Intrusion Detection/Prevention Systems
The intent of the Intrusion Detection/Prevention Systems (IDS) Knowledge Unit is to provide students with knowledge and skills related to detecting and analyzing vulnerabilities and threats and taking steps to mitigate associated risks.
Topics
- Intrusion response a. Device Reconfiguration b. Notifications i. Logging ii. SNMP Trap iii. Email iv. Visual/Audio Alert
- Host-based Intrusion Detection and Prevention
- Network-based Intrusion Detection and Prevention
- Deep Packet Inspection
- Distributed Intrusion Detection
- Hierarchical IDS's
- Configure IDS/IPS systems to reduce false positives and false negatives.
- Anomaly Detection a. Establishing profiles b. Anomaly algorithms, such as: i. Statistical Techniques ii. Correlation Techniques iii. Fuzzy Logic Approaches iv. Artificial Intelligence v. Filtering Algorithms vi. Neural Networks
- Log File Analysis
- Cross Log Comparison and Analysis
- Log Aggregation
- Anomaly Detection
- Intrusion response
- Notifications
- Logging
- SNMP Trap
- Visual/Audio Alert
- Misuse Detection (Signature Detection)
- Specification-based Detection
- Honeynets/Honeypots
- Stealth mode
Outcomes
- Detect, identify, resolve and document host or network intrusions.
- Use tools and algorithms to detect various types of malware (keyloggers, rootkits) and unauthorized devices (rogue wireless access points) on a live network.
- Configure IDS/IPS systems to reduce false positives and false negatives.
- Deploy reactive measures to respond to detected intrusion profiles.
KSA-T
Below are the Knowledge, Skills, Abilities and Tasks (KSA-T) identified as being required to perform this work role.
Learn More about the KAS-T's.
| ID | DESCRIPTION |
|---|---|
| K0046 | Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions. |
| K0054 | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. |
| K0440 | Knowledge of host-based security products and how those products affect exploitation and reduce vulnerability. |
| K0481 | Knowledge of methods and techniques used to detect various exploitation activities. |
| K0536 | Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network). |
| K0405 | Knowledge of current computer-based intrusion sets. |
| K0430 | Knowledge of evasion strategies and techniques. |
| K0062 | Knowledge of packet-level analysis. |
| K0301 | Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). |
| K0324 | Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. |
| K0145 | Knowledge of security event correlation tools. |
| K0229 | Knowledge of applications that can log errors, exceptions, and application faults and logging. |
| K0040 | Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins). |
| K0015 | Knowledge of computer algorithms. |
| K0018 | Knowledge of encryption algorithms |
| K0131 | Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. |
| K0453 | Knowledge of indications and warning. |
| ID | DESCRIPTION |
|---|---|
| S0156 | Skill in performing packet-level analysis. |
| S0079 | Skill in protecting a network against malware. (e.g., NIPS, anti-malware, restrict/prevent external devices, spam filters). |
| S0173 | Skill in using security event correlation tools. |
| S0109 | Skill in identifying hidden patterns or relationships. |
| ID | DESCRIPTION |
|---|---|
| A0128 | Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies. |
| ID | DESCRIPTION |
|---|