Lec1 2

The document outlines a cybersecurity course focused on the increasing threats posed by cyberattacks, particularly in the context of small businesses and the rise of cybercrime since COVID-19. It covers key concepts such as the CIA Triad (Confidentiality, Integrity, Availability), common types of cyber threats, and the importance of cybersecurity in protecting sensitive information and maintaining business continuity. The course aims to equip students with the knowledge to identify threats, vulnerabilities, and risks, as well as to understand the evolving cyber threat landscape.

Uploaded by

Amina Ibrahim
Copyright: © All Rights Reserved

I3336

Cybersecurity

Spring 2026

Dr. Abdallah Dabboussi

1/27/2025 Applied ML for Cybersecurity

Motivation
• Hacker attack every 39 seconds
• Most companies take nearly 6 months to detect a data breach
• 43% of cyber attacks target small business
• Since COVID-19, the US FBI reported a 300% increase in reported cybercrimes

Today’s Outline:

[Link] 1: Introduction to Cybersecurity
  [Link] & Evolution
  [Link] Concepts & Terminology
[Link] 3: The Cyber Threat Landscape
  Threats, Vulnerabilities, & Risk
  Attack Surfaces & Vectors
3. Q&A & Discussion

❖ By the end, you will be able to:
• Define core cybersecurity terms
• Explain the evolution of cyber threats
• Differentiate between threats, vulnerabilities, and risks
• Identify common attack surfaces
Learning Objectives
After studying this material, you should be able to:

Understand the CIA Triad
Describe the key security requirements of confidentiality, integrity, and availability that form the foundation of computer security.

Identify Security Threats
Discuss the types of security threats and attacks that must be addressed and provide examples of threats that apply to different categories of computer and network assets.

Apply Security Requirements
Summarize the functional requirements for computer security and how they're implemented in real-world systems.
Cybersecurity: Protecting Our Digital World
Cybersecurity is the practice of protecting systems, networks,
and programs from digital attacks.
These attacks are often aimed at accessing, changing, or
destroying sensitive information; extorting money from users;
or interrupting normal business processes.

• Cyber security is the collection of policies, techniques, technologies, and processes that work together to protect the confidentiality, integrity, and availability of computing resources, networks, software programs, and data from attack.
• Cyber defense mechanisms exist at the application, network, host, and data level.
Slide labels: Firewalls, antivirus software, intrusion detection systems (IDSs)
Intrusion detection systems (IDSs)

• An Intrusion Detection System (IDS) is a cybersecurity solution that monitors and evaluates network traffic or system activities to identify malicious behavior that might signal a security breach.
• Its main function is to detect intrusions and notify administrators, enabling them to respond quickly to potential threats.

Cyber Security
Safeguarding systems, applications, and networks from digital attacks that aim to access or modify confidential information, extort money from users, or interrupt normal business operations.

Why is Cybersecurity Important?
In today's digital age, our lives are increasingly intertwined with
technology. From personal devices to critical infrastructure, everything
is connected to the internet. This interconnectedness, while offering
numerous benefits, also exposes us to a wide range of cyber threats.

Why is Cybersecurity Important?
Cybersecurity is essential because:
• Protecting Sensitive Information: It safeguards personal data,
financial information, and intellectual property.
• Maintaining Business Continuity: It ensures the uninterrupted
operation of businesses and organizations.
• Safeguarding Critical Infrastructure: It protects essential services like
power grids, transportation systems, and healthcare systems.

Common Cyber Threats
• Malware: Malicious software designed to harm computer systems.
• Phishing: Deceptive tactics used to trick individuals into revealing
sensitive information.
• Ransomware: Malware that encrypts data and demands a ransom for
its decryption.
• Denial-of-Service (DoS) Attacks: Overwhelming a system or network
to prevent legitimate users from accessing it.
• Data Breaches: Unauthorized access to sensitive data.

Cyberattacks: A Growing Threat
A cyberattack is any malicious act targeting computer systems,
networks, or digital information. These attacks can range from simple
vandalism to sophisticated espionage and sabotage.



The Impact of Cyberattacks
• Financial Loss: Discuss the direct and indirect costs of cyberattacks, including ransom payments, lost revenue, and legal fees.
• Reputational Damage: Explain how cyberattacks can erode (break down) trust and damage a company's brand reputation.
• Operational Disruption: Highlight the potential for cyberattacks to
disrupt critical business operations, leading to service outages and
production delays.
• Data Privacy and Security: Discuss the risks to sensitive personal and
corporate data, including identity theft and intellectual property
theft.
Types of Cyber Attacks

Cyberattacks come in many forms, each targeting different aspects of a
system or network. Here are some common types of cyberattacks:
1. Phishing:
• Attackers trick individuals into providing sensitive information (like passwords or credit card numbers) by pretending to be a legitimate entity via email or other communication methods.
2. Malware:
• Software designed to harm or exploit any device, service, or network. Examples include viruses, worms, Trojans, and ransomware.
3. Ransomware:
• A type of malware that encrypts the victim's data and demands a ransom (usually in cryptocurrency) for decryption keys to regain access.

4. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS):
• These attacks aim to make a system, network, or service unavailable to its users by overwhelming it with a flood of traffic or requests.
5. Man-in-the-Middle (MitM) Attack:
• Attackers intercept and potentially alter communication between two parties without their knowledge, often to steal sensitive data like login credentials.
6. SQL Injection:
• In this attack, malicious SQL queries are used to manipulate a database, allowing attackers to access or manipulate sensitive data.
7. Cross-Site Scripting (XSS):
• Attackers inject malicious scripts into web applications, which then execute on the user's browser, potentially stealing data or compromising the system.

The Evolving Threat Landscape

Key points:
• The increasing sophistication of cyberattacks
• The growing volume and complexity of cyber threats
• The limitations of traditional security measures

Defining Computer Security

This definition introduces three key objectives that are at the heart of computer security, collectively known as the CIA triad:

Confidentiality
Protecting information from unauthorized access and disclosure

Integrity
Ensuring information remains accurate and unaltered

Availability
Guaranteeing reliable access to information when needed
The CIA Triad: Core Security Concepts

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Loss scenario: Unauthorized disclosure of information, such as customer data breach or leaked company secrets.

Integrity
Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
Loss scenario: Unauthorized modification or destruction of information, such as website defacement or database corruption.

Availability
Ensuring timely and reliable access to and use of information.
Loss scenario: Disruption of access to information systems, such as through denial-of-service attacks or hardware failures.
Additional Security Concepts
Authenticity
The property of being genuine and verifiable, establishing
confidence in the validity of a transmission, message, or originator.
This means verifying that users are who they claim to be and that
each input arriving at the system came from a trusted source.

Accountability
Since truly secure systems remain an aspirational goal, we must be
able to trace security breaches to responsible parties. Systems
must maintain activity logs to enable forensic analysis of security
incidents or to assist in resolving transaction disputes.
A Brief History of Cybersecurity
Timeline Visual:

• 1940s-1970s: The Early Days
  • Security through physical access & "phreaking"
  • No malicious software, mainly academic exercises
• 1980s: The Birth of Cyber Threats
  • First computer virus (Brain, 1986)
  • Morris Worm (1988) – first major internet attack
• 1990s: The Internet Age
  • Malware proliferation (Melissa, ILOVEYOU)
  • Rise of firewalls and antivirus software
• 2000s: Professionalization of Crime & Warfare
  • Organized cybercrime, botnets, identity theft
  • State-sponsored attacks (Stuxnet, 2010)
• 2010s-Present: The Modern Era
  • Ransomware, Advanced Persistent Threats (APTs)
  • IoT vulnerabilities, Cloud security challenges
  • AI-powered attacks and defenses


Why Does Cybersecurity Matter?

The Stakes are High:

• Financial: Global cybercrime costs reach $10.5 trillion annually in 2025

• Personal: Identity theft, privacy loss, financial fraud

• National: Critical infrastructure protection, election security, espionage

• Corporate: Reputation damage, IP theft, operational disruption


Key Terminology (I)
Foundational Vocabulary:

• Asset: Anything of value to an organization (data, hardware, reputation)
• Threat: Any potential danger to an asset
• Vulnerability: A weakness that can be exploited by a threat
• Risk: The potential for loss or damage when a threat exploits a vulnerability
  • Risk = Threat × Vulnerability × Impact

(Threat → exploits → Vulnerability → causes → Risk to → Asset)


Key Terminology (II)

Core Concepts:

• Attack Vector: Path or means by which an attacker gains access
• Attack Surface: All possible points where an attacker could try to enter
• Exploit: A piece of code or technique that takes advantage of a vulnerability
• Zero-Day: A previously unknown vulnerability with no available patch
• Countermeasure/Control: An action taken to reduce risk
Interactive Activity

"Map the Terms" Case Study:

Scenario:

• A hospital's patient database is accessed by hackers who used a phishing email to steal a nurse's login credentials. Patient data was copied and held for ransom.
• Task (Breakout Groups): Identify the Asset, Threat, Vulnerability, Attack Vector, and Impact.
The Evolving Cyber Threat Landscape
• It's a dynamic battlefield
– From individual hobbyists → organized crime →
nation-states
– Attacks are increasingly sophisticated, targeted,
and costly
• Cyber threats evolve continuously over time
Types of Cyber Threats
• Cybercrime: Financially motivated attacks
• Cyber Espionage: Theft of sensitive or
classified information
• Hacktivism: Ideological or political motivations
• Cyber Warfare: State vs. state attacks on
infrastructure
• Insider Threats: Malicious or negligent internal
actions
Common Threat Agents & Their Motivations

Threat Agent      Typical Motivation                Common Tactic
Script Kiddies    Thrill, notoriety                 Existing tools/scripts
Hacktivists       Political / social causes         DDoS, defacement
Organized Crime   Financial gain                    Ransomware, fraud
Insiders          Revenge, financial, accident      Data theft, sabotage
Nation-States     Espionage, disruption, warfare    APTs, zero-days
Understanding Vulnerabilities
• Technical: Software bugs, misconfigurations,
unpatched systems
• Human: Social engineering, weak passwords,
poor habits
• Physical: Unlocked server rooms, stolen
devices
• Operational: Weak policies, lack of training,
poor incident response
The Expanding Attack Surface
• Traditional: Servers, workstations, corporate
networks
– Cloud: SaaS, IaaS, PaaS environments
– Mobile: Smartphones, tablets, mobile apps
– IoT: Smart devices, cameras, sensors
– Remote Workforce: Home networks, personal
devices
– Supply Chain: Third-party vendors and software
Common Attack Vectors
• Phishing & Social Engineering: Primary malware
delivery method
• Malware: Viruses, worms, ransomware, spyware
• Weak Credentials: Password spraying, credential
stuffing
• Unpatched Software: Exploiting known vulnerabilities
• Misconfigurations: Open cloud storage, default
passwords
• Supply Chain Compromise: Attacking trusted vendors
Risk Management: The Core Process
• Identify assets, threats, and vulnerabilities
• Assess risk likelihood and potential impact
• Mitigate risk using appropriate controls
• Monitor, review, and improve continuously
• Goal: Manage risk to an acceptable level, not
eliminate it
Defense in Depth (Layered Security)
• No single security control is sufficient
• Multiple layers protect critical assets
– Firewall / Network Security (Outer Wall)
– Authentication & Endpoint Protection (Inner
Layers)
– Encryption protects the most valuable data
Impact Levels of Security Breaches

Security breaches can have varying degrees of impact on organizations. Understanding these impact levels helps prioritize security measures and allocate resources effectively.

1. Low
2. Moderate
3. High

These impact levels help organizations assess risk, allocate security resources
appropriately, and develop contingency plans tailored to the potential
severity of security incidents.
Low Impact Security Breaches
Low impact breaches cause limited negative effects on organizational
operations, assets, or individuals.

Examples of limited adverse effects:

• Degradation in mission capability to an extent that the organization can still perform primary functions, but with noticeably reduced effectiveness
• Minor damage to organizational assets that can be easily repaired or replaced
• Minor financial loss that falls within acceptable operational risk parameters
• Minor harm to individuals that doesn't require significant intervention


Moderate Impact Security Breaches
Moderate impact breaches cause serious negative effects on organizational operations, assets, or individuals.

Examples of serious adverse effects:

• Significant degradation in mission capability where the organization can still perform primary functions, but effectiveness is significantly reduced
• Significant damage to organizational assets requiring substantial resources to repair
• Significant financial loss impacting operational budgets or requiring special funding
• Significant harm to individuals that doesn't involve loss of life or serious, life-threatening injuries
High Impact Security Breaches
High impact breaches cause severe or catastrophic negative effects on
organizational operations, assets, or individuals.

Examples of severe or catastrophic adverse effects:

• Severe degradation or complete loss of mission capability preventing the organization from performing one or more primary functions
• Major damage to organizational assets requiring extensive resources to repair or replace
• Major financial loss threatening the organization's continued existence or operation
• Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
Confidentiality: Real-World Examples
Student Academic Records

High Confidentiality
Student grade information is highly sensitive and should only be available to students, their parents, and authorized employees who require this information to perform their job duties.

Moderate Confidentiality
Student enrollment information is seen by more people daily, is less likely to be targeted than grade information, and results in less damage if disclosed.

Low/No Confidentiality
Directory information, such as lists of students or faculty, may have minimal confidentiality requirements as it's typically freely available on a school's website.
Integrity: Real-World Examples (Part 1)
Hospital Patient Allergy Information

High Integrity Requirement

• Doctors must trust that patient allergy information is correct and current
• Falsified data (e.g., by an authorized nurse) could cause patient harm
• Database must be quickly restored to a trusted state after tampering
• Actions should be traceable to the responsible individual
• Inaccurate information could result in serious harm or death to patients
• Hospital could face massive liability for integrity failures
Integrity: Real-World Examples (Part 2)

Moderate Integrity: Discussion Forum
A website offering forum discussions to registered users may have moderate integrity requirements. Falsified entries by users or hackers may cause:
• Some data loss requiring restoration
• Limited financial impact
• Time loss for administrators
However, if the forum isn't used for critical purposes like research and generates little revenue, potential damage is not severe.

Low Integrity: Anonymous Online Poll
Many news websites offer anonymous online polls with minimal safeguards against manipulation. These have low integrity requirements because:
• Their inaccuracy is well understood by users
• They're recognized as unscientific by nature
• Results aren't used for critical decision-making
• Manipulation has minimal consequences
Availability: Real-World Examples (Part 1)
Authentication Services for Critical Systems

High Availability Requirement

An authentication service that controls access to critical systems requires maximum uptime because:

• Service interruption prevents customer access to computing resources
• Staff cannot access resources needed to perform critical tasks
• Downtime translates to significant financial losses from:
  • Lost employee productivity
  • Potential customer attrition
  • Damaged reputation and trust
Availability: Real-World Examples (Part 2)

Moderate Availability: University Website
A public university website typically has moderate availability requirements:
• Not a mission-critical component of the university's information system
• Temporary unavailability doesn't prevent core educational functions
• Downtime causes some embarrassment and inconvenience
• May impact prospective student research or public information access
• Reasonable recovery time is acceptable

Low Availability: Online Phone Directory
An online telephone directory lookup application would have low availability requirements because:
• Temporary loss is merely an annoyance
• Alternative access methods exist (hardcopy directory, operator)
• Non-critical to operations
• Extended recovery time is acceptable
• Little financial impact from downtime
Security Attacks: Basic
Classifications
Security attacks can be classified into two fundamental categories:

Passive Attacks
Attempts to learn or make use of information from the system but does not affect system resources.
• Monitoring transmissions
• Gathering intelligence
• No modification of data
• Difficult to detect

Active Attacks
Attempts to alter system resources or affect their operation.
• Modifying data in transit
• Creating fraudulent data
• Disrupting services
• Often detectable
Passive Attacks: Types and Goals
The primary goal of passive attacks is to obtain information being transmitted
without altering it. These attacks are categorized into two main types:

Release of Message Contents


Unauthorized access to sensitive or confidential information such as:
• Phone conversations
• Email messages
• File transfers
• Instant messages
Defense: Encryption is the primary countermeasure to mask content
from unauthorized viewers.

Traffic Analysis
Even with encrypted content, an attacker can observe:
• Communication patterns
• Message frequency
• Message length
• Sender/receiver identities
This metadata can reveal the nature of communication taking place.
Passive Attack: Interception
Key Characteristics of Interception Attacks

Covert Operation
The attacker captures data without alerting the sender or receiver, maintaining complete secrecy.

Normal Appearance
Message traffic continues to flow normally between legitimate parties who remain unaware of the eavesdropping.

Confidentiality Breach
While data integrity remains intact, the confidentiality of the information is compromised.
Passive Attacks: Traffic Analysis
The Subtle Threat of Traffic Analysis
Even when message contents are encrypted, attackers can gain
valuable intelligence by analyzing traffic patterns:

• Determining location and identity of communicating hosts
• Observing frequency of communications
• Measuring message lengths
• Tracking timing patterns
• Inferring relationships between communicating parties
• Guessing the nature of communication

This information can be surprisingly revealing even without access to the actual message content.
Handling Passive Attacks
Challenges and Approaches

Detection Difficulties
• Extremely difficult to detect since no data alteration occurs
• Message traffic appears normal to both sender and receiver
• No obvious signs of third-party observation
• Conventional intrusion detection systems may miss these attacks

Prevention Strategies
• Strong encryption to protect message contents
• Secure communication channels
• Traffic padding to obscure patterns
• Mix networks to obfuscate traffic analysis
• Regular security audits

The primary security approach for passive attacks is prevention rather than detection, focusing on making the intercepted data useless to attackers.
Active Attacks: Categories and Impact
Active attacks involve modification of data streams or creation of false streams. These attacks are divided into four main categories:

Masquerade
One entity pretends to be a different entity, often to gain unauthorized privileges or access protected resources.

Replay
Passive capture of a data unit followed by its retransmission to produce an unauthorized effect, such as repeating authentication sequences.

Modification
Altering portions of legitimate messages, or delaying/reordering them to produce unauthorized effects.

Denial of Service
Preventing or inhibiting the normal use of communication facilities, either targeting specific services or entire networks.
Active Attacks: Masquerade & Replay
Masquerade Attacks
A masquerade attack occurs when one entity pretends to be a different entity:
• Typically combined with other forms of active attacks
• Often involves stolen credentials or session hijacking
• Enables privilege escalation by impersonating entities with higher access levels
• Can bypass authentication mechanisms
• Example: Using stolen administrator credentials to access restricted systems

Replay Attacks
Replay attacks involve capturing legitimate data and retransmitting it later:
• Passive capture of authentication sequences
• Retransmission to fraudulently authenticate
• Can work even with encrypted communications
• No need to understand the data contents
• Example: Capturing and replaying authentication tokens to gain unauthorized access
Active Attacks: Modification & Denial of Service
Modification of Messages
These attacks alter legitimate messages to create unauthorized effects:
• Changing critical parts of messages
• Delaying messages to create timing issues
• Reordering message sequences
• Example: Changing "Allow John Smith to read file" to "Allow Fred Brown to read file"
• Can bypass authorization checks
• May trigger unintended system behavior

Denial of Service (DoS)
DoS attacks prevent normal use of computing resources:
• May target specific services (e.g., security audit)
• Can affect entire networks
• Methods include disabling networks or overwhelming with traffic
• Distributed DoS (DDoS) uses multiple attacking systems
• Often used for extortion or as distraction for other attacks
Active Attack: Denial of Service
Understanding DoS Attack Mechanics
In a denial of service attack, the attacker floods a target with excessive requests
or traffic, overwhelming its capacity to respond. This can be executed through
various techniques:

• SYN Flood: Exploiting TCP handshake by sending many SYN packets without completing connections
• Volumetric Attacks: Overwhelming bandwidth with massive traffic volumes
• Application Layer Attacks: Targeting specific applications or services with resource-intensive requests
Active Attack: Masquerade
Masquerade Attack Details

Attack Process
1. Attacker obtains credentials or session information
2. Attacker assumes the identity of a legitimate user
3. System authenticates the attacker as the legitimate user
4. Attacker gains access to resources authorized for the impersonated user

Common Techniques
• Social engineering to steal credentials
• Man-in-the-middle attacks
• Session hijacking
• Credential theft via malware
• Brute force password attacks
Active Attack: Replay
Replay Attack Mechanics

Capture Phase
Attacker passively intercepts valid network traffic containing authentication
tokens, session cookies, or other credentials during legitimate user
transactions.

Analysis Phase
Attacker identifies valuable data units that can be reused, even without
understanding their internal structure or encryption.

Retransmission Phase
Attacker retransmits the captured data at a later time to replicate the
original transaction, gaining unauthorized access or executing
unwanted operations.
Active Attack: Modification
Message Modification Techniques

Content Alteration
Changing critical parts of a message to alter its meaning or authorization level.
Example: Changing "Allow John Smith to read confidential file accounts" to "Allow Fred Brown to read confidential file accounts."

Timing Manipulation
Delaying messages to create timing issues or exploit time-sensitive operations.
Example: Delaying a financial transaction confirmation to create opportunity for duplicate transactions.

Sequence Reordering
Changing the order of a series of messages to produce unintended effects.
Example: Reordering database operations to bypass transaction controls.
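
The replay and message-modification slides above describe attacks that a keyed integrity check combined with freshness data is meant to stop. The following added example (not part of the original slides) shows a receiver that rejects a modified, replayed, or stale message by checking an HMAC over a timestamp and a random nonce; the 30-second window, the field names, and the in-memory nonce cache are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window; tune to real clock drift


def _tag(key, ts, nonce, body):
    # Length-prefix every field so bytes cannot slide from one field to another.
    parts = [str(ts).encode(), str(nonce).encode(), str(body).encode()]
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(key, body, now=None):
    """Sender: bind the body to a timestamp and a one-time random nonce."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body,
            "tag": _tag(key, ts, nonce, body)}


class Verifier:
    """Receiver: accepts each authentic message once, within the window."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp of messages already accepted

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        # 1. Integrity first: nothing in msg is trusted until the tag checks out.
        expected = _tag(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, str(msg["tag"])):
            return "rejected: bad tag"
        # 2. Freshness: an old capture is useless once the window has passed.
        if abs(now - msg["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        # 3. Uniqueness: inside the window, a nonce is accepted only once.
        #    Entries older than the window can be dropped, because step 2
        #    already rejects any message carrying their timestamp.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.max_skew}
        if msg["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo():
    key = secrets.token_bytes(32)   # shared secret, constructed for the demo
    verifier = Verifier(key)
    t0 = 1_700_000_000              # constructed clock value
    original = sign(key, "Allow John Smith to read confidential file accounts",
                    now=t0)
    results = {"original": verifier.verify(original, now=t0 + 1)}
    # Same bytes sent again a few seconds later (replay inside the window).
    results["replay"] = verifier.verify(dict(original), now=t0 + 5)
    # Body changed in transit, tag left as captured (modification).
    tampered = dict(original,
                    body="Allow Fred Brown to read confidential file accounts")
    results["modified"] = verifier.verify(tampered, now=t0 + 6)
    # Same bytes sent an hour later (replay outside the window).
    results["late_replay"] = verifier.verify(dict(original), now=t0 + 3600)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

The nonce cache only has to remember nonces for the length of the freshness window, which is what keeps its size bounded.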


Handling Active Attacks
Challenges in Active Attack Mitigation

Prevention Limitations
Unlike passive attacks, active attacks are difficult to prevent absolutely due to:
• Wide variety of potential physical vulnerabilities
• Diverse software vulnerabilities
• Complex network attack vectors
• Zero-day exploits
• Social engineering vulnerabilities

Detection and Recovery Focus
The primary security strategy shifts to:
• Rapid detection of active attacks
• Effective incident response
• Minimizing disruption duration
• System and data recovery
• Creating deterrent effects through accountability
Security Mechanisms: Encryption & Signatures
Encipherment
Uses mathematical algorithms to transform data into a form that's not readily intelligible:
• Encryption and decryption depend on algorithms and keys
• Protects data confidentiality during storage and transmission
• Provides foundation for many other security services

Digital Signature
Data appended to or transformed from a data unit that:
• Proves the source of the data (authentication)
• Verifies data integrity
• Prevents forgery by recipients
• Provides non-repudiation of origin
Security Mechanisms: Access Control & Integrity
Access Control
A variety of mechanisms that enforce access rights to resources:
• Authentication factors (something you know, have, are)
• Authorization policies
• Principle of least privilege
• Role-based access control
• Mandatory access control

Data Integrity
Mechanisms that assure the integrity of data units or streams:
• Checksums and hash functions
• Message authentication codes (MACs)
• Digital signatures
• Version control systems
• Blockchain technology
Additional Security Mechanisms

Authentication Exchange
Mechanisms that ensure entity identity through information exchange, such as challenge-response protocols, multi-factor authentication, and biometric verification.

Traffic Padding
Insertion of bits into gaps in data streams to frustrate traffic analysis attempts, making it difficult for attackers to infer information from communication patterns.

Routing Control
Enables selection of physically secure routes for sensitive data and allows routing changes when security breaches are suspected, enhancing transmission security.

Notarization
Uses trusted third parties to assure certain properties of data exchanges, such as time of creation, sender identity, and content integrity.
Here's a simple malware detection dataset with five attributes and one label. The
label indicates whether the file is "Malicious" or "Benign."

File Size (MB)   File Type   Encryption (Yes/No)   Number of Connections   CPU Usage (%)   Label
3.2              EXE         Yes                   12                      70              Malicious
1.5              TXT         No                    1                       5               Benign
5.6              EXE         Yes                   25                      85              Malicious
0.8              DOC         No                    2                       10              Benign
7.1              EXE         Yes                   30                      90              Malicious
2                PDF         No                    3                       15              Benign
4.3              EXE         Yes                   18                      65              Malicious
1.2              JPG         No                    0                       2               Benign
6.8              EXE         Yes                   20                      80              Malicious
1                TXT         No                    1                       7               Benign

Here’s an explanation of each attribute in the dataset:
1. File Size (MB):
• Represents the size of the file in megabytes (MB).
• Malware files often have unusual sizes compared to normal files, either being very small (to avoid detection) or unusually large due to embedded malicious payloads.
2. File Type:
• Specifies the type or format of the file, such as EXE (executable), TXT (text file), DOC (document), PDF, or JPG (image).
• Executable files (EXE) are more likely to contain malware, whereas other file types like TXT or JPG are less likely to be malicious but can still be used as delivery vectors for certain attacks.
3. Encryption (Yes/No):
• Indicates whether the file is encrypted or not.
• Malware creators often encrypt their files to obscure the malicious content and bypass security detection.
4. Number of Connections:
• Refers to the number of network connections initiated by the file or application.
• Malware frequently establishes multiple connections to external servers for activities like data exfiltration, command-and-control (C2), or downloading additional malicious payloads.
5. CPU Usage (%):
• Shows the percentage of CPU resources consumed by the file or associated process.
• Malicious files often cause unusually high CPU usage due to activities like mining cryptocurrency, launching denial-of-service (DoS) attacks, or running background processes.
6. Label:
• Indicates whether the file is Malicious (contains malware) or Benign (safe and free of threats).
• This is the target variable used in machine learning models for classification purposes.
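
An added example, not part of the original slides: it fits a one-feature decision stump, scored by information gain, on each attribute of the ten-row table and shows that every attribute separates the labels perfectly, so this toy data cannot say which attribute actually indicates malware. The two extra samples are constructed for illustration, and the stump is an assumed stand-in for whatever classifier is trained on the data.

```python
import math
from collections import Counter

# The ten rows of the table above:
# (size_mb, file_type, encrypted, connections, cpu_pct, label)
ROWS = [
    (3.2, "EXE", "Yes", 12, 70, "Malicious"),
    (1.5, "TXT", "No", 1, 5, "Benign"),
    (5.6, "EXE", "Yes", 25, 85, "Malicious"),
    (0.8, "DOC", "No", 2, 10, "Benign"),
    (7.1, "EXE", "Yes", 30, 90, "Malicious"),
    (2, "PDF", "No", 3, 15, "Benign"),
    (4.3, "EXE", "Yes", 18, 65, "Malicious"),
    (1.2, "JPG", "No", 0, 2, "Benign"),
    (6.8, "EXE", "Yes", 20, 80, "Malicious"),
    (1, "TXT", "No", 1, 7, "Benign"),
]
FEATURES = ["size_mb", "file_type", "encrypted", "connections", "cpu_pct"]

# Constructed samples (not from the slides): a large, quiet installer and a
# small document whose process is noisy on the network and CPU.
CONSTRUCTED_INSTALLER = (6.0, "EXE", "No", 2, 8)
CONSTRUCTED_DOC = (0.9, "DOC", "No", 15, 60)


def entropy(labels):
    """Shannon entropy of a list of class labels, in bits."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def _matches(value, op, ref):
    return value == ref if op == "==" else value > ref


def fit_stump(rows, col):
    """Best single test on one column: '== v' for text, '> threshold' for numbers."""
    base = entropy([r[-1] for r in rows])
    values = sorted({r[col] for r in rows})
    if isinstance(values[0], str):
        candidates = [("==", v) for v in values]
    else:  # thresholds halfway between neighbouring observed values
        candidates = [(">", (a + b) / 2) for a, b in zip(values, values[1:])]
    best = None
    for op, ref in candidates:
        yes = [r[-1] for r in rows if _matches(r[col], op, ref)]
        no = [r[-1] for r in rows if not _matches(r[col], op, ref)]
        if not yes or not no:
            continue
        remainder = (len(yes) * entropy(yes) + len(no) * entropy(no)) / len(rows)
        gain = base - remainder
        if best is None or gain > best["gain"]:
            best = {"col": col, "op": op, "ref": ref, "gain": gain,
                    "if_yes": Counter(yes).most_common(1)[0][0],
                    "if_no": Counter(no).most_common(1)[0][0]}
    return best


def predict(stump, sample):
    hit = _matches(sample[stump["col"]], stump["op"], stump["ref"])
    return stump["if_yes"] if hit else stump["if_no"]


def compare_stumps(sample):
    """Map feature name -> (information gain on ROWS, prediction for sample)."""
    out = {}
    for col, name in enumerate(FEATURES):
        stump = fit_stump(ROWS, col)
        out[name] = (round(stump["gain"], 3), predict(stump, sample))
    return out


if __name__ == "__main__":
    for title, sample in [("installer", CONSTRUCTED_INSTALLER),
                          ("document", CONSTRUCTED_DOC)]:
        print(title, sample)
        for name, (gain, label) in compare_stumps(sample).items():
            print(f"  {name:12s} gain={gain:.3f} -> {label}")
```

Every stump scores the full 1 bit of gain on the table, yet the stumps disagree on both constructed samples, which is the sign that ten perfectly separable rows are enough to fit a model but not to validate one.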
Class Guidelines

• ATTEND ON TIME
• KEEP ANY DISTRACTIONS AWAY
• SHARE YOUR IDEAS AND DISCUSS
• ASK QUESTIONS

1/27/2025 CMPS452: Introduction to Data Mining

Interactive Scenario: Secure the Startup
• Scenario: A fintech startup launching a cloud-
based web application
• Assets: Customer data, web application, cloud
infrastructure
• Attack Surfaces: Web app, cloud services,
employee laptops
• Task: Propose 1 technical and 1 human control
per surface
• Group discussion and presentation (20 minutes)
The Future & Your Role
• AI vs. AI in cybersecurity
• Quantum computing and encryption
challenges
• Increasing regulation and privacy laws (GDPR,
CCPA)
• Everyone plays a role in security: developers,
managers, users
• Think security first: a mindset, not just a
department
