5. c) What is a Demilitarized Zone? Explain with a diagram. [6]
Ans: In a computer network, a Demilitarized Zone (DMZ) is a host or a small subnetwork placed in a "neutral zone" between a company's private (internal) network and the Internet. Its purpose is to stop outsiders from reaching the servers that hold the company's data directly: the services that must be reachable from the Internet (for example the public web server) are placed in the DMZ, and the firewall allows outside traffic only into the DMZ, never straight into the internal network. The DMZ can also host a proxy or bastion host that relays permitted requests inward, so that internal servers are never exposed to the Internet directly.

    Internet ----[ outer firewall ]---- DMZ (public web server, proxy)
                                              |
                                      [ inner firewall ]
                                              |
                                      Internal network (company data, workstations)

In a DMZ configuration an outsider can reach only the DMZ hosts. The DMZ host carries the company's public website but not the company's other data, which stays on the internal network behind the inner firewall. If an attacker compromises the website in the DMZ, the damage is limited to the website: the firewall between the DMZ and the internal network still blocks connections initiated from the DMZ inward, so the attacker cannot reach the company's data.
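The zone policy behind the DMZ can be written down and checked. The following Python model is an added example, not code from the original page: it classifies addresses into the three zones (Internet, DMZ, internal), applies a default-deny policy between zones, and shows that a compromised DMZ host still cannot open a connection to the internal network. The address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network) and the sample flows are constructed for the illustration; a real deployment expresses the same policy in the firewall's own rule language.

```python
"""Zone-based packet-filter model for a DMZ design (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: public web host in the DMZ, company data on
# the internal network, every other address is treated as "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),      # documentation range, constructed
    "internal": ip_network("10.0.0.0/8"),   # constructed
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Policy: (source zone, destination zone) -> allowed destination ports,
# or "any". Any zone pair not listed is dropped (default deny).
POLICY = {
    ("internet", "dmz"): {80, 443},   # outsiders reach only the web service
    ("internal", "dmz"): "any",       # staff manage and publish to the DMZ
    ("internal", "internet"): "any",
    # Deliberately absent: ("internet", "internal") and ("dmz", "internal").
    # A compromised DMZ host therefore cannot pivot to company data.
}


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a new connection attempt."""
    allowed = POLICY.get((zone_of(flow.src), zone_of(flow.dst)))
    if allowed == "any" or (allowed is not None and flow.dport in allowed):
        return "accept"
    return "drop"


def evaluate(flows):
    """Evaluate a list of flows and return (flow, verdict) pairs."""
    return [(f, decide(f)) for f in flows]


# Constructed traffic sample.
SAMPLE = [
    Flow("203.0.113.7", "192.0.2.10", 443),   # internet -> DMZ web: accept
    Flow("203.0.113.7", "192.0.2.10", 22),    # internet -> DMZ ssh: drop
    Flow("203.0.113.7", "10.1.1.5", 445),     # internet -> internal: drop
    Flow("192.0.2.10", "10.1.1.5", 3306),     # compromised DMZ -> DB: drop
    Flow("10.1.1.20", "192.0.2.10", 22),      # admin -> DMZ ssh: accept
    Flow("10.1.1.20", "198.51.100.3", 443),   # staff browsing: accept
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE):
        print(f"{flow.src:>14} -> {flow.dst:<14} :{flow.dport:<5} {verdict}")
```

The important line is the one that is not there: because no rule exists for the DMZ-to-internal pair, the attacker who owns the web server gets nothing from the database port, which is exactly the containment property the answer above describes.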
6. b) What are the three classes of intruders? Discuss any three metrics used in profile-based anomaly detection. Explain the architecture of a distributed intrusion detection system (with a suitable diagram) and name the various components. [10]
Ans: The three classes of intruders are:
- Masquerader: an individual who is not authorised to use the computer system but penetrates its access controls to exploit a legitimate user's account (typically an outsider).
- Misfeasor: a legitimate user who accesses data, programs or resources for which that access is not authorised, or who is authorised but misuses the privileges (typically an insider).
- Clandestine user: an individual who seizes supervisory control of the system and uses it to evade auditing and access control, or to suppress audit collection altogether (can be an insider or an outsider).

Profile-based anomaly detection builds a statistical profile of each user's (or each system's) normal activity over time and raises an alert when current activity departs from that profile. The metrics used to characterise activity are:
- Counter: a non-negative integer that only increases until it is reset, counting events over an interval, such as the number of logins per hour or the number of times a command is executed.
- Gauge: a non-negative value that can go up or down, measuring the current level of something, such as the number of concurrent sessions or the number of open outbound connections.
- Interval timer: the elapsed time between two related events, such as the time between successive logins to an account.
- Resource utilisation: the quantity of a resource consumed over an interval, such as CPU minutes, pages printed or bytes transferred per session.
Any three of these four may be discussed.
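The profile-based metrics asked about in the question (counter, gauge, interval timer, resource utilisation) can be put to work with a few lines of statistics. The Python below is an added example, not code from the original page: it builds a per-user profile (mean and standard deviation of each metric over past days) and flags any metric in a new observation whose z-score exceeds a threshold. The user history and the two observations are constructed numbers for the illustration.

```python
"""Profile-based anomaly detection over the four classic metric types
(added example with constructed data)."""
from statistics import mean, pstdev

# Constructed history for one user, one record per past day:
#   logins   - counter: logins that day
#   sessions - gauge: peak concurrent sessions
#   gap_min  - interval timer: minutes between first and second login
#   mb_out   - resource utilisation: megabytes sent out
HISTORY = {
    "alice": [
        {"logins": 3, "sessions": 1, "gap_min": 240, "mb_out": 12},
        {"logins": 2, "sessions": 1, "gap_min": 300, "mb_out": 9},
        {"logins": 4, "sessions": 2, "gap_min": 200, "mb_out": 15},
        {"logins": 3, "sessions": 1, "gap_min": 260, "mb_out": 11},
        {"logins": 3, "sessions": 2, "gap_min": 220, "mb_out": 13},
    ],
}
METRICS = ("logins", "sessions", "gap_min", "mb_out")

# Constructed observations for the day under analysis.
NORMAL_DAY = {"logins": 3, "sessions": 2, "gap_min": 250, "mb_out": 14}
SUSPICIOUS_DAY = {"logins": 40, "sessions": 1, "gap_min": 1, "mb_out": 900}


def build_profile(days):
    """Mean and population standard deviation per metric."""
    profile = {}
    for m in METRICS:
        values = [d[m] for d in days]
        profile[m] = (mean(values), pstdev(values))
    return profile


def score(profile, observed, threshold=3.0):
    """Return {metric: z-score} for metrics beyond the threshold."""
    flagged = {}
    for m, (mu, sigma) in profile.items():
        sigma = sigma or 1e-9          # guard a constant metric in history
        z = (observed[m] - mu) / sigma
        if abs(z) > threshold:
            flagged[m] = round(z, 1)
    return flagged


if __name__ == "__main__":
    prof = build_profile(HISTORY["alice"])
    for name, day in (("normal", NORMAL_DAY), ("suspicious", SUSPICIOUS_DAY)):
        print(name, score(prof, day))
```

On the constructed data the suspicious day trips the counter (40 logins), the interval timer (two logins one minute apart) and the resource metric (900 MB out), while the gauge stays within its normal range; that is the typical signature of a stolen account being used for a scripted bulk download, and it is invisible to any single metric looked at in isolation.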
A distributed IDS (dIDS) consists of multiple intrusion detection sensors (agents) spread over a large network, all of which communicate with each other or with a central server that performs network-wide monitoring and incident analysis and makes attack data available as soon as it is reported. Because these co-operative agents are distributed across the network, incident analysts, network operations and security personnel get a broader view of what is occurring on the network as a whole than any single sensor can give.

    [agent: DMZ]   [agent: LAN 1]   [agent: LAN 2]   ...
          \              |               /
           \             |              /
            +---- central analysis server ----+
            |   database  +  aggregation      |
            |   web interface for analysts    |
            +---------------------------------+

The components are the central analysis server, the co-operative agent network and the attack aggregation logic.
The Central Analysis Server
The central analysis server is the heart of the system. It ideally consists of a database and a web server: the database allows interactive querying of attack data for analysis, and the web interface lets management see the current attack status of the network.
The Co-operative Agent Network
The co-operative agent network is one of the most important components of the dIDS. An agent is a piece of software that reports attack information to the central analysis server. Using multiple agents across the network gives the incident analysis team a broader view of the network than can be achieved with a single IDS.
Attack Aggregation
Attack aggregation is another core part of the dIDS. It is programming logic that runs on the central server, and it refers to the way users or groups organise the information gathered from the agent network. One example is to aggregate information by attacker IP address, grouping all attacks from one attacking IP together, so that a source that is probing several network segments is recognised as one attacker even though each agent saw only part of its activity.
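The aggregation step is easy to see with a small amount of code. The Python below is an added example, not code from the original page: it takes reports as the central server would receive them from several agents, groups them by attacker IP, and lists the attackers seen by more than one agent, which is the network-wide view a single IDS cannot produce. The agent names, addresses and signature labels are constructed for the illustration; a real agent would send these reports over the network and the server would store them in its database.

```python
"""Attack aggregation by attacker IP on a dIDS central analysis server
(added example with constructed agent reports)."""
from collections import defaultdict

# Constructed reports: (agent, attacker_ip, target, dport, signature)
REPORTS = [
    ("agent-dmz",  "203.0.113.9",  "192.0.2.10", 22,   "SSH brute force"),
    ("agent-dmz",  "203.0.113.9",  "192.0.2.11", 22,   "SSH brute force"),
    ("agent-lan1", "203.0.113.9",  "10.1.1.5",   445,  "SMB probe"),
    ("agent-lan2", "203.0.113.9",  "10.2.2.8",   3389, "RDP probe"),
    ("agent-lan1", "198.51.100.4", "10.1.1.20",  80,   "SQL injection attempt"),
    ("agent-lan2", "198.51.100.4", "10.2.2.9",   80,   "SQL injection attempt"),
    ("agent-dmz",  "192.0.2.77",   "192.0.2.10", 80,   "Directory scan"),
]


def aggregate_by_attacker(reports):
    """Group every report by attacker IP: the aggregation the text describes."""
    by_ip = defaultdict(lambda: {
        "events": 0, "agents": set(), "targets": set(), "signatures": set()})
    for agent, src, dst, dport, sig in reports:
        entry = by_ip[src]
        entry["events"] += 1
        entry["agents"].add(agent)
        entry["targets"].add((dst, dport))
        entry["signatures"].add(sig)
    return dict(by_ip)


def cross_segment_attackers(aggregated, min_agents=2):
    """Attacker IPs reported by at least `min_agents` different agents.

    No single agent can produce this list; it only exists because the
    agents pool their reports on the central server."""
    return sorted(ip for ip, e in aggregated.items()
                  if len(e["agents"]) >= min_agents)


if __name__ == "__main__":
    agg = aggregate_by_attacker(REPORTS)
    for ip, e in agg.items():
        print(f"{ip:<14} events={e['events']} agents={sorted(e['agents'])} "
              f"targets={len(e['targets'])} sigs={sorted(e['signatures'])}")
    print("seen across segments:", cross_segment_attackers(agg))
```

Each agent on its own sees 203.0.113.9 as one or two low-volume probes; aggregated, it is a single source working through the DMZ and both internal segments, which is what an analyst wants to act on first.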