COMP90073 Security Analytics University of Melbourne 2022

School of Computing and Information Systems
The University of Melbourne

COMP90073 Security Analytics, Semester 2 2022

Project 1: Detecting cyberattacks in network traffic data

Release: Tue 2 Aug 2022
Due: 1pm, Tue 23 Aug 2022
Marks: The Project will contribute 15% of your overall mark for the subject. You will be assigned a mark out of 15, according to the criteria below.

Overview

In this project, you are given a network traffic dataset and should use Splunk to identify cyberattacks by leveraging the analytics capabilities of this software. The aim is to strengthen your skills in analysing traffic patterns and identifying their changes over time, which might be signs of suspicious activities. In searching for the evidence of cyberattacks, and hunting the attack sources and targets, you will develop the practical security incident investigation skills and mindset of a real-world Cyber Security Analyst. In addition, you will skill up in tracing attacks back in time to create an attack narrative (when the attack was started, the attacker(s), the victim(s) and the type of attack). Then generating and extracting significant patterns/features of detected attacks will pave the way for the next project, which is heavily machine learning focused. Lastly, you will develop your skills as a Cyber Defender by proposing countermeasures to detect/mitigate similar attacks in the future.

You will write a technical report on your findings, and your proposal on how the identified attack patterns and evidence can be used to detect and mitigate similar cyberattacks in future.

Deliverables

A technical report that describes your methodology for

1. Ingesting the given pcap file into Splunk (1 mark)

   Note: If you fail to ingest the pcap file after multiple attempts, you can ask your Tutor for a copy of the indexed file “.pcap.csv”. Then copy the file to this directory: “$SPLUNK_HOME/etc/apps/SplunkForPCAP/PCAPcsv/”. Please use this as a last resort only. Before asking for the indexed file, please be prepared to lose the mark for this deliverable, and you will have to explain what steps you’ve taken to troubleshoot the issue.

2. Analysing the data using Splunk, validating the evidence of the following attack scenarios contained in the given pcap file. You can use either Splunk Search or the PCAP Analyzer Dashboard where applicable; new field extraction may be required if you are using Splunk Search.


   2.1 SPAM (2 marks). In this dataset, a large number of spam emails were sent by infected hosts. You need to identify:

       a. The IP addresses of all the infected hosts that sent out spam emails (Hint: search by protocol with the keyword “RCPT”)

       b. The start and end time, and the first and last recipients (email addresses) of the email spam (Remember to add the time zone in your answer)

   2.2 ClickFraud (2 marks).

       a. Calculate the number of ClickFraud requests that have been made to the “www.universehome.com” website, and the URI strings which were used (Hint: you will need to get the IP address of the website first)

       b. List the start and end time

   2.3 IRC (2 marks).

       a. Identify all the IRC servers (IP addresses) and the number of POST requests received by each IRC server from the infected machines. (Hint: search by protocol or port number)

       b. List the start and end time

3. Evaluating the consequences of the attacks on the targeted network (Hint: the targeted network is the one the infected system belongs to; evaluate the impact using the CIA triad) (1 mark)

4. Generating and extracting the significant patterns/features for the attack scenarios above, e.g., “src_IP+src_Port” can be a significant pattern to detect Flooding DDoS attacks (2 marks)

5. Assuming you are the Cybersecurity Analyst who is part of the Incident Response team, and you’ve been given the green light to put in any controls to mitigate this attack. You can safely ignore any business impact as the priority is to contain the current attack. Please propose your countermeasures to detect/mitigate the above attack scenarios, using evidence and patterns in deliverables #2 and #4 (2 marks)
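An added illustration of the field extraction that deliverable 2.1 asks for, written as a stand-alone Python script rather than an SPL search; it is not part of the project spec or of Splunk. The CSV column names (ts, src_ip, dst_ip, dst_port, payload) and the sample rows are constructed assumptions, since the spec does not list the columns of the indexed .pcap.csv, and the AEST offset is assumed for the reported time zone.

```python
"""Spam evidence from packet records: the 'RCPT' field-extraction hint in deliverable 2.1.
Added example, not part of the project spec or of Splunk; the column names and
sample rows below are constructed assumptions, not the real .pcap.csv layout."""
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: epoch seconds, source/destination, port and decoded payload.
SAMPLE_CSV = """ts,src_ip,dst_ip,dst_port,payload
1660800000,10.0.0.5,203.0.113.25,25,RCPT TO:<alice@example.org>
1660800003,10.0.0.5,203.0.113.25,25,RCPT TO:<bob@example.org>
1660800010,10.0.0.9,198.51.100.7,25,RCPT TO:<carol@example.net>
1660800020,10.0.0.9,198.51.100.7,25,DATA
1660800030,10.0.0.7,203.0.113.80,80,GET /index.html HTTP/1.1
"""

# Field extraction: the recipient address inside an SMTP "RCPT TO:<...>" command.
RCPT_RE = re.compile(r"RCPT TO:\s*<?([^<>\s]+)>?", re.IGNORECASE)

# Report times in an explicit zone (the spec asks for the time zone in the answer).
MELBOURNE = timezone(timedelta(hours=10), "AEST")  # assumed offset


def spam_summary(csv_text, tz=MELBOURNE):
    """Return the spamming hosts, the spam run's start/end and its first/last recipient."""
    hits = []  # (timestamp, sender IP, recipient) for every RCPT command seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = RCPT_RE.search(row["payload"])
        if match:
            hits.append((int(row["ts"]), row["src_ip"], match.group(1)))
    if not hits:
        return None
    hits.sort()  # chronological order, so [0] and [-1] bound the spam run

    def stamp(epoch):
        return datetime.fromtimestamp(epoch, tz).isoformat()

    return {
        "infected_hosts": sorted({src for _, src, _ in hits}),
        "start": stamp(hits[0][0]),
        "end": stamp(hits[-1][0]),
        "first_recipient": hits[0][2],
        "last_recipient": hits[-1][2],
        # RCPT count per source host: a candidate per-host feature for deliverable 4
        "rcpt_per_host": dict(Counter(src for _, src, _ in hits)),
    }
```

Rows whose payload carries no RCPT command (the DATA and HTTP lines) are ignored, so only hosts that actually attempted a delivery are reported as infected.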

Technical Report

A technical report of no more than 2500 words in PDF format, comprising:

1. A data description and a summary of detected attacks, including the IP addresses of attackers and victims, the attacked services, the timestamp, and the type of the attack per attack scenario.
2. Methodology of analysis to find evidence of cyberattacks in the network traffic data.
3. Description of each attack and the attack narrative.
4. Possible approaches for extracting features (fields) and a summary of your approach.
5. Proposed countermeasures per attack scenario.
6. Conclusions

You should include a bibliography and citations to relevant research papers and external resources and code you have used (these will not be counted in the word limit).


Assessment Criteria

Report (15 marks out of 15)

1. Methodology: (7 marks)

   You will describe your methodology in a manner that would make your work reproducible. You should describe in detail how you have detected the cyberattacks using Splunk search capabilities: the exact SPL commands you ran and the corresponding generated results, or the dashboards you used in the pcap app (PCAP Analyzer) and the corresponding data and generated results. Your approach to model patterns in data and detect changes in them for identifying cyberattacks should be clearly explained. The description of your proposed countermeasures should include reasons for choosing them based on the types of attacks you have detected. You should not use a network traffic feature generator as a black box without explaining the reasons for extracting the reported features.

2. Critical Analysis: (5 marks)

   You should validate the evidence you have found in the data for proving that a certain type of attack has happened. The attack narrative should specify the time of start and end of the attack and the consequences of the attack on the victim network.[1] You should identify other types of data that could be collected to more accurately and effectively detect/mitigate the identified cyberattacks.

   [1] We validate your findings with our ground truth, and you lose marks for identifying non-anomalous traffic as an anomaly and vice versa.

3. Report Quality: (3 marks)

   You will produce a formal report and express your methodology and findings concisely and clearly. The quality and description of figures and tables should be acceptable. In real-world scenarios, this report will have a range of audiences in a company. Thus, it should be structured such that a summary of the findings is available for managers and the non-technical audience, while the attack narratives include technical details for other analysts who may read your report.

Note: The first two criteria focus on the correctness of your solutions to the five deliverables, while the third criterion is about whether your results are presented in a clear manner.

Description of the Data

The dataset for Project 1 (download link) includes a packet capture (pcap) file of network traffic for a network that was the victim of cyberattacks. This file was captured on the interfaces of virtual machines being infected by malware, and contains attacks including but not limited to the three scenarios listed in the Deliverables section. It also contains normal traffic prior to malware infection. This enables you to compare the patterns in data from normal operation (before infection) and post infection to identify the attacks that occurred.

Changes/Updates to the Project Specifications

If we require any changes or clarifications to the project specifications, they will be posted on the LMS. Any addendums will supersede information included in this document.


Academic Misconduct

For most people, collaboration will form a natural part of the undertaking of this project. However, it is still an individual task, and so reuse of ideas or excessive influence in algorithm choice and development will be considered cheating. We will be checking submissions for originality and will invoke the University’s Academic Misconduct policy (http://academichonesty.unimelb.edu.au/policy.html) where inappropriate levels of collusion or plagiarism are deemed to have taken place.

Late Submission Policy

You are strongly encouraged to submit by the time and date specified above; however, if circumstances do not permit this, then the marks will be adjusted as follows. For each day (or part thereof) that this project is submitted after the due date (and time) specified above, 10% will be deducted from the marks available, up until 5 days have passed, after which regular submissions will no longer be accepted.

Extensions

If you require an extension, please email Mark (yujing.jiang@unimelb.edu.au) using the subject ‘COMP90073 Extension Request’ at the earliest possible opportunity. We will then assess whether an extension is appropriate. If you have a medical reason for your request, you will be asked to provide a medical certificate. Requests for extensions on medical grounds received after the deadline may be declined. Note that computer systems are often heavily loaded near project deadlines, and unexpected network or system downtime can occur. Generally, system downtime or failure will not be considered as grounds for an extension. You should plan ahead to avoid leaving things to the last minute, when unexpected problems may occur.

