Lecture 18: Intrusion Detection
Network Intrusion Detection (NIDS)
What is an advantage of using a NIDS?
NIDS Evasion Attacks
Suppose we install a NIDS that alerts for a path traversal attack whenever it sees
.. or its hex encoding in a packet. What evasion attack(s) could an attacker try on this scheme?
What is a disadvantage of using a NIDS?
Host-Based Intrusion Detection (HIDS)
What are some tradeoffs between HIDS and NIDS?
What are some advantages and disadvantages of logging?
System Call Monitoring
Which intrusion detection method would be most appropriate for detecting a DoS attack?
Note: This is one of the longer lectures of the semester. If you want to watch it in two sittings, this is a good halfway point to take a study break.
False Positives and False Negatives
Detection Tradeoffs, Base Rate Fallacy
System A has a false positive rate of 0.05% and a false negative rate of 1%. System B has a false positive rate of 1% and a false negative rate of 0.05%. The cost of a false positive is $100, and the cost of a false negative is $10000. Which system is better?
Does signature-based detection use a blacklist (default allow) or a whitelist (default deny)?
Which detection scheme is least useful for detecting never-before-seen attacks? A: Anomaly-based B: Signature-based C: Specification-based D: Behavioral-based
Summary of Evasion Issues
Intrusion Detection Conclusion