
Chapter 2: Literature Review

2.1 Cyber Security

We are currently living in an age where the use of the Internet has become second nature to
millions of people. Not only do businesses depend on the Internet for all types of electronic
communications and transactions, but more and more home users are experiencing the immense
benefits of the Internet (Kritzinger, 2010).

Information systems are prevalent in every major endeavor. Business, government, utilities and
control systems all take advantage of the efficiency, speed, and storage of these systems to
provide their functions. The information systems are so ingrained into everyday operations that
these functions would be difficult, if not impossible, to perform without them. Taken all
together, the use of information systems has become a key component of most of the critical
national infrastructure. Unfortunately, this reliance on information systems makes the
infrastructure as vulnerable as the underlying information systems themselves (John, 2001).

Cyber security touches nearly every part of our daily lives. Moreover, economic vitality and
national security depend on a stable, safe and resilient cyberspace. We rely on this vast array of
networks to communicate and travel, power our homes, run our economy, and provide
government services (Graham, 2014).

However, cyber intrusions and attacks have increased dramatically over the last decade,
exposing sensitive personal and business information, disrupting critical operations, and
imposing high costs on the economy. The nation has a significant shortage of cyber security
professionals who can understand and effectively thwart the growing threats. As a result,
education and training in cyber security has become a national priority (Bardas, 2013). To
address this priority, higher education has gradually incorporated the principles of computer and
information security into mainstream undergraduate and graduate computer science
curricula.

2.2 Hands-on Learning

Teaching computer science students how hardware devices work is often a difficult process
that requires considerable effort from both instructors and students. Although theoretical
lessons and exercises are important, the most important part of teaching hardware-based
courses is hands-on exercises, since they can easily awaken or extinguish a computer science
student's curiosity about hardware (Misha, 2006).

Traditional teaching techniques have turned out to be insufficient for cyber security training,
because students cannot apply the principles of the academic approach to a realistic
environment during the course. In security training, gaining hands-on experience through
exercises is indispensable for consolidating knowledge (Williems, 2012).

Hands-on learning gives students the opportunity to gain practical experience by practising
what they learn from the textbook and lectures. They do not just memorize steps for an exam;
they develop the skills needed to manage a real network, install routers, configure firewalls,
and secure switches, for example (Wittman, 2010).

Students in information technology need realistic, hands-on experience to master their IT skills.
When students have the opportunity to train with a hands-on curriculum and prepare to certify
in the IT field, they become more deeply engaged in both their education and their career path
(Wittman, 2010).
2.2.1 Need of Computer Security Laboratory

One of the fundamental requirements for serious computer security education is sufficient
hands-on equipment. One very effective way to provide it is to set up a hands-on laboratory.
Such a laboratory can be used for research projects and in support of computer security courses.
Unfortunately, dedicated hands-on labs are not used in most computer security courses
(Yurcik, 2001).

A good example of an institution developing a laboratory to support computer security teaching
and research programs is the Centre for Information Security Research (CISR) at the Naval
Postgraduate School. In the description of their computer security program, the CISR states that
"the ultimate objective of all computer security studies is to improve security in real systems.
Thus, practical laboratory experience is crucial for an effective computer security program.
Laboratory exercises in the form of tutorials and projects help to reinforce and extend concepts
conveyed in lectures as well as help prepare students for effective thesis research" (Humphries
et al., 2001).

There are two additional reasons for a dedicated security laboratory. The laboratory can support
course projects that should be isolated from normal academic computing because of the
potential for collateral damage to other systems. Furthermore, it gives graduate students a
means to perform effective computer security research in an isolated, safe environment. More
graduate students and faculty might be drawn into computer security research if they have the
facilities to conduct it (Humphries et al., 2001).
2.2.2 Benefits of Hands-on Learning

Hands-on training is the acquisition of the knowledge, skills and competencies needed in the
workplace. There are a number of definite benefits that can be realized by learning in a
hands-on environment (Shortliffe, 2015).

 More program material is retained
Students experience a large increase in the amount of information they retain when
given the opportunity to practice what they are learning in the form of hands-on training.
Studies have shown that when students sit and listen intently but passively in a lecture-style
environment, they retain 20 percent of the presented information. When they are given the
opportunity to practice what they have just learned, that percentage increases to 75 percent
(Cavanagh, 2011).
 Simulated learning environments enable learners to be more engaged
When students are given the ability to learn in a practical hands-on environment, they are
very often engaged, stimulated and want to learn as much as possible. The student's appetite
for learning increases and they are more willing to listen and pay attention if they have a
more practical or life like task to complete. Students also become more empowered in their
own learning situation (Shawer et al., 2012).
 Hands-on learning environment develops critical thinking skills
A student’s critical thinking skills increase in a hands-on learning environment. This occurs
since students must make decisions on what to do next to receive the outcome they are
striving to obtain. They no longer have to rely on memory and attention as they sit in a
lecture environment. These critical thinking skills remain with a student as opposed to
material that is simply memorized for a test and much of the material often forgotten after
the exam. Critical thinking skills are very important to the workplace as every situation that
an employee encounters cannot be learned from a book (Dunlosky et al., 2013).
 Real-world experience and knowledge from an instructor can go a long way
Students who learn in a hands-on environment have an instructor nearby who has real-world
experience and knowledge and can help and guide them if they have difficulty with a task
they are trying to complete. This expert advice can help them perform the task correctly and
safely, which is critical in the workplace.
 Use of materials and equipment used on the job
One of the benefits of a hands-on learning environment is that students get a feel for the
materials and equipment commonly used in the workplace after the course. This is
particularly valuable when the student will be working with equipment and tools. One of the
main causes of workplace accidents is the misuse of equipment and tools; knowing how to
handle equipment properly increases safety.

In computer science and information security education it is widely accepted that hands-on
experiences engage students in learning, raise their interest, and help them to retain knowledge
and master skills (Lou, 2011).
2.3 Experiential Learning

Experiential learning is a process through which students develop knowledge, skills, and values
from direct experiences outside a traditional academic setting. Experiential learning
encompasses a variety of activities including internships, service learning, undergraduate
research, study abroad, and other creative and professional work experiences. Well-planned,
supervised and assessed experiential learning programs can stimulate academic inquiry by
promoting interdisciplinary learning, civic engagement, career development, cultural
awareness, leadership, and other professional and intellectual skills.

Learning that is considered "experiential" contains all of the following elements:

1. Reflection, critical analysis and synthesis
2. Opportunities for students to take initiative, make decisions, and be accountable for the
results
3. Opportunities for students to engage intellectually, creatively, emotionally, socially, or
physically
4. A designed learning experience that includes the possibility to learn from natural
consequences, mistakes, and successes

2.3.1 Kolb’s Experiential Learning

David Kolb published his learning styles model in 1984, from which he developed his learning
style inventory. Kolb's experiential learning theory works on two levels: a four-stage cycle of
learning and four separate learning styles. Much of Kolb's theory is concerned with the
learner's internal cognitive processes. Kolb states that learning involves the acquisition of
abstract concepts that can be applied flexibly in a range of situations. In Kolb's theory, the
impetus for the development of new concepts is provided by new experiences (Kolb, 1984).
2.3.2 Kolb’s Experiential Learning Cycle

Kolb's experiential learning style theory is typically represented by a four-stage learning cycle
in which the learner 'touches all the bases':

1. Concrete Experience
Being involved in a new experience
2. Reflective Observation
Watching others or developing observations about one’s own experience
3. Abstract Conceptualization
Creating theories to explain observations
4. Active Experimentation
Using theories to solve problems, make decisions
2.4 Packet Sniffer

A packet sniffer is a tool that plugs into a computer network and monitors all network traffic. It
monitors traffic destined for itself as well as for all other hosts on the network. Packet sniffers
can be run on both non-switched and switched networks (Dhiren, 2009).

2.4.1 Packet Sniffer Components

A sniffer is a combination of hardware and software. Different sniffers may have different
configurations depending on their design and intended use, but basically a sniffer is composed
of the following parts (Chakrabarti, 2011):

 Hardware
A standard network adapter.
 Driver program
This is the most important part of a packet sniffer. It captures the network traffic, filters it
for the particular traffic of interest, then stores the data in a buffer.
 Buffer
A buffer is a storage area for data captured from the network. In general, there are two modes
of buffering: keep capturing until the storage space is full, or keep capturing and overwrite, so
that the latest captured data keeps replacing the oldest. The size of the buffer depends on the
computer's available memory: the more memory is available, the more data can be stored in
the buffer.
 Packet analysis
Capture and analysis are both the most basic and the most important features of a sniffer.
They record errors and abnormalities as they happen. Packet analysis can be done in real
time, or packets can be stored and analysed afterwards. Both the headers and the actual data
can be analysed, whether the data are stored in memory or analysed in real time.
 Decoder
The decoder converts the data stored in packets into a human-readable format.

2.4.2 Packet Sniffer Techniques

Three types of sniffing techniques are used (Ailawadhi, 2017). These are:

 IP-based sniffing
IP-based sniffing is the most commonly used method of packet sniffing and the original
way of doing it. It works by putting the network card into promiscuous mode and sniffing
all packets matching an IP address filter. Normally the IP address filter is not set, so all
packets are captured. Because it relies on the card seeing other hosts' frames, this method
only works in non-switched (hub-based) networks.
 MAC-based sniffing
This is the other method of packet sniffing. It works by putting the network card into
promiscuous mode and sniffing all packets matching a MAC address filter.
 ARP-based sniffing
This method works a little differently. It does not put the network card into promiscuous
mode; that is not necessary because the traffic is redirected to the sniffer with forged ARP
replies (ARP spoofing). This works because the ARP protocol is stateless and hosts accept
replies they never asked for. As a result, sniffing can be done on a switched network.
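As an added example (not code from the thesis or from any cited tool), the following Python decoder shows how the driver, buffer and decoder components of 2.4.1 and the IP- and MAC-based filters above fit together: it walks the Ethernet, IPv4 and TCP headers, verifies the IPv4 header checksum the way a packet analyser flags "errors and abnormalities", and applies an address filter. The MAC addresses, IP addresses, ports and frames are constructed for illustration; a real sniffer would read the frames from a promiscuous-mode raw socket, which needs root and is omitted here.

```python
"""Minimal Ethernet II / IPv4 / TCP decoder with IP- and MAC-based filters.

Added example, not the thesis's own code. All addresses and frames below are
made up; a live sniffer would obtain frames from a promiscuous-mode socket.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_P_IP = 0x0800
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum as used by the IPv4 header (odd length is zero-padded).
    A header whose checksum field is correct sums to 0 under this function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ip_checksum_ok: Optional[bool] = None
    payload: bytes = b""


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> Packet:
    """Walk the headers; decoding stops at the first layer it does not know."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = Packet(src_mac=mac_str(src), dst_mac=mac_str(dst), payload=frame[14:])
    if ethertype != ETH_P_IP:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.proto = ip[9]
    pkt.src_ip, pkt.dst_ip = ip_str(ip[12:16]), ip_str(ip[16:20])
    pkt.ip_checksum_ok = ones_complement_sum(ip[:ihl]) == 0
    pkt.payload = ip[ihl:total_len]
    if pkt.proto != PROTO_TCP:
        return pkt
    tcp = pkt.payload
    pkt.src_port, pkt.dst_port = struct.unpack("!HH", tcp[:4])
    pkt.payload = tcp[(tcp[12] >> 4) * 4:]          # skip TCP header incl. options
    return pkt


def ip_filter(pkts: List[Packet], address: str) -> List[Packet]:
    """IP-based sniffing: keep packets sent to or from the given IP address."""
    return [p for p in pkts if address in (p.src_ip, p.dst_ip)]


def mac_filter(pkts: List[Packet], address: str) -> List[Packet]:
    """MAC-based sniffing: keep packets sent to or from the given MAC address."""
    return [p for p in pkts if address in (p.src_mac, p.dst_mac)]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data, corrupt=False):
    """Construct a test frame with a correct IPv4 header checksum (TCP checksum is
    left zero because only the decoder is exercised). corrupt=True flips one bit
    of the checksum so the decoder's check can be seen failing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                      PROTO_TCP, 0, src_ip, dst_ip)
    csum = ones_complement_sum(hdr) ^ (1 if corrupt else 0)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + hdr + tcp


# Constructed sample traffic; the MAC and IP addresses are made up for the example.
PI, LAPTOP, PRINTER = (bytes.fromhex(h) for h in ("b827eb000001", "3c5ab4000002", "001e8f000003"))
FRAMES = [
    build_frame(LAPTOP, PI, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), 40000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame(PI, LAPTOP, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 5]), 80, 40000, b"HTTP/1.1 200 OK\r\n"),
    build_frame(PRINTER, LAPTOP, bytes([10, 0, 0, 9]), bytes([10, 0, 0, 5]), 9100, 50000, b"ok", corrupt=True),
]
PACKETS = [decode_frame(f) for f in FRAMES]   # the "buffer" of decoded packets
```

The third frame is built with a damaged checksum, and the decoder reports it through `ip_checksum_ok`; a sniffer used for intrusion detection would log such a packet rather than silently pass it on. Note that `ip_filter` and `mac_filter` only select among frames the adapter has already seen, which is why, on a switched network, they must be combined with ARP-based redirection.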
2.4.3 Uses of Packet Sniffer

The typical use of a network sniffer is to analyze network traffic and bandwidth utilization so
that underlying problems in the network can be identified. There are, however, two directions of
sniffer usage, which have coexisted since the tool was first produced (So-In, 2009):

 Positive usage
The positive usage of a sniffer is also its regular usage, whose objective is to maintain the
network and keep it working normally:
 Capturing packets
 Recording and analyzing traffic
 Decoding packets and displaying them in clear text
 Converting data to a readable format
 Showing relevant information such as IP address, protocol, host or server name, and so on

A packet sniffer is used as an assistant tool by the network engineer or administrator for
monitoring and analyzing a network, detecting intrusions, controlling traffic or supervising
network activity.

 Negative usage
The negative usage of a sniffer is well known for the harm it does to network security:
 Catching passwords, which is the main reason for most illegal uses of sniffing tools
 Capturing private transaction details, such as usernames, credit card details, account
numbers and passwords
 Recording email or instant messages and reconstructing their content
 Modifying the target's computer and damaging the system
 Breaching the security of a network or gaining higher-level privileges

With more and more attackers using packet sniffers, the sniffer has also become one of the
most important tools in the defense against cyber-attacks and cyber-crime.
2.4.4 Users of Packet Sniffers

 Network Engineers / System Administrators
Packet sniffers are a valuable tool for network engineers and system administrators, who
have used them for years to monitor their networks, perform diagnostic tests and
troubleshoot problems (Bonsor, 2014).
 Home User
Home network is our fortress. Inside it lies tons of valuable information such as
unencrypted files, personal, private data, and perhaps most importantly, computers that can
be hijacked and used for any purpose (Henry, 2014). Besides, smart homes are gaining vast
popularity as the most promising application of the emerging Internet of Things (IoT)
technology. Exploiting the high level of connectivity present in current electronic devices
such as smartphones, tablets, and multimedia systems, smart homes provide innovative,
automated and interactive services for residential customers through distributed and
collaborative operations. As these types of networks become enormously popular, it is
fundamental to provide an adequate level of protection against cyber-attacks. A packet
sniffer can be installed in each home to constantly monitor the home network and maximize
home network security (Zappaterra, 2014).
 Education
Packet sniffers can be used not only by network administrators but also for educational
purposes on campus. Wireshark and tcpdump are two of the most popular tools among
network administrators. While Wireshark is more user-friendly than tcpdump, tcpdump is
less intrusive and hence safer to use on a campus-wide network, since it does not readily
reveal the data transmitted in a packet. Wireshark can be used in a closed networking lab
environment to analyze and study many more protocols. Many class assignments can be
designed using these two packet sniffers; in particular, assignments can be developed to
analyze tcpdump's output in real time for intrusion detection or for understanding a
protocol (Asrodia, 2012).
2.4.5 Existing Packet Sniffer

There are many packet sniffers on the market, ranging from free to cheap to expensive, and
from very simple to advanced to packed with features. Each type of packet sniffer has its
purposes: if you need a simple tool for quick results on a small network, you do not have to
buy the most expensive sniffer, however many features it has. In reality, though, if you need a
packet sniffer for professional use, low-end sniffers are not the answer and something more
sophisticated is needed (Zhou, 2009).

 Open Source Packet Sniffer

Wireshark

Wireshark is the world's most popular network protocol analyzer. It has a rich and powerful
feature set and runs on most computing platforms, including Windows, OS X, Linux and UNIX.
Network professionals, security experts, developers, and educators around the world use it
regularly. It is freely available as open source and is released under the GNU General Public
License version 2. It has been developed and maintained by a global team of protocol experts,
and it is an example of a disruptive technology. Wireshark was formerly known as Ethereal; in
June 2006 the project was renamed because of trademark issues. It is used for network
troubleshooting, analysis, software and communications protocol development, and education.
Wireshark has tools for capturing, viewing and analysing data packets, and it has sophisticated
wireless protocol analysis support to help administrators troubleshoot wireless networks. With
the appropriate driver support, Wireshark can capture traffic "from the air" and decode it into a
format that helps administrators track down issues that cause poor performance, intermittent
connectivity, and other common problems (Banerjee, 2010).

Wireshark does have some limitations. It is not an intrusion detection system: it will not warn
you when someone does things on your network that they are not allowed to do, and it will not
manipulate anything on the network. On the other hand, Wireshark has a very user-friendly
GUI. Its installation file is 18 MB and, after installation, it consumes 81 MB on Windows and a
hefty 449 MB on Linux (Banerjee, 2010).
Tcpdump

Tcpdump is a common packet analyser that runs under the command line. It allows the user to
intercept and display TCP/IP and other packets being transmitted or received over a network
to which the computer is attached. Tcpdump works on most Unix-like operating systems: Linux,
Solaris, BSD, and Mac OS. In those systems, tcpdump uses the libpcap library to capture
packets. The port of tcpdump for Windows is called WinDump, it uses WinPcap, the Windows
port of libpcap. Tcpdump analyzes network behaviour, performance and applications that
generate or receive network traffic (Orebaugh, 2006).

It can also be used for analysing the network infrastructure itself by determining whether all
necessary routing is occurring properly, allowing the user to further isolate the source of a
problem. It is also possible to use tcpdump for the specific purpose of intercepting and
displaying the communications of another user or computer (Patel, 2012).

Tcpdump also has some limitations. For example, tcpdump can only report what it finds in the
packet: if an IP address in the packet is forged, tcpdump has no way of reporting anything else.
Tcpdump is very economical in terms of storage, since its installation file is just 484 KB, but it
does not have a user-friendly graphical user interface (GUI) (Niphadkar, 2008). The user
therefore has to study its commands and get acquainted with a command-prompt-like screen.
That limitation may play a key role in it not being chosen.
 Commercially Available Packet Sniffer

Acrylic Wi-Fi

Acrylic Wi-Fi is a Wi-Fi analyser software to identify access points and Wi-Fi channels, and
to analyse and resolve incidences on 802.11a/b/g/n/ac wireless networks in real time (Pacheco,
2017).

It is a tool for advanced users and professional Wi-Fi network analysts and administrators to
control their office wireless network performance and who is connected to it, identify access
point data transmission speeds, and optimize their company’s Wi-Fi network channels.

AirPcap

Airpcap is a family of wireless capture devices and drivers representing the first open and easy-
to-deploy 802.11 packet capture solutions for the Microsoft Windows platform (Troya et al,.
2014). More specifically, Airpcap is:

 A Windows-based, USB form-factor 802.11 wireless traffic capture device
 The only Windows-based wireless traffic capture device that fully integrates with
Wireshark to present full 802.11 management, control and data frames
 The only wireless traffic capture device to fully integrate with Cascade Pilot
 AirPcap Tx USB 802.11b/g Adapter - $298.00
2.4.6 Cost Comparison of Existing Packet Sniffer

Device                              Cost
AirPcap Tx USB 802.11b/g Adapter    RM 1300.00
Acrylic Wi-Fi Professional          RM 80.00 / year
Raspberry Pi 3 Model B              RM 160.00


2.4.7 Packet Sniffer with Intrusion Detection

Although a packet sniffer can be used for malicious purposes, it can also be used for intrusion
detection. In this approach the intrusion detection software is placed on a system whose
Ethernet card is put into "promiscuous mode" so that the software can read and analyze all
traffic. It does this by examining both the packet header fields and the packet contents.
Intrusion detection software built on a packet sniffer includes an engine that looks for specific
types of network attacks, such as IP spoofing and packet floods. When the sniffer detects a
potential problem, it responds immediately by notifying the administrator through various
channels, such as the console or an email, or even by shutting down the network session.
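As an added example (not the thesis's own engine), the following Python code runs two of the checks named above over a list of decoded packet records: a packet-flood detector that counts packets per source inside a sliding time window, and a simple IP-spoofing check that flags packets seen on the LAN side whose source address is not in the LAN prefix. The LAN prefix, the thresholds and the sample records are assumptions made for the example; a real deployment would feed the alerts to the notifier (console, email) described above.

```python
"""Toy intrusion-detection engine on top of a sniffer's decoded packets.

Added example, not code from the thesis. Records are plain dicts as a
decoder might emit them: {"t": seconds, "src": ip, "dst": ip, "dport": port}.
LAN prefix, thresholds and sample records are assumptions for the example.
"""
from collections import defaultdict, deque
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")   # assumed home/lab subnet
FLOOD_THRESHOLD = 5                          # packets per window (assumed)
WINDOW_SECONDS = 1.0                         # sliding window length (assumed)


def detect_spoof(records):
    """IP spoofing check: a packet captured on the LAN whose source address is
    not inside the LAN prefix cannot be a legitimate local host."""
    alerts = []
    for r in records:
        if ipaddress.ip_address(r["src"]) not in LAN:
            alerts.append(f"spoof? src {r['src']} not in {LAN} at t={r['t']}")
    return alerts


def detect_flood(records):
    """Packet flood check: per-source sliding window; alert once per source
    the first time the count inside the window exceeds the threshold."""
    windows = defaultdict(deque)   # src -> timestamps still inside the window
    flagged = set()
    alerts = []
    for r in sorted(records, key=lambda x: x["t"]):
        q = windows[r["src"]]
        q.append(r["t"])
        while q and r["t"] - q[0] > WINDOW_SECONDS:
            q.popleft()                      # drop timestamps that aged out
        if len(q) > FLOOD_THRESHOLD and r["src"] not in flagged:
            flagged.add(r["src"])
            alerts.append(f"flood: {len(q)} pkts from {r['src']} "
                          f"within {WINDOW_SECONDS}s at t={r['t']}")
    return alerts


def run_engine(records):
    """Run every detector; a real sniffer would hand the alerts to a notifier."""
    return detect_spoof(records) + detect_flood(records)


# Constructed sample records (not captured traffic): normal LAN chatter, one
# packet with an off-LAN source, and a burst of 8 packets from one host.
SAMPLE = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 80},
    {"t": 0.1, "src": "10.0.0.9", "dst": "10.0.0.1", "dport": 9100},
    {"t": 0.2, "src": "192.0.2.77", "dst": "10.0.0.1", "dport": 22},
] + [{"t": 0.5 + i * 0.05, "src": "10.0.0.7", "dst": "10.0.0.1", "dport": 53}
     for i in range(8)]

if __name__ == "__main__":
    for alert in run_engine(SAMPLE):
        print(alert)
```

The spoof check is deliberately one-sided: it catches an outside address pretending to be local on the LAN interface, but a spoofed address chosen inside the LAN prefix would pass, which is why sniffer-based detection of spoofing is usually paired with MAC-to-IP consistency checks.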

2.4.8 Comparison of Existing Packet Sniffer and Proposed Packet Sniffer

Network analyzers, also known as packet sniffers, are amongst the most popular network tools
found inside any network administrator’s toolkit. A packet sniffer allows users to capture
network packets as they flow within the network or Internet. Administrators usually make use
of packet sniffer to help uncover, diagnose and fix network problems.

Any typical packet sniffer will capture and display packets, providing basic packet information
such as time of capture, source and destination MAC address, source and destination IP address,
Layer 4 protocol information (TCP/UDP flags, ports, sequence/acknowledgement numbers)
and the data payload (Firewall.cx, 2016).

The proposed packet sniffer will provide these features plus one additional feature, packet
injection. Packet injection (also known as forging or spoofing packets) is a computer networking
term for interfering with an established network connection by constructing packets that appear
to be part of the normal communication stream. Packet injection allows an unknown third party
to disrupt or intercept packets exchanged by the consenting communicating parties, which can
degrade or block users' ability to use certain network services or protocols. Packet injection is
commonly used in man-in-the-middle attacks and denial-of-service attacks (Private Tunnel,
2017).
2.5 Raspberry Pi

The Raspberry Pi is an efficient, cost-effective, credit-card-sized computer brought to light by
the United Kingdom's Raspberry Pi Foundation with the aim of promoting and strengthening
computer science teaching in schools and in developing countries (Chheda, 2013). Since its
inception, various open source communities have contributed a great deal of open source
applications and operating systems, as well as other small form factor computers similar to the
Raspberry Pi. To date, researchers, hobbyists and other embedded systems enthusiasts across
the planet have been building remarkable projects with the Pi. Since its launch, the Raspberry
Pi has been under constant development and improvement in both hardware and software,
which in turn is making it a "full-fledged computer" that can be considered for almost all
computing-intensive tasks (Small, 2015).

2.5.1 Raspberry Pi as A Cost-Effective Solution

The Raspberry Pi is no longer synonymous with homemade projects and hobbyists, it’s entered
the Corporate world to bring a cost-effective solution to business (Duranton, 2017).

The Raspberry Pi is a credit card-sized microcomputer that can be connected to a monitor,
mouse and keyboard to deliver functionality similar to a regular desktop computer. This
Linux-based system was originally intended to teach coding skills in schools, but it quickly
evolved into a low-cost and efficient computer across the business world.

2.5.2 Benefits of Raspberry Pi

 Each Pi costs only about RM100 - RM200, which makes the Raspberry Pi an incredibly
cost-effective solution
 The Raspberry Pi is very well supported: there is a huge selection of apps, development
tools, tutorials, forums and media programs available online
 It is highly customizable and easy to use
2.6 Systems Development Life Cycle (SDLC) Methodologies

Software Development Life Cycle (SDLC) provides a systematic process for building and
delivering software applications from inception to completion. There are a number of different
SDLC methodologies that can be used to deliver projects.

 Waterfall Model

Waterfall is the oldest and most straightforward of the structured SDLC methodologies. There
are strict phases and each phase needs to be completed first before going to the next phase.
There is no going back. Each phase relies on information from the previous stage and has its
own project plan. Waterfall is easy to understand and simple to manage. However, it is usually
prone to delays as each phase needs to be reviewed and fully signed off before the next phase
can begin (Balaji, 2012).

Pros:

 Easy to understand and functional
 Simple enough to handle as the model is rigid
 Saves a significant amount of time
 Allows for easy testing and analysis

Cons:

 Only matches precise needs
 Not applicable for maintenance projects
 Does not allow editing in the testing phase
 No option to know the possible outcome of a project
 Not excellent for long and ongoing projects
 Agile Model

The agile model combines the iterative and incremental models by breaking a product into
components, where on each cycle or iteration a working version of a component is delivered.
The model produces ongoing releases (iterative), each time adding small changes to the
previous release (incremental). During each iteration, as the product is being built, it is also
tested to ensure that at the end of the iteration the product is shippable. The agile model
emphasizes collaboration, as the customers, developers and testers work together throughout
the project (Ambler, 2002).

Pros:

 Adaptive approach that responds favorably to changes
 Allows for direct communication to maintain transparency
 Improved quality by finding and fixing defects quickly and identifying expectation
mismatches early

Cons:

 Focuses on working software and lacks documentation efficiency
 Chances of getting off track as the outcome is not clear
 Spiral Model

One of the most flexible SDLC methodologies, the spiral model takes the repetition of the
iterative model and combines it with the structured and systematic development of the
waterfall model, with a heavy emphasis on risk analysis. The project passes through four
phases (identification, design, build, and evaluation with risk analysis) over and over in a
"spiral" until it is completed, allowing for multiple rounds of refinement (Boehm, 2009).

Pros:

 Risk factors are considerably reduced
 Excellent for large and complex projects
 Allows for additional functionality later
 Suitable for highly risky projects with varied business needs

Cons:

 Costly model in software development
 Failure in the risk analysis phase may damage the whole project
 Not appropriate for low-risk projects
 Might get continued and never finish
 Prototyping Model

The Prototyping Model is a SDLC in which a prototype (an early approximation of a final
system or product) is built, tested, and then reworked as necessary until an acceptable prototype
is finally achieved from which the complete system or product can now be developed. This
model works best in scenarios where not all of the project requirements are known in detail
ahead of time. It is an iterative, trial-and-error process that takes place between the developers
and the users (Jacobson, 2011).

Pros:

 Gives a clear idea about the functional process of the software
 Reduces the risk of failure in a software functionality
 Assists well in requirement gathering and the overall analysis

Cons:

 Chances of an increase in management cost
 Excessive involvement of the client can affect processing
 Too many changes affect the workflow of the software
2.7 Methods

This research will be conducted using a simulation approach. The simulation approach is
suitable for this research because it allows real-world activities and processes to be imitated in
a safe environment (Lateef, 2010). A packet sniffer requires a safe environment for testing, to
prevent damage to any important systems. Besides, simulation is flexible: system variables can
be modified to pick the most effective solution among the various alternatives, and changes to
the system can be made quickly. Simulation suits this research because the variables change
constantly throughout the project. Furthermore, simulation allows the researcher to work
independently, because it can be executed without having to distribute the system to testers.
Results can be obtained by running the simulation on the developed prototype, and the
researcher can modify the development until the results are satisfactory.

Another method that can be used for this research is the experimental approach. It is a basic,
straightforward, efficient type of research that can be applied across a variety of disciplines.
The difference between simulation and experiment is that an experiment takes any form of
data, while a simulation can only manipulate the variables in a specific way. For example, in a
simulation the researcher uses packets picked beforehand for the test, while in an experimental
setting the packet sniffer is tested without using specific packets. In other words, an experiment
is a simulation in which anything could happen. Both the experimental and the simulation
approach will be used together to get the best result (Bordens, 2002).

2.8 Conclusion

In a nutshell, the literature reviewed above indicates that there is a lack of computer security
laboratory components in many universities and colleges across the world due to the high setup
cost, which shows the need for a cost-effective way to develop such components. This packet
sniffer will therefore be developed on a Raspberry Pi in order to achieve cost-effectiveness.
