Which sequence correctly represents NSM processing?
A. Detector → Sensor → Parser → Actuator
B. Sensor → Parser → Integrator → Detector
C. Parser → Sensor → Detector → Inspector
D. Integrator → Sensor → Detector → Parser
Answer: B
A system combines duplicate alerts into a single event. Which component is responsible?
A. Sensor
B. Parser
C. Integrator
D. Detector
Answer: C
Which detection method is MOST likely to produce false positives?
A. Signature-based
B. Rule-based
C. Unsupervised ML
D. Static analysis
Answer:
Which is the FIRST step in NSM?
A. Detector
B. Parser
C. Sensor
D. Actuator
Answer: C
Explanation:
The sensor collects raw data first; every other component depends on the data it gathers.
Which component standardises log formats?
A. Sensor
B. Parser
C. Integrator
D. Detector
Answer: B
Explanation:
The parser converts logs from different sources into a common structure.
Which component combines multiple data sources?
A. Detector
B. Parser
C. Integrator
D. Sensor
Answer: C
Explanation:
The integrator correlates events across data sources and removes duplicates.
Which detection method cannot detect zero-day attacks?
A. Unsupervised ML
B. Behavioural
C. Signature-based
D. Statistical
Answer: C
Explanation:
Signature-based detection cannot identify zero-day attacks because it relies on known patterns, hashes, or signatures of previously discovered threats. A zero-day exploit is new and unknown, so no signature exists yet.
What is the main purpose of Network Security Monitoring (NSM)?
A. Prevent all attacks
B. Detect intrusions and respond
C. Encrypt traffic
D. Replace firewalls
Answer: B
Explanation:
NSM focuses on detecting attackers already inside the network and responding quickly. Unlike prevention tools, NSM assumes attacks will happen (“prevention will fail”) and emphasises visibility, detection, and response before damage occurs.
How does NSM differ from continuous monitoring?
A. NSM focuses on vulnerabilities
B. Continuous monitoring focuses on attackers
C. NSM is threat-centric
D. Both are the same
Answer: C
Explanation:
NSM is threat-centric, meaning it focuses on identifying adversaries and malicious activity. Continuous monitoring is vulnerability-centric, focusing on system weaknesses and configurations. This distinction is frequently tested in exams.
What does a sensor do in NSM?
A. Analyse logs
B. Collect network data
C. Correlate events
D. Respond to attacks
Answer: B
Explanation:
Sensors collect raw data such as packets or logs from network devices. Tools like Wireshark act as sensors. This is the first step in NSM, as all analysis depends on the data collected at this stage.
What is parsing?
A. Encrypting logs
B. Extracting structured data from logs
C. Deleting logs
D. Blocking traffic
Answer: B
Explanation:
Parsing converts raw log data into a structured format. Since logs come from different systems with different formats, parsing ensures consistency so they can be analysed and correlated effectively.
What does the integrator do?
A. Collect logs
B. Standardise logs
C. Correlate events
D. Execute malware
Answer: C
Explanation:
The integrator combines data from multiple sources and correlates related events. This helps identify patterns such as multiple alerts forming a single attack. It also reduces redundancy in collected data.
Which detection method cannot detect zero-day attacks?
A. Unsupervised ML
B. Behavioural
C. Signature-based
D. Statistical
Answer: C
Explanation:
Signature-based detection relies on known attack patterns. Since zero-day attacks are new and unknown, they do not have signatures, making them undetectable by this method. This is a key limitation discussed in lectures.
What is the role of an actuator?
A. Collect logs
B. Analyse traffic
C. Perform response actions
D. Store data
Answer: C
Explanation:
The actuator is responsible for responding to detected threats, either manually or automatically. This can include actions like blocking IPs, isolating systems, or triggering alerts to security teams.
NSM is:
A. Vulnerability-centric
B. Threat-centric
C. Encryption-based
D. Policy-based
Answer: B
Explanation:
NSM is threat-centric, meaning it focuses on identifying adversaries and malicious activity. This differs from continuous monitoring, which focuses on system weaknesses rather than attackers.
Continuous monitoring focuses on:
A. Attackers
B. Vulnerabilities
C. Logs
D. Encryption
Answer: B
Explanation:
Continuous monitoring tracks system configurations and vulnerabilities to ensure systems remain secure. It is proactive, while NSM is reactive and focused on detecting threats.
What does a sensor do?
A. Analyse logs
B. Collect network data
C. Correlate events
D. Respond
Answer: B
Explanation:
Sensors collect raw data such as network traffic or logs. Tools like Wireshark act as sensors. This data is then passed to other NSM components for processing and analysis.
What is parsing?
A. Encrypt logs
B. Convert logs into structured format
C. Delete logs
D. Block traffic
Answer: B
Explanation:
Parsing extracts relevant information from raw logs and converts it into a structured format. This is important because logs from different systems have different formats, and parsing standardises them.
What does the integrator do?
A. Collect logs
B. Standardise logs
C. Correlate events
D. Execute malware
Answer: C
Explanation:
The integrator combines data from multiple sources and correlates related events. This helps identify patterns and reduces duplicate alerts, improving detection accuracy.
What is the role of the detector?
A. Collect data
B. Identify suspicious activity
C. Store logs
D. Encrypt
Answer: B
Explanation:
The detector analyses data to identify malicious behaviour. It may use signature-based methods or data-driven approaches such as machine learning to detect anomalies.
Signature-based detection:
A. Detects unknown attacks
B. Detects known patterns
C. Uses ML
D. Encrypts logs
Answer: B
Explanation:
Signature-based detection works by matching activity against known attack patterns. It is effective for known threats but cannot detect new or unknown attacks (zero-days).
Which can detect zero-day attacks?
A. Signature-based
B. Supervised ML
C. Unsupervised ML
D. Rule-based
Answer: C
Explanation:
Unsupervised machine learning detects anomalies by identifying behaviour that deviates from normal patterns. This allows it to potentially detect previously unknown attacks, although it may produce false positives.
What does an actuator do?
A. Collect logs
B. Analyse data
C. Respond to incidents
D. Store logs
Answer: C
Explanation:
The actuator performs response actions after an incident is detected. This may include blocking IP addresses, isolating systems, or triggering automated responses to mitigate threats.