Knowledge Unit - Intrusion Detection/Prevention Systems

Intrusion Detection/Prevention Systems

The intent of the Intrusion Detection/Prevention Systems (IDS) Knowledge Unit is to provide students with knowledge and skills related to detecting and analyzing vulnerabilities and threats and taking steps to mitigate associated risks.

Topics

Intrusion response a. Device Reconfiguration b. Notifications i. Logging ii. SNMP Trap iii. Email iv. Visual/Audio Alert
Host-based Intrusion Detection and Prevention
Network-based Intrusion Detection and Prevention
Deep Packet Inspection
Distributed Intrusion Detection
Hierarchical IDS's
Configure IDS/IPS systems to reduce false positives and false negatives.
Anomaly Detection a. Establishing profiles b. Anomaly algorithms, such as: i. Statistical Techniques ii. Correlation Techniques iii. Fuzzy Logic Approaches iv. Artificial Intelligence v. Filtering Algorithms vi. Neural Networks
Log File Analysis
Cross Log Comparison and Analysis
Log Aggregation
Anomaly Detection
Intrusion response
Notifications
Logging
SNMP Trap
Email
Visual/Audio Alert
Misuse Detection (Signature Detection)
Specification-based Detection
Honeynets/Honeypots
Stealth mode

Outcomes

Detect, identify, resolve and document host or network intrusions.
Use tools and algorithms to detect various types of malware (keyloggers, rootkits) and unauthorized devices (rogue wireless access points) on a live network.
Configure IDS/IPS systems to reduce false positives and false negatives.
Deploy reactive measures to respond to detected intrusion profiles.

KSA-T

Below are the Knowledge, Skills, Abilities and Tasks (KSA-T) identified as being required to perform this work role.
Learn More about the KAS-T's.

ID	DESCRIPTION
K0046	Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.
K0054	Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
K0440	Knowledge of host-based security products and how those products affect exploitation and reduce vulnerability.
K0481	Knowledge of methods and techniques used to detect various exploitation activities.
K0536	Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
K0405	Knowledge of current computer-based intrusion sets.
K0430	Knowledge of evasion strategies and techniques.
K0062	Knowledge of packet-level analysis.
K0301	Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
K0324	Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
K0145	Knowledge of security event correlation tools.
K0229	Knowledge of applications that can log errors, exceptions, and application faults and logging.
K0040	Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
K0015	Knowledge of computer algorithms.
K0018	Knowledge of encryption algorithms
K0453	Knowledge of indications and warning.
K0131	Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

ID	DESCRIPTION
S0156	Skill in performing packet-level analysis.
S0079	Skill in protecting a network against malware. (e.g., NIPS, anti-malware, restrict/prevent external devices, spam filters).
S0173	Skill in using security event correlation tools.
S0109	Skill in identifying hidden patterns or relationships.
S0120	Skill in reviewing logs to identify evidence of past intrusions.

ID	DESCRIPTION
A0128	Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.

ID	DESCRIPTION