
Homework type/no: 4
Course instructor: Miss Madhu B
Date of allotment: 3/04/2011
Course code: CSE403
Course tutor:
Date of submission: 18/04/2011
Student roll no: Rf27e2A13
Section no: f27e2

Declaration: I declare that this assignment is my individual work. I have not copied from any other student's work or from any other source except where due acknowledgment is made explicitly in the text, nor has it been written for me by another person.

Student's signature: RAM KRISHNA GAUTAM
Evaluator's comments:
Marks obtained ______ out of ______

Content of homework should start from this page only

Part (A)

1. What metrics are useful for profile-based intrusion detection?


Ans:- Metrics are parameters or measures of quantitative assessment used for measurement, comparison, or to track performance or production. Analysts use metrics to compare the performance of different companies, despite the many variations between firms. The following metrics can be very useful in a profile-based intrusion detection system:

Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.

Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.

Interval timer: The length of time between two related events.

Resource utilization: Quantity of resources consumed during a specified period.
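The four metric types above, computed from audit records and tested against a per-user profile. This is an added example, not part of the original homework; the record format, the profile values and the 3-standard-deviation threshold are assumptions made for illustration.

```python
# Constructed audit records for one user over one period: (unix_time, event, cpu_ms)
RECORDS = [
    (1000, "login_fail", 0),
    (1010, "login_fail", 0),
    (1020, "login_ok", 100),
    (1500, "exec", 12500),
    (1600, "login_ok", 100),
    (1900, "logout", 0),
    (2000, "exec", 30000),
]

# Assumed historical profile for this user: metric -> (mean, standard deviation)
PROFILE = {
    "failed_logins": (0.4, 0.5),        # counter
    "open_sessions": (1.0, 1.0),        # gauge
    "login_interval": (3600.0, 600.0),  # interval timer, seconds
    "cpu_ms": (40000.0, 5000.0),        # resource utilization
}

def measure(records):
    """Derive one value per metric type from the period's audit records."""
    failed = sessions = cpu = 0
    gaps, last_login = [], None
    for t, event, cpu_ms in records:
        cpu += cpu_ms                      # resource utilization: only accumulates
        if event == "login_fail":
            failed += 1                    # counter: incremented, never decremented
        elif event == "login_ok":
            sessions += 1                  # gauge: goes up on login...
            if last_login is not None:
                gaps.append(t - last_login)  # interval between two related events
            last_login = t
        elif event == "logout":
            sessions -= 1                  # ...and down on logout
    interval = sum(gaps) / len(gaps) if gaps else None
    return {"failed_logins": failed, "open_sessions": sessions,
            "login_interval": interval, "cpu_ms": cpu}

def anomalies(observed, profile, k=3.0):
    """Flag metrics that deviate from the profile mean by more than k std devs."""
    flagged = []
    for name, value in observed.items():
        mu, sigma = profile[name]
        if value is not None and abs(value - mu) > k * sigma:
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    obs = measure(RECORDS)
    print(obs, anomalies(obs, PROFILE))
```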

2. It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?

Ans:- It is asserted that the salt increases security for the following reasons:
Without the salt, the attacker can guess a password and encrypt it. If ANY of the users on a system use that password, then there will be a match. With the salt, the attacker must guess a password and then encrypt it once for each user, using the particular salt for each user. The salt also increases the effective password length and thwarts brute-force attacks that use a hardware implementation.
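The per-user cost described in this answer can be measured directly. The following is an added example, not part of the original homework: the accounts and word list are constructed, the function names are hypothetical, and SHA-256 stands in for the DES-based crypt(3) so that it runs on any Python 3.

```python
import hashlib

# Constructed sample accounts: name -> (two-character salt, password)
USERS = {
    "alice": ("a1", "sunshine"),
    "bob": ("b2", "sunshine"),      # same password as alice
    "carol": ("c3", "x9$kQ!vT"),
    "dave": ("d4", "letmein"),
}
WORDLIST = ["password", "sunshine", "letmein"]  # constructed guess list

def stored_hash(password, salt=""):
    # Assumption: SHA-256 replaces crypt(3); only the salting logic matters here.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_table(users, salted):
    """Build password-file entries {name: (salt, hash)}, with or without salt."""
    table = {}
    for name, (salt, password) in users.items():
        salt = salt if salted else ""
        table[name] = (salt, stored_hash(password, salt))
    return table

def audit(table, wordlist):
    """Test every guess against the file; return (matched names, hashes computed)."""
    hashes, matched = 0, set()
    salts = {salt for salt, _ in table.values()}
    for word in wordlist:
        for salt in salts:              # one hash per guess per distinct salt
            digest = stored_hash(word, salt)
            hashes += 1
            matched |= {n for n, (s, h) in table.items()
                        if s == salt and h == digest}
    return matched, hashes

if __name__ == "__main__":
    for salted in (False, True):
        table = make_table(USERS, salted)
        same = table["alice"][1] == table["bob"][1]
        found, cost = audit(table, WORDLIST)
        print(f"salted={salted}: equal hashes for equal passwords={same}, "
              f"matched={sorted(found)}, hashes computed={cost}")
```

Without the salt, 3 hash computations cover all four accounts and the two identical passwords are visible as identical entries; with the salt, the same audit costs 12 computations, one per guess per user.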

3. What are typical phases of operation of a virus or worm?


Ans:- A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. During its lifetime, a typical virus goes through the following four phases:

Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.

Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.

Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems.

Part (B)

4. How does behavior-blocking software work?


Ans:- Behavior blocking monitors file activities, preventing certain modifications to the operating system or related files. For example, behavior blockers may monitor the system registry and warn users accordingly if a file being executed is attempting to modify it. Some programs, of course, do this legitimately, e.g. a SETUP program. Other files, however, may have malicious intent. The key benefit of a behavior blocker is that it questions whether the action was expected and whether the user wants to allow it. While some users find behavior blocking intrusive, it can be a valuable addition to defending systems against the threat of viruses and other forms of malware. The biggest downside to behavior blocking is that it requires a higher level of expertise on the part of the user, who must individually make decisions about what is or is not allowed.

One example of behavior blocking is included in the popular Spybot Search & Destroy, which includes advanced features dubbed TeaTimer and SDHelper (neither is enabled by default) that use behavior blocking to guard against unintended registry edits as well as against unauthorized installations of ActiveX controls. It bears repeating, however, that behavior blocking is best kept in the hands of an experienced user who can understand and respond appropriately to the types of alerts it delivers.

5. The necessity of the "no read up" rule for a multilevel secure system is fairly obvious. What is the importance of the "no write down" rule?

Ans:- Multilevel security has a long tradition in military environments and is an important requirement in the TCSEC (Trusted Computer System Evaluation Criteria) for the A and B security classes. Subjects and objects of a system are assigned security classes (e.g. high and low) with a specific order (high > low). A well-known MLS model is the Bell-LaPadula model. The two most prominent rules are No-read-up and No-write-down, which state that a low-level subject is not allowed to read high-level objects, and high-level objects can only be written by low-level subjects. These two rules result in an information flow from low to high. For more comprehensive information .

6. In an IPv4 packet, the size of the payload in the first fragment, in octets, is equal to Total Length - (4 x IHL). If this value is less than the required minimum (8 octets for TCP), then this fragment and the entire packet are rejected. Suggest an alternative method of achieving the same result using only the Fragment Offset field.

Ans:- The IP packet (Layer 3 in the OSI model) is created by taking the Layer 4 TCP or UDP datagram and adding IP headers to it. The IP packet is then sent to Layer 2, where more headers are added to it, creating a frame or cell (Ethernet, Frame Relay, ATM, etc.), which is then transmitted along the physical Layer 1. The packet length is a very important consideration, since all network administrators need to minimize SAR (Segmentation And Reassembly), or fragmentation. Therefore, they need to know the MTU (Maximum Transmission Unit), which is the largest IP packet that can travel from sender to receiver, self-contained, with no fragmentation. The MTU applies to the entire path and includes all devices that a packet passes through. You can discover this value using pings. However, the MTU value may change, depending on the route taken, so it is best to run the ping test repeatedly, several times a week, for about one month. Here we detail only v4 packets. The packet length differs for IPv4 and IPv6 (IPnG - IP next Generation). IPv4 is still, by far, the predominant protocol, with IPv6 a long way off:

IPv4 - The IPv4 packet length field is 16 bits, for a maximum size of 65535 bytes.

IPv6 - The extended length option provides for a 32-bit length field, supporting packet lengths up to 4294967295 bytes.

IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. Every network link has a characteristic size of messages that may be transmitted, called the maximum transmission unit (MTU).
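The length check stated in the question, Total Length - (4 x IHL) compared against the 8-octet minimum for TCP, written as a packet-filter rule. This is an added example, not part of the original homework; the function names are hypothetical and the headers are constructed with documentation addresses and an unvalidated zero checksum.

```python
import struct

# Minimum transport octets required in a first fragment, keyed by IP protocol
# number; 8 for TCP (protocol 6), as given in the question.
MIN_FIRST_FRAGMENT = {6: 8}

def build_header(total_len, proto, offset, more_fragments, ihl=5):
    """Constructed IPv4 header for the demo (checksum left as 0, not validated)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                        flags_frag, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return fixed + b"\x00" * (4 * (ihl - 5))   # zero-filled options if IHL > 5

def check_fragment(header):
    """Return ("accept" | "reject", reason) for one IPv4 header."""
    if len(header) < 20:
        return ("reject", "truncated header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _ = struct.unpack(
        "!BBHHHBBH", header[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or total_len < 4 * ihl:
        return ("reject", "malformed header")
    offset = flags_frag & 0x1FFF            # 13-bit offset, in 8-octet units
    more = bool(flags_frag & 0x2000)        # More Fragments flag
    payload = total_len - 4 * ihl           # Total Length - (4 x IHL)
    # First fragment of a fragmented datagram: offset 0 with MF set.
    if offset == 0 and more and payload < MIN_FIRST_FRAGMENT.get(proto, 0):
        return ("reject", f"first fragment carries only {payload} octets")
    return ("accept", f"payload {payload} octets")

if __name__ == "__main__":
    cases = {
        "first fragment, 8 octets": build_header(28, 6, 0, True),
        "first fragment, 4 octets": build_header(24, 6, 0, True),
        "options shrink payload": build_header(28, 6, 0, True, ihl=6),
        "later fragment, 4 octets": build_header(24, 6, 3, False),
    }
    for label, hdr in cases.items():
        print(label, "->", check_fragment(hdr))
```

The third case shows why IHL must enter the calculation: the same Total Length of 28 leaves only 4 payload octets once a 4-octet option is present.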
