I. Malicious Network Activity Report
• Malicious Network Activity Report: 8- to 10-page double-spaced Word document with citations; include figures, diagrams, and tables. APA format. The page count does not include figures, diagrams, tables, or citations.
Part 1: Create a Network Architecture Overview
Describe the various data transmission components, including User Datagram Protocol (UDP), Transmission Control Protocol/Internet Protocol (TCP/IP), Internet packets, IP address schemes, and well-known ports and applications.
As part of your assignment to report on prevention methods and remediation techniques for the
banking industry, you would have to travel to the various bank locations and gain access to their
networks. However, you must first understand the network architecture of these banks.
Provide a network architecture overview along with diagrams. Your overview can be
fictitious or based on an actual organization. The goal is to provide an understanding of the
Writing Plan (NB: all points mandatory)
Address the meaning and relevance of:
• The sender or source that transmits a message
• The encoder used to code messages
• The medium or channel that carries the message
• The decoding mechanisms used
• The receiver or destination of the messages
• Intrusion detection system (IDS)
• The intrusion prevention system (IPS)
• The firewalls that have been established
• The link between the operating systems, the software, and hardware components in the
network, firewall, and IDS that make up the network defense implementation of the banks’
• How banks use firewalls.
• How banks use IDSs
• The difference between these technologies
• The network infrastructure information
• The IP address schemes which will involve the IP addressing assignment model
• The public and private addressing and address allocations
• Identify potential risks in setting up the IP addressing scheme
• Any well-known ports and applications that are used
• The risks associated with those ports and applications being identified and possibly targeted
- User Datagram Protocol (UDP). “…User datagram protocol (UDP) is a connectionless
transport layer protocol that requires no handshaking process. Unlike transmission control
protocol (TCP), UDP transmits data without setting up a dedicated connection or verifying the
transmission with the receiver. Consequently, there is no guarantee that data packets are
delivered in the right order, or delivered at all.
However, UDP has low latency and is suitable for time-critical transmission where speed is more
important than reliability. Common applications of UDP include Domain Name System (DNS)
and Simple Network Management Protocol (SNMP).”
- Internet Packets – Data transmitted over the internet is broken into small pieces or packets. It
is faster and more secure to transfer several small packets, rather than one large message.
According to Severance (2015): The most important innovation that allowed messages to move
more quickly across a multi-hop network was to break each message into small fragments and
send each fragment individually. (p. 6)
Each packet is transmitted with the source and destination address, which routes it to the
intended destination. Since a large number of packets (from different sources) travel
simultaneously, each packet from a single sender may take a different route, and these packets
may not arrive at their destination in order.
Severance, C. (2015). Introduction to networking. http://do1.dr-chuck.net/net-intro/EN_us/netintro.pdf.
- IP Address Schemes – An Internet Protocol (IP) address is the unique network address given
to each device connected to the internet. The most popular versions of IP addresses are IPv4 and
IPv6. According to Ellingwood (2014): IPv4, which is the fourth version of the protocol,
currently is what the majority of systems support. The newer, sixth revision, called IPv6, is being
rolled out with greater frequency due to improvements in the protocol and the limitations of IPv4
address space. Simply put, the world now has too many internet-connected devices for the
amount of addresses available through IPv4.
Since “IPv6 provides for extended network address sizes of 128 bits, a substantial increase over
the 32-bits address sizes that are available with IPv4,” it can “handle the growth rate of the
internet and the demanding requirements of services, mobility, and end-to-end security for
network communications” (Radack, 2011).
Ellingwood, J. (2014). Understanding IP addresses, subnets, and CIDR notation for networking.
DigitalOcean. https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking.
Radack, S. (2011). Internet Protocol version 6 (IPv6): NIST guidelines help organizations
manage the secure deployment of the new network protocol. National Institute of Standards and
Technology. US Department of Commerce. http://csrc.nist.gov/publications/nistbul/January2011-
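As an added example (not from the assignment or its sources), a Python check over a constructed addressing plan for a hypothetical bank: it flags overlapping allocations and internal segments numbered outside RFC 1918 / IPv6 unique-local space, two risks an addressing-scheme review looks for, and computes the IPv4-to-IPv6 address-space ratio behind the 32-bit vs 128-bit figures quoted above. Segment names and CIDR blocks are invented.

```python
import ipaddress

# Constructed addressing plan for a hypothetical bank (not real data).
# Segment name -> CIDR allocation. Two defects are planted on purpose.
PLAN = {
    "HQ servers":  "10.0.0.0/22",
    "HQ tellers":  "10.0.4.0/22",
    "Branch 01":   "10.0.6.0/23",          # lies inside HQ tellers (10.0.4.0 - 10.0.7.255)
    "Branch 02":   "10.0.8.0/24",
    "ATM network": "172.16.0.0/24",
    "Guest Wi-Fi": "192.168.10.0/24",
    "Vendor link": "203.0.113.0/28",       # not RFC 1918 (TEST-NET-3 stands in for a public block)
    "HQ IPv6":     "fd12:3456:789a::/48",  # IPv6 unique local address space (fc00::/7)
}

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")


def is_private_space(net):
    """True if the allocation sits entirely inside RFC 1918 (IPv4) or ULA (IPv6) space."""
    pools = RFC1918 if net.version == 4 else [ULA]
    return any(net.subnet_of(p) for p in pools)


def review_plan(plan):
    """Return human-readable findings: overlapping blocks and non-private internal segments."""
    # strict=True rejects a CIDR whose host bits are set, a common typo in address plans
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    findings = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = nets[a], nets[b]
            # overlapping allocations make routing and firewall rules ambiguous
            if na.version == nb.version and na.overlaps(nb):
                findings.append(f"overlap: {a} ({na}) and {b} ({nb})")
    for name, n in nets.items():
        # internal segments on non-private space are exposed if a route or ACL leaks
        if not is_private_space(n):
            findings.append(f"non-private space: {name} ({n})")
    return findings


def address_space_ratio():
    """How many times larger the 128-bit IPv6 space is than the 32-bit IPv4 space (2**96)."""
    v6 = ipaddress.ip_network("::/0").num_addresses
    v4 = ipaddress.ip_network("0.0.0.0/0").num_addresses
    return v6 // v4


if __name__ == "__main__":
    for finding in review_plan(PLAN):
        print(finding)
```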
- Well-Known Ports and Applications – Port numbers are 16-bit numbers that identify the different applications and TCP/IP services reachable at an IP address. The port numbers are assigned by the Internet Assigned Numbers Authority (IANA) and divided into three ranges:
- well-known ports (from 0 to 1023);
- registered ports (from 1024 to 49151); and
- dynamic and/or private ports (from 49152 to 65535).
According to CCM Benchmark Group (2016):
Ports 0 to 1023 are the ‘well known ports’ or reserved ports. Generally speaking, they are
reserved for system processes (daemons) or programs executed by privileged users. A network
administrator can nevertheless link services to the ports of his choice.
Commonly used well-known ports include 21 (FTP), 25 (SMTP), 80 (HTTP) and 110 (POP3).
CCM Benchmark Group. (2016). Port/ports TCP/IP.
Port (Computer Networking). In Wikipedia. (n.d.). https://en.wikipedia.org/wiki
Part 2: Identify Network Attacks
Provide techniques for monitoring the identified attacks
Propose and describe a honeypot environment to lure hackers to the network and include the
following in your proposal:
• Explain how a honeypot environment is set up.
• Explain the security and protection mechanisms a bank would need for a
• Discuss some network traffic indicators that will tell you that your honeypot trap is working.
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security:
Guide to cyber threat information sharing: Special Publication 800-150, 2nd draft. National
Institute for Standards and Technology. http://csrc.nist.gov/publications/drafts/800-150/
Hoeper, K., & Chen, L. (2009). Recommendation for EAP methods used in wireless network
access authentication: Special Publication 800-120. National Institute of Standards and
Technology. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-120.pdf
Part 3: Identify False Positives and False Negatives
Writing Plan (mandatory):
• Identify what false positives and false negatives are.
• Discuss how false positives and false negatives are determined.
• Which is riskier to the health of the network, a false positive or a false negative?
• Describe your analysis about testing for false negatives and false positives using tools such as IDSs and firewalls, and include this as recommendations for the banks in your public service
• Discuss the concept of performing statistical analysis of false positives and false negatives.
• Explain how banks can reduce these issues. Research possible ways to reduce these events and include this information as recommendations in the Malicious Network Activity Report.
Network intrusion analysis is often done with a tool such as Snort. Snort is a free and open-source intrusion detection/prevention system. It is used for detecting and preventing malicious traffic and attacks on networks, for analysis, and for education. Such identification can be used to design signatures for the IDS, as well as to program the IDS to block this known bad

Network traffic analysis is often done using tools such as Wireshark. Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Cybersecurity professionals must know how to perform network forensics analysis.

False Positives and False Negatives.
A “false positive is an instance where an IDS incorrectly identifies a benign activity to be malicious, while a false negative occurs when the IDS fails to detect a malicious activity” (Duquea & bin Omar, 2015).

False positives and false negatives are important indicators for measuring an IDS’s accuracy and rate of detection. If the numbers of false positives and false negatives are high, the IDS can be considered inefficient because it may increase the work of network administrators.
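The statistical analysis the writing plan asks for, as an added example that is not part of the original notes: a constructed set of IDS results for a hypothetical bank is compared with the analyst's ground truth to tally true/false positives and negatives, derive false-positive rate, false-negative rate, precision and recall, and project those rates onto a day's traffic to show the administrator workload and missed attacks that the definitions above imply. Event descriptions, volumes and the attack fraction are invented.

```python
# Constructed sample of IDS results for one monitoring window at a hypothetical
# bank (not real data): each record is (description, actually_malicious, ids_alerted).
EVENTS = [
    ("SSH password guessing against branch jump host",        True,  True),
    ("Port sweep of the DMZ from an external address",        True,  True),
    ("Known exploit signature hit on online-banking web tier", True,  True),
    ("Beaconing to a command-and-control server over HTTPS",  True,  False),  # false negative
    ("Authorised vulnerability scan run by the IT team",      False, True),   # false positive
    ("Nightly backup replication between data centres",       False, False),
    ("Teller workstations fetching Windows updates",          False, False),
    ("Customer traffic to the online-banking portal",         False, False),
    ("Core-banking batch transfer to the clearing house",     False, False),
    ("Branch VoIP calls to the call centre",                  False, False),
]

def confusion_counts(events):
    """Tally the four outcomes of comparing IDS alerts with ground truth."""
    tp = fp = tn = fn = 0
    for _, malicious, alerted in events:
        if malicious and alerted:
            tp += 1   # true positive: real attack, alerted
        elif malicious:
            fn += 1   # false negative: real attack, missed
        elif alerted:
            fp += 1   # false positive: benign activity, alerted
        else:
            tn += 1   # true negative: benign activity, silent
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn}

def _ratio(num, den):
    return num / den if den else 0.0   # avoid division by zero when a class is empty

def ids_metrics(events):
    """False-positive rate, false-negative rate, precision and recall for the IDS."""
    c = confusion_counts(events)
    return {
        **c,
        "false_positive_rate": _ratio(c["fp"], c["fp"] + c["tn"]),  # share of benign events alerted
        "false_negative_rate": _ratio(c["fn"], c["fn"] + c["tp"]),  # share of attacks missed
        "precision": _ratio(c["tp"], c["tp"] + c["fp"]),            # share of alerts that were real
        "recall": _ratio(c["tp"], c["tp"] + c["fn"]),               # share of attacks caught
    }

def projected_daily_load(metrics, events_per_day, attack_fraction):
    """Scale measured rates to a day's traffic: false alerts to triage and attacks that slip through."""
    attacks = events_per_day * attack_fraction
    benign = events_per_day - attacks
    return {
        "false_alerts": round(benign * metrics["false_positive_rate"]),
        "missed_attacks": round(attacks * metrics["false_negative_rate"]),
    }
```

With the sample above, one false positive among six benign events becomes tens of thousands of alerts per day at a million events per day, which is why a high false-positive count is treated as an efficiency problem and not only an accuracy one.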
Duquea, S., & bin Omar, M. N. (2015). Using data mining algorithms for developing a model for
intrusion detection system (IDS). Procedia Computer Science, 61, 46–51. http://
Phatak, P. (2011). The importance of intrusion prevention systems. http://opensourceforu.com/
Atlassian Documentation. (n.d.). How to capture HTTP traffic using Wireshark or Fiddler.
Network Startup Resource Center. (n.d.). Wireshark: Network forensic exercise. https://nsrc.org/
Khan, S., Shiraz, M., Wahab, A., Gani, A., Han, Q., & Rahman, Z. (2014). A comprehensive
review on adaptability of network forensics frameworks for mobile cloud computing. The
Scientific World Journal. https://www.hindawi.com/journals/tswj/2014/547062/.
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Computer security: Guide to integrating
forensic techniques into incident response (Special Publication 800-86). National Institute of
Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/
II. Joint Network Defense Bulletin
• Joint Network Defense Bulletin: two-page, double-spaced Word document, APA format.
Compile the information you have gathered, taking care to eliminate any sensitive bank-specific
information. The Joint Network Defense Bulletin is an educational document for the financial
services consortium. This bulletin should be addressed to the FBI chief and the FS-ISAC