Читать книгу Intelligent Security Systems - Leon Reznik - Страница 17
I.5 Glossary of Basic Terms
ОглавлениеThis section lists standard terms used within the book and where to learn more about them.
| Term | Additional term | Definition | Definition source | Book section to learn more | Example |
|---|---|---|---|---|---|
| Offense | |||||
| Attack | Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. | NIST SP 800‐12; | 1.4 | ||
| Cyber attack | An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. | NIST SP 800‐30 Rev. 1 | 5.1.5 | ||
| Advanced persistent threat (APT) | An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g. cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives. | NIST SP 800‐39 | 1,6 | ||
| Adversarial machine learning (AML) | AML is concerned with the design of ML algorithms that can resist security challenges, the study of the capabilities of attackers, and the understanding of attack consequences. | NISTIR 8269 (DRAFT) | 6 | ||
| Attack signature | A specific sequence of events indicative of an unauthorized access attempt. | NIST SP 800‐12 Rev. 1; | 4.5 | ||
| Brute force | A method of accessing an obstructed device by attempting multiple combinations of numeric/alphanumeric passwords. | NIST 800‐101 | 5.1.5.2 | ||
| Colluded applications | Attack performed by two or more cooperating applications, when an application that individually incorporates only harmless permissions expends them by sending and receiving requests to a collaborating application. | 5.1.8 | |||
| Denial of Service | The prevention of authorized access to resources or the delaying of time‐critical operations. (Time‐critical may be milliseconds or it may be hours, depending upon the service provided.) | NIST 800‐12 | 5.1.5.2 | Ex. 5.4 | |
| Eavesdropping | An attack in which an attacker listens passively to the authentication protocol to capture information that can be used in a subsequent active attack to masquerade as the claimant. | NIST 800‐63‐3 | 5.1.5.2 | ||
| Impersonation | A scenario where the attacker impersonates the verifier in an authentication protocol, usually to capture information that can be used to masquerade as a claimant to the real verifier. | NIST 800‐63‐2 | 5.1.5.2 | ||
| Phishing | Fraudulent attempt to obtain sensitive information or data by impersonating oneself as a trustworthy entity in a digital communication. | 5.1.5.2 | Ex. 5.3 | ||
| Spoofing | Faking the sending address of a transmission to gain illegal entry into a secure system. | CNSSI 4009‐2015 | 5.1.5.2. | Ex. 5.7 | |
| Website fingerprinting | Attack that allows an adversary to learn information about a user's web browsing activity by recognizing patterns in his traffic. | 5.4.2 | Ex. 5.8 | ||
| Zero day | An attack that exploits a previously unknown hardware, firmware, or software vulnerability. | CNSSI 4009‐2015 | 5.1.5.3 | ||
| Cyber crime | Criminal activities carried out by means of computers or the Internet. | 1.1 | Ex. 5.2 | ||
| Hacker | Unauthorized user who attempts to or gains access to an information system. | NIST SP 800‐12 | 5.1 | Ex. 5.1, 5.2 | |
| Malware | Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. | NIST SP 800‐12 | 4 | ||
| Adware | Software that automatically displays or downloads advertising material (often unwanted) when a user is online. | 4.2.6 | Ex.4.11 | ||
| Botnet | Attack conducted with the help of more traditional malware types, such as worms and Trojans. | 4.2.9 | Ex.4.15, 4.16, | ||
| Ransomware | Type of malware, which prevents users from accessing their system functionality or data, either by locking the system's screen or by locking the users' files unless a ransom is paid. | 1.3, 4.2.7 | Ex. 1.3, 1.4, 4.12, 4.13 | ||
| Rootkit | A set of tools used by an attacker after gaining root‐level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root‐level access to the host through covert means. | NIST SP 800‐150 | 4.2.8 | Ex. 4.14 | |
| Spyware | Software that is secretly or surreptitiously installed into a system to gather information on individuals or organizations without their knowledge; a type of malicious code. | NIST SP 800‐12 1.3 | 4.2.5 | Ex.4.10 | |
| Trojan horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. | NIST SP 800‐12 | 4.2.4 | Ex.4.9 | |
| Virus | A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use email programs to spread itself to other computers, or even erase everything on a hard disk. | NIST 800‐12 | 4.2.2 | Ex. 4.3, 4.4, 4.5, 4.6 | |
| Worm | A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. | NIST 800‐82 | 4.2.3 | Ex.4.1, 4.2, 4.7, 4.8 | |
| Risk | The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or a system. | NIST 800‐12 | 1.3 | ||
| Spam | Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. | NIST 800‐12 | 4.3 | ||
| Threat | Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. | NIST 800‐12 | 1.2 | ||
| Destruction | The process of overwriting, erasing, or physically destroying information (e.g. a cryptographic key) so that it cannot be recovered. | NIST 800‐88 | |||
| Disclosure | Divulging of, or provision of access to, data. | NISTIR 8053 | |||
| Unauthorized access | A person gains logical or physical access without permission to a network, system, application, data, or other resource. | NIST 800‐82 | 1.3 | Ex. 5.2 | |
| Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. | NIST 800‐53 | 4.4. | Ex. 4.17, 4.18 | |
| Defense | |||||
| Computer security or Cybersecurity | The ability to protect or defend the use of cyberspace from cyberattacks. | NISTIR 8170 under Cybersecurity CNSSI 4009 | 1.1 | ||
| Computer security policy | Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g. remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology‐independent. | NIST 800‐82 | 1.1 | ||
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | NIST 800‐53 | 1.2 | ||
| Integrity | Guarding against improper information modification or destruction, and includes ensuring information non‐repudiation and authenticity. | NIST 800‐53 | 1.2 | ||
| Availability | Ensuring timely and reliable access to and use of information. | NIST 800‐53 | 1.2 | ||
| Firewall | A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures. | NIST SP 800‐41 Rev. 1 | 2 | ||
| Application proxy | A firewall capability that combines lower‐layer access control with upper layer‐functionality, and includes a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other. | NIST 800‐41 | 2.2, 2.3 | ||
| Demilitarized zone (DMZ) | An interface on a routing firewall that is similar to the interfaces found on the firewall’s protected side. Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall and can have firewall protection policies applied. | NIST 800‐41 | 2.1, 2.3 | ||
| Network address translation(NAT) | A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema. | NIST 800‐41 | 2.2 | ||
| Packet filter | A routing device that provides access control functionality for host addresses and communication sessions. | NIST 800‐41 | 2.2, 2.3 | ||
| Stateful inspection | Packet filtering that also tracks the state of connections and blocks packets that deviate from the expected state. | NIST 800‐41 | 2.2, 2.3 | ||
| Virtual Private Network (VPN) | Protected information system link utilizing tunneling, security controls, and endpoint address translation giving the impression of a dedicated line. | NIST 800‐53 | 2.1, 2.3 | ||
| Intrusion detection system (IDS) | A security service that monitors and analyzes network or system events for the purpose of finding, and providing real‐time or near real‐time warning of, attempts to access system resources in an unauthorized manner. | NIST 800‐82 | 3 | ||
| Intrusion protection system (IPS) | A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets. | NIST 800‐82 | |||
| Rule set | A collection of rules or signatures that network traffic or system activity is compared against to determine an action to take –such as forwarding or rejecting a packet, creating an alert, or allowing a system event. | NIST 800‐115 | Ex. 3.1. | ||
| False negative or Missing attack | Incorrectly classifying malicious activity as benign. | NIST 800‐83 | 3.5 | ||
| False positive or False alarm | Incorrectly classifying benign activity as malicious. | 3.5 | |||
| User authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. | NIST 800‐53 | 5.3 | ||
| Techniques and Technologies | |||||
| Internet | The single interconnected worldwide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the Internet Architecture Board (IAB) and the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN). | NIST SP 800‐82 Rev. 2 RFC 4949 | |||
| Algorithm | Formulae given to a computer in order for it to complete a task (i.e. a set of rules for a computer). | ||||
| Conventional Techniques | |||||
| String pattern search | Aho–Corasick | Dictionary‐matching algorithm that locates elements of a finite set of strings (the “dictionary”) within an input text and attempts to match all strings simultaneously. | Ex. 4.20. | ||
| Boyer and Moore | An efficient string‐searching algorithm that is the standard benchmark for practical string‐search literature. | Alg 3.4 | |||
| Knuth, Pratt, and Morris | Algorithm, which checks the characters from left to right, and when a pattern has a sub‐pattern that appears more than one in the sub‐pattern, it uses that property to improve the time complexity. | Alg 3.2 | |||
| Naïve (brute force) | Very general problem‐solving technique and algorithmic paradigm that consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. | Alg 3.1 | |||
| Rabin and Karp | A string‐searching algorithm that uses hashing to find patterns in strings. | Alg 3.3. | |||
| AI, ML, and Data Science Artificialintelligence(AI) | Interdisciplinary field, usually regarded as a branch of computer science, dealing with models and systems for the performance of functions generally associated with human intelligence, such as reasoning and learning. | 1.5.2. | |||
| Fuzzy logic | Form of logic, which is much closer to human thinking logic and a natural language than traditional binary logic. | 1.5.6, 5.2.4 | |||
| Expert systems | Intelligent computer program that uses knowledge and inference procedures to solve problems that are difficult enough to require significant human expertise for their solution. | 1.5.5, 2.5, 5.2.4 | |||
| Knowledge‐based | A knowledge‐based system is a computer program that reasons and uses a knowledge base to solve complex problems. | 1.5.5, 2.5 | Ex. 3.1 | ||
| Artificial neural networks | A computing system, made up of a number of simple, highly interconnected processing elements, which processes information by its dynamic state response to external inputs. | 1.5.8, 3.6.5 | |||
| Autoencoders | The model that aims to reconstruct data from the input layer into the output layer with a minimal amount of distortion. | ||||
| Backpropagation | Shorthand for “backward propagation of errors,” is a method of training ANN where the system’s initial output is compared to the desired output, then adjusted until the difference (between outputs) becomes minimal. | 1.5.8 | |||
| Convolutional | Multilayer topology with a few hidden layers, where each neuron receives its input only from a subset of neurons of the previous layer. | 1.5.8, 5.4.2, 6.5.2 | Ex.5.8 | ||
| Deep belief | Composition of Restricted Boltzmann Machines (RBM), a class of neural networks with no output layer. | 1.5.8 | |||
| Generative adversarial networks (GAN) | Unsupervised learning technique that is capable to generate data with selected properties similar to a dataset of our choice. | 6.5 | |||
| Long Short Term Memory | Special type of recurrent topology, which has memory cells that maintain information in memory for a longer period. | 5.1.8.3 | |||
| Multilayer perceptron (MLP) | An ANN model, in which neurons compose a layer and layers are connected between each other creating an ANN with certain connectivity organization rules to follow up. | 3.6.5.3, 4.6.3 | Ex 4.22 | ||
| Modified time‐based multilayer perceptron (MTBMLP) | ANN topology that consists of multiple time‐based MLPs, all connected to a single‐end MLP, with time series used as inputs. | 3.6.5.3, 4.6.3 | Ex. 4.22 | ||
| Radial basis function (RBF) | ANN that uses radial basis functions as activation functions, producing an output, which is a linear combination of radial basis functions of the inputs and neuron parameters. | 3.6.5.3 | |||
| Recurrent | A multilayer topology, which includes the feedback loop that connects its output to the inputs. | 1.5.8, 5.1.8.3 | |||
| Data science | The field that combines domain expertise, programming skills, and knowledge of mathematics and statistics to extract meaningful insights from data. | 1.5.3. | |||
| Machine learning | A subfield of AI that comprises the study of algorithms which have a capability to improve themselves automatically through experience to solve problems without external instructions, by using previously trained models. | 1.5.3. | |||
| Intelligent agents | Autonomous entity, which acts, directing its activity toward achieving goals, upon an environment using observation through sensors and consequent actuators. | 3.6.5.4 | |||
| Deep learning | Machine learning method based on characterization of data learning. | 1.5.3 | |||
| Reinforcement learning | Algorithms, in which an agent decides what to do to perform the given task to maximize the given function. | 1.5.7 | |||
| Shallow learning | Techniques that separate the process of feature extraction from learning itself. | 3.6.5.1 | |||
| Supervised learning | Algorithms, which develop a mathematical model from the input data and known desired outputs. | 1.5.7 | Alg. 1.1. | ||
| Unsupervised learning | Algorithms, which take a set of data consisting only of inputs and then they attempt to cluster the data objects based on the similarities or dissimilarities in them. | 1.5.7. | Alg. 1.2. | ||
| Decision tree | Tree‐structure resembling a flowchart, where every node represents a test to an attribute, each branch represents the possible outcomes of that test, and the leaves represent the class labels. | ||||
| J48 | Open source Java implementation of the C4.5 algorithm that builds decision trees from a set of training data using the concept of information entropy. | 6.6.4 | |||
| Genetic/evolutionary algorithms | Set of evolutionary algorithms, which take an inspiration from genetic evolution theories. | 3.6.4, 3.6.5.4 | Alg. 1.3 | ||
| Hidden Markov models | Algorithm that builds up a set of states producing outputs with different probabilities with the goal to find out the sequence of states that results in the observed outputs. | ||||
| K‐means | Clustering algorithm that uses a distance function to distribute all data pieces between k clusters defined by their centroid position in the feature space. | 3.6.2 | |||
| K‐nearest neighbor | Classification algorithm that uses a distance function in order to determine to which class to assign the new element by finding K closest elements in the feature space. | 3.6.3, 5.3.5.4 | |||
| Naive Bayes | Algorithm that consists of applying the Bayes theorem in order to find a distribution of conditional probabilities among class labels, with the assumption of independence between features. | ||||
| Random forest | An ensemble learning method that builds a large group of independent decision trees, and outputs the mode of the label predictions of all the trees. | 6.6.4 | Sec.6.6.4 | ||
| Support vector machine | Binary classification algorithm that creates a hyper plane that separates the data into two classes with the objective to maximize the gap perpendicular to the plane, allowing better generalization. |
Please note: I realize that there exist various definitions and even understandings of these terms’ meaning. I have chosen to follow up the definitions given in the publications of the NIST Computer Security Resource Center (see https://csrc.nist.gov/glossary), first (see Section I.6) and then proceed with others (see Section I.7). Even those publications are ambiguous in some cases and provide different meanings too. I have chosen ones, which are followed up in this book. I do not intend to make this list all inclusive or exclusive.
