type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of system with the intent to do malicious harm

activities that deter an intrusion

procedures and systems that identify system intrusions

activities finalized the restoration of operations to a normal state and activities seek to identify the source and method of attack for prevention

commercially available in late 1990

works like a burglar alarm

generally accepted combination

intrusion detection and prevention system terminologies

indication that attack is happening

attacker change the format and/or timing of activities to avoid being detected

event triggers alarm - no real attack

failure of IDPS to react to attack

alarm activates in the absence of an actual attack

alarms events that are accurate but don't pose threats

rules and configuration guidelines governing the implementation and operation of IDPS

ability to dynamically modify configuration in response to environmental activity

event that triggers alarms in event of real attack

adjusting an IDPS

measure of IDPS ability to correctly detect and identify type of attacks

classification of IDPS alerts

grouping almost identical alarms happening at close to the same time

act as quality control for security design and administration

types of IDPS

focused on protection network information assets

besides on computer or appliance connected to a segment of organization network

wireless, monitors packets, looks for attack patterns

known signatures in network-based

packet structure

Packet use

focused on protection server of host's information assets

resides on a particular computer or server and monitors traffic only on that system

also known as system integrity verifiers

classifies files in categories and applies various notification actions based on rules

can monitor multiple computer simultaneously

monitors and analyzes wireless network

examines application for abnormal events

tracks interaction between users and applications

two dominate methodologies

examines data traffic in search of patterns that match known signature

based on frequency on which network activities take place

collect statistical summaries of normal traffic to form baseline

similar to NIDS, reviews logs

looks for patterns signatures in log files

able to look at multiple log files from different systems

control strategies

all IDS control functions are implemented and managed in a centralized location

individual agents respond to local threats

report to a hierarchical central facility, one of the more effective methods

opposite of centralized

All control functions apply that the physical location of each ID is component

decoy systems

lure potential attackers away from critical systems

encourages attacks against themselves

collection of honey pots

connects honey pots on a subnet

contains pseudo services the emulated well-known services

protected honey pot

IDS detects attacks and transfers to simulated environment

detect intrusion and trace incident back

consist of honey pot or padded cell and alarm

help find vulnerabilities in system

allow system admin to see what the attacker sees

what is active on computer

scanning and analysis tools

validation of users identity