You will do this assignment in groups of 3 or 4.

Phase I
=======

Electronic voting machines today have a huge code base and are prone to malicious attacks. In addition to auditing the code base, we can obtain added security by detecting anomalous runs of the voting machine software. You will be given a simplistic voting machine to play with. Your task is to use ptrace() to monitor the execution of that voting machine and report any anomalies.

The voting machine issued is intentionally simplistic. Your anomaly detection software should be able to detect anomalies in our voting machine as well as in any other voting machine we might give it. You will first devise a training methodology to build a model of the voting machine. Your training methodology should be generic enough to be applied to any voting machine. Specifically, your training application should model the voting machine's non-anomalous activity over some number of benign, correct voting sessions. After training is complete, you will write a ptrace backend that enforces proper running behavior and reports an error whenever an anomaly is detected.

Note: If your methodology requires machine learning algorithms, you are free to use machine learning toolkits to learn the weights from the training set you develop. One such toolkit which might be useful is Weka, http://www.cs.waikato.ac.nz/ml/weka/. Matlab and R are also useful for such analysis. Should you require a disassembly library, we suggest http://webster.cs.ucr.edu/AsmTools/OllyDbg/DISASM.ZIP

Deliverables: Due Thursday, October 26, at the beginning of class.

I) A report on your methodology of training and anomaly detection. The report should also include a comprehensive related work section describing the current state of the art in host-based anomaly detection.
II) Complete documented code on a CD.
III) A 15 minute presentation on your anomaly detection methodology.
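Added example, not part of the handout and not any group's submission: the smallest detector of the kind Phase I asks for, written here to show the train-then-enforce split concretely. It is a ptrace() tracer in the style of Forrest et al.'s "stide": in "train" mode it records every window of N consecutive system-call numbers the traced program makes and saves them as the model; in "detect" mode it reloads that model and reports any window never seen during training. The window length N = 3, the model capacity, the binary model-file layout, the program name stide and the function names are all choices made for this example, not requirements of the assignment; it targets Linux on x86_64 or aarch64, where the syscall number is read from orig_rax or x8 at a syscall-entry stop.

```c
/* Added example, not part of the handout: a ptrace()-based syscall-sequence anomaly
 * detector after Forrest et al.'s "stide".  "train" records every window of N consecutive
 * syscall numbers the program makes; "detect" reports any window not seen in training. */
#define _GNU_SOURCE
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#define N 3             /* window length (our choice; tune it against false positives) */
#define MAX_GRAMS 4096  /* model capacity (our choice); plenty for a small voting program */

typedef struct { long grams[MAX_GRAMS][N]; size_t count; } model_t;
typedef struct {
    model_t *model;
    long win[N];                     /* sliding window of the most recent syscall numbers */
    int training;                    /* 1 = record windows, 0 = enforce the model */
    unsigned long seen, mismatches;  /* syscalls fed / windows flagged as anomalous */
} monitor_t;

int model_has(const model_t *m, const long *w) {
    for (size_t i = 0; i < m->count; i++)
        if (memcmp(m->grams[i], w, sizeof(long) * N) == 0) return 1;
    return 0;
}

/* Record a window; returns 1 if it was new, 0 if already known or the model is full. */
int model_add(model_t *m, const long *w) {
    if (model_has(m, w) || m->count >= MAX_GRAMS) return 0;
    memcpy(m->grams[m->count++], w, sizeof(long) * N);
    return 1;
}

/* Whole-model binary dump (our file format); save = 1 writes, 0 reads.  0 on success. */
int model_io(model_t *m, const char *path, int save) {
    FILE *f = fopen(path, save ? "wb" : "rb");
    size_t n = f ? (save ? fwrite(m, sizeof *m, 1, f) : fread(m, sizeof *m, 1, f)) : 0;
    return f && fclose(f) == 0 && n == 1 ? 0 : -1;
}

/* Feed one syscall number; returns 1 iff the window it completes is anomalous. */
int monitor_feed(monitor_t *mon, long nr) {
    memmove(mon->win, mon->win + 1, sizeof(long) * (N - 1));
    mon->win[N - 1] = nr;
    if (++mon->seen < N) return 0;                        /* window not full yet */
    if (mon->training) return model_add(mon->model, mon->win), 0;
    if (model_has(mon->model, mon->win)) return 0;
    return ++mon->mismatches, 1;
}

/* Syscall number at a syscall-entry stop: orig_rax on x86_64, x8 on aarch64. */
static long syscall_nr(pid_t pid) {
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov) == -1) return -1;
#if defined(__x86_64__)
    return (long)regs.orig_rax;
#else
    return (long)regs.regs[8];                            /* aarch64 */
#endif
}

/* Run argv[] under ptrace, feeding every syscall entry to the monitor.  Returns the
 * child's exit status (128+signal if it was killed), or -1 on a tracer error. */
int trace_command(monitor_t *mon, char *const argv[]) {
    int status, entry = 0, sig = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        execvp(argv[0], argv);               /* the tracer sees a SIGTRAP stop after exec */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, sig) == -1 || waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
        sig = WSTOPSIG(status) == (SIGTRAP | 0x80) ? 0 : WSTOPSIG(status);
        if (sig) continue;                   /* a real signal: deliver it unchanged */
        if ((entry = !entry) && monitor_feed(mon, syscall_nr(pid)))   /* stops alternate entry/exit */
            fprintf(stderr, "ANOMALY after %lu syscalls: nr %ld\n", mon->seen, mon->win[N - 1]);
    }
}

int main(int argc, char **argv) {
    static model_t model;                    /* ~96 KiB, so keep it off the stack */
    int training = argc > 3 && strcmp(argv[1], "train") == 0;
    if (argc < 4 || (!training && strcmp(argv[1], "detect") != 0))
        return fprintf(stderr, "usage: %s train|detect MODEL PROG [ARGS...]\n", argv[0]), 2;
    if (model_io(&model, argv[2], 0) != 0 && !training) return perror(argv[2]), 2;
    monitor_t mon = { .model = &model, .training = training };   /* "train" extends an existing model */
    int rc = trace_command(&mon, argv + 3);
    if (training && model_io(&model, argv[2], 1) != 0) perror(argv[2]);
    fprintf(stderr, "%lu syscalls, %lu anomalous windows, %zu windows in model\n", mon.seen, mon.mismatches, model.count);
    return !training && mon.mismatches ? 1 : rc;
}
```

Usage, with the program name assumed above: run `./stide train votes.model ./voting_machine` once per benign voting session (each run adds to the same model file), then `./stide detect votes.model ./voting_machine` to enforce; detect mode exits 1 if any window was flagged. Two things a practitioner would check before trusting such a model: the false-positive rate on benign sessions not used for training (a too-small N or too few sessions makes an otherwise benign run look anomalous), and the fact that the model sees only syscall numbers, not their arguments, so an attacker who can drive the voting machine is free to pick any action whose syscall sequence the training already covered. That second point is exactly what Phase II invites the other group to exploit.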
Phase II
=======

Once the anomaly detector phase of the project is complete, the groups will exchange their detection software with another group in the class. Each group will then do everything possible to cause an undetected anomaly in the detection software it received. In attacking another group's software, you must abide by the following rules:

1.) You must train the detection software according to the architect's specifications.
2.) Modifying the actual voting machine application binary (physically on the machine) constitutes building a new voting machine, which the detector must then be trained on.
3.) You cannot do anything to the anomaly detection software itself, either to the binary or in memory. You must pretend that the anomaly detection software is running in an area that you cannot access.

Given the source for the detection software and complete control over the voting machine, try to find every malicious activity you can get away with while abiding by the above rules.

Deliverables: Due Thursday, November 16, at the beginning of class.

I) A report on your analysis of the other group's detection software.
II) Complete documented code on a CD.
III) A 15 minute presentation on your analysis.

Phase III
=======

Based on the analysis from Phase II, each group will be given a chance to improve their anomaly detector. This will give you the opportunity to correct any flaws which you missed during Phase I. You will also revise your Phase I report if you have made any changes to your detection algorithm.

Due: Friday, 12/8, at the beginning of class.