collect statistical summaries of normal traffic to form baseline

IDS detects attacks and transfers to simulated environment

classification of IDPS alerts

attacker change the format and/or timing of activities to avoid being detected

report to a hierarchical central facility, one of the more effective methods

alarms events that are accurate but don't pose threats

types of IDPS

can monitor multiple computer simultaneously

act as quality control for security design and administration

event that triggers alarms in event of real attack

focused on protection network information assets

alarm activates in the absence of an actual attack

based on frequency on which network activities take place

indication that attack is happening

what is active on computer

procedures and systems that identify system intrusions

help find vulnerabilities in system

wireless, monitors packets, looks for attack patterns

two dominate methodologies

tracks interaction between users and applications

consist of honey pot or padded cell and alarm

measure of IDPS ability to correctly detect and identify type of attacks

opposite of centralized

ability to dynamically modify configuration in response to environmental activity

collection of honey pots

adjusting an IDPS

activities that deter an intrusion

all IDS control functions are implemented and managed in a centralized location

looks for patterns signatures in log files

encourages attacks against themselves

event triggers alarm - no real attack

monitors and analyzes wireless network

examines data traffic in search of patterns that match known signature

classifies files in categories and applies various notification actions based on rules

lure potential attackers away from critical systems

scanning and analysis tools

generally accepted combination

validation of users identity

control strategies

besides on computer or appliance connected to a segment of organization network

All control functions apply that the physical location of each ID is component

focused on protection server of host's information assets

similar to NIDS, reviews logs

grouping almost identical alarms happening at close to the same time

able to look at multiple log files from different systems

intrusion detection and prevention system terminologies

packet structure

contains pseudo services the emulated well-known services

allow system admin to see what the attacker sees

resides on a particular computer or server and monitors traffic only on that system

works like a burglar alarm

Packet use

commercially available in late 1990

protected honey pot

decoy systems

activities finalized the restoration of operations to a normal state and activities seek to identify the source and method of attack for prevention

type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of system with the intent to do malicious harm

also known as system integrity verifiers

known signatures in network-based

individual agents respond to local threats

rules and configuration guidelines governing the implementation and operation of IDPS

detect intrusion and trace incident back

examines application for abnormal events

connects honey pots on a subnet

failure of IDPS to react to attack