SHORT ANSWER
1. __________ systems have been developed to provide early warning of an intrusion so
that defensive action can be taken to prevent or minimize damage.
2. _________ detection involves the collection of data relating to the behavior of
legitimate users over a period of time. Statistical tests are applied to observed
behavior to determine with a high level of confidence whether that behavior is not
legitimate user behavior.
3. The three classes of intruders identified by Anderson are: Masquerader, Misfeasor,
and _________ .
4. Password files can be protected in one of two ways: one-way function or __________ .
5. Metrics that are useful for profile-based intrusion detection are: counter, gauge,
resource utilization, and _________ .
6. _________ is based on the assumption that the behavior of the intruder differs from
that of a legitimate user in ways that can be quantified.
7. Two types of audit records used are detection-specific audit records and _________
audit records.
8. _________ techniques detect intrusion by observing events in the system and applying
a set of rules that lead to a decision regarding whether a given pattern of activity is
or is not suspicious.
9. Designed to lure a potential attacker away from critical systems, ____________ are
decoy systems that divert an attacker from accessing critical systems, collect
information about the hacker’s activity, and encourage the attacker to stay on the
system long enough for administrators to respond.
10. The focus of the __________ is to define data formats and exchange procedures
for sharing information of interest to intrusion detection and response
systems and to management that may need to interact with them.
11. A _________ strategy is one in which the system periodically runs its own
password cracker to find guessable passwords.
12. A fundamental tool for intrusion detection is the _________ record.
13. An example of a metric used for profile-based intrusion detection is _________ which
is a non-negative integer that may be incremented but not decremented until it is