COIT20262 – Advanced Network Security, Term 1, 2021
Assignment 1 Submission
- Packet Capture and Analysis
Part (a)
The file is submitted on Moodle
Part (b)
Message Sequence diagram illustrating all the TCP packets is shown below

Part (c)
We use netcat for the security check, and we also need to consider integrity, authentication, confidentiality and non-repudiation. If these properties are not validated, we can be sure that the message could have been modified; if they are provided, that means a suitable algorithm is in use, and we can be fairly sure that the information cannot be modified.
Part (d)
We must use OpenSSL to perform the operation. A small mistake may mean that the system is insecure. We must encrypt a file, test it, decrypt it, and compare the decrypted file with the original.
When a replay attack is performed on the TCP exchange, replaying a message without any modification, the server can still detect that something is wrong if the encryption is good and the key is known: it knows when the message should arrive, so by checking these factors it can tell that the message did not arrive on time, because the timestamp is different.
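The freshness check described above, as an added example that is not part of the original submission: each message carries a timestamp and a random nonce bound to the payload by an HMAC, so a byte-identical replay, a stale message and a tampered message are each rejected for a different reason. The key, window length and message layout are assumptions made for this illustration.

```python
import hmac
import hashlib
import secrets

# Constructed values for the illustration: a shared key (not a real secret)
# and a 30-second freshness window.
KEY = b"demo-shared-key-not-a-real-secret"
WINDOW_SECONDS = 30


def make_message(key, payload, timestamp, nonce):
    """Sender side: bind timestamp and nonce to the payload with an HMAC tag."""
    header = b"%d|%s|" % (timestamp, nonce.hex().encode())
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + b"|" + tag.hex().encode()


class Receiver:
    """Checks integrity (HMAC), freshness (timestamp) and uniqueness (nonce)."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, pruned once older than the window

    def accept(self, message, now):
        try:
            ts_b, nonce_hex, rest = message.split(b"|", 2)
            payload, tag_hex = rest.rsplit(b"|", 1)
            timestamp = int(ts_b)
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False, "malformed"
        header = b"%d|%s|" % (timestamp, nonce_hex)
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a modified payload or header fails here.
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"
        # Freshness: outside the window the message is stale even if untouched.
        if abs(now - timestamp) > self.window:
            return False, "stale"
        # Uniqueness: the same nonce inside the window is a replay.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce_hex in self.seen:
            return False, "replay"
        self.seen[nonce_hex] = timestamp
        return True, "ok"


def demo():
    """Constructed run: fresh message, exact replay, stale message, tampered message."""
    rx = Receiver(KEY)
    nonce = bytes.fromhex("0a1b2c3d4e5f6071")  # fixed so the run is repeatable
    msg = make_message(KEY, b"transfer 10", timestamp=5000, nonce=nonce)
    stale = make_message(KEY, b"ping", timestamp=5000, nonce=secrets.token_bytes(8))
    tampered = msg.replace(b"transfer 10", b"transfer 99")
    results = [
        rx.accept(msg, now=5005),       # fresh and unseen: accepted
        rx.accept(msg, now=5010),       # byte-identical replay: rejected
        rx.accept(stale, now=5031),     # valid MAC but 31 s old: rejected
        rx.accept(tampered, now=5005),  # payload altered: MAC mismatch
    ]
    return [reason for _, reason in results]


if __name__ == "__main__":
    print(demo())
```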
- Attack Detection from Real Intrusion Dataset
Note: The dataset used to train and test Weka is given below.
Part (a)
Weka- 1
Analysis using trees.J48 -C 0.25 -M 2

Figure: Analysis using trees.J48 -C 0.25 -M 2
Analysis using RandomTree -K 0 -M 1.0 -V 0.001 -S 1

Figure: Analysis using RandomTree -K 0 -M 1.0 -V 0.001 -S 1
Analysis using REPTree -M 2 -V 0.001 -N 3 -S 1 -L -1 -I 0.0

Figure: Analysis using REPTree -M 2 -V 0.001 -N 3 -S 1 -L -1 -I 0.0
Analysis using DecisionStump

Figure: Analysis using DecisionStump
Analysis using OneR -B 6

Figure: Analysis using OneR -B 6
Part (b)
By analyzing the dataset and classifying them, weka has shown that the correctly classified data
So, out of the 5 results, I consider the REPTree the first choice because its accuracy is 76.240%, its precision is 0.826, its recall is 0.762, its false positive rate is 0.032 and its F1 measure is 0.775.
The second classifier I would choose is the RandomTree classifier, where the accuracy is 73.3482%, the precision is 0.804, the recall is 0.733, the false positive rate is 0.036 and the F1 measure is 0.760.
The third classifier I would consider is the OneR -B 6 classifier, because its accuracy is 69.5404%, its precision is 0.776, its recall is 0.695, its false positive rate is 0.058 and its F1 measure is 0.703.
Precision and recall are calculated as
Precision = TP / (TP + FP)
Recall = TP / (TP + FN)
TP is a true positive, where the classifier correctly assigns the positive class.
FP is a false positive, where the classifier incorrectly assigns the positive class (the instance is actually negative).
FN is a false negative, where the classifier mistakenly decides that a particular condition is not present.
The F-measure is a combined metric of precision and recall; when comparing algorithms we cannot say which is better if one has higher precision but lower recall, so the F-measure is used.
Part (c)
I choose the REPTree as my first option because its F1 measure is higher; the F1 measure is the weighted average of precision and recall, taking both false positives and false negatives into account. F1 is more useful than accuracy if we have an uneven class distribution. Accuracy works best if false positives and false negatives have similar cost.
Part (d)
The best classifier is the REPTree classifier, because its precision is higher and its F-measure is also higher.
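The metrics defined in Part (b) and the accuracy-versus-F1 argument of Part (c), worked through in code as an added example that is not part of the original submission. The labels are constructed: 90 normal and 10 attack records, scored by two hypothetical classifiers. The "weighted average" mirrors how Weka summarises per-class values, weighting each class by its share of instances.

```python
from collections import Counter


def per_class_metrics(y_true, y_pred, positive):
    """Precision, recall, false positive rate and F1 for one class treated as positive."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    tn = len(y_true) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "fpr": fpr, "f1": f1}


def weighted_average(y_true, y_pred):
    """Weka-style summary row: each class's metric weighted by its support."""
    n = len(y_true)
    totals = {"precision": 0.0, "recall": 0.0, "fpr": 0.0, "f1": 0.0}
    for cls, count in Counter(y_true).items():
        m = per_class_metrics(y_true, y_pred, cls)
        for key in totals:
            totals[key] += m[key] * count / n
    return totals


def accuracy(y_true, y_pred):
    return sum(1 for t, p in zip(y_true, y_pred) if t == p) / len(y_true)


def demo():
    """Constructed imbalanced dataset: accuracy and F1 rank the classifiers differently."""
    y_true = ["normal"] * 90 + ["attack"] * 10
    # Classifier A (hypothetical) never raises an alert: 90% accuracy, zero detection.
    pred_a = ["normal"] * 100
    # Classifier B (hypothetical) catches 8 of 10 attacks at the cost of 12 false alarms.
    pred_b = ["normal"] * 78 + ["attack"] * 12 + ["attack"] * 8 + ["normal"] * 2
    return {
        "acc_a": accuracy(y_true, pred_a),
        "acc_b": accuracy(y_true, pred_b),
        "attack_a": per_class_metrics(y_true, pred_a, "attack"),
        "attack_b": per_class_metrics(y_true, pred_b, "attack"),
        "weighted_a": weighted_average(y_true, pred_a),
        "weighted_b": weighted_average(y_true, pred_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On this data A wins on accuracy (0.90 vs 0.86) while B wins on weighted F1 (about 0.88 vs 0.85), which is exactly why F1 is the better guide when the classes are uneven.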
- Cryptography
Part (a)
Two prime numbers between 100 and 300: p = 103, q = 113
N = p × q = 11639
L = (p − 1)(q − 1) = 11424
E = 5, the encryption exponent, a number between 1 and L that is coprime with L and N
D = 13709, the decryption exponent, calculated so that D × E mod L = 1
Private key (E, N) = (5, 11639)
My public key (D, N) = (13709, 11639)
My friend's public key (D1, N1) = (33547, 20413)
My message = 13
Ciphertext = 13^33547 mod 20413
= 10799
My friend's ciphertext = 12^13709 mod 11639
= 11267
Decrypting the message = 11627^5 mod 11639
= 12
So my friend's message is 12
Part (b)
Asymmetric encryption is a relatively new and complex mode of encryption. It is complex because it combines two cryptographic keys to implement data security: a public key and a private key. The public key, as the name suggests, is available to everyone who wishes to send a message. The private key, on the other hand, is kept in a secure place by the owner of the public key.
The public key encrypts the data to be sent, using a particular algorithm. The private key, which is held by the receiver, decrypts it. The same algorithm is behind both processes.
The involvement of two keys makes asymmetric encryption a complex technique, but that is also what makes it so beneficial for data security. Diffie-Hellman and RSA are the most widely used algorithms for asymmetric encryption.
RSA can be used for more than just encrypting data. Its properties also make it a useful system for confirming that a message was sent by the entity that claims to have sent it, and for showing that a message has not been modified or tampered with.
When someone wants to prove the authenticity of their message, they can compute a hash (a function that takes data of arbitrary size and turns it into a fixed-length value) of the plaintext, then sign it with their private key. They sign the hash by applying the same formula that is used in decryption (m = c^d mod n). Once the message has been signed, they send this digital signature to the recipient alongside the message.
If a recipient receives a message with a digital signature, they can use the signature to check whether the message was really signed by the private key of the person who claims to have sent it. They can also see whether the message has been changed by attackers after it was sent.
To check the digital signature, the recipient first uses the same hash function to find the hash value of the message they received. The recipient then applies the sender's public key to the digital signature, using the encryption formula (c = m^e mod n), which gives them the hash contained in the digital signature.
By comparing the hash of the received message with the hash recovered from the digital signature, the recipient can tell whether the message is authentic. If the two values are the same, the message has not been changed since it was signed by the original sender. If the message had been altered by even a single character, the hash value would be completely different.
Part (c)
When RSA is implemented, it uses something called padding to help prevent a number of attacks. To explain how this works, we will start with an example. Suppose we are sending a coded message to a friend:
Dear Karen,
I hope you are well. Are we still having dinner tomorrow?
Yours sincerely,
James
Suppose that you coded the message in a simple way, by changing each letter to the one that follows it in the alphabet. This would change the message to:
Efbs Lbsfo,
J ipqf zpv bsf xfmm. Bsf xf tujmm ibwjoh ejoofs upnpsspx?
Zpvst tjodfsfmz,
Kbnft
If your enemies intercepted this letter, there is a trick they could use to try to crack the code. They could look at the format of your letter and try to guess what the message might be saying. They know that people usually start their letters with "Hi", "Hello", "Dear" or a number of other conventions.
If they tried to apply "Hi" or "Hello" as the first word, they would see that it would not fit the number of characters. They could then try "Dear". It fits, but that does not necessarily mean anything. The attackers would just try it and see where it led them. So they would replace the letters "e", "f", "b" and "s" with "d", "e", "a" and "r" respectively. This would give them:
Dear Laseo,
J ipqe zpv are xemm. Are xe tujmm iawjoh djooes upnpsspx?
Zpvrt tjoderemz,
Kanet
It still looks pretty confusing, so the attackers might try looking at some other conventions, like how we sign off our letters. People often add "From" or "Kind regards" at the end, but neither of these fits the format. Instead, the attackers might try "Yours sincerely" and replace the other letters to see where it gets them. By changing "z", "p", "v", "t", "j", "o", "d" and "m" to "y", "o", "u", "s", "i", "n", "c" and "l" respectively, they would get:
Dear Lasen,
I ioqe you are xell. Are xe tuill iawinh dinnes uonossox?
Yours sincerely,
Kanet
After that change, it looks like the attackers are starting to get somewhere. They have found the words "I", "you" and "are", in addition to the words that made up their initial guesses.
Seeing that the words are in correct grammatical order, the attackers can be fairly confident that they are heading in the right direction. By now, they have probably also realised that the code involved each letter being changed to the one that follows it in the alphabet. Once they realise this, it becomes easy to translate the rest and read the original message.
The above example was just a simple code, but as you can see, the structure of a message can give attackers clues about its contents. Sure, it was hard to work out the message from its structure alone and it took some educated guessing, but you need to keep in mind that computers are much better at doing this than we are. This means that they can be used to work out far more complex codes in a much shorter time, based on clues that come from the structure and other elements.
If the structure can lead to a code being broken and reveal the contents of a message, then we need some way to hide the structure to keep the message secure. This brings us to padding.
When a message is padded, randomised data is added to hide the original formatting clues that could lead to an encrypted message being broken. With RSA, things are a little more complicated, because an encrypted key does not have the obvious formatting of a letter that gave us clues in the example above.
Despite this, adversaries can use a number of attacks that exploit the mathematical properties of a code to break encrypted data. Because of this threat, implementations of RSA use padding schemes like OAEP to embed extra data into the message. Adding this padding before the message is encrypted makes RSA much more secure.
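The point of this section in code, as an added example that is not part of the original submission: with the page's key (N = 11639, public exponent 13709, private exponent 5), textbook RSA is deterministic, so equal plaintexts give equal ciphertexts and a small message space can simply be tabulated. A toy randomised padding (8 random bits placed above a 4-bit message, constructed here for illustration and not OAEP) makes every encryption of the same value look different and defeats the table, which is the property a real padding scheme provides.

```python
import secrets

# The page's key values; PUB is the exponent the page labels D, PRIV the one it labels E.
N, PUB, PRIV = 11639, 13709, 5


def textbook_encrypt(m):
    """Deterministic RSA: the same m always gives the same c."""
    return pow(m, PUB, N)


def equality_leak(m1, m2):
    """An observer who sees two textbook ciphertexts learns whether m1 == m2."""
    return textbook_encrypt(m1) == textbook_encrypt(m2)


def recover_from_dictionary(c, message_space=range(16)):
    """Structure clue in the extreme: if m is known to be small, tabulate every candidate."""
    return [m for m in message_space if textbook_encrypt(m) == c]


def padded_encrypt(m, rng=secrets.randbelow):
    """Toy padding (NOT OAEP): r in 1..255 placed above a 4-bit message before encrypting."""
    if not 0 <= m < 16:
        raise ValueError("toy scheme carries 4-bit messages only")
    r = 1 + rng(255)          # never 0, so the padded value is always >= 16
    padded = (r << 4) | m     # < 4096 < N, still a valid RSA input
    return pow(padded, PUB, N)


def padded_decrypt(c):
    """Undo the RSA operation, then strip the random prefix."""
    return pow(c, PRIV, N) & 0xF


def padded_ciphertexts_differ(m, trials=20):
    """Randomised padding: repeated encryptions of one value are not identical."""
    return len({padded_encrypt(m) for _ in range(trials)}) > 1


if __name__ == "__main__":
    c = textbook_encrypt(7)
    print("textbook ciphertext of 7 recovered by table lookup:", recover_from_dictionary(c))
    print("padded ciphertext of 7 recovered by table lookup:",
          recover_from_dictionary(padded_encrypt(7)))
    print("padded encryptions of 7 differ:", padded_ciphertexts_differ(7))
```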
- Denial of Service Attack Research
Part (a)
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
A DDoS attack achieves its effect by using multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination. The network consists of computers and other devices (for example, IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is known as a botnet. Once a botnet has been established, the attacker can direct an attack by sending remote instructions to each bot.
When a victim's server or network is targeted by the botnet, each bot sends requests to the target's IP address, potentially causing the server or network to become overwhelmed, resulting in a denial of service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
The different types of DDoS attacks are:
- Application layer attack
The goal of the attack is to exhaust the target's resources to create a denial of service.
These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is computationally cheap to execute on the client side, but it can be expensive for the target server to respond to, as the server often loads multiple files and runs database queries in order to create a web page.

Figure 1: Application Layer Protocol
HTTP flood
This attack is similar to pressing refresh in a web browser over and over again on many different computers at once: large numbers of HTTP requests flood the server, resulting in denial of service. The attack may be simple or complex.
Simpler implementations may access one URL with the same range of attacking IP addresses, referrers and user agents. Complex versions may use a large number of attacking IP addresses, and target random URLs using random referrers and user agents.
Protocol Attack
Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers.
Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.

Figure 2: Protocol attack Example
SYN flood
A SYN flood is like a worker in a supply room receiving requests from the front of the store.
The worker receives a request, goes to get the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation until they can carry no more packages, become overwhelmed, and requests start going unanswered. This attack exploits the TCP handshake, the sequence of communications by which two computers initiate a network connection, by sending the target a large number of TCP "Initial Connection Request" SYN packets with spoofed source IP addresses.
The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target's resources in the process.
Volumetric attacks
This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.
Part (b)
There are different defence challenges in DDoS, including:
- Complex and diverse attacks: 48%
Cybersecurity specialists and researchers have identified 35 different types of DDoS attacks.
- Broader protection against DDoS attacks: 39%
- Attacks from many places: 37%
- Manual intervention requirement: 34%
- Cost-prohibitive usage: 33%
- Inability to integrate different capabilities: 32%
- Lack of granular control for more agile response: 29%
1. Develop a Denial of Service Response Plan
Develop a DDoS prevention plan based on a thorough security assessment. Unlike smaller companies, larger organisations may require complex infrastructure and the involvement of multiple teams in DDoS planning.
When a DDoS attack hits, there is no time to think about the best steps to take. They need to be defined in advance to enable prompt reactions and avoid any impact.
Developing an incident response plan is the critical first step toward a comprehensive defence strategy. Depending on the infrastructure, a DDoS response plan can get quite exhaustive. The first step you take when a malicious attack happens can define how it will end. Make sure your data centre is prepared and your team knows their responsibilities. That way, you can minimise the impact on your business and save yourself a long period of recovery.
The key elements remain the same for any company, and they include:
Systems checklist. Develop a full list of assets you should implement to ensure that advanced threat identification, assessment and filtering tools, as well as security-enhanced hardware and software-level protection, are in place.
Form a response team. Define responsibilities for key team members to ensure an organised reaction to the attack as it happens.
Define notification and escalation procedures. Make sure your team members know exactly whom to contact in case of an attack.
Include the list of internal and external contacts who should be informed about the attack. You should also develop communication strategies with your customers, cloud service provider, and any security vendors.
2. Secure Your Network Infrastructure
Mitigating network security threats can only be achieved with multi-level protection strategies in place.
This includes advanced intrusion prevention and threat management systems, which combine firewalls, VPN, anti-spam, content filtering, load balancing, and other layers of DDoS defence techniques. Together they enable constant and consistent network protection to prevent a DDoS attack from happening. This covers everything from identifying possible traffic inconsistencies with the highest level of precision to blocking the attack.
Most standard network equipment comes with limited DDoS mitigation options, so you may want to outsource some of the additional services. With cloud-based solutions, you can access advanced mitigation and protection resources on a pay-per-use basis. This is an excellent option for small and medium-sized businesses that may want to keep their security budgets within projected limits.
Furthermore, you should also make sure your systems are up to date. Outdated systems are usually the ones with the most loopholes. Denial of Service attackers find holes. By regularly patching your infrastructure and installing new software versions, you can close more doors to the attackers.
Given the complexity of DDoS attacks, there is hardly a way to defend against them without appropriate systems to identify anomalies in traffic and provide an immediate response. Backed by secure infrastructure and a battle plan, such systems can minimise the threat. More than that, they can bring the required peace of mind and confidence to everyone from a system administrator to the CEO.
3. Practice Basic Network Security
The most basic countermeasure to preventing DDoS attacks is to allow as little user error as possible.
Engaging in strong security practices can keep business networks from being compromised. Secure practices include complex passwords that change regularly, anti-phishing methods, and secure firewalls that allow little outside traffic. These measures alone will not stop DDoS, but they serve as a critical security foundation.
4. Maintain Strong Network Architecture
Focusing on a secure network architecture is vital to security. Businesses should create redundant network resources; if one server is attacked, the others can handle the extra network traffic. Where possible, servers should be located in different places geographically. Spread-out resources are more difficult for attackers to target.
5. Leverage the Cloud
Outsourcing DDoS prevention to cloud-based service providers offers several advantages. First, the cloud has far more bandwidth and resources than a private network likely does. With the increased magnitude of DDoS attacks, relying solely on on-premises hardware is likely to fail.
Second, the nature of the cloud means it is a diffuse resource. Cloud-based applications can absorb harmful or malicious traffic before it ever reaches its intended destination. Third, cloud-based services are operated by software engineers whose job consists of monitoring the Web for the latest DDoS tactics.
Deciding on the right environment for data and applications will differ among companies and industries. Hybrid environments can be convenient for achieving the right balance between security and flexibility, especially with vendors providing tailored solutions.
7. Consider DDoS-as-a-Service
DDoS-as-a-Service provides improved flexibility for environments that combine in-house and third-party resources, or cloud and dedicated server hosting.
At the same time, it ensures that all the security infrastructure components meet the highest security standards and compliance requirements. The key advantage of this model is the ability to tailor the security architecture to the needs of a particular company, making high-level DDoS protection available to businesses of any size.
Part (c)
It is extremely hard to distinguish between normal traffic and the real attack.
Mitigation efforts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. To overcome a complex attempt at disruption, a layered solution will give the greatest benefit.
Blackhole routing
One solution available to virtually all network administrators is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or blackhole, and dropped from the network.
If an Internet property is experiencing a DDoS attack, the property's Internet service provider (ISP) may send all the site's traffic into a blackhole as a defence. This is not an ideal solution, as it effectively gives the attacker their desired goal: it makes the network inaccessible.
Rate limiting
Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks.
While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively.
Nevertheless, rate limiting is a useful component in an effective DDoS mitigation strategy. Learn more about Cloudflare's rate limiting.
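Rate limiting and its stated limitation, shown in code as an added example that is not part of the original submission: a per-source sliding-window limiter (constructed here; limit, window and addresses are assumptions) throttles one source sending 100 requests in a second, but lets 100 requests through untouched when they are spread over 50 sources that each stay under the limit, which is the distributed case the text says rate limiting alone cannot handle.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per source within any `window_seconds` span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)  # source -> timestamps still inside the window

    def allow(self, source, now):
        q = self.history[source]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def run(log, limiter):
    """Replay a constructed (time, source) log through the limiter; return (allowed, blocked)."""
    allowed = blocked = 0
    for ts, source in sorted(log):
        if limiter.allow(source, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def demo():
    """Constructed logs: one noisy source versus the same volume spread across 50 sources."""
    single_source = [(i * 0.01, "10.0.0.1") for i in range(100)]
    distributed = [(i * 0.02, "198.51.100.%d" % i) for i in range(50)]
    distributed += [(0.5 + i * 0.02, "198.51.100.%d" % i) for i in range(50)]
    return {
        "single": run(single_source, SlidingWindowLimiter(max_requests=10, window_seconds=1.0)),
        "distributed": run(distributed, SlidingWindowLimiter(max_requests=10, window_seconds=1.0)),
    }


if __name__ == "__main__":
    print(demo())
```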
Web application firewall
A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.
By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack. Learn more about Cloudflare's WAF.
Anycast network diffusion
This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network.
Like channelling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability.
The reliability of an Anycast network in mitigating a DDoS attack depends on the size of the attack and the size and efficiency of the network. An important part of the DDoS mitigation implemented by Cloudflare is the use of an Anycast distributed network.
Part (d)
1. Develop a Denial-of-Service Response Plan
Develop a DDoS prevention plan based on a thorough security assessment. Unlike smaller companies, larger organisations may require complex infrastructure and the involvement of multiple teams in DDoS planning.
Developing an incident response plan is the critical first step toward a comprehensive defence strategy. Depending on the infrastructure, a DDoS response plan can get quite exhaustive. The first step you take when a malicious attack happens can define how it will end. Make sure your data centre is prepared and your team knows their responsibilities. That way, you can minimise the impact on your business and save yourself a long period of recovery.
The key elements remain the same for any company, and they include:
Systems checklist. Develop a full list of assets you should implement to ensure that advanced threat identification, assessment and filtering tools, as well as security-enhanced hardware and software-level protection, are in place.
Form a response team. Define responsibilities for key team members to ensure an organised reaction to the attack as it happens.
Define notification and escalation procedures. Make sure your team members know exactly whom to contact in case of an attack.
Include the list of internal and external contacts who should be informed about the attack. You should also develop communication strategies with your customers, cloud service provider, and any security vendors.
2. Secure Your Network Infrastructure
Mitigating network security threats can only be achieved with multi-level protection strategies in place. This means advanced intrusion prevention and threat management systems that combine firewalls, VPN, anti-spam, content filtering, load balancing and other layers of DDoS defence techniques, covering everything from identifying traffic anomalies with a high level of accuracy to blocking the attack.
3. Practice Basic Network Security
The most basic countermeasure to preventing DDoS attacks is to allow as little user error as possible.
Engaging in strong security practices can keep business networks from being compromised. Secure practices include complex passwords that change regularly, anti-phishing methods, and secure firewalls that allow little outside traffic. These measures alone will not stop DDoS, but they serve as a critical security foundation.
4. Maintain Strong Network Architecture
Focusing on a secure network architecture is vital to security. Businesses should create redundant network resources; if one server is attacked, the others can handle the extra network traffic. Where possible, servers should be located in different places geographically. Spread-out resources are more difficult for attackers to target.
5. Leverage the Cloud
Outsourcing DDoS prevention to cloud-based service providers offers several advantages. First, the cloud has far more bandwidth and resources than a private network likely does. With the increased magnitude of DDoS attacks, relying solely on on-premises hardware is likely to fail.
Second, the nature of the cloud means it is a diffuse resource. Cloud-based applications can absorb harmful or malicious traffic before it ever reaches its intended destination. Third, cloud-based services are operated by software engineers whose job consists of monitoring the Web for the latest DDoS tactics.
Deciding on the right environment for data and applications will differ among companies and industries. Hybrid environments can be convenient for achieving the right balance between security and flexibility, especially with vendors providing tailored solutions.
6. Understand the Warning Signs
Some symptoms of a DDoS attack include network slowdown, spotty connectivity on a company intranet, or intermittent website shutdowns. No network is perfect, but if a lack of performance seems to be prolonged or more severe than usual, the network is probably experiencing a DDoS and the company should take action.
7. Consider DDoS-as-a-Service
DDoS-as-a-Service provides improved flexibility for environments that combine in-house and third-party resources, or cloud and dedicated server hosting.
At the same time, it ensures that all the security infrastructure components meet the highest security standards and compliance requirements. The key advantage of this model is the ability to tailor the security architecture to the needs of a particular company, making high-level DDoS protection available to businesses of any size.