour is flagged as an intrusion.
Neural network - A neural network IDS is similar to a statistical-based IDS but with added self-learning functionality. The IDS monitors the general pattern of activities and creates a database.

(2) Correct Answer: A. Sensor
Explanation:
Sensors - Collect the data. Data can be in the form of network packets, log files, etc.
Analyzers - Analyze the data and determine the intrusive activity.
Administration Console - Used to manage the IDS rules and functions.
User Interface - Enables the user to view results and take necessary action.



(3) Correct Answer: A. Statistical-based

Explanation:
A statistical-based IDS determines the normal (known and expected) behaviour of the system. Any activity that falls outside the scope of normal behaviour is flagged as an intrusion. A statistical-based IDS is the most likely to generate false positives (i.e. false alarms) compared with other IDS types. Since normal network activity may include unexpected behaviour (e.g., frequent downloads by multiple users), such activity will be flagged as suspicious.
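To show why the statistical approach produces the false alarms described above (and the routine false-positive problem of question 7), here is an added toy statistical-based IDS; it is not part of the original post. It learns a baseline from constructed per-minute download counts, then alerts on any interval more than k standard deviations above the mean; the traffic, labels and the k = 3 threshold are all assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed per-minute counts of download requests seen during a baseline
# period of ordinary office activity; the IDS treats this as "normal".
BASELINE_COUNTS = [12, 9, 14, 11, 10, 13, 8, 12, 11, 10]

# Constructed live traffic: (minute, download count, description, malicious?).
# The ground-truth label is what an analyst would establish after the fact.
LIVE_TRAFFIC = [
    (1, 11, "normal browsing", False),
    (2, 13, "normal browsing", False),
    (3, 95, "patch day: many staff fetch the same update", False),
    (4, 12, "normal browsing", False),
    (5, 60, "one host pulling every file share in turn", True),
]


def learn_baseline(counts):
    """Training phase of a statistical-based IDS: mean and std of normal counts."""
    return mean(counts), pstdev(counts)


def flag_anomalies(baseline, traffic, k=3.0):
    """Alert on any interval whose count exceeds mean + k standard deviations.

    The detector sees only the count; it cannot tell a legitimate burst
    from an attack, which is exactly why false alarms arise.
    """
    mu, sigma = baseline
    threshold = mu + k * sigma
    return [event for event in traffic if event[1] > threshold]


def triage(alerts):
    """Split alerts into true positives and false positives using the labels."""
    true_pos = [e for e in alerts if e[3]]
    false_pos = [e for e in alerts if not e[3]]
    return true_pos, false_pos


if __name__ == "__main__":
    base = learn_baseline(BASELINE_COUNTS)
    tp, fp = triage(flag_anomalies(base, LIVE_TRAFFIC))
    print(f"threshold = {base[0] + 3 * base[1]:.1f} downloads/minute")
    for minute, count, desc, _ in fp:
        print(f"false positive at minute {minute}: {count} downloads ({desc})")
    for minute, count, desc, _ in tp:
        print(f"true positive at minute {minute}: {count} downloads ({desc})")
```

The patch-day burst and the single-host sweep look identical to the detector, so both are raised as alerts and an analyst has to triage them afterwards.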

(4) Answer: B. system not able to identify the alarming attacks

Explanation:
The major concern is the system not being able to identify the alarming attacks. Such misses present a higher risk because the attacks will go unnoticed and no action will be taken to address them. A high false-positive rate is a concern, but not a major one. Also, logs/reports are first analyzed by an automated tool to eliminate known false positives, which is generally not a problem, and an IDS does not block any traffic.


(5) Answer: B. firewall and organisation’s internal network
Explanation:
Placement of an intrusion detection system:
(1) If a network-based IDS is placed between the Internet and the firewall, it will detect all attack attempts (whether or not they pass through the firewall).
(2) If a network-based IDS is placed between the firewall and the corporate network, it will detect only those attack attempts that pass through the firewall (i.e. cases where the firewall failed to block the attack).

(6) Answer: A. obtain evidence on intrusive activity
Explanation:
Obtaining evidence on intrusive activity is a function of an IDS. The other options are functions of a firewall.

(7) Correct answer: C. instances of false positives.

Explanation:
The main problem in operating IDSs is the recognition (detection) of events that are not really security incidents, i.e. false positives (false alarms). Options A and B are concerns of biometric implementations. Denial of service is a type of attack and is not a problem in the operation of IDSs.


(8) Answer: B. Intrusion detection system (IDS)
Explanation:
An IDS determines the normal (known and expected) behaviour of the system. Any activity that falls outside the scope of normal behaviour is flagged as an intrusion. Routers, stateful inspection and packet filters are types of firewalls designed to block certain types of communications routed or passing through specific ports. They are not designed to discover someone bypassing or going under the firewall.

(9) Answer: C. Actively monitor unsuccessful login attempts.
Explanation: The BEST method to detect intrusion is to actively monitor unsuccessful logins. Deactivating the user ID is a preventive method, not a detective one.

(10) Correct answer: C. IDS is used to detect encrypted traffic.

Explanation:
An IDS cannot detect attacks carried inside encrypted traffic. So if the organisation has misunderstood that the IDS can also detect encrypted traffic and has designed its control strategy accordingly, that is a major concern.