The class project is to create an investigation-centered assignment similar to the assignments that you have been completing all semester. Students may complete the project as individuals or in teams of two students. The goal of the project is for students to learn about a new topic in the area of network security analysis and to share that knowledge with the class.

Students must choose a topic for the project on their own, but all topics must be approved by the instructor. The project must address material not covered in class. While projects may focus on a broad topic covered in class, such as malware, the project must address aspects of that topic not covered in class. The project must introduce at least one defensive software tool not covered in class and must use data that has not been used in a class assignment. The tool can be selected from the textbooks or from other sources. Data can include captured packets, flow records, signatures, logs, or any type of security data. See the Project Data and Software Tools sections below for more details.

The main component of the project will be an investigation problem, similar to the investigations in the later class assignments. The investigation should be a complex problem involving multiple networked devices. It should be aimed at an audience that understands how to analyze the packet captures, netflows, and log data that have been covered previously in this course. The new tool introduced in the assignment must be used to solve the investigation problem.


The easiest way to identify a topic is to start by selecting a security tool of interest. The tool will determine which types of data are required for the assignment. Investigations can include multiple types of data, including the data types handled by the project's new tool and those handled by tools used earlier in class, such as pcap files, flow records, logs, or IDS alerts.

The topic proposal is a one page single-spaced document that describes the security tool chosen, identifies potential sources of data for that tool, and describes an idea for the investigation problem. The proposal document must include at least one paragraph of information about each of the components listed previously. The topic proposal document must include the title "Topic Proposal" at the top of the page followed by the names of each student working on the project. The topic proposal must be e-mailed to the instructor by the due date as an attachment. The subject of the email must be "CIT 481/694 Project Topic" and all members of the team must be CCed on the message.

Software Tools

There are many widely used defensive software tools that we did not cover in class, such as the Bro IDS, the Cuckoo sandbox, Scapy (the Python library for manipulating network packets), the SiLK network flow analysis tool suite, or one of the many honeypots out there. Tools cannot be entire Linux distributions like Kali or REMnux, but tools can be selected from the many security tools included in those distributions. While students may use offensive tools to create their data, the project must introduce a new defensive tool to help solve the investigation problem.

The following web sites can be used to find defensive software tools for this project:

Note that the web sites above include both offensive and defensive tools. If you are uncertain if a tool is appropriate for this project, please contact the instructor.

Project Data

The data for the project includes data for the example problems as well as for the investigation problem. The investigation problem data must contain data involving at least 4 IP addresses, at least two of which must be affected by the attack that is being investigated. Projects are encouraged to use multiple types of data, such as pcap data, flow records, logs, or IDS alerts, in the investigation.

Students may create data for the project by capturing network packets while offensive security tools such as bettercap, Metasploit, exploit-db, nmap, etc. target vulnerable virtual machines. Once an attack compromises a target machine, further exploitation of that machine can be accomplished with tools like Meterpreter and backdoors to maintain access to that machine, which can result in additional network data as well as logs on the machine. Continuing access can be ensured with tools like netcat, webshells, or through the use of tunnels like iodine. The Red Teamer's guide to pivoting describes how the attacker can use the initially compromised machine to access further machines in the network.

Vulnerable virtual machines to exploit can be found from a variety of sources. Each student has a virtual network including the vulnerable Linux VM, Metasploitable 2. Students may also install virtual machines on their own computers, such as Metasploitable 3, a vulnerable Windows VM designed for use with Metasploit. Alternatively, students may use an existing VM and install vulnerable applications and services on it, such as the ones at Vulnhub.

Students may also use data from public sources of security data. Potential sources of public data include but are not limited to:


The deliverables for the assignment include:

  1. Assignment document
  2. Assignment data
  3. Project report
  4. Project presentation

The project is worth 40% of the entire course grade. Projects will be evaluated by the deliverables according to how well they fulfill the requirements above, the quality of the assignment, report, and presentation, and the complexity of the investigation problem.

Assignment document

The assignment document should resemble the assignment documents that you completed throughout the semester. The document must be 4-8 pages in length, single-spaced. Screenshots may be included in the document but do not count towards the length requirement. The assignment document should begin with a 1-2 page description of the topic for the reader. The description must be followed by at least 2 simple examples, showing how to use the new defensive security tool introduced in the project on small data files to prepare the reader for the investigation problem.

The investigation problem is the most important part of the assignment document, providing a complex problem involving multiple networked devices that can be solved using the information provided earlier in the assignment. The investigation must not involve a trivial problem, easily solved by running a single software tool. Solving the investigation problem must involve multiple steps and should use multiple tools and/or data types.

Assignment data

The data for the assignment must be stored in an archive file containing all files used in the assignment. The archive must contain data files for the example problems as well as for the investigation problem.

Assignment data must be well organized, with the only top level item in the archive being a directory named cit481-project. The only file in the top level directory must be a README file. Each type of data (pcap, netflow, logs, etc.) must be contained in its own appropriately named directory below the top level.

The README file explains the sources of the data. If data was obtained from a web site, provide the URL. If data was provided by a person, indicate the name of that person with contact information. If data was created by you for this assignment, note that fact as well. If data was obtained from a site with a required license, that fact must be noted and the license file included in the archive.
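A small shell check for the archive layout described above, with a SHA-256 manifest to paste into the README. This is an added example, not part of the course materials; the function names and the sample files it creates are my own.

```shell
#!/bin/sh
# Added example: verify an unpacked project archive against the layout
# rules (single top-level cit481-project directory, README as its only
# file, one named directory per data type) and list SHA-256 checksums.
# Function names are assumptions, not course-provided tooling.

# Portable fallback for systems that only ship shasum (e.g. macOS).
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# check_layout DIR: DIR holds the extracted archive. Returns 0 when the
# layout is valid, 1 otherwise.
check_layout() {
    root="$1"
    # Exactly one top-level item, and it must be cit481-project.
    [ "$(ls -A "$root" | wc -l)" -eq 1 ] || return 1
    [ -d "$root/cit481-project" ] || return 1
    proj="$root/cit481-project"
    for entry in "$proj"/* "$proj"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob pattern
        name=$(basename "$entry")
        if [ -f "$entry" ]; then
            [ "$name" = "README" ] || return 1   # only file allowed at top
        elif [ -d "$entry" ]; then
            [ -n "$(ls -A "$entry")" ] || return 1   # no empty data dirs
        else
            return 1                         # symlinks, devices, etc.
        fi
    done
    return 0
}

# write_manifest DIR: print "<sha256>  ./type/file" for every data file,
# sorted by path, so each file is identified by name and checksum.
write_manifest() {
    (cd "$1/cit481-project" && \
        find . -type f ! -name README -exec sha256sum {} + | sort -k2)
}

# Constructed sample tree showing the expected use of both functions.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cit481-project/pcap" "$tmp/cit481-project/logs"
    printf 'Data created by the project team.\n' > "$tmp/cit481-project/README"
    printf 'constructed pcap placeholder\n' > "$tmp/cit481-project/pcap/attack.pcap"
    printf 'Jan 1 00:00:01 host sshd: Accepted\n' > "$tmp/cit481-project/logs/auth.log"
    check_layout "$tmp" && write_manifest "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}
```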

Project report

The project report provides background for the assignment, explaining the topic chosen, the new defensive software tool introduced, and the types and sources of data used. If the software tool belongs to a category of tools already used in class (a packet sniffer like tcpdump or Wireshark, a netflow tool like Argus, or an IDS like Snort), the report must include a section comparing the new tool with tools of the same category used in previous assignments.

The project report must describe what actually happened during the security event described in the investigation problem and provide a full solution for the investigation problem. The solution must include a timeline of events and a step-by-step sequence of actions that an investigator could follow to solve the investigation. Each step of the investigation must identify the event at that step by timestamp and by packet or flow number if appropriate. The description of the investigator's actions must include the tool used along with any input given to the tool and the text output provided by the tool. Avoid screenshots and use text output, either copied from a GUI or terminal or recorded in a file using I/O redirection or the script command. Files must be identified by both name and SHA-256 checksum.

Important Dates

The important dates for the project are


©2017 James Walden, Ph.D.