Microsoft Encyclopedia of Security, Part 2 (docx)


A

For More Information
You can find THC online at www.thehackerschoice.com.

See Also: scanner

amplification attack
Any type of attack that magnifies the effect of a single attacking host.

Overview
Amplification attacks work by having one packet generate multiple responses. The resulting effect is that a single attacking host appears as multiple hosts, with the goal of intensifying the effect of the attack to bring down entire networks. Distributed denial-of-service (DDoS) attacks are classic examples of amplification attacks in which intermediary compromised hosts are used to multiply the malicious intent of a single intruder. The Smurf attack is another type of amplification attack and relies on the fact that a single spoofed Internet Control Message Protocol (ICMP) echo request will cause multiple hosts on a network to generate ICMP echo replies, the amplification factor here being the number of accessible hosts on the compromised network.

See Also: distributed denial of service (DDoS), Smurf attack

Annual Computer Security Applications Conference (ACSAC)
An annual conference on computer security organized and sponsored by Applied Computer Security Associates (ACSA).

Overview
Since 1985, the Annual Computer Security Applications Conference (ACSAC) has helped advance the principles and practices of computer security. Conference attendees work primarily in technical fields and include engineers, researchers, and practitioners in the field of computer security. Attendance at ACSAC averages around 250 people and is heavily weighted toward industry and government.

For More Information
For information on upcoming conference schedules and registration, see www.acsac.org.

See Also: Applied Computer Security Associates (ACSA)

anomaly-based IDS
An intrusion detection system (IDS) that uses a baseline instead of signatures to detect intrusions.

Overview
While signature-based (or rule-based) IDSs are more common, they are limited to recognizing known attacks and require their signature database to be updated regularly. An anomaly-based IDS takes a different approach and begins by capturing network traffic to form a profile or baseline of acceptable network events. Once this database has been created, an anomaly-based IDS then compares current traffic to baseline traffic and uses pattern-recognition algorithms to identify possible intrusion events by detecting traffic anomalies. To make the process more efficient, anomaly-based IDSs usually begin by filtering out known “safe” traffic such as Simple Mail Transfer Protocol (SMTP) mail or Domain Name System (DNS) lookups to reduce the amount of data they need to inspect.

Anomaly-based IDSs tend to be good at detecting the initial stage of an attack when an intruder is probing the network using port scans and sweeps. They can also detect when a new network service appears on any host on the network, indicating a possible breach of that host’s security. The downside of anomaly-based IDSs is that they tend to be more difficult to configure than signature-based IDSs, because it is sometimes difficult to distinguish what constitutes “normal” traffic from “abnormal” and, as a result, they tend to generate more false alerts than signature-based ones. As a result, anomaly-based IDSs usually require a larger degree of human intervention in order to determine the status of “questionable” traffic and reconfigure the IDS to accept or reject such traffic in the future. Finally, anomaly-based IDSs usually need to be deployed in a distributed fashion across a network, close to the servers they are protecting, in order to
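The following is an added illustration of the anomaly-based approach described in the entry above; it is not code from the encyclopedia. It builds a baseline of services from constructed training traffic (after filtering out SMTP and DNS as "safe"), then compares constructed current traffic against that baseline to flag port scans, port sweeps and services that were not in the profile, and it models the analyst step of accepting a flagged service so it no longer alerts. All hosts, ports, thresholds and flow records are made up.

```python
"""Toy anomaly-based IDS: baseline profiling followed by anomaly detection.

Added example, not code from the encyclopedia. All hosts, ports and flow
records are constructed; a flow is (src, dst, dport, replied), where
`replied` records whether the destination answered on that port.
"""
from collections import defaultdict

# Known "safe" traffic (SMTP, DNS) is filtered out before inspection, as the entry describes.
SAFE_PORTS = {25, 53}
SCAN_PORT_THRESHOLD = 10    # distinct ports contacted on one host by one source
SWEEP_HOST_THRESHOLD = 10   # distinct hosts contacted on one port by one source


def is_safe(flow):
    """True for traffic the IDS ignores entirely (assumed safe ports)."""
    return flow[2] in SAFE_PORTS


def build_baseline(flows):
    """Profile normal traffic as the set of (dst, dport) services that answered."""
    baseline = set()
    for flow in flows:
        src, dst, dport, replied = flow
        if replied and not is_safe(flow):
            baseline.add((dst, dport))
    return baseline


def detect_anomalies(baseline, flows):
    """Compare current flows against the baseline; return a sorted list of alerts."""
    ports_per_pair = defaultdict(set)    # (src, dst)   -> distinct dports contacted
    hosts_per_port = defaultdict(set)    # (src, dport) -> distinct dsts contacted
    new_services = defaultdict(set)      # (dst, dport) -> sources that got an answer
    for flow in flows:
        if is_safe(flow):
            continue
        src, dst, dport, replied = flow
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
        # A service answering on a (host, port) absent from the baseline may
        # indicate that the host has been compromised.
        if replied and (dst, dport) not in baseline:
            new_services[(dst, dport)].add(src)
    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port-scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= SWEEP_HOST_THRESHOLD:
            alerts.append(("port-sweep", src, dport, len(hosts)))
    for (dst, dport), sources in new_services.items():
        alerts.append(("new-service", dst, dport, len(sources)))
    return sorted(alerts, key=lambda a: (a[0], str(a[1]), str(a[2]), a[3]))


def accept_service(baseline, dst, dport):
    """Analyst decision: treat a flagged (host, port) as normal from now on."""
    baseline.add((dst, dport))
    return baseline


# Constructed training traffic used to form the baseline.
TRAINING = [
    ("10.0.0.5", "10.0.1.10", 80, True),
    ("10.0.0.6", "10.0.1.10", 443, True),
    ("10.0.0.5", "10.0.1.11", 22, True),
    ("10.0.0.6", "10.0.1.12", 25, True),   # SMTP: filtered out
    ("10.0.0.5", "10.0.1.13", 53, True),   # DNS: filtered out
]

# Constructed current traffic: normal use, a port scan, a port sweep and a new service.
CURRENT = [
    ("10.0.0.5", "10.0.1.10", 80, True),
    ("10.0.0.6", "10.0.1.10", 443, True),
    ("10.0.0.5", "10.0.1.13", 53, True),
]
CURRENT += [("10.0.0.99", "10.0.1.10", p, p in (80, 443))
            for p in list(range(1000, 1012)) + [80, 443]]          # scan: 14 ports, one host
CURRENT += [("10.0.0.99", f"10.0.1.{n}", 22, False) for n in range(20, 32)]  # sweep: 12 hosts
CURRENT.append(("10.0.0.7", "10.0.1.11", 4444, True))               # service not in baseline


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for alert in detect_anomalies(base, CURRENT):
        print(alert)
    accept_service(base, "10.0.1.11", 4444)     # analyst marks the new service as legitimate
    print(len(detect_anomalies(base, CURRENT)), "alerts after acceptance")
```

The thresholds are the tuning knob the entry warns about: set too low and ordinary clients that touch many ports or hosts trip the scan and sweep rules, which is the source of the extra false alerts; set too high and the early probing stage goes unnoticed. The `accept_service` step is the "reconfigure the IDS to accept such traffic in the future" action, performed by a human rather than learned automatically.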

Posted: 07/08/2014, 04:20
