chapter 4 q and a

Date post: 03-Jun-2018
Upload: sushrut-bhosale
• 8/11/2019 chapter 4 q and a

INFORMATION SECURITY
QUESTIONS AND ANSWERS
BY
Prof. R. G. HIREGOUDAR
Dept of CSE
TKIET Warananagar


CHAPTER 4: SYSTEM SECURITY

Q1. What are the different classes of intruders? Explain with examples.

Ans:

Three classes of intruders:

Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

The masquerader is likely to be an outsider. The misfeasor generally is an insider. The clandestine user can be either an outsider or an insider.

Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.

Examples of intruders:

- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords.


Q2. Explain the different approaches used for intrusion detection.

Ans:

There are two approaches for intrusion detection:

1. Statistical anomaly detection:

Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.

a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed.

b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.

Examples of metrics that are useful for profile-based intrusion detection are the following:

Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins by a single user during an hour.

Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.

Interval timer: The length of time between two related events. An example is the length of time between successive logins to an account.
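As an added example (not part of these notes), the two statistical approaches above run over a constructed login log: threshold detection with one user-independent limit, and the counter and interval-timer metrics for a single user's profile. The log format, the five-minute window and the limit are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (timestamp, user, event); not real data.
SAMPLE_LOG = [
    ("2024-01-01 08:00:00", "alice", "login_ok"),
    ("2024-01-01 08:30:00", "alice", "login_ok"),
    ("2024-01-01 09:00:00", "alice", "login_fail"),
    ("2024-01-01 09:00:05", "alice", "login_fail"),
    ("2024-01-01 09:01:00", "bob", "login_fail"),
    ("2024-01-01 09:01:10", "bob", "login_fail"),
    ("2024-01-01 09:01:20", "bob", "login_fail"),
    ("2024-01-01 09:01:30", "bob", "login_fail"),
    ("2024-01-01 09:01:40", "bob", "login_fail"),
    ("2024-01-01 09:01:50", "bob", "login_fail"),
    ("2024-01-01 10:00:00", "alice", "login_ok"),
]

def parse(records):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, ev) for ts, u, ev in records]

def threshold_detect(records, event, limit, window=timedelta(minutes=5)):
    """Threshold detection: the same limit applies to every user. Count
    occurrences of `event` per user inside a sliding window and flag any
    user whose count exceeds `limit`."""
    alerts = set()
    recent = defaultdict(list)
    for ts, user, ev in parse(records):
        if ev != event:
            continue
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:      # expire events outside the window
            times.pop(0)
        if len(times) > limit:
            alerts.add(user)
    return sorted(alerts)

def profile_metrics(records, user):
    """Two profile-based metrics for one user: a counter of successful
    logins per hour, and the interval timer (seconds) between successive
    logins."""
    logins = [ts for ts, u, ev in parse(records) if u == user and ev == "login_ok"]
    counter = defaultdict(int)
    for ts in logins:
        counter[ts.strftime("%Y-%m-%d %H:00")] += 1
    intervals = [(b - a).total_seconds() for a, b in zip(logins, logins[1:])]
    return dict(counter), intervals
```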


detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.

Detection-specific audit record fields are:

Subject: Initiators of actions. A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users. All activity arises through commands issued by subjects. Subjects may be grouped into different access classes, and these classes may overlap.

Action: Operation performed by the subject on or with an object; for example, login, read, perform I/O, execute.

Object: Receptors of actions. Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures. When a subject is the recipient of an action, such as electronic mail, then that subject is considered an object. Objects may be grouped by type. Object granularity may vary by object type and by environment. For example, database actions may be audited for the database as a whole or at the record level.

Exception-Condition: Denotes which, if any, exception condition is raised on return.

Resource-Usage: A list of quantitative elements in which each element gives the amount used of some resource (e.g., number of lines printed or displayed, number of records read or written, processor time, I/O units used, session elapsed time).

Time-Stamp: Unique time-and-date stamp identifying when the action took place.

Q4. Describe the architecture for a distributed intrusion detection system.

Ans:


The architecture for a distributed intrusion detection system is one developed at the University of California at Davis, which consists of three main components:

Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.

LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.

Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.

The scheme is designed to be independent of any operating system or system auditing implementation.

Fig. Agent Architecture.

Q6. Explain the UNIX password scheme.

Ans:

When a user attempts to log on to a UNIX system, the user provides an ID and a password. The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password. The salt and user-supplied password are used as input to the encryption routine. If the result matches the stored value, the password is accepted.

The encryption routine is designed to discourage guessing attacks. Software implementations of DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time required by 25. However, since the original design of this algorithm, two changes have occurred. First, newer implementations of the algorithm itself have resulted in speedups. Second, hardware performance continues to increase, so that any software algorithm executes more quickly.

Thus, there are two threats to the UNIX password scheme. First, a user can gain access on a machine using a guest account or by some other means and then run a password guessing program, called a password cracker, on that machine. The attacker should be able to check hundreds and perhaps thousands of possible passwords with little resource consumption. In addition, if an opponent is able to obtain a copy of the password file, then a cracker program can be run on another machine.
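As an added example (not part of these notes), the verification flow described above: look up the salt and stored value by ID, run a deliberately slow routine over salt and password, and compare. The 25-iteration DES routine of classic crypt(3) is replaced by PBKDF2-HMAC-SHA256 from hashlib; the file layout "id:salt:hash", the iteration count and the sample entries are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # the slow, iterated step that makes guessing costly (assumed value)

def make_entry(user_id, password, salt=None):
    """Create one password-file line: id:salt(hex):hash(hex).
    The salt is stored in plaintext, as in the UNIX scheme."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user_id}:{salt.hex()}:{digest.hex()}"

def verify(password_file, user_id, password):
    """Index the file by ID, retrieve the plaintext salt and stored value,
    recompute with the supplied password and compare in constant time."""
    for line in password_file:
        uid, salt_hex, stored_hex = line.split(":")
        if uid != user_id:
            continue
        salt = bytes.fromhex(salt_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(digest.hex(), stored_hex)
    return False  # unknown ID: reject

# Constructed password file: two users who chose the same password get
# different stored values because each entry carries a different salt.
PASSWORD_FILE = [
    make_entry("alice", "correct horse", salt=bytes.fromhex("0102030405060708")),
    make_entry("bob",   "correct horse", salt=bytes.fromhex("1112131415161718")),
]

def same_password_differs():
    """True when the salt makes identical passwords hash differently, which
    is what stops one precomputed table from covering every user."""
    return PASSWORD_FILE[0].split(":")[2] != PASSWORD_FILE[1].split(":")[2]
```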


pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm. The algorithm generates words by forming pronounceable syllables and concatenating them to form a word. A random number generator produces a random stream of characters used to construct the syllables and words.

A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. This tactic has a number of drawbacks. First, it is resource intensive if the job is done right. Because a determined opponent who is able to steal a password file can devote full CPU time to the task for hours or even days, an effective reactive password checker is at a distinct disadvantage. Furthermore, any existing passwords remain vulnerable until the reactive password checker finds them.

Proactive password checker: In this scheme, a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it. Such checkers are based on the philosophy that, with sufficient guidance from the system, users can select memorable passwords from a fairly large password space that are not likely to be guessed in a dictionary attack.

The trick with a proactive password checker is to strike a balance between user acceptability and strength. If the system rejects too many passwords, users will complain that it is too hard to select a password. If the system uses some simple algorithm to define what is acceptable, this provides guidance to password crackers to refine their guessing technique. In the remainder of this subsection, we look at possible approaches to proactive password checking.
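As an added example (not part of these notes), a proactive password checker that combines simple rules with a dictionary check at selection time and reports every reason for rejection, so the user gets guidance rather than a bare refusal. The rules, the small word list and the leet/trailing-digit normalisation are assumptions, not FIPS 181 or any real system's policy.

```python
import re

# Constructed mini-dictionary; a real checker loads a large word list.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey", "secret"}

LEET = str.maketrans("@401$3", "aaoise")  # undo common substitutions

def normalise(pw):
    """Reduce a candidate to the word it may be built from: lower-case,
    strip trailing digits/punctuation, then undo leet substitutions, so
    that "P@ssw0rd1!" is recognised as "password"."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)

def check_password(pw, dictionary=DICTIONARY, min_len=8):
    """Return (allowed, reasons); reasons is empty when the password passes."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if normalise(pw) in dictionary:
        reasons.append("based on a dictionary word")
    return (not reasons, reasons)
```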

Q7. Explain the overall taxonomy of malicious programs.

Ans:

Q8. Explain the types of viruses.

A virus classification by target includes the following categories:

Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe.

Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden.

Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.

Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.

Q9. Explain virus countermeasures.

Explain antivirus approaches.

Ans:

First generation: simple scanners
Second generation: heuristic scanners
Third generation: activity traps
Fourth generation: full-featured protection

A first-generation scanner requires a virus signature to identify a virus. The virus may contain "wildcards" but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length.

A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable virus infection. One class of such scanners looks for fragments of code that are often associated with viruses. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the virus to identify it, then remove the infection and return the program to service.

Another second-generation approach is integrity checking. A checksum can be appended to each program. If a virus infects the program without changing the checksum, then an integrity check will catch the change. To counter a virus that is sophisticated enough to change the checksum when it infects a program, an encrypted hash function can be used. The encryption key is stored separately from the program so that the virus cannot generate a new hash code and encrypt that. By using a hash function rather than a simpler checksum, the virus is prevented from adjusting the program to produce the same hash code as before.


Third-generation programs are memory-resident programs that identify a virus by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of viruses. Rather, it is necessary only to identify the small set of actions that indicate an infection is being attempted and then to intervene.

Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.

Advanced Antivirus Techniques:

Generic Decryption: Generic decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses while maintaining fast scanning speeds.

CPU emulator: A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.

Virus signature scanner: A module that scans the target code looking for known virus signatures.

Emulation control module: Controls the execution of the target code.

Q10. Explain the different types of firewalls.

1. Packet-filtering Router:
- Applies a set of rules to each incoming IP packet and then forwards or discards the packet
- Filters packets going in both directions
- The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
- Two default policies (discard or forward)

Advantages:
- Simplicity
- Transparency to users
- High speed

Disadvantages:
- Difficulty of setting up packet filter rules
- Lack of authentication

2. Application-level Gateway
a. Also called proxy server
b. Acts as a relay of application-level traffic

Advantages:
c. Higher security than packet filters
d. Only need to scrutinize a few allowable applications
e. Easy to log and audit all incoming traffic

Disadvantages:
f. Additional processing overhead on each connection (gateway as splice point).

3. Circuit-level Gateway
g. Stand-alone system or
h. Specialized function performed by an Application-level Gateway
i. Sets up two TCP connections
j. The gateway typically relays TCP segments from one connection to the other without examining the contents

4. Screened host firewall, dual-homed bastion configuration
a. The packet-filtering router is not completely compromised
b. Traffic between the Internet and other hosts on the private network has to flow through the bastion host.

Fig. Types of firewalls
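As an added example (not part of these notes), a packet-filtering router's rule list applied to constructed packets: first-match rules on IP and TCP header fields, direction-aware, with the two default policies (discard or forward) selectable for packets no rule matches. The rule fields, addresses and packet format are assumptions.

```python
import ipaddress

# Each rule: (action, direction, src_net, dst_net, proto, dst_port); None means "any".
RULES = [
    ("forward", "in",  "0.0.0.0/0",    "192.0.2.25/32", "tcp", 25),    # inbound SMTP to the mail host
    ("forward", "out", "192.0.2.0/24", "0.0.0.0/0",     "tcp", None),  # internal hosts may open TCP outward
    ("discard", "in",  "0.0.0.0/0",    "0.0.0.0/0",     "tcp", 23),    # never accept telnet from outside
]

def matches(rule, pkt):
    """Compare one rule against the packet's IP (src/dst) and TCP (dport) fields."""
    action, direction, src, dst, proto, port = rule
    return (direction == pkt["dir"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and (proto is None or proto == pkt["proto"])
            and (port is None or port == pkt["dport"]))

def filter_packet(pkt, rules=RULES, default="discard"):
    """First matching rule decides; otherwise the default policy applies.
    default="discard" is the conservative choice, "forward" the permissive one."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return default

# Constructed packets (documentation address ranges, not real hosts).
PACKETS = {
    "smtp_in":   {"dir": "in",  "src": "198.51.100.7", "dst": "192.0.2.25",  "proto": "tcp", "dport": 25},
    "telnet_in": {"dir": "in",  "src": "198.51.100.7", "dst": "192.0.2.10",  "proto": "tcp", "dport": 23},
    "http_out":  {"dir": "out", "src": "192.0.2.10",   "dst": "203.0.113.5", "proto": "tcp", "dport": 80},
    "ssh_in":    {"dir": "in",  "src": "198.51.100.7", "dst": "192.0.2.10",  "proto": "tcp", "dport": 22},
}
```

Only the unmatched packet ("ssh_in") changes fate when the default policy is switched, which is why the choice of default matters as much as the rule list itself.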

