Yunze Wang

ITS 370







  1. A key feature of hybrid IDPS systems is event correlation. After researching event correlation online, define the following terms as they are used in this process: compression, suppression, and generalization.


An IDPS (intrusion detection/prevention system) is the term used to describe current anti-intrusion technologies.

Reasons to use an IDPS:

• To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.

• To detect attacks and other security violations that are not prevented by other security measures.

• To detect and deal with the preambles to attacks.

• To document the existing threat to an organization.

• To act as quality control for security design and administration, especially in large and complex enterprises.

• To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.

Event correlation is defined in many different ways, but an event correlator attempts to do exactly what the name suggests: associate events with one another in useful ways. The object of event correlation is to pinpoint larger problems that could be causing many different symptoms to emerge.

There are several subcategories of event correlation, including compression (deduplication), count, suppression, and generalization.


Compression reduces multiple occurrences of the same event into a single event, likely with some kind of counter. This allows an engineer to see that an event is recurring without having to see every instance individually, especially if the problem is already known, but events keep being received.


Count is somewhat similar to compression: it is the substitution of a specified number of similar alarms with a single alarm. It is important to note that these need not be the same event, and that there is a threshold associated with such a relation.


Suppression associates a priority with alarms, and may choose to hide a lower priority alarm if a higher priority alarm exists.


Finally, in generalization, alarms are associated with some superclass, which is reported instead of the specific alarm. This is useful, for example, to correlate events referring to multiple ports on the same switch or router when the unit has completely failed: there is no need to see each particular port failure if it can be determined that the entire unit is having problems.
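As an added example (not part of the assignment), the four operations above implemented in Python over a constructed batch of IDPS alerts; the Alert type, the sample values, the thresholds and the unit-level priority are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)  # frozen makes alerts hashable, so they can be counted
class Alert:
    source: str    # device or host that raised the alarm
    kind: str      # alarm type, e.g. "port-down" or "port-scan"
    priority: int  # higher number = more severe
    detail: str = ""

# Constructed sample batch (values made up for this example): link-down alarms
# on three ports of one switch, one exact duplicate, and two alerts on a host.
SAMPLE = [
    Alert("sw1", "port-down", 2, "port 1"),
    Alert("sw1", "port-down", 2, "port 2"),
    Alert("sw1", "port-down", 2, "port 2"),  # duplicate of the previous alarm
    Alert("sw1", "port-down", 2, "port 3"),
    Alert("h7", "port-scan", 5, "from 203.0.113.9"),
    Alert("h7", "failed-login", 1, "user bob"),
]

def compress(alerts):
    """Compression: collapse identical events into one entry with a counter."""
    return Counter(alerts)

def count(alerts, kind, threshold):
    """Count: `threshold` or more similar (same kind) alarms become one alarm."""
    similar = [a for a in alerts if a.kind == kind]
    if len(similar) < threshold:
        return similar  # below threshold: nothing to substitute
    sources = ",".join(sorted({a.source for a in similar}))
    return [Alert(sources, kind, max(a.priority for a in similar),
                  f"{len(similar)} {kind} alarms")]

def suppress(alerts):
    """Suppression: hide lower-priority alarms while a higher one is present."""
    top = max(a.priority for a in alerts)
    return [a for a in alerts if a.priority == top]

def generalize(alerts, kind, superclass, min_ports=3, unit_priority=4):
    """Generalization: >= min_ports distinct `kind` alarms on one unit are
    replaced by a single `superclass` alarm for the whole unit."""
    ports = {}
    for a in alerts:
        if a.kind == kind:
            ports.setdefault(a.source, set()).add(a.detail)
    failed = {s for s, p in ports.items() if len(p) >= min_ports}
    kept = [a for a in alerts if not (a.kind == kind and a.source in failed)]
    kept += [Alert(s, superclass, unit_priority, f"{len(ports[s])} ports down")
             for s in sorted(failed)]
    return kept
```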


  2. Zone Alarm is a PC-based firewall and IDPS tool. Visit the product manufacturer at and find the product specification for the IDPS features of Zone Alarm. Which Zone Alarm products offer these features?


Zone Alarm is a firewall and IDS tool. IDS (intrusion detection service) is a service provided by the software; it alerts the legitimate user of the system if an intrusion into the system has occurred.

Zone Alarm is a brand name for a variety of security software developed by Zone Labs and Check Point Software Technologies, Inc. The Zone Labs products that offer the IDS feature are listed below.

• Zone Alarm Internet Security Suite

• Zone Alarm PRO Antivirus + Firewall

• Zone Alarm PRO Firewall

These three products have the IDS feature. If a user installs one of these products, its IDS feature will alert the legitimate user if any unauthorized changes are made to the system.


Case Exercises:

Discussion Questions

1.      Miller Harrison was still working his way through his attack protocol. Nmap started out as it usually did, by giving the program identification and version number. Then it started reporting back on the first host in the SLS network. It reported all of the open ports on this server. The program moved on to a second host and began reporting back the open ports on that system, too. Once it reached the third host, however, it suddenly stopped. Miller restarted Nmap, using the last host IP as the starting point for the next scan. No response. He opened another command window and tried to ping the first host he had just port-scanned. No luck. He tried to ping the SLS firewall. Nothing. He happened to know the IP address for the SLS edge router. He pinged that and got the same result. He had been blackholed, meaning his IP address had been put on a list of addresses from which the SLS edge router would no longer accept packets. Ironically, the list was his own doing. The IDPS he had been helping SLS configure seemed to be working just fine at the moment. His attempt to hack the SLS network was shut down cold.
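As an added illustration, not part of the case study or the assignment, the following constructed Python sketch shows the kind of detection logic behind the blackholing Miller ran into: a source that probes many distinct ports on one host within a short window is put on a drop list, after which even its pings to the scanned host or the edge router get no answer. The log format, addresses, thresholds and class names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (addresses and times made up for this example):
# one source walks the ports of 10.0.0.5, another source behaves normally.
SAMPLE_LOG = """\
t=1 src=203.0.113.9 dst=10.0.0.5 dport=21
t=2 src=203.0.113.9 dst=10.0.0.5 dport=22
t=3 src=198.51.100.4 dst=10.0.0.5 dport=443
t=3 src=203.0.113.9 dst=10.0.0.5 dport=23
t=4 src=203.0.113.9 dst=10.0.0.5 dport=25
t=5 src=203.0.113.9 dst=10.0.0.5 dport=80
t=6 src=203.0.113.9 dst=10.0.0.5 dport=443
t=7 src=203.0.113.9 dst=10.0.0.5 proto=icmp
t=8 src=203.0.113.9 dst=10.0.0.1 proto=icmp
t=9 src=198.51.100.4 dst=10.0.0.1 proto=icmp
"""
LINE = re.compile(r"t=(\d+) src=(\S+) dst=(\S+) (?:dport=(\d+)|proto=(\S+))")

class Blackholer:
    def __init__(self, max_ports=5, window=10):
        self.max_ports = max_ports      # distinct ports per (src, dst) before blocking
        self.window = window            # seconds of port history kept per pair
        self.seen = defaultdict(list)   # (src, dst) -> [(t, port), ...]
        self.blocked = set()            # sources whose packets are now dropped
        self.log = []                   # (t, src, verdict) for every packet

    def handle(self, t, src, dst, port):
        if src in self.blocked:          # blackholed: no reply, even to pings
            verdict = "dropped"
        elif port is None:               # ICMP carries no port to count
            verdict = "allowed"
        else:
            hist = self.seen[(src, dst)]
            hist.append((t, port))
            hist[:] = [(tt, p) for tt, p in hist if t - tt <= self.window]
            verdict = "allowed"
            if len({p for _, p in hist}) >= self.max_ports:
                self.blocked.add(src)
                verdict = "blackholed"
        self.log.append((t, src, verdict))
        return verdict

def process(log_text, **kw):
    """Feed every parseable log line through a fresh Blackholer."""
    bh = Blackholer(**kw)
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        t, src, dst, port, _proto = m.groups()
        bh.handle(int(t), src, dst, int(port) if port else None)
    return bh
```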


1.      Do you think Miller is out of options as he pursues his vendetta? If you think he could take additional actions in his effort to damage the SLS network, what are they?


Since he has already tried an insider attack, he could try monitoring the system for a close-in attack, a hijack attack, contacting a previous colleague and attempting a buffer overflow, continuing an exploit attack, and/or looking for a password attack.


2.      Suppose a system administrator at SLS read the details of this case. What steps should he or she take to improve the company’s information security program?


I have found that a few essential steps can make an order-of-magnitude change in how security is managed in your environment today. Keep in mind that these steps will only be effective if top management agrees that security is important and supports the security activities to be undertaken.

Step one: Conduct a risk assessment to determine exactly what data and information are most important to your organization and identify security vulnerabilities to those assets. Create a risk register that identifies critical systems, vulnerabilities, internal and external threats, and the controls required. This is an essential first step, so if you do not feel you have the expertise in-house it is reasonable to have a knowledgeable security consultant perform this task for you, to give you a good baseline from which to work. It also gives you a tool to identify projects for budgeting and planning purposes.

Step two: Based on the vulnerabilities and threats identified, develop policies (password policies, acceptable use policies, encryption policies, and so on) that define the proper processes and standards of practice the organization needs to follow. However, recognize that people do not always follow these policies, processes and procedures.

Step three: Implement the necessary technical controls, making sure they are designed and implemented by competent staff, with proper training for internal staff on the new technologies. The reason for technical controls is that, wherever possible, we should try to protect people from their own bad practices, so that if they feel compelled to work around security controls the technology will not allow them to do so.

Step four: Implement security awareness training across the whole staff, from the board to the lowest levels of the organization. Again, this should be conducted by competent people, and bringing in experienced trainers would be wise as well as most cost-effective. Training that addresses social engineering and good Internet/e-mail practices will go a long way toward protecting an organization.

Step five: Implement a good security monitoring program. Often, anomalies or irregularities in network traffic or system access are a precursor to a more serious attack to come. Make sure that security logs are kept and reviewed on a weekly basis, more often if the assets you are protecting are extremely critical to the survival of your organization or its customers.

Step six: In security we have our own mantra: Trust but Verify. So do not simply trust that completing steps one through five is adequate. Technology, business operations, hackers and threats are all continually changing and evolving. What works today may not work tomorrow. So conduct regular vulnerability tests, at least once a year. Use an independent third party so you get the real picture of your security posture rather than what your organization's people believe is politically correct.


3.      Consider Miller’s hacking attempt in light of the intrusion kill chain described earlier and shown in Figure 7-1. At which phase in the kill chain has SLS countered his vendetta?


SLS countered his vendetta at the Exploitation phase of the kill chain.


Ethical Decision Making

1.      It seems obvious that Miller is breaking at least a few laws in his attempt at revenge. Suppose that when his scanning efforts had been detected, SLS not only added his IP address to the list of sites banned from connecting to the SLS network, the system also triggered a response to seek out his computer and delete key files on it to disable his operating system.

Would such an action by SLS be ethical? Do you think that action would be legal?

Suppose instead that Miller had written a routine to constantly change his assigned IP address to other addresses used by his ISP. If the SLS intrusion system determined what Miller was doing and then added the entire range of ISP addresses to the banned list, thus stopping any user of the ISP from connecting to the SLS network, would SLS’s action be ethical?

What if SLS were part of an industry consortium that shared IP addresses flagged by its IDPS, and all companies in the group blocked all of the ISP’s users for 10 minutes? These users would be blocked from accessing perhaps hundreds of company networks. Would that be an ethical response by members of the consortium? What if these users were blocked for 24 hours?


1) It would be unethical, since Miller could change his IP address and would still have the option to access their network. The activity would be illegal.

2) The action would not be ethical. The reason is that Miller will be able to access their network after changing the IP address. This kind of action is not legal.

3) It would be an ethical reaction to prevent further damage.