Topic 6.1
- What is the difference between Authentication vs. Authorization?
Authentication answers the ‘who are you?’ and is the process of verifying a user’s identity using things like passwords, tokens, or biometrics. Authorization answers “What are you allowed to do?” and decides which resources or actions that authenticated identity can access. In practice, you authenticate first, then authorization rules are effective.
- What is Continuous Authentication? What are the benefits?
Continuous Authentication (CA) keeps checking that the person using the system is still the legitimate user, instead of trusting a single login event. It builds a profile from behavior over time such as: process activity, network usage, mouse input, and keystrokes and compares current activity against that profile. This helps catch anomalies and behavior without constantly interrupting the user. Online models work better than offline ones here because they can update as behavior changes, and network-related events in particular are very effective for distinguishing users.
- Why not to ask password all the time?
Constant password prompts wreck usability and productivity, since people lose a lot of time dealing with failed logins and resets. Strict, complex password rules make passwords hard to remember and annoying to type, which drives up error rates.
- In terms of methodology, what is the difference between Online vs. Offline experiments?
Offline classification trains a model once on an initial batch of data and then freezes it, using that static model for all future predictions. This works best when the data distribution is stable and doesn’t change much over time. Online classification instead follows a test it then train it pattern, updating the model with each new sample so it tracks shifts in behavior. For Continuous Authentication, where user behavior clearly drifts over time, online methods are a much better fit than a one-shot offline model.
- What is the technical difference between Keyloggers (malware) vs. Keystroke authenticators (goodware)?
A keystroke authenticator is a defensive tool that uses how you type (like timing patterns) to verify your identity as an extra factor of authentication. A keylogger is a malware designed to secretly record what you type, especially passwords, and send that data to an attacker. Keystroke dynamics makes attacks harder because an adversary needs both the correct text and a close mimic of your typing rhythm. A keylogger just sidesteps guessing entirely by stealing your input, even though reliably replaying behavior across systems still has issues.
Topic 6.2
- Is the type of each person difference?
Yes, according to the sources, computer usage profiles characterize for each individual user. Profiles built from process, network, mouse, and keystroke events stay mostly consistent over time, with around 83.9% of participants repeating daily habits over eight weeks. Machine learning models could distinguish these profiles very accurately (up to a 99.90% F-score), with network domains accessed showing up as the most discriminative feature.
- What is Keystroke Dynamics? How can it be used for authentication?
Keystroke Dynamics is a behavioral biometric that uses how a user types as an extra factor for authentication. It records timing based metrics like dwell time (how long a key is held) and flight time (the gaps between key presses) when a user enters a password or passphrase. The system compares these timing patterns to an enrolled profile and can tune how strict it is to control false positives and false negatives. In practice, it is usually deployed as a second tier of authentication and can run in static, semi-static, or fully continuous modes, which makes it flexible for both one time logins and ongoing monitoring.
- What is the difference between Passwords and passphrases? Which one should we use?
In the study, passwords and passphrases are treated as distinct things. An “average” password is about eight characters and may mix character sets, while a passphrase is defined as a 16+ character sequence of lowercase words (like a sentence) and, achieved about 75.2 bits of entropy versus 46 bits for the sample password. Passphrases came out ahead on both security and usability. They are harder to crack but easier to remember and type across devices. Based on that, the recommendation is to use passphrases of roughly 16–18 characters to balance strength and practicality.
- What is the relation between password policies (e.g., min chars) and Entropy? Which kind of attack it prevents?
Password policies directly drive entropy by controlling minimum length and which character sets users are allowed or required to use. Under Shannon Entropy, more characters and larger alphabets increase the search space, boosting the number of guesses an attacker would need. That extra entropy mainly pushes back against bruteforce attacks that try every combination and dictionary attacks that iterate through large lists. When using keystroke dynamics, an attacker not only has to find the right string but also match the timing pattern, which further raises the cost of guessing based attacks.
- What is the relation between password policies Usable Security?
Stricter password rules often hurt usability. They are a struggle to memorize and reliably type them, leading to more login failures and more time burned on resets. People tend to start reusing weak passwords or writing credentials down. Introducing passphrases as an option helps break this cycle because they offer high entropy and are easy to use enough to support both security and usability.
- What is the difference between Bruteforce and dictionary attacks?
A dictionary attack limits itself to a curated list of likely passwords or words, trying each entry in that list against the account. A brute-force attack instead walks through the entire keyspace of allowed characters up to some length, and may also incorporate known leaked passwords as part of its search strategy.
- What is hashing? And Salting? And Rainbow Tables?
Hashing shows up mainly in the context of “hashed passwords” stored in backend databases. Hashing is a one-way transformation that turns a password into a fixed-length digest so the system does not need to store the raw secret. Rainbow tables is a massive database that stores all of the hashed passwords and their cracked original value so it is easy to identify what value was hashed.
- Can keystroke dynamics be used offensively?
Yes, once you start relying on keystroke dynamics defensively, you also create a new attack surface. If an attacker already knows the passphrase, they can try to steal or approximate the typing pattern through phishing sites that run hidden KSD and keylogging code,reality cameras that watch the user type, or audio-visual side channels. The backend keystroke templates themselves can also be targeted through database attacks, just like hashed passwords. On top of that, techniques like bi-gram slicing and crafted text can help exploit similarities in typing patterns across common word fragments to game the classifier.
- What is Typosquatting?
Typosquatting refers to registering lookalike domains to catch users’ URL typos, which is a different problem from simple login typing errors.
Topic 6.3
- Do AVs use signatures or ML? In which situation?
Modern AVs use both signatures and machine learning. Traditional signature-based detection (YARA rules) is still used to match known byte patterns, families, or functionality. ML shows up in two main ways, learning to classify samples directly as benign or malicious and helping generate or refine those signatures automatically.
- If there is a signature, does it mean there is no ML?
No, having a signature does not imply that machine learning is absent. In fact, the paper shows that ML can sit behind the scenes and help produce those signatures, rather than replace them. Systems like YarGen and AutoYara use ML models to rank or select features.
- Where is the ML placed in the case of a signature?
ML lives in the tooling that builds and scores candidate features for the rule, not inside the rule itself. YarGen, for example, uses a Naive Bayes model to score how useful various strings are for distinguishing malware from benign files. AutoYara takes it a step further with biclustering, jointly grouping samples and n-gram features to find patterns that also occur in a specific family.
- What are YARA rules?
YARA (yet another recursive algorithm) rules are an industry standard for expressing malware signatures. People use YARA extensively to hunt for specific families, CVE-related artifacts, or generic signs of malicious functionality across large corpora. The downside is that writing high-quality rules by hand is slow and takes a long time for new samples.
- How to generate YARA rules automatically?
AutoYara automates YARA rule generation by applying ML-driven analysis to a small set of malware samples. It first extracts candidate byte n-grams (with n≥8) and then filters out noisy or useless ones, such as strings that are too common across benign and malicious files or have very low entropy. Next, it runs a biclustering algorithm to find groups of features that consistently appear together in the target family but not in others and converts those groups into structured AND/OR logic.
- Are rules good for 0 days, 1-day, or N-day threats?
YARA rules built from byte patterns are much better suited for 1-day and N-day threats than for true 0-days. They rely on having at least a few known samples of a family so that you can mine recurring features and lock them into a rule. That assumes the threat is no longer completely unknown. On top of that, classic evasion techniques like packing and polymorphism can easily break byte-pattern signatures. More advanced malware needs to be analyzed by people.