Tutorial week 12

1.

Question 1:

Working from the example in the lecture notes, using slightly different numbers: Say a network system has a population where 0.01 of the logins having intrusions. (The other 99% logins are having normal behaviours). When an intrusion occurs, the probability of detecting it as abnormality is 97%. Under normal operations, the probability of detecting it as abnormality is 9%. Using Bayess theorem, work out all the probability of:
i. ii. iii. iv.

When IDS shows abnormality, whats the probability of having an intrusion? When IDS shows abnormality, whats the probability of no intrusion? When IDS shows no abnormality, whats the probability of having an intrusion? When IDS shows no abnormality, whats the probability of no intrusion?

How do these numbers compare with the ones show in the lecture? Follow the lecture notes and let your students aware that Bayess theorem wont be in the exam :)

Question 2: Conduct some research from the Internet on the topic of SQL Injection. Discuss generally what does it do?
2.

General discussion, maybe show an example of SQL injection

Question 3: The Markov Model Password Checker in the lecture notes, show that if there are only three letters, a, b and c.
3.

a.

If 4 letters password is chosen, how many combinations can it be? 3^ 4 = 81?

b.

What is the advantage of having this Markov model password checker? It shows that the probabilities of letter combinations are not equal. Hence, it recommends users to choose passwords with less probability.

c.

Using this model, compute the probability of the following 4-letter word: babc caac abcc

i. ii. iii.

You may assume the initial probabilities for letter a, b and c is 0.5, 0.3 and 0.2 respectively.

Easy computation, just follow the model

d.

For the students whom can program, using uniform distribution random generator to generate 4 letters 1000 times, and to indicate their frequencies. Show to students the algorithm.

4.

Think again the problem stated in the lecture about using Operating Systems Page Faults for guessing password. The following question is a simplified version, where: Assume that passwords are selected from four-character combination of 26 alphabetic characters. Assume that an adversary is able to attempt passwords at a rate of once per second.
a.

Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password? seconds. Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password? = 52 seconds

b.

5.

It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the slat is stored in plaintext in the same entry as the corresponding cipher text password. Therefore those two characters are known to the attacker and need not be guessed. Why it is asserted that the salt increases security?

Without the salt, the attacker can guess a password and encrypt it. If ANY of the users on a system use that password, then there will be a match. With the salt, the attacker must guess a password and then encrypt it once for each user, using the particular salt for each user.