Glossary

Definitions of terms used in DefenSys and network security.

A

  • Anomaly Score – A numeric value produced by the ML model for each feature vector. Lower (more negative) values are more anomalous; Isolation Forest assigns negative scores to outliers.
  • Anomaly Detection – Identifying behavior that deviates from the learned baseline of normal patterns; used to catch unknown or zero-day threats that no signature describes.

B

  • Baseline – A learned profile of "normal" traffic. DefenSys learns over a 7-day period.
  • Brute Force – Repeated login attempts (e.g. SSH, RDP) to guess credentials.

D

  • Detection Engine – The component that analyzes packets and decides if an alert should be raised.

F

  • Feature Vector – A fixed-length array of numbers (e.g. 20 values) used as input to the ML model.
  • Flow – A bidirectional connection between two endpoints (src:port ↔ dst:port, protocol). Used for feature extraction.

H

  • Honeypot – A fake service designed to attract attackers. Because no legitimate client has any reason to connect to it, any interaction is treated as a confirmed threat.
  • Honey Token – A decoy credential or file placed where only an intruder would find it; any use of it is a sign of misuse.

I

  • IDS – Intrusion Detection System. Monitors traffic and detects threats; does not block by default.
  • IPS – Intrusion Prevention System. Can block traffic in addition to detection.
  • Isolation Forest – An ML algorithm that builds random trees and identifies anomalies as the points that are "easy to isolate": outliers are separated from the rest of the data in fewer random splits than normal points, so they sit at shallower depth in the trees.

M

  • ML – Machine Learning. In DefenSys, used for anomaly detection.

P

  • Packet Capture – Capturing network packets for analysis. Requires Npcap (Windows) or libpcap (Linux/macOS).
  • Port Scanning – Probing multiple ports on a host to discover services. Often reconnaissance before an attack.

S

  • SYN Flood – A DoS attack that sends many TCP SYN packets without completing the three-way handshake, filling the target's table of half-open connections.
  • Signature-Based Detection – Detection using known patterns (rules, regex). Good for known threats; complements anomaly detection, which targets the unknown ones.

T

  • Threat Map – Geographic visualization of threat sources.