
Question

Security problem. IDS.

Recall that the anomaly-based IDS example presented in the slides is based on file-use statistics. The expected file use percentages (the Hi values in the table) are periodically updated, which can be viewed as a moving average.

(a) Why is it necessary to update the expected file use percentages?

(b) When we update the expected file use percentages, it creates a potential avenue of attack for Trudy. How and why is this the case?

(c) Suppose that at the time interval following the results in the second update of the table in the slides, Alice's file use statistics are given by A0=0.05, A1=0.25, A2=0.25, and A3=0.45. Is this normal for Alice? Compute the updated values of H0 through H3.

Explanation / Answer

a) If you have gone through that explanation, it was clearly stated that the values must significantly change over time, otherwise a greater number of false alarms would have come. If it always changes, the risk from attackers also gets reduced.

b) Yeah, I got your question. Even though we update the expected file use percentages, that means Trudy changes the values; Alice doesn't go far from his behaviour. For example, at some point Alice may access file 1 and Trudy is slightly less than Alice's values, but for accessing the second file Trudy may access because of high rate values. At some point either one, Alice or Trudy, may be restricted to only one file, so that the anomaly detector may become normal for either of them. So that's why a potential avenue of attack for Trudy happens.

c) Given A0=0.05, A1=0.25, A2=0.25, A3=0.45:
Yes, as the values are increasing, it is normal for Alice. Although I didn't find any table there.
H0=0.10, H1=0.38, H2=0.364, H3=0.156
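
The following is an added worked example, not part of the question or the answer above. It scores the part (c) interval and shows the baseline drift that part (b) asks about. The page does not reproduce the slides' formula or table, so the sum-of-squares statistic, the 0.2/0.8 update weights, the 0.1 threshold, the choice to skip the update on an alarm, and the use of the H values quoted in the answer as the current baseline are all assumptions.

```python
# Added example. ALPHA, THRESHOLD and the sum-of-squares statistic are assumptions;
# the page does not reproduce the slides' formula or table.
ALPHA = 0.2       # assumed weight of the newest interval in the moving average
THRESHOLD = 0.1   # assumed alarm threshold

def statistic(h, a):
    """Sum of squared differences between expected (h) and observed (a) use."""
    return sum((hi - ai) ** 2 for hi, ai in zip(h, a))

def update(h, a, alpha=ALPHA):
    """Moving-average update: H_i <- alpha * A_i + (1 - alpha) * H_i."""
    return [alpha * ai + (1 - alpha) * hi for hi, ai in zip(h, a)]

def process(h, a):
    """Score one interval; absorb it into the baseline only if it scored normal."""
    s = statistic(h, a)
    normal = s < THRESHOLD
    return s, normal, (update(h, a) if normal else list(h))

def drift(h, target, steps):
    """Constructed input for part (b): every interval lies halfway between the
    current baseline and `target`, so each one scores normal and is absorbed."""
    alarms = 0
    for _ in range(steps):
        a = [(hi + ti) / 2 for hi, ti in zip(h, target)]
        _, normal, h = process(h, a)
        alarms += not normal
    return h, alarms

H = [0.10, 0.38, 0.364, 0.156]   # H values quoted in the answer, taken as the baseline
A = [0.05, 0.25, 0.25, 0.45]     # Alice's file use from part (c)

if __name__ == "__main__":
    s, normal, _ = process(H, A)
    print(f"part (c): S = {s:.6f}, normal = {normal}")
    print("H if the interval were absorbed:", [round(x, 4) for x in update(H, A)])
    drifted, alarms = drift(H, A, steps=5)
    print(f"after 5 drift intervals: alarms = {alarms}, "
          f"S against drifted baseline = {statistic(drifted, A):.6f}")
```

Scoring the same interval against a snapshot of H kept from before the drift (here, `statistic(H, A)`) still exceeds the assumed threshold, which is why a retained reference baseline is a useful check alongside the moving average.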