CS3609 - Cyber Security past papers exam question and answer
110 views 3 purchases
Course
(CS3609)
Institution
Brunel University (BU)
CS3609 - Cyber Security past paper exam question and answer from past few years. I sat my exam in may 2023 and most of the questions are same and literally picked from past papers. This got me easy A+ in the exam.
Question A.1
Anomaly-based Intrusion Detection Systems (IDS) are often employed to defend against cyber-
attacks.
a) Define what anomaly-based IDS are and describe the three different approaches, giving
examples of the specific techniques that are used in each approach [15 marks]
An IDS system is a device or piece of software that monitors networks for malicious activity, policy
violations or unwanted intrusions. An anomaly-based IDS is a Specialised intelligent analysis of
security events through statistics, machine learning and artificial intelligence.
The 1st approach is statistical. This approach looks for correlations and significant changes
and deviations from normal data. Examples of this approach include:
o Chi-squared
o Pearson’s Correlation
o T-tests
o ANOVA
o Kruskal-Wallis
o Principal Component Analysis
The 2nd approach is Supervised. Uses a known dataset to build a ‘normal’ model and make
predictions for future data points. Examples of this approach include:
o Support Vector Machines
o Neural Networks
o Decision Trees
o Nearest Neighbour
o Regression
o Bayesian Networks
The 3rd approach is Unsupervised. Infers relationships by grouping points in unlabelled data.
Examples of this approach include:
o Hierarchical Clustering
o K-means Clustering
o Self-Organising Maps
o Hidden Markov Models
Statistical looks for correlations and significant changes and deviations from the normal
data. Hence it identifies distinctive features and establishes a baseline for ‘normality’ and
monitors behaviour from baseline ‘anomaly’. It builds a distribution model for normal
behaviour profile and detects low probability events and flags them as potential intrusion.
The longer the system is on the network, the more accurate it becomes. All packets are
given an anomaly score (indicating the degree of irregularity) and if the anomaly score is
higher than a certain threshold, the IDS will generate an alert. The key is for it to learn to
distinguish normal from anomalous network activity. One specific technique is chi-squared
which is used to determine if there is a significant difference between observed and actual
results. Anova is another technique that helps to identify anomalies by comparing the means
of different data sets. Example if the mean size of incoming packets is significantly different
than mean size of outgoing packets, it will detect an anomaly in the network.
Another approach is supervised IDS which uses a known dataset to build a normal model
and make predictions for future data points. It uses pre-defined rules/models to define what
, is normal and the IDS then compares incoming network traffic and system activity to this
datasets/models to detect any anomalies and specific techniques include rule-based system,
neural networks and decision trees. Neural network is a type of machine learning algorithm
and in this case, it’s trained on normal but also deviated traffic behaviour for it to learn and
quickly identify patterns. Another such technique is decision trees that constructs a tree like
model of decisions and possible consequences. Each decision in the tree is based on specific
feature or attributes of the data being analysed and it can be effective for detecting attacks
but perhaps not so much at new or unknown attacks.
Lastly are unsupervised IDS which infers relationships by grouping points in unlabelled data.
One common technique is K-means clustering that groups data based on clusters
(similarities). K-means clustering will cluster all data into the corresponding groups before
applying a classifier for classification purposes with reasonable false alarm rate and has led
to high accuracy and good detection rates. The algorithm selects K points as the initial
centroid and assigns each data point to the nearest centroid. The algorithm then
recalculates the centroid based on the mean value of each centroid and reassigns data
values until clusters no longer change. It can detect unusual patterns and outliers which can
indicate a potential cyber-attack such as an increase in traffic to a specific IP address.
Question A.2
a) Identify the key elements of risk that need to be properly documented for risk management and
explain the relationships between them. You should use a diagram to aid your explanation.
[15 marks]
Identify the key elements of risk that need to be properly documented for risk management
are stakeholders, threat agents, risk, vulnerabilities, threats, assets and existing controls.
These are the 7 risk identifiers.
o Stakeholder – people who are wanting to minimize risks to assets. They do this by
imposing controls and are aware of vulnerabilities.
o Threats – these are possible attacks that an attacker may use to gain unauthorized
access to a system and/or take down a system. Threats led to vulnerabilities within a
system.
o Assets – these are valuable assets to an organization or stakeholders which need
protection.
o Risk – this is the level of impact towards and asset the likelihood of an asset being
attacked.
o Threat agent – is an attacker who wishes to abuse and/or cause harm to assets by
creating threats to assets
o Existing controls – these are countermeasures to mitigate attacks from threat
agents.
, The next step is to conduct a risk analysis on these identifiers. This includes assessment of
the impact from the risk, assessment of likelihood and the level of risk determination. The
final stage is to conduct a risk evaluation based on risk evaluation criteria.
Risks may be analysed using either Quantitative or Qualitative risk methodologies. The
quantitative methodology includes performing calculations based on the actual value of
assets such as ALE (Annualized Loss Expectancy).
The qualitative methodology includes creating a table which analyses the current risks that
can affect the system and where vulnerabilities may lie. This methodology also helps to
identify what kind of effect a threat has through CIA (confidentiality, integrity and
availability). It uses the qualitative risk scale to calculate the risk using the likelihood and
impact.
b) Describe and compare quantitative and qualitative risk analysis approaches, explaining the
associated advantages and disadvantages of each type of approach. [25 marks]
Quantitative risk analysis:
What is it - Quantitative risk analysis is a method of evaluating risks by using data and statistical
analysis to estimate the likelihood and potential impact of each risk. It is an approach where the cost
or value of the identified risk and its financial impact are examined. By quantifying risks, a financial
business decision can be made in alignment with a risk transfer strategy (e.g., buying more insurance
coverage). In the quantitative approach, the data is not always provided, its subjective, in terms of
scale, we use categories marked out of 10, high medium low.
Advantages:
Easier to automate than qualitative assessments - Quantitative risk assessment requires a lot
of data and calculations, which can be easily obtained and processed through automated
tools. For example, automated tools can easily collect and analyse data from various
sources, such as vulnerability scanners, network monitoring tools, and security logs.
More objective than a qualitative analysis in that it attempts to describe risk in financial
terms and put a dollar value on each risk. As this is objective, it gives more accurate findings
to understand values of the assets that an organization has.
Helps identify more valuable assets to understand what assets should have a higher level of
protection
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller tailr019304. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $11.31. You're not tied to anything after your purchase.