AP Cybersecurity 4.4: Detecting Attacks on Devices
Topic 4.4: Detecting Attacks on Devices
Three IoC types (host-based, file-based, behavior-based), three detection method criteria, log analysis for password attack patterns, and the most important AP exam trap in Unit 4: offline password attacks cannot be detected.
• Classify the three IoC types: host-based (unusual files, unexpected processes, unauthorized config changes, unauthorized software install), file-based (hash matches known malware, known malware filenames, known malicious file paths), behavior-based (failed logins, unusual times/locations, unauthorized access to sensitive data, privilege escalation)
• Apply the three detection method criteria: performance (anomaly uses more resources; embedded devices often can’t run any tools), cost (per-device licensing; EDR = expensive but centralized), sensitivity/criticality (hybrid for devices storing sensitive data)
• Identify IoCs for each password attack type in log files: single user many failed attempts (online attack), unusual login time/location (compromised password), many users in seconds from one IP (password spraying), default user:password sequences (credential stuffing)
• Critical AP exam trap: offline password attacks cannot be detected — the attack runs on the adversary’s machine; no logs are generated on the target system
Topic 4.4 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 4.4.A.1–A.3 | System processes, login attempts, file downloads, and user actions are logged. Auth logs record every attempted login. Logs reconstruct events during a cyber incident. An IoC is evidence that an adversary has compromised a device or network. | Section 2 — Logs and IoCs |
| 4.4.A.4 | Host-based IoCs (in auth logs, activity logs, config files): unusual files created/modified, unexpected processes/services, unauthorized config changes, unauthorized software install/update | Section 2 — Host-Based IoCs |
| 4.4.A.5 | File-based IoCs (in executable files): file hash matches known malware, filename known to be created by specific malware, file path associated with malicious activity | Section 2 — File-Based IoCs |
| 4.4.A.6 | Behavior-based IoCs (in auth and access logs): multiple failed login attempts, unusual login times or locations, unauthorized attempts to access sensitive data, privilege escalation attempts | Section 2 — Behavior-Based IoCs |
| 4.4.B.1 | Performance criterion: anomaly-based uses more resources than signature-based; many embedded devices cannot run any detection tools | Section 3 — Detection Criteria |
| 4.4.B.2 | Cost criterion: per-device licensing; EDR (endpoint detection and response) = expensive but holistic/unified/centralized alert platform | Section 3 — Detection Criteria |
| 4.4.B.3 | Sensitivity/criticality criterion: devices storing sensitive data or providing critical services benefit from hybrid detection when possible | Section 3 — Detection Criteria |
| 4.4.C.1 | Speed/performance factor: signature-based faster; effect compounded on resource-limited devices; resource-intensive tools degrade performance | Section 4 — Evaluating Methods |
| 4.4.C.2 | Phase of attack factor: adversaries must bypass physical/network controls before reaching device level; detecting at device level can prevent access to sensitive data | Section 4 — Evaluating Methods |
| 4.4.C.3 | False positive vs. bypass factor: signature-based = low false positives but easier to bypass; anomaly-based = harder to bypass | Section 4 — Evaluating Methods |
| 4.4.D.1 | Online attack IoC: single user with many wrong password attempts in auth logs. If hash DB compromised: ALL users must reset passwords — all hashes considered insecure | Section 5 — Log Analysis |
| 4.4.D.2 | Compromised password IoC: authorized user logging in from unexpected location, IP, or time | Section 5 — Log Analysis |
| 4.4.D.3 | Password spraying IoC: many users attempting login within seconds from one IP or unusual IPs | Section 5 — Log Analysis |
| 4.4.D.4 | Credential stuffing IoC: series of default user:password combinations attempted in quick succession, often same IP | Section 5 — Log Analysis |
| 4.4.D.5 | Offline attacks cannot be detected — the attack runs on the adversary’s computer. No auth logs generated on target system. | Section 5 — Log Analysis |
Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 3.B Detection strategies • 3.D Detect and classify attacks via digital evidence
Answer independently. No notes.
- An auth log shows user “jsmith” had 847 failed login attempts in 3 minutes, followed by a successful login. Which password attack type does this indicate, and which IoC category is this? What should the security team do next?
- A security analyst discovers a file on a server whose SHA-256 hash matches a known ransomware hash in their threat intelligence database. The file hasn’t executed yet. Which IoC type is this, and what should happen immediately?
- A company’s password database was stolen in a breach. The CISO asks: “Can we check our logs to see which passwords the adversary has already cracked from the database?” What is the correct answer and why?
Answers: (1) Online password attack / brute force or dictionary (one user, many attempts). Behavior-based IoC (multiple failed login attempts in auth logs, 4.4.A.6). Force password reset for jsmith; investigate the source IP; check for lateral movement after the successful login. (2) File-based IoC (4.4.A.5) — file hash matches known malware. Quarantine the file immediately before it executes; investigate how it arrived; scan for additional indicators. (3) No — offline password attacks cannot be detected (CED 4.4.D.5). The cracking runs on the adversary’s machine against the stolen database. No authentication attempts are made against the company’s systems, so no logs are generated. The correct response is to force all users to reset passwords immediately, since all hashes must be considered insecure (CED 4.4.D.1).
- 4.4.1 — Learning Objectives (3 min)
- 4.4.2 — Logs and IoC Types (12 min)
- 4.4.3 — Detection Method Criteria (10 min)
- 4.4.4 — Evaluating Detection Methods (8 min)
- 4.4.5 — Password Attack Log Analysis (10 min)
- 4.4.6 — Worked Scenarios & CFUs (8 min)
- 4.4.7 — Common Mistakes (3 min)
- 4.4.8 — Key Terms & FAQ (4 min)
14.4.1 — Learning Objectives
- Explain what system logs record and define an indicator of compromise (IoC) (4.4.A.1–A.3)
- Classify IoCs as host-based, file-based, or behavior-based and identify examples of each (4.4.A.4–A.6)
- Apply the three detection method criteria (performance, cost, sensitivity/criticality) to choose between signature-based, anomaly-based, and hybrid detection for a given device (4.4.B)
- Evaluate detection methods using the three CED factors: speed, phase of attack, and false positive vs. bypass rate (4.4.C)
- Identify IoCs for online attacks, compromised passwords, password spraying, and credential stuffing in auth logs — and explain why offline attacks produce no detectable log evidence (4.4.D)
24.4.2 — Logs and IoC Types (LO 4.4.A)
Three IoC Types
• Unexpected processes or services running
• Unauthorized changes to system configuration settings
• Unauthorized software installation or update
• File name known to be created by a specific piece of malware
• File path associated with malicious activity (certain directories are known malware staging areas)
• Unusual login times or locations
• Unauthorized attempts to access sensitive data
• Attempts to elevate user privileges on a system
Match each IoC description to its CED type.
Which of the following are TRUE about IoCs per the CED?
I. Authentication logs record every attempted login, both successful and failed, and can be used to reconstruct events during a cyber incident.
II. File-based IoCs are discovered by monitoring network traffic for unexpected data flows between devices.
III. An unauthorized change to a system configuration setting is classified as a host-based IoC.
34.4.3 — Detection Method Criteria (LO 4.4.B)
Three criteria determine which detection method is appropriate for a given device. These parallel the network detection criteria from Topic 3.5 but apply specifically to devices.
| Criterion | CED Ref | Signature-Based | Anomaly-Based | When to Choose |
|---|---|---|---|---|
| Performance | 4.4.B.1 | Less resource intensive | Uses more system memory and processing power | Signature for resource-limited devices. Many embedded devices cannot run any detection tools at all. |
| Cost | 4.4.B.2 | Per-device licensing costs | Per-device licensing costs + more hardware | EDR (endpoint detection and response) = expensive but provides holistic, unified, centralized alerting across all devices. |
| Sensitivity / Criticality | 4.4.B.3 | Fewer alerts, misses novel attacks | More alerts, catches novel attacks | Devices storing sensitive data or providing critical services benefit from hybrid detection when possible. |
The CED (4.4.B.2) introduces Endpoint Detection and Response (EDR) as a specific type of detection service. EDR is purchased from a third-party vendor and is expensive — but it provides a holistic, unified approach to threat detection and a centralized alert platform for monitoring attacks across all of an organization’s devices. Know the tradeoff: EDR = high cost, centralized visibility across all devices. Per-device software = lower per-unit cost, but no unified view.
A hospital’s network includes: (A) pacemaker controllers embedded in the hospital network, (B) nurse workstations storing patient medical records, and (C) a public-facing appointment booking server. Apply all three CED criteria to recommend the best detection method for each device type.
44.4.4 — Evaluating Detection Methods (LO 4.4.C)
| Evaluation Factor | CED Ref | Signature-Based | Anomaly-Based |
|---|---|---|---|
| Speed & Performance | 4.4.C.1 | Faster. Effect compounded on resource-limited devices. | Slower. Resource-intensive tools degrade performance, especially on devices with limited processing power. |
| Phase of Attack | 4.4.C.2 | Both methods: adversaries must bypass physical/network controls before reaching the device. Detecting at the device level can prevent access to sensitive data or disruption of critical services — detection at this layer is a last line of defense. | |
| False Positives vs. Bypass | 4.4.C.3 | Low false positive rate. Easier for adversaries to bypass (craft malware with no known signature). | Higher false positive rate. Harder for adversaries to bypass (behavior-based, not pattern-based). |
Which of the following statements about evaluating device detection methods are TRUE per the CED?
I. Signature-based detection has a low false positive rate but is easier for adversaries to bypass than anomaly-based detection.
II. Installing resource-intensive anomaly-based detection on a device will always improve security without any performance trade-offs.
III. Detecting an attack at the device level can prevent adversaries from accessing sensitive data, because adversaries must first bypass physical and network controls before reaching the device.
54.4.5 — Password Attack Log Analysis (LO 4.4.D)
Offline password attacks cannot be detected. The attack runs on the adversary’s own computer against a stolen hash database. No authentication attempts are made against the target system. No logs are generated. This is directly and explicitly stated in the CED and is one of the highest-frequency exam targets in Topic 4.4. If a question asks how to detect an offline attack, the correct answer is that it cannot be detected through log analysis.
Log Patterns for Each Attack Type
| Attack Type | CED Ref | Log Pattern (IoC) | Detectable? |
|---|---|---|---|
| Online Password Attack (brute force / dictionary) | 4.4.D.1 | Single user with many failed login attempts in auth logs | Yes — auth logs show repeated failures |
| Compromised Password | 4.4.D.2 | Authorized user logging in from unexpected location, IP address, or time | Yes — location/time anomaly in auth logs |
| Password Spraying | 4.4.D.3 | Many different users each attempting login within seconds of each other from one IP or unusual IPs | Yes — pattern visible across user accounts in logs |
| Credential Stuffing | 4.4.D.4 | Series of default user:password combinations attempted in quick succession, often from same IP | Yes — default credential sequence visible in logs |
| Offline Attack (brute force / dictionary / rainbow table) | 4.4.D.5 | None — attack runs on adversary’s machine | No — cannot be detected |
A CISO states: “We know our password database was stolen last month, but our auth logs show no unusual login activity, so the adversary probably hasn’t cracked any passwords yet. We’ll force password resets only for accounts we see attacked in the logs.” What is the error?
64.4.6 — Worked Scenarios
Complete each statement with the correct CED term or phrase.
1. Auth logs show 3,000 different user accounts each had exactly one failed login attempt within 8 seconds, all from the same IP. This is an indicator of .
2. Auth logs show a sequence of login attempts: admin:admin, admin:password, admin:1234, root:root, root:password in rapid succession from one IP. This is an indicator of .
3. An unauthorized change to system configuration settings is classified as a IoC.
4. When a password hash database is stolen, must be forced to reset their passwords because all hashes must be considered insecure.
5. Offline password attacks (brute force, dictionary, rainbow table) because the attack runs on the adversary’s own computer.
An auth log shows: user “mjohnson” successfully authenticated at 2:13 AM from IP 185.220.101.47 (a Tor exit node in Eastern Europe). This user typically logs in between 8 AM and 6 PM from IP 10.0.0.45 (internal corporate network). Which IoC type and specific indicator does this represent?
A security team’s incident report states: “We detected the rainbow table attack in progress by monitoring our authentication logs for the rapid hash comparison queries hitting our server.” What is the error?
Which of the following are TRUE about password attack detection per the CED?
I. Password spraying can be detected because it generates a log pattern of many different user accounts attempting login within seconds of each other from one or unusual IP addresses.
II. If a user:password hash database is compromised, only users whose passwords appear in a dictionary should be forced to reset, since complex passwords cannot be cracked offline.
III. An authorized user logging in from an unexpected IP address or at an unusual time is a behavior-based IoC indicating the user’s password may be compromised.
Which response correctly identifies all IoC types AND addresses the offline attack gap?
!Common AP Exam Mistakes — Topic 4.4
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Thinking offline attacks are detectable in auth logs | CED 4.4.D.5 is explicit: offline attacks run on the adversary’s machine. No authentication attempts reach the target system. Auth logs record only authentication events against the live system. | Offline = no logs, no detection. The only response to a stolen hash database is forcing all users to reset passwords immediately. |
| Only resetting compromised-looking passwords after a database theft | CED 4.4.D.1 requires forcing ALL users to reset. Offline cracking may have already occurred undetectably. Every hash in the stolen database must be treated as compromised. | Stolen hash database = universal forced password reset. No exceptions for “complex” or “probably safe” accounts. |
| Classifying unexpected process as file-based IoC | An unexpected process running on a system (CED 4.4.A.4) is a host-based IoC found in system logs. File-based IoCs (4.4.A.5) require analyzing the actual file: its hash, name, or path. | Unexpected process = host-based (from system logs). File hash match = file-based (from file analysis). |
| Recommending anomaly-based detection for all embedded devices | CED 4.4.B.1: many embedded devices “do not have enough system resources to run any detection tools on the device.” The choice isn’t signature vs. anomaly — it may be detection vs. no detection. | For embedded devices: check whether any detection is feasible before recommending a method. Resource limitation is the primary constraint. |
| Confusing password spraying log pattern with brute force | Brute force = many passwords against one account. Password spraying = one password against many accounts. The log patterns look different: brute force shows one user with many failures; spraying shows many users each with one failure from the same IP. | Many failures, one user = brute force (online). One failure each, many users, same IP = password spraying. Both are behavior-based IoCs but different patterns. |
84.4.8 — Key Terms & FAQ
| Term | Definition | AP Exam Note |
|---|---|---|
| Indicator of Compromise (IoC) | Evidence that an adversary has compromised a device or network | Three types: host-based, file-based, behavior-based |
| Authentication Log (Auth Log) | Records every attempted login on a system | Primary source for detecting online attacks and compromised passwords |
| Host-Based IoC | IoC found in auth logs, activity logs, or config files: unusual files, unexpected processes, unauthorized config changes, unauthorized software installs | Discovered from logs and configuration analysis — not from the files themselves |
| File-Based IoC | IoC found in files: hash matches known malware, known malware filename, known malicious file path | Discovered by analyzing executable files themselves |
| Behavior-Based IoC | IoC found in auth and access logs: failed logins, unusual time/location, unauthorized sensitive data access, privilege escalation attempts | Also includes the specific password attack patterns in 4.4.D |
| EDR | Endpoint Detection and Response — third-party service; expensive but holistic and centralized | High cost; unified alert platform for all devices |
-
Why does the CED treat offline attacks so differently from online attacks for detection?
Online attacks interact with the target system. Every login attempt, successful or not, generates an auth log entry. The security team can see these in real time and respond. Offline attacks bypass the target system entirely — the adversary runs hash-cracking tools on their own hardware against a copy of the stolen database. Nothing touches the organization’s servers. No log is possible because no request reaches the organization’s systems. This is why CED 4.4.D.5 is absolute: offline attacks cannot be detected through any log analysis technique. Prevention (strong hashing, salting, database security) is the only defense before a breach; universal forced reset is the only response after.
-
What is the difference between host-based IoCs and behavior-based IoCs? They both come from logs.
The CED distinguishes them by what the indicator describes. Host-based IoCs (4.4.A.4) describe changes to the system itself: new or modified files, unexpected processes running, unauthorized config changes, unauthorized software installs. Behavior-based IoCs (4.4.A.6) describe user actions: login failures, unusual access times or locations, attempts to access unauthorized data, privilege escalation. Think of it as: host-based = what happened to the machine; behavior-based = what actions were taken (usually by a compromised account or the adversary acting as one).
-
When would you choose EDR over per-device anti-malware software?
The CED (4.4.B.2) positions EDR as expensive but holistic. You would choose EDR when: (a) the organization needs centralized visibility across all devices in one dashboard rather than checking each device separately; (b) the security team is small and cannot monitor many individual devices; or (c) the cost is justified by the sensitivity of the data or criticality of the devices. Per-device software is cheaper per unit but provides no unified correlation across devices. EDR can correlate events across the entire device fleet — seeing that three different workstations all started running the same unexpected process at the same time is something per-device tools miss.
Students submit before leaving.
- Name and define all three IoC types. For each, give two specific CED-listed examples and name the log or file source where it is discovered. (AP Skill: Detect Attacks)
- Apply all three detection method criteria to recommend a detection approach for: (a) a smart thermostat embedded in a corporate HVAC system; (b) a CFO’s laptop storing financial projections and acquisition plans. (AP Skill: Detect Attacks)
- Auth logs show: at 11:47 PM, 12,000 user accounts each had exactly one failed login attempt within 15 seconds from IP 198.51.100.0. What attack is this? What is the specific IoC? Why does account lockout fail to stop it? (AP Skill: Detect Attacks)
- A company discovers their password hash database was stolen 10 days ago. Their auth logs show no unusual activity since the theft. A security analyst says: “We’re safe — the logs are clean.” Why is this conclusion wrong, and what should the company do? (AP Skill: Detect Attacks)
- For each event below, classify the IoC type and identify the specific CED indicator: (a) file “update32.tmp” in C:\Windows\Temp whose hash matches a known RAT; (b) user “bsmith” logged in at 3 AM from Brazil when she works in Boston; (c) system logs show a new service called “winsvc64” started after a user opened an email attachment. (AP Skill: Detect Attacks)
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.
+Continue Learning
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]