Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. Define Intrusion Prevention System (IPS).
Answer: IPS is a security tool that monitors network traffic and actively blocks or prevents malicious activities in real time.

2. What is the main difference between IDS and IPS?
Answer: IDS only detects and alerts about threats, whereas IPS detects and automatically blocks or prevents threats.

3. List any two limitations of IPS.
Answer:

1. Can generate false positives and block legitimate traffic.
2. May degrade network performance due to inline deployment.

4. Mention any two types of machine learning used in IDS.
Answer:

1. Supervised Learning
2. Unsupervised Learning

5. What is the objective of Vulnerability Analysis?
Answer: To identify, assess, and prioritize security weaknesses in systems before attackers can exploit them.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain Anomaly-Based Detection with an example.
Answer:
Anomaly-based detection builds a model of normal behavior and flags deviations.
Example: A user normally logs in during office hours. If the user logs in at midnight from a different location, the IDS flags it as an anomaly.
Advantages: Can detect unknown attacks.
Limitations: High false positives due to dynamic user behavior.

7. What are the advantages and limitations of Non-Credentialed Vulnerability Scanning?
Answer:
Advantages:

• Simulates external attacker’s perspective.
• Easy to configure (no login required).

Limitations:

• Cannot access deep system configurations.
• Higher chance of false positives or missed issues.

8. Describe the Alert Generation and Response/Action phase in IDS Process Models.
Answer:

• Alert Generation: When an IDS detects a threat, it generates an alert based on detection rules or models.
• Response/Action: The system logs the event, notifies administrators, or integrates with other tools (like SIEM) to initiate countermeasures like isolation, blocking IPs, or updating rules.

9. Write a short note on the integration of IPS with SIEM systems.
Answer:

• SIEM collects and analyzes security data from various sources including IPS.
• IPS provides real-time threat data to SIEM.
• SIEM correlates IPS alerts with other logs for better visibility.
• Helps in faster incident detection and response by centralizing data analysis.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Compare all four IDS analysis models (Signature, Anomaly, Hybrid, Machine Learning) with examples and advantages.
Answer:

• Summary:
  • Signature: Low false positives, limited to known threats.
  • Anomaly: Good for unknowns, but high false alarms.
  • Hybrid: Reduces weaknesses of both.
  • ML: Smart, but depends on quality of training data.

11. Explain the Deployment Strategies of IPS and discuss their pros and cons with suitable examples.
Answer:

1. Inline Deployment:

• IPS is placed directly in the path of network traffic.
• Pros: Immediate threat blocking.
• Cons: Can cause delays or single point of failure.
• Example: Deployed between router and internal network.

2. Parallel Deployment (Out-of-Band):

• IPS monitors mirrored traffic but doesn’t block directly.
• Pros: No network disruption.
• Cons: Cannot block threats in real-time.
• Example: Connected via SPAN port on a switch.

3. Host-Based IPS:

• Installed on individual endpoints.
• Pros: Protects internal systems and stops insider threats.
• Cons: Difficult to manage on many devices.
• Example: IPS agent on a server or workstation.

Conclusion: Strategy selection depends on network architecture, performance requirements, and threat environment.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is Signature-Based Detection in IDS?
Answer: It detects threats by comparing network traffic with a database of known attack patterns or signatures.

2. Define Hybrid Vulnerability Scanning.
Answer: It combines credentialed and non-credentialed scans to assess both internal and external vulnerabilities comprehensively.

3. Name two real-world tools used in IDS or IPS.
Answer: Snort (IDS), Suricata (IPS).

4. List any two components of the IPS Response System.
Answer:

1. Alert generation module
2. Blocking or prevention mechanism (e.g., packet dropper)

5. What is the role of Feature Extraction in IDS process models?
Answer: It selects and transforms raw data into meaningful variables that help the IDS detect malicious patterns effectively.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Write a short note on Reinforcement Learning in IDS.
Answer:

• Reinforcement Learning (RL) in IDS involves an agent learning by interacting with the environment and receiving feedback.
• The system learns optimal actions (like blocking traffic) based on rewards or penalties.
• It adapts to changing threats over time.
• Example: An IDS learns to block IPs that show repeated suspicious activity.

7. What are the key benefits of using Process Models in IDS?
Answer:

• Provides a clear, structured approach to threat detection.
• Improves detection accuracy through well-defined phases (e.g., data collection, preprocessing, detection).
• Facilitates automation and scalability.
• Helps in designing consistent and repeatable IDS systems.

8. Compare Credentialed and Non-Credentialed Vulnerability Analysis in terms of scope and result accuracy.

9. Describe the limitations of IPS in terms of performance and detection evasion.
Answer:

• Performance Issues:
  • Inline deployment can introduce latency.
  • High traffic volume may slow down packet inspection.
• Detection Evasion:
  • Encrypted traffic may hide threats.
  • Attackers use techniques like fragmentation or polymorphism to bypass detection.
  • False positives may lead to blocking legitimate traffic.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain IPS Detection Methods in detail. How do signature-based, anomaly-based, and stateful protocol analysis differ?
Answer:

• Signature-Based Detection:

  • Matches traffic patterns with known attack signatures.
  • Fast and accurate for known threats.
  • Example: Detecting a known malware file.

• Anomaly-Based Detection:

  • Compares current traffic behavior with established normal behavior.
  • Detects unknown or zero-day attacks.
  • May produce false positives.

• Stateful Protocol Analysis:

  • Verifies if the traffic complies with expected protocol behavior (e.g., HTTP, FTP).
  • Detects protocol misuse or manipulation.
  • More accurate but resource-intensive.

Comparison Table:

11. Design a real-world scenario where an IPS and IDS are used together. Explain their roles and interactions in that setup.
Answer:

Scenario:
A financial institution deploys IDS and IPS to protect its online banking system.

Deployment:

• IPS:

  • Placed inline between the internet and the internal network.
  • Blocks known malicious traffic in real time (e.g., DDoS, SQL injection attempts).

• IDS:

  • Deployed in a passive mode inside the network.
  • Monitors employee activities and internal traffic for policy violations or insider threats.
  • Logs and alerts for unusual behavior, such as abnormal file access.

Interaction:

• IDS detects internal anomalies and informs security teams.
• IPS handles immediate threat blocking at the perimeter.
• Together, they create a layered security system: prevention + monitoring.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is the purpose of IPS Sensors in its architecture?
Answer: IPS sensors monitor network traffic in real time to detect and stop threats before they reach the system.

2. Define Data Preprocessing in IDS process models.
Answer: Data preprocessing involves cleaning and formatting raw data to prepare it for analysis and detection.

3. Mention two use cases of Credentialed Vulnerability Analysis.
Answer:

1. Checking missing security patches inside a system.
2. Verifying weak or reused passwords by logged-in access.

4. What is the importance of True Positive (TP) and False Positive (FP) in IDS evaluation?
Answer:

• TP: Correctly detected attacks show IDS effectiveness.
• FP: Wrong alerts reduce trust and waste time.

5. List two advantages of using statistical analysis models in IDS.
Answer:

1. Detect unusual trends based on past behavior.
2. Works well for unknown or zero-day attacks.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Describe how anomaly-based IDS establishes a baseline and detects threats.
Answer:

• IDS observes normal behavior over time (baseline).
• Compares new activity to this baseline.
• If a big change is found, it alerts.
• Example: User accessing system at odd hours triggers alert.

7. Explain the working of Application Layer IPS with examples.
Answer:

• Monitors traffic at application level (Layer 7).
• Blocks specific threats like SQL injection or cross-site scripting.
• Example: Prevents uploading of malicious files via web form.
• Used in web servers, email servers for deep inspection.

8. What are the challenges in implementing vulnerability scanning in large organizations?
Answer:

• Huge number of devices to scan.
• Network slowdowns during scans.
• Managing scan credentials securely.
• Scheduling scans without affecting business hours.

9. How does IPS integration with Endpoint Protection improve security?
Answer:

• IPS blocks threats on network; Endpoint protects individual devices.
• Together, they catch threats missed by one alone.
• Example: IPS stops malware before reaching endpoint; endpoint stops it if already there.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Compare and contrast the process flows of Signature-Based, Anomaly-Based, and Hybrid IDS detection models.
Answer:

Summary:
Signature is simple and fast, anomaly is flexible but noisy, hybrid balances both for better detection.

11. Explain how Machine Learning enhances IDS functionality. Discuss supervised, unsupervised, and real-time learning with examples.
Answer:

• Machine Learning (ML) makes IDS smarter by learning from data.

Supervised Learning:

• Trained with labeled attack data.
• Learns patterns and predicts future attacks.
• Example: Decision Trees trained on malware logs.

Unsupervised Learning:

• No labels, finds patterns on its own.
• Example: K-Means clustering detects traffic spikes.
• Good for unknown threats.

Real-Time Learning (Online Learning):

• Learns continuously from new data.
• Example: IDS adapting to a new type of DDoS attack during the attack.

Benefits:

• Reduces false alerts.
• Adapts to new attack types.
• Increases speed and accuracy of detection.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is Stateful Protocol Analysis in IPS?
Answer: It checks if network traffic follows correct protocol rules by comparing it with known protocol behavior.

2. Define Alert in IPS Response Actions.
Answer: An alert is a notification generated when IPS detects suspicious or malicious activity.

3. Mention any two common algorithms used in supervised learning IDS.
Answer: Decision Tree, Support Vector Machine (SVM).

4. What is the function of the Analysis Engine in IPS architecture?
Answer: It inspects data packets and applies detection rules to identify threats.

5. Give two examples of when Non-Credentialed Analysis is preferred.
Answer:

1. Scanning public-facing web servers.
2. Testing security from an attacker’s viewpoint.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain the role of SIEM systems when integrated with IDS and IPS.
Answer:

• Collects logs from IDS and IPS.
• Correlates events to detect advanced threats.
• Centralized dashboard for monitoring.
• Helps in compliance and quick response.

7. What is the significance of Response/Action phase in IDS Process Model?
Answer:

• Decides what to do after detection.
• Can block, log, or alert.
• Critical for reducing damage.
• Automates defense and saves time.

8. Discuss the limitations of anomaly-based IDS models and how hybrid models solve them.
Answer:
Limitations:

• High false positives.
• Needs constant tuning.
• Hard to define normal behavior.
  Hybrid Models:
• Combine with signature detection.
• Reduce false alarms.
• Increase detection accuracy.

9. Describe the process of establishing a baseline in statistical IDS models.
Answer:

• Collect normal behavior data over time.
• Analyze metrics like traffic volume, login times.
• Define statistical ranges.
• Use them to detect when values go beyond normal.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain in detail the architecture of an IPS. How do its components work together to detect and respond to threats?
Answer:

• Sensor: Captures traffic from the network.
• Analysis Engine: Inspects traffic using rules or AI.
• Signature/Rules Database: Contains known threat patterns.
• Response Module: Blocks, alerts, or logs the threat.
• Management Console: Allows admin control and monitoring.

Working Together:
Traffic flows through sensor → analysis engine checks for threats using database → if threat found, response module acts → all events shown in management console.

11. A company is planning to use IDS for its cloud-based network. Recommend a suitable IDS model and process flow. Justify your recommendation.
Answer:

Recommended Model: Anomaly-based IDS with Machine Learning.
Justification:

• Detects unknown cloud-specific threats.
• Learns from dynamic traffic patterns.
• Scales well with cloud environments.

Process Flow:

1. Data Collection from cloud services.
2. Preprocessing to remove noise.
3. Baseline creation using ML.
4. Detection of abnormal activities.
5. Alert and response handling through cloud SIEM.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is the function of the Management and Reporting component in IPS?
Answer: It provides logs, alerts, and reports for admin review and allows configuration of IPS settings.

2. Define Hybrid IDS with an example.
Answer: Hybrid IDS combines signature and anomaly-based detection. Example: Suricata.

3. Mention two key differences between anomaly detection and machine learning in IDS.
Answer:

1. Anomaly detection uses fixed rules; ML learns from data.
2. Anomaly may give false alarms; ML can improve accuracy over time.

4. What is the importance of integrating IDS with firewalls?
Answer: It allows automatic blocking of detected threats and provides layered security.

5. List two reasons why attackers use evasion techniques against IDS/IPS.
Answer:

1. To bypass detection.
2. To keep malicious activity hidden for longer.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain how Quarantine works as a response action in IPS.
Answer:

• IPS isolates the affected system from the network.
• Prevents spread of attack.
• Used when infection is suspected.
• Keeps logs for later analysis.

7. What are the process characteristics of anomaly-based detection in IDS?
Answer:

• Learns normal behavior (baseline).
• Flags anything unusual.
• Adaptive to new threats.
• May produce false positives.

8. Compare the learning mechanisms of supervised and unsupervised IDS models.
Answer:

9. Discuss the benefits and challenges of using OpenVAS as a vulnerability analysis tool.
Answer:
Benefits:

• Free and open-source.
• Regular updates.
• Supports many scan types.

Challenges:

• Can be slow.
• May produce false positives.
• Requires technical knowledge to configure.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Discuss the challenges of deploying IPS in high-speed networks. Suggest possible solutions to overcome them.
Answer:

Challenges:

• Packet loss due to speed.
• Delayed response.
• High CPU load.
• Missed threats in encrypted traffic.

Solutions:

• Use high-performance IPS appliances.
• Load balancing with multiple IPS units.
• Apply selective inspection.
• Decrypt and inspect SSL traffic securely.

11. Design an IDS process model for a university campus. Include data sources, detection method, and response actions.
Answer:

Data Sources:

• Student network logs
• Server logs
• Wi-Fi traffic
• Email activity

Detection Method:

• Hybrid IDS (signature + anomaly)
• ML to detect abnormal usage like large downloads or late-night access

Response Actions:

• Alert to admin
• Temporary block
• Quarantine infected device
• Notify user and log incident

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is the role of sensors in an IPS?
Answer: Sensors capture and monitor network traffic to detect suspicious or malicious activity before sending it to the analysis engine.

2. Define anomaly in the context of IDS.
Answer: An anomaly refers to any behavior or activity that deviates from the established normal pattern, possibly indicating a threat.

3. Mention two types of data collected by IDS for detection.
Answer:

1. Network traffic (packets, protocols)
2. System logs (authentication, file access)

4. List any two advantages of using a hybrid IDS model.
Answer:

1. Can detect both known and unknown threats.
2. Reduces false positives and increases accuracy.

5. What is meant by quarantine in IPS response actions?
Answer: Quarantine means isolating the affected system or user to prevent the spread of malicious activity.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain the difference between inline and out-of-band IPS deployment strategies with examples.
Answer:

• Inline IPS: Placed directly in the data path; blocks malicious traffic in real time.
  Example: IPS between router and internal switch.
• Out-of-Band IPS: Monitors traffic via a copy (SPAN port) but does not block it directly.
  Example: IPS analyzing mirrored traffic from a network switch.
  Difference: Inline prevents threats actively; out-of-band only detects and alerts.

7. Describe the phases involved in the anomaly-based IDS detection process.
Answer:

1. Data Collection: Gathers traffic or system behavior logs.
2. Preprocessing: Filters and normalizes data for analysis.
3. Profile Learning: Builds a baseline of normal behavior.
4. Detection: Compares current activity to baseline and flags deviations.
5. Alerting: Generates alerts when anomalies are detected.

8. What are the key benefits of integrating IPS with a firewall in a network?
Answer:

• Layered Security: Firewall filters general traffic; IPS blocks deeper threats.
• Improved Threat Response: IPS acts on threats the firewall misses.
• Centralized Management: Rules and alerts can be correlated.
• Real-Time Protection: Ensures quick action against attacks.

9. Compare supervised and unsupervised learning techniques in IDS with suitable examples.
Answer:

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain the working of a hybrid vulnerability analysis approach. How does it combine the benefits of both scan types?
Answer:

• Hybrid Vulnerability Analysis uses both credentialed and non-credentialed scans.
• Credentialed Scan:
  • Uses login credentials.
  • Scans internal settings like patches, configurations.
• Non-Credentialed Scan:
  • No login.
  • Simulates external attacker perspective.
• Benefits:
  • Full visibility inside and outside.
  • Fewer false positives.
  • Better security posture.
• Example:
  • A credentialed scan finds outdated software.
  • A non-credentialed scan spots exposed services.

11. Describe in detail the IPS architecture. Explain the function of each component with a diagram if needed.
Answer:

IPS Architecture Components:

1. Sensor: Captures network traffic in real time.
2. Analysis Engine: Examines traffic for threats using signatures and behavior rules.
3. Signature Database: Stores known attack patterns.
4. Response Module: Executes actions like blocking or alerting.
5. Management Console: User interface to configure, monitor, and review logs.

Diagram (Textual):

[Sensor] → [Analysis Engine] → [Signature DB]  
            ↓  
            [Response Module]  
            ↓  
            [Management Console]
            

Explanation:

• The sensor sends data to the engine.
• The engine uses the database to detect threats.
• The response module acts immediately.
• Admins monitor and adjust settings through the console.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is a false positive in an IDS, and why is it a problem?
Answer: A false positive occurs when the IDS wrongly identifies normal activity as a threat. It’s a problem because it can waste time, reduce trust in the system, and cause alert fatigue.

2. Define vulnerability analysis in simple terms.
Answer: Vulnerability analysis is the process of finding weaknesses in a system that attackers could use to cause harm.

3. List any two detection methods used by IPS.
Answer:

1. Signature-based detection
2. Anomaly-based detection

4. Mention any two tools used for vulnerability scanning.
Answer:

1. Nessus
2. OpenVAS

5. What is meant by baseline behavior in anomaly detection?
Answer: Baseline behavior refers to the normal patterns of system or user activity. Anomaly detection compares new behavior to this baseline to find threats.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain how IPS detects and blocks a SQL injection attack.
Answer:

• IPS uses signature-based or protocol analysis methods to inspect data packets.
• When a SQL pattern like ' OR 1=1 -- is detected in input fields, the IPS identifies it as malicious.
• The IPS then blocks the packet, drops the connection, and alerts the administrator.
• This helps prevent unauthorized access or data leakage.

7. Describe the process flow of a signature-based IDS model.
Answer:

1. Data Collection: IDS captures network traffic or system logs.
2. Preprocessing: Data is cleaned and formatted.
3. Signature Matching: Traffic is compared to a database of known attack signatures.
4. Alert Generation: If a match is found, the system raises an alert.
5. Logging/Response: The event is logged and may trigger a response action.

8. What are the key differences between credentialed and non-credentialed vulnerability analysis?

9. Write a short note on the advantages of using a hybrid IDS model in a campus network.
Answer:

• Combines the strengths of signature-based and anomaly-based IDS.
• Detects both known threats and new, unknown attacks.
• Reduces false positives and improves detection accuracy.
• Ideal for dynamic environments like campus networks with many users and devices.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain the process model of IDS with all phases. Support your answer with a labeled diagram.
Answer:

Phases of IDS Process Model:

1. Data Collection: IDS gathers logs, traffic, and system activities.
2. Preprocessing: Data is filtered and converted into usable formats.
3. Feature Extraction: Important characteristics are selected for analysis.
4. Detection Engine: Applies rules, signatures, or ML models to detect threats.
5. Alert Generation: Issues an alert if suspicious behavior is detected.
6. Response/Action: Logs the event and may trigger countermeasures.

Diagram (Text-Based):

[Data Collection] → [Preprocessing] → [Feature Extraction] → [Detection Engine] → [Alert Generation] → [Response]
            

Explanation: This flow helps identify threats early and act quickly to reduce damage.

11. Discuss the limitations of IPS and suggest practical ways to overcome them in real-world scenarios.
Answer:

Limitations:

1. False Positives: Can block normal traffic mistakenly.
2. Performance Issues: May slow down networks under heavy load.
3. Encrypted Traffic: Hard to inspect without decryption.
4. Evasion Techniques: Attackers may use fragmentation or obfuscation.

Solutions:

• Tuning Rules: Regularly update and fine-tune detection rules.
• Load Balancing: Use high-performance hardware or distributed IPS.
• Decryption Gateways: Deploy SSL/TLS termination points for encrypted traffic.
• Layered Security: Combine IPS with firewall, IDS, and endpoint protection for better coverage.

Conclusion: IPS should be well-configured and regularly updated to remain effective in protecting real-world systems.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is the purpose of intrusion detection in a network?
Answer: To monitor network or system activities for malicious behavior and raise alerts to help prevent attacks.

2. Define signature in signature-based detection.
Answer: A signature is a predefined pattern or rule that identifies known threats based on attack behavior or code.

3. List two common response actions taken by an IPS.
Answer:

1. Blocking malicious traffic.
2. Sending alerts to security administrators.

4. What is the role of feature extraction in the IDS process?
Answer: Feature extraction identifies and selects key data attributes that help distinguish between normal and malicious activity.

5. Mention any two use cases of non-credentialed vulnerability scanning.
Answer:

1. Scanning a public-facing website for exposed services.
2. Simulating an external attacker's view for security testing.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain the working of anomaly-based IPS with a real-life example.
Answer:

• Anomaly-based IPS learns normal behavior of network traffic.
• It compares current activity to the learned baseline.
• If the activity deviates significantly, it flags or blocks it.
  Example: A user normally downloads small files, but suddenly downloads 5 GB at midnight. IPS blocks it as an anomaly.

7. Describe the architecture of IPS with the role of each component.
Answer:

1. Sensor: Captures and monitors live traffic.
2. Analysis Engine: Examines traffic using detection techniques.
3. Signature Database: Stores known attack patterns.
4. Response Module: Executes actions like blocking or alerting.
5. Management Console: Interface for configuration and monitoring.

Flow: Traffic → Sensor → Engine → Match Signature → Response → Admin via Console.

8. Compare the strengths and weaknesses of signature-based and anomaly-based IDS models.

9. How does vulnerability analysis help in securing a network? Explain with examples.
Answer:

• Identifies weaknesses in systems before attackers exploit them.
• Helps prioritize patching based on risk.
  Example:
• Finds unpatched software on a server → Admin applies patch.
• Detects open ports on a router → Admin restricts access.
• Overall, it strengthens the network by fixing known flaws.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. A company wants to secure its wireless network. Suggest a suitable IPS type and explain how it works with practical benefits.
Answer:

Suggested IPS Type: Wireless Intrusion Prevention System (WIPS)

How It Works:

• Monitors wireless airspace for unauthorized access points and devices.
• Detects rogue APs, evil twins, and suspicious Wi-Fi traffic.
• Blocks unauthorized connections and alerts administrators.

Practical Benefits:

• Prevents Wi-Fi-based attacks like sniffing or spoofing.
• Ensures only trusted devices can connect.
• Protects sensitive business data in wireless environments.
• Reduces insider and outsider Wi-Fi risks.

11. Explain the IDS evaluation metrics (TP, FP, FN, Precision, Recall, F1-Score) in detail using a simple example.
Answer:

Example Scenario:
Out of 100 events,

• 40 were actual attacks.
• IDS correctly detected 30 (TP).
• Missed 10 real attacks (FN).
• Raised 20 wrong alerts (FP).

Metrics:

• True Positive (TP): Real attacks correctly detected = 30
• False Positive (FP): Normal actions wrongly flagged = 20
• False Negative (FN): Real attacks missed = 10
• Precision: TP / (TP + FP) = 30 / (30 + 20) = 0.6
• Recall: TP / (TP + FN) = 30 / (30 + 10) = 0.75
• F1-Score: 2 * (Precision * Recall) / (Precision + Recall)
  = 2 * (0.6 * 0.75) / (0.6 + 0.75) ≈ 0.666

Conclusion:

• Precision shows correctness of alerts.
• Recall shows how well IDS detects actual threats.
• F1 balances both, useful for overall performance measure.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is a host-based IPS and where is it used?
Answer: A host-based IPS (HIPS) is installed on individual devices like servers or computers to monitor and block threats locally. It is used to protect endpoints from internal and external attacks.

2. Mention any two disadvantages of anomaly-based detection.
Answer:

1. High rate of false positives.
2. Requires constant updates to the baseline as behavior changes.

3. What does the analysis engine do in IPS architecture?
Answer: It examines captured data and applies detection rules or models to identify suspicious or malicious activity.

4. Define the term “hybrid model” in the context of IDS.
Answer: A hybrid IDS model combines signature-based and anomaly-based detection methods to improve accuracy and cover both known and unknown threats.

5. List two advantages of credentialed vulnerability scanning.
Answer:

1. Provides deeper visibility into system configurations.
2. Reduces false positives by authenticating and accessing internal settings.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain the difference between detection and prevention in network security.
Answer:

• Detection: Identifies and alerts about malicious activity without stopping it (e.g., IDS).
• Prevention: Actively blocks or stops threats in real time (e.g., IPS).
  Example: An IDS detects a DDoS attempt; an IPS blocks the malicious traffic.

7. Write a short note on machine learning models used in IDS.
Answer:

• Supervised Learning: Trained with labeled data (e.g., SVM, Decision Tree) to detect known attack types.
• Unsupervised Learning: Finds anomalies in unlabeled data (e.g., K-Means, Isolation Forest).
• Reinforcement Learning: Learns optimal response actions by interacting with the environment.
  Benefit: Adapts to new threats and improves detection accuracy.

8. Describe how IPS integrates with firewalls and endpoint protection tools.
Answer:

• With Firewalls: IPS adds deep-packet inspection beyond firewall rules. It blocks threats the firewall might miss.
• With Endpoints: Works with antivirus/EDR to monitor behavior locally and network-wide.
• Integration Benefits: Better coordination, layered defense, reduced gaps in coverage.

9. Explain the process of anomaly detection using baseline profiling with an example.
Answer:

1. Baseline Creation: System learns normal behavior (e.g., login time, file access).
2. Monitoring: Current behavior is compared to the baseline.
3. Detection: Significant deviation is flagged as a possible threat.
   Example: A user logs in at midnight from a new location — flagged as anomaly.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain the complete vulnerability analysis process using both credentialed and non-credentialed methods. Give practical use cases.
Answer:
Credentialed Scanning:

• Uses login credentials to scan systems internally.
• Checks configuration files, software versions, and patch status.
• Use Case: Internal audit for compliance.

Non-Credentialed Scanning:

• Scans like an outsider with no login.
• Finds exposed ports, services, and known vulnerabilities.
• Use Case: Simulating an external attacker view.

Complete Process:

1. Define scope (devices, IPs).
2. Choose scan types (credentialed + non-credentialed).
3. Run scans using tools (e.g., Nessus, OpenVAS).
4. Analyze results and prioritize vulnerabilities.
5. Apply patches or mitigation measures.
6. Re-scan to verify resolution.

11. Describe different types of Intrusion Prevention Systems (NIPS, HIPS, WIPS, AL-IPS) with suitable examples.
Answer:

Summary:

• NIPS: Best for network-wide protection.
• HIPS: Useful for internal host-level defense.
• WIPS: Prevents Wi-Fi-based attacks.
• AL-IPS: Protects against app-specific threats like SQL injection.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is meant by real-time traffic monitoring in IPS?
Answer: It refers to the continuous inspection of network traffic as it flows, allowing the IPS to detect and block malicious packets instantly.

2. Define the term “false negative” in intrusion detection.
Answer: A false negative occurs when an IDS fails to detect a real attack, allowing it to go unnoticed and cause harm.

3. Name any two machine learning algorithms used in IDS.
Answer:

1. Support Vector Machine (SVM)
2. K-Means Clustering

4. What is the purpose of alert generation in IDS process models?
Answer: To notify security teams when suspicious or malicious activity is detected, enabling quick investigation and response.

5. Mention two factors considered while selecting a process model for IDS.
Answer:

1. Type of environment (e.g., cloud, enterprise)
2. Desired detection method (signature-based, anomaly-based, or hybrid)

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Describe the advantages and limitations of wireless intrusion prevention systems (WIPS).
Answer:
Advantages:

• Detects rogue access points and unauthorized devices.
• Protects against wireless-specific threats like Evil Twin attacks.

Limitations:

• May generate false positives from legitimate devices.
• Can be bypassed if not updated regularly with new threat patterns.

7. Explain how an IPS blocks malicious traffic. Use a simple example to support your answer.
Answer:

• IPS inspects incoming packets using signatures or behavior analysis.
• If traffic matches a known threat, it blocks or drops the packets.
  Example: If a packet contains SQL injection code like OR 1=1, the IPS recognizes it as malicious and drops it before it reaches the database server.

8. What are the key challenges faced during IDS deployment in large organizations?
Answer:

• Scalability: Handling huge volumes of data across multiple locations.
• False Positives: May overwhelm security teams.
• Integration: Difficulties integrating with existing security infrastructure.
• Latency: Real-time analysis may slow down the network.

9. Compare the roles of Snort and Zeek as intrusion detection tools.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Describe the working of a hybrid IDS process model with each phase explained clearly.
Answer:
A hybrid IDS combines signature-based and anomaly-based detection for better accuracy.

Phases:

1. Data Collection: Captures network/system data like traffic logs and user activity.
2. Preprocessing: Filters and normalizes data to remove noise and standardize input.
3. Feature Extraction: Identifies key attributes (e.g., IP addresses, port numbers, packet sizes).
4. Signature Matching: Compares data against a database of known attack patterns.
5. Anomaly Detection: Evaluates deviation from normal behavior using statistical or ML models.
6. Correlation and Decision Engine: Integrates results from both methods to reduce false positives.
7. Alert Generation: If a threat is confirmed, generates an alert.
8. Response/Action: May involve logging, alerting, or triggering an external response.

Benefit: Detects both known and unknown threats with lower error rates.

11. A company is planning to implement IDS and vulnerability scanning. Suggest a suitable setup and explain how the systems will work together.
Answer:

Suggested Setup:

• Network IDS (e.g., Snort): Deployed at the perimeter and key network segments to monitor traffic.
• Host-based IDS (HIDS): Installed on critical servers to track file integrity and system activity.
• Credentialed Vulnerability Scanning (e.g., Nessus): Performed regularly inside the network to detect misconfigurations and unpatched software.
• Non-Credentialed Scanning: Used externally to simulate an attacker’s view.

How They Work Together:

• Vulnerability Scanners: Find weaknesses (e.g., open ports, outdated software).
• IDS: Monitors and detects if any vulnerabilities are being exploited.
• Integration: Scan results help IDS prioritize alerts; IDS alerts help scanning tools focus on high-risk areas.
• Outcome: Continuous protection with proactive identification and reactive detection of threats.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is meant by anomaly in network behavior?
Answer: An anomaly is any unusual or unexpected pattern in network traffic that deviates from normal behavior and may indicate a security threat.

2. Define the role of the response system in IPS architecture.
Answer: The response system takes action when a threat is detected—such as blocking traffic, dropping packets, or sending alerts to mitigate the risk.

3. Mention two common sources of data for IDS.
Answer:

1. Network traffic (e.g., packet captures)
2. System logs (e.g., login attempts, file access logs)

4. What is meant by automated response in IPS?
Answer: Automated response refers to the IPS taking immediate predefined actions (like blocking malicious IPs) without human intervention.

5. List two benefits of using machine learning in IDS.
Answer:

1. Can detect new and unknown threats (zero-day attacks).
2. Reduces false positives by learning from patterns.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain how non-credentialed scans simulate external hacker behavior.
Answer:

• Non-credentialed scans operate without login credentials.
• They view the system from an outsider's perspective.
• These scans test publicly accessible services, open ports, and known vulnerabilities.
• Example: A scan reveals outdated software exposed to the internet, mimicking how a hacker would find a target.

7. What are the steps involved in signature-based intrusion detection?
Answer:

1. Data Collection: Traffic or system data is captured.
2. Preprocessing: The data is cleaned and structured.
3. Signature Matching: The data is compared to a database of known attack patterns.
4. Alert Generation: If a match is found, an alert is generated.
5. Logging: The event is logged for further analysis.

8. Compare IPS and IDS in terms of functionality and usage.

9. Describe how a statistical model can be used in IDS with an example.
Answer:

• A statistical model uses data like average login attempts per hour or average packet size.
• It sets thresholds for "normal" behavior.
• If activity exceeds this threshold, it's flagged.
  Example: If a user typically logs in twice a day but logs in 20 times suddenly, it’s flagged as an anomaly.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Write a detailed note on the challenges faced in vulnerability analysis and suggest ways to handle them effectively.
Answer:

Challenges:

1. Large Number of Systems: Scanning thousands of systems may be time-consuming.
2. False Positives: Not all flagged issues are real threats.
3. Scan Interruptions: Scans can slow down or crash weak systems.
4. Incomplete Coverage: Credential issues or network errors can miss parts of the system.
5. Patch Prioritization: Not all vulnerabilities can be fixed at once.

Solutions:

• Use scheduling to scan during off-hours.
• Tune scanners to reduce false positives.
• Combine credentialed and non-credentialed scans.
• Integrate with patch management tools.
• Use risk-based prioritization based on CVSS and business impact.

11. Design a simple IPS deployment for a small office network. Include type of IPS, placement, and basic actions.
Answer:

Type of IPS:

• Network-Based IPS (NIPS) for monitoring internet traffic.
• Optional Host-Based IPS (HIPS) for key servers.

Placement:

• NIPS placed between the router and internal switch (inline).
• HIPS installed on important machines like file servers.

Basic Actions:

• Block known threats using signature-based rules.
• Drop suspicious traffic using anomaly detection.
• Send alerts to the administrator dashboard.
• Quarantine infected systems using automated rules.

Benefits:

• Real-time protection for internal users.
• Early warning for abnormal behavior.
• Easy to manage and update with limited resources.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is the purpose of IPS in a network security system?
Answer: The purpose of IPS is to monitor network traffic in real time and automatically block or prevent malicious activities before they cause harm.

2. Define the term “threat signature.”
Answer: A threat signature is a predefined pattern or rule that identifies a known type of malicious behavior or attack.

3. List two key limitations of using only non-credentialed scanning.
Answer:

1. Limited visibility into internal system configurations.
2. Higher chances of false positives or missed internal vulnerabilities.

4. Mention two types of alerts that can be generated by IDS.
Answer:

1. Suspicious login attempts
2. Malware or exploit detection alerts

5. What does an IPS do when it identifies a malicious packet?
Answer: The IPS blocks or drops the packet and may also alert the administrator and log the event for further analysis.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain the difference between a host-based and network-based intrusion detection system.
Answer:

• Host-Based IDS (HIDS):

  • Monitors individual systems for suspicious activity.
  • Detects file changes, unauthorized access, or malware.
  • Example: OSSEC

• Network-Based IDS (NIDS):

  • Monitors entire network traffic for attack patterns.
  • Detects DoS, port scanning, or protocol misuse.
  • Example: Snort

7. Describe how machine learning can help reduce false positives in IDS.
Answer:

• ML models learn from real-world data and improve detection accuracy.
• By analyzing patterns of normal and malicious behavior, ML can distinguish between real threats and safe anomalies.
• Supervised learning helps classify events correctly, while unsupervised learning finds hidden threats without prior labeling.
• Example: A model trained to ignore large file transfers during backup times avoids false alerts.

8. Explain the importance of integrating IPS with a SIEM tool.
Answer:

• SIEM aggregates data from various sources, including IPS.
• IPS alerts sent to SIEM are correlated with logs from other systems (firewalls, servers, etc.).
• This provides a complete view of threats and helps prioritize responses.
• Improves incident detection, investigation, and compliance reporting.

9. How does the use of baseline behavior help anomaly-based IDS detect threats?
Answer:

• Baseline behavior represents normal activity patterns.
• Anomaly-based IDS compares current activity to this baseline.
• Any significant deviation is flagged as suspicious.
• Example: If a user suddenly downloads hundreds of files, it's detected as an anomaly.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain the complete process of implementing credentialed vulnerability analysis in a corporate environment.
Answer:
Steps:

1. Planning:

   • Identify systems to scan.
   • Define access policies and scan frequency.

2. Credential Setup:

   • Create secure read-only user accounts for scanning.
   • Store credentials securely in the scanner.

3. Tool Selection:

   • Use tools like Nessus or OpenVAS that support credentialed scans.

4. Scanning:

   • Scan systems using valid credentials to access deeper system info.
   • Identify missing patches, insecure configurations, and outdated software.

5. Analysis:

   • Review scan results.
   • Prioritize vulnerabilities based on severity and impact.

6. Remediation:

   • Apply patches and reconfigure systems.
   • Re-scan to verify resolution.

Benefits:

• Accurate detection
• Fewer false positives
• Comprehensive view of internal risks

11. Discuss the role and working of IPS in stopping a DDoS attack with a real-life example.
Answer:
Role of IPS:

• Monitors traffic for high-volume, unusual patterns.
• Identifies and blocks malicious IPs or request floods.
• Prevents service disruption by controlling the flow of data.

Working Example:

• A retail website faces a SYN flood attack.
• IPS detects an abnormal surge in TCP SYN packets.
• It blocks the source IPs or rate-limits the connections.
• Normal users continue to access the site, and the attack impact is reduced.

Real-Life Example:

• Cloudflare’s IPS protects websites during DDoS campaigns by filtering malicious traffic in real-time and allowing only legitimate requests.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is meant by deep packet inspection in IPS?
Answer: Deep packet inspection (DPI) is the process of examining the contents of data packets beyond just headers to detect malicious code, policy violations, or intrusion attempts.

2. Define the term "true negative" in the context of IDS.
Answer: A true negative occurs when the IDS correctly identifies normal, non-malicious activity and does not generate a false alert.

3. List any two deployment challenges in IPS.
Answer:

1. Network latency due to inline deployment.
2. Complex configuration and tuning to avoid false positives.

4. What is a baseline profile in anomaly detection?
Answer: It is a statistical model of normal system or network behavior used to detect deviations that may indicate threats.

5. Mention two reasons for using hybrid IDS models.
Answer:

1. To detect both known and unknown attacks.
2. To reduce false positives by combining strengths of different detection methods.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Write a short note on the use of Snort as an intrusion detection system.
Answer:

• Snort is an open-source, signature-based IDS.
• It uses rules to detect known attack patterns in network traffic.
• Snort can perform real-time traffic analysis and log alerts.
• It supports packet sniffing, protocol analysis, and content searching.

7. Explain how IPS can respond to a brute-force attack attempt.
Answer:

• IPS detects repeated failed login attempts from the same IP or user.
• It uses behavior or threshold-based rules to recognize brute-force patterns.
• Once detected, IPS can block the attacking IP, throttle login attempts, or alert administrators.
• This prevents system overload and protects against credential theft.

8. Compare and contrast the alert generation phase in signature-based and anomaly-based IDS.

9. What are the benefits of combining IDS with automated vulnerability scanning tools?
Answer:

• Improves threat detection by correlating live threats with known system weaknesses.
• Helps prioritize alerts based on real-time vulnerability data.
• Enables faster patching and incident response.
• Reduces manual effort and increases efficiency in identifying and fixing security gaps.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Explain how a hybrid IPS system operates in an enterprise network and improves threat detection accuracy.
Answer:

• Hybrid IPS combines signature-based and anomaly-based detection methods.
• Signature Engine: Matches incoming traffic with a database of known threats.
• Anomaly Engine: Detects new, unknown threats by monitoring deviations from normal behavior.
• Deployment: Inline between internet gateway and internal network.
• Operation:
  • Signature detects known malware, exploits, worms.
  • Anomaly detects zero-day attacks or insider threats.
• Response: Blocks packets, drops connections, alerts security team.
• Benefit: High accuracy, reduced false positives, and broader threat coverage.
• Example: Detects a known ransomware signature and flags a suspicious pattern of abnormal file transfers.

11. Describe the complete flow of IDS process from data collection to response, using a labeled diagram.
Answer:

Phases of IDS Process:

1. Data Collection:

   • Gathers logs, packet data from hosts/network.

2. Preprocessing:

   • Cleans and formats data (removes noise, normalizes).

3. Feature Extraction:

   • Identifies relevant indicators like IPs, ports, protocols.

4. Detection Engine:

   • Applies detection logic (signature or anomaly).

5. Alert Generation:

   • Issues an alert if suspicious behavior is detected.

6. Response/Logging:

   • Logs the event and notifies admin or triggers automatic responses.

Diagram (Text-based):

[Data Collection]  
            ↓  
            [Preprocessing]  
            ↓  
            [Feature Extraction]  
            ↓  
            [Detection Engine]  
            ↓  
            [Alert Generation]  
            ↓  
            [Response & Logging]
            

Explanation: This flow ensures timely threat detection and appropriate response in an automated, layered security setup.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What does it mean when an IDS operates in promiscuous mode?
Answer: In promiscuous mode, an IDS captures and inspects all network traffic, not just traffic addressed to it, allowing comprehensive monitoring of the entire network segment.

2. Define “event correlation” in the context of intrusion detection.
Answer: Event correlation is the process of linking multiple security alerts or logs to identify patterns that indicate coordinated or complex attacks.

3. Mention any two use cases of IPS in industrial control systems (ICS).
Answer:

1. Blocking unauthorized access to SCADA systems.
2. Preventing malware from reaching programmable logic controllers (PLCs).

4. What is meant by post-compromise detection in IDS?
Answer: Post-compromise detection refers to identifying attacker activities that occur after an initial system breach, such as lateral movement or data exfiltration.

5. Why is log retention important for forensic analysis in IDS/IPS?
Answer: Log retention ensures that historical data is available for analyzing past attacks, understanding the attack path, and supporting legal evidence if needed.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. How can a DNS tunneling attack be detected using intrusion detection techniques?
Answer:

• DNS tunneling can be identified by inspecting DNS query patterns.
• Unusual length of queries, high frequency, or encoded payloads are red flags.
• An IDS can flag repetitive, abnormally long or rare domain queries.
• Correlation with network behavior helps confirm the presence of covert channels.

7. Describe the differences in detection goals between endpoint detection and intrusion detection systems.
Answer:

• Endpoint Detection (EDR): Focuses on individual devices; detects malware, file tampering, or suspicious processes.
• Intrusion Detection (IDS): Monitors network traffic for unauthorized access or attack patterns.
• EDR Goal: Protect endpoints from internal compromise.
• IDS Goal: Monitor network perimeters and traffic patterns for threats.

8. What precautions should be taken while scanning IoT devices for vulnerabilities?
Answer:

• Use passive scanning when possible to avoid device crashes.
• Schedule scans during maintenance windows.
• Update scanning tools with IoT-specific signatures.
• Ensure secure access credentials and avoid brute-force testing.
• Test on isolated networks to prevent operational disruptions.

9. Explain how IDS logs can support incident response and legal investigation.
Answer:

• Logs provide a timeline of suspicious activities and attack patterns.
• Help identify compromised systems, data accessed, and attacker origin.
• Serve as evidence in legal cases when properly preserved.
• Assist in recreating the attack scenario during incident analysis.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. As a cybersecurity officer in a hospital network, design an intrusion monitoring approach that balances patient data privacy, real-time detection, and system performance.
Answer:

• Approach Overview: Use a hybrid IDS with role-based access controls and privacy-aware logging.
• Data Privacy:
  • Encrypt sensitive logs.
  • Mask patient identifiers in detection rules.
  • Use tokenization to anonymize logs without losing analytical value.
• Real-Time Detection:
  • Deploy inline IDS for critical systems (e.g., patient records, lab results).
  • Monitor internal and external traffic separately.
• Performance Balance:
  • Use lightweight, behavior-based agents on medical devices.
  • Offload intensive analysis to a central SIEM.
  • Schedule scans during off-peak hours.
• Response Plan:
  • Immediate alerts for data access anomalies.
  • Integration with endpoint tools to isolate infected systems.
  • Incident playbooks tailored to medical compliance standards like HIPAA.

11. Explain the role of deception technologies (like honeypots and honeytokens) in enhancing IDS efficiency. Include deployment strategy and use cases.
Answer:

• Role:
  • Honeypots act as fake systems to lure attackers and study their behavior.
  • Honeytokens are fake credentials or files planted to trigger alerts if accessed.
• Enhancing IDS:
  • Diverts attackers from real systems.
  • Detects zero-day or stealthy intrusions early.
  • Reduces false positives by isolating unexpected interactions.
• Deployment Strategy:
  • Place honeypots in segmented, monitored zones.
  • Deploy honeytokens in shared drives, databases, or APIs.
  • Integrate with IDS to log access attempts as high-severity alerts.
• Use Cases:
  • Detect insider threats in corporate environments.
  • Monitor targeted attacks in government or financial networks.
  • Test attacker tactics in controlled research labs.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is an evasion-aware intrusion detection strategy?
Answer: It is a detection approach that anticipates and identifies attacker techniques designed to bypass IDS, such as packet fragmentation, encoding, or timing manipulation.

2. State the meaning of behavioral whitelisting in network security.
Answer: Behavioral whitelisting allows only pre-approved patterns of system or user behavior, blocking any unrecognized or abnormal activity to prevent intrusions.

3. Give two examples of low-interaction intrusion decoys used in detection.
Answer:

1. Fake login portals that log access attempts.
2. Dummy SSH services that record connection trials.

4. What is “alert fatigue,” and how does it affect analyst response quality?
Answer: Alert fatigue occurs when analysts are overwhelmed by too many alerts, leading to slower response times, missed real threats, or desensitization to important warnings.

5. Define session reconstruction in the context of IDS analysis.
Answer: Session reconstruction involves reassembling fragmented network packets into complete sessions to better analyze user behavior or detect complex attack sequences.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain how protocol-aware detection helps in reducing false alerts in modern traffic inspection.
Answer:

• Protocol-aware detection understands the expected structure and behavior of specific protocols (e.g., HTTP, DNS).
• It distinguishes between normal and suspicious use, avoiding misinterpretation of legitimate variations.
• Reduces false positives caused by malformed but non-malicious packets.
• Enables deeper inspection at the application layer for protocol misuse or tunneling.

7. How does lateral threat movement within segmented networks challenge conventional intrusion detection tools?
Answer:

• Lateral movement uses internal connections that may not be visible to perimeter IDS.
• Attackers mimic legitimate users moving between segments.
• Conventional IDS often lack visibility into east-west traffic or require extensive reconfiguration.
• Detection requires deeper behavioral analytics and endpoint visibility within each segment.

8. What considerations must be made when deploying IDS in a 5G edge computing environment?
Answer:

• Low Latency: IDS must operate without introducing delay.
• Distributed Architecture: IDS should scale across many edge nodes.
• Bandwidth Constraints: Efficient data collection and analysis are needed.
• Mobility and Dynamic Topology: IDS must adapt to changing device locations and sessions.
• Privacy Compliance: Ensure compliance with regional and data sovereignty laws.

9. Discuss the implications of using anonymized logs for collaborative IDS model training across organizations.
Answer:

• Benefits: Enables shared threat intelligence without revealing sensitive data.
• Challenges: Anonymization may remove important context or patterns.
• Security Risk: Improperly anonymized logs may be deanonymized.
• Outcome: If handled correctly, fosters collective defense and strengthens ML-based IDS across industries.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Design a strategy to detect insider threats using identity behavior analytics and peer group comparison in a university network.
Answer:

• Step 1: Identity Mapping

  • Link user IDs with devices, locations, and access levels.

• Step 2: Behavior Profiling

  • Track login times, file access patterns, and application use for each user.

• Step 3: Peer Group Modeling

  • Group users by role (e.g., students, faculty) and define normal behavior ranges.

• Step 4: Anomaly Detection

  • Detect outliers like a faculty member downloading large student data sets at night.

• Step 5: Alert & Investigate

  • Trigger alerts for unusual behavior compared to peers.
  • Combine with access logs and physical presence for correlation.

• Privacy Safeguard:

  • Use anonymized metadata and ensure compliance with institutional policies.

11. Propose a scalable intrusion detection model for smart cities involving public infrastructure, and explain how it addresses visibility, latency, and interoperability.
Answer:

• Architecture:

  • Distributed IDS sensors on transport, utility, and IoT systems.
  • Centralized analytics in cloud or municipal data center.
  • Edge processing units for time-sensitive decisions.

• Visibility:

  • Monitor diverse sources like traffic signals, water systems, CCTV.
  • Use API integrations with legacy and modern devices.

• Latency Control:

  • Lightweight IDS at the edge for real-time actions (e.g., isolate traffic light nodes).
  • Delay-tolerant event forwarding to the central dashboard.

• Interoperability:

  • Standardized protocols like MQTT, OPC-UA, and syslog.
  • AI-based adapters for non-standard legacy systems.

• Benefits:

  • Prevents sabotage or failure of public systems.
  • Ensures safe, responsive, and connected urban infrastructure.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is anomaly scoring, and how is it different from binary threat classification?
Answer: Anomaly scoring assigns a risk score to events based on their deviation from normal behavior, while binary classification labels events as simply "normal" or "malicious," without ranking severity.

2. Define time-to-detection (TTD) and explain its significance in intrusion response.
Answer: TTD is the time taken to detect an intrusion after it occurs. Lower TTD enables faster containment, reducing damage and recovery time.

3. What is meant by microsegmentation in networks, and how does it relate to detection scope?
Answer: Microsegmentation divides a network into small, isolated zones. It narrows the detection scope, making lateral movement more visible and attacks easier to contain.

4. Name two ways deception grids improve threat hunting capabilities.
Answer:

1. They lure attackers into fake environments, revealing intent and tactics.
2. They create false targets, allowing analysts to trace intrusion paths without risking real assets.

5. What does “kill chain disruption” refer to in the context of proactive detection?
Answer: It involves identifying and interrupting steps in an attack lifecycle (like reconnaissance or lateral movement) before the attacker completes their objective.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. How does cross-domain intrusion detection work in military-grade networks with isolated trust zones?
Answer:

• Each domain operates within strict security boundaries.
• Detection occurs independently in each zone using domain-specific IDS.
• Cross-domain correlation engines (air-gapped or controlled links) aggregate and analyze alerts.
• Specialized gateways ensure that only metadata or sanitized threat signals are shared across zones.

7. Discuss how privacy-preserving intrusion detection is implemented in healthcare using federated anomaly models.
Answer:

• Federated learning trains models across hospitals without centralizing patient data.
• Each institution keeps its data locally while contributing model updates.
• Anomaly detection models are shared and improved collaboratively.
• This protects patient confidentiality and complies with health data privacy laws like HIPAA.

8. Explain the benefits of integrating intrusion detection into DevSecOps pipelines.
Answer:

• Enables early detection of insecure code or misconfigurations during development.
• Automates vulnerability scanning and behavior profiling in CI/CD workflows.
• Reduces attack surface before deployment.
• Encourages collaboration between developers and security teams, fostering a “shift-left” mindset.

9. What role does temporal data analysis play in detecting slow-developing multi-stage attacks?
Answer:

• Tracks events over time to identify patterns that might be missed in single-point detections.
• Detects gradual privilege escalation or staged data exfiltration.
• Helps correlate low-severity alerts into high-risk incidents by observing progression.
• Useful in identifying advanced persistent threats (APTs).

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Design an intrusion monitoring and prevention framework for autonomous delivery drones, focusing on real-time telemetry anomalies and control signal validation.
Answer:

Framework Components:

1. Telemetry Anomaly Detection:

   • Monitor GPS drift, altitude deviation, or power anomalies.
   • Real-time onboard ML model compares sensor data against known flight profiles.

2. Control Signal Validation:

   • Enforce cryptographic authentication of remote commands.
   • Use nonce or timestamp validation to prevent replay attacks.

3. Edge-based IDS:

   • Lightweight IDS module on drone processes data locally.
   • Alerts relayed to central controller via secure channel.

4. Cloud Integration:

   • Fleet-wide behavior analytics to detect coordinated attacks.
   • Threat intelligence feedback loop improves model accuracy.

5. Fail-safe Response:

   • In case of anomaly, drone enters lockdown mode, returns to base, or disables remote access.

Benefits:

• Minimizes damage from hijacks or command spoofing.
• Enhances reliability of delivery infrastructure.

11. As a cybersecurity lead in a financial tech company, propose a method for detecting fraud-based intrusions using contextual identity, location, and transaction intelligence.
Answer:

Proposed Method:

1. Contextual Identity Tracking:

   • Create user behavior profiles (login time, device fingerprint, IP history).
   • Detect anomalies like simultaneous logins from different geolocations.

2. Location Intelligence:

   • Correlate geolocation data with known client behavior.
   • Use velocity checks (e.g., can't be in India and US within 10 minutes).

3. Transaction Intelligence:

   • Analyze transaction frequency, amount, and recipient patterns.
   • Flag unexpected transfers or sudden changes in behavior.

4. Adaptive Risk Scoring:

   • Assign dynamic risk scores to each session.
   • Trigger step-up authentication or alert when score exceeds threshold.

5. Real-time Response Integration:

   • Automatically pause suspicious sessions.
   • Alert fraud team and log all evidence for investigation.

Outcome:

• Reduces fraud loss.
• Enhances customer trust.
• Ensures compliance with financial regulations like PCI DSS.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is meant by event-based rule triggering in basic IDS tools?
Answer: It refers to triggering alerts when specific events (like failed login attempts or unusual traffic) match predefined rules in the IDS configuration.

2. Define blacklisting and whitelisting in simple terms.
Answer:

• Blacklisting: Blocking known bad items (e.g., IPs or files).
• Whitelisting: Allowing only known safe items and blocking everything else.

3. What is an intrusion log, and why is it stored?
Answer: An intrusion log is a record of detected suspicious activities. It is stored to review, analyze threats, and support future investigations.

4. Give two examples of simple rules that can be configured in IDS tools.
Answer:

1. Alert if more than 5 failed login attempts in 1 minute.
2. Block traffic from a specific IP address.

5. What does “pattern matching” mean in basic intrusion detection?
Answer: It means checking data for specific known sequences or keywords (like malicious commands) that match attack patterns.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain the use of colored alerts (e.g., green, yellow, red) in visual dashboards for intrusion detection systems.
Answer:

• Green: Normal or safe activity; no action needed.
• Yellow: Warning or suspicious activity; requires attention.
• Red: Confirmed or high-risk attack; needs immediate response.
  Color coding helps staff quickly understand threat levels and respond faster.

7. How can basic port scanning activity be flagged using IDS?
Answer:

• IDS can monitor for repeated connection attempts to many ports in a short time.
• If an external IP tries accessing unused ports or multiple services, it triggers an alert.
• Tools like Snort can use port-scan detection rules to log and block such scans.

8. Discuss the importance of updating threat detection rules in small business IDS setups.
Answer:

• New threats appear frequently; outdated rules miss them.
• Updating ensures the IDS can detect recent malware or attack patterns.
• Small businesses are often targets due to weak security, so regular updates are critical.
• Many tools offer automatic updates to make this easier.

9. Describe a simple way to monitor login failures as a sign of potential intrusion.
Answer:

• Set up a rule to log or alert if multiple failed logins occur within a short period.
• Example: More than 3 failed attempts in 1 minute.
• This can indicate brute-force attack attempts or unauthorized access.
• Admins can be notified or accounts temporarily locked.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Imagine a small company with limited technical staff. Suggest a beginner-friendly intrusion monitoring plan using open-source tools and explain how it works.
Answer:
Plan Overview:

• Use Snort for network-based intrusion detection.
• Use OSSEC for host-based monitoring of servers.
• Use Wazuh (GUI over OSSEC) for easy dashboard viewing.

Steps:

1. Install Snort on the network gateway to monitor traffic.
2. Install OSSEC on important machines to watch for file changes and login issues.
3. Set simple rules: Failed login alerts, suspicious IP alerts, file change detection.
4. Automate alerts: Configure email alerts or desktop notifications.
5. Train non-technical staff: Use a traffic light system (Green, Yellow, Red) to interpret alerts.
6. Update rules weekly with free community rule sets.
7. Backup logs and review them weekly or during incidents.

Benefit:

• Low-cost, low-maintenance solution.
• Beginner-friendly with visual dashboards.
• Enough to detect common threats like brute-force and port scans.

11. Create a simple chart showing how an IDS could handle three basic threat types (unauthorized login, file change, and port scan), including detection and action steps.

Explanation:
This table helps beginners understand how basic threats are handled step-by-step in an IDS setup. Detection is based on behavior, and actions are pre-defined to respond automatically.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What is the role of protocol state tracking in Stateful Protocol Analysis?
Answer: It ensures that communication follows expected protocol rules by monitoring each stage of the session.

2. How do evasion techniques affect the accuracy of IDS/IPS models?
Answer: They hide malicious traffic, causing IDS/IPS to miss threats or generate false negatives.

3. Mention two drawbacks of relying solely on signature databases in modern network environments.
Answer:

1. Cannot detect new or unknown attacks.
2. Needs frequent updates to stay effective.

4. What does the F1-score indicate in IDS performance evaluation?
Answer: It balances precision and recall, showing overall accuracy of detecting threats correctly.

5. How can baseline drift impact anomaly-based IDS?
Answer: If normal behavior slowly changes, the IDS may fail to detect real threats or raise false alarms.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain how autoencoders can be used in unsupervised anomaly detection for IDS.
Answer:

• Autoencoders learn to compress and reconstruct normal data.
• When tested on abnormal data, reconstruction error is high.
• IDS flags inputs with high error as potential threats.
• No need for labeled data.

7. Describe the working of a hybrid IPS that incorporates application-layer detection and machine learning models.
Answer:

• Monitors both network and application-level traffic.
• ML model learns patterns from past attacks.
• Detects threats like SQL injection, XSS at app layer.
• Works in real-time with better accuracy.

8. Discuss how encrypted traffic poses challenges for both IDS and IPS systems.
Answer:

• Encrypted data hides attack content.
• IDS/IPS can’t inspect payload without decryption.
• May miss malware, C2 communication.
• Solution: SSL/TLS termination for inspection (adds complexity).

9. Compare inline vs out-of-band IPS deployment in terms of threat handling, latency, and data integrity.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Critically evaluate the trade-offs between detection accuracy, false positives, and resource consumption in statistical IDS models. Provide real-world implications.
Answer:

• High Accuracy often means complex models, increasing CPU/RAM use.
• Low False Positives needs fine-tuning, delaying deployment.
• High Resource Use impacts performance, especially in real-time setups.
• Real-world: Hospitals or banks need accuracy without delay; balance must be maintained to avoid blocking normal services.

11. As a cybersecurity architect, propose a layered security framework using IPS, IDS, and vulnerability analysis to protect an enterprise network. Justify your design choices.
Answer:

Layered Framework:

1. Perimeter: IPS (inline) to block real-time threats.
2. Internal: IDS (passive) to monitor and alert on suspicious behavior.
3. Hosts: Regular credentialed vulnerability scans to patch systems.
4. SIEM Integration: Central analysis and logging.

Justification:

• IPS blocks attacks early.
• IDS detects bypassed or insider threats.
• Vulnerability analysis finds and fixes weak points.
• Together, they ensure defense in depth.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. What makes polymorphic and metamorphic attacks difficult to detect for traditional IDS/IPS systems?
Answer: These attacks change their code structure each time, bypassing signature-based detection by avoiding known patterns.

2. Define precision and recall in the context of IDS evaluation and explain why both are important.
Answer:

• Precision: Proportion of detected threats that are actual threats.
• Recall: Proportion of actual threats that are detected.
  Both are needed to measure accuracy and coverage of IDS.

3. How can misconfigured anomaly thresholds lead to operational security failures?
Answer:

• Too strict: Many false alarms, ignoring real alerts.
• Too loose: Misses real threats.
  Both reduce trust and effectiveness.

4. Mention two reasons why real-time IDS in cloud-native environments is challenging.
Answer:

1. Dynamic scaling and ephemeral instances.
2. Encrypted and distributed traffic flow.

5. Why is the separation of data collection and analysis layers important in scalable IDS design?
Answer:
It enables parallel processing, reduces bottlenecks, and allows independent scaling of traffic capture and detection logic.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Explain how reinforcement learning improves over traditional ML approaches in adaptive IDS environments.
Answer:

• Learns from interaction and feedback (reward/punishment).
• Adapts to evolving threats in real-time.
• Doesn't need labeled data.
• Example: Adjusts firewall rules based on attack success.

7. Discuss the architectural and operational trade-offs in combining SIEM with IDS and IPS in a SOC.
Answer:
Pros:

• Centralized visibility.
• Faster incident response.
• Correlation of diverse data sources.
  Cons:
• High setup and maintenance cost.
• Complexity in tuning rules.
• Risk of data overload without proper filters.

8. How does the choice of feature engineering techniques affect the performance of ML-based IDS models?
Answer:

• Good features improve accuracy, reduce overfitting.
• Irrelevant/noisy features cause false alerts or missed threats.
• Proper normalization and selection boost model performance.

9. Describe the impact of false negatives in credentialed vulnerability scanning in high-stakes environments like banking or healthcare.
Answer:

• Missed vulnerabilities may allow undetected exploitation.
• Can lead to data breaches, financial loss, and legal issues.
• Affects trust, patient/customer safety, and compliance status.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. A large-scale organization is facing repeated zero-day attacks despite using hybrid IDS. Design a modified detection model incorporating ML and real-time behavior analysis to minimize attack success rate.
Answer:
Proposed Model:

• Combine Hybrid IDS with ML-based behavior profiling.
• Use deep learning (e.g., LSTM) for sequential behavior analysis.
• Monitor user and process activity in real time.

Components:

1. Data Collection Layer - From endpoints, apps, and network.
2. Feature Extraction - Time-based and behavior features.
3. ML Engine - Trained on normal behavior, detects deviations.
4. Anomaly Scoring - Prioritized alerts based on severity.
5. Response System - Auto-isolation, alerting, and ticketing.

Advantages:

• Detects previously unknown attacks.
• Learns and updates from behavior patterns.
• Context-aware, reducing false positives.

11. Critically analyze the limitations of current IDS process models in detecting multi-vector attacks (e.g., combining social engineering and technical exploits). Propose improvements.
Answer:
Limitations:

• Focus mostly on technical vectors.
• Lack of context about user behavior or intent.
• Can’t correlate cross-layer attacks (e.g., phishing → malware).
• Separate treatment of email, network, and endpoint data.

Proposed Improvements:

• Cross-channel correlation using XDR (Extended Detection & Response).
• Behavioral analytics integration.
• NLP-based email scanning for social engineering.
• Real-time graph-based attack path mapping.

Result:

• Better visibility of multi-step attacks.
• Early detection and unified response.
• Higher protection against modern threats.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. Why do false positives in anomaly-based IDS pose a long-term threat to SOC efficiency?
Answer: They overwhelm analysts, causing real threats to be ignored and reducing trust in the system over time.

2. Explain the concept of alert fatigue and its relation to IDS/IPS deployment.
Answer: When too many alerts are generated, especially false ones, analysts become desensitized and may miss actual threats.

3. How does encrypted DNS (DoH/DoT) impact the visibility of IPS systems?
Answer: It hides DNS queries, preventing IPS from inspecting domain-level traffic and detecting malicious domains.

4. Define zero-day attack in the context of machine learning-based intrusion detection.
Answer: It's an unknown attack with no prior signature or pattern, making it hard for ML models trained on old data to detect.

5. How does the lack of labeled datasets limit the performance of supervised learning IDS?
Answer: The model cannot learn accurate patterns, leading to poor detection of real threats and increased false results.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Compare the efficiency of flow-based vs. packet-based detection in large-scale IDS systems.
Answer:

• Flow-based:
  • Uses metadata (IP, port, size).
  • Scalable and fast.
  • May miss payload-based attacks.
• Packet-based:
  • Inspects full content.
  • Accurate but slower.
  • Requires more storage and processing.

7. Discuss how adversarial machine learning can be used to bypass ML-based IDS models.
Answer:

• Attackers modify inputs slightly (adversarial examples) to fool IDS.
• Example: Malware modified to look like normal traffic.
• Exploits weaknesses in model training and feature sensitivity.

8. Propose a strategy for reducing computational overhead in real-time hybrid intrusion prevention systems without sacrificing accuracy.
Answer:

• Use layered filtering:

1. Lightweight signature check first.
2. ML analysis only on suspicious traffic.

• Implement parallel processing with GPU support.
• Apply caching and adaptive sampling.

9. Explain how behavior-based fingerprinting can enhance traditional vulnerability scanning techniques.
Answer:

• Tracks software or device behavior over time.
• Detects misconfigurations or risky usage not seen in static scans.
• Helps identify zero-day exposure and insider threats.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Design an advanced IDS model capable of detecting lateral movement within a zero-trust enterprise network. Highlight the data sources, analysis methods, and response logic.
Answer:

Data Sources:

• Endpoint logs
• Network flows
• User behavior (UEBA)
• Identity and access logs (IAM)

Analysis Methods:

• Graph-based anomaly detection
• Time-sequence behavior modeling (e.g., LSTM)
• Role-based access deviation checks
• Cross-layer correlation (host + network)

Response Logic:

• Alert on privilege misuse
• Auto-isolate suspicious hosts
• Block lateral connections
• Notify SOC and log to SIEM

Goal:
Detect insider threats, unauthorized access, and privilege escalation using real-time behavioral patterns.

11. Evaluate the limitations of current vulnerability analysis tools when used in DevOps pipelines. Propose a framework that integrates continuous vulnerability assessment without interrupting CI/CD workflows.
Answer:

Limitations:

• Slow scans interrupt builds.
• High false positives cause delay.
• Limited visibility into runtime behavior.
• Poor integration with containerized workflows.

Proposed Framework:

• Pre-Commit Stage: Lightweight static scans.
• Build Stage: Dependency checkers (e.g., Snyk, Trivy).
• Post-Deploy: Runtime scanners (e.g., Falco).
• CI/CD Integration: Use plugins with thresholds to allow non-critical issues to pass.
• Central Dashboard: Aggregates alerts, tracks remediation.

Benefits:

• Continuous visibility.
• Minimal impact on pipeline speed.
• Automated security enforcement.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. How does time-based evasion impact the detection logic of intrusion prevention systems?
Answer: It spreads attack steps over time to avoid triggering rate-based or threshold-based detection rules.

2. Define the concept of ‘concept drift’ in IDS and explain one implication in real-time environments.
Answer: Concept drift is the change in normal behavior patterns over time. It can cause outdated models to misclassify benign actions as threats or miss actual attacks.

3. Why is feature correlation important in high-dimensional IDS datasets?
Answer: It helps identify redundant or irrelevant features, improving model accuracy and reducing processing time.

4. How does the use of tunneling protocols affect IDS visibility and effectiveness?
Answer: Tunneling hides malicious payloads within allowed traffic, bypassing deep inspection and reducing IDS detection capability.

5. What is the impact of virtualization on the deployment of host-based IPS in dynamic cloud environments?
Answer: Frequent VM creation/destruction complicates agent management and real-time protection, requiring automated orchestration.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Propose an optimized data preprocessing pipeline for real-time IDS in edge networks.
Answer:

• Data Collection: Lightweight sensor capture.
• Filtering: Remove duplicates and irrelevant logs.
• Normalization: Convert logs into a standard format.
• Feature Selection: Use PCA or mutual information to reduce noise.
• Batching & Streaming: Micro-batch processing for speed.
• Enables low-latency, resource-efficient IDS at the edge.

7. Explain the role of ensemble learning techniques in improving the resilience of machine learning-based IDS models.
Answer:

• Combines multiple classifiers (e.g., Random Forest, Voting, Bagging).
• Increases accuracy and robustness.
• Reduces overfitting and adapts to varied attack types.
• Ensures consistent performance under adversarial conditions.

8. Discuss the challenges of implementing centralized logging and analysis for IDS in geographically distributed systems.
Answer:

• Latency: Delays in log transmission.
• Bandwidth: Large volume of data stresses networks.
• Time-sync issues: Affects event correlation.
• Scalability: Need for distributed SIEM solutions.
• Security: Ensuring encrypted, tamper-proof transmission.

9. How can blockchain be used to enhance the integrity and auditability of IPS alert logs?
Answer:

• Logs are recorded as blockchain transactions.
• Immutable and timestamped.
• Enables trusted auditing and compliance checks.
• Prevents tampering even by insiders.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. A national-level data center needs to defend against APTs (Advanced Persistent Threats). Design a multi-stage IDS/IPS framework using hybrid AI techniques, deception technologies, and active threat intelligence feeds.
Answer:

Framework Design:

1. Perimeter Layer:

   • AI-driven IPS (signature + anomaly).
   • Real-time threat intel feeds (STIX/TAXII).

2. Internal Monitoring:

   • Host-based IDS with behavioral ML.
   • UEBA to detect lateral movement.

3. Deception Layer:

   • Honeypots and decoy services.
   • Detect silent reconnaissance and APT footholds.

4. Threat Correlation:

   • SIEM + SOAR for automated triage.
   • AI correlates cross-vector attacks.

5. Response:

   • Automated containment (e.g., microsegmentation).
   • Threat sharing with national CERT.

Result:
Real-time, adaptive defense that traps APTs early and reacts based on learned behavior.

11. Analyze the weaknesses of periodic vulnerability scanning in agile development. Propose an intelligent agent-based model for continuous in-depth scanning and automated patch prioritization.
Answer:

Weaknesses of Periodic Scanning:

• Misses short-lived vulnerabilities in fast CI/CD cycles.
• Delays in detection → late patching.
• Manual triaging creates backlog.

Proposed Model:

• Agent-based Scanners:

  • Deployed across environments (VMs, containers).
  • Run continuously with low system impact.

• Real-time Prioritization Engine:

  • Uses exploitability, asset criticality, and threat intel.
  • Ranks patches using AI-driven scoring.

• Integration with DevOps:

  • Hooks into CI tools (e.g., Jenkins, GitLab CI).
  • Triggers scans post-build and post-deploy.

• Dashboard & Automation:

  • Auto-patching for low-risk fixes.
  • Analyst alert for critical CVEs.

Outcome:
Zero-delay detection, reduced backlog, and automated mitigation with minimal disruption.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. How do timing side-channels affect the detection reliability of IPS under encrypted traffic flows?
Answer: They leak sensitive timing patterns even in encrypted traffic, which attackers can use to mimic benign behavior and evade IPS detection.

2. Why is memory forensics rarely integrated into live IDS/IPS systems, and what risks does this pose?
Answer: It is resource-intensive and disrupts system performance; this omission allows fileless malware and in-memory attacks to go undetected in real time.

3. How can cross-layer evasion strategies render multi-modal IDS ineffective?
Answer: Attackers spread indicators across layers (e.g., app + network) to stay under detection thresholds at each layer, defeating isolated or poorly-correlated IDS models.

4. Explain why high entropy in traffic patterns is a red flag and how anomaly detectors struggle to quantify it.
Answer: High entropy suggests encrypted or obfuscated payloads; anomaly detectors often lack contextual baselines to distinguish legitimate encryption from malicious obfuscation.

5. Why is zero-trust architecture inherently in conflict with traditional perimeter-based IDS models?
Answer: Zero-trust assumes no trusted internal zones, while perimeter IDS focuses on border monitoring, making it blind to internal lateral threats.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Critically evaluate how graph-based anomaly detection could be applied to detect insider threats in hybrid cloud environments.
Answer:

• Models user and resource interactions as dynamic graphs.
• Detects unusual node-link behavior (e.g., abnormal access paths).
• Works across cloud and on-prem systems by correlating logs.
• Challenges include data volume, real-time computation, and false graph anomalies.

7. Explain how container orchestration (e.g., Kubernetes) introduces new attack surfaces and complicates intrusion detection.
Answer:

• Dynamic pods/IPs hinder consistent tracking.
• Control-plane components (e.g., kube-apiserver) are targets.
• Lateral movement via shared volumes or namespaces is hard to detect.
• Traditional IDS lacks visibility into inter-pod and intra-cluster traffic.

8. What are the architectural implications of deploying IPS in high-frequency trading systems where latency is intolerable?
Answer:

• Inline IPS adds microseconds, unacceptable for trades.
• Solutions: Out-of-band passive IDS, hardware-based accelerators.
• Must balance between detection depth and nanosecond precision.
• Requires lossless packet capture with zero buffering.

9. Discuss how polymorphic worms challenge ML-based IDS models and propose a potential counter-approach using adversarial robustness techniques.
Answer:

• Polymorphic worms mutate their payloads, confusing pattern learners.
• ML models overfit to past samples, fail on new variants.
• Counter-Approach:
  • Use adversarial training with synthetic worm variations.
  • Employ feature-hardening and regularization to resist evasion.
  • Use generative models (e.g., GANs) to simulate unseen attacks.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. Design an enterprise-wide, self-healing security architecture that dynamically adapts IDS/IPS thresholds and models based on real-time threat intelligence, business continuity requirements, and AI-driven SLA priorities.
Answer:

Architecture Components:

1. Dynamic Risk Engine:

   • Consumes live threat intel (MITRE ATT&CK, CVE feeds).
   • Adjusts IDS/IPS detection thresholds in real time.

2. AI-Powered SLA Manager:

   • Maps threat response to service importance.
   • Prioritizes defense for critical applications (e.g., finance vs. dev servers).

3. Self-Healing Loop:

   • Uses reinforcement learning to adapt detection models.
   • Triggers automated mitigation (e.g., isolation, patch deployment).

4. Data Lake + SIEM:

   • Ingests telemetry from endpoints, cloud, and network.
   • Enables unified analytics and historical baselining.

5. Policy Layer:

   • Defines business continuity needs.
   • Sets acceptable risk for each function.

Workflow:
Threat detected → SLA engine ranks affected asset → Model adjusts rules → System auto-defends and logs actions → Feedback updates future decisions.

11. Critically analyze the role of explainable AI (XAI) in mission-critical IDS deployments where false positives may shut down life-support systems or autonomous vehicles. Propose a practical XAI integration model.
Answer:

Role of XAI in Critical IDS:

• Increases trust by justifying alerts.
• Reduces panic from opaque decisions.
• Helps human operators validate true/false positives.
• Enables real-time override of incorrect shutdowns.

Challenges Without XAI:

• Black-box ML can misclassify harmless signals.
• Undocumented decisions cause operational chaos.
• Accountability and forensic analysis become difficult.

Proposed XAI Integration Model:

1. Layered Explanation System:

   • Fast, human-readable summaries (e.g., “Unusual sensor input after code deployment”).
   • Drill-down details (e.g., features, probability scores).

2. Edge AI with Local Explanation:

   • Lightweight interpretable models on device (e.g., autonomous cars).
   • Shows why an action was taken.

3. Human-in-the-Loop Verification:

   • Pauses critical responses for operator confirmation.
   • Escalation path if anomaly confidence is low.

4. Integration with Governance Dashboards:

   • Logs reasoning with timestamps.
   • Enables post-event analysis and ML model updates.

Impact:
Safer AI deployments, reduced shutdown risks, and increased transparency in life-critical systems.

Section A - Short Answer Questions (5 * 2 = 10 Marks)

1. Why does the lack of causal explainability in deep learning-based IDS models pose a regulatory risk in critical infrastructure?
Answer: Regulatory bodies require traceable and explainable decisions, especially in safety-critical systems; black-box models cannot justify actions, risking non-compliance and system shutdowns.

2. How does protocol mutation by attackers undermine deterministic detection engines in IPS?
Answer: Attackers manipulate protocol behavior (e.g., malformed headers) to bypass rule-based engines expecting strict RFC-compliance, evading detection.

3. What is the significance of “alert prioritization algorithms” in preventing threat overload in real-time SOCs?
Answer: They rank alerts by threat level and asset value, reducing analyst fatigue, focusing on high-impact risks, and ensuring timely incident response.

4. How does dynamic container scaling interfere with host-based IDS trace consistency?
Answer: Frequent creation/destruction of containers leads to inconsistent process IDs, ephemeral logs, and gaps in behavioral baselines, confusing host-based IDS.

5. Why is detection of time-slow attacks (e.g., low-and-slow DDoS or data exfiltration) fundamentally challenging for rate-based IPS?
Answer: These attacks operate below configured thresholds, exploiting temporal gaps in detection logic, making them appear like normal behavior over time.

Section B - Medium Answer Questions (4 * 4 = 16 Marks)

6. Propose a detection method for cross-VM side-channel attacks in cloud hypervisors using non-signature-based IDS logic.
Answer:

• Use performance counters to monitor cache/memory access anomalies.
• Build statistical baselines for each VM’s resource behavior.
• Detect timing and access pattern skews (e.g., Flush+Reload).
• Correlate across VMs via hypervisor-level ML-based anomaly scoring.

7. How does federated learning improve the generalizability of IDS across diverse edge networks while preserving data privacy?
Answer:

• Trains IDS models locally on each edge node without sharing raw data.
• Aggregates model updates centrally using secure aggregation.
• Maintains privacy, adapts to local attack patterns, and builds a general global model.
• Supports compliance with privacy laws (e.g., GDPR).

8. In zero-knowledge environments, how can IDS infer intent from encrypted payloads without compromising confidentiality?
Answer:

• Use metadata analysis: traffic timing, size, frequency, destination.
• Apply flow clustering and behavioral profiling.
• Combine with TLS fingerprinting and anomaly-based detection.
• No decryption needed; decisions based on context.

9. Design a vulnerability scoring strategy that adapts CVSS scores dynamically based on exploitability in a given deployment context.
Answer:

• Extend CVSS with context-aware factors:
  • Network exposure (e.g., internal vs. public-facing).
  • Asset criticality.
  • Compensating controls.
  • Real-time threat intel (e.g., active exploits in wild).
• Implement scoring algorithm:
  Adaptive Score = CVSS * Exposure Weight * Criticality * Exploit Likelihood.
• Prioritize remediation dynamically.

Section C - Long Answer Questions (1 * 8 = 8 Marks)

10. You are hired to secure a global IoT-based critical infrastructure (smart grid, healthcare, and autonomous transport). Architect a distributed, resilient IDS/IPS solution using swarm intelligence, fog computing, and reinforcement learning. Justify each design decision technically.
Answer:

Architecture Overview:

• Fog Layer IDS/IPS:

  • Deploy lightweight agents at edge/fog nodes near IoT devices.
  • Provides low-latency detection and isolation.

• Swarm Intelligence:

  • Each agent shares local observations (threat vectors) with peers.
  • Uses consensus mechanisms (e.g., Ant Colony Optimization) to detect coordinated attacks (e.g., botnets, DDoS).
  • Self-organizing, fault-tolerant, no central control.

• Reinforcement Learning:

  • Local agents learn optimal responses (e.g., block, isolate) by interacting with environment.
  • Rewards based on attack containment success, minimal disruption.
  • Shared learning models fine-tuned per vertical (grid, health, transport).

Justification:

• Fog Computing: Scales better than cloud for real-time IoT; reduces bandwidth load.
• Swarm Model: Enhances resilience and avoids single point of failure.
• RL-based Adaptation: Adapts to evolving threats in complex, device-diverse environments.
• Domain-Specific Policies: Healthcare prioritizes patient safety; transport prioritizes uptime.

11. Conduct a security impact analysis for the use of large language models (LLMs) in real-time intrusion detection and prevention. Evaluate both the augmentation and exploitation risks and suggest a secure integration framework.
Answer:

Augmentation Benefits:

• Contextual Log Analysis: LLMs can parse diverse logs and correlate across systems.
• Threat Hunting Automation: Generate hypotheses and detection rules from vague symptoms.
• Incident Response: Draft actionable responses and forensic summaries quickly.

Exploitation Risks:

• Prompt Injection Attacks: Malicious input may manipulate LLM logic.
• Hallucination: May produce plausible but false conclusions, leading to misdetections.
• Model Poisoning: Feeding biased or false data in RLHF cycles can degrade trust.

Secure Integration Framework:

1. Isolation: Run LLM in a sandboxed environment with rate limits and token filters.
2. Human-in-the-Loop: Use LLMs for advisory roles; analysts validate final actions.
3. Explainability Layer: Enforce reasoning tracebacks for all LLM suggestions.
4. Input Sanitization: Strip untrusted user content from LLM prompts.
5. Audit Logging: Store all prompts/responses for forensic review.
6. Zero-Trust Principles: LLM gets only role-specific access to data.

Conclusion: With strict safeguards, LLMs can significantly enhance IDS efficiency, but must be controlled to prevent misuse or manipulation.

Section A - 5 Marks Each (Short Answer Questions)

1. Compare Signature-based and Anomaly-based IDS models. Give examples and explain their working briefly.
Answer:

• Signature-based IDS: Detects attacks by matching traffic with known attack patterns (signatures).

  • Example: Snort
  • Working: It scans network traffic and compares it to a database of signatures. If a match is found, an alert is generated.
  • Advantage: High accuracy for known threats.
  • Limitation: Cannot detect new or unknown attacks.

• Anomaly-based IDS: Detects abnormal behavior by comparing current activity to a normal baseline.

  • Example: OSSEC
  • Working: It uses statistical or machine learning techniques to model normal behavior, and anything that deviates is flagged.
  • Advantage: Can detect zero-day attacks.
  • Limitation: Higher false positives due to dynamic normal behavior.

2. What is a Credentialed Vulnerability Scan? Explain its advantages and limitations with real-world relevance.
Answer:

• Definition: A credentialed vulnerability scan is performed using valid login credentials to access systems like an authenticated user.
• Advantages:
  • Deeper visibility into configuration, file system, registry, and patch levels.
  • Lower false positives.
  • Accurately simulates an insider perspective.
• Limitations:
  • Requires sensitive credentials that must be securely managed.
  • More complex to configure.
• Real-World Relevance:
  • Used by enterprises for compliance checks, ensuring that internal systems are properly secured against insider threats.

3. Explain the phases involved in the Intrusion Detection process with a neat flow diagram.
Answer:
Phases:

1. Data Collection: Gathers data from sources like network traffic, logs, and system events.
2. Preprocessing: Filters and normalizes data for analysis.
3. Detection Engine: Applies detection logic (signature or anomaly-based) to identify threats.
4. Alert Generation: Generates alerts for identified threats.
5. Response: Logs the event and triggers an appropriate action.

Diagram:

[Data Collection] → [Preprocessing] → [Detection Engine] → [Alert Generation] → [Response]
                                

Section B - 10 Marks Each (Detailed Answer Questions)

4. Explain the types of Intrusion Prevention Systems (IPS). How do they differ in placement and function? Support your answer with examples.
Answer:
Types of IPS:

1. Network-based IPS (NIPS):

   • Monitors traffic across entire network.
   • Placement: Between firewall and internal network.
   • Example: Cisco Firepower IPS.

2. Wireless IPS (WIPS):

   • Detects attacks in wireless environments (rogue access points).
   • Placement: Monitors wireless signals across premises.
   • Example: AirMagnet.

3. Host-based IPS (HIPS):

   • Installed on individual endpoints or servers.
   • Placement: Inside the operating system.
   • Example: OSSEC.

4. Network Behavior Analysis (NBA):

   • Detects anomalies in traffic flow patterns.
   • Placement: At a network aggregation point.
   • Example: Darktrace.

Differences in Placement and Function:

5. Define and compare Credentialed and Non-Credentialed Vulnerability Analysis. When should each be used? Support your answer with a table.
Answer:

Credentialed Vulnerability Analysis:

• Uses valid credentials to scan systems from within, like a trusted user.

Non-Credentialed Vulnerability Analysis:

• Scans from outside without login, mimicking an external attacker.

Usage Recommendation:

• Use credentialed scans for internal systems requiring compliance and in-depth analysis.
• Use non-credentialed scans for perimeter security checks and attacker simulations.

6. Discuss in detail the role of Machine Learning in IDS. Explain different approaches (Supervised, Unsupervised, Reinforcement) with examples.
Answer:

Role of Machine Learning in IDS:

• Enhances detection accuracy.
• Reduces false positives.
• Learns patterns of both normal and malicious behavior.

Approaches:

1. Supervised Learning:

   • Trained on labeled datasets (attack vs. normal).
   • Example: Decision Trees, SVM.
   • Use Case: Known attack detection.

2. Unsupervised Learning:

   • Finds anomalies in unlabeled data.
   • Example: K-Means, Isolation Forest.
   • Use Case: Detecting unknown threats.

3. Reinforcement Learning:

   • Learns from environment via rewards/punishments.
   • Example: IDS that adapts firewall rules based on feedback.
   • Use Case: Real-time adaptation to evolving threats.

Benefits:

• Scalability for large data environments.
• Ability to detect zero-day attacks.
• Automates threat classification and prioritization.

Challenges:

• Needs quality training data.
• Risk of adversarial attacks on models.
• Requires explainability for critical use-cases.

Section A - Short Answer Questions (2 * 5 = 10 Marks)

1. What are the key components of an IPS architecture? Explain the role of each briefly.
Answer:

1. Sensor: Captures and monitors network traffic for analysis.
2. Analysis Engine: Processes traffic to detect malicious activity using rules or patterns.
3. Signature/Rule Database: Stores known attack patterns for comparison.
4. Response Module: Takes action like blocking traffic or generating alerts.
5. Management Console: Provides interface for configuration, monitoring, and reporting.

2. Describe the steps involved in the Signature-Based Detection process model in IDS.
Answer:

1. Data Collection: Network or host activity is captured.
2. Preprocessing: Data is cleaned and formatted for analysis.
3. Signature Matching: Traffic is compared to known signatures in the database.
4. Alert Generation: An alert is triggered if a match is found.
5. Logging and Reporting: Events are logged and reports are generated for analysis.

3. List and explain any two evaluation metrics used to assess IDS models.
Answer:

1. True Positive Rate (TPR): Percentage of actual attacks correctly detected. High TPR means good detection ability.
2. False Positive Rate (FPR): Percentage of normal activities wrongly classified as attacks. Low FPR means fewer unnecessary alerts.

Section B - Long Answer Questions (1 * 10 = 10 Marks)

4. Explain in detail the working mechanism of an Intrusion Prevention System (IPS). How does it detect and respond to threats in real-time?
Answer:

• Traffic Inspection: IPS is placed inline and monitors all incoming/outgoing traffic.
• Detection Methods:
  • Signature-Based: Matches traffic to known patterns.
  • Anomaly-Based: Detects deviations from normal behavior.
  • Protocol Analysis: Checks for protocol misuse.
• Threat Identification: If malicious activity is detected, IPS takes immediate action.
• Response Mechanism:
  • Blocks packets or drops malicious connections.
  • Sends alerts and logs incidents.
• Real-time Operation: Enables immediate protection without human intervention.
• Examples: Cisco Firepower, Suricata.

Section C - Application-Based Questions (1 * 10 = 10 Marks)

6. You are assigned to secure a company’s network. How would you design a hybrid vulnerability scanning strategy using both credentialed and non-credentialed scans? Justify your approach.
Answer:
Hybrid Scanning Strategy:

• Credentialed Scans:

  • Used for internal systems.
  • Accesses deeper layers like OS, installed software, configurations.
  • Detects weak passwords, missing patches.

• Non-Credentialed Scans:

  • Used for external-facing systems.
  • Identifies open ports, exposed services.
  • Simulates attacker’s view.

Design Approach:

• Schedule regular credentialed scans during low-traffic periods.
• Run non-credentialed scans frequently on public servers.
• Use scan results to prioritize patching and hardening.
• Maintain separate scan reports for compliance and incident readiness.

Justification:
Combines internal depth with external perspective, ensuring comprehensive security coverage. Reduces risk from both insider threats and external attackers.