Ideas for Projects in Undergraduate Information Assurance and Security Courses A. Ghafarian Department of Mathematics and Computer Science North Georgia College & State University Dahlonega, GA 30597, U.S.A. aghafarian@ngcsu.edu ABSTRACT In this work, we present some ideas for projects that can be used in undergraduate Information Assurance and Security (IAS) courses. The projects range from cryptanalysis of ciphertext, network security, security vulnerability analysis, and programming to demonstrate buffer overflow. The projects can be used in IAS courses such as cryptography, network security, and computer security. Alternatively, they can be used as separate modules in computer science courses such as operating systems, networking, and programming. Some of these projects have been piloted by the author and have achieved their objectives. 1.2 Buffer Overflow Students are required to use C programming language to exploit buffer overflow. Some of the C language constructs such as string manipulation is vulnerable to attack. For example, strcpy does not check the length of the string it copies when we insert a 12-byte string long string buffer to a buffer which is eight bytes long. The first eight characters from the input completely fills the buffer, and the remaining four characters overflow the buffer. That is, these four characters overwrite the adjacent address in the buffer. If these four memory locations are expected to have the return address of a function call, when the function tries to go back to the caller function, a buffer overflow could be exploited. Categories and Subject Descriptors: K.3 [Computers & Education]: Computer Information Science Education - Computer Science Education. & 1.3 Cryptanalysis The instructor provides some ciphertext messages. Each student uses cryptanalysis techniques to decrypt the ciphertext and extract the original text of the message. This project will provide firsthand experience of cryptanalysis techniques that hackers use. There are two key issues that must be considered in this type of projects, i.e. the encryption algorithm and cryptanalysis technique [1]. For example, if we know that the ciphertext was made using a letter-substitution cipher from English plaintext, then information about letter frequencies can help us identify key letters. Usually "E" is the most common letter in English text, with "A", "O" and "T" running next. So the chances are that "E" has been replaced by whichever letter is the most common in the ciphertext. The students can use a spreadsheet to experiment with the results of various possible substitutions. Once they have identified which letters have been substituted a few key letters such as "A", "E", "O" and "T", then even a partial deciphering of the message should enable them to guess the rest. General Terms: Security Keywords: Information Assurance and Security (IAS), Security Projects 1. THE PROJECTS 1.1 Network Security Vulnerability Vulnerability is a weak point that can be exploited from both inside and outside of an organization’s network system. External vulnerabilities include viruses, worms, script kiddies, spyware, and denial of services attacks. For this project, students are required to install and configure hardware/software tools and methodologies that exist for network attack detection. Examples of hardware devices are network intrusion detection system (NIDS) and host-based intrusion diction system (HIDS) [2]. Ethereal packet sniffing tool is an example of software that students should install, configure, and capture the network traffic. A significant issue for this project is to define interesting and unusual packets. The source of the packets, the destination, the packet number, and port number will be examined in details. 2.

/lp/association-for-computing-machinery/ideas-for-projects-in-undergraduate-information-assurance-and-security-XtIXPFBWcN