I finally received the professor’s feedback on the attached paper. See below. Can you provide the additions? They should total only one page. The additions look like they can be added to page 11 in the “Network Traffic Analysis and Results” section.
Malicious Network Activity Report Tasks: This portion of the assignment was done fairly well. Most of the content objectives were met as expected with good details. I did not see where you discussed the concept of performing statistical analysis of false positives and false negatives. While you provided the range for well known ports, you did not identify well-known ports with applications that are used and risks associated with those ports as well as applications being identified and possibly targeted. You made good use of APA.
Malicious Network Activity Report
A network intrusion is any unauthorized action on a network. It often involves the theft of valuable network resources and jeopardizes network security and sensitive data. A network intrusion detection system (NIDS) senses malicious traffic on the network. Such a system normally requires unrestricted visibility of the network so that it sees all traffic, including unicast traffic between other hosts; these devices do not interfere with traffic on the network and operate passively (Ghorbani, Lu, & Tavallaee, 2009). A network intrusion detection system aims to reveal suspicious activity on a network and to build a model that can differentiate between attacks or intrusions and normal network connections. To proactively find and respond to network intrusions, firms should have a thorough understanding of how network intrusions are structured and put a response system in place to deal with them (Bul’ajoul, James, & Shaikh, 2019). The exponential growth of internet usage has increased internet banking and e-commerce transactions, which in turn exposes these services to serious security threats, intrusions, and penetration. The banking sector has faced cybersecurity challenges for years because of online transactions and other processes (Gezer et al., 2019). This paper discusses a network intrusion detection and prevention system for Bank of America to secure it from malicious network attacks. Bank of America, a small community financial institution, is seeking to improve employee satisfaction by updating its network design to overcome network intrusion challenges. The first step is to update its network architecture design.
Network Architecture Overview
Network architecture is the framework defining the physical components of a network and their configuration and organization. The fundamental function of any computer network is to provide paths by which an end user can reach another end user at a different geographical location (Berardi & Tedeschi, 2017). The existing network of the bank is presented in the following diagram:
Fig 1: Network Architecture
The current architecture of the bank lacks online banking capabilities and relies on outdated devices that lack flexibility and security.
There are layered reference models for designing and implementing networking protocols, such as the OSI model and the TCP/IP model. The OSI model is a comprehensive set of rules and conventions for software developers and hardware manufacturers. It has seven layers, which makes troubleshooting easier because a fault can be isolated to one layer: the application, presentation, session, transport, network, data link, and physical layers. The TCP/IP model, in its five-layer form, has the application, transport, network (internet), data link, and physical layers. End-to-end data transport is handled by the transport layer using two protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), both of which are carried over IP. TCP is a reliable, connection-oriented protocol, which makes it suitable for applications that require high reliability at the expense of speed. TCP maintains data integrity and delivers data in the same order in which it was transmitted. To establish a connection, TCP requires a three-packet handshake (SYN, SYN-ACK, ACK) before any user data is sent. UDP is a connectionless protocol that transfers messages as independent datagrams. It is suitable for applications that require efficient and fast data transfer. UDP maintains no ordering while packets are being transferred, so every datagram is independent; this makes it faster but less reliable, and datagram integrity is checked only on arrival by means of its checksum (Kumar & Rai, 2012).
The basic components of a network are servers that hold shared files, clients that use the shared files and resources, transmission media that carry signals between devices, shared data, the local operating system, the network operating system, hubs, and switches. A packet is the unit of data transmitted between two points (origin and destination) on the internet. Each packet carries information such as its origin and destination and the identity of the protocol. Its structure depends on the type of packet and protocol, and it usually has a header and a payload. The header contains information about the transmission, the packet itself, and the service. To transfer data over the internet it is split into IP packets whose headers contain the IP address of the machine sending the data, the IP address of the machine to which the data is sent, the identification and fragment-offset fields used to reassemble the packets in the order they were transmitted, the type of service, flags, other technical fields such as time to live and the header checksum, followed by the payload (Varghese, 2010).
The IP address is carried in the network-layer header; the link-layer header and the transport-layer header carry their own addresses (a hardware address and port numbers respectively). An IPv4 address is a 32-bit number that uniquely identifies a device on an IP network. The address is divided into a network ID, which identifies the network to which the device belongs, and a host ID, which identifies the device within that network; all devices on the same network share a single network ID. In the original classful scheme, the leading bits of the address determine its class: A, B, C, D (multicast), and E (reserved).
Fig 2: IP addresses classes
Each class divides the 32 bits differently. Class A addresses start with a 0 bit, followed by 7 bits of network ID and 24 bits of host ID. Class B addresses start with the bits 10, followed by 14 bits of network ID and 16 bits of host ID. Class C addresses start with 110, followed by 21 bits of network ID and 8 bits of host ID. Class D addresses start with 1110, and the remaining 28 bits identify a multicast group. Class E addresses start with 1111, and the remaining 28 bits are reserved for experimental use (Graham, 2001).
Fig 3: Comparison of IP addresses
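The packet structure and the classful address split described above, as an added example that is not part of the original paper: the code below builds a constructed 20-byte IPv4 header, decodes its fields, verifies the header checksum, and splits sample addresses into class, network ID, and host ID. The addresses used (10.1.2.3, 172.16.5.9, 203.0.113.7) are assumed sample values, not taken from the bank's network.

```python
import ipaddress
import struct

# Protocol numbers that appear in the IPv4 protocol field (IANA assignments).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header.

    Over a header whose checksum field is zero it returns the checksum to
    store; over a complete, intact header it returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, ttl: int = 64,
                      payload_len: int = 20, ident: int = 0x1234) -> bytes:
    """Assemble a minimal 20-byte IPv4 header (no options) with a valid checksum.

    Used only to construct sample input for this example; in practice the
    bytes come from a capture file or a raw socket.
    """
    ver_ihl = (4 << 4) | 5                 # version 4, header length 5 words
    flags_frag = 0x4000                    # DF set, fragment offset 0
    fields = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                         flags_frag, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the header fields listed in the paper and verify the checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # an intact header sums to zero; anything else was corrupted or tampered with
        "checksum_ok": ipv4_checksum(bytes(data[:ihl])) == 0,
    }


# Classful split: (network-ID bits, host-ID bits) after the leading class bits.
CLASSES = {"A": (7, 24), "B": (14, 16), "C": (21, 8)}


def classful_split(addr: str) -> dict:
    """Return the address class and, for A/B/C, its network ID and host ID."""
    n = int(ipaddress.IPv4Address(addr))
    top = n >> 28                          # the first four bits decide the class
    if top & 0b1000 == 0:
        cls = "A"
    elif top & 0b1100 == 0b1000:
        cls = "B"
    elif top & 0b1110 == 0b1100:
        cls = "C"
    elif top == 0b1110:
        return {"class": "D", "multicast_group": n & 0x0FFFFFFF}
    else:
        return {"class": "E", "reserved_bits": n & 0x0FFFFFFF}
    net_bits, host_bits = CLASSES[cls]
    return {
        "class": cls,
        "network_id": (n >> host_bits) & ((1 << net_bits) - 1),
        "host_id": n & ((1 << host_bits) - 1),
    }


if __name__ == "__main__":
    hdr = build_ipv4_header("10.1.2.3", "203.0.113.7")
    print(parse_ipv4_header(hdr))
    for a in ("10.1.2.3", "172.16.5.9", "192.0.2.1", "224.0.0.1"):
        print(a, classful_split(a))
```

A failing checksum on a captured packet is worth noting in an analysis: routers discard such packets, so a sensor that sees them is usually looking at a crafted or corrupted stream rather than normal traffic.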
All data transmitted over a network is encoded as ones and zeros at multiple levels. The application layer passes the data to the encoding and decoding layers, where it is converted into a stream of bytes; this stream is then forwarded to the hardware layer, where it is converted into ones and zeros on the medium. The receiving computer's hardware layer converts the ones and zeros back into a byte stream and sends it up to be decoded into its original form and delivered to the application layer. The encoding technique depends on the type of conversion: for analog data to analog signals, phase modulation, amplitude modulation, and frequency modulation are used; for analog data to digital signals, PCM (Pulse Code Modulation) is used; and for digital data to digital signals, NRZ, bi-phase (Manchester) encoding, and block encoding are used.
In networking, TCP and UDP use ports as communication endpoints; a port is associated with a host IP address and a transport protocol. Specific port numbers are reserved for specific services so that incoming data can be handed to the correct running application. Port numbers in the range 0 to 1023 are called well-known ports and are used by system processes, while 1024 to 49151 are registered ports and 49152 to 65535 are dynamic or private ports. Several well-known ports correspond to services a bank is likely to run, and each carries its own risk if exposed: 21 (FTP) and 23 (Telnet) send credentials in cleartext and are easily intercepted; 22 (SSH) is encrypted but is a constant target of password brute-forcing; 25 (SMTP) can be abused as an open relay if misconfigured; 53 (DNS) is the target of cache-poisoning and amplification attacks; 80 (HTTP) carries cleartext web traffic, whereas 443 (HTTPS) carries the same traffic over TLS but still exposes the web application itself to injection and session attacks; 110 (POP3) and 143 (IMAP) expose cleartext mail credentials unless TLS is used; and 445 (SMB) is the usual path for lateral movement and ransomware inside a Windows network. Because attackers scan for these ports to identify the applications behind them, every well-known port that is open to the internet should be justified, monitored, and, where the protocol is cleartext, replaced with its encrypted equivalent.
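The mapping from well-known ports to applications and risks, run over flow records, as an added example that is not part of the original paper: the script below takes NetFlow-style CSV records, identifies the service behind each destination port, and rates inbound flows by whether the service carries credentials in cleartext and whether the source is outside the bank. The flow records, the internal range 10.10.0.0/16, the port selection, and the risk notes are this example's own assumptions.

```python
import csv
import io
import ipaddress

# A selection of IANA well-known ports (0-1023) with the service behind each and
# the risk an exposed instance carries. The risk notes are this example's own.
WELL_KNOWN = {
    20: ("FTP data", "cleartext file transfer"),
    21: ("FTP control", "cleartext credentials; anonymous login if misconfigured"),
    22: ("SSH", "encrypted, but a standing brute-force target"),
    23: ("Telnet", "cleartext credentials; legacy device management"),
    25: ("SMTP", "open relay and spam abuse if misconfigured"),
    53: ("DNS", "cache poisoning and amplification"),
    80: ("HTTP", "cleartext web traffic; web application attacks"),
    110: ("POP3", "cleartext mail credentials"),
    143: ("IMAP", "cleartext mail credentials"),
    443: ("HTTPS", "encrypted, but web application attacks still apply"),
    445: ("SMB", "lateral movement and ransomware propagation"),
}
# Ports whose protocol carries authentication in the clear.
CLEARTEXT_AUTH = {21, 23, 80, 110, 143}
# Ports that should never be reachable from the internet.
INTERNAL_ONLY = {445}


def service_for_port(port: int) -> dict:
    name, risk = WELL_KNOWN.get(port, ("unknown", "not in this table; verify what is listening"))
    return {"port": port, "service": name, "risk": risk, "well_known": 0 <= port <= 1023}


def audit_flows(flow_csv: str, internal_net: str = "10.10.0.0/16") -> list:
    """Rate inbound flows by the service they target and where they come from.

    Input is NetFlow-style CSV text with columns ts,src,dst,dport,proto.
    Returns one finding per reportable flow into the internal network,
    highest severity first.
    """
    net = ipaddress.ip_network(internal_net)
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if dst not in net:
            continue                           # only traffic into the bank's network
        port = int(row["dport"])
        info = service_for_port(port)
        external = src not in net
        if external and (port in CLEARTEXT_AUTH or port in INTERNAL_ONLY):
            severity = "high"                  # credentials or SMB exposed to the internet
        elif external and info["well_known"]:
            severity = "medium"                # known service, known attack surface
        elif external:
            severity = "low"                   # unregistered port reachable from outside
        elif port in CLEARTEXT_AUTH:
            severity = "low"                   # cleartext inside the LAN: sniffable by an insider
        else:
            continue                           # ordinary internal traffic, nothing to report
        findings.append({**info, "severity": severity, "src": str(src),
                         "dst": str(dst), "external": external, "ts": row["ts"]})
    return sorted(findings, key=lambda f: rank[f["severity"]])


# Constructed flow records for this example (RFC 5737 documentation addresses
# stand in for internet hosts; 10.10.0.0/16 is the assumed internal range).
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2024-03-01T09:00:01,198.51.100.23,10.10.1.5,443,tcp
2024-03-01T09:00:03,198.51.100.23,10.10.1.5,80,tcp
2024-03-01T09:00:07,203.0.113.9,10.10.1.20,23,tcp
2024-03-01T09:00:09,203.0.113.9,10.10.1.20,21,tcp
2024-03-01T09:01:12,10.10.2.40,10.10.1.30,445,tcp
2024-03-01T09:01:30,198.51.100.77,10.10.1.5,8443,tcp
2024-03-01T09:02:02,10.10.2.40,10.10.1.5,80,tcp
"""

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['severity']:6} {f['src']:>14} -> {f['dst']}:{f['port']} "
              f"{f['service']} ({f['risk']})")
```

On the constructed sample the Telnet, FTP, and HTTP connections from internet hosts rank highest, since those are the three the paper's port discussion identifies as cleartext credential paths; the internal SMB flow is not reported because SMB inside the LAN is expected, although it would be the first thing to review after a compromise.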
An IDS is a combination of hardware and software that collects and analyzes network activity. The four types of IDS are the network-based intrusion detection system (NIDS), the host-based intrusion detection system (HIDS), the perimeter intrusion detection system, and the virtual-machine-based intrusion detection system. Banks implement a NIDS that is attached to a network switch or hub through a network tap or a mirrored port, so that it receives a copy of all traffic.
Fig 4: IDS
In a NIDS, sensors are often placed at the demilitarized zone to capture network traffic and examine the contents of individual packets for malicious traffic (Depren et al., 2005). An intrusion prevention system (IPS) is an automated network security device used to observe and respond to security threats. It examines network traffic to identify potential threats, just like an intrusion detection system, but it sits in line with the traffic so that it can block what it detects. The network administrator programs a particular response that is carried out automatically when an attack is detected. An IPS is typically combined with anti-spoofing filtering, anti-virus software, and firewalls. Banks implement a multi-layer defense system to protect the network; it includes firewalls and intrusion detection systems. A firewall is a system installed between the bank's internal network and external networks such as the internet (Zhang et al., 2004).
To deploy firewalls, the bank uses a demilitarized zone (DMZ) to isolate the most exposed components of the network, such as public-facing web and mail servers. This can be done using a single firewall with at least three network interfaces. In this three-legged approach, the first interface connects to the external network provided by the Internet Service Provider, the second interface forms the internal network, and the third interface forms the DMZ.
To provide a more secure DMZ, banks also implement a dual-firewall architecture in which two firewalls are set up. The front-end firewall allows traffic only to and from the DMZ, and the back-end firewall controls traffic between the DMZ and the internal network (Webb, 2014).
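The dual-firewall DMZ policy described above, as an added example that is not part of the original paper: the model below encodes a front-end rule set (internet to DMZ) and a back-end rule set (DMZ to internal network), works out which firewalls a flow crosses from the zones of its endpoints, and reports where a flow is stopped. The address plan (192.0.2.0/24 for the DMZ, 10.10.0.0/16 for the internal network, a web server and a database server) and the rules themselves are this example's assumptions, not the bank's configuration.

```python
import ipaddress

# Assumed address plan for the example: RFC 5737 space for the DMZ,
# RFC 1918 space for the internal network.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = ipaddress.ip_network("192.0.2.10/32")
DB_SERVER = ipaddress.ip_network("10.10.5.20/32")

# Rule: (source, destination, protocol, destination port or None, action).
# First match wins; a flow that matches nothing is denied.
FRONT_END = [                                        # mediates internet <-> DMZ
    (ANY, WEB_SERVER, "tcp", 443, "allow"),          # public banking site
    (INTERNAL, ANY, "tcp", 443, "allow"),            # staff browsing out, after the back-end
]
BACK_END = [                                         # mediates DMZ <-> internal
    (WEB_SERVER, DB_SERVER, "tcp", 5432, "allow"),   # only the web tier, only the DB port
    (INTERNAL, ANY, "tcp", 443, "allow"),
]
FIREWALLS = {"front-end": FRONT_END, "back-end": BACK_END}


def zone(ip):
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"


def firewalls_on_path(src_zone, dst_zone):
    """Which firewalls a flow crosses, in the order it reaches them."""
    crossing = {src_zone, dst_zone}
    if crossing == {"internet", "dmz"}:
        return ["front-end"]
    if crossing == {"dmz", "internal"}:
        return ["back-end"]
    if crossing == {"internet", "internal"}:
        return ["front-end", "back-end"] if src_zone == "internet" else ["back-end", "front-end"]
    return []                                        # same zone: mediated by neither


def decide(rules, src, dst, proto, dport):
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (src in r_src and dst in r_dst and r_proto in ("any", proto)
                and (r_port is None or r_port == dport)):
            return action
    return "deny"


def evaluate(src, dst, proto, dport):
    """Return ("allow", path) or ("deny", firewall_that_blocked)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path = firewalls_on_path(zone(src), zone(dst))
    for fw in path:
        if decide(FIREWALLS[fw], src, dst, proto, dport) == "deny":
            return ("deny", fw)
    return ("allow", path)


if __name__ == "__main__":
    for flow in [("198.51.100.5", "192.0.2.10", "tcp", 443),     # customer to web
                 ("198.51.100.5", "10.10.5.20", "tcp", 5432),    # internet straight to DB
                 ("192.0.2.10", "10.10.5.20", "tcp", 5432),      # web tier to DB
                 ("192.0.2.10", "10.10.1.7", "tcp", 445),        # compromised web tier pivots
                 ("10.10.1.7", "198.51.100.5", "tcp", 443)]:     # staff browsing out
        print(flow, evaluate(*flow))
```

The case worth checking in any DMZ design is the fourth flow: a web server that has been compromised must not be able to reach ordinary internal hosts, and the back-end firewall's default deny is what enforces that.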
An IDS and a firewall both relate to network security, but a firewall stops intrusions by looking outward and limiting access between networks. It does not notify anyone of an attack happening inside the network, whereas an IDS detects an intrusion once it has occurred and raises an alarm. An IDS also analyzes attacks happening inside the network.
Common network threats are spoofing and cache poisoning, session hijacking, and man-in-the-middle attacks. DNS spoofing or cache poisoning exploits weaknesses in DNS to divert traffic away from legitimate servers to fake ones; it can start with a spam email containing a URL that infects the system. Session hijacking is an attacker taking over an established session between two hosts. It targets unencrypted protocols, where the attacker injects a frame or packet while pretending to be one of the hosts; it is similar to spoofing, but the attacker already holds the session details. A man-in-the-middle attack intercepts traffic either between external sites and the internal network or within the internal network. Through it, the attacker can steal data, obtain credentials, and hijack sessions (Lenzu & Tedeschi, 2012).
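Detection logic for the DNS spoofing case above, as an added example that is not part of the original paper: a monitor beside the resolver records every query a client sends and then checks each response against it. A response that matches no outstanding query, or that arrives from a server other than the one asked, is a forged answer, and several of them for the same name indicate transaction-ID guessing. The event records, the addresses, the timeout, and the flood threshold are constructed for this example.

```python
from collections import defaultdict

QUERY_TIMEOUT = 5.0     # seconds a query stays outstanding before it is forgotten
FLOOD_THRESHOLD = 2     # forged answers for one name from one client before calling it a flood

# Constructed DNS events as a monitor beside the resolver would see them
# (timestamps in seconds, RFC 5737 addresses for the attacker's hosts).
EVENTS = [
    {"t": 1.00, "kind": "query", "client": "10.10.1.7", "server": "10.10.0.53",
     "txid": 0x1A2B, "qname": "bank.example"},
    {"t": 1.02, "kind": "response", "client": "10.10.1.7", "server": "10.10.0.53",
     "txid": 0x1A2B, "qname": "bank.example", "answer": "203.0.113.10"},
    {"t": 2.00, "kind": "query", "client": "10.10.1.7", "server": "10.10.0.53",
     "txid": 0x3C4D, "qname": "login.bank.example"},
    # forged answer: right transaction ID, wrong source
    {"t": 2.01, "kind": "response", "client": "10.10.1.7", "server": "198.51.100.66",
     "txid": 0x3C4D, "qname": "login.bank.example", "answer": "198.51.100.66"},
    {"t": 2.02, "kind": "response", "client": "10.10.1.7", "server": "10.10.0.53",
     "txid": 0x3C4D, "qname": "login.bank.example", "answer": "203.0.113.11"},
    # answers nobody asked for, with guessed transaction IDs
    {"t": 3.000, "kind": "response", "client": "10.10.1.7", "server": "10.10.0.53",
     "txid": 0x7777, "qname": "login.bank.example", "answer": "198.51.100.66"},
    {"t": 3.001, "kind": "response", "client": "10.10.1.7", "server": "10.10.0.53",
     "txid": 0x7778, "qname": "login.bank.example", "answer": "198.51.100.66"},
]


def detect_dns_spoofing(events):
    """Flag DNS responses that no outstanding query explains.

    A legitimate answer matches a query the client actually sent (same client,
    transaction ID and name) and comes from the server that was asked.
    """
    outstanding = {}                 # (client, txid, qname) -> (server, time sent)
    forged = defaultdict(int)        # (client, qname) -> forged answers seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        now = ev["t"]
        for key, (_, t0) in list(outstanding.items()):
            if now - t0 > QUERY_TIMEOUT:
                del outstanding[key]  # the client gave up on this query long ago
        key = (ev["client"], ev["txid"], ev["qname"])
        if ev["kind"] == "query":
            outstanding[key] = (ev["server"], now)
            continue
        expected = outstanding.get(key)
        if expected is None:
            reason = "unsolicited response (no matching query)"
        elif expected[0] != ev["server"]:
            reason = f"response from {ev['server']} but query went to {expected[0]}"
        else:
            del outstanding[key]     # genuine answer: the query is satisfied
            continue
        forged[(ev["client"], ev["qname"])] += 1
        if forged[(ev["client"], ev["qname"])] >= FLOOD_THRESHOLD:
            reason += "; repeated for this name, likely transaction-ID guessing"
        alerts.append({"t": now, "client": ev["client"], "qname": ev["qname"],
                       "answer": ev["answer"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_spoofing(EVENTS):
        print(f"{a['t']:.3f} {a['client']} {a['qname']} -> {a['answer']}: {a['reason']}")
```

The forged answer at 2.01 is the one that matters operationally: it carries the correct transaction ID and would win the race against the genuine answer at 2.02, so the alert should be treated as an active poisoning attempt rather than noise.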
A honeypot is a trap that an IT professional lays to analyze the way malicious attackers interact with the network. It is often configured with known weaknesses to present a more obvious target for cyberattacks. There are two ways to set up a honeypot. The first, a low-interaction method, uses fake databases, folders, and data as bait, with the intent of monitoring attacks and analyzing the impact of a data breach in real life. Attackers would gain access to fake passwords, usernames, and IP addresses, which can be used to check the authorization controls of the system. The second, a high-interaction method, allows attackers to interact with real hardware, software, and services to make the trap as realistic as possible.
Fig 5: Classification of Honeypot
A honeypot looks like a real server; the difference is that it sits at a location separate from the real server, which remains invisible or hidden from attackers. The system is designed to monitor the attacker's activity, record events such as file changes, deletions, additions, compilations, and processes started, and save log files. Banks can use this method to learn the attackers' skill level, identity, and intentions.
Fig 6: Flowchart of honeypot
A honeypot can be deployed on any address, including IPv6 address space, which is often not covered as thoroughly as IPv4 by existing IDS and firewall rules (Litchfield et al., 2016).
Network Traffic Analysis and Results
There are various tools available to analyze network traffic, such as Wireshark, IPFIX, NetFlow, and sFlow. Sometimes network intrusion tools produce wrong reports. For instance, a file or item may be marked as malicious when it is not; this is known as a false positive. A false negative occurs when a malicious item or file is marked as clean. False negatives are often the result of new attacks that the detection tool is not able to pick up. False negatives are perceived to be more harmful, but false positives are harmful too in the long run, because analysts learn to ignore alerts. The detection results should therefore be analyzed statistically. Over a labelled sample of traffic, every decision falls into one of four classes: true positive (attack detected), false positive (benign traffic flagged), true negative (benign traffic passed), and false negative (attack missed). From these counts the detection rate (true positives divided by all attacks), the false positive rate (false positives divided by all benign traffic), and the precision (true positives divided by all alerts) are calculated, and the tool's sensitivity is tuned to the balance the bank wants. Because attacks are rare compared with benign traffic, even a small false positive rate produces more false alerts than true ones, so the false positive rate must be driven very low to keep the alert queue usable, while the false negative rate is estimated by replaying known attacks and checking how many go unreported. Banks can reduce such incidents by keeping their detection signatures up to date and re-measuring these rates after every update (Rottmann et al., 2019).
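The statistical analysis of false positives and false negatives described above, as an added example that is not part of the original paper: the code counts the four outcome classes over labelled alert decisions, derives the detection rate, false positive rate, precision, and accuracy, and shows with Bayes' rule how the share of genuine alerts collapses when attacks are rare. The labelled sample (1,000 flows, 10 of them attacks, 9 detected, 40 benign flows flagged) is constructed for this example and stands in for a replayed capture of known attacks mixed with known-benign traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    tp: int  # attacks the tool alerted on
    fp: int  # benign traffic the tool alerted on
    tn: int  # benign traffic passed silently
    fn: int  # attacks passed silently


def confusion_matrix(records) -> Confusion:
    """records: iterable of (alert_fired, truly_malicious) pairs from labelled traffic."""
    tp = fp = tn = fn = 0
    for alerted, malicious in records:
        if alerted and malicious:
            tp += 1
        elif alerted:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return Confusion(tp, fp, tn, fn)


def rates(cm: Confusion) -> dict:
    """The rates an analyst reports for a detection tool."""
    attacks = cm.tp + cm.fn
    benign = cm.fp + cm.tn
    alerts = cm.tp + cm.fp
    return {
        "detection_rate": cm.tp / attacks if attacks else 0.0,        # true positive rate
        "false_negative_rate": cm.fn / attacks if attacks else 0.0,
        "false_positive_rate": cm.fp / benign if benign else 0.0,
        "precision": cm.tp / alerts if alerts else 0.0,               # share of alerts that are real
        "accuracy": (cm.tp + cm.tn) / (attacks + benign) if attacks + benign else 0.0,
    }


def precision_at_base_rate(detection_rate, false_positive_rate, prevalence):
    """Expected share of alerts that are true attacks when attacks make up
    `prevalence` of all traffic (Bayes' rule)."""
    true_alerts = prevalence * detection_rate
    false_alerts = (1.0 - prevalence) * false_positive_rate
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def labelled_sample(tp, fp, tn, fn):
    """Constructed labelled records with the given outcome counts."""
    return ([(True, True)] * tp + [(True, False)] * fp
            + [(False, False)] * tn + [(False, True)] * fn)


if __name__ == "__main__":
    cm = confusion_matrix(labelled_sample(tp=9, fp=40, tn=950, fn=1))
    r = rates(cm)
    print(cm, {k: round(v, 3) for k, v in r.items()})
    # Accuracy looks excellent (95.9%), yet fewer than one alert in five is real.
    for fpr in (r["false_positive_rate"], 0.01, 0.001):
        share = precision_at_base_rate(r["detection_rate"], fpr, prevalence=0.01)
        print(f"FPR {fpr:.4f}: {share:.1%} of alerts are genuine attacks")
```

The last loop is the point the paper's paragraph makes: at a 1% attack prevalence, a detector with a 4% false positive rate hands the analyst four false alerts for every real one, and only pushing the false positive rate to the 0.1% level makes most alerts genuine.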
Other Detection Tools and Techniques
Other detection tools and techniques include: access control, which prevents unauthorized access by limiting user access to resources; anti-malware software, which protects computers from malware such as viruses, Trojans, worms, and spyware; anomaly detection, which reveals anomalies in the network and raises an alarm quickly; application security, which helps define security parameters for applications relevant to network security; endpoint security, which prevents personal devices from becoming a path for network intrusion when they are used to access business networks; VPNs, which secure communication between endpoint devices and the network; web security, which prevents vulnerabilities related to web-based activities; and wireless security, which prevents wireless network threats.
Recommended Remediation Strategies
A cyberattack can affect technology and processes throughout the bank. Hence, it is challenging to manage cybersecurity through its own procedures, policies, and responsibilities without considering the overall operational and organization-wide risk management framework. To overcome this problem, it is necessary to have advanced communication, cooperation, and planning among the cybersecurity, infrastructure, risk, and operational teams. In banks, like any other risk, cyber risk should have a management framework and governance structure. The effective implementation of response and control policies throughout the bank should be assessed regularly. It is also important to analyze whether the governance system implemented for cybersecurity is strong enough to cope with changing security threats.
Raising awareness among bank staff is equally important to limit the human error factor. Organizations commonly focus keenly on technology solutions but ignore the end users of these systems. Bank strategies should include measures to raise awareness among employees and explain to them the significance of network security so that they adhere to it.
References
Berardi, S., & Tedeschi, G. (2017). From banks’ strategies to financial (in)stability. International Review of Economics & Finance, 47, 255-272. doi: 10.1016/j.iref.2016.11.001
Bul’ajoul, W., James, A., & Shaikh, S. (2019). A new architecture for network intrusion detection and prevention. IEEE Access, 7, 18558-18573. Retrieved from doi:
Depren, O., Topallar, M., Anarim, E., & Ciliz, M. K. (2005). An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks. Expert Systems with Applications, 29(4), 713-722. doi: 10.1016/j.eswa.2005.05.002
Gezer, A., Warner, G., Wilson, C., & Shrestha, P. (2019). A flow-based approach for TrickBot banking Trojan detection. Computers & Security, 84, 179-192. Retrieved from doi:
Ghorbani, A. A., Lu, W., & Tavallaee, M. (2009). Network intrusion detection and prevention: Concepts and techniques (Vol. 47). Springer Science & Business Media.
Graham, B. (2001). TCP/IP addressing: Designing and optimizing your IP addressing scheme.
Kumar, S., & Rai, S. (2012). Survey on transport layer protocols: TCP & UDP. International Journal of Computer Applications, 46(7), 20-25.
Lenzu, S., & Tedeschi, G. (2012). Systemic risk of different interbank network topologies. Physica A: Statistical Mechanics and its Applications, 391(18), 4331-4341. doi: 10.1016/j.physa.2012.03.035
Litchfield, S., Formby, D., Rogers, J., Meliopoulos, S., & Beyah, R. (2016). Rethinking the honeypot for cyber-physical systems. IEEE Internet Computing, 20(5), 9-17. doi: 10.1109/MIC.2016.103
Rottmann, M., Maag, K., Chan, R., Hüger, F., Schlicht, P., & Gottschalk, H. (2019). Detection of false positive and false negative samples in semantic segmentation. Retrieved from
Varghese, G. (2010). Network algorithmics (pp. 28-28). Chapman & Hall/CRC.
Webb, J. (2014). Network demilitarized zone (DMZ).
Zhang, X., Li, C., & Zheng, W. (2004, September). Intrusion prevention system design. The Fourth International Conference on Computer and Information Technology, 2004. CIT’04, pp. 386-390. doi: 10.1109/CIT.2004.1357226