Exam 2022 2023

Uploaded by Chedi Bedhiafi

Exam: Intrusion Detection
INDP3-CySeD - 2022/2023
Lecturer: Slim Rekhis
Duration: 1h30
Closed-book exam
Number of pages: 02
Exercise 1
A company uses its website to market its products, and its entire revenue stream depends upon its ability to make sales
from its website. The e-commerce server, which hosts a web application, collects and stores customer Personally Identifiable
Information (PII) data (including credit card information) on a back-end database that is not directly accessible from
the Internet. The primary domain controller also hosts the DNS server for the enterprise. The network architecture of this
company is shown in the following Figure.

The executive managers were asked about their worst fears. They responded as follows:
- Fear 1: “All of our customers’ credit card information getting stolen. We will have to pay huge fines, our customers
won’t trust us anymore, and business will suffer.”
- Fear 2: “Something bad happens to our website causing it to be inaccessible for an extended time. At a certain point,
this might threaten the continuity of the business.”
- Fear 3: “An individual finds a bug that allows them to place orders on the website without paying for them. This
could result in lost revenues.”

1. Propose the different IDSs to deploy in the proposed architecture. Justify your answer and show the sensors’ locations
on the network architecture.
2. For each IDS, describe the list of data sources to use for detection. Justify the choice of each data source by showing
how it can help detection.
3. Knowing that the primary domain controller is hosting a DNS server for the enterprise, describe an intrusion
detection technique to apply over the DNS logs, so that it becomes possible to detect any compromised internal
user machines which would attempt to resolve potentially malicious hostnames to download additional tools, or
exert some form of command and control on the network.
4. A file integrity checking software was installed on the web server, but the latter is generating a lot of false alarms.
a. Explain how integrity checking mechanisms can detect intrusions.
b. Explain the potential reasons for false alarms.
c. Knowing that log files are continuously updated by the system, can such a solution be used to detect
suspicious modifications to log files?
5. Two approaches can be taken to verify alerts: passive verification and active verification. Explain their principles and
their advantages/disadvantages.
6. The company security administrator says that collecting asset inventory and vulnerability assessment reports can
be incredibly useful to reduce false positives generated by the Network Intrusion Detection Systems. Do you agree?
Justify your answer.
7. The enterprise security analysts require a concise view of the generated alerts, a better description of the detected
incident, and a reduced volume of generated alerts. Propose the different techniques to use to meet these
requirements.

Exercise 2
A network IDS aggregates packets to assemble flow records as follows. A flow record is identified based upon five attributes
(source IP address, source port, destination IP address, destination port, and transport protocol). When a new packet is
analyzed and carries the same 5-tuple attribute values, its data is appended to the flow record that already exists.
Data will be appended to this flow record for as long as packets matching the 5-tuple attribute values are observed. There
are three conditions in which a flow record might be terminated:
- Natural Timeout: Whenever communication naturally ends based upon the specification of the protocol (e.g., RST
packets or FIN sequences in TCP)
- Idle Timeout: When no data for a flow has been received within thirty seconds of the last packet, the flow record is
terminated. Any new packets with the same 5-tuple attribute values after these thirty seconds have elapsed will result
in the generation of a new flow record.
- Active Timeout: When a flow has been open for two minutes, the flow record is terminated and a new one is created
with the same 5-tuple attribute values.
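The three termination rules above, implemented as a small flow aggregator. This is an added example, not part of the exam or of any particular IDS; the packet trace, the addresses and the simplification that a single FIN or RST ends a TCP record are assumptions made for the demonstration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0     # exercise's idle timeout: 30 s without a packet
ACTIVE_TIMEOUT = 120.0  # exercise's active timeout: record open for 2 min

@dataclass
class Packet:
    ts: float                                   # arrival time, seconds
    src: str; sport: int; dst: str; dport: int; proto: str
    flags: frozenset = frozenset()              # TCP flags seen, e.g. {"RST"}
    @property
    def key(self):                              # 5-tuple identifying a flow record
        return (self.src, self.sport, self.dst, self.dport, self.proto)

@dataclass
class Flow:
    key: tuple; start: float; last: float
    packets: int = 1
    end_reason: str = ""                        # "natural", "idle" or "active"

class FlowTable:
    """Aggregates packets into 5-tuple flow records using the three termination rules."""
    def __init__(self):
        self.active, self.closed = {}, []
    def _close(self, flow, reason):
        flow.end_reason = reason
        self.closed.append(self.active.pop(flow.key))
    def add(self, pkt):
        flow = self.active.get(pkt.key)
        # Idle timeout: a gap > 30 s ends the old record; this packet opens a new one.
        if flow is not None and pkt.ts - flow.last > IDLE_TIMEOUT:
            self._close(flow, "idle"); flow = None
        # Active timeout: a record open >= 2 min is cut and continued as a new record.
        if flow is not None and pkt.ts - flow.start >= ACTIVE_TIMEOUT:
            self._close(flow, "active"); flow = None
        if flow is None:
            flow = self.active[pkt.key] = Flow(pkt.key, pkt.ts, pkt.ts)
        else:
            flow.last, flow.packets = pkt.ts, flow.packets + 1
        # Natural timeout (simplified): a FIN or RST on a TCP flow ends the record.
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self._close(flow, "natural")
        return flow

def run_demo():
    """Constructed trace for one TCP 5-tuple; timestamps chosen to trigger each rule."""
    t = FlowTable()
    for ts in (0, 10, 20, 51, 75, 100, 125, 150, 172):
        t.add(Packet(ts, "10.0.0.5", 40000, "203.0.113.10", 443, "tcp"))
    t.add(Packet(175, "10.0.0.5", 40000, "203.0.113.10", 443, "tcp", frozenset({"RST"})))
    return t
```

The trace produces three records for the same 5-tuple: the 31 s gap at t=51 closes the first on the idle timeout, the 121 s lifetime at t=172 closes the second on the active timeout, and the RST at t=175 closes the third naturally.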
Consider the generated flow records shown in the following Figure.

[Figure: timeline of the generated flow records, with intervals labelled X sec, Y sec and Z sec]

1. What are the main reasons contributing to insertion and evasion attacks on intrusion detection and prevention
systems?
2. Provide three example values for X, Y and Z.
3. Provide a detailed description of an Insertion attack on the described IDS (you should mention all details and
assumptions required to understand your attack: topology, flow records, delays, timeouts, …).
