Homework type/no: 4
Course instructor: Miss madhu b
Date of allotment: 3/04/2011

Course code: CSE403

Course tutor:

Date of submission: 18/04/2011

Student roll no: Rf27e2A13
Section no: f27e2

Declaration: I declare that this assignment is my individual work. I have not copied from any other student's work or from any other source except where due acknowledgment is made explicitly in the text, nor has it been written for me by another person.

Student's signature: RAM KRISHNA GAUTAM

Evaluator's comments:
Marks obtained _____ out of _____

Content of home work should start from this page only.

Part (A)

1. What metrics are useful for profile-based intrusion detection?

Ans:- Profile-based (statistical anomaly) intrusion detection builds a profile of the normal activity of each user or group of users and raises an alert when observed behaviour departs significantly from that profile. The profile is built from measurable quantities of user activity, and the following kinds of metric are useful:

Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time, for example the number of logins by a single user in an hour, the number of times a given command is executed in a session, or the number of password failures in a minute.

Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity, for example the number of logical connections assigned to a user application or the number of outgoing messages queued for a user process.

Interval timer: The length of time between two related events, for example the time between successive logins to an account.

Resource utilization: Quantity of resources consumed during a specified period, for example the number of pages printed during a session or the total processor time consumed by a program execution.

Given these metrics, statistical tests (mean and standard deviation, multivariate, Markov process, time series and operational models) are applied to decide whether the current activity is anomalous.
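The following added example (written for this page, not part of the original assignment) shows the four metric types being computed over a window of audit records and compared against a profile with a mean-and-standard-deviation test. The audit records, the user's daily routine and the event names "login", "logout", "login_fail" and "print" are constructed for illustration.

```python
"""Profile-based anomaly detection using the four metric types (added example).

The audit records below are constructed for illustration; the event names
"login", "logout", "login_fail" and "print" are assumed, not taken from the text.
Each record is (seconds since the start of the day, event, value), where value
is the page count for "print" events and 0 otherwise.
"""
from statistics import mean, pstdev


def window_metrics(records):
    """Compute one value of each metric type over a window of audit records."""
    failures = 0          # counter: only ever incremented within the window
    sessions = 0          # gauge: up on login, down on logout
    peak_sessions = 0     # highest value the gauge reached
    login_times = []      # feeds the interval timer
    pages = 0             # resource utilization: pages printed
    for t, event, value in sorted(records):
        if event == "login_fail":
            failures += 1
        elif event == "login":
            sessions += 1
            peak_sessions = max(peak_sessions, sessions)
            login_times.append(t)
        elif event == "logout":
            sessions = max(0, sessions - 1)
        elif event == "print":
            pages += value
    gaps = [b - a for a, b in zip(login_times, login_times[1:])]
    return {
        "login_failures": failures,                        # counter
        "peak_sessions": peak_sessions,                    # gauge
        "login_interval": mean(gaps) if gaps else 0.0,     # interval timer
        "pages_printed": pages,                            # resource utilization
    }


def build_profile(history):
    """Profile = mean and population standard deviation of each metric over past windows."""
    samples = {}
    for window in history:
        for name, value in window_metrics(window).items():
            samples.setdefault(name, []).append(value)
    return {name: (mean(vals), pstdev(vals)) for name, vals in samples.items()}


def detect(profile, records, k=3.0, floor=1.0):
    """Mean-and-standard-deviation test: flag metrics more than k sigma from the
    profile mean. 'floor' keeps a zero-variance baseline from flagging trivial drift.
    Returns {metric: (observed, baseline_mean)} for the metrics that fired."""
    alerts = {}
    for name, value in window_metrics(records).items():
        mu, sigma = profile[name]
        if abs(value - mu) > k * max(sigma, floor):
            alerts[name] = (value, mu)
    return alerts


def normal_day(fail_count, pages):
    """Constructed baseline day: a morning and an afternoon session, one print job."""
    recs = [(0, "login", 0), (3600, "logout", 0),
            (28800, "login", 0), (30000, "print", pages), (32400, "logout", 0)]
    recs += [(600 + i, "login_fail", 0) for i in range(fail_count)]
    return recs


BASELINE = [normal_day(0, 4), normal_day(1, 6), normal_day(1, 5), normal_day(0, 5)]

# Constructed suspicious day: a burst of failed logins, five sessions opened
# ten minutes apart and never closed, and a very large print job.
SUSPICIOUS = ([(i * 5, "login_fail", 0) for i in range(12)]
              + [(100 + 600 * i, "login", 0) for i in range(5)]
              + [(3000, "print", 300)])


def run():
    """Build the profile from the baseline days and test the suspicious day against it."""
    profile = build_profile(BASELINE)
    return detect(profile, SUSPICIOUS)


if __name__ == "__main__":
    for name, (seen, baseline) in run().items():
        print(f"{name}: observed {seen}, profile mean {baseline:.1f}")
```

On the constructed data all four metrics fire for the suspicious day and none fire for a normal day. The `floor` argument matters in practice: a metric whose baseline never varies (here the gauge and the interval timer) has a standard deviation of zero, and without a floor any change at all would be an alert.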

2. It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?

Ans:- The salt is not meant to hide anything from the attacker; it is meant to stop one guess from being tested against every user at once. It increases security for the following reasons:

- Without the salt, the attacker can guess a password and encrypt it once. If ANY of the users on the system use that password, there will be a match, so a single encryption tests the guess against the whole password file.
- With the salt, the attacker must guess a password and then encrypt it once for each user, using the particular salt stored for that user. Testing one guess against N accounts costs up to N encryptions (at most 4096, one per distinct salt), and a precomputed dictionary of encrypted guesses would have to be 4096 times larger to cover every salt.
- Two users who choose the same password get different ciphertext, so duplicate passwords are not visible in the password file.
- It effectively increases the password length by two characters without the user having to choose or remember them.
- It thwarts the use of a hardware DES implementation for brute-force attacks, because the salt perturbs the DES algorithm (it modifies the expansion table), so an off-the-shelf DES chip cannot be used directly.

3. What are typical phases of operation of a virus or worm?

Ans:- A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform; thus they are designed to take advantage of the details and weaknesses of particular systems. During its lifetime, a typical virus goes through the following four phases:

Dormant phase: The virus is idle. It will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.

Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

A worm goes through the same four phases; the difference is in the propagation phase, where a worm copies itself to other systems over the network (by e-mail, remote execution or remote login) rather than into other programs on the same host.
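For Question 2 above, the following added example (written for this page, not part of the original assignment) counts how many one-way-function evaluations a dictionary attack needs against an unsalted and a salted password file that hold the same accounts. The user names, passwords and word list are constructed, and SHA-256 stands in for the DES-based crypt(3) function, which the example does not implement; only the counting argument depends on the salt, not on which one-way function is used.

```python
"""Why the salt matters even though it is stored in the clear (added example).

User names, passwords and the word list are constructed for illustration. SHA-256 stands in
for the DES-based crypt(3) one-way function, which this example does not implement."""
import hashlib
import random
from typing import Dict, List, Tuple

# crypt(3) salt alphabet: 64 characters, so two characters give 64 * 64 = 4096 salts.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def crypt_stub(password: str, salt: str) -> str:
    """Stand-in for crypt(3): a one-way function of the password, perturbed by the salt."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_passwd(users: Dict[str, str], salted: bool, seed: int = 1) -> Dict[str, Tuple[str, str]]:
    """Return {user: (salt, ciphertext)}. The salt is two random characters as in classic
    UNIX, or '' when unsalted, and is stored in the clear next to the ciphertext."""
    rng = random.Random(seed)
    entries = {}
    for user, password in users.items():
        salt = "".join(rng.choice(SALT_ALPHABET) for _ in range(2)) if salted else ""
        entries[user] = (salt, crypt_stub(password, salt))
    return entries


def dictionary_attack(entries: Dict[str, Tuple[str, str]], wordlist: List[str]):
    """Attacker who knows every salt (they are in the file). For each guess, encrypt once per
    distinct salt and compare against all users sharing that salt.
    Returns (cracked {user: password}, number of crypt_stub calls)."""
    by_salt: Dict[str, Dict[str, List[str]]] = {}
    for user, (salt, ciphertext) in entries.items():
        by_salt.setdefault(salt, {}).setdefault(ciphertext, []).append(user)
    cracked: Dict[str, str] = {}
    work = 0
    for guess in wordlist:
        for salt, table in by_salt.items():
            work += 1
            for user in table.get(crypt_stub(guess, salt), []):
                cracked[user] = guess
    return cracked, work


USERS = {"alice": "password", "bob": "letmein", "carol": "password",
         "dave": "Tr0ub4dor&3", "eve": "password", "frank": "qwerty"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def compare():
    """Run the same dictionary attack against an unsalted and a salted password file."""
    unsalted = build_passwd(USERS, salted=False)
    salted = build_passwd(USERS, salted=True)
    cracked_u, work_u = dictionary_attack(unsalted, WORDLIST)
    cracked_s, work_s = dictionary_attack(salted, WORDLIST)
    return {
        "unsalted_work": work_u,
        "salted_work": work_s,
        "distinct_salts": len({salt for salt, _ in salted.values()}),
        "cracked_unsalted": cracked_u,
        "cracked_salted": cracked_s,
        # duplicate passwords are visible as equal ciphertext only in the unsalted file
        "duplicates_visible_unsalted": unsalted["alice"][1] == unsalted["carol"][1],
        "duplicates_visible_salted": salted["alice"][1] == salted["carol"][1],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The attacker cracks the same accounts either way, but the unsalted file costs one evaluation per guess while the salted file costs one per guess per distinct salt. With real salts the multiplier saturates at 4096, which is exactly the factor the question quotes.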

Part (B)

4. How does behavior-blocking software work?

Ans:- Behavior blocking monitors file activities, preventing certain modifications to the operating system or related files. For example, behavior blockers may monitor the system registry and warn users accordingly if a file being executed is attempting to modify it. Some programs, of course, do this legitimately, e.g. a SETUP program; other files, however, may have malicious intent. The key benefit of a behavior blocker is that it questions whether the action was expected and whether the user wants to allow it, so it can stop malicious code for which no signature yet exists. The biggest downside to behavior blocking is that it requires a higher level of expertise on the part of the user, who must individually make decisions about what is, or is not, allowed.

One example of behavior blocking is included in the popular Spybot Search & Destroy, which includes advanced features dubbed TeaTimer and SDHelper (neither is enabled by default) that use behavior blocking to guard against unintended registry edits as well as against unauthorized installations of ActiveX controls.

While some users find behavior blocking intrusive, it can be a valuable addition to defending systems against the threat of viruses and other forms of malware. It bears repeating, however, that behavior blocking is best kept in the hands of an experienced user who can understand and respond appropriately to the types of alerts it delivers.

5. What is the importance of the "no write down" rule?

Ans:- Multilevel security has a long tradition in military environments and is an important requirement in the TCSEC (Trusted Computer System Evaluation Criteria) for the B and A security classes. Subjects and objects of a system are assigned security classes (e.g. 'high' and 'low') with a specific order (high > low). A well known MLS model is the Bell-LaPadula model. Its two most prominent rules are no-read-up (the simple security property) and no-write-down (the *-property): a subject may read an object only if the subject's class is at least as high as the object's, and a subject may write an object only if the object's class is at least as high as the subject's. Together these rules permit information to flow only from 'low' to 'high'.

The necessity of the "no read up" rule for a multilevel secure system is fairly obvious. The "no write down" rule is what makes the model hold against untrusted software rather than only against users. A subject cleared for 'high' may unknowingly run a program containing a Trojan horse; if that program were allowed to write to a 'low' object, it could copy 'high' data into it, and a 'low' subject, who is stopped by no-read-up from reading the original, could then read the copy. Forbidding writes to lower classes closes this channel: no program running on behalf of a high subject can move high data anywhere a low subject may read, so confidentiality does not depend on the trustworthiness of every program the high subject runs.
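The following added example (written for this page, not part of the original assignment) is a small reference monitor that enforces the two Bell-LaPadula rules and runs the Trojan-horse scenario from the answer above with no-write-down switched on and off. The level names, the file names and the "general"/"spy" roles are constructed for illustration.

```python
"""Bell-LaPadula reference monitor with and without the no-write-down rule (added example).

Level names, object names and the 'general'/'spy' scenario are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """A totally ordered set of security classes; a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Subject:
    name: str
    clearance: Level


@dataclass
class Object:
    name: str
    classification: Level
    data: str = ""


class ReferenceMonitor:
    """Mediates every read and write against the two Bell-LaPadula rules."""

    def __init__(self, enforce_no_write_down=True):
        self.enforce_no_write_down = enforce_no_write_down
        self.objects = {}

    def add(self, obj):
        self.objects[obj.name] = obj

    def read(self, subject, name):
        obj = self.objects[name]
        # Simple security property (no read up): the subject must dominate the object.
        if subject.clearance < obj.classification:
            raise PermissionError(f"no read up: {subject.name} -> {name}")
        return obj.data

    def write(self, subject, name, data):
        obj = self.objects[name]
        # *-property (no write down): the object must dominate the subject.
        if self.enforce_no_write_down and obj.classification < subject.clearance:
            raise PermissionError(f"no write down: {subject.name} -> {name}")
        obj.data = data


def trojan_horse_leak(enforce_no_write_down):
    """A Trojan horse runs with a TOP_SECRET user's clearance and tries to copy a
    TOP_SECRET file into an UNCLASSIFIED file that a low user can read.
    Returns the leaked text, or None if the monitor blocked the leak."""
    rm = ReferenceMonitor(enforce_no_write_down)
    rm.add(Object("plans.txt", Level.TOP_SECRET, "attack at dawn"))
    rm.add(Object("scratch.txt", Level.UNCLASSIFIED))
    general = Subject("general", Level.TOP_SECRET)
    spy = Subject("spy", Level.UNCLASSIFIED)

    try:                                    # no-read-up alone stops the direct read
        rm.read(spy, "plans.txt")
        raise AssertionError("no read up was not enforced")
    except PermissionError:
        pass

    secret = rm.read(general, "plans.txt")   # the Trojan may read: it runs as 'general'
    try:
        rm.write(general, "scratch.txt", secret)   # the write down is the only way out
    except PermissionError:
        return None
    return rm.read(spy, "scratch.txt")


if __name__ == "__main__":
    print("with no-write-down:   ", trojan_horse_leak(True))
    print("without no-write-down:", trojan_horse_leak(False))
```

Note that the model still permits a low subject to write into a high object (a "blind write up"); Bell-LaPadula addresses confidentiality only, and protecting the integrity of high objects against low writers is the job of a separate model.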

6. IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. In an IPv4 packet, the size of the payload in the first fragment, in octets, is equal to Total Length - (4 x IHL). If this value is less than the required minimum (8 octets for TCP), then this fragment and the entire packet are rejected. Suggest an alternative method of achieving the same result using only the Fragment Offset field.

Ans:- The IP packet (Layer 3 in the OSI model) is created by taking the Layer 4 TCP or UDP segment and adding an IP header to it. The IP packet is then passed to Layer 2, where further headers are added to create a frame or cell (Ethernet, Frame Relay, ATM, etc.), which is then transmitted over the physical Layer 1.

The packet length is an important consideration, since every network link has a characteristic maximum size of message that may be transmitted, called the maximum transmission unit (MTU). The path MTU is the largest IP packet that can travel from sender to receiver without fragmentation; it is determined by every link the packet passes through, and because the route may change, the path MTU may change too, so a ping-based MTU test is best repeated. Network administrators want to minimize segmentation and reassembly (SAR), so they need to know the MTU. The length fields differ between IPv4 and IPv6 (IPng, IP next generation):

- IPv4: the Total Length field is 16 bits, for a maximum packet size of 65535 octets, header included. IPv4 is still by far the predominant protocol, with IPv6 a long way off.
- IPv6: the Payload Length field is also 16 bits, but the Jumbo Payload option provides a 32-bit length, supporting payloads of up to 4294967295 octets.

Here only IPv4 packets are considered. The check in the question inspects the first fragment, computes its payload size as Total Length - (4 x IHL), and rejects it (and hence the whole datagram, which can no longer be reassembled) when that payload is too short to hold the transport-layer header the firewall needs to inspect.

The same result can be obtained from the Fragment Offset field alone. Fragment Offset is 13 bits and gives the position of a fragment's data within the original datagram in units of 8 octets. The first fragment has offset 0, and every fragment except the last must carry a multiple of 8 octets of data, so the fragment that follows a first fragment of p payload octets has Fragment Offset p/8. A first fragment that is too short to hold the whole transport header therefore forces the rest of that header into a fragment with a small, nonzero offset. Instead of examining Total Length and IHL, the firewall can drop any TCP fragment whose Fragment Offset is nonzero but smaller than (minimum / 8); once that fragment is gone the datagram can never be reassembled, which is the same outcome as rejecting the whole packet. RFC 1858 states this "indirect method" for a minimum of 16 octets, which keeps both the TCP ports and the TCP flags in the first fragment: IF FO=1 AND PROTOCOL=TCP THEN DROP PACKET. Note that with the 8-octet minimum quoted in the question (enough only for the port numbers), a first fragment of exactly 8 octets is acceptable and so is its successor at offset 1; the offset test becomes effective once the minimum is raised to 16 octets, the value RFC 1858 uses.
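The following added example (written for this page, not part of the original assignment) parses an IPv4 header and applies both filters side by side: the question's Total Length - (4 x IHL) test on the first fragment, and the Fragment-Offset-only test of RFC 1858. The packets are constructed in `make_fragment()`; the addresses, identification value and TTL are arbitrary, and checksums are left zero because the filter does not check them.

```python
"""IPv4 fragment filtering: the question's Total Length check beside the
Fragment-Offset-only check of RFC 1858 (added example). Packets are constructed in
make_fragment(); addresses and identification values are arbitrary."""
import struct
from typing import NamedTuple

TCP = 6
UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte fixed header, network byte order


class IPv4Header(NamedTuple):
    ihl: int               # header length in 32-bit words
    total_length: int      # header + payload, in octets
    more_fragments: bool   # MF flag
    fragment_offset: int   # in units of 8 octets
    protocol: int


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the fields the filter needs; rejects non-IPv4 and short headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = ver_ihl & 0x0F
    if ihl < 5 or 4 * ihl > len(packet):
        raise ValueError("bad IHL")
    return IPv4Header(ihl, total_len, bool(flags_frag & 0x2000), flags_frag & 0x1FFF, proto)


def first_fragment_payload(h: IPv4Header) -> int:
    """The question's formula: payload octets in the first fragment = Total Length - 4*IHL."""
    return h.total_length - 4 * h.ihl


def direct_check(h: IPv4Header, tmin: int = 16) -> bool:
    """Drop a TCP first fragment whose payload cannot hold tmin octets of transport header.
    The question uses tmin=8 (just the ports); RFC 1858 needs enough to cover the flags too."""
    return h.protocol == TCP and h.fragment_offset == 0 and first_fragment_payload(h) < tmin


def indirect_check(h: IPv4Header, tmin: int = 16) -> bool:
    """Same goal using only Fragment Offset: non-final fragments carry multiples of 8 octets,
    so a first fragment shorter than tmin forces a successor with 0 < FO < ceil(tmin/8).
    For tmin=16 this is RFC 1858's rule: IF FO=1 AND PROTOCOL=TCP THEN DROP PACKET."""
    return h.protocol == TCP and 0 < h.fragment_offset < (tmin + 7) // 8


def make_fragment(payload_len: int, offset_units: int, more_fragments: bool,
                  protocol: int = TCP) -> bytes:
    """Constructed test packet: 20-byte header, zero checksum, zero-filled payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0x1234, flags_frag,
                         64, protocol, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + bytes(payload_len)


# Constructed "tiny fragment" attack: the TCP header is split after its first 8 octets,
# so the flags arrive in a second fragment at offset 1 where a port-only filter never looks.
TINY_FIRST = make_fragment(8, 0, True)
TINY_SECOND = make_fragment(12, 1, False)
# Ordinary fragmentation on a 1500-octet MTU: 1480 octets of payload per fragment.
NORMAL_FIRST = make_fragment(1480, 0, True)
NORMAL_SECOND = make_fragment(1480, 185, True)
UNFRAGMENTED = make_fragment(40, 0, False)


def filter_decisions(packets):
    """Return [(direct_drop, indirect_drop)] per packet, for side-by-side comparison."""
    return [(direct_check(h), indirect_check(h)) for h in map(parse_ipv4, packets)]


if __name__ == "__main__":
    names = ["tiny first", "tiny second", "normal first", "normal second", "unfragmented"]
    pkts = [TINY_FIRST, TINY_SECOND, NORMAL_FIRST, NORMAL_SECOND, UNFRAGMENTED]
    for name, (direct, indirect) in zip(names, filter_decisions(pkts)):
        print(f"{name:14s} direct={direct!s:5s} indirect={indirect}")
```

The two checks catch the attack on different fragments (the direct method drops the first, the indirect method drops the second) but either leaves the datagram unreassemblable. The indirect check only looks at a TCP fragment's offset, so a UDP fragment at offset 1 passes it, and with `tmin=8`, the minimum quoted in the question, neither check fires on the tiny fragments, which is why RFC 1858 uses the larger minimum.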