Loading...

Brute Force vs. Hueristic Attacks

Course video 24 of 45

This module introduces some fundamental frameworks, models, and approaches to cyber security including the CIA model.

Introduction to Cyber Attacks

New York University Tandon School of Engineering

Course 1 of 4 in the Introduction to Cyber Security Specialization

This course provides learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks. An overview of how basic cyber attacks are constructed and applied to real systems is also included. Examples include simple Unix kernel hacks, Internet worms, and Trojan horses in software utilities. Network attacks such as distributed denial of service (DDOS) and botnet- attacks are also described and illustrated using real examples from the past couple of decades. Familiar analytic models are outlined such as the confidentiality/integrity/availability (CIA) security threat framework, and examples are used to illustrate how these different types of threats can degrade real assets. The course also includes an introduction to basic cyber security risk analysis, with an overview of how threat-asset matrices can be used to prioritize risk decisions. Threats, vulnerabilities, and attacks are examined and mapped in the context of system security engineering methodologies.

Skills You'll Learn

Cybersecurity, Information Security (INFOSEC), Denial-Of-Service Attack (DOS), Risk Assessment

Taught By

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC

Transcript

There's two different types of attacks that we see in cyber security.

The first is called brute force.

That's where an attacker creates software, creates a system,

creates some sort of an attack strategy that's literally going to try every

possibility in some input set to try and break into your system.

The obvious example here is passwords, right?

So one possible way to break your password, [LAUGH] is try every password.

And I know it sounds crazy, but that's why we try and

lengthen the password that you're using.

Make sure that it's of sufficient length and complexity that it's not easy for

you to just try every possibility.

If you have a three character password, then in my sleep I can write a program

that will try all possibilities of three characters.

So brute force attacks, it turns out,

are things that are thwarted in cyber security by making size to domain.

Now keep that in mind.

Size becomes a means for dealing with brute force attacks.

When someone asks you, hey, what's the strength of this cryptographic algorithm?

Sometimes what they mean is, what's the size of the key?

What's the domain, the number of keys that are possible?

And it's considered strong if the domain size is very big, okay?

So that's the first thing, brute force.

The second type of attack that we often see in cyber is called a heuristic attack.

A heuristic attack is a little different.

That's where you're using your intelligence, you're using knowledge,

you're using something called a shortcut.

So where brute force, I write a program or I do something that runs through

every possibility, heuristic attacks you say, I don't have time for that.

I can't do it that way, I need a shortcut.

I need some way of making the amount of time to attack your system reduced.

Now the way we deal with heuristic attacks on the offensive side is not with size,

but with complexity.

I try and make whatever my scheme is that you're trying to break so

complicated that you can't use your intelligence.

So let's put those together.

Brute force is about size.

So if I see something that has a weakness in terms of, say, the number of keys

in crypto, or the number of possibilities in terms of guessing,

then that brute force nature would lead me to follow that approach.

But if I see that you've accounted for that,

then I'm going to use my intelligence and say wow, let's see if we can find a way to

break the system without having to try all the possibilities.

So, for example, let's take a dumb crypto example.

If I said there are three characters to the keys, then duh, you use brute force.

But if I try and make the key length real big then the question is,

can I figure out the algorithm?

Are you doing something really dumb?

If it's a function, is F of 2, 4?

F of 3, 6?

F of 4, 8?

I don't need to go through all the possibilities to see that you're doubling

the domain input.

So complexity and size

are the two ways that we deal with these main two types cyber attacks.

Brute force dealt with by size, heuristic dealt with by complexity.

Keep that in mind, thanks.

About Coursera

Courses, Specializations, and Online Degrees taught by top instructors from the world's best universities and educational institutions.

Join a community of 40 million learners from around the world

Earn a skill-based course certificate to apply your knowledge

Gain confidence in your skills and further your career

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.

© 2019 Coursera Inc. All rights reserved.

Download on the App Store

Get it on Google Play