The primary conceptual advantage of an anomaly-based Intrusion Detection System (IDS) is its ability to identify unknown or "zero-day" attacks. Unlike signature-based systems that rely on a database of known attack patterns, an anomaly-based IDS first establishes a baseline of normal network or system behavior. It then monitors activity and flags any significant deviation from this baseline as a potential threat. This methodology allows it to detect novel attacks for which no signature exists, as the attack's behavior will likely differ from the established normal profile.

A. Produces less false positives: This is incorrect. Anomaly-based systems are known for producing a higher rate of false positives because benign, yet unusual, activities can be flagged as malicious deviations from the norm.

C. Requires vendor updates for a new threat: This is a characteristic of signature-based IDS. They depend on vendors to research new threats and distribute updated signature files to be able to detect them.

D. Cannot deal with encrypted network traffic: This is a challenge for most network-based IDS, regardless of whether they are anomaly-based or signature-based. Encrypted payloads obscure the data needed for analysis by both methods.

1. National Institute of Standards and Technology (NIST) Special Publication 800-94

Guide to Intrusion Detection and Prevention Systems (IDPS).

Section 2.2.2

Anomaly-Based Detection: "The primary benefit of anomaly-based detection is that it can be effective against previously unknown threats... A major drawback of anomaly-based detection approaches is the high false positive rate." This directly supports option B as correct and option A as incorrect.

Section 2.2.1

Signature-Based Detection: "The main drawback to signature-based approaches is that they can only detect attacks for which a signature has been developed." This supports the reasoning for why option C describes signature-based systems.

2. Garcia-Teodoro

P.

Diaz-Verdejo

J.

Maciá-Fernández

G.

& Vázquez

E. (2009). Anomaly-based network intrusion detection: Techniques

systems and challenges. Computers & Security

28(1-2)

18–28.

Section 1

Introduction (p. 19): "The main advantage of these systems [anomaly-based] is their ability to detect novel attacks against computer systems and networks... However

their main drawback is the high rate of false alarms they usually suffer." This publication corroborates that detecting unknown attacks is the key characteristic and that high false positives are a known issue. (DOI: https://doi.org/10.1016/j.cose.2008.08.003)

3. MIT OpenCourseWare

6.857 Computer and Network Security

Fall 2017. Lecture 15: Intrusion Detection.

The course materials frequently contrast the two methods

noting that signature-based systems are "Bad for zero-day exploits

" while anomaly-based systems "Can detect zero-day exploits." This aligns with the selection of option B. The materials also highlight that a disadvantage of anomaly detection is "High false alarm rate."

The Payment Card Industry Data Security Standard (PCI DSS) objective "Implement Strong Access Control Measures" focuses on ensuring that access to system components and cardholder data is restricted to authorized individuals. Requirement 8 of the PCI DSS, "Identify and authenticate access to system components," explicitly mandates assigning a unique ID to each person with computer access. This fundamental control ensures that every action on the network can be traced back to a specific, known user, which is a cornerstone of secure access management and accountability.

A. Regularly test security systems and processes.

This requirement falls under the PCI DSS objective "Regularly Monitor and Test Networks," which focuses on vulnerability scanning, penetration testing, and intrusion detection/prevention.

B. Encrypt transmission of cardholder data across open, public networks.

This is a requirement under the objective "Protect Cardholder Data," which deals with safeguarding data both at rest (storage) and in transit using strong cryptography.

D. Use and regularly update anti-virus software on all systems commonly affected by malware.

This requirement is part of the objective "Maintain a Vulnerability Management Program," which includes protecting systems against malware and ensuring security patches are applied.

1. PCI Security Standards Council. (2022). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures

Version 4.0. Page 11

"PCI DSS Goals and Requirements" table.

Goal: Implement Strong Access Control Measures: This goal encompasses Requirement 8

"Identify Users and Authenticate Access to System Components." Requirement 8.2.1 specifically states

"Assign all users a unique ID before allowing them to access system components or cardholder data

" directly supporting option C.

The same table maps the other options to their respective goals: Requirement 11 ("Test Security of Systems and Networks Regularly") to "Regularly Monitor and Test Networks" (Option A); Requirement 4 to "Protect Cardholder Data" (Option B); and Requirement 5 ("Protect All Systems and Networks from Malicious Software") to "Maintain a Vulnerability Management Program" (Option D).

2. Cornell University. (n.d.). IT@Cornell Policy Office: PCI DSS Requirements. Cornell University. Retrieved from https://it.cornell.edu/policy/pci-dss-requirements

This university resource outlines the 12 PCI DSS requirements grouped by the six control objectives. It explicitly lists "Assign a unique ID to each person with computer access" under Goal 4: "Implement Strong Access Control Measures."

The command enum -U -d -u administrator -p 192.168.1.105 is being executed against a machine with an active SMB port (445). The flags indicate a specific attack vector. The -u administrator flag explicitly targets the "administrator" user account. The -p flag is conventionally used to specify a password or a password file/list, and the -d flag likely signifies a "dictionary" attack mode. Therefore, Eve is attempting to use a dictionary of common passwords to guess the administrator account's password. This process is a form of password cracking aimed at gaining unauthorized access.

A. Eve is trying to connect as a user with Administrator privileges:

The enum tool is primarily for enumeration and testing, not for establishing a persistent connection or interactive shell, which tools like psexec or smbclient are used for.

B. Eve is trying to enumerate all users with Administrative privileges:

The command targets a single, specific user (-u administrator), not a group. Enumerating a group's members would require different syntax, typically targeting the "Administrators" group.

D. Eve is trying to escalate privilege of the null user to that of Administrator:

This is an initial access attempt on a known account. It is not an attempt to elevate the privileges of an unauthenticated null session, which is a different technique.

1. Ric Messier

CEH v11 Certified Ethical Hacker Study Guide

Wiley

2021. Chapter 5

"Enumeration

" discusses how

after enumerating usernames via SMB

an attacker's next step is often to attempt to crack passwords for those discovered accounts. The command shown is a stylized representation of this password attack phase.

2. Dakota State University

CSC 443/543: Ethical Hacking & Countermeasures

Lab 07 - Enumeration. This lab exercise outlines the standard penetration testing methodology where enum4linux is first used to enumerate users

and then a tool like Hydra is used to perform a dictionary attack against discovered accounts (e.g.

hydra -L users.txt -P pass.txt smb). The question's scenario directly mirrors this process.

3. Stallings

W.

& Brown

L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. In Chapter 8.2

"Password Cracking

" the text describes dictionary attacks as a common method where an attacker uses a list of likely passwords to guess a user's credentials against a network service.

The AndroidManifest.xml file is a mandatory component of every Android application. It resides in the root directory of the application package (APK). The Android operating system and build tools rely on this file to understand the application's structure and requirements before any code is executed. It declares the fundamental components of the application, such as its activities, services, broadcast receivers, and content providers. Additionally, it specifies the permissions the application requires and the hardware or software features it needs, making it the central configuration file.

B. APK.info: This is not a standard or recognized file within the Android application package structure; it is a fabricated name.

C. resources.asrc: This file contains the application's precompiled resources (e.g., strings, layouts, styles) in a binary format, not the declaration of its core components.

D. classes.dex: This file contains the application's source code compiled into the Dalvik Executable (DEX) format, which is executed by the Android Runtime (ART).

1. Official Vendor Documentation: Google. (n.d.). App manifest overview. Android Developers. Retrieved from https://developer.android.com/guide/topics/manifest/app-manifest.

Reference Specifics: The first paragraph explicitly states

"Every app project must have an AndroidManifest.xml file... The manifest file describes essential information about your app to the Android build tools

the Android operating system

and Google Play." The section "App components" further details that the manifest is used to declare activities

services

broadcast receivers

and content providers.

2. University Courseware: Zeldovich

N. (2014). Lecture 15: Mobile (Android) Security. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014.

Reference Specifics: Slide 10

"Android application structure

" identifies AndroidManifest.xml as the file that "Declares components

permissions

etc." for the application.

3. Peer-reviewed Academic Publication: Zhou

Y.

& Jiang

X. (2012). Dissecting Android Malware: Characterization and Evolution. 2012 IEEE Symposium on Security and Privacy

95-109. https://doi.org/10.1109/SP.2012.16

Reference Specifics: Section II-A

"Android Application Structure

" states: "Each Android application must have a manifest file

named AndroidManifest.xml

to declare its components (i.e.

activities

services

content providers and broadcast receivers)

permissions

and other facilities..."

This command sequence outlines a logical, albeit syntactically imperfect, method for web page link extraction using standard Linux tools. The process begins with wget to retrieve the HTML source code of the target website's main page. The output is then piped to grep, which first filters the HTML to isolate lines containing anchor tags (<a href=...) that define hyperlinks. A second grep command further refines this output to display only those links that contain the target domain name ("site.com"), effectively grabbing the relevant links as requested. Among the given options, this pipe represents the most conceptually correct workflow for the task.

A. dirb is a web content scanner used to discover hidden files and directories through brute-force, not for parsing the content of a known page.

B. This command contains multiple syntactical errors and uses a nonsensical delimiter ("V") with the cut command, which would fail to correctly parse and extract URLs.

D. This option is completely non-functional due to multiple syntax errors, such as the missing space after wget and the malformed cut command.

---

1. GNU Wget 1.21.2 Manual

Section 3.3 "Logging and Input File Options": The manual specifies the use of -O - or --output-document=- to direct the downloaded content to standard output

which is necessary for piping to other commands like grep. This confirms wget is a tool for downloading content

which is the first step in the correct option's logic.

Reference: https://www.gnu.org/software/wget/manual/wget.html#Logging-and-Input-File-Options

2. GNU Grep 3.7 Manual

Section 1.1 "What is Grep?": The grep manual describes its function as searching for lines that match a given pattern. This supports its use in the correct answer for filtering the HTML output from wget to find lines containing tags.

Reference: https://www.gnu.org/software/grep/manual/grep.html#What-is-Grep003f

3. MIT Missing Semester of Your CS Education

Lecture 2 "Shell Tools and Scripting": This university courseware details the use of core utilities and piping (|) to chain commands. It explains how tools like curl or wget can be used to fetch web data

and grep can be used to process that data

validating the fundamental structure of the command pipeline presented in the correct answer.

Reference: https://missing.csail.mit.edu/2020/shell-tools/ (See section on curl

grep

and pipes).

The nslookup utility in Windows can be used to perform a DNS zone transfer by using the ls subcommand. The command ls -d sends a request to the configured DNS server for a full zone transfer (AXFR), which lists all DNS records for the specified domain. In this scenario, after setting the server to 192.168.10.2 (using the server 192.168.10.2 command), the command ls -d abccorp.local would be used. Option B contains a common typo (is instead of ls), but it represents the correct command structure for this task.

A. list server=192.168.10.2 type=all is syntactically incorrect. The nslookup utility does not use keyword arguments like server= or type=.

C. Iserver 192.168.10.2-t all is syntactically incorrect. lserver (assuming Iserver is a typo) sets a server, but the -t option is used with the ls command, not lserver.

D. List domain=Abccorp.local type=zone is syntactically incorrect. nslookup does not accept parameters in the key=value format for the ls command.

1. Microsoft Corporation

"nslookup ls" documentation. This official vendor documentation details the ls subcommand for nslookup. It specifies the syntax ls [option] and describes the -d option as "Lists all records for the domain

" which is the function that initiates a zone transfer request.

Source: Microsoft Learn

nslookup ls command documentation. (Specific page: The official documentation page for the nslookup ls subcommand on the Microsoft Learn website).

2. University of Washington

CSE 484: Computer Security

Lab 1. This university courseware provides practical exercises on network reconnaissance. The lab instructions for DNS enumeration explicitly guide students to use nslookup

set the server

and then use the ls -d command to attempt a zone transfer and list all hostnames.

Source: University of Washington

Paul G. Allen School of Computer Science & Engineering

CSE 484

Lab 1: "Network Reconnaissance & Security Auditing

" DNS Enumeration section.

3. Purdue University

CS 42600: Computer Security

Lecture Notes. Course materials on network security often cover DNS vulnerabilities. Lecture notes describe DNS zone transfers as a method for reconnaissance and identify nslookup with the ls -d command as a primary tool for attempting this on Windows systems.

Source: Purdue University

Department of Computer Science

CS 42600

Lecture notes on "Network Security

" DNS Security section.

The statement is incorrect. In the Domain Name System (DNS), the priority for a Mail Exchanger (MX) record is determined by a preference number, where a lower numerical value indicates a higher priority. When a mail transfer agent (MTA) looks up the MX records for a domain to deliver an email, it will attempt to connect to the mail server with the lowest preference number first. If that server is unavailable, it will then try the server with the next-lowest preference number, and so on.

The statement "MX record priority increases as the number increases" is the direct opposite of how the protocol is defined and implemented. A higher preference number signifies a lower priority and is typically assigned to backup or secondary mail servers that should only be used if the primary servers (with lower numbers) are unreachable.

1. Internet Engineering Task Force (IETF) RFC 5321

"Simple Mail Transfer Protocol"

Section 5.1: This document

which obsoletes the earlier RFC 2821

defines the standard for SMTP. It states

"The MX mechanism provides a way to rank mail servers... A mail server with a lower preference number is said to be 'more preferred' or 'of higher priority'."

2. Internet Engineering Task Force (IETF) RFC 1035

"Domain Names - Implementation and Specification"

Section 3.3.9: This is the foundational document for DNS. In defining the MX record data format

it specifies a 16-bit integer for preference and states: "A 16 bit integer which specifies the preference given to this RR [Resource Record] among others at the same owner. Lower values are preferred."

3. University of California

Berkeley

EECS Courseware

"CS 168

Introduction to the Internet: Architecture and Protocols"

Lecture 16: Naming (DNS): Course materials for foundational networking classes at reputable universities consistently describe this behavior. Lecture notes explain that the MX record includes a preference field

and mailers must try the server with the lowest preference value first. This is a standard and fundamental concept of DNS operation for mail routing.

IoTSeeker is an open-source tool specifically designed to perform network scans to discover various types of Internet of Things (IoT) devices. Its primary function is to test whether these discovered devices are still using their default, factory-set credentials. This aligns perfectly with the scenario where John, the hacker, is using an automated tool to find IoT devices on the CyberSol Inc. network that are vulnerable due to default credentials. The tool's purpose is explicitly for security auditing and penetration testing of IoT devices.

B. IoT Inspector: This is a tool primarily for end-users to monitor their own network, analyzing traffic from their IoT devices to identify potential privacy and security risks, not for offensive scanning of external networks.

C. AT&T IoT Platform: This is a commercial, cloud-based service offered by AT&T for businesses to manage, connect, and scale their own IoT deployments. It is a management platform, not a hacking tool.

D. Azure IoT Central: This is a Microsoft cloud service (aPaaS) that enables users to build, manage, and maintain commercial-grade IoT solutions. It is a development and management platform, not a security scanning tool.

1. Bamakan

S. M. H.

Moghaddam

M.

& Niyato

D. (2020). Scanning the Scanners: A Survey of Tools for Discovering Vulnerable IoT Devices. IEEE Communications Surveys & Tutorials

22(1)

536-563. In Table IV on page 545

IoTSeeker is listed with the description: "Detects specific IoT devices and checks for default credentials." DOI: https://doi.org/10.1109/COMST.2019.2945518

2. Sharma

S.

& Gupta

M. (2020). A Review on IoT Security Tools. 2020 4th International Conference on Intelligent Computing and Control Systems (ICICCS)

1118-1123. The paper describes IoTSeeker as a tool that "scans a network for specific types of IoT devices to detect if they are using the default

factory-set credentials." DOI: https://doi.org/10.1109/ICICCS48265.2020.9121049

3. Hassan

W. H. (2019). Current research on Internet of Things (IoT) security: A survey. Computer Networks

148

283-294. This survey discusses vulnerabilities in IoT

including default credentials

and mentions tools used to discover such weaknesses

categorizing tools like IoTSeeker as scanners for identifying misconfigurations. DOI: https://doi.org/10.1016/j.comnet.2018.11.025

The network address is 10.1.4.0 with a /23 CIDR notation, which corresponds to a subnet mask of 255.255.254.0. This subnet includes all IP addresses from 10.1.4.0 to 10.1.5.255. The range of usable host addresses is 10.1.4.1 to 10.1.5.254.

The DHCP server is configured to lease the last 100 usable IP addresses. To find this range, we start from the last usable address (10.1.5.254) and count back 100 addresses. This defines the DHCP lease pool as 10.1.5.155 to 10.1.5.254. From the options provided, only 10.1.5.200 falls within this specific range.

A. 210.1.55.200: This is a public IP address and is not part of the specified 10.0.0.0/8 private network range.

B. 10.1.4.254: This address is valid within the subnet but is not part of the configured DHCP scope for the last 100 usable IPs.

D. 10.1.4.156: This address is valid within the subnet but is not part of the configured DHCP scope for the last 100 usable IPs.

1. Postel

J.

& Mogul

J. (1985). RFC 950: Internet Standard Subnetting Procedure. IETF. Section 2.1 details the interpretation of IP addresses with subnet masks to determine network and host portions.

2. Rekhter

Y.

Moskowitz

B.

Karrenberg

D.

de Groot

G. J.

& Lear

E. (1996). RFC 1918: Address Allocation for Private Internets. IETF. Section 3 specifies the 10.0.0.0/8 private address block.

3. Droms

R. (1997). RFC 2131: Dynamic Host Configuration Protocol. IETF. Section 2.2 discusses the allocation mechanism where a server selects an address from a pool of available addresses for a client.

4. Dordal

P. L. (2019). An Introduction to Computer Networks. Loyola University Chicago

Department of Computer Science. Chapter 9.3

"IP Subnets

" pp. 325-330. This university text explains the calculation of subnet ranges

network addresses

and broadcast addresses.

This technique is known as a fragmented packet scan. It deliberately splits the TCP header of a probe packet (e.g., a SYN or FIN packet) across multiple, smaller IP fragments. The objective is to evade detection by simple packet-filtering firewalls or older Intrusion Detection Systems (IDS). These security devices may only inspect the first fragment of a packet stream for rule matching. Since the TCP flags and port numbers are in subsequent fragments, the device fails to identify the scan's nature and may allow the packets to pass. The target host reassembles the fragments and processes the complete TCP packet, sending a response that reveals the port's state to the attacker.

A. ACK flag probe scanning: This scan sends TCP packets with only the ACK flag set to map firewall rules; it does not inherently rely on fragmentation for evasion.

B. ICMP Echo scanning: This is a "ping scan" that uses the ICMP protocol, not TCP. It does not involve splitting TCP headers.

D. IPID scanning: This is an advanced idle scan that uses a third-party "zombie" host to infer port states by observing IPID sequence changes, not by fragmenting packets.

1. Official Vendor Documentation (Nmap): The Nmap Reference Guide

a tool central to ethical hacking

explicitly describes this technique with its -f option. It states

"The -f option causes the requested scan...to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters

intrusion detection systems

and other annoyances to detect what you are doing."

Source: Nmap Reference Guide

Section: "Firewall/IDS Evasion and Spoofing".

2. Academic Publication: The foundational paper on IDS evasion techniques discusses fragmentation as a primary method for bypassing network security controls. The authors explain how attackers can exploit the reassembly policies of end hosts versus the IDS.

Source: Ptacek

T. H.

& Newsham

T. N. (1998). Insertion

Evasion

and Denial of Service: Eluding Network Intrusion Detection. Secure Networks

Inc. Section 3.2

"Fragmentation."

3. University Courseware: Reputable computer science programs cover fragmentation as a classic network security evasion technique. Lecture materials explain how splitting headers across fragments can bypass stateless firewalls that do not perform full packet reassembly.

Source: University of California

Berkeley. CS 161: Computer Security. Lecture 14

"Network Security

" slide on "Evasion."