CHAPTER 11: INTRUDERS
TRUE OR FALSE
T F 1. Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security.
T F 2. Trojan horses and viruses are confined to network-based attacks.
T F 3. Intrusion detection involves detecting unusual patterns of activity or patterns of activity that are known to correlate with intrusions.
T F 4. Statistical approaches attempt to define proper behavior and rule-based approaches attempt to define normal or expected behavior.
T F 5. The main advantage of the use of statistical profiles is that prior knowledge of security flaws is not required.
T F 6. One important element of intrusion prevention is password management.
T F 7. The ID determines the privileges accorded to the user.
T F 8. Insider attacks are among the easiest to detect and prevent.
T F 9. The hacking community is a strong meritocracy in which status is determined by level of competency.
T F 10. Penetration identification is an approach developed to detect deviation from previous usage patterns.
T F 11. A weakness of the IDES approach is its lack of flexibility.
T F 12. To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
T F 13. System administrators can stop all attacks and hackers from penetrating their systems by installing software patches periodically.
T F 14. Password crackers rely on the fact that some people choose easily guessable passwords.
T F 15. Traditional hackers usually have specific targets, or at least classes of targets, in mind.
MULTIPLE CHOICE
1. Software trespass can take the form of a _________ .
A) virus B) worm
C) Trojan horse D) all of the above
2. A _________ is an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
A) sniffer B) misfeasor
C) clandestine user D) masquerader
3. _________ involves counting the number of occurrences of a specific event type over an interval of time.
A) Rule-based detection B) Resource usage
C) Threshold detection D) Profile-based system
4. A ________ is a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
A) clandestine user B) misfeasor
C) emissary D) masquerader
5. The simplest statistical test is to measure the _________ of a parameter over some historical period, which would give a reflection of the average behavior and its variability.
A) multivariate B) mean and standard deviation
C) time series D) Markov process
6. _________ detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.
A) Action condition B) Threshold
C) Profile-based anomaly D) Statistical anomaly
7. A ________ is an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
A) clandestine user B) misfeasor
C) masquerader D) mole
8. The _________ model is used to establish transition probabilities among various states, such as looking at transitions between certain commands.
A) multivariate B) profile-based
C) Markov process D) operational
9. The _________ is based on a judgment of what is considered abnormal rather than an automated analysis of past audit records.
A) Markov process B) mean and standard deviation
C) time series D) operational model
10. The ________ is an audit collection module operating as a background process on a monitored system whose purpose is to collect data on security-related events on the host and transmit these to the central manager.
A) central manager module B) host agent module
C) intruder alert module D) LAN monitor agent module
11. The _________ prevents duplicate passwords from being visible in the password file. If two users choose the same password, those passwords will be assigned at different times.
A) honeypot B) salt
C) audit record D) rule-based intrusion detection
12. An operation such as login, read, perform, I/O, or execute that is performed by the subject on or with an object is the _________ audit record field.
A) resource-usage B) subject
C) object D) action
13. A ________ is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.
A) gauge B) interval timer
C) resource utilization D) counter
14. A ________ model is based on correlations between two or more variables.
A) mean and standard deviation B) multivariate
C) Markov process D) operational
15. The most promising approach to improved password security is __________ .
A) user education
B) a proactive password checker
C) computer-generated passwords
D) a reactive password checking strategy
SHORT ANSWER
1. __________ systems have been developed to provide early warning of an intrusion so that defensive action can be taken to prevent or minimize damage.
2. _________ detection involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
3. The three classes of intruders identified by Anderson are: Masquerader, Misfeasor, and _________ .
4. Password files can be protected in one of two ways: one-way function or __________ .
5. Metrics that are useful for profile-based intrusion detection are: counter, gauge, resource utilization, and _________ .
6. _________ is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
7. Two types of audit records used are detection-specific audit records and _________ audit records.
8. _________ techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.
9. Designed to lure a potential attacker away from critical systems, ____________ are decoy systems that divert an attacker from accessing critical systems, collect information about the hacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.
10. The focus of the __________ is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management that may need to interact with them.
11. A _________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.
12. A fundamental tool for intrusion detection is the _________ record.
13. An example of a metric used for profile-based intrusion detection is a _________ , which is a non-negative integer that may be incremented but not decremented until it is reset by management action. Examples include the number of logins by a single user during an hour, the number of times a given command is executed during a single user session, and the number of password failures during a minute.
14. _________ identification takes a very different approach to intrusion detection. The key feature of such systems is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. Typically the rules used in these systems are specific to the machine and operating system.
15. One of the most important results from probability theory is known as ________ , which is used to calculate the probability that something really is the case, given evidence in favor of it.