Network Security Laboratory

The Network Security Laboratory of the Institute of Telecommunications is currently offering two laboratory exercises per year, mainly addressed to students of Electrical Engineering and Computer Science. The lab exercises are the following:

Introduction to IP Darkspace Analysis (NetSec)
Detection of Covert Channels (NetSec Advanced)
Application form to get access to exercises and lab documents

NetSec lab

Introduction to IP Darkspace Analysis (NetSec Lab)

Scanning attacks: one of the multiple traffic anomalies that are observable in the darkspace

The NetSec lab consists of a set of exercises for teaching network traffic anomaly detection to electrical engineering students. The lab explores basic methods for analyzing Internet Protocol (IP) traffic data destined to an unassigned IP address space (IP darkspace). The dataset is taken from the IP darkspace data collected by the Center for Applied Internet Data Analysis (CAIDA) from the UCSD Network Telescope, which monitors traffic to a large (/8) IP darkspace. An IP darkspace is a globally routable IP address segment with no active hosts. All traffic to an IP darkspace is unsolicited and unidirectional. Observing and analyzing darkspace traffic can facilitate study, analysis, and detection of network attacks and global incidents such as scanning, DDoS attacks, network outages, and misconfigurations.

For the NetSec lab version 2, an additional exercise was included to refresh students' knowledge of the TCP 3-Way Handshake. The TCP handshake exercise is taken from C. Sanders, Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, 2nd Edition, No Starch Press, 2011.

Objectives:

Students learn how to analyze and understand network traffic flows. They search for anomalies and suspicious imprints; furthermore, they learn how to present and interpret their scientific results. The lab is focused on two goals: to improve security-specific technical skills as well as general knowledge in statistical data analysis and data mining techniques.

Required software/tools:

Corsaro,
MATLAB/Octave,
Rapidminer,
Wireshark.

Material, documents and dataset:

Histograms of different Time to Live (TTL) values for a tiny portion of the darkspace. The displayed clusters identify different operating systems

Available on demand by filling in the application form.
– CAIDA Darkspace FlowTuple files.
– Perl and bash scripts for data preprocessing.
– Already processed aggregated time series in CSV format.
– Exercise sheet (pdf).
– Students’ report templates (doc and tex).
– Review questions (pdf).
– Evaluation criteria and report model (pdf).
– Exercise solver scripts.
– Lab Introduction and Closure sessions slides (pdf).
– Students’ feedback sheet (pdf).

Versions:

– NetSec lab v1.2014: Analysis of darkspace data for April 2012.
– NetSec lab v2.2014: Updated with Wireshark exercises about TCP Handshake. Analysis of darkspace data from 1st January 2012 to 30th June 2012.

Citation:

When using any material from the TU Wien NetSec lab, please always reference the following paper:

Zseby, T., Iglesias Vázquez, F., King, A., Claffy, K.C., “Teaching Network Security With IP Darkspace Data,” IEEE Transactions on Education, vol.59, no.1, pp.1-7, 2015
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7086349&isnumber=4358717

Disclaimer:

The Network Security group of TU Wien Institute of Telecommunications provides this material and data exclusively for the purpose of education and it shall not be used by any party for commercial gain. We do not accept any responsibility or liability whatsoever for use of the material and data provided.

 


Detection of Covert Channels (NetSec Advanced Lab)

Addressed mainly to electrical engineering students, the NetSec Advanced lab consists of three exercises that introduce the concept of covert channels in IP networks and teach students how to approach their detection through statistical analysis. The exercises are presented as a story in which students take the role of members of security staff and need to detect an intruder. First, they face the detection and decoding of a covert channel in an online communication (exercise 1); later, the exploration and analysis of multiple traffic captures in pcap format where covert channels are suspected (exercise 2); and, finally, they use bouncing covert channels as a counter-intelligence measure, digging into different network tools and techniques to make covert channels more difficult to detect and the sources more difficult to track (exercise 3).

Example of a timing covert channel

For the exercises, covert channels were generated with the Covert Channels Evaluation Framework (CCHEF), the original pcap files belong to NETRESEC, and exercise 3 is based on the example proposed by Joaquín Moreno in Security Art Work.

Objectives:

Students learn how to discover covert channels by analyzing the statistical properties of network traffic. They use different techniques based on univariate and bivariate analysis (histograms, multimodality, time series) that help them filter out irrelevant data and progressively isolate suspicious traffic. Students are free to deploy different tools (Wireshark, Rapidminer, MATLAB/Octave, scripting languages, spreadsheets), yet they are guided and encouraged to follow methodical and reasoned steps to solve the problem. Furthermore, they learn how to use different network communication tools such as tgn or netcat.
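As an added illustration of the univariate analysis described above (not part of the lab material or its scripts), the following sketch flags sources whose packet inter-arrival times form more than one histogram mode. The mode counter is a simple stand-in for a multimodality estimator; the bin width, the threshold, the source addresses and the sample traffic are all constructed assumptions.

```python
import random
from collections import Counter

def inter_arrival_times(timestamps):
    """Delays in seconds between consecutive packets of one source."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def count_modes(delays, bin_width=0.02, min_share=0.10):
    """Count histogram modes: runs of adjacent bins that each hold at
    least min_share of the samples, separated by sparser bins."""
    if not delays:
        return 0
    hist = Counter(int(d / bin_width) for d in delays)
    dense = sorted(b for b, n in hist.items() if n / len(delays) >= min_share)
    # A new mode starts whenever the next dense bin is not adjacent.
    return sum(1 for i, b in enumerate(dense) if i == 0 or b - dense[i - 1] > 1)

def suspicious_sources(flows, **kw):
    """Sources whose inter-arrival distribution has more than one mode."""
    return sorted(src for src, ts in flows.items()
                  if count_modes(inter_arrival_times(ts), **kw) > 1)

def sample_flows(seed=7, packets=200):
    """Constructed data: 10.0.0.5 sends at a jittered regular pace,
    10.0.0.9 has delays clustering around two distinct values."""
    rng = random.Random(seed)
    flows = {"10.0.0.5": [0.0], "10.0.0.9": [0.0]}
    for _ in range(packets):
        regular = flows["10.0.0.5"]
        regular.append(regular[-1] + rng.gauss(0.10, 0.005))
        bimodal = flows["10.0.0.9"]
        gap = rng.choice((0.05, 0.15)) + rng.gauss(0, 0.003)
        bimodal.append(bimodal[-1] + gap)
    return flows

if __name__ == "__main__":
    for src in suspicious_sources(sample_flows()):
        print("multimodal inter-arrival times:", src)
```

A multimodal result only narrows the search: bursty but legitimate applications can also produce several delay clusters, so flagged sources still need manual inspection of the capture.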

Material, documents and dataset:

Looking for suspicious sources by means of multimodality estimation algorithms

Available on demand by filling in the application form.
– Pcap files with included covert channels.
– Python and bash scripts for data pre-processing, analysis and malware simulation.
– Exercise sheet (pdf).
– Students’ report templates (doc and tex).
– Review questions (pdf).
– Evaluation criteria and report model (pdf).
– Lab Introduction and Closure sessions slides (pdf).
– Students’ feedback sheet (pdf).

Versions:

– NetSec Advanced lab v1.2014: 3 exercises.

Required software/tools:

Wireshark,
Rapidminer,
MATLAB/Octave (optional),
Scripting languages (optional),
Spreadsheets (optional).

Citation:

When using any material from the TU Wien NetSec Advanced lab, please always reference the following paper:

T. Zseby, F. Iglesias Vázquez, V. Bernhardt, D. Frkat, R. Annessi, “A Network Steganography Lab on Detecting TCP/IP Covert Channels,” in IEEE Transactions on Education, vol. 59, no. 3, pp. 224-232, Aug. 2016.
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7405338

Disclaimer:

The Network Security group of TU Wien Institute of Telecommunications provides this material and data exclusively for the purpose of education and it shall not be used by any party for commercial gain. We do not accept any responsibility or liability whatsoever for use of the material and data provided.

 


Application form to get access to exercises and lab documents
