Assessment Information
SIT716: COMPUTER NETWORKS AND SECURITY
Assessment 1d: Bi-weekly Report (Weeks 7-8)
KEY INFORMATION
Due: Sunday May 9th by 8pm
Weight: 6% of total mark for this unit
Approximate length: 1 to 2 pages [1]
Individual Assessment
PURPOSE
Short answer questions to assess and reinforce learning of the concepts of Weeks 7-8 by
exploring telemetry data for detecting attacks/compromise.
TASK(S)
Network managers must be vigilant in monitoring for malicious activity and in keeping software
up to date, as evidenced recently by the vulnerabilities discovered in Microsoft Exchange, which
were subsequently exploited by attackers. Consider two scenarios in which an attacker could
gain the ability to download email from an organisation's server (data exfiltration):
1. An attacker successfully exploits a vulnerability that allows them to modify the email
web portal application code. As a result, the attacker can now download any email sent
to any user on the system by using manually constructed URLs, e.g.,
• http://mail.victim.com/hiddenhack/user/index
• http://mail.victim.com/hiddenhack/user/get/messageid
2. An attacker successfully exploits a vulnerability that allows them to gain access to an
interactive root shell (privileged user shell) on the mail server. Using this access, the
attacker installs a program that quietly scans emails in the background, then forwards
emails of interest to the attacker. To help prevent detection, the attacker doesn't
forward the emails directly; instead, the emails are forwarded to a non-existent user, causing
them to bounce to an attacker-controlled email address, i.e.,
• From: hackerbot@hackedsite.com
• To: nosuchuser@victim.com
For each scenario, identify a piece of telemetry data obtained through SNMP, IPFIX, or a custom
data source that, if monitored, would allow the attack to be discovered, and explain how the
attack would be identified. You may not identify the same telemetry data for both attacks.
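As an added illustration of the kind of telemetry the task asks for, the script below is example code written for this page; it is not part of the assessment brief and not a model answer. It uses a different custom data source for each scenario: a web-portal access log for scenario 1 (code planted in the portal answers on routes the deployed application never served) and the mail server's own delivery log for scenario 2 (the server has no reason to submit mail locally on behalf of an external sender, let alone repeatedly to a local user who does not exist). The hostnames, URL paths and addresses come from the scenarios above; the log formats, client IPs, the route allowlist and the local domain are assumptions, and every log line is a constructed sample.

```python
import re
from collections import Counter, defaultdict

# --- Scenario 1: web-portal access log (custom data source) ------------------
# Assumed line format: <client ip> "<method> <path> <proto>" <status>
# Constructed sample: one ordinary user, one client hitting the planted routes.
WEB_ACCESS_LOG = """\
203.0.113.7 "GET /mail/inbox HTTP/1.1" 200
203.0.113.7 "GET /mail/get/1042 HTTP/1.1" 200
198.51.100.9 "GET /hiddenhack/user/index HTTP/1.1" 200
198.51.100.9 "GET /hiddenhack/user/get/1001 HTTP/1.1" 200
198.51.100.9 "GET /hiddenhack/user/get/1002 HTTP/1.1" 200
198.51.100.9 "GET /hiddenhack/user/get/1003 HTTP/1.1" 200
203.0.113.8 "GET /mail/login HTTP/1.1" 200
203.0.113.8 "GET /favicon.ico HTTP/1.1" 404
"""

# Assumed allowlist: the routes the deployed portal is known to serve.
ALLOWED_PREFIXES = ("/mail/", "/static/")

ACCESS_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" (\d{3})$')


def detect_unexpected_web_paths(log_text, allowed_prefixes=ALLOWED_PREFIXES):
    """Map client IP -> Counter of successfully served paths outside the allowlist.

    A 200 response on a route the application never had is the signal. Regular
    users only reach allowlisted routes, and probes for missing files get a 404,
    so neither is flagged."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if status == "200" and not path.startswith(allowed_prefixes):
            hits[ip][path] += 1
    return dict(hits)


# --- Scenario 2: MTA delivery log (a second, different custom data source) -----
# Assumed simplified format: client=<submitting host> from=<..> to=<..> status=<..>
# Constructed sample: normal mail, the forwarder's bounced submissions, an
# internal typo, and an inbound message to a departed user.
MTA_LOG = """\
client=localhost from=<alice@victim.com> to=<bob@partner.example> status=sent
client=localhost from=<hackerbot@hackedsite.com> to=<nosuchuser@victim.com> status=bounced
client=localhost from=<hackerbot@hackedsite.com> to=<nosuchuser@victim.com> status=bounced
client=localhost from=<hackerbot@hackedsite.com> to=<nosuchuser@victim.com> status=bounced
client=localhost from=<carol@victim.com> to=<typo@victim.com> status=bounced
client=mx.shop.example from=<news@shop.example> to=<gone@victim.com> status=bounced
"""

MTA_RE = re.compile(r'client=(\S+) from=<([^>]*)> to=<([^>]*)> status=(\w+)')
LOCAL_DOMAIN = "victim.com"  # assumed local mail domain


def detect_bounce_relay(log_text, local_domain=LOCAL_DOMAIN, threshold=2):
    """Return {(sender, recipient): count} for bounced messages submitted on the
    mail server itself (client=localhost) with an external sender address and a
    local recipient, once the count reaches threshold.

    That combination is what turns a bounce into a delivery channel: the NDR,
    carrying the original message, goes back to the external "From". Typos by
    internal users (internal From) and bounces of inbound mail (remote client)
    are left alone so ordinary bounce noise does not alert."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MTA_RE.search(line)
        if not m:
            continue
        client, sender, rcpt, status = m.groups()
        sender_domain = sender.rpartition("@")[2]
        if (status == "bounced" and client == "localhost"
                and sender_domain != local_domain
                and rcpt.endswith("@" + local_domain)):
            counts[(sender, rcpt)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for ip, paths in detect_unexpected_web_paths(WEB_ACCESS_LOG).items():
        print(f"scenario 1: {ip} served {sum(paths.values())} requests on unknown routes: {sorted(paths)}")
    for (sender, rcpt), n in detect_bounce_relay(MTA_LOG).items():
        print(f"scenario 2: {n} local submissions from {sender} to nonexistent {rcpt} bounced")
```

Both detectors deliberately key on something regular traffic to and from the mail server does not produce (unknown routes returning 200; locally submitted mail from a foreign domain), which is the distinction the marking criteria ask for. The thresholds and allowlist would need tuning against a real server's baseline.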
[1] Approximate length is only an estimate and does not include title page, contents page, references, or
illustrations, i.e., the length is indicative of the text of your answer only. Indicated length is based on sensible
settings, e.g., 2cm margins, 12 point font, reasonable spacing. Whilst there is no penalty for an over-sized answer,
note that excessively large answers are likely to lack clarity and can even demonstrate a lack of understanding.
SUBMISSION DETAILS
Your answers should be submitted via CloudDeakin to the TurnItIn-enabled Assignment Folder
for the Assignment 1d - Weeks 7-8 Bi-Weekly Report. Your answers to each question and sub-
question must be clearly identified in your submission. Acceptable file formats are Word
documents, PowerPoint documents, PDF documents, text and rich text files, and HTML.
Compressed files, such as ZIP files or RAR files are not accepted and will not be marked.
After submitting your assignment you should receive an email to your Deakin email address
confirming that it has been submitted. You should check that you can see your assignment in
the Submissions view of the Assignment folder after upload, and check for, and keep, the email
receipt for the submission.
ACADEMIC MISCONDUCT
Academic misconduct and plagiarism are subject to penalties.
Plagiarism includes, but is not limited to:
• Copying others’ work without appropriate referencing
• Re-using assignment material completed by other students
• Contracting others to do assessment tasks on your behalf.
https://www.deakin.edu.au/students/study-support/referencing/academic-integrity
LEARNING OUTCOMES
This assignment assesses the following Graduate Learning Outcomes (GLO) and related Unit
Learning Outcomes (ULO):
Graduate Learning Outcome (GLO):
GLO1: You will be required to work with content relevant to computer networks, network security, and the IT discipline in general.
Unit Learning Outcomes (ULO):
ULO1: You will be required to explain the architecture and operation of computer networks, security attacks, and defensive measures.
ULO2: You will be required to explain normal and abnormal behaviour of network protocols.
ULO3: You will be required to explain how cybersecurity activity can be identified.
EXTENSIONS
No extensions will be considered for this assessment unless a request is submitted through
CloudDeakin and approved by the Unit Chair (enter the SIT716 unit page and click Assessment ->
Extension request). Assignment extensions are normally only approved when students apply
before the due date. The Unit Chair may ask you to supply supporting documentation about the
difficulties you are facing, and evidence of the work you have completed so far.
A marking penalty will be applied where the assessment task is submitted after the due date
without an approved extension as follows:
a. 5% will be deducted from available marks for each day up to five days
b. where work is submitted more than five days after the due date, the task will not be
marked and the student will receive 0% for the task.
'Day' means working day for paper submissions and calendar day for electronic submissions.
(This assessment task uses electronic submission)
SIT716 Computer Networks and Security
Assessment 1d: Bi-Weekly Report (Weeks 7-8)
Marking levels: Advanced answer (4 marks); Clear answer (3 marks); Reasonable answer (2 marks); Flawed answer (1 mark); No merit (0 marks).

Task i, Criteria 1 (50%): Telemetry for discovering the first attack.
Advanced answer (4 marks): Valid telemetry data has been identified and a clear explanation of how the identified data would allow the attack to be discovered, while being distinguished from regular traffic to/from the mail server, has been provided.
Clear answer (3 marks): Valid telemetry data has been identified and a clear explanation of how the identified data would allow the attack to be discovered has been provided. There are no major misunderstandings or errors in the answer.
Reasonable answer (2 marks): Valid telemetry data has been identified and a basic explanation of how the attack would be discovered has been provided. Minor inaccuracies may be present in the answer.
Flawed answer (1 mark): Valid telemetry data has been identified; however, the explanation of how this data relates to the attack is clearly incomplete or only partially explained.
No merit (0 marks): Question not attempted, your explanation does not address the question, or your explanation is incorrect.

Task ii, Criteria 2 (50%): Telemetry for discovering the second attack.
Advanced answer (4 marks): Valid telemetry data has been identified and a clear explanation of how the identified data would allow the attack to be discovered, while being distinguished from regular traffic to/from the mail server, has been provided.
Clear answer (3 marks): Valid telemetry data has been identified and a clear explanation of how the identified data would allow the attack to be discovered has been provided. There are no major misunderstandings or errors in the answer.
Reasonable answer (2 marks): Valid telemetry data has been identified and a basic explanation of how the attack would be discovered has been provided. Minor inaccuracies may be present in the answer.
Flawed answer (1 mark): Valid telemetry data has been identified; however, the explanation of how this data relates to the attack is clearly incomplete or only partially explained.
No merit (0 marks): Question not attempted, your explanation does not address the question, or your explanation is incorrect.