Cyber Vulnerabilities and Data Analytics (MN623 Assessment-3) Assignment Help
Assignment Description
The assignment has two parts.
Part I: Group Report
Part II: Video Demonstration
Submission Guidelines:
1) Write a group report on the topics listed in Part I.
2) Make a group video demonstration of three cyber security tools used in preparing the group report.
3) Length of Video: The total length of the video presentation should not be more than 9 minutes (marks will be deducted for longer presentations).
Note: Put the link to your group video demonstration on the cover page of your Group Report.
Part I – Finding Cyber Vulnerabilities (70 Marks)
Task Description and Questions
After implementing the Part I tasks and questions, take screenshots of your work and provide commentary for each. You will create a report based on the following tasks using the vulnerable virtual machines (vulnerable_vm), including Metasploitable2, DVWA, Mutillidae, and the OWASP Broken Web Applications Project (OWASP BWA). You may also use OWASP Mantra as your web browser to conduct the tests.
• Metasploitable2 is a vulnerable virtual machine designed for practicing penetration testing and gaining unauthorized access to systems.
• Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application intentionally made vulnerable. It is divided into sections that focus on different types of vulnerabilities, with lessons and guidelines on how to exploit them.
• OWASP Mutillidae is a free, open-source, deliberately vulnerable web application used for web-security training. It offers numerous vulnerabilities and hints, making it an ideal environment for labs, security enthusiasts, classrooms, Capture the Flag (CTF) events, and vulnerability assessment tool testing.
• OWASP Broken Web Applications (BWA) Project provides a collection of vulnerable web applications designed for security testing.
Tasks and Questions:
1. Using the Hackbar Add-on for Parameter Probing:
o How can the Hackbar add-on be utilized to streamline parameter probing during security assessments? (Demonstrate using the SQL injection vulnerability in DVWA).
2. Request Viewing and Alteration with ZAP:
o How does ZAP facilitate the viewing and alteration of requests to identify potential vulnerabilities? (Demonstrate using Mutillidae).
3. Capabilities of Burp Suite in Security Assessments:
o What are the capabilities of Burp Suite in viewing and altering requests, and how does it contribute to security assessments? (Demonstrate using Mutillidae).
4. Techniques for Identifying Cross-Site Scripting (XSS) Vulnerabilities:
o What techniques are employed in identifying XSS vulnerabilities during security evaluations? (Demonstrate using DVWA).
5. Identifying and Mitigating Error-Based SQL Injection Vulnerabilities:
o How can error-based SQL injection vulnerabilities be identified and mitigated during security assessments? (Demonstrate using DVWA).
6. Detecting Blind SQL Injection Vulnerabilities:
o What methods are utilized to detect blind SQL injection vulnerabilities, and what are the associated risks? (Demonstrate using DVWA).
7. Identifying and Addressing Cookie Vulnerabilities:
o How are vulnerabilities in cookies identified and addressed to enhance web application security? (Demonstrate using Mutillidae).
8. Analyzing SSL/TLS Configurations with SSLScan:
o What information can be obtained about SSL and TLS configurations using SSLScan, and how does it contribute to security assessments? (Demonstrate using OWASP BWA).
9. Approaches for Detecting File Inclusion Vulnerabilities:
o What approaches are employed in searching for file inclusions as part of security evaluations? (Demonstrate using DVWA).
10. Identifying and Mitigating the POODLE Vulnerability:
o How is the POODLE vulnerability identified and mitigated to enhance the security posture of web applications? (Use the provided script from this link).
11. Reporting Defenses Against Cyber Vulnerabilities:
o Suggest and report defenses against the cyber vulnerabilities identified and exploited from points 1 to 10.
12. Data Analysis on Selected Datasets:
o Demonstrate your data analytic skills on any three datasets available at Fordham University’s Data Mining Datasets.
13. Classification and Evaluation Using Recent Datasets:
o Select a recent dataset from either:
• IoT-23 Dataset
• LITNET Dataset
o Load the selected dataset into Weka or a tool of your choice, then follow these steps:
i. Select the relevant features with rationale (using external references or your own reasoning).
ii. Create training and testing data samples.
iii. Classify the network intrusion provided in the sample data.
iv. Evaluate the performance of the intrusion detection using available tools and technologies (e.g., confusion matrix).
References:
For additional information and to complete Task 13, refer to the following studies:
1. Damasevicius, R., Venckauskas, A., Grigaliunas, S., Toldinas, J., Morkevicius, N., Aleliunas, T., & Smuikys, P. (2020). LITNET-2020: An annotated real-world network flow dataset for network intrusion detection. Electronics, 9(5), 800.
2. Larriva-Novo, X., Villagrá, V. A., Vega-Barbas, M., Rivera, D., & Sanz Rodrigo, M. (2021). An IoT-Focused Intrusion Detection System Approach Based on Preprocessing Characterization for Cybersecurity Datasets. Sensors, 21(2), 656.
3. Tait, K.-A., Khan, J. S., Alqahtani, F., Shah, A. A., Khan, F. A., Rehman, M. U., Boulila, W., & Ahmad, J. (2021). Intrusion Detection using Machine Learning Techniques: An Experimental Comparison. arXiv preprint arXiv:2105.13435.
Part II: Video Demonstration (30 Marks)
1. Make a group video demonstration of three cyber security tools used in preparing the group report.
The marks distribution for this section includes marks for Implementation and Demonstration, Presentation Teamwork and Collaboration, Demo and Viva.
Note:
If you are using the dataset at a) for your research, please reference it as “Stratosphere Laboratory. A labeled dataset with malicious and benign IoT network traffic. January 22. Agustin Parmisano, Sebastian Garcia, Maria Jose Erquiaga.”
For referencing purposes, students can find “IEEE-Reference-Guide.pdf” in the Assignments folder after logging into their MOODLE account.
Marking criteria for Assignment 3:
Example Marking Rubric for Assignment 3