CS6250 Module 9 Practice Exam Guide
2026
1. What are the properties of secure communication?
  Confidentiality
  Integrity
  Authentication
  Availability
2. Round Robin DNS
  Each time the DNS server is queried, it moves the IP address it most recently responded with to the back of the queue, operating on a loop.
  Used by large websites to distribute the load of incoming requests.
  (larger TTL)
3. DNS-based content delivery
  When accessing the name of the service using DNS, the CDN computes the 'nearest edge server' and returns its IP address to the DNS client. It determines the nearest server, which results in the content being moved 'closer' to the DNS client, which increases responsiveness and availability.
  (lower TTL)
4. Fast-Flux Service Networks
  Based on a rapid change in DNS answers, in order to prevent spammers from injecting bad IP addresses into the DNS resolution lifecycle
  (lowest TTL)
5. What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?
  1. Botnet command and control providers:
  2. Drive-by-download hosting providers: a drive-by download is a method of malware installation without user interaction. It occurs when the victim visits a web page that contains an exploit for the browser.
  3. Phish hosting providers: This data source contains URLs of servers that host phishing pages.
6. Key difference between rogue and legitimate networks
  Legitimate networks are usually able to remove the malicious content within a few days, whereas rogue networks may let the content be up for weeks to more than a year!
7. ASwatch
  Uses information exclusively from the control plane (i.e., routing behavior) to identify malicious networks. Based on monitoring global BGP routing activity to learn the control plane behavior of a network.
8. Phase 1 of ASwatch: Training phase
  ASwatch learns the control-plane behavior of a normal AS and a malicious one and learns to differentiate between them.
9. Phase 2 of ASwatch: Operational phase
  ASwatch takes an unknown AS and calculates the features for it, assigning it a reputation score.
10. What are 3 classes of features used to determine the likelihood of a security breach within an organization?
  1) Rewiring activity - changes in the AS connecting activity; multiple changes in providers / customers look suspicious
  2) IP Space Fragmentation and Churn - inspects advertised prefixes of an autonomous system. Malicious ASes are likely to use small BGP prefixes to partition their IP address space and only expose a small section of them
  3) BGP Routing Dynamics - tracks announcements and withdrawals, which usually follow different patterns for malicious ASes
11. How to infer network reputation
  1. Mismanagement Symptoms -
  2. Malicious Activities
  (Random Forest)