Attack detection from real intrusion dataset

Assignment Help Computer Network Security
Reference no: EM132863152

COIT20262 Advanced Network Security - Central Queensland University

Question 1. Packet Capture and Analysis

For this question you must use virtnet (as used in the tutorials) to perform an interception attack. This assumes you have already set up and are familiar with virtnet. See Moodle and the tutorial instructions for information on setting up and using virtnet. The tasks and sub-questions are grouped into multiple phases. You must complete all phases, in order.

Phase 1: Setup
1. Create topology 5 in virtnet. node1 will be referred to as the client, node2 the router, and node3 the server.
2. The attacker has access to the router and will run tcpdump to capture packets.
3. Users on the client and server will use applications to communicate. For this task, netcat will be used to generate the application traffic.
4. Server port numbers must be assigned based on the last three (3) digits of your student ID, xyz, as defined below. Examples are given for a student ID of 12345678.
• For netcat TCP server use port 8xyz. Example port: 8678

Phase 2: Intercept TCP Application Traffic
The attacker should capture traffic on the router (node1) for the following TCP application traffic.
1. Start the netcat TCP server using the assigned port on the server (node3)
2. Start the netcat TCP client on the client (node1)
3. On the client, type the following (use your actual first name):
COIT20262 TCP<press ENTER>
My ID is [studentID] <press ENTER>
My first name is [FirstName]<press ENTER>
<Ctrl-D>
The attacker should then stop the capture and save the file as: [StudentID]-tcp.pcap

Phase 3: Analysis
Answer the following sub-questions regarding the previous phases.

(a) Submit the [StudentID]-tcp.pcap file on Moodle.

(b) Draw a message sequence diagram that illustrates all the TCP packets generated by using netcat in phase 3. Do not draw any packets generated by other applications or protocols, such as ARP, DNS or SSH, and do not draw the UDP packets. Only draw TCP packets. A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time is increasing as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in tutorials. Note that you do not need to show the packet times, and the diagram does not have to be to scale. You must draw your own diagram; you cannot use the diagram generated by Wireshark.

(c) If the attacker performs a modification attack on the TCP exchange, changing the unit code from COIT20262 to COIT20264, then will the server (node3) know that an attack may have occurred? Explain why or why not. Also explain a technique that could be used so that the server (node3) is certain the message was not modified.

(d) If the attacker performs a replay attack on the TCP exchange, replaying the messages without any modification, then will the server (node3) know that an attack may have occurred? Explain why or why not.
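Added example (Python; not part of the assignment, the virtnet tutorials or netcat itself) showing in code what questions (c) and (d) ask about: a message authentication code over each typed line lets the server detect modification, and binding a per-line sequence number into that code lets it reject an unchanged replay. The shared key, the name "Alice" and the seq|msg|tag framing are assumptions made for this illustration.

```python
import hmac
import hashlib

# Assumed shared secret between client and server (constructed for this example).
# In practice it is provisioned out of band; plain netcat over TCP has nothing like it.
SHARED_KEY = b"example-shared-key-not-from-the-assignment"

def protect(key: bytes, seq: int, msg: bytes) -> bytes:
    """Frame one typed line as  seq|msg|tag  with tag = HMAC-SHA256(key, seq|msg).
    Covering the sequence number with the tag is what makes replays detectable."""
    body = str(seq).encode() + b"|" + msg
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Server-side check: verify the tag first, then require a strictly increasing sequence."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        seq_b, rest = frame.split(b"|", 1)
        msg, tag = rest.rsplit(b"|", 1)
        expected = hmac.new(self.key, seq_b + b"|" + msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):      # constant-time comparison
            return "rejected: modified", None
        seq = int(seq_b)
        if seq <= self.last_seq:                        # already seen (or older): replay
            return "rejected: replay", None
        self.last_seq = seq
        return "ok", msg.decode()

def demo():
    """Deliver the three assignment lines, then a modified copy and a replayed copy."""
    rx = Receiver(SHARED_KEY)
    lines = [b"COIT20262 TCP", b"My ID is 12345678", b"My first name is Alice"]  # Alice: constructed
    frames = [protect(SHARED_KEY, i, m) for i, m in enumerate(lines)]
    results = [rx.accept(f)[0] for f in frames]
    # Modification attack from question (c): unit code changed in transit, tag no longer matches.
    results.append(rx.accept(frames[0].replace(b"COIT20262", b"COIT20264"))[0])
    # Replay attack from question (d): second line resent unchanged, tag valid but sequence stale.
    results.append(rx.accept(frames[1])[0])
    return results
```

Without the tag and sequence number, as in the plain netcat exchange, the server has no way to tell either case from a legitimate message.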

Question 2. Attack Detection from Real Intrusion Dataset

For this question you need to implement three multi-classifiers to identify attack and normal behaviour from the UNSW-NB15 intrusion dataset. You are required to read the data from the training set (175,341 records) and the test set (82,332 records).
You are required to implement it using the publicly available machine learning software WEKA.
For this task you will need two files available on Moodle:

• training.arff and test.arff.
You need to perform the following steps:

• Import training data.
• For each classifier:
- Select an appropriate classifier (do not choose any meta classifier)
- Specify test option
- Perform the training
- Supply test data set
- Evaluate the classifier.
You need to repeat this for at least 5 classifiers, then select the results from the best 3 classifiers.
You need to include in your report the following:

(a) Screenshot of the performance details for 5 classifiers

(b) Compare the results of the selected best 3 classifiers, evaluating with the metrics: accuracy, precision, recall, F1-score and false positive rate.
Reflection:

(c) Discuss why you consider the results of the 3 classifiers you choose (out of the 5 that you used) the best.
(d) Which classifier gave the best performance overall? Justify your selection of the 'best' classifier and give reasons why you think it is the best. Is there any way to improve the performance further?
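Added example (Python; not part of the assignment or of WEKA) that computes the metrics asked for in (b) from a confusion matrix in the same per-class layout as WEKA's "Detailed Accuracy By Class" output, so the numbers in your screenshots can be checked and compared across classifiers. It goes beyond the attack/normal case and works for any number of classes. The 20 labels and predictions are constructed, not UNSW-NB15 records.

```python
from collections import Counter

def confusion_matrix(actual, predicted, labels):
    """Rows are actual classes, columns predicted classes (the layout WEKA prints)."""
    counts = Counter(zip(actual, predicted))
    return [[counts[(a, p)] for p in labels] for a in labels]

def class_metrics(cm, labels):
    """Per-class rows of WEKA's 'Detailed Accuracy By Class': TP rate, FP rate,
    precision, recall and F-measure. Works for any number of classes, so it also
    applies if you classify the UNSW-NB15 attack categories instead of attack/normal."""
    total = sum(map(sum, cm))
    out = {}
    for i, lab in enumerate(labels):
        tp = cm[i][i]
        fn = sum(cm[i]) - tp                                  # actual i, predicted elsewhere
        fp = sum(row[i] for row in cm) - tp                   # predicted i, actually elsewhere
        tn = total - tp - fn - fp
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        out[lab] = {"tp_rate": recall, "fp_rate": fp / (fp + tn) if fp + tn else 0.0,
                    "precision": precision, "recall": recall, "f1": f1, "support": tp + fn}
    return out

def accuracy(cm):
    return sum(cm[i][i] for i in range(len(cm))) / sum(map(sum, cm))

def weighted_average(metrics):
    """WEKA's 'Weighted Avg.' row: each class weighted by its number of test instances."""
    n = sum(m["support"] for m in metrics.values())
    keys = ("tp_rate", "fp_rate", "precision", "recall", "f1")
    return {k: sum(m[k] * m["support"] for m in metrics.values()) / n for k in keys}

def evaluate(actual, predicted, labels):
    cm = confusion_matrix(actual, predicted, labels)
    per_class = class_metrics(cm, labels)
    return {"confusion": cm, "accuracy": accuracy(cm),
            "by_class": per_class, "weighted": weighted_average(per_class)}

# Constructed sample of 20 test records and one classifier's predictions (not real UNSW-NB15 data).
LABELS = ["Normal", "Attack"]
ACTUAL = ["Normal"] * 8 + ["Attack"] * 12
PREDICTED = ["Normal"] * 6 + ["Attack"] * 2 + ["Normal"] * 3 + ["Attack"] * 9

if __name__ == "__main__":
    print(evaluate(ACTUAL, PREDICTED, LABELS))
```

Note that in the two-class case the FP rate of the Attack class is exactly 1 minus the recall of the Normal class, which is why accuracy alone can hide a classifier that flags too much benign traffic.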

Question 3. Cryptography

Consider the RSA encryption/decryption algorithm with the values of p and q chosen randomly from the range 100 to 300 (where p and q are prime numbers), used to encrypt a message M that is chosen randomly from the range 10 to 50. Using RSA, perform the following:
• Generate your own key pair (using the randomly chosen p and q).
• Ask your partner for their public key.
• Randomly select a message M within range 10 to 50.
• Encrypt the message for confidentiality when sending it to your partner, and inform your partner of the ciphertext.
• Decrypt the ciphertext that your partner sent you.
• Confirm with your partner that the decrypted message is correct. If incorrect, then discuss with your partner and fix.
You need to include in your report the following:

(a) Your and your partner's public keys and ciphertext

Reflection:
(b) Explain the role of two different keys (public and private) in asymmetric encryption, comparing to symmetric encryption. Is ordering of the keys important in RSA?

(c) Suppose you have downloaded the dataset from Moodle for Question 2. How do you use RSA to ensure that this dataset is not modified?
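Added example (Python; not part of the assignment) that carries the whole of Question 3 through in code with the assignment's tiny parameters: primes p and q from 100 to 300, M from 10 to 50, key generation, the encrypt/decrypt round trip, and, for (c), an RSA signature over a SHA-256 hash of the dataset that anyone holding the public key can verify. The seed, the public exponent search starting at 17, and the stand-in dataset bytes are assumptions; reducing the digest modulo n is a toy simplification forced by the small moduli, as the comment says.

```python
import hashlib
import random
from math import gcd

def is_prime(n: int) -> bool:
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def choose_parameters(seed: int):
    """Assignment parameters: distinct primes p, q in [100, 300] and a message M in [10, 50]."""
    rng = random.Random(seed)              # seeded so the run is reproducible
    primes = [x for x in range(100, 301) if is_prime(x)]
    p = rng.choice(primes)
    q = rng.choice([x for x in primes if x != p])
    return p, q, rng.randint(10, 50)

def keygen(p: int, q: int):
    """Return (public, private) = ((e, n), (d, n)) with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in range(17, phi, 2) if gcd(x, phi) == 1)
    d = pow(e, -1, phi)                    # modular inverse, Python 3.8+
    return (e, n), (d, n)

def encrypt(pub, m: int) -> int:
    return pow(m, pub[0], pub[1])          # partner's public exponent e
def decrypt(priv, c: int) -> int:
    return pow(c, priv[0], priv[1])        # your private exponent d

def digest_mod_n(data: bytes, n: int) -> int:
    """SHA-256 of the file, reduced mod n only because the assignment's moduli are far smaller
    than a 256-bit digest; real signatures use a large modulus and a padding scheme such as PSS."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(digest_mod_n(data, priv[1]), priv[0], priv[1])        # private key on the hash
def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[0], pub[1]) == digest_mod_n(data, pub[1])   # public key recovers the hash

def demo(seed: int = 20262) -> dict:
    p, q, M = choose_parameters(seed)
    pub, priv = keygen(p, q)
    c = encrypt(pub, M)                    # the ciphertext you tell your partner
    dataset = b"@relation unsw-nb15 ... constructed stand-in for training.arff"
    sig = sign(priv, dataset)              # publisher signs the dataset hash once
    return {"p": p, "q": q, "M": M, "public_key": pub, "ciphertext": c,
            "round_trip": decrypt(priv, c) == M,
            "keys_commute": encrypt(pub, decrypt(priv, M)) == M,   # e and d undo each other either way
            "signature_ok": verify(pub, dataset, sig),
            "tampered_ok": verify(pub, dataset + b"\n", sig)}        # one changed byte fails
```

"keys_commute" is the answer to the ordering question in (b): because e*d = 1 mod phi(n), applying the exponents in either order recovers M, which is what lets the same pair serve for confidentiality (encrypt with the public key) and for integrity (sign with the private key).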

Question 4. Denial of Service Attack Research

The modern era is fully dependent on the Internet which serves as an information source for all users. Thus, the availability of the Internet is very important. DDoS is one of the most highlighted attacks that obstructs network availability. Your task is to write a short report on DDoS that answers the following questions:

(a) What is a DDoS attack? How does a DDoS attack work? Classify different types of DDoS attacks.

(b) Discuss defence challenges (technical/non-technical) underlying the inability to mitigate DDoS attacks.

(c) Describe three existing defence mechanisms to prevent DDoS, including any limitations they have.

(d) Write recommendations to prevent DDoS attacks.

Note: Need Question 2 Only.

Attachment:- Advanced Network Security.rar
