Question 1. Packet Capture and Analysis [8 marks] For this question you must use virtnet (as used in the tutorials) to perform an interception attack. This assumes you have already setup and are familiar

COIT20262 – Advanced Network Security, Term 2, 2023

Assignment 1 Questions

Due date:	11:45 pm Friday 25 August 2023 (Week 6)	ASSESSMENT
Weighting:	35%	1
Length:	N/A

Instructions

Attempt all questions. This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:

• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself – do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
• Perform the tasks using the correct values listed in the question and using the correct file names.

File Names and Parameters

Where you see [StudentID] in the text, replace it with your actual student ID. If your student ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase.

Where you see [FirstName] in the text, replace it with your actual first name. If you do not have a first name, then use your last name. Do NOT include any spaces or other non- alphabetical characters (e.g. “-“).

Submission

Submit two files on Moodle only:

1. The report, based on the answer template, called [StudentID]-report.docx.
2. Submit[StudentID]-tcp.pcap file on Moodle.

Marking Scheme

A separate spreadsheet lists the detailed marking criteria.

Question 1. Packet Capture and Analysis [8 marks]

For this question you must use virtnet (as used in the tutorials) to perform an interception attack. This assumes you have already setup and are familiar with virtnet. See Moodle and tutorial instructions for information on setting up and using virtnet. The tasks and sub- questions are grouped into multiple phases. You must complete all phases, in order.

Phase 1: Setup

1. Create topology 5 in virtnet. node1 will be referred to as the client, node2 the router, and node3 the server.
2. The attacker has access to the router and will run tcpdump to capture packets.
3. Users on the client and server will use applications to communicate. For this task,

netcat will be used to generate the application traffic.

• Server port numbers must be assigned based on the last three (3) digits of your student ID, xyz, as defined below. Examples are given for a student ID of 12345678.
• For netcat TCP server use port 8xyz. Example port: 8678

Phase 2: Intercept TCP Application Traffic

The attacker should capture traffic on the router (node1) for the following TCP application traffic.

1. Start the netcat TCP server using the assigned port on the server (node3)
2. Start the netcat TCP client on the client (node1)
3. On the client, type the following (use your actual first name):

COIT20262 TCP<press ENTER>

My ID is [studentID] <press ENTER>

My first name is [FirstName]<press ENTER>

<Ctrl-D>

The attacker should then stop the capture, and save the file as:[StudentID]-tcp.pcap

Phase 3: Analysis

Answer the following sub-questions regarding the previous phases.

• Submit[StudentID]-tcp.pcap file on moodle. (0.5 marks)
• Draw a message sequence diagram that illustrates all the TCP packets generated by using netcat in phase 3. Do not draw any packets generated by other applications or protocols, such as ARP, DNS or SSH, and do not draw the UDP packets. Only draw TCP packets. A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time is increasing as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in tutorials. Note that you do not need to show the packet times, and the diagram does not have to be to scale. You

must draw your own diagram; you cannot use the diagram generated by Wireshark. (2.5 marks)

• If the attacker performs a modification attack on the TCP exchange, changing the unit code from COIT20262 to COIT20264, then will the server (node3) know that an attack may have occurred? Explain why or why not. Also explain a technique that could be used so that the server (node3) is certain the message was not modified. (2.5 marks)

• If the attacker performs a replay attack on the TCP exchange, replaying the messages without any modification, then will the server (node3) know that an attack may have occurred? Explain why or why not. (2.5 marks)

Question 2. Attack Detection from Real Intrusion Dataset [7 marks]

For this question you need to implement three multi-classifiers to identify attack and normal behaviour from the UNSW-NB15 intrusion dataset. You are required to read the data from training set (175,341 records) and test set (82,332 records).

You are required to implement it by using the publicly available machine learning software WEKA.

For this task you will need two files available on Moodle:

• training.arff and test.arff.

You need to perform the following steps:

• Import training data.
• For each classifier:
• Select an appropriate classifier (do not choose any meta classifier)
• Specify test option
• Perform the training
• Supply test data set
• Evaluate the classifier.

You need to repeat for at least 3 classifiers, and eventually select the results from the best 2 classifiers.

You need to include in your report the following:

• Screenshot of the performance details for 3 classifiers (1.5 marks)

• Compare the results of the selected best 2 classifiers, evaluating with the metrics: Accuracy, precision, recall, F1-Score and false positive rate. (3 marks)

Reflection:

• Which classifier gave the best performance overall? Justify your selection of the ‘best’ classifier and given reasons why you think it is the best. Is there any way to improve the performance further? (2.5 marks)

Question 3. Encryption and Signing [7 marks]

Aim

Your aim is to demonstrate skills and knowledge in cryptographic operations, especially key management. You will do this in pairs (that is, with a partner student).

When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted). It is recommended you use virtnet to perform the operations.

Phase 1: Key Generation

1. Generate your own RSA 2048-bit public/private key pair and upload your public key to the Public Key Directory on Moodle. (If you have already done this in the tutorial, you do not need to do it again). Save your keypair as [StudentID]-keypair.pem.
2. Generate a secret key to be used with AES-256-CBC, saving it in the file [StudentID]- key.txt.
3. Generate an IV to be used with AES-256-CBC, saving it in the file [StudentID]- iv.txt.

Phase 2: Message Creation and Signing

1. Create a message file [StudentID]-message.txt that is a plain text file containing your full name and student ID inside.
2. Digitally sign [StudentID]-message.txt using RSA and SHA256, saving the signature in the file [StudentID]-message.sgn.

Phase 3: Encryption

1. Encrypt [StudentID]-message.txt using symmetric key encryption, saving the ciphertext in the file [StudentID]-message.enc.
2. Encrypt [StudentID]-key.txt using public key encryption (RSA), saving the ciphertext in the file [StudentID]-key.enc.
3. Encrypt [StudentID]-iv.txt using public key encryption (RSA), saving the ciphertext in the file [StudentID]-iv.enc.

Phase 4: Upload to your Partner

1. To send files to your partner, you must upload them to the Encrypted Files database onMoodle. Your partner can then download from the database.

Phase 5: Decryption and Verification

1. Download the files from your partner from the Encrypted Files database.
2. Decrypt to obtain the message, saving it in the file [StudentID]-received.txt.
3. Verify the signed message.

Phase 6: File Submission

1. Submit the files on Moodle. As output from these phases, you should have the followingfiles for submission on Moodle:
2. [StudentID]-message.txt
3. [StudentID]-keypair.pem
4. [StudentID]-pubkey.pem
5. [StudentID]-key.txt
6. [StudentID]-iv.txt
7. [StudentID]-message.sgn
8. [StudentID]-message.enc
9. [StudentID]-key.enc
10. [StudentID]-iv.enc
11. [StudentID]-received.txt (this will contain the message you received from your partner)

Even though the encrypted files and public keys must be available on the Moodle databases, you should also include a copy of the files in your assessment submission. Ensure the files in the database and your submission are the same – the marker may use either version.

Phase 7: Reflection

Think about the tasks you performed in this question and write a brief reflection. You should:

(a) Submit your files on Moodle as listed above. Also take a screenshot showing the OpenSSL verification command and the message contents. That is, the single screenshot should show the output of two commands:

openssl dgst …

cat [StudentID]-received.txt

Include the screenshot on your assignment answer template. [3 marks]

• Write a reflection on which parts were the most challenging or led to mistakes, and why there were mistakes? [2 marks]

• Find and discuss the potential security vulnerability in the process/the steps you took. [2 marks]

Question 4. Ransomware Research [8 marks]

Read the research article on Ransomware attack (2023) from the below link:

https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10105244

You need to perform the following tasks:

• Write an interesting, engaging, and informative summary of the provided article. You must use your own words and you should highlight aspects of the article you think are particularly interesting. It is important that you simplify it into common, easily understood language. Your summary MUST NOT exceed 300 words. [3 marks]

• Find an Internet (online) resource (e.g., research article or link) that provides additional information and/or a different perspective on the central theme of the article you summarised in (a). Like you did in (a), summarise the resource, in your own words and the summary should focus on highlighting how the resource you selected expands upon and adds to the original prescribed resource. You must also provide a full Harvard reference to the resource. This includes a URL and access date. [3 marks]

• Reflect on the concepts and topics discussed in the prescribed article and the resource you found and summarised and how you think they could potentially impact us in future. [2 marks]

Maintaining Journal [5 marks]

Whenever you perform tasks, you should be recording important information in your online journal. This may include notes, commands you have run, parts of files you edited, and screenshots. You will be marked on how well you have maintained your journal (including technical depth) and how accurately it captures your tutorial and assignment practical activities from Week 1 to Week 5. Your online journal may be also referred to when marking your submission. For example, if the marker sees two student submissions with very similar answers, they may refer to the journal to review the entries that indicate that both students performed the tasks independently.