Final exam infa 630 | Computer Science homework help

INFA 630

 Intrusion Detection and Intrusion Prevention

Final Exam


INFA 630 -Intrusion Detection and Intrusion Prevention-Final Exam




You are to take this test during the week. Work alone. You may not confer with other class members, or anyone else, directly or by e-mail or otherwise, regarding the questions, issues, or your answers. You may use your notes, textbooks, other published materials, and Internet sources, keeping in mind your responsibility to give proper attribution to sources of material you use in your responses. Avoid using personal blogs and dotcom sites. The material on these sites generally is not peer reviewed.


The test is scored on the basis of 100 points for the test.


For the short answer section, bear in mind that a clear concise response that directly answers the question asked is always preferable to providing large volumes of potentially irrelevant information in the hope that the “right” answer will somehow be included. Too much extraneous information may cause negative impact on grade for the exam.


When composing your answers to the essay questions, be thorough. Do not simply examine one alternative if two or more alternatives exist. The more complete your answer, the higher your score will be. Be sure to identify any assumptions you are making in developing your answers, and describe how your answer would change if the assumptions were different. Use paragraph for different points


While composing your answers to the essay questions, be very careful to cite your sources with page numbers for the book. It is easy to get careless and forget to footnote a source. Remember, failure to cite sources constitutes an academic integrity violation. Use APA style for citations and references. So far I haven’t penalized for not using APA style but it may not be so for the final.


In preparing your exam for submission, please follow these instructions precisely:


1.      Use this document as a template, i.e., fill in your answers in the indicated locations.

2.      Modify the header to show your name.

3.      Submit your completed exam as a Microsoft Word or RTF document via your LEO Assignments folder no later than 11:59 p.m. Eastern Standard Time.. Late submissions are subject to a grade penalty. But let me know if you difficulty in submitting on time.

4.      Include Self Certification; failure may cause negative impact (small) on the grade.


Please submit questions regarding the exam to your instructor at [email protected]  If questions submitted via email are generic, your instructor will post them in a LEO Q&A conference area, without revealing their source.


Exam Questions


Part 1: True or False Questions. (10 questions at 1 point each) Add reason


  1. T  F      To have a Snort rule match on both inbound and outbound traffic, the rule should use the flow:to_server,from_client,established;option.          Answer: _____




  1. T  F      Host-based IDS can be used to monitor compliance with corporate policies such as acceptable use of computer resources.       Answer: _____




  1. T  F      An on-demand operational IDS model is not suitable if legally admissible data collection is required.      Answer: _____




  1. T  F      Current criminal and civil procedure laws and rules of evidence do not provide clear guidance on digital and electronic forms of evidence such as IDS logs.    Answer: _____




  1. T  F      Snort unified output plug-ins can be used to off-load computing tasks from the core Snort program to improve overall performance.    Answer: _____




  1. T  F      Thresholds used in Snort alert rules can cause false negatives if the attacker works slowly enough.     Answer: _____




  1. T  F      Network-based IDS provides no protection against internal threats.  Answer: _____



  1. T  F      When a “pass” rule is matched in Snort, no other rules are evaluated.             Answer: _____




  1. T  F      To ensure proper execution of Snort rules using the “uricontent” option the HTTP Inspect preprocessor must be installed and configured in Snort.   Answer: _____




  1. T  F      There are no monitoring situations that justify real-time intrusion response.          Answer: _____








Part 2: Short Answer Questions. (10 questions at 6 points each)


  1. False positive and False negative
    1. Define and differentiate false positive and false negative.
    2. Which is worse, and why?
    3. Give one example of each, drawn from any context that demonstrates your understanding of the terms.






  1. Snort rule
    1. Describe the components of the following Snort rule.

alert ip any any -> any any (msg:”BAD-TRAFFIC same SRC/DST”; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,; classtype:bad-unknown; sid:527; rev:8;)

a.       What sort of attack is it intended to detect?

b.      What network traffic pattern information is it looking for?







  1. User-centric and target-centric monitoring:
    1. What are the key differences between user-centric and target-centric monitoring in behavioral data forensics?
    2. Is one perspective preferred over the other?
    3. If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?







  1. Write a rule using Snort syntax to detect an internal user executing a Windows “tracert” command to identify the network path to an external destination. What changes, if any, would you need to make to this rule to make it also work for a Unix/Linux “traceroute”? 






  1. As Trost noted, most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks.
    1. Describe at least two intrusion detection scenarios where specialized types of monitoring and analysis are called for
    2.  what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.






  1. Multi-event signature
    1. What is a multi-event signature?
    2. Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.







  1. Anomaly-based intrusion detection
    1. What are the operational requirements necessary to perform anomaly-based intrusion detection?
    2. How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?







  1. Many people perceive intrusion detection to be a constant, all-the-time security function.
    1. Identify and describe at least two “part-time” intrusion detection operational models,
    2. and for each give an example of a usage scenario that would call for part-time monitoring.







  1. Are organizations legally obligated to use intrusion detection capabilities? Why or why not?







  1. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels.
    1. What are the limitations of using intrusion detection systems in this environment?
    2. What methods would you employ to accomplish this task?







 Part 3: Essay Questions. Maximum length: 2 pages each, excluding references. (Two questions at 15 points each)


  1. In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear, and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Last week, U.S. cyber security czar Howard Schmidt publicly called for enterprise network intrusion detection, and asked, “Why haven’t we done this already?” ( Clearly, the obsolescence of IDS tools by 2005 did not occur as Gartner predicted.
    1. What factors have been most important in the continued viability of the IDS market?
    2. Based on what you have learned about IDS and IPS tools, do you think these tools will continue to be used as a key security component? Why or why not?




  1. In early 2008, the U.S. Department of Homeland Security stated publicly that it wanted more intrusion detection capabilities, in particular citing a need to move to mandatory real-time intrusion detection for federal government networks, as an expansion of current passive, voluntary monitoring. The current manifestation of this goal is the Einstein program, which while officially in a pilot phase is likely to be expanded significantly soring in 2011. (See
    1. Using what we have learned in this course and your own knowledge of IDS operational models, requirements, and other characteristics associated with selecting and using the most appropriate types of intrusion detection and prevention, what is your response to the proposal to implement comprehensive intrusion detection and prevention for all network traffic to or from U.S. government agencies?
    2. What are some of the key obstacles faced in rolling out an intrusion detection capability of this sort?
    3. Identify and describe at least three (3) challenges that DHS should consider when planning the Einstein deployment.



Calculate your paper price
Pages (550 words)
Approximate price: -

Why Work with Us

Top Quality and Well-Researched Papers

We always make sure that writers follow all your instructions precisely. You can choose your academic level: high school, college/university or professional, and we will assign a writer who has a respective degree.

Professional and Experienced Academic Writers

We have a team of professional writers with experience in academic and business writing. Many are native speakers and able to perform any task for which you need help.

Free Unlimited Revisions

If you think we missed something, send your order for a free revision. You have 10 days to submit the order for review after you have received the final document. You can do this yourself after logging into your personal account or by contacting our support.

Prompt Delivery and 100% Money-Back-Guarantee

All papers are always delivered on time. In case we need more time to master your paper, we may contact you regarding the deadline extension. In case you cannot provide us with more time, a 100% refund is guaranteed.

Original & Confidential

We use several writing tools checks to ensure that all documents you receive are free from plagiarism. Our editors carefully review all quotations in the text. We also promise maximum confidentiality in all of our services.

24/7 Customer Support

Our support agents are available 24 hours a day 7 days a week and committed to providing you with the best customer experience. Get in touch whenever you need any assistance.

Try it now!

Calculate the price of your order

Total price:

How it works?

Follow these simple steps to get your paper done

Place your order

Fill in the order form and provide all details of your assignment.

Proceed with the payment

Choose the payment system that suits you most.

Receive the final file

Once your paper is ready, we will email it to you.

Our Services

No need to work on your paper at night. Sleep tight, we will cover your back. We offer all kinds of writing services.


Essay Writing Service

No matter what kind of academic paper you need and how urgent you need it, you are welcome to choose your academic level and the type of your paper at an affordable price. We take care of all your paper needs and give a 24/7 customer care support system.


Admission Essays & Business Writing Help

An admission essay is an essay or other written statement by a candidate, often a potential student enrolling in a college, university, or graduate school. You can be rest assurred that through our service we will write the best admission essay for you.


Editing Support

Our academic writers and editors make the necessary changes to your paper so that it is polished. We also format your document by correctly quoting the sources and creating reference lists in the formats APA, Harvard, MLA, Chicago / Turabian.


Revision Support

If you think your paper could be improved, you can request a review. In this case, your paper will be checked by the writer or assigned to an editor. You can use this option as many times as you see fit. This is free because we want you to be completely satisfied with the service offered.