IDS(intrusion detection system) Interview Questions & Answers

Question 1. What Is An Intrusion Detection System?

Answer :

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).

Question 2. What Is Ips And Ids?

Answer :

If an IPS is a control tool, then an IDS is a visibility tool. Intrusion Detection Systems sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security posture of the network.

Question 3. What Are The Functions Of Intrusion Detection?

Answer :

Intrusion detection functions include:

1. Monitoring and analyzing both user and system activities.
2. Analyzing system configurations and vulnerabilities.
3. Assessing system and file integrity.
4. Ability to recognize patterns typical of attacks.
5. Analysis of abnormal activity patterns.
6. Tracking user policy violations.

Question 4. What Is Ids In Networking?

Answer :

An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

Question 5. Explain Host Based (hids)?

Answer :

Host Based (HIDS) : Often referred to as HIDS, host based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device. HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity. The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting.

Examples of HIDS:

• OSSEC - Open Source Host-based Intrusion Detection System.
• Tripwire.
• AIDE - Advanced Intrusion Detection Environment.
• Prelude Hybrid IDS.

Question 6. Explain Physical (physical Ids)?

Answer :

Physical (Physical IDS) : Physical intrusion detection is the act of identifying threats to physical systems. Physical intrusion detection is most often seen as physical controls put in place to ensure CIA. In many cases physical intrusion detection systems act as prevention systems as well.

Examples of Physical intrusion detections are:

• Security Guards
• Security Cameras
• Access Control Systems (Card, Biometric)
• Firewalls
• Man Traps
• Motion Sensors

Question 7. What Do Ids Detect?

Answer :

• Anomaly detection: Activity that deviates from the normal behavior.
• Misuse detection: Execution of code that results in break-ins.
• Specifcation based detection: Activity involving privileged software that is inconsistent with respect to a policy/specification.

Question 8. What Are The Types Of Ids?

Answer :

Types of IDS :

Host Based IDS :

• Installed locally on machines.
• Monitoring local user activity.
• Monitoring execution of system programs.
• Monitoring local system logs.

Network IDS (NIDS) :

• Sensors are installed at strategic locations on the network.
• Monitor changes in traffic pattern/ connection requests.
• Monitor Users’ network activity – Deep Packet inspection.

Question 9. What Are The Types Of Nids?

Answer :

Signature Based IDS : Compares incoming packets with known signatures.

E.g. Snort, Bro, Suricata, etc.

Anomaly Detection Systems : Learns the normal behavior of the system.Generates alerts on packets that are different from the normal behavior.

Question 10. Explain Signature Based Nids?

Answer :

Signature based NIDS : Signature-based IDS refers to the detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. This terminology originates from anti-virus software, which refers to these detected patterns as signatures.
Problems:

• “Zero-day” attacks.
• Polymorphic attacks.
• Botnets – Inexpensive re-usable IP addresses for attackers.

Question 11. Explain Anomaly-based Intrusion Detection System?

Answer :

An anomaly-based intrusion detection system, is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation.

Question 12. What Are The Strengths Of Nids?

Answer :

NIDS can perform the following functions to enhance the security :

1. Measurements and analysis of typical and atypical user behavior. For example an anomaly based NIDS is capable of detecting high volume traffic flows, flash crowds, load imbalance in the network, sudden changes in demand of a port usage, sudden surge of traffic from/to a specific host, etc.
2. Detection of known worms, viruses, and exploitation of a known security hole. Signature based NIDS can detect these events with fairly high degree of accuracy. An appropriate signature will also ensure a low false positive probability.
3. Some advanced NIDS systems also enable recognitions of patterns of system events that correspond to a known security threat.
4. Enforcement of the security policies in a given network. For example a NIDS can be configured to block all communication between certain sets of IP addresses and or ports. A NIDS can also be used to enforce network wide access controls.
5. Anomaly based NIDS can also recognize, with a certain false positive probability, new attacks and abnormal patterns in the network traffic, whose signatures are not yet generated. This will alert the network administrator early, and potentially reduce the damage caused by the new attack.

Question 13. What Are The Limitations Of Nids?

Answer :

Limitations of NIDS :

1. A mere Workaround: A number of researchers have argued that a NIDS is more or a less a workaround for the flaws and weak or missing security mechanisms in an operating system, an application, and/or a protocol.
2. False Positives: NIDS comes with a bane, i.e. false positives. A false positive is an event when a NIDS falsely raises a security threat alarm for harmless traffic. Signatures can be tuned precisely to reduce such false positives, however fine signatures create a significant performance bottleneck, which is the next limitation of NIDS. Current Anomaly based algorithms lead to even higher false positives .
3. Performance issues: Current signature based NIDS systems use regular expressions signatures which creates a significant performance bottleneck. In order to reduce false positives long signatures are required which further reduces the performance. The data throughput of current NIDS systems is limited to a few gigabit per second.
4. Encryption: The ultimate threat to the very existence of the signature based NIDS systems is the increasing use of data encryption. Everybody dreams to encrypt their data before transmission. Once the packet payloads are encrypted, the existing signatures will become completely useless in identifying the anomalous and harmful traffic.
5. New and sophisticated attacks: Commercial NIDS which are signature based are unable to detect new attacks whose signatures are not yet devised. Anomaly based NIDS can detect such attacks but due to the limitations of the current anomaly detection algorithms, an intelligent attacker can always develop attacks that remain undetected.
6. Human intervention: Almost all NIDS systems require a constant human supervision, which slows down the detection and the associated actions. Some recent systems such as Network Intrusion Prevention Systems (NIPS) can automatically take pre-programmed actions but these are limited only to the well known attacks.
7. Evasion of signatures: A number of researchers have argued that it is not difficult for an attacker to evade a signature. Additionally there has been an increase in polymorphic worms which can automatically change their propagation characteristics thereby effectively changing their signatures. Such worms also pose a critical threat to the current NIDS.

Question 14. What Are The Types Of Attacks?

Answer :

Attack Types :

• Confidentiality: In such kinds of attacks, the attacker gains access to confidential and otherwise inaccessible data.
• Integrity: In such kinds of attacks, the attacker can modify the system state and alter the data without proper authorization from the owner.
• Availability: In such kinds of attacks, the system is either shut down by the attacker or made unavailable to general users. Denial of Service attacks fall into this category.
• Control: In such attacks the attacker gains full control of the system and can alter the access privileges of the system thereby potentially triggering all of the above three attacks.

Question 15. What Are Attacks Detected By A Nids?

Answer :

Attacks detected by a NIDS:
Scanning Attack : In such attacks, an attacker sends various kinds of packets to probe a system or network for vulnerability that can be exploited.
Denial of Service (DoS) Attacks : A Denial of Service attack attempts to slow down or completely shut down a target so as to disrupt the service and deny the legitimate and authorized users an access. Such attacks are very common in the Internet where a collection of hosts are often used to bombard web servers with dummy requests . Such attacks can cause significant economic damage to ecommerce businesses by denying the customers an access to the business. There are a number of different kinds of DoS attacks, some of which are mentioned below.

• Flaw Exploitation DoS Attacks
• Flooding DoS Attacks

Penetration Attacks : In penetration attack, an attacker gains an unauthorized control of a system, and can modify/alter system state, read files, etc. Generally such attacks exploit certain flaws in the software, which enables the attacker to install viruses, and malware in the system. The most common types of penetration attacks are:

• User to root
• Remote to user
• Remote to root
• Remote disk read
• Remote disk write

Question 16. What Is A Network Intrusion?

Answer :

A network intrusion is any unauthorized activity on a computer network. Detecting an intrusion depends on the defenders having a clear understanding of how attacks work.

Question 17. What Is Meant By Intruders In Network Security?

Answer :

An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. In summary, this person attempts to violate Security by interfering with system Availability, data Integrity or data Confidentiality.

Question 18. What Is A Nids?

Answer :

Host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS) are methods of security management for computers and networks.

Question 19. What Is A Network Based Ids?

Answer :

A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to protect a system from network-based threats. A NIDS reads all inbound packets and searches for any suspicious patterns.

Question 20. What Is A Smart Jack Used For?

Answer :

A smartjack is a type of NID with capabilities beyond simple electrical connection, such as diagnostics. An optical network terminal (ONT) is a type of NID used with fiber-to-the-premises applications.

Question 21. Difference Between Firewall And Intrusion Detection System?

Answer :

A firewall is a hardware and/or software which functions in a networked environment to block unauthorized access while permitting authorized communications. Firewall is a device and/or a sotware that stands between a local network and the Internet, and filters traffic that might be harmful.

An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report intrusion attempts to the network.

We can think a firewall as security personnel at the gate and an IDS device is a security camera after the gate. A firewall can block connection, while a Intrusion Detection System (IDS) cannot block connection. An Intrusion Detection System (IDS) alert any intrusion attempts to the security administrator.

However an Intrusion Detection and Prevention System (IDPS) can block connections if it finds the connections is an intrusion attempt. 

Question 22. Specify Some Of The Leading Intrusion Detection Systems (ids) Products?

Answer :

Some leading Intrusion Detection Systems (IDS) Products are

• Snort.
• CounterAct.
• AirMagnet.
• Bro Intrusion Detection System.
• Cisco Intrusion Prevention System (IPS).
• Juniper Networks Intrusion Detection & Prevention (IDP).
• McAfee Host Intrusion Prevention for server.
• Sourcefire Intrusion Prevention System (IPS).