Name:______________________________     Alpha:________________________________ 

1. [4pts] Depending how to detect bad behaviors, there are two-different kinds of IDSes.
   
   _______________________________     _______________________________
2. [8pts] An IDS is based on the assumption that attacker behavior is (sufficiently) different from legitimate user behavior. However, in reality, there will be an overlap, so it's inevitable that IDSes have false positives and false negatives. Color the appropriate region in each of the pictures as instructed.

   Please, color (or circle) the potential false positive region:

   Please, Color (or circle) the potential false negative region:

3. [14pts] Consider a following scenario.

   There have been 10,000 events, among which 100 events were actual attacks. Suppose an IDS system that worked as follows:

   • It detected only 90 attacks (out of 100).
   • Furthermore, it additionally issued a false alarm 10 times.
   • What is the false positive ratio? Show your work.

   • What is the false negative ratio? Show your work.
4. [5pts] Suppose that there is an IDS system A with the following feature:
   • False positive rate: 0.2%
   • False negative rate: 0%
   Suppose that we receive 10,000 requests a day and 100 of them are actual attacks. What is the expected number of false alarms? Show your work.

5. [10pts] List the three requirements of a reference monitor.

   
     - 
     - 
     -
     

6. [10pts] Answer the following TRUE/FALSE questions.
   
   
   • TRUE/FALSE
     With ACLs, it is much easier to remove a subject, compared to capabilities.
     
   • TRUE/FALSE
     With capabilities, each object is associated with a list that specifies which subjects can access that object in which manner.
     
   • TRUE/FALSE
     BLP is a decretionary access control mechanism.
     
   • TRUE/FALSE
     With BLP, a subject with the top secret clearance can create an object labeled with secret.
     
   • TRUE/FALSE
     With BLP, a subject with the top secret clearance can read an object labeled with secret.
     
7. [4pts] The descriptions below are from "Security Engineering, 3rd ed". Choose the word from the box that best fits each description.

   Tempora      Prism        NotPetya      Muscular      Bullrun     
   Xkeyscore    Longhorn     Edgehill      DGA           Mirai
   

   • This worm used EternalBlue together with the Mimikatz tool that recovers passwords from Windows memory. It encrypted the infected computer's hard disk. It took down banks, telcos, and even the radiation monitoring systems at the former Chernobyl nuclear plant. FedEx also lost $300m. As of June 2017, this attack was recorded as by far the most damaging cyber-attack.
   • It is a family of botnets that exploit IoT devices. The first worm infected CCTV cameras that had been manufactured by Xiaomi and that had a known factory default password that couldn't be changed.