Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 9

Review Questions
9.1 List and briefly define three classes of intruders.

9.2 What are two common techniques used to protect a password file?

9.3 What are three benefits that can be provided by an intrusion detection system?

9.4 What is the difference between statistical anomaly detection and rule-based intrusion detection?

9.5 What metrics are useful for profile-based intrusion detection?

9.6 What is the difference between rule-based anomaly detection and rule-based penetration identification?

9.7 What is a honeypot?

9.8 What is a salt in the context of UNIX password management?

9.9 List and briefly define four techniques used to avoid guessable passwords.


Problems
9.1 In the context of an IDS, we define a false positive to be an alarm generated by an
IDS in which the IDS alerts to a condition that is actually benign. A false negative
occurs when an IDS fails to generate an alarm when an alert-worthy condition is in
effect. Using the following diagram, depict two curves that roughly indicate false
positives and false negatives, respectively.


9.2 The overlapping area of the two probability density functions of Figure 9.1 represents the region in which there is the potential for false positives and false negatives.
Further, Figure 9.1 is an idealized and not necessarily representative depiction of the relative shapes of the two density functions. Suppose there is 1 actual intrusion for every 1000 authorized users, and the overlapping area covers 1% of the authorized users and 50% of the intruders.
a. Sketch such a set of density functions and argue that this is not an unreasonable depiction.
b. What is the probability that an event that occurs in this region is that of an authorized user? Keep in mind that 50% of all intrusions fall in this region.

9.3 An example of a host-based intrusion detection tool is the tripwire program. This is a file integrity checking tool that scans files and directories on the system on a regular basis and notifies the administrator of any changes. It uses a protected database of cryptographic checksums for each file checked and compares this value with that recomputed on each file as it is scanned. It must be configured with a list of files and directories to check, and what changes, if any, are permissible to each. It can allow, for example, log files to have new entries appended, but not for existing entries to be changed. What are the advantages and disadvantages of using such a tool? Consider the problem of determining which files should only change rarely, which files may change more often and how, and which change frequently and hence cannot be checked. Hence consider the amount of work in both the configuration of the program and on the system administrator monitoring the responses generated.
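The checksum-database mechanism that 9.3 describes, as an added illustration (not code from the textbook or from tripwire itself): a baseline of SHA-256 digests is recorded, each file is re-hashed on a later scan, and a per-file policy decides whether a change is permitted. The "filesystem" is a constructed in-memory dictionary and the policy names "static" and "append" are my own.

```python
import hashlib

# Constructed sample files (path -> contents) standing in for the real filesystem.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/var/log/auth.log": b"Jan 1 00:00:01 login ok user=alice\n",
    "/var/log/syslog": b"boot\n",
    "/bin/ls": b"\x7fELF-constructed-binary",
}
# "static": no change permitted. "append": existing bytes must be intact,
# new bytes may follow (the log-file case from the problem statement).
POLICY = {
    "/etc/passwd": "static",
    "/var/log/auth.log": "append",
    "/var/log/syslog": "append",
    "/bin/ls": "static",
}
# State at the next scan: passwd grew (not allowed for a static file), auth.log
# grew (allowed), syslog had an existing entry altered in place, ls is unchanged.
CURRENT_FILES = {
    "/etc/passwd": BASELINE_FILES["/etc/passwd"] + b"evil:x:0:0::/:/bin/sh\n",
    "/var/log/auth.log": BASELINE_FILES["/var/log/auth.log"] + b"Jan 1 00:05:00 login ok user=bob\n",
    "/var/log/syslog": b"b00t\n",
    "/bin/ls": BASELINE_FILES["/bin/ls"],
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """The protected database: digest and length of every monitored file."""
    return {path: {"sha256": digest(data), "length": len(data)} for path, data in files.items()}

def check(baseline, policy, current):
    """Recompute each digest and report every change the policy does not permit."""
    findings = []
    for path, record in baseline.items():
        data = current.get(path)
        if data is None:
            findings.append(f"{path}: missing")
            continue
        if digest(data) == record["sha256"]:
            continue  # byte-for-byte unchanged
        if policy.get(path) == "append":
            n = record["length"]
            if len(data) > n and digest(data[:n]) == record["sha256"]:
                continue  # grew, and the original prefix still hashes to the baseline
        findings.append(f"{path}: modified")
    return findings

def run_demo():
    return check(build_baseline(BASELINE_FILES), POLICY, CURRENT_FILES)

if __name__ == "__main__":
    print("\n".join(run_demo()) or "no changes")
```

Note that the "append" rule only hashes the recorded prefix, so a truncated or in-place edited log is still reported, which is exactly the distinction the problem asks the tool to enforce.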

9.4 A taxicab was involved in a fatal hit-and-run accident at night. Two cab companies, the Green and the Blue, operate in the city. You are told that:
• 85% of the cabs in the city are Green and 15% are Blue.
• A witness identified the cab as Blue.
The court tested the reliability of the witness under the same circumstances that existed on the night of the accident and concluded that the witness was correct in identifying the color of the cab 80% of the time. What is the probability that the cab involved in the incident was Blue rather than Green?

9.5 Explain the suitability or unsuitability of the following passwords:
a. YK 334
b. mfmitm (for “my favorite movie is tender mercies”)
c. Natalie1
d. Washington
e. Aristotle
f. tv9stove
g. 12345678
h. dribgib

9.6 An early attempt to force users to use less predictable passwords involved computer-supplied passwords. The passwords were eight characters long and were taken from the character set consisting of lowercase letters and digits. They were generated by a pseudorandom number generator with possible starting values. Using the technology of the time, the time required to search through all character strings of length 8 from a 36-character alphabet was 112 years. Unfortunately, this is not a true reflection of the actual security of the system. Explain the problem.

9.7 Assume that passwords are selected from four-character combinations of 26 alphabetic
characters. Assume that an adversary is able to attempt passwords at a rate of
one per second.
a. Assuming no feedback to the adversary until each attempt has been completed,
what is the expected time to discover the correct password?
b. Assuming feedback to the adversary flagging an error as each incorrect character
is entered, what is the expected time to discover the correct password?

9.8 Assume that source elements of length are mapped in some uniform fashion into a target elements of length . If each digit can take on one of values, then the number of source elements is and the number of target elements is the smaller number .
A particular source element is mapped to a particular target element .
a. What is the probability that the correct source element can be selected by an adversary on one try?
b. What is the probability that a different source element that results in the same target element, , could be produced by an adversary?
c. What is the probability that the correct target element can be produced by an adversary on one try?

9.9 A phonetic password generator picks two segments randomly for each six-letter password.
The form of each segment is CVC (consonant, vowel, consonant), where and .
a. What is the total password population?
b. What is the probability of an adversary guessing a password correctly?

9.10 Assume that passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 10 characters in length. Assume a password cracker with an encryption rate of 6.4 million encryptions per second. How long will it take to test exhaustively all possible passwords on a UNIX system?

9.11 Because of the known risks of the UNIX password system, the SunOS-4.0 documentation recommends that the password file be removed and replaced with a publicly readable file called /etc/publickey. An entry in the file for user A consists of a user’s identifier , the user’s public key, , and the corresponding private key . This private key is encrypted using DES with a key derived from the user’s login password. When A logs in, the system decrypts to obtain .
a. The system then verifies that was correctly supplied. How?
b. How can an opponent attack this system?

9.12 The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?

9.13 It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?

9.14 Assuming that you have successfully answered the preceding problem and understand the significance of the salt, here is another question. Wouldn’t it be possible to thwart completely all password crackers by dramatically increasing the salt size to, say, 24 or 48 bits?

9.15 Consider the Bloom filter discussed in Section 9.3. Define number of hash functions; N = number of bits in hash table; and D = number of words in dictionary.




9.16 Design a file access system to allow certain users read and write access to a file, depending on authorization set up by the system. The instructions should be of the format:
READ (F, User A): attempt by User A to read file F
WRITE (F, User A): attempt by User A to store a possibly modified copy of F
Each file has a header record, which contains authorization privileges; that is, a list of users who can read and write. The file is to be encrypted by a key that is not shared by the users but known only to the system.