Skip to content

Securing Networks

AP Cybersecurity · Topic 3

Train
3.1

Network Vulnerabilities and Attacks

Syllabus
Learning ObjectiveEssential Knowledge

3.1.A
Identify common network attacks.

  • 3.1.A.1 The address resolution protocol (ARP) is used by a default gateway on a network to establish a table that pairs internet protocol (IP) addresses with media access control (MAC) addresses. An ARP poisoning attack is when an adversary sends falsified ARP packets to the default gateway to modify the table so that the adversary’s device receives traffic intended for the target by linking the target’s IP address to the adversary’s MAC address. Faking a MAC address is called MAC spoofing. This is an example of an on-path attack (or man-in-the-middle attack), which is when an adversary interrupts a data stream between two parties, captures both parties’ data, and copies or alters the data before sending them on. Both parties think they are communicating directly with each other, but instead they are each communicating with the adversary who is secretly intercepting their messages.
  • 3.1.A.2 A MAC flooding attack is when an adversary sends the target switch many Ethernet frames, each with a different MAC address. This can force the switch into broadcast mode, and the adversary can then collect all of the frames on the network (because they are being broadcast), which could allow the adversary to access sensitive information. This is an example of eavesdropping (or sniffing), which is when an adversary captures data in transit and can record and copy the data.
  • 3.1.A.3 A domain name system (DNS) poisoning attack is when an adversary pretends to be an authoritative name server (NS) and plants a fake DNS record on a DNS server to redirect browser traffic to a malicious website designed to steal credentials. This is an example of credential harvesting, which is when adversaries set up a fake login site that looks like a real one. Unsuspecting users enter their real credentials, which the adversaries capture and use.
  • 3.1.A.4 A smurf attack attempts to overwhelm a network with Internet Control Message Protocol (ICMP) requests. It is a type of denial of service (DoS) attack, which makes a system or resource unavailable to authorized users. During a smurf attack, an adversary sends many ICMP requests with the victim’s address to the network’s broadcast address. The network’s gateway then sends these requests to all devices on the network. Each device on the network replies to the victim’s address, creating a flood of traffic that can block legitimate messages. When multiple devices attack the same target simultaneously, it’s called a distributed denial of service (DDoS) attack.

3.1.B
Explain how adversaries can exploit network vulnerabilities to steal, disrupt, or destroy network communication.

  • 3.1.B.1 Adversaries can send malicious traffic into a network to flood it creating a DoS, to map the internal structure of the network, or to spoof a legitimate device. Networks without firewalls, or with improperly configured firewalls, are vulnerable to these types of attacks.
  • 3.1.B.2 Adversaries that have compromised a device often attempt to leverage their access to compromise other devices on the local area network (LAN).
  • 3.1.B.3 Adversaries that physically plug into a data port can gain access to a LAN through the switch port unless port security is enabled. This allows adversaries to launch DoS attacks or perform MAC flooding or MAC spoofing attacks.
  • 3.1.B.4 Adversaries standing outside of physically secure spaces can pick up the signals and beacon frames from a wireless access point that is broadcasting outside the physical space. This allows them to gather information about the wireless network and to attempt eavesdropping and cryptographic attacks on it.
  • 3.1.B.5 Adversaries can attempt to join networks to launch attacks from within the networks. Networks that do not authenticate devices and users make it easier for adversaries to join.
  • 3.1.B.6 If there is an open network port, an adversary can plug a wireless access point into the port creating a rogue access point. The adversary could use this rogue access point to access the internal network wirelessly (maybe even from outside the physical space). This allows the adversary direct access to the LAN, bypassing any firewalls.
  • 3.1.B.7 Adversaries can attempt to break wireless encryption and intercept, steal, or compromise data on a network.

3.1.C
Assess and document risks from network vulnerabilities.

  • 3.1.C.1 Vulnerabilities on a network can lead to adversaries being able to intercept and alter data in transit, launch DoS attacks, or move laterally on a network to gain access to more sensitive or critical systems. Network vulnerabilities can constitute a risk to confidentiality, integrity, and availability.
  • 3.1.C.2 There are automated vulnerability scanners that can check networks, devices, and applications for known vulnerabilities. These scanners produce a report that often includes the vulnerabilities detected, their severity, and mitigation recommendations.
  • 3.1.C.3 Successfully exploiting a network vulnerability often requires advanced technical ability and knowledge. This can impact the likelihood of an exploit.
  • 3.1.C.4 High risks from network vulnerabilities allow an adversary to easily have a significant impact by capturing network traffic, spoofing a legitimate device on the network, or launching a DoS attack.
    • Illustrative examples for 3.1.C.4:
      • An organization has a single unsegmented internal network that is accessible via a wireless network with weak encryption, and on that network it has a server running its proprietary web-application.
  • 3.1.C.5 Moderate risks from network vulnerabilities could include vulnerabilities that might give adversaries the ability to gain information about systems or devices on a network.
    • Illustrative examples for 3.1.C.5:
      • An organization’s external firewall is not configured to block external ICMP traffic.
  • 3.1.C.6 Low risks from network vulnerabilities include vulnerabilities that would be difficult to exploit and would likely have minimal negative impacts on an organization.
    • Illustrative examples for 3.1.C.6:
      • An organization has wireless access points that broadcast a beacon frame, which contains the network service set identifier (SSID) and the wireless encryption protocols.

Source: College Board AP Course and Exam Description

A man-in-the-middle attack
DDoS: a botnet floods a server

A network connects devices so they can share data - and every connection is a possible way in. You must know the classic network attacks and the tricks behind them.

  • ARP poisoning 地址解析投毒 - the address resolution protocol (ARP) 地址解析协议 pairs IP addresses with hardware MAC addresses 物理地址. An adversary sends fake ARP messages so traffic meant for the target flows to the adversary instead. This is an on-path attack 中间人攻击 (also called man-in-the-middle): the adversary secretly sits between two parties, reading and even altering their messages.
  • MAC flooding 物理地址泛洪 - flooding a switch 交换机 with fake MAC addresses forces it into broadcast mode, so the adversary can capture all traffic. This is a form of eavesdropping 窃听.
  • DNS poisoning 域名投毒 - planting a fake record on a domain name system (DNS) 域名系统 server redirects users to a malicious site to steal credentials (credential harvesting 凭据收集).
  • Smurf attack - flooding a network with ICMP requests aimed at the broadcast address, so every device replies to the victim. It is a denial of service (DoS) 拒绝服务 attack; when many machines attack at once it becomes a distributed denial of service (DDoS) 分布式拒绝服务.

Adversaries exploit weak networks to flood, map, or spoof devices. A physical data port with no port security lets an attacker plug in; an open port lets them install a rogue access point 非法接入点 that bypasses the firewall entirely. We rate network risk by impact and by how much skill the exploit needs.

To find weaknesses before an adversary does, organisations run an automated vulnerability scanner 自动漏洞扫描器: a tool that checks networks, devices, and applications against a database of known vulnerabilities, then produces a report listing each one found, how severe it is, and a recommended mitigation 缓解措施. Fixing the highest-severity items first is a core part of managing network risk.

Explore

Identify the network attack from its evidence

Each network attack leaves a distinct trace: ARP poisoning = one IP with two MACs; MAC flooding = a surge of new MACs; DNS poisoning = misdirected web traffic; smurf/DoS = a flood that blocks legitimate traffic.

Vocabulary Train
English Chinese Pinyin
ARP poisoning 地址解析投毒 dì zhǐ jiě xī tóu dú
address resolution protocol (ARP) 地址解析协议 dì zhǐ jiě xī xié yì
MAC addresses 物理地址 wù lǐ dì zhǐ
on-path attack 中间人攻击 zhōng jiān rén gōng jī
MAC flooding 物理地址泛洪 wù lǐ dì zhǐ fàn hóng
switch 交换机 jiāo huàn jī
eavesdropping 窃听 qiè tīng
DNS poisoning 域名投毒 yù míng tóu dú
domain name system (DNS) 域名系统 yù míng xì tǒng
credential harvesting 凭据收集 píng jù shōu jí
denial of service (DoS) 拒绝服务 jù jué fú wù
distributed denial of service (DDoS) 分布式拒绝服务 fēn bù shì jù jué fú wù
rogue access point 非法接入点 fēi fǎ jiē rù diǎn
automated vulnerability scanner 自动漏洞扫描器 zì dòng lòu dòng sǎo miáo qì
mitigation 缓解措施 huǎn jiě cuò shī
3.2

Protecting Networks: Managerial Controls and Wireless Security

Syllabus
Learning ObjectiveEssential Knowledge

3.2.A
Identify managerial controls related to network security.

  • 3.2.A.1 A router security policy will set forth a minimum configuration standard for routers on an organization’s network and may include:
    • Banning local user accounts (All router logins must use an approved authentication server.)
    • Disabling unnecessary services (e.g., Telnet)
    • Requiring a firewall (An organization may opt for a firewall device separate from the router.)
  • 3.2.A.2 A switch security policy will set forth a minimum configuration standard for switches on an organization’s network and may include:
    • Banning local user accounts (All switch logins must use an approved authentication server.)
    • Requiring port security to be enabled.
    • Using MAC filtering
  • 3.2.A.3 A virtual private network (VPN) policy will detail the minimum security requirements for employees using a VPN to access an organization’s internal network, and it may include:
    • A list of roles within the organization that are allowed to use a VPN to access the organization’s internal network
    • Authentication requirements for employees using a VPN (e.g., public/private key system or MFA)
    • A prohibition against split tunneling (also called dual tunneling)
  • 3.2.A.4 A wireless security policy will establish the minimum security requirements for wireless networks within an organization and may include:
    • Requiring users to authenticate to the wireless network through an extensible authentication protocol (EAP) connected to an approved authentication server
    • Requiring all wireless traffic to be encrypted using AES encryption with a minimum key length
    • Disabling beacon frames on wireless access points

3.2.B
Configure wireless network security features.

  • 3.2.B.1 Organizations can disable beacon frame broadcasting on wireless access points (WAPs) to make it harder for adversaries to find their wireless network and learn its basic properties.
  • 3.2.B.2 Organizations can control the broadcast direction and signal strength of a WAP so the signal does not extend beyond the physical space the access point is meant to cover.
  • 3.2.B.3 Organizations should enable strong wireless encryption protocols to ensure wireless frames are not readable by adversaries who might intercept them.
    • WEP, WPS, and the original WPA wireless encryption protocols have known vulnerabilities and are insecure.
    • WPA3 is currently the strongest wireless encryption algorithm.
  • 3.2.B.4 Organizations can enable MAC filtering to prevent unauthorized devices from accessing the network, and they can require users to authenticate when joining a network.

Source: College Board AP Course and Exam Description

Good network security starts with written policies that set a minimum standard: a router security policy and switch security policy ban local accounts and require port security; a VPN policy sets authentication rules and forbids split tunneling 分离隧道; and a wireless security policy requires strong encryption and authenticated access.

For wireless networks specifically, organisations disable beacon frames so the network is harder to find, control signal strength so it does not leak outside the building, enable strong encryption - WPA3 无线加密协议 is the current strongest, while old WEP and the original WPA are broken - and use MAC filtering to allow only known devices.

Vocabulary Train
English Chinese Pinyin
split tunneling 分离隧道 fēn lí suì dào
WPA3 无线加密协议 wú xiàn jiā mì xié yì
3.3

Protecting Networks: Segmentation

Syllabus
Learning ObjectiveEssential Knowledge

3.3.A
Identify techniques for segmenting a network.

  • 3.3.A.1 Firewall zones and rules can be used to create a screened subnet (also known as a demilitarized zone, or DMZ)—a network segment that sits between public, external networks like the internet and internal, private networks. A screened subnet is typically a lower security zone than the internal, private networks, and it typically holds an organization’s publicly facing resources, separating them from the internal network.
  • 3.3.A.2 Subnetting can be used to create different subnets based on IP addressing. If a device is compromised by an adversary, subnets can contain a security breach to reduce the number of exposed devices.
  • 3.3.A.3 Switches can be used to create VLANs, which logically separate devices physically connected to central switches.

3.3.B
Explain why network segmentation can increase network security.

  • 3.3.B.1 Network segmentation refers to the process of dividing a network into smaller, isolated segments or subnetworks (subnets).
  • 3.3.B.2 Dividing a network into smaller subnets isolates network traffic, which can prevent attacks on one subnet from impacting devices on other subnets.
  • 3.3.B.3 Network segmentation can allow for different security policies and controls to be applied to different segments of the network, allowing for higher security zones and lower security zones.
  • 3.3.B.4 Port security on a switch can prevent MAC flooding by limiting the number of addresses assignable to any single switch port.

Source: College Board AP Course and Exam Description

Network segmentation 网络分段 divides one network into smaller, isolated pieces (subnets 子网). If one subnet is breached, the damage is contained and cannot spread.

A key pattern is the screened subnet 屏蔽子网 (also called a DMZ 隔离区). It sits between the public internet and the private internal network, holding an organisation's public-facing servers in a lower-security zone - separated from the sensitive internal systems.

A screened subnet (DMZ) puts public servers between two firewalls, away from the private network A screened subnet (DMZ) puts public servers between two firewalls, away from the private network

Segments can also be built with subnetting (by IP address) or VLANs 虚拟局域网 (logically separating devices on the same switch). Each segment can then get its own security policy - higher-security and lower-security zones.

Vocabulary Train
English Chinese Pinyin
Network segmentation 网络分段 wǎng luò fēn duàn
subnets 子网 zi wǎng
screened subnet 屏蔽子网 píng bì zi wǎng
DMZ 隔离区 gé lí qū
VLANs 虚拟局域网 xū nǐ jú yù wǎng
3.4

Protecting Networks: Firewalls

Syllabus
Learning ObjectiveEssential Knowledge

3.4.A
Identify types of network-based firewalls.

  • 3.4.A.1 A firewall is used to allow or deny network traffic in or out of a network. The firewall itself is software that can be hosted on a standalone device or integrated into another network device, such as a router.
  • 3.4.A.2 A stateless firewall filters traffic based on information in packet headers, such as IP addresses, ports, and protocols.
  • 3.4.A.3 A stateful firewall (also known as dynamic packet filtering) tracks the state of network connections passing through the firewall and can filter according to connection-related rules in addition to the filtering done by a stateless firewall. This allows for more control over content allowed in and out of a network.
  • 3.4.A.4 A next-generation firewall (NGFW) has both the capabilities of typical stateless and stateful firewalls and additional advanced features, such as intrusion prevention, deep packet inspection, and filtering by application type.

3.4.B
Explain how a firewall uses an access control list to allow or deny traffic entering or leaving a network.

  • 3.4.B.1 Network administrators create a set of rules, called an access control list (ACL), that a firewall uses to permit or deny inbound and outbound network traffic.
  • 3.4.B.2 ACL rules are checked in order and the first rule that matches the criteria will be executed for the specified data.
  • 3.4.B.3 A typical ACL will specify the direction of traffic (inbound or outbound), the criterion to filter by (IP addresses, logical port, service, or application), and the action to take (permit or deny).

3.4.C
Determine the effective placement of firewalls in a network.

  • 3.4.C.1 Each segment of a network should have a firewall to control the flow of data in and out of that segment.
  • 3.4.C.2 Network segments may have different security needs based on the data and services within them. The level of security for each firewall can be set independently.
  • 3.4.C.3 Each point of data ingress and egress between the internal network and the public internet should have a firewall.

3.4.D
Configure a firewall to manage the flow of network traffic.

  • 3.4.D.1 The requirements for a firewall will specify what type of traffic from which sources or to which destinations should be allowed or denied.
  • 3.4.D.2 Specific rules for a firewall can allow or deny inbound or outbound traffic based on source or destination port or IP address, service, protocol, or application.
    • Illustrative examples for 3.4.D.2:
      • Allow inbound TCP port 22 from ALL; (this rule will allow all inbound TCP traffic with destination port 22, which is the designated port for the SSH protocol)
      • Deny inbound TCP port 80 from 192.168.1.0/24; (this rule will deny inbound TCP traffic with destination port 80 from IP addresses in the 192.168.1.0-192.168.1.255 range)
  • 3.4.D.3 Rules are implemented in order, and changing the order of a set of rules can change which traffic is allowed or denied. Consideration must be given to the precedence of filtering priorities when establishing the order of rules.
    • Illustrative examples for 3.4.D.3:
      • This set of rules would allow SSH traffic and deny other inbound TCP traffic
      • Rule 1: ALLOW inbound TCP port 22 from ALL;
      • Rule 2: DENY inbound TCP ALL from ALL;
      • Reversing the order of those rules would deny all inbound TCP traffic including SSH traffic.

Source: College Board AP Course and Exam Description

How a firewall decides

A firewall 防火墙 allows or denies traffic entering or leaving a network. There are several kinds:

  • Stateless 无状态 - filters on packet headers alone (IP, port, protocol).
  • Stateful 有状态 - also tracks the state of each connection for finer control.
  • Next-generation (NGFW) - adds advanced features like intrusion prevention and deep packet inspection.

A firewall follows an access control list (ACL) 访问控制列表 - an ordered set of rules. Rules are checked in order, and the first match wins, so the order of rules changes which traffic gets through. Each rule specifies a direction, a thing to filter by (IP, port, service), and an action (permit or deny).

A firewall checks its ACL top to bottom; the first matching rule decides A firewall checks its ACL top to bottom; the first matching rule decides

Worked example. A firewall has Rule 3: DENY TCP 443 from 192.168.*, and lower down Rule 7: ALLOW TCP 443 from ALL. A user at 192.168.45.37 cannot reach port 443 - even though Rule 7 would allow them - because Rule 3 matches first, and the first match wins. The fix is to move the ALLOW rule above the DENY. This is why rule order, not just rule content, decides what traffic gets through.

Firewalls belong at every point where data crosses between zones - at each network segment and at every gateway to the public internet.

Rack-mounted network switches with many ethernet cables Real network hardware: a firewall is a device (or software) sitting where these cables meet the outside world

Vocabulary Train
English Chinese Pinyin
firewall 防火墙 fáng huǒ qiáng
Stateless 无状态 wú zhuàng tài
Stateful 有状态 yǒu zhuàng tài
access control list (ACL) 访问控制列表 fǎng wèn kòng zhì liè biǎo
3.5

Detecting Network Attacks

Syllabus
Learning ObjectiveEssential Knowledge

3.5.A
Identify types of automated security tools used to detect network attacks.

  • 3.5.A.1 Automated detection tools analyze data collected from an organization’s network and devices, such as switches and routers, servers, firewalls, and user computers. These data are often collected in a log file.
  • 3.5.A.2 A network intrusion detection system (NIDS) is an automated tool that analyzes data to determine if malicious activity is taking place on a network. When an attack is detected, it generates an alert.
  • 3.5.A.3 A network intrusion prevention system (NIPS) is an automated tool that, like an IDS, analyzes data to determine if malicious activity is taking place on a network. A NIPS can also mitigate or halt an attack by closing ports, blocking specific IP or MAC addresses, or rejecting specific protocols.
  • 3.5.A.4 A security information and event management (SIEM) system collects and analyzes data from multiple sources (including firewalls, NIDS/NIPS, device logs, and application logs) to detect patterns that may indicate a cyberattack and raises an alert if a potential attack is detected. Security analysts investigate the alert to determine whether it represents a true threat and follow standard operating procedures to resolve or escalate the alert.

3.5.B
Explain how organizations can leverage artificial intelligence (AI) to enhance threat detection and response.

  • 3.5.B.1 Computers log every action that users take. Firewalls, IDS, IPS, and other network sensors log all the traffic passing through various points in a network. A medium-sized organization’s network is logging millions (or even tens of millions) of data points per day. Even a large team of humans is incapable of analyzing so much data.
  • 3.5.B.2 Threat detection teams are creating AI algorithms to analyze large amounts of data and classify the data patterns as malicious or normal.
  • 3.5.B.3 AI models for threat detection are based on probabilistic calculations; they report a percentage to indicate the likelihood that something is malicious.
  • 3.5.B.4 Organizations determine their own thresholds for what percentage of likelihood of a threat results in an alert. If the threshold is set too high, real attacks may go undetected; if the threshold is too low, the security team will be overwhelmed with false alerts.

3.5.C
Determine a network detection method.

  • 3.5.C.1 Volume of network traffic is a criterion for determining a detection method. Signature-based detection is more efficient for networks with high traffic volume. Signature-based detection compares detection data to a database of known indicators of compromise (IoCs), called signatures. Signature databases must be updated with IoCs for the latest attacks. Signature-based detection runs more quickly than anomaly-based detection.
  • 3.5.C.2 Consistency of network traffic patterns is a criterion for determining a detection method. Anomaly-based detection is most effective on networks with consistent traffic patterns. Anomaly-based detection compares detection data to a baseline of recorded activity. Baselines must be recorded on uncompromised systems to establish expected data types and volumes. Anomaly-based detection triggers an alert or action when data types or volumes outside of a specified tolerance range are recorded. Anomaly-based detection relies on consistent patterns in network traffic to detect anomalous traffic patterns.
  • 3.5.C.3 Degree of sensitivity or criticality of a network is a criterion for determining a detection method. Networks with more sensitive or critical data or services will likely consider a hybrid approach. Hybrid detection combines signature-based and anomaly-based detection. Hybrid detection is more expensive than using either signature- or anomaly-based detection alone, and hybrid-detection models generate more alerts.
  • 3.5.C.4 Likelihood of novel attacks on a network is a criterion for determining a detection method. Signature-based detection cannot detect a new attack. When an organization suspects that adversaries are likely to attempt a new attack on a network, anomaly-based detection is the preferred method when the cost of hybrid detection is prohibitively high.

3.5.D
Evaluate the impact of a network detection method.

  • 3.5.D.1 Speed of detection is a factor in evaluating the impact of a network detection method. Faster detection enables faster response. Signature-based detection methods are faster than anomaly-based detection methods, especially on networks with high traffic volume.
  • 3.5.D.2 Cost is a factor in evaluating the impact of a network detection method. Detection tools and ongoing costs need to be within a budget. Anomaly-based detection systems require more expensive hardware to operate than signature based. Hybrid detection is the most expensive option because it combines both anomaly- and signature-based methods.
  • 3.5.D.3 False positive rate is a factor in evaluating the impact of a network detection method. Signature-based detection has almost no false positives. Anomaly-based or hybrid detection will have higher false positive rates. Impacts of high false positive rates include:
    • Time and resources are put toward investigating alerts for nonmalicious activity.
    • Alert fatigue is a condition that occurs when responders get accustomed to false positives and take alerts less seriously because they assume alerts are false positives before investigating them.
  • 3.5.D.4 False negative rate is a factor in evaluating the impact of a network detection method. A false negative occurs when an adversary can bypass a detection system. Signature-based detection systems are easier to bypass than anomaly-based or hybrid systems. False negatives can result in adversaries causing loss, harm, disruption, or destruction to data and systems.

3.5.E
Apply detection techniques to identify indicators of network attacks by analyzing log files.

  • 3.5.E.1 Evil-twin attacks can be detected by regularly scanning for service set identifiers (SSIDs) that look suspicious or similar to local legitimate SSIDs. Signal triangulation can be used to locate and disable an access point broadcasting an evil-twin network.
  • 3.5.E.2 Jamming attacks can be detected by recognizing that no wireless devices in a specific physical space are able to connect to a wireless network and by scanning for electromagnetic (EM) noise in the wireless range.
  • 3.5.E.3 ARP poisoning attacks can be detected by monitoring network traffic for unusual ARP messages (particularly duplicate MAC address ARP packets) and checking the ARP table on the default gateway.
  • 3.5.E.4 MAC flooding attacks can be detected by monitoring network traffic for an unexpected surge of Ethernet frames with different MAC addresses and checking the MAC address table on a switch.
  • 3.5.E.5 DNS poisoning attacks are difficult to detect. However, if an organization’s website experiences an abrupt and otherwise inexplicable drop in traffic, DNS records should be examined as a potential cause.
  • 3.5.E.6 Smurf attacks can be detected by watching network traffic for a sudden increase in ICMP requests sent to the network’s broadcast address.
  • 3.5.E.7 Network-based IoCs are discovered when analyzing network traffic, often in the form of packet capture files. Indicators can be found in source and destination IP addresses, ports, and protocols. These can include:
    • Connections to known malicious IP addresses
    • Unauthorized network scans
    • Unusual spikes or slow downs in network traffic
    • Mismatched port-application traffic

Source: College Board AP Course and Exam Description

When prevention fails, detection takes over. Automated tools read the log files 日志文件 that record network activity:

  • a network intrusion detection system (NIDS) 网络入侵检测系统 analyses traffic and raises an alert, but does not block;
  • a network intrusion prevention system (NIPS) 网络入侵防御系统 can also stop an attack by closing ports or blocking addresses;
  • a security information and event management (SIEM) 安全信息与事件管理 system gathers data from many sources to spot patterns.

There are two detection methods. Signature-based 基于特征 detection compares traffic to a database of known attack signatures - fast and low on false alarms, but blind to brand-new attacks. Anomaly-based 基于异常 detection compares traffic to a normal baseline 基线 and flags anything unusual - it can catch novel attacks but needs more resources and raises more false alarms. A hybrid approach combines both.

Examining captured traffic (packet-capture files), analysts hunt for network-based indicators of compromise 网络入侵指标 in the source and destination IP addresses, ports, and protocols. Four common ones: connections to known-malicious IP addresses, unauthorized network scans (an outsider probing your ports), unusual spikes or slowdowns in traffic, and mismatched port-application traffic (for example, non-web traffic flowing over port 80). These complete the host-, file-, and behaviour-based indicators a single device logs.

AI, thresholds, and alert fatigue

A medium network logs millions of events a day - far more than any team can read - so organisations train AI models to sort likely-malicious patterns from normal ones. These models are probabilistic 概率的: rather than a yes/no, each event gets a percentage likelihood of being malicious.

The organisation then sets a threshold 阈值 - the likelihood at which an alert fires - and that choice is a genuine trade-off:

  • set the threshold too high and real attacks slip through undetected;
  • set it too low and the team is overwhelmed with false alerts.

Too many false alerts cause alert fatigue 警报疲劳: responders get so used to false positives that they start assuming an alert is false before investigating it - so a real attack, when it finally comes, is waved away. This is exactly why a low false-positive rate matters: signature-based detection has almost none, while anomaly-based and hybrid detection trade a higher false-positive rate for the ability to catch novel attacks.

Signature-based detection matches known attacks; anomaly-based detection flags deviations from normal Signature-based detection matches known attacks; anomaly-based detection flags deviations from normal

Vocabulary Train
English Chinese Pinyin
log files 日志文件 rì zhì wén jiàn
network intrusion detection system (NIDS) 网络入侵检测系统 wǎng luò rù qīn jiǎn cè xì tǒng
network intrusion prevention system (NIPS) 网络入侵防御系统 wǎng luò rù qīn fáng yù xì tǒng
security information and event management (SIEM) 安全信息与事件管理 ān quán xìn xī yǔ shì jiàn guǎn lǐ
Signature-based 基于特征 jī yú tè zhēng
Anomaly-based 基于异常 jī yú yì cháng
baseline 基线 jī xiàn
network-based indicators of compromise 网络入侵指标 wǎng luò rù qīn zhǐ biāo
probabilistic 概率的 gài lǜ de
threshold 阈值 yù zhí
alert fatigue 警报疲劳 jǐng bào pí láo
3.5

Exam tips

  • For firewall-ACL questions, read the rules top-to-bottom and stop at the first match - a Deny rule above an Allow blocks the traffic even though the Allow exists lower down.
  • Pair each attack with its tell-tale sign: ARP poisoning = one IP with two MAC addresses; MAC flooding = a surge of new MAC addresses; DNS poisoning = an unexplained drop in web traffic.
  • Read packet captures for network-based IoCs: known-malicious IPs, unauthorized scans, traffic spikes/slowdowns, and mismatched port-application traffic.
  • Run vulnerability scanners to find known weaknesses proactively, and fix the highest-severity findings first.
  • Signature-based = fast, few false positives, misses new attacks (more false negatives); anomaly-based = catches new attacks, costs more, more false positives. Memorise this trade-off.
  • A screened subnet / DMZ holds public-facing servers between the internet and the private network - name it whenever a question separates public services from internal data.
  • WPA3 is the strong wireless encryption; WEP and original WPA are insecure.

Log in or create account

IGCSE & A-Level