Chapter 6 Flashcards

(294 cards)

1
What are the three main parts of Chapter 6?
Network Monitoring, Industrial Intrusion Detection, and Honeypots.
2
What is the main goal of detective measures in industrial networks?
To identify activities that indicate an attack or policy violation.
3
Why are detective measures needed even when preventive measures exist?
Because segmentation, firewalls, and other preventive controls cannot stop every attack.
4
What are the two main monitoring concepts emphasized early in Chapter 6?
Exception reporting and anomaly detection.
5
What is exception reporting in industrial security monitoring?
It identifies and reports security-policy violations in a zone or conduit.
6
What is an example of exception reporting in a zone?
A user, system, or application interacts with devices outside the operational parameters defined for the zone or conduit.
7
What is anomaly detection in industrial monitoring?
It identifies suspicious patterns that deviate from expected behavior patterns.
8
What does anomaly detection rely on?
It relies on establishing an invariant baseline of operational behavior and detecting deviations from it.
9
What is a key quality requirement for anomaly-detection algorithms?
They should have low false-positive rates.
10
Why are anomaly-detection algorithms often statistical?
Because they compare current observations against learned normal behavior.
11
What is a log?
A record of events that occur in a computer system.
12
What should good log data reveal?
Security-relevant information about what happened, when, where, who initiated it, which parameters were used, what the result was, and who reported it.
13
What does ‘what happened’ mean in good log data?
The event type and category.
14
What does ‘when it happened’ mean in good log data?
The event timestamp.
15
What does ‘where it happened’ mean in good log data?
The affected system, host, or process.
16
What does ‘who initiated the action’ mean in good log data?
The responsible user, IP address, or other origin identifier.
17
What does ‘what parameters were used’ mean in log data?
Details such as an HTTP request, command arguments, or protocol fields.
18
What does ‘what the result was’ mean in log data?
The outcome, such as success, failure, or access denied.
19
What does ‘who reported the action’ mean in log data?
The component that produced the log message, such as a firewall or SSH daemon.
20
Why are logs important for industrial security?
They provide evidence and context for detecting, understanding, and later investigating incidents.
21
What are the three deployment approaches for network monitoring shown in the lecture?
Inline deployment, network taps, and switch spanning ports.
22
What is inline network monitoring?
A monitor is placed directly in the traffic path so all monitored traffic passes through it.
23
Why is inline network monitoring uncommon?
Because it makes connectivity dependent on monitor health and is usually used only when other options are not possible.
24
Why is inline monitoring often only a temporary or emergency solution?
Because it introduces operational risk by putting the monitor directly into the communication path.
25
What is a network tap in monitoring?
A passive device that creates a copy of network traffic for a monitoring system.
26
What is a switch spanning port in monitoring?
A switch port configured to mirror traffic so a monitor can inspect it.
27
What is a potential limitation of switch spanning ports?
They can miss traffic during burst periods.
28
What is the most important deployment requirement for any network monitor?
It must be placed so that it can observe all relevant traffic.
29
Why does sensor placement matter in monitoring?
Because what the monitor can detect depends entirely on what traffic it can see.
30
What is the dilemma of monitoring security zones?
Network-wide situation awareness requires data from many zones, but sharing data across zones can weaken their isolation.
31
Why can centralized monitoring put security zones at risk?
Because routing security data out of isolated zones creates additional connections and therefore additional attack surface.
32
What is a possible solution to the monitoring-zones dilemma?
A data diode or one-way gateway.
33
Why is a data diode useful for centralized monitoring?
It allows security data to leave a zone without allowing traffic back into the zone.
34
Why can routes through zone firewalls to a centralized monitor be dangerous?
Because every permitted path is a potential vulnerability.
35
What does SIEM stand for?
Security Information and Event Management.
36
What does a SIEM combine conceptually?
Security event management and security information management.
37
What does SEM contribute to a SIEM?
Real-time monitoring, event correlation, notifications, and use of threat intelligence.
38
What does SIM contribute to a SIEM?
Long-term storage, analysis, reporting, and console views of log data.
39
Where is a SIEM typically deployed?
In a security operations center (SOC).
40
What is a SOC in this context?
A control room where devices and networks are monitored, assessed, and defended.
41
What is the first step in the SIEM workflow?
Collect data from log sources.
42
What happens in the log-collection step of a SIEM?
Log data from various sources is obtained, aggregated, and normalized.
43
What happens in SIEM event correlation?
Different events are linked together to detect sophisticated attacks.
44
What happens in SIEM alerting?
The SOC is notified and the system may automatically react to threats.
45
What happens in SIEM reporting?
Security and compliance reports are generated to visualize event data.
46
What happens in SIEM archiving?
Historical logs are stored long-term to support later investigation and correlation over time.
47
Why is SIEM useful in industrial security?
It provides centralized, higher-level situation awareness across many systems and log sources.
48
What is intrusion detection?
The process of continuously monitoring and examining events on devices or in networks to detect security incidents.
49
Why is intrusion detection considered attractive for industrial networks?
Because it is comparatively easy to retrofit.
50
What is an intrusion detection system (IDS)?
An automated system that monitors traffic or host events to detect intrusions and raise alarms.
51
What is an intrusion prevention system (IPS)?
A special type of IDS that also attempts to stop an intrusion automatically.
52
Why are IPSs rare in industrial networks?
Because active intervention can endanger safety and availability.
53
What do people often mean when they say IDS in practice?
They often use the term broadly to include IPS functionality as well.
54
How do firewalls differ from IDSs?
Firewalls actively filter traffic using predefined rules, while IDSs passively analyze traffic or events to detect suspicious behavior.
55
How do IPSs differ from IDSs?
IPSs not only detect malicious behavior but also enforce countermeasures automatically.
56
How does an IPS differ from a firewall?
An IPS analyzes traffic behavior before acting, while a firewall mainly checks predefined filtering rules.
57
How are network monitoring and intrusion detection related?
They go hand in hand because monitored network data often serves as input to an IDS.
58
How can IDS output be used by a SIEM?
IDS events can be forwarded into a SIEM for correlation, monitoring, and incident handling.
59
Why are SIEM and IDS sometimes tightly coupled?
Because a unified platform can both analyze events and provide operational monitoring and alerting.
60
What is the main assumption underlying intrusion detection?
Intruder behavior differs from legitimate behavior in a quantifiable way.
61
What unavoidable consequence follows from that assumption?
There will always be false positives and false negatives.
62
Why should intrusion detection operate in near real time?
So that security teams can react quickly, and prevention becomes feasible if needed.
63
What are the core goals of intrusion detection?
Detect many types of attacks, detect them in time, provide understandable alarms, and minimize false alarms and missed detections.
64
Why must IDSs detect both known and unknown attacks?
Because industrial systems face both previously known attack patterns and new or modified attacks.
65
Why should alarms be easy to understand?
Because security teams must verify and interpret them quickly.
66
What ideal alarm format is mentioned in the lecture?
A simple binary distinction between normal and malicious activity.
67
Why is real IDS output often more complex than a simple binary decision?
Because expert analysis is usually still needed to interpret alerts correctly.
68
What is the Bayesian or base-rate fallacy in intrusion detection?
When real intrusions are rare, even a good detector can still produce many false alarms relative to the number of true alarms.
69
Why is the base-rate fallacy especially relevant to IDSs?
Because true attacks are typically much rarer than benign events.
70
What lesson does the lecture’s medical-test analogy convey for IDSs?
A positive alert does not automatically mean an intrusion is likely if the event being detected is rare.
71
Why can a detector with good sensitivity still be operationally problematic?
Because a low base rate of attacks can make most alarms false positives.
72
What is a confusion matrix in intrusion detection?
A table that compares detection results with ground truth using true positives, false positives, true negatives, and false negatives.
73
What is a true positive?
An intrusion occurs and the IDS raises an alarm.
74
What is a false positive?
No intrusion occurs, but the IDS raises an alarm.
75
What is a true negative?
No intrusion occurs and the IDS raises no alarm.
76
What is a false negative?
An intrusion occurs but the IDS fails to raise an alarm.
77
What is accuracy in intrusion detection?
The fraction of all decisions that are correct.
78
What is precision in intrusion detection?
The fraction of alarms that are actually correct alarms.
79
What is recall in intrusion detection?
The fraction of actual intrusions that are detected.
80
Why are time-series-aware metrics desirable in industrial intrusion detection?
Because industrial events are not independent and often form ordered temporal patterns.
81
Along which two dimensions can IDSs be classified?
Detection method and deployment method.
82
What are the two main detection methods in the lecture?
Misuse-based detection and anomaly-based detection.
83
What are the two main deployment methods in the lecture?
Host-based and network-based intrusion detection.
84
What is misuse-based detection?
Detection based on known malicious signatures, rules, or attack patterns.
85
What is signature-based detection?
Matching observed data against a large collection of known bad patterns.
86
What kinds of data can signature-based approaches inspect?
Data generated on a host or data traveling over a network.
87
What is a key limitation of signature-based detection?
It is limited to known attacks and can miss new or mutated attacks.
88
Why do signature-based systems require ongoing effort?
Because new attacks must be reviewed and new signatures must be created.
89
Why are mutations difficult for signature-based IDSs?
Because slightly changed attacks may no longer match the existing signature.
90
Why can honeypots help misuse-based detection?
They can act as early targets and help collect new attack signatures.
91
What is rule-based heuristic detection?
A detection approach that identifies suspicious behavior through expert-derived rules rather than exact signatures.
92
How are rule-based heuristics often derived?
By analyzing attack tools, scripts, ports, and recurring suspicious behavior.
93
What is anomaly-based detection?
Detection based on deviations from a learned model of normal behavior.
94
What is the training phase in anomaly detection?
The phase where normal-operation data is collected and a model of expected behavior is built.
95
What is the detection phase in anomaly detection?
The phase where current behavior is compared against the model to decide whether it is normal or anomalous.
96
What kinds of anomaly-detection approaches are named in the lecture?
Statistical approaches and machine-learning approaches.
97
What statistical anomaly models are mentioned?
Univariate, multivariate, and time-series models.
98
What do machine-learning anomaly detectors do conceptually?
They derive a suitable model automatically from extracted features.
99
What is a key challenge of anomaly-based detection?
Training data must represent normal operation and must not already contain attacks.
100
What is another key challenge of anomaly-based detection?
It can have high false-alarm rates.
101
What components typically appear in an IDS deployment architecture?
Sensors or agents, a management server, a database server, and a console.
102
What does an IDS sensor or agent do?
It monitors and analyzes events either in the network or on hosts.
103
What does the management server do in an IDS architecture?
It processes information from sensors and agents.
104
What does the database server do in an IDS architecture?
It stores monitoring data and analysis results.
105
What does the console do in an IDS architecture?
It provides an interface for the administrator or security team.
106
What is a host-based intrusion detection system (HIDS)?
An IDS that monitors activities on a single host.
107
What data sources can a HIDS use?
System-call traces, audit records, file-integrity checksums, and Windows registry access.
108
What is a major limitation of HIDSs?
They only have a local view of an attack.
109
Why are HIDSs uncommon on industrial devices?
Because embedded industrial devices such as PLCs often cannot support them easily.
110
What kinds of detection methods can HIDSs use?
Anomaly-based, signature-based, or rule-based methods.
111
Why does host-based monitoring not scale as easily as network-based monitoring?
Because each host needs its own local monitoring and analysis.
112
What is a network-based intrusion detection system (NIDS)?
An IDS that monitors traffic at selected points in a network.
113
Why is a NIDS attractive for industrial environments?
Because it can be retrofitted without modifying every endpoint.
114
What can a NIDS inspect depending on the vantage point?
Network-layer, transport-layer, and application-layer parameters.
115
What sensor types can a NIDS use?
Inline sensors and passive sensors.
116
What is an inline NIDS sensor?
A sensor inserted into a network segment so monitored traffic must pass through it.
117
What can an inline NIDS additionally enable?
Intrusion prevention, since it can actively block traffic.
118
What is a passive NIDS sensor?
A sensor that monitors a copy of network traffic via a tap or mirror port.
119
What is the main architectural difference between inline and passive NIDS sensors?
Inline sensors sit in the path, while passive sensors only observe copied traffic.
120
Why is NIDS sensor placement critical?
Because the position determines what attacks and traffic the system can observe.
121
What can a NIDS detect when colocated with an external firewall?
Incoming attacks, misconfigured firewalls, and outgoing traffic.
122
What can a NIDS see when placed between an external firewall and the Internet?
The types and volume of attacks originating from outside.
123
What can a NIDS detect when located inside the network?
Unauthorized insider activities and internal misuse.
124
Why does an internal NIDS see only a fraction of traffic?
Because it only observes traffic crossing its own vantage point, not the entire network.
125
What are the two fundamentally different ways to analyze packets in a NIDS?
Header-only analysis and deep packet inspection (DPI).
126
What is header-only packet analysis?
Analyzing only packet headers without inspecting payload contents.
127
What is a benefit of header-only packet analysis?
It works on nearly all network traffic.
128
What is a limitation of header-only packet analysis?
It provides less information for intrusion detection.
129
What is deep packet inspection?
Inspection of packet contents in addition to headers.
130
What is a benefit of deep packet inspection?
It provides rich information that can be leveraged for detection.
131
What limits deep packet inspection?
Encrypted communication and processing overhead.
132
Which popular free NIDSs are mentioned in the lecture?
Zeek, Snort, and Suricata.
133
What is Zeek?
An event-driven network intrusion detection system with rich protocol analyzers and a scripting language.
134
What is Snort?
A rule-based intrusion detection and prevention system.
135
What is Suricata?
A rule-based intrusion detection and prevention system with features such as multithreading and file extraction.
136
What kind of output is highlighted for Zeek?
Detailed logs for analysts and SIEM systems.
137
What is Zeek’s fundamental design style?
It is event-driven and based on passive network monitoring.
138
What are key Zeek features mentioned in the lecture?
Rich application-layer analysis, a custom scripting language, prewritten policy scripts, and signature-matching capabilities.
139
On which kinds of systems can Zeek run?
Standard computers with standard network cards, typically on FreeBSD, Linux, or macOS.
140
What packet-capture library basis is mentioned for Zeek?
libpcap, similar to tcpdump.
141
What can Zeek use for prefiltering?
tcpdump-style packet filters.
142
What are the major internal components of Zeek?
Protocol decoding in the event engine and analysis logic in the policy-script interpreter.
143
What does the Zeek event engine do?
It performs protocol decoding and emits events.
144
What does the Zeek script engine do?
It handles events, updates state, makes decisions, and realizes the actual detection logic.
145
Why does the lecture say Zeek itself is only the engine behind the scenes?
Because output and decisions are mainly produced by the scripts.
146
What outputs can Zeek produce?
Logs and notifications.
147
What kinds of notifications are mentioned for Zeek?
Logging a notice, logging and emailing notices, and sending alert messages.
148
Give one example of a Zeek notification from the lecture.
A login from an unexpected country.
149
Why are industrial networks particularly suitable for anomaly-based IDS?
Because they often have regular machine-to-machine communication and repetitive physical processes.
150
Why is anomaly detection harder in traditional IT networks?
Because normal behavior is much less predictable.
151
What makes building a normal-behavior model feasible in industrial networks?
Communication is regular, distinct patterns are limited, and the physical process is often stable and known.
152
What additional source of structure exists in industrial intrusion detection that ordinary IT often lacks?
Knowledge of the controlled physical process and its physical limits.
153
What is host-based industrial intrusion detection mainly used for in practice?
Traditional HMI or SCADA systems running on standard hardware.
154
Why can standard host-security tools often be used on HMIs or SCADA servers?
Because they are often essentially normal Windows machines.
155
Which host-based tools are mentioned for industrial environments?
Anti-malware tools and HIDSs such as Wazuh (OSSEC), MozDef, and Samhain.
156
Why are host-based IDSs rare for PLCs and other embedded devices?
Because embedded industrial hardware rarely supports this kind of monitoring.
157
What is the rare PLC-oriented example named in the lecture?
Orpheus.
158
What does Orpheus do conceptually?
It traces the PLC program and behavior at runtime.
159
How can traditional NIDSs already help in industrial networks?
They support industrial protocols and can detect known malicious packets or suspicious protocol use.
160
Which industrial protocols are explicitly mentioned as supported by Zeek or Snort?
Protocols such as Modbus and DNP3, and Snort rules also cover many industrial packets.
161
What are example malicious industrial packets mentioned in the lecture?
Modbus TCP Force Listen Only Mode, Restart Communications Option, non-DNP3 communication on a DNP3 port, and IEC 61850 enumeration attempts.
162
What is a major limitation of traditional NIDSs in industrial environments?
They have only a limited sense of legitimate process behavior.
163
Why can traditional NIDSs miss attacks even when they understand industrial protocols?
Because they may not understand the physical process and may not detect compromised devices sending otherwise valid packets.
164
Why can a crafted but legitimate packet evade traditional signature-based industrial NIDSs?
Because the packet itself may be protocol-correct even though it causes harmful process behavior.
165
What communication characteristics are typical of industrial networks according to the lecture?
Highly frequent exchanges, many similar messages over time, and periodic communication patterns.
166
Why is packet analysis often feasible in industrial networks?
Because many industrial protocols are still unencrypted.
167
What inspection depths are possible for industrial packet analysis?
Transport-layer parsing, partial application-layer parsing, and full stateful application-layer parsing.
168
What are the two main types of industrial intrusion detection emphasized in the lecture?
Communication-based industrial intrusion detection and process-state-aware industrial intrusion detection.
169
What is communication-based industrial intrusion detection?
Detection that looks for anomalies in timings and message sequences of industrial communication.
170
What is process-state-aware industrial intrusion detection?
Detection that reasons about the physical process state over time.
171
Where can the data for process-state-aware detection come from?
From a central data sink such as a control center or from network packets via deep packet inspection.
172
What is the core idea of communication-based industrial intrusion detection?
Leverage stable communication patterns common in industrial domains and protocols.
173
What is a typical stable communication pattern mentioned in the lecture?
A SCADA master periodically polls field devices.
174
Why can communication-based IDS detect attacks that use only valid messages?
Because even valid messages can create abnormal timing or ordering patterns.
175
Which attacks are explicitly listed as examples for communication anomalies?
Flooding attacks, injection attacks, and TCP-sequence prediction attacks.
176
What are the two broad classes of communication anomalies?
Timing irregularities and wrong message-sequence order.
177
What deployment and detection style is typical for communication-based industrial IDS?
Network-based and anomaly-based.
178
What is inter-arrival time in network monitoring?
The time between the reception of two network packets.
179
What is the purpose of timing-based anomaly detection using inter-arrival time?
To detect inserted or dropped messages by identifying anomalous packet timings.
180
What are the two model families used for inter-arrival-time detection in the lecture?
The mean model and the range model.
181
What does the mean model detect?
A shift in the central tendency of inter-arrival times.
182
What does the range model detect?
A change in the dispersion of inter-arrival times.
183
What is the typical anomaly-detection workflow for inter-arrival time?
Extract timestamps, learn models from training data, and then use a detector on testing data.
184
Why is the inter-arrival-time approach called protocol independent in the lecture workflow?
Because it ultimately works on timestamps rather than requiring full protocol semantics.
185
What kinds of industrial traffic files can feed the workflow?
Packet captures from protocols such as Modbus, S7, or IEC 104.
186
What theorem is used to motivate the mean model for inter-arrival times?
The central limit theorem.
187
What values are estimated in the mean model?
The mean and standard deviation of inter-arrival times.
188
How is a detection threshold applied in the mean model?
A threshold interval is set around the estimated mean using the standard deviation.
189
What is the threshold level in the mean model?
A performance parameter that calibrates the trade-off between false positives and false negatives.
190
Why must the lower detection limit in the mean model stay positive?
Because inter-arrival times cannot be negative.
191
When is an inter-arrival time considered normal in the mean model?
When it falls within the allowed threshold band around the estimated mean.
192
When is an inter-arrival time considered anomalous in the mean model?
When it falls outside the threshold band around the estimated mean.
193
Which attack is used as the example for the mean model?
A flooding attack.
194
Why does a flooding attack affect the mean model?
Because many repeated messages in a short time reduce inter-arrival times.
195
What is the operational effect of flooding in the lecture example?
Normal commands are disrupted by a huge number of repeated commands.
196
What statistic is central to the range model?
The sample range, that is, the maximum minus minimum inter-arrival time within a sample set.
197
What does the range model estimate?
The center of the distribution of sample ranges and its standard deviation.
198
How can the range model be asymmetric?
The lower limit is taken from the smallest event inter-arrival time in the learning period, while the upper bound is threshold-based.
199
When is behavior considered normal in the range model?
When observed inter-arrival-time ranges stay between the learned lower and upper bounds.
200
Which attack is used as the example for the range model?
An injection attack.
201
Why does an injection attack affect the range model?
Because injected messages alter the learned dispersion of valid inter-arrival times.
202
What is the basic problem illustrated by prediction attacks against timing-based IDS?
An attacker may learn expected timing and send malicious packets so that the timing still appears normal.
203
What kind of spoofing attack is explicitly mentioned in the lecture’s timing example?
A TCP-sequence prediction attack.
204
How can an attacker exploit timing knowledge in the lecture example?
By jamming a legitimate packet and sending a manipulated packet afterward, or by sending first so the benign packet is dropped as a duplicate.
205
What does the prediction-attack example show about timing-based IDS?
That timing information alone may be insufficient against skilled attackers.
206
What is sequence-aware intrusion detection designed to detect?
Deviations from predictable communication cycles or message sequences.
207
What is a sequence attack?
An attack that reorders or misplaces otherwise valid events in an industrial sequence.
208
Why are sequence attacks difficult?
Because the individual events may not be malicious by themselves.
209
What kinds of harm can sequence attacks cause?
Problems arise because valid events are rearranged into harmful operational order.
210
What formal model is used for sequence-aware intrusion detection in the lecture?
Discrete-time Markov chains (DTMCs).
211
What is a DTMC?
A state-transition system with probabilities assigned to transitions between states in discrete time steps.
212
What does the Markov property mean?
The next state depends only on the current state, not on the full history.
213
What are the three key ingredients of a DTMC?
States, transitions, and probabilities.
214
What do DTMC states represent?
Possible configurations or abstracted event classes of the modeled system.
215
What do DTMC transitions represent?
State changes in discrete time.
216
What do DTMC probabilities represent?
The likelihood of moving from one state to another.
217
What kinds of DTMC properties are named in the lecture?
Path-based properties, transient properties, steady-state properties, and expectations.
218
What is a path-based DTMC property?
The probability of observing a particular behavior or class of behaviors.
219
What is a transient DTMC property?
The probability of being in a certain state after a given number of steps.
220
What is a steady-state DTMC property?
The long-run probability of being in each state.
221
What is an expectation in DTMC analysis?
An average value such as the average number of transmission attempts required.
222
Why must input data be sequenced for sequence-aware detection?
Because the IDS needs time-ordered events to model and detect sequence anomalies.
223
How are log files handled for sequence-aware IDS?
They are already time-ordered and mainly require filtering.
224
How are process variables handled for sequence-aware IDS?
Their evolution is interpreted as a time-ordered sequence of events.
225
How is network traffic handled for sequence-aware IDS?
Protocol-specific mappings are needed to transform messages into ordered event tuples.
226
What Modbus example mapping is given for sequence-aware IDS?
A request-response pair can be mapped to a tuple of transaction identifier, function code, and data.
227
What information is stored in a sequence-aware state according to the lecture?
Data, type, number of events, first time seen, and last time seen.
228
What does the 'Data' field of a state represent?
Information shared by the events belonging to that state.
229
What does the 'Type' field of a state represent?
Whether the state groups request-response pairs, just requests, or just responses.
230
What does '#Events' in a state represent?
How many events in the sequence belong to that state.
231
What do 'First time seen' and 'Last time seen' in a state represent?
The timestamps of the first and last event assigned to the state.
232
What information is stored in a sequence-aware transition according to the lecture?
Probability, number of jumps, first jump, last jump, average time elapsed, and standard deviation of elapsed time.
233
How is the transition probability defined in the sequence-aware model?
As the number of jumps from source to destination divided by the number of jumps from the source to any destination.
234
What does '#Jumps' represent in a sequence-aware transition?
How often the source-to-destination transition appears in the observed sequence.
235
What do 'First jump' and 'Last jump' record?
The first and last occurrence of that transition in the sequence.
236
What does 'Average time elapsed' represent for a transition?
The average time between the source and destination event pair.
237
What does the standard deviation on elapsed time represent?
Variation in the timing of that transition.
238
How does sequence-aware detection work at runtime?
It continuously builds DTMCs during detection and compares them against the learned system model.
239
What is an unknown state anomaly?
A state appears during detection that never appeared in training.
240
What is an example of an unknown state anomaly?
A semantic attack with known attributes but implausible values.
241
What is an unknown transition anomaly?
A transition appears during detection that never appeared in training.
242
What is an example of an unknown transition anomaly?
An order-based sequence attack.
243
What is an unknown probability anomaly?
Known states and transitions occur, but their probabilities differ significantly from the training model.
244
What is an example of an unknown probability anomaly?
A time-based sequence attack.
245
What are the main attack categories covered by communication-based industrial IDS according to the lecture summary?
Malicious packets or commands, message insertions or drops, and unusual communication sequences.
246
Which tools are given as examples for malicious packet or command detection?
Zeek and Snort.
247
What is one limitation of communication-based detection regarding packet types?
It cannot be applied to all network packets, such as spontaneous messages.
248
What is another limitation of communication-based detection regarding coverage?
It does not cover all types of communication.
249
What is the key limitation of communication-based detection regarding the process itself?
It cannot detect anomalies in the physical process.
250
What is the core idea of process-state-aware industrial intrusion detection?
Use characteristics of the physical process state for intrusion detection.
251
Why does process-state-aware IDS fit industrial systems well?
Because physical processes are often repetitive and predictable.
252
What example process is mentioned in the lecture for process-aware IDS?
A PLC controls a pump to keep the water fill level within bounds.
253
What is a physical process state in the lecture’s sense?
A combined snapshot of process information from sensors and actuators aggregated over multiple packets.
254
Why does process-state-aware IDS abstract from packet-specific information?
Because it focuses on physical behavior rather than only on communication artifacts.
255
What information sources are mentioned for process-aware detection?
Correlations between sensors over time, known critical states, and prediction of future states from past observations.
256
What are correlation-based process-aware methods looking for?
Expected relationships among one or a few sensors over time.
257
What are critical-state-based process-aware methods looking for?
Known forbidden or dangerous physical states defined a priori.
258
What are prediction-based process-aware methods looking for?
Deviations between predicted future states and actually observed states.
259
Why can process-aware IDS detect attacks missed by communication-based IDS?
Because the communication may look valid while the physical process behaves abnormally.
260
What is a honeypot in the context of security monitoring?
A decoy system designed to attract attackers and reveal their behavior.
261
Why are honeypots useful in industrial security?
They help observe attacker behavior and may provide material for signature extraction.
262
What is the server-vs-client distinction for honeypots?
Server honeypots wait to be contacted, while client honeypots actively interact with external targets.
263
What is the passive-vs-active distinction associated with honeypots in the lecture?
It distinguishes whether the honeypot mainly waits to be attacked or actively initiates interaction.
264
Why are both server and client honeypots useful?
Because they represent different target types and attack situations.
265
What is a physical honeypot?
A honeypot realized with real hardware.
266
What is a virtual honeypot?
A honeypot realized as a virtualized or simulated system.
267
What does the choice between physical and virtual honeypots depend on?
Available hardware and resources.
268
What is a low-interaction honeypot?
A simpler honeypot with limited interaction and lower operational effort.
269
What is a high-interaction honeypot?
A more realistic honeypot that allows more interaction and deeper observation of attackers.
270
What is an advantage of low-interaction honeypots?
They are easier to deploy and can more easily integrate new vulnerabilities.
271
What is a disadvantage of low-interaction honeypots?
They are easier for attackers to recognize as decoys.
272
What is an advantage of high-interaction honeypots?
They are more authentic and have a higher chance of revealing unknown attacks.
273
What additional benefit do high-interaction honeypots provide?
They allow more in-depth system analysis of attacker behavior.
274
What is the trade-off of high-interaction honeypots?
They require more effort and resources.
275
Which honeypot combination is the most realistic according to the lecture quiz?
A physical, high-interaction honeypot.
276
Why is industrial intrusion detection often anomaly-based rather than purely signature-based?
Because industrial communication and processes are regular enough that deviations from normal behavior can be modeled.
277
Why are safety and availability still design constraints for industrial IDS?
Because aggressive prevention or intrusive monitoring can itself disrupt the process.
278
Why is passive monitoring often preferred in industrial IDS?
Because it reduces the risk of interfering with process communication.
279
Why is encryption both good and bad for detection?
It protects confidentiality and integrity but makes deep packet inspection harder.
280
Why can industrial IDSs benefit from process knowledge?
Because harmful behavior may be visible only when communication is interpreted in relation to the controlled physical system.
281
What does Chapter 6 identify as the basis for overseeing an industrial network?
Network monitoring.
282
What kind of events should IDSs ideally analyze in industrial settings?
Events analyzed in real time, producing only a small number of false and missed alarms.
283
What broad idea connects SIEM, network monitoring, and IDS?
Centralized collection, interpretation, and correlation of security-relevant events.
284
What is the main difference between communication-based and process-aware industrial IDS?
Communication-based IDS models message behavior, while process-aware IDS models physical state behavior.
285
Why are honeypots not a primary protection mechanism?
Because they mainly help observe and study attacker behavior rather than directly secure production systems.
286
What is one operational benefit of centralized monitoring in ICS?
It improves network-wide situation awareness.
287
What is one security drawback of centralized monitoring in ICS?
It can weaken zone isolation if security data paths are not carefully controlled.
288
Why are false positives especially costly in industrial intrusion detection?
Because alarms often require manual verification and can distract operators or security teams.
289
Why are false negatives dangerous in industrial intrusion detection?
Because missed attacks can continue affecting critical processes unnoticed.
290
Why is a small number of false alarms operationally important?
Because teams must still be able to trust and react to alarms.
291
Why is industrial IDS often easier to retrofit than preventive cryptographic upgrades?
Because a passive monitoring system can be inserted without necessarily changing protocol endpoints.
292
Why are stable polling patterns useful for detection?
Because deviations in timing or sequence become easier to recognize.
293
Why can a compromised device still be hard to detect with traditional industrial NIDS rules?
Because it may send protocol-valid traffic that only appears malicious when seen in process context.
294
What is the broader lesson of Chapter 6 about detection in ICS?
Effective detection needs both cyber-level visibility and, where possible, knowledge of industrial communication patterns or physical process behavior.