Web Application Development 2 Group Project Web App (25%) Introduction The WAD2 Project is mainly based on the development of a web application of your choosing. Your web application should be developed using Python, Django, HTML, CSS and associated technologies including Javascript, JQuery and AJAX. Implementation of your web app should draw on the skills built up during the development of Rango. Teams are free to use their own ideas, however there are some basic expectations: • the app should involve user authentication; • it should certainly interact with some kind of model stored in a database; • it should be visually appealing and have an intuitive user interface; • overall the functionality supported should be rich enough in order to allow you to demonstrate an understanding of the technologies listed above. Beyond these guidelines, it is up to you, though if you do need some ideas, the following section lists some example projects from previous years. Example project ideas from previous years • Rate My Beard o Users with beards can upload photos inviting feedback; other users can login, view photos and give feedback • GU Grub Guide o Users can leave ratings for restaurants and view other users’ ratings • UnNoobMe o Students seeking private tutors and tutors seeking clients are allocated to each other • Does my MSP Represent Me? o Users can find out information about how their MSP is voting in Parliament • TripShare o Users can post information about their upcoming trips, browse / search for trips and request to join a specific trip • Bargain Radar o Small businesses can post their discounted deals; customers can browse deals and add them to baskets • SHAKESbeer o Allows users to contribute cocktail recipes; users can browse and search over, and rate and comment on, cocktails • FilmBook o Users can login and browse, search and rate movies; film producers can login and upload new films so that they can be rated • Federated Health Search Application o People find out about particular conditions and to save the information that they find into different folders. The app lets people search across two different medical sites • Zombie Survival o A game of search and survival. The web application needs to interface with a series of classes that create the world in which the player needs to survive. The last two projects are described in more detail in Appendix 2. Working in a team You should think about how the tasks associated with the development of your team’s web app should be divided. Try to ensure that activities are assigned so that every member of the team can be involved at all times. Here is a possible breakdown of responsibilities for a four- person team (this is just an example and you should feel free to organise things differently if you prefer. Remember, contributions can also be balanced with earlier design work and the forthcoming presentation): 1. user authentication, unit testing 2. models, Javascript, AJAX 3. views and URLs 4. templates and CSS What should be submitted You should host your application on PythonAnywhere and also ensure that the latest version of the code is stored in a public GitHub repository. The URLs for both of these locations will need to be submitted. You should ensure that your final application addresses the following requirements: Deployment • Application is deployed via PythonAnywhere and runs from there • Requirements file is included and contains the correct packages o Within your main project folder you should include a file called requirements .txt that can be used to install the relevant packages within a newly-created virtual environment using pip install –r requirements .txt. You can create this file easily using pip freeze > requirements .txt. • Database files not included o You should not commit your database files so that when your tutor works on deploying your application on his/her local machine, the database can be recreated from scratch by making the relevant migrations and running your population script. • Population script. works and contains useful example data o Create a population script. called population_script .py with enough relevant data in your main project folder. • Application can be deployed on marker's own machine Functionality • Main functionality has been implemented (hopefully reflecting the design) o Here you should refer back to your design specification to guide development towards providing functionality consistent with what was envisaged. o If you have used external sources, you should acknowledge them in a README file in the top-level folder of your project. Failure to acknowledge external sources could result in a deduction of marks under the “main functionality” heading. o Although there are marks available for deploying your application on PythonAnywhere, the main functionality will be checked with respect to the version that your tutor deploys locally (i.e., the version on localhost). • Application is bug-free / no error messages occur o The user should be able to access all of the functionality of the application without encountering Django error messages. You should thoroughly test your application to ensure that this is the case. • Application includes some Javascript. / JQuery / AJAX o Your application should not be based solely on Python and Django, and there should be evidence of usage of one or more of some of the technologies covered later in the course including Javascript. / JQuery / AJAX. (More marks for more ambition!) Look and Feel • Polished / refined interface, not clunky • Uses a responsive CSS framework o CSS can be quite fiddly – to help with the layout and appearance of your web pages you are recommended to use a CSS framework such as Bootstrap. • If browser window size changed, is the change handled neatly? • In the “Look and Feel” category, marks are available for an attractive and intuitive user interface with good use of CSS. Code • Templates inherit from base • URLs are relative, i.e., use the {% url ..%} tag • Code contains helper functions/classes (if required) • Code is readable, clear and commented where appropriate • CSS and Javascript are kept separate from templates (i.e., not inline) • No repetition of code blocks in the views or templates • Unit tests are included • In the “Code” category, marks are available for well-organised code, adhering to the principles that you will have learned during the development of the Rango app. A sample marking scheme is included in Appendix 1. Use of external sources It is recognised that you may use external sources (e.g., Bootstrap) when developing your application. However these must be acknowledged when you submit (see below). How to submit After developing your web application you should host it on PythonAnywhere and ensure that the latest version of your code has been pushed to your team’s GitHub repo. One member of the team should then submit a one-page document via the “ Project” submission icon on the Moodle page for the course, containing the following information: • Name of web application • Lab group number and team letter (e.g., Lab group 4, Team B) • Team members (names and student numbers) • GitHub URL for the app • PythonAnywhere URL for the app • Any external sources used (code, libraries, APIs), if applicable. The person making the submission will be required to complete a Declaration of Originality on behalf of all team members when submitting via Moodle. If you have used any external sources, be sure to acknowledge them in your one-page document. For reference, the School’s plagiarism policy is contained in Appendix A of the Undergraduate Class Guide. Appendix 1: Sample marking scheme The following marking scheme is intended to give a broad indication as to how marks will be apportioned. The actual marking scheme used in practice may deviate slightly from this. Category Marks Deployment Application is deployed via PythonAnywhere and runs from there 4 Requirements file is included and contains the correct packages 2 Database files not included 1 Population script. works and contains useful example data 3 Application can be deployed on marker's own machine 2 Functionality Site core functionality – an ambitious project has been undertaken 20 Application is bug-free / no error messages occur 2 Application includes some Javascript. / JQuery / AJAX 6 Look and Feel Polished / refined interface, not clunky 8 Uses a responsive CSS framework 3 If browser window size changed, is the change handled neatly? 1 Code Templates make use of inheritance 2 URLs are relative, i.e., use the {% url ..%} tag 2 Code structure: readable, clear and commented where appropriate etc 3 CSS and JavaScript. are kept separate from templates (i.e., not inline) 3 No repetition of code blocks in the views or templates 2 Unit tests are included and are comprehensive, including testing views 6 Total 70 The total mark will be converted to a band which will be the team’s mark for this component of the assessment. Appendix 2: Example projects from previous years In a previous year, there were four fixed project ideas and each team was required to select and work on one of those four. Specifications from two of these are provided below. These can help provoke your own ideas, and provide an example of the expected scope and complexity of the apps to be created in the project. Note that these are examples to illustrate sample ideas and that diagrams etc might not be in the required format for any of your submissions Federated Health Search Application Description: The purpose of this application is to help people find out about particular conditions and to save the information that they find into different folders. The application lets people search across two different medical sites (medline and healthfinder) and the general web (bing). People using the application would like to self-diagnose, i.e. given some symptoms find out what are the likely conditions. They would also like to find out information about particular conditions, treatments and medicines. Specifications: Searchers need to be able to: • create an account and profile • edit, update and maintain their profile • create a category (where they can save pages that they found) • save pages that they find during the process • search for conditions, treatments, medicines. • share a list of links (via a category) o links and categories should be private, unless shared. The search interface should provide: • a mash up of results from the three search verticals • tabs to enable access to the individual search verticals • results should be annotated in terms of source (which vertical) • a list of user defined categories should be available to select and browse • an easy mechanism to save results to categories • inline query suggestions to help uses with tricky words and spelling When results are saved, the page should be fetched and stored. The readability of the page should be calculated, using TextStat’s Flesch Reading Ease Score. The polarity and subjectivity of the text should also be calculated, using TextBlob. When looking at saved pages, the searcher should be able to see the title of the page, the summary, the source, url, the reading score, polarity score and subjectivity score. The API’s for the federated search are: • http://healthfinder.gov/developer/How_to_Use.aspx • https://www.nlm.nih.gov/medlineplus/webservices.html • https://datamarket.azure.com/dataset/bing/search Additional resources: • https://pypi.python.org/pypi/textstat/0.1.4 • https://pypi.python.org/pypi/textblob/0.11.0 High level system architecture diagram: HealthFinder, Medline and Bing are all external APIs. To provide some clarity I have split out the Search component that will interface with these APIs. And then my middle ware will use this service. ER diagram: Searcher(username, password, email) Category(user, name) Page ( category, title, summary, url, flesch_score, polarity_score, subjectivity_score) Zombie Survival: A Game of Search Description: The purpose of this web application is to provide the frontend interface for a game of search and survival. The web application needs to interface with a series of classes that create the world in which the player needs to survive. The game is as follows: A player starts on day one of the zombie apocalypse. Their goal is to survive as long as possible (as measured by the number of days). Their party size is 1. They have 3 units of food and 2 units of ammunition. They enter a street. A street contains a number of houses. Each house has a number of rooms. A room may contain other survivors, zombies, food and/or ammunition. The player has a number of moves. On the street: (1) a player can choose which house they enter. In a house: (1) enter room (2) move to next room (3) leave house In a room: (1) search room (2) leave room (3) if zombies are present, they can fight or run. a. if they run, they leave the house and return to the street b. if they fight, they might lose the fight (lose party members), or win, in which case they claim whatever is in the room (survivors, food, ammo) c. the number of zombies killed is counted The game mechanic for win/loss is based on the number of zombies, the amount of ammo and the size of the party. During a day, the player has X units of time. Each action costs time. The day ends when they run out of time. At the end of the day, the game mechanic, decreases the amount of food depending on the size of the party. If there is not enough food, then party members might leave. Party size and food is updated, then they start the next day. The web application needs to provide the following functionality. Specifications: Players need to be able to: • create an account and profile • view, edit, update and maintain their profile • start a game and return back to a game in progress. • Play the game according to the mechanics described above • View the leaderboard Visitors to the site: • Need to be able to view the leaderboard • Read the instructions of the game • Be able to register The profile contains the players handle/username and picture along with how many games they have played, their average and best number of days survived and zombie kills. The profile also lists the badges that the player has achieved. Badges: there are 4 badges with different levels (bronze, silver, gold): (i) Survival: survived 5, 10 and 20 days. (ii) Killer: killed 10, 20 and 50 zombies in one game. (iii) Stamina: played 5, 10 and 20 games, (iv) Party: had a party size that contained 10, 20, 40 people. Leaderboard: there are two leaderboards: (i) top 20 players based on days survived, (ii) top 20 players based on zombie kills. As the application will use the Game Engine provide we have made this explicit in the following high level system architecture diagram: Here is an ER diagram: We assume that a Player can only play one game at one time. Statistics on pasts games are recorded in the Player model. Since they can only be in one game at one time, we can store the game in the player model, too. Player(user, profile_picture, games_played, most_days_survived, most_kills, most_people, current_game) username, password, email, are stored in the django user model. Current_game stored the current instantiated game (tip: use the python pickle package to persist the game object, and save it in the Player model). How the Badge is represented depends a lot on the implementation. My suggestion is below, but other justifiable versions are acceptable, especially if they work in an elegant fashion. Badge( name, description, criteria, badge_type, level, icon) Where badge_type (kills, people, days) and criteria is an integer specifying how many kills, people, days, etc have to be obtained in order to get the badge. Icon is an image that represents the badge. The population script. should ensure that the badges and their icons are all inserted into the database. A class/handler is needed to determine if the criteria for a particular badge_type is met, or not. Achievement (player, badge, date_awarded)
CS5804 Research Project Management Assessment/Coursework for 2024/25 Assessment Title A Research Proposal Distribution Date Monday 3rd February 2025 Submission Deadline Tuesday 6th May 2025 at 11.00 UK time Feedback by Tuesday 3rd June 2025 Contribution to overall module assessment 100% Indicative student time working on assessment 70 Hours Word or Page Limit (if applicable) 2500 Words (excluding references and Gantt chart) Assessment Type (individual or group) Individual Main Objective of the Assessment The coursework for CS5804 (Research Project Management) is an individual research proposal. This assignment assesses the following learning outcomes (LOs): 1. Critically reflect upon and argue convincingly for the study of a chosen problem area (LO1). 2. Formulate and critically justify an appropriate research design applicable to the chosen problem area (LO2). 3. Demonstrate a practical and critical understanding of the key issues and challenges to managing a research project (LO3). This coursework is designed to prepare you for the dissertation part of your MSc studies, where a key element to a successful MSc dissertation is a well-thought out project proposal. In this assignment, you have three suggested topic areas. You can also choose your own topic area for this assignment, if you so wish, as long as it is relevant to your degree programme. For your dissertation, you will also have a free choice, subject to obtaining the necessary agreement from your supervisor Description of the Assessment You will be required to produce a research proposal. The topic of your research proposal can either be chosen from below or you can identify your own topic. Please make sure that the topic you choose is aligned to the particular MSc that you are doing. Suggested Topic Area 1: Assessing the Evidence about e-Participation E-participation is a generic term which refers to the use of Web-based technologies, such as online social networks, to enable citizens to engage in political activity with the ultimate aim of influencing policy making. Examples include organising social movements, for example, to oppose government policy, such as funding cuts; various forms of online deliberation and discourse, for example, eConsultation and eVoting; trades union activity; and citizen journalism. Typical research questions in this area focus on the following issues: · What evidence is there that online interactions, such as those outlined above, foster social inclusion and enable democratic decision making? What alternative research findings exist? · Does e-participation enable new forms of organising, and if so, how enduring are these new forms? Suggested Topic Area 2: Learning Analytics Data Analysis A course instructor has implemented several new features in a learning management system (LMS) to supplement the current activities undertaken by students studying a module. The instructor wishes to investigate the efficacy of each of these new and existing features as single entities and in combination with each other to increase student attainment. This information will assist the instructor in deciding which features to continue with and augment, and which to drop from the repertoire of activities undertaken by the students. The instructor collected data on which students engaged with which features on the LMS, how many times they accessed and engaged with a particular feature, and their final grades. The instructor also has access to the previous cohort’s final grades to allow comparisons to be made when none of these features were enacted. All of the data is available in CSV files. Students are anonymised and identified by number only. Typical research projects in this area address the following hypotheses: · Hypothesis: Specific instructional features are more effective than others at increasing student attainment either singly or in combination with each other. · Null Hypothesis: No specific feature or features make any difference to student attainment; it is influenced solely by the number of times a student accesses the materials. Suggested Topic Area 3: Design for Emotional and/or Physiological Signals Wearable devices and smart phones are increasingly being enabled to detect data from their users and the environment. This can include human physiological signals (such as heart rate) but research is also exploring whether human displays of emotion can be detected (for example from facial expression, tone of voice). Typical research questions in this area focus on the following issues: · What kinds of applications could benefit from the integration of such technology? · What are the legal and ethical implications? · Are there user acceptance issues? · How can the effectiveness of such applications be evaluated? Additionally, as part of this coursework you are required to undertake (and pass) an online Academic Misconduct Quiz. This can be (re)taken as many times as you need till you get the requisite score to pass the Quiz, the Completion Certificate of which needs to be included as an appendix in your submission - failure to do this will result in FAILING CS5804. Assignment Structure Your research proposal should include a literature review; a justification for your choice of research methods; a strategy for collecting data or recruiting participants; and a plan of work for completing your project by mid-September 2025. You should do this by answering the following questions: 1. What work has been done already in the topic area and what are the compelling unanswered questions? Your answer should demonstrate that your research question is one that needs further work. 2. What research methods will you use? Do you think that any other research methods could be used? Justify your selection using appropriate references. 3. What type of data will you need to collect? If your project requires you to conduct some research using participants, what types of participant will you need? How will you recruit them? 4. How long will your project take? You should answer this question by including a Gantt chart. Your Gantt chart should include no more than 10 key activities, with dates, and be accompanied by a short description of each activity. 5. What good project management principles will you use to ensure its success? Do the stages of the GANTT chart include milestone(s) and deliverable(s), as appropriate? Have you identified a risk matrix for your project, with the likelihood of risks to your project, their potential effect on the project, as well as identified measures to mitigate the risks? Your research proposal should be no longer than 2500 words, excluding references and the Gantt chart
CSCI-GA.3033-107: Cryptography of Blockchains Spring 2024 Homework #2 Due: 11:59pm on Sunday, 3/10, 2024 Submit via Brightspace Problem 1. Distributed Randomness Beacons using VDFs. A distributed randomness beacon (DRB) allows mutually untrusted parties to engage in a protocol and derive a random value ω that cannot be biased by any party. Consider the verifiable delay function VDF(x) : G → G = x2t where (G, ·) is a multiplicative group of unknown order. Let g be a generator of G and let h = VDF(g). Consider the following one-round protocol DRB1: Round 1: Each party reveals a random value ri. Suppose n parties participate in Round 1. The DRB output is obtained as ω = ( ! n i=1 ri)2t ∈ G. a. Show that this protocol is not secure and can be biased. That is, describe an attack an adversary acting as of the parties can perform. that lets them set the DRB output to any value they want. (Note the adversary can get preparation time before the protocol starts.) b. Suggest a solution to this attack based on the solution used to prevent the rogue-key attack when aggregating BLS signatures. (You need not prove your answer. A brief justification is enough.) An issue with the VDF-based DRBs is that they always require a costly VDF computation to be done. Consider the following protocol DRB2: Round 1: Commit Round: Each party i samples a random nonce αi and shares ci = gαi . Round 2: Reveal Round: After all parties share their commitments, each party reveals αi. (If ci = gαi then this αi is ignored by the other parties). Suppose n parties participate in Round 1. There are two scenarios here, based on the behavior. of the n parties in Round 2. The optimistic scenario allows all the parties to compute the output quickly while the pessimistic one resorts to the costly VDF computation. • Optimistic case: If all n parties reveal a valid nonce in Round 2, then the DRB output ω is quickly obtained as ω = ! n i=1 hαi . • Pessimistic case: If any party skips Round 2, then the DRB output is obtained by the others as ω = VDF( ! n i=1 ci). (You may verify that the randomness obtained in the two cases is the same.) c. This scheme also suffers from a biasing attack similar to the one in part (a). Show how. d. As in part (b), write out a solution that prevents the above attack. (Again, it’s based on the technique used in BLS signature aggregation. And you need not formally prove security.) e. Even after this fix, there is an inherent weakness associated with any DRB that has an “optimistic” fast case and a “pessimistic” slow case. Show how one party participating in the protocol can learn ω much faster than all the other parties. (Note that they don’t bias the value. They only learn it much faster than the others.) 1Problem 2. More VDFs a. Is Proof-of-Work a VDF? Why or why not? If it is, describe the VDF input, output, and prove and verify functions. If not, describe what property of a VDF is not satisfied. b. Can a VDF be used as a Proof-of-Work function? For a given challenge ch, the goal of the miner to now produce a valid output and proof for a given VDF function on input ch. c. A commonly used randomness beacon is the Bitcoin blockchain. Suppose random value r is obtained by hashing the latest block header b as r = H(b). What is one issue with this method? (Hint: think about which parties can bias the randomness.) d. What if the randomness is obtained by hashing the VDF output on the header, instead? That is, r = H(VDF(b)). Briefly explain (doesn’t have to be formal) how this is secure or insecure. Problem 3. Certificates of Correctness In class, we so far have seen ways to obtain quorum certificates where each signature has equal weight. What if we want to extend this to a scenario where different nodes have different weights? This may be the scenario in a Proof-of-Stake blockchain where the more stake you have, the more your vote counts. Instead of needing 2/3rd of all miners for a quorum, you need 2/3rd of all the weight (that is, stake). a. Let node i have weight wi for i = 1, . . . , n. Modify the Merkle tree construction for QC to show that some fraction x of all stake is in the quorum. Hint: Assume the total stake is T = " n i=1 wi. The Merkle tree should enable the verifier to query a value q between 0 and T and the prover returns the leaf wi ′ , such that " i ′ −1 i =1 wi < q and " i ′ i =1 wi >= q. The Merkle tree needs to track more information than just the hashes in order to do this. Problem 4. Security of Wesolowski VDF This question will analyze the role of the prime challenge ℓ in Wesolowski VDFs. To establish notation, the input is (G, g, h,t), w here g, h ∈ G and the prover claim is that h = g2t . The verifier sends a challenge ℓ, which is a prime. The prover responds π where π = gq and 2t = qℓ+r and r < ℓ. The a. Show that the scheme isn’t secure when ℓ ≈ 2λ is the product of small primes each less than k (for some constant k), by describing an attack that runs in time O(k · λ) group operations. Problem 5. Batching Polynomial Commitments In this question, we’ll build and efficient batch evaluation proofs from a linearly homomor� phic polynomial commitment scheme. Here, a prover P and verifier V have input polynomials f0, . . . , fℓ−1 ∈ F
STATS 3DA3 Homework Assignment 4 Instruction • Due before 10:00 PM on Tuesday, March 18, 2025. • Upload a PDF copy of your solutions to Avenue to Learn. You do not need to rewrite the questions in your submission. • Late Submission Penalty: A 15% deduction per day will be applied to assignments submitted after the deadline. • Late Submission Limit: Assignments submitted more than 72 hours late will receive a grade of zero. • Grace Period for Accommodations: A 72-hour extension beyond the due date is granted for students with approved accommodations through SAS. • Your submission must follow the Assignment Standards listed below. Assignment Standards • Include a title page with your name and student number. Assignments without a title page will not be graded. • Use Quarto Jupyter Notebook for your work (strongly recommended). • Format your document with an 11-point font (Times or similar), 1.5 line spacing, and 1-inch margins on all sides. • Use a new page for the solution to each question (e.g., Question 1, Question 2, Question 3). — Clearly number all solutions and sub-parts. • Do not include screenshots in your submission; they will not be accepted. • Ensure your writing and referencing are appropriate for the undergraduate level. • You may discuss homework problems with other students, but you must prepare and submit your own written work. • The originality of submitted work will be checked using various tools, including publicly available internet tools. Assignment Policy on the Use of Generative AI • The use of Generative AI is not permitted in assignments, except for using GitHub Copilot as a coding assistant. — If GitHub Copilot is used, you must clearly indicate this in the code comments. • In alignment with McMaster academic integrity policy, it “shall be an offence knowingly to submit academic work for assessment that was purchased or acquired from another source”. This includes work created by generative AI tools. Also state in the policy is the following, “Contract Cheating is the act of”outsourcing of student work to third parties” with or without payment.” Using Generative AI tools is a form of contract cheating. Charges of academic dishonesty will be brought forward to the Office of Academic Integrity. Question Consider the banknote dataset from the mclust package in R. The dataset can be downloaded from banknote. You can read the data dictionary for the banknote dataset at Banknote dataset. The data set con- tains six measurements made on 100 genuine and 100 counterfeit old Swiss 1000-franc banknotes. You will uncover patterns in the data using clustering and principal component analysis, but first, you must prepare the dataset. 1. Store the Status variable in a separate object. Later, we will compare the outcomes of the unsupervised methods against the actual labels to evaluate their performance. 2. What are the variables in the dataset? 3. From the banknote dataset, remove the Status variable. Ensure that all analyses and tasks going forward are conducted using this modified dataset. 4. Calculate the mean and variance for each variable in the dataset. Which variable has the largest variance? Discuss the implications of this finding for unsupervised learning, particu- larly how this variable’s characteristics might influence the analysis compared to the other variables. 5. Normalize the dataset by centering and scaling all variables. Use this standardized dataset for all subsequent analyses (Questions 6-12). 6. Using k-means clustering, group the banknotes into clusters. Select a random number of clusters, denoted as k, according to your discretion. Set n_init to 20 to ensure the algorithm runs with 20 different centroid seeds. After clustering, calculate the average silhouette score for the cluster assignments to evaluate the clustering performance. 7. Determine the optimal number of clusters, k, for the dataset based on the silhouette score distribution. To achieve this, plot the silhouette scores for various values of k (e.g., k = 2, 3, 4). Based on these plots, select the k that best fits the data. Provide two reasons supporting your choice of k. 8. Apply k-means clustering to find clusters of banknotes with you found in question (7). Set n__init to 20 to ensure multiple initial centroid seeds are tested. After clustering, calculate and report the number of observations within each identified cluster. 9. Since visualizing clusters with all variables in the dataset is not feasible, we will employ princi- pal component analysis (PCA) to reduce the dimensionality of the banknote data, excluding the Status variable. Use the normalized data prepared in question (5) for this analysis. De- termine the number of principal components to compute. Justify your choice of the number of components, considering factors such as explained variance and the scree plot. 10. Refer to the PCA obtained in question (9) to identify which variable has the most significant influence on the second principal component. Explain your rationale for identifying this variable. 11. Determine the proportion of the total variance in the original dataset that is explained by the first two principal components. Provide the Python code that calculates this proportion based on the PCA results obtained in question (9). 12. Create a visualization of the k-means cluster assignments from question (8), using the first two principal components as the axes. This visualization will help illustrate how the clusters are distributed in the reduced-dimensional space. 13. Compare the true labels, represented by the Status variable saved in question (1), with the k-means cluster assignments determined in question (8). Use the adjusted Rand index to quantify the similarity between the true labels and the clustering assignments. Provide commentary on the implications of the results obtained from this comparison. Grading scheme 1. Codes [1] 2. Answer the question [1] 3. Codes [1] 4. codes [1] and answer two questions [2] 5. Codes [1] 6. Codes with appropriate inputs [2] 7. Codes and Plots [2] Choose the best [1] Write two reasons for choosing that [2] 8. Codes [1] and answer the question [1] 9. Codes [1] and answer the questions [2] 10. Answer the question [1] and explain the reason [1] 11. Codes [1] and answer the question [1] 12. Codes [1], readable plot [1], readable axes labels [1], cluster an- notation with colors [1] 13. Codes [1] and comment on the results [1] The maximum point for this assignment is 29. We will convert this to 100%.
Engaging with Inuit knowledge of environmental change in the climatological research Assignment for EESB03: DUE BY MARCH 26, 2025 by 10 am Context: Understanding climate change holistically in the Arctic requires multiple ways of knowing. While meteorological data provide measurable trends in wind speed and direction, Indigenous knowledge—rooted in generations of lived experience—offers crucial context on how these changes affect the land, ice, and livelihoods of northern communities. This assignment invites you to explore how wind patterns in eastern Hudson Bay have changed over the past 30 years and what this means for Inuit hunters and travelers in Kuujjuaraapik, Nunavik. By engaging with both IK and meteorological data, you will gain insights into how scientific observation and Indigenous knowledge can complement one another to provide a fuller picture of environmental change. Your work in this assignment will be twofold: 1. Analyze two different knowledge systems—one based on Indigenous observation and one on scientific measurement—to assess changes in wind conditions in a changing climate condition. 2. Apply this knowledge to a real-world climate assessment, considering the perspectives of Inuit land-users, scientists, and policymakers. As you begin, remember that Inuit Knowledge (IK) is deeply tied to the land, culture, and survival of Inuit communities. It provides not just observations, but also meaning and context—something essential in climate science today. Understanding wind changes is not just a scientific exercise; it is about safety, food security, and the ability to travel in an environment for Inuit people in this case where the wind dictates movement across ice-covered waters. By the end of this assignment, you should be able to explain why integrating (IK) with climatological data leads to more informed decision-making, strengthening both scientific research and Indigenous governance in the face of climate change. Assignment overview: Changes in wind speed and direction over the past 30 years have had considerable effects on sea ice and oceanographic conditions in Nunavik (northern Quebec). These changes have significantly impacted hunting and travel for Inuit. This assignment explores changes in wind in eastern Hudson Bay as identified by Inuit in collaborative studies of Inuit knowledge (IK), and by studies of observational meteorological data in Kuujjuaraapik, Nunavik. The assignment has two parts; the first part involves examining sources of knowledge from both Inuit knowledge and meteorological data. And the second part you will write a brief report on wind changes. In this assignment you will be asked to: 1) evaluate robust sources of IK-based indicators of change and climatological data; 2) engage with IK while evaluating meteorological data; and 3) describe how the results of meteorological and IK analyses can be used together as evidence when making an argument. A broader underlying goal will be for you to be able explain how Inuit knowledge provides critical context in global climatological assessments, acting as an important aid for the decision making process in terms of understanding the impacts of climate change. Important Note: it is important that you have listened to the lecture recording and studied the readings related to the IK knowledge and climate change before you begin the assignment. Part 1: Explore sources of knowledge about eastern Hudson Bay wind speed and wind direction changes You will consider two sources of data from eastern Hudson Bay: IK indicator data, and weather station data. Step 1) Look at Table 1, which contains quotes from Inuit knowledge holders. These were obtained from two separate studies in which Inuit knowledge holders discuss changes in wind speed and wind direction. - Consider where this data comes come from. a. Going back to your lecture slides (notes) in which we discussed indicators of robustness in studies of Inuit knowledge, list three ways in which each source is reliable or robust. - 1mark b. What is one limitation to this data in terms of understanding changes in wind speed and/or direction? - 1 mark Step 2) Open the wind speed and wind direction files that are posted at Quercus under the assignment tab (from meteorological station). These data are based on changes in wind speed and direction in the month of December from 1971 - 1990 and from 1991 - 2010. - Look at the source of this information: a. List three ways in which this source is robust. - 1 mark b. What is one limitation to this data in terms of understanding changes in wind speed and/or direction? - 1 mark Step 3) Answer the following questions: i. Compare and contrast the nature of IK and quantitative data: a. What kinds of data are each source based upon? - 0.5 mark b. How are these sources of knowledge different? - 1 mark c. How are they similar? - 0.5 marks ii. What changes in wind speed have occurred? - 1 mark iii. What changes in wind direction have occurred? - 1 mark iv. In 2-3 sentences, discuss how using these two sources of knowledge together provide the ability to understand the significance of changes in wind speed and direction, to the community of Kuujjuaraapik, as proposed to simply looking at meteorological data alone? - 2 mark Part 2: Apply IK knowledge to understand impacts of climate change at Kuujjuaraapik Prepare a short (300 word) assessment report. In this report you will focus on the following: - 10 marks i. Summarize in your own words the observable changes in wind speed and direction that have occurred since the 1970s in/around Kuujjuaraapik, citing the sources provided. Discuss their effects in the month of December for the periods of 1971 to 1990 and 1991 to 2010. and potential impacts to Inuit hunters (referring to the case study- Inuit Knowledge and Climatology of Changes in Wind Speed and Direction in Kuujjuaraapik, Nunavik). ii. Include a summary the value of using both sources of knowledge in evaluating the changes in wind speed and direction so that one can understand the impacts of climate change from comprehensive viewpoint. iii. The audience for this report is the Nunavik Marine Region Wildlife Board, and your report will be included in a regional climate assessment for the Nunavik regional government. Assume your audience is comprised of Inuit land-users, scientists, and Inuit decision- makers, who strongly value IK. Remember, They also see the potential of science to contribute to their communities when conducted in a manner that is respectful of Inuit knowledge.
In this project you will familiarize yourself with Python and Jupyter by implementing a rudimentary outlier detection algorithm. The project may be completed individually, or in a pair of two (2) students as long as both students are enrolled in the same section of the course.Platforms For this project (and, in general, for most machine learning or data science projects) you will need a Jupyter notebook with Python 3. Jupyter allows you to create documents mixing text, equations, code, and visualizations.The Jupyter project itself recommends Anaconda if you intend to run notebooks locally on a laptop or desktop computer. Alternatively you may use a cloud service such as Google Colab that offers Jupyter notebooks online.Libraries and Code This project must be implemented in pure Python with the Python Standard Library, without recourse to third-party libraries. Code from A Whirlwind Tour of Python may be reused. All other code and the results of experiments must be your own original work or the original work of other members of your team.Dataset The file participants.csv contains meeting attendance data reported by Zoom for the first three weeks of a course. Each row contains the name of a student along with the number of minutes that the student was logged in to the course Zoom meeting. (The names of students have been changed to protect the innocent.)Experiments Run the following experiments in a Jupyter notebook, performing actions in code cells and reporting results in Markdown cells. 1. Use the csv module to load and examine the dataset. 2. Find the quartiles for Week 1. You may wish to consult the Python Sorting HOW TO document for help manipulating the data. 3. In order to record attendance, we want to find the students who logged into the Zoom meeting but did not attend the entire lecture. In order to do this, we can look for outliers in the data. Tukey’s fences are a simple method to define outliers in terms of the interquartile range. Use this method with k = 1.5 to find the outliers in the Week 1 attendance data.4. Repeat experiments (2) and (3) for Weeks 2 and 3. 5. Consolidate your code from experiments (2) through (4) into a Python function named tardy(). You may wish to define other functions as well. This function should list the name and attendance statistics for any student whose attendance in any week falls below the bottom fence for that week. Tardy students should be listed in the same order as they appear in the original .csv file.Submission A Markdown cell at the top of the notebook should include project summary information as described in the Syllabus for README files. Since you may be actively editing and making changes to the code cells in your notebook, be certain that each of your code cells still runs correctly before submission. You may wish to do this by selecting Run All from the drop-down menu bar.Submit your Jupyter .ipynb notebook file through Canvas before class on the due date. If the assignment is completed by a pair, only one submission is required. Be certain to identify the names of both students at the top of the notebook. See the following sections of the Canvas documentation for instructions on group submission: ● How do I join a group as a student? ● How do I submit an assignment on behalf of a group?
After the midterms, the teaching assistants (TAs) were occupied with scanning the submitted answer sheets. In their rush to attend their next class, they mistakenly captured only partial images of each sheet. Below are the three photos they took in haste.Help the TAs rectify this mistake by combining these images to produce a complete, rectangular image that displays all parts of the answer sheet, resembling an A4 sheet as closely as possible. (a) Image 1 (b) Image 2 (c) Image 3 Figure 1: Scanned image sectionsSuggested Approach • Feature Identification: Determine the location of corresponding features between the images, which will facilitate accurate alignment and stitching. This can be done in one of the following ways: – Manual Identification: Select corresponding points between the images by hand. (3) – Automated Detection: Use a feature descriptor, such as SIFT or ORB, to automatically identify matching points across the images. (5) • Image Stitching: Using the identified points, align and stitch the images to form a composite. (6)• Rectification: Correct any perspective distortions and non-uniform scaling to ensure that the final image is rectangular, resembling an A4 sheet. (6) • Comparative Analysis: Evaluate and discuss the quality of stitching obtained through manual feature selection versus using an automated feature descriptor. Comment on the accuracy, smoothness of blending, and ease of implementation for each method.(5)After the space shuttle has completed its mission in orbit, it begins its descent back to Earth. As it approaches the atmosphere, its navigation systems activate advanced visual processing techniques to prepare for a precise landing. Upon entering the atmosphere, the shuttle’s sensors scan for a safe landing runway. Using Hough Transform algorithms, the shuttle identifies straight lines on the runway, which helps it align perfectly for touchdown. Figure 2Your mission is to simulate the space shuttle’s final approach. Given an image representing the shuttle’s view of the landing area, use Hough Transform to detect and delineate the runway lines. This will aid in guiding the shuttle for a safe landing. Figure 3In a groundbreaking mission, SpaceX’s Falcon 9 booster launches a payload into orbit. After the booster separates, it autonomously begins its descent, aiming to land precisely on a circular landing pad on land.During its descent, the booster’s cameras and sensors analyze the view of the landing zone searching for the landing pad. To ensure a safe landing, the booster scans the surface, using a powerful algorithm to detect the circular landing zone amidst other infrastructure and clutter.Your mission is to assist the Falcon 9 booster’s landing process. Provided with an image 5 that mimics the booster’s view as it nears the landing zone, use Hough Transform to locate the circular landing pad. Accurate detection of this circle is crucial for a safe touchdown.Figure 4 Figure 5 Suggested Approach • Implementation: Implement the Hough transform from scratch for both the scenarios – Edges of runway: Identify the bounding edges of the runway for precise touchdown and landing (7)– Edges of landing pad: Identify the both the bounding edges of the circular(the smaller circle and the larger circle) Landing pad for precise touchdown and landing (7) • Overlaying: Using the implementation of hough transform function overlay the final result on the two original images (3+3) • Improvements: Discuss if the detection is satisfactory if not what changes would you suggest to make the mission successful (5)After the successful completion of various space missions, you are now traveling in your car equipped with Full Self-Driving (FSD) capabilities. However, despite its sophisticated algorithms for autonomous driving, the system is glitching when it comes to identifying stop signs—a critical aspect of safe navigation on the road. As a computer vision expert, you are tasked with implementing a quick and effective solution to resolve this issue using image segmentation techniques.Objectives Your goal is to perform image segmentation on a given image 6 that include a stop sign. You will employ two different methods of image segmentation and compare their effectiveness. • Method 1: Mean Shift Segmentation – Implement the Mean Shift algorithm to segment the images. This technique groups pixels based on color and spatial proximity, which can help in isolating the stop signs from the background.• Method 2: Normalized Graph Cut Segmentation – Utilize the Normalized Graph Cut method for segmentation. This method formulates the image as a graph and partitions it based on the minimum cut, allowing for better delineation of complex structures within the image, including stop signs. Figure 6Deliverables • For each segmentation method, provide: – A brief description of the algorithm and its implementation. (10) – The original image and the segmented result for comparison. (10) – A discussion on the strengths and weaknesses of each method in the context of identifying stop signs. (5)If you beat this section, you will get (TBD) bonus points. The task of this creative section is to come up with the best segmentation algorithm which is not machine/deep learning based approach and follows classical approaches.4.1 Task Description • Image Selection: Choose a challenging image for segmentation. The complexity of the image will provide a better opportunity to showcase your algorithm’s effectiveness. • Performance Evaluation: – Calculate the Intersection over Union (IoU) values for all segmented objects within the image. This metric will provide a quantitative measure of segmentation accuracy, defined as: IoU = Area of Overlap Area of Union – Report the IoU values for each identified segmented region.• Detailed Approach Description: Provide a comprehensive explanation of the approach you implemented, including: – The rationale behind your choice of algorithm. – Step-by-step details of the segmentation process. – A justification of why you believe this method performs better than alternative approaches.• Comparison and Empirical Evidence: Compare your results with other classical segmentation techniques (if applicable) and present empirical proof of your method’s performance. This may include visual comparisons, numerical results, and any relevant metrics that support your claims.• Function Requirements: Your segmentation algorithm should be encapsulated in a function that accepts an image as input and outputs all identified segmented regions.• Bonus Eligibility: The top TBD% of students who achieve the highest average IoU for all identified regions will be eligible to receive the bonus points.
Imagine you’re a detective analyzing a mysterious photograph below 1 where a person is sitting on something, but you can’t quite tell what it is. The image is washed out, with a bright laptop screen stealing all the attention, leaving the rest of the scene in low contrast and hidden details. Your mission, should you choose to accept it, is to enhance the image and reveal the secret!Using the concept of histogram equalization, your task is to write a function histogram equalisation that takes this grayscale image as input and enhances the contrast, making the scene clearer. Once you process the image, uncover what the person is sitting on. Can you bring the hidden details to light and solve the mystery? Figure 1Tasks to execute: • Brief introduction of histogram of an image and what it does. (3) • Implement the following functions: def create pdf(im in) which returns the pdf, def create cdf(pdf) which returns the cdf and def histogram equalization(im in) which returns the equalized image utilizing your previously implemented functions of pdf and cdf. (7)• Plot pdf and cdf before and after histogram equalization. Plot them side-by-side for easy comparison. (10) • Provide a comparative discussion of the PDF and CDF plots, and relate them to the image’s contrast and intensity. (5)Transmission electron microscopy (TEM) provides resolutions on the order of a nanometer. Hence, it is a critical imaging modality for biomedical analysis at the sub-cellular level. One of the problems associated with TEM images is variations in brightness due to electron imaging defects or non-uniform support films and specimen staining. These variations render image processing operations such as segmentation more difficult. The correction requires estimation of the global illumination field in either the background and foreground and other corrections. Below 2 is a TEM image of the C-Elegans ventral nerve cord. Can you, by image thresholding, enhance the cell boundaries which can then be used to segment the cell further in the pipeline?Note: You just need to perform image thresholding to enhance the cell boundaries. Figure 2 Tasks to execute: • Show histogram of the image. (3) • Implement and apply Otsu’s thresholding and generate a plot of the inter-class variance as a function of the chosen threshold (i.e., x-axis with each possible threshold from 0-255, y-axis with the resulting variance) and highlight the threshold value where it is maximised. (6)• Show the binary image after thresholding and discuss the results. Explain why do you think the results are they way they are. (3) • Implement and apply Niblack thresholding algorithm and show how changing the filter shape affect the results. Show the thresholded binary image with 3 examples of changing filter size. (10) • Comparatively discuss the two thresholding based on the results you got. (3)Have you ever played the classic game ”Where’s Waldo?”. Waldo, with his iconic red-and-white striped shirt and glasses, loves to hide in the most crowded and chaotic places, making him tricky to find. Now, it is your turn to take on the challenge – but instead of searching with just your eyes, you will use computer vision to find him! In this task, you will apply template matching to locate Wilma, Waldo’s 2 friend, in a large, cluttered image 3. Let’s see how quickly you can track her down using some clever image processing!The template 4 provided is of Wilma whom you need to find. Note: The image is colored; you may need to adjust your approach to account for that during template matching. Figure 3 While performing the template matching, you might have to take care of the scale of the template. At the end of your task, once the location is identified, mark the same pixel location on the image with a box around the pixel or color the center of the pixel.Note: While translating the pixel position of the location where Wilma is found in the cluttered image, take into account the reduction in size that will occur when you apply the template to find a match. Adjust the same in the cluttered image before marking the final location. Figure 4Tasks to execute: • Implement cross-correlation with the original image and the template as mask. (8) • Parse the correlation image to detect the maximum peak value and its (x,y) location. You may mark this location with an overlay of a circle or just manually painting an arrow or else. Discuss if this location matches your expectations. Discuss the appearance and cause of other peaks, and how they compare to the global peak, you may just manually check other peaks and annotate them on the peak image. (10) • Show the image which helps you identify the peaks (cross-correlation output) with a mark on the highest peak.(2) • Overlay the found peak on the original image. (5)Points (25) If you beat this section, you will get (5) bonus points. You are free to choose any method to find Waldo in the image below 5. It should be quicker (in execution time) than the previous implementation, which was done using cross-correlation to get full points. The top 10% (in execution time) of the students will receive bonus points. We will normalise the runtime in terms of image size to do a fair comparison between the two images.Make your code generic enough, such that it accepts two images(original image and template image) and returns a bounding box around the matched template on the original image. We will pass a test image with a template to your function and use the runtime to determine the score for bonus points. Figure 5 The template is below 6. Figure 6
Suppose that you have a company. You want to create the database of your company. ▪ Describe the user requirements of your company. ▪ Draw the E-R diagram of the company. ▪ Do normalization. ▪ List the functional dependencies. ▪ List your tables. ▪ Create the database including everything (tables, relationships, keys etc.). You may use any database management system. ▪ Create the user interface of at least 5 modules using any programming language. Choose the interfaces according to the questions below. ▪ Create 1 OUTER RIGHT JOIN, 1 OUTER LEFT JOIN, 1 FULL OUTER JOIN queries on user interface. ▪ Create and use at least 5 different triggers making completely different tasks. Show how they are working in your interfaces. ▪ Create and use at least 5 different views that are completely different from each other. Show how they are working in your interface.Additional: ▪ Give and create at least 3 atomic transactions. ▪ For at least 3 tasks solve concurrency of transactions using any techniques in the book. ▪ Add additional details about the database if there is any. ▪ Use inheritance for the tables.Note: ▪ Your E-R diagram should be as complex as the E-R diagram of student managements system example in the book. Which means, it should have many entities and relations.
1- (12.5 points) Write a trigger that increase (10%) salary of your employees in your company and show salary difference of employees after the salary increment. The employee table details are given as follows: Employee (name, payment, empid)2- (12.5 points) Write a trigger that maintains referential integrity for on delete cascade. Using the trigger, when a department is deleted, the employees on that department also have to delete. The details of the tables are given below: Employee (Name, Age, Address, Depid) Department (Depid, Depname)3- (25 points) What are the advantages and disadvantages of using NoSQL databases? Explain each of them.4- (25 points) Give characteristics of blockchain databases. Explain each of the characteristic. What are the differences between blockchain databases and traditional databases?5- (25 points) What are the advantages and disadvantages of using a graph database? What are the characteristics of Neo4j graph database?
A Park consists of a collection of Wood-Sections each has a number of specific species of trees. You can access everywhere by Roads. The forest also has a Manager. There are Fire-Stations in the park. Each one monitors fires in the Park. There are Facilities which consists of camps and offices in the park. There are also Rivers. Each river supply water to a different facility.Answer the questions using the text above. 1- (35 points) Draw the E-R diagram of the park. 2- (5 points) Give all the functional dependencies in the question. 3- (10 points) Is there a weak entity in the E-R diagram. If there isn’t, modify the question so that there will be a weak entity. Explain every detail. Explain why you need a weak entity in both cases.4- (15 points) Create tables for your E-R diagram. (Do not forget that you should consider the effect of type of relationships to the tables.)5- (20 points) Give 2 relations. Show if they hold or does not the criteria of 3NF and Boyce-Codd Normal Form. Explain why they are (or not) in 3NF and Boyce-Codd Normal Form, give your reasons and proofs in details.6- (15 points) Create database schema where the relations must hold BoyceCodd Normal Form or 3NF after the normalization steps.
The PyTorch system is currently one of the leading software tools for making artificial intelligence systems using deep artificial neural networks. It provides fairly abstract methods for building such machine learning models, training them on data, and applying the trained models to novel inputs. This assignment provides you with some introductory experience using PyTorch software. When complete, this assignment results in a Python program that constructs three different network architectures:• AnnLinear — A network with no hidden layer, connecting a 4-element input vector to a 3-element linear output layer. • AnnOneHid — A network with a single hidden layer of 20 processing units, mediating the production of a 3-element output vector from a 4-element input vector. • AnnTwoHid — A network with two successive hidden layers between a 4-element input and a 3-element output, with the first hidden layer having 16 processing units and the second having 12 processing units.The program trains each constructed network on a simple classification task, reporting progress during training and calculating the accuracy of each learned model on a set of testing examples. The classification task is one that has been studied for many years. The goal is to learn to identify the species of an iris plant based on the size of various parts of the plant. Each plant is a member of one of three possible species: setosa, versicolor, or virginica. Four numerical features of the plant are input to allow the system to categorize it by species. The four input measurements are sepal length and width and petal length and width. A total of 150 examples are provided for use as training data and testing data. Details concerning the data set may be found at the UC Irvine Machine Learning Repository:https://archive.ics.uci.edu/ml/datasets/iris This is a fairly simple classification task to learn, making it easy to produce models with high categorization accuracy, even on previously unseen inputs.Python Packages This program makes use of three publicly available Python packages, all of which need to be installed in the PyCharm IDE before the program can be successfully run. • PyTorch (torch) — tools for building artificial neural network models • Pandas (pandas) — tools used for data loading and manipulation • Scikit-learn (scikit-learn) — tools used to randomly sample training and testing sets from a collection of examplesThese packages can be easily installed in PyCharm. On the Preferences window (or the Settings window), there is an option on the project pane which is labeled “Python Interpreter”. Selecting this option shows a table of installed packages. The plus-sign button may be selected to install a new package. The installation window contains a search bar, through which the three needed packages may be found. Once found, a package may be installed from this window by selecting the “Install Package” button.The program is implemented in three Python script files. One of these files is incomplete. • “main.py” — This file provides code to train and test all three network architectures, printing performance results. • “ann.py” — This file provides three utility functions. – load iris data — Load the iris classification data set from the UC Irvine Machine Learning Repository.– train model — Train a given network model using a specified set of examples. – test model — Calculate the accuracy of a given network model on a specified set of testing examples. • “arch.py” — This file defines three Python classes describing the three artificial neural network architectures of interest. Of these three files, only the third, “arch.py”, is incomplete. A template is provided, but a solution to this assignment must provide the code necessary to implement the three architectures.In PyTorch, an artificial neural network architecture is specified by defining a new Python class that inherits from nn.Module. The “arch.py” file defines three such classes: AnnLinear, AnnOneHid, and AnnTwoHid. Each class has an initialization method, called when constructing an instance, and a method that performs forward pass computations to produce network outputs.In the initialization method, network layers are defined. Each layer should be stored in a class variable. For this assignment, all layers calculate their “net input” values as a linear weighted sum of inputs, with the weights being learned parameters. In PyTorch, such a layer may be declared using nn.Linear in the following way: self.my_layer = nn.Linear(in_features=6, out_features=9)In this example line of Python code, a layer with 9 processing units is defined, with the layer receiving 6-dimensional inputs (e.g., the number of processing units in the preceding layer). The layer is stored in the “my layer” variable.In the method that implements the forward pass, aptly named “forward”, processing element activation levels are successively calculated across layers, from inputs to outputs. The method is given network inputs as an argument, conventionally labeled “x”. Weighted sums, calculating “net input” values, can be computed by treating layer variables as functions. For example, using “my layer” as previously defined, the “net input” of the layer can be computed using this line of Python code: my_layer_net = self.my_layer(x)An activation function can be applied to the “net input” of a layer. For example, the rectified linear (ReLU) activation function may be applied as follows: my_layer_act = F.relu(self.my_layer(x))In this way, the activation of each layer can be calculated, from inputs to outputs. Note that a few variable naming conventions are repeatedly used. Typically, “x” references an input to the network. The target outputs of the network are referenced as “y”. The actual outputs of the network, to be compared with the targets, are referenced as “y hat” (spelling out yˆ). Thus, the forward method takes x as an argument and should return the corresponding value of y hat.In this assignment, all three network architectures must take a 4-dimensional input, corresponding to the four measurements of the iris plants. Each architecture must provide a 3-dimensional output, with one element for each of the three species categories. The output element with the highest activation is taken as indicating the predicted species corresponding to the current network input. The network architecture with a single hidden layer should use 20 hidden units. The network architecture with two hidden layers should have 16 units in the first hidden layer and 12 in the second. All hidden layers should use the ReLU activation function, but network output layers should not. Output layers should compute the linear weighted sum of their inputs, without any nonlinear activation function.Analysis The “arch.py” file is to be completed, filling in code for the two methods in each of the three architecture classes. The header comment of this file should also contain answers to two analysis questions.Once the artificial neural network architectures are implemented, running the program will display measures of training progress and testing set accuracy for each of the three architectures. The program should be run a dozen times or more, recording the displayed results. Because testing examples are sampled at random on each run, and each network begins with random initial weights, each run can produce different results. Still, patterns in performance should be evident.Based on your observations of many executions of the program, you should answer the following two questions: 1. Which network architecture achieves the lowest training set error? 2. Which network architecture tends to exhibit the best testing set accuracy? With a little thought, you should be able to understand why the observed patterns of performance arose.Evaluation To receive full credit for this assignment, working network architecture implementations must be provided, and both questions must be answered, all within the “arch.py” script file. The three Python classes must work with the other provided Python script files without modifying the other files in any way. All of these files, including a template for “arch.py”, are available in a ZIP archive file called “PA4.zip” in the “Assignments” section of the class CatCourses site, under “Programming Assignment #4”. The contents of these Python code files should be read, and comments in these files should assist in your understanding of the provided code. Questions are welcome, however, and they should be directed to the teaching team.Your submission will be evaluated primarily for accuracy, with efficiency being a secondary consideration. Your source code will be examined, however, and the readability and style of your implementation will have a substantial influence on how your assignment is evaluated. As a rough rule of thumb, consider the use of good software writing practices as accounting for approximately 10% to 20% of the value of this exercise. Please use the coding practices exemplified in the provided utility files as a guide to appropriate readability and style. Note also that, as discussed in the course syllabus, submissions that fail to run without crashing on the laboratory PyCharm IDE will not be evaluated and will receive no credit.The code that you provide should write no output, as this will clutter the output produced by the “main.py” script. If you include any statements that write output in your code (perhaps as tools for debugging) these should be removed prior to submitting your code files for evaluation. You may receive no credit for your submitted solution if it produces extraneous output.As for all assignments in this class, submitted solutions should reflect the understanding and effort of the individual student making the submission. Not a single line of computer code should be shared between course participants. If there is ever any doubt concerning the propriety of a given interaction, it is the student’s responsibility to approach the instructor in order to clarify the situation prior to the submission of work results. Also, helpful conversations with fellow students, or any other person (including members of the teaching team), should be explicitly and clearly mentioned in submitted assignments (e.g., in comments in the submitted source code file).These comments should also explicitly mention any written resources, including online resources, that were used to complete the exercise. Citations should clearly identify the source of any help received (e.g., “Dr. David Noelle” instead of “a member of the teaching team”, “The Python Tutorial at docs.python.org/3/tutorial/” instead of “Python documentation”).Failure to appropriately cite sources is called plagiarism, and it will not be tolerated! Policy specifies that detected acts of academic dishonesty must result minimally with a zero score on the assignment, and it may result in a failing grade in the class. Please see the course syllabus for details.To be clear, please note that all of the following conditions must hold for a submitted solution to receive any credit: • solution submitted by the due date • solution runs without crashing on the laboratory PyCharm IDE • solution produces no extraneous output • solution works with unmodified utility code, as provided • solution does not include code written by another person (with or without modifications)
Overview This programming assignment has three main learning goals. First, the assignment will provide you with an opportunity to practice developing programs in Python using the PyCharm integrated development environment. Second, this assignment will allow you to practice implementing the decision theory principle of maximum expected utility in a game-playing context. Your work on this assignment is intended to strengthen your understanding of how expected utility values are calculated, including how they are calculated in multi-agent environments. Finally, this assignment requires you to design a heuristic evaluation function for a game, providing you with experience in the design of such functions.You will be provided with Python source code that (almost) implements a two-player game called the Guardian Game, with a single computer player pitted against a single human player. You are charged with completing the implementation of the computer player’s decision procedure by writing a function that calculates an expected utility value and another that computes a heuristic evaluation value for a state of play.Submission for Evaluation To complete this assignment, you must generate one Python script file, called “heuristic.py”. That file is to contain two functions: a component of a minimax look-ahead search procedure called expected value over delays and a heuristic evaluation function for non-terminal states of game play called heuristic value. This is the only file that you should submit for evaluation. To submit your completed assignment for evaluation, log onto the class site on CatCourses and navigate to the “Assignments” section. Then, locate “Programming Assignment #3” and select the option to submit your solution for this assignment. Provide your single program file as an attachement. Do not upload any other files as part of this submission. Comments to the teaching team should appear as header comments in your Python source code file.Submissions must arrive by 11:59 P.M. on Friday, December 2nd. Please allow time for potential system slowness immediately prior to this deadline. You may submit assignment solutions multiple times, and only the most recently submitted version will be evaluated. As discussed in the course syllabus, late assignments will not be evaluated and will receive no credit. If your last submission for this assignment arrives by 11:59 P.M. on Tuesday, November 29th, you will receive a 10% bonus to the score that you receive for this assignment. This bonus is intended to encourage you to try to complete this assignment early.ActivitiesThe Guardian Game is a two-player fully-observable zero-sum game that includes some randomness and, therefore, some uncertainty about the outcomes of actions. The board represents a single walkway extending to the West and to the East of a magical statue called the Guardian. One player begins the game along the walkway to the West of the Guardian and the other begins along the walkway to the East. They begin at equal distances from the Guardian. The players take turns sneaking toward the Guardian, with the goal of reaching the Guardian before the other player does. The walkway is divided into “squares” or “steps”, and each turn involves a player selecting a number of steps to move on that turn (i.e., a move action).Once the length of the move is selected, the player begins to move toward the Guardian, but there is danger in approaching the magical statue. The Guarding can turn its head, facing either West or East. If a player is moving when the Guardian is facing toward them, a magical ray of light springs from the Guardian’s eyes, banishing that player to another world, causing them to lose the game. This means that each player’s turn begins with the Guardian facing in the other direction. Each move action should be selected so as to complete the move before the Guardian turns its head to look in the direction of the player. If the move is completed before the head rotates, the other player is allowed to take a turn. If the head faces the player before the move is done, catching the player in motion, that player loses, and the other player wins the game. If neither player is caught in motion, turn after turn, then the first player to reach the Guardian wins.The Guardian turns its head after a random number of time steps. This interval is always at least 2 time steps, so a player is safe on any turn that they select the action of moving only 1 step. If the player opts to move 2 or more steps, however, there is a chance that they will be caught in motion by the Guardian. There is a maximum length to this interval, as well, so any move action of that length or longer is guaranteed to result in the player being caught. Thus, on each turn, the current player selects an action ranging from 1 step to one less than the length of the maximum delay before the Guardian turns its head.This game has a number of parameters that specify details of game play, with these parameters specified as variables or functions in the Python implementation of the game. These things include: • The starting distance to the Guardian is a number of steps specified by board size, which defaults to 13 steps.• The computer always is the West player, and the human opponent is always the East player. The player that gets the first turn is determined by a (digital) coin toss at the beginning of the game. • The smallest action size is specified by min act steps, which defaults to 1. The largest action size is specified by max act steps, which defaults to 4. Actions must be an integer number of steps between these bounds, inclusive.• By default, the delay prior to the Guardian turning its head is a random value between min time steps and max time steps, defaulting to 2 and 5, respectively. This value is determined by (digitally) flipping three fair coins and adding two to the total number of “heads” that result. Note that this is not a uniform distribution, as the random delay values vary in their probability of occurrence.• The game ends when either a player is banished due to being caught in motion or when a player reaches the Guardian. The terminal state of the game is assigned a payoff, with a positive value of max payoff if the computer player wins and a negative value of (−1 × max payoff) if the human opponent wins. Because of the use of randomness, there is no strategy that guarantees a win, but some action choices are better than others. The goal of this assignment is to complete the provided Python program so as to make it as competitive as possible.The code for a Python implementation of the minimax approach to selecting actions is contained in a collection of provided script files. These include: • “parameters.py” — This file contains a small set of game parameters, including the board size, the range of allowable actions, and the maximum payoff. • “game.py” — This file provides the Game class. This class implements both a game session and the current state of play. For example, it records where the players are currently located on the walkway, whose turn it is, what action the current player has selected, and how many time steps remain before the Guardian will turn its head. The class includes a method called “play” which implements a session of play, from the initialization of the board to declaring a winner.• “main.py” — This is a top-level driver script, performing needed initialization, creating a Game object, and calling the play method. • “minimax.py” — This file provides a collection of functions that, together, produce a minimax look-ahead search implementation, allowing the computer player to select actions. The entry point to this code is the function called “minimax action”, which examines each possible action choice for the computer player and selects the action that maximizes the value of the resulting state. The value of a state of play is returned by the “value” function.The action selection process combines two important artificial intelligence concepts. First, it incorporates minimax search. The value of a considered future state of play, where one of the players is about to select an action, is determined by recursively computing the values of the states that result from each possible action, and selecting the action corresponding to the minimax value. If the current player of the given state is the computer player, then the action that maximizes the value determines the backed-up value of the state. If the current player is the human opponent, then the action that minimizes the value determines the backed-up value. This is the standard minimax approach, with the computer player seeking high value states and the human opponent seeking low value states.Second, the implementation makes use of the concept of maximum expected utility. The randomly selected delay prior to the Guardian turning its head produces resulting states of game play that vary in their values. Succinctly, low random delays are bad for the player currently taking a turn, as they result in banishment for a broader range of move actions. In order to deal with this uncertainty, the value of a game state just prior to randomly selecting the delay is taken to be the expected utility of that state – the expected value over the states that result. Recall that this is the sum, over all possible delays, of the values of the resulting states (as returned by the value function), with each value weighted by the probability of randomly selecting the corresponding delay. (Note that a function called “probability of time” is provided, which calculates the probability of a given delay.) Combining this expected value calculation with minimax search provides a way to address the randomness in the game.As is true in many games, it would take too much time to perform a look-ahead search all the way to terminal states. Instead, the provided implementation looks ahead to a ply specified in “parameters.py” as max ply. At that point, non-terminal states are assigned values using a heuristic evaluation function. This heuristic evaluation function must be fast, avoiding all further look-ahead search, but it should provide an estimate of the future payoff attainable from the given state.A positive value for the heuristic indicates that the state of play is looking good for the computer player, while a negative value indicates that the human opponent is ahead. The heuristic function must be symmetric, in the sense that if the two players swapped positions, the heuristic value would become the additive inverse of the original value. For example, if a given state of play has a heuristic value of 24, then another state of play that is identical to this one, except for the fact that the two players have swapped positions, should have a heuristic value of −24. Heuristic values must also be within the range of possible payoff values for terminal states.Note that look-ahead search can be quite slow, especially as the maximum ply grows. Thus, a good heuristic function is important for timely decisions by the computer player.Activities For this assignment, you are to complete the look-ahead search implementation by providing two functions. Both of these functions are to be written in a file called “heuristic.py”, and these functions must work with the other provided Python script files without modifying the other files in any way. All of these files, including a template for “heuristic.py”, are available in a ZIP archive file called “PA3.zip” in the “Assignments” section of the class CatCourses site, under “Programming Assignment #3”. The contents of these Python code files will be briefly discussedduring a laboratory session, and comments in these files should assist in your understanding of the provided code. Questions are welcome, however, and they should be directed to the teaching team. The first of the two functions to be implemented is expected value over delays. This function takes a Game object as input, representing a state of play in which the current player has chosen an action, but the time delay before the Guardian turns its head has not yet been randomly determined. This function is to return the expected value of the state over all possible random delays.The second function to be written is heuristic value. Without performing any additional search, this function must quickly estimate the value of the given state of play, encoded by a Game object. The task of designing this function is an opportunity for creativity. There are many ways to assign heuristic values to game states, and the quality of these estimates can greatly affect the performance of the computer player.Both of these two functions are called by the value function in “minimax.py”, and they are needed for the minimax procedure to work correctly. Well written functions will result in competitive play from the program. Once again, both functions are to written in the “heuristic.py” file, which is to be submitted for evaluation.Evaluation Your submission will be evaluated primarily for accuracy, with efficiency being a secondary consideration. Your source code will be examined, however, and the readability and style of your implementation will have a substantial influence on how your assignment is evaluated. As a rough rule of thumb, consider the use of good software writing practices as accounting for approximately 10% to 20% of the value of this exercise. Please use the coding practices exemplified in the provided utility files as a guide to appropriate readability and style. Note also that, as discussed in the course syllabus, submissions that fail to run without crashing on the laboratory PyCharm IDE will not be evaluated and will receive no credit.The functions that you implement should write no output, as this will clutter the output produced by the “main.py” script. If you include any statements that write output in your code (perhaps as tools for debugging) these should be removed prior to submitting your code files for evaluation. You may receive no credit for your submitted solution if it produces extraneous output. As for all assignments in this class, submitted solutions should reflect the understanding and effort of the individual student making the submission. Not a single line of computer code should be shared between course participants. Not a single line of computer code should be received from any other person, such as students not enrolled in the class and people providing tutorial assistance.If there is ever any doubt concerning the propriety of a given interaction, it is the student’s responsibility to approach the instructor and clarify the situation prior to the submission of work results. Also, helpful conversations with fellow students, or any other person (including members of the teaching team), should be explicitly mentioned in submitted assignments (e.g., in comments in the submitted source code files). These comments should also explicitly mention any written resources, including online resources, that were used to complete the exercise. Citations should clearly identify the source of any help received (e.g., “Dr. David Noelle” instead of “the professor”, “The Python Tutorial at docs.python.org/3/tutorial/” instead of “Python documentation”). Failure to appropriately cite sources is called plagiarism, and it will not be tolerated! Policy specifies that detected acts of academic dishonesty must result minimally with a zero score on the assignment, and it may result in a failing grade in the class. Please see the course syllabus for details.To be clear, please note that all of the following conditions must hold for a submitted solution to receive any credit: • solution submitted by the due date • solution runs without crashing on the laboratory PyCharm IDE • solution produces no extraneous output • solution works with unmodified utility code, as provided • solution does not include code written by another person (with or without modifications)
The goals of this project:Additional information:Accessing project resources:Setup (0 points)Please note that the file is over 9GB, so it will take some time to download. Do not wait until the last minute to download it. Do it right away!When you begin each phase, make sure to change directories for each part of the project.TABLE OF CONTENTS Phase 1 (50 points):You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. So initially you should assume that each malware we question you about below has every behavior listed. It’s your job to determine if that assumption is actually true.Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. This is, of course, not completely practical, as legitimate applications may perform the same actions in a benign fashion. We are not concerned with differentiating the two in this assignment, but it is some food for thought.Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”.You will encounter that the same API functions can end with either a W or an A. This is a standard practice in the Windows API, and this document explains the difference (either one could in theory be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-thewindows-apiFor each of the following questions, mark (true/false) which of the malware exhibit the identified behavior:DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.Download the submission template or use the JSON format below for your answers:{“sample1”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample2”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample3”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample4”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: , “behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample5”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”: }}The submitted answers should be in the format (this is an example only):{“sample1”: {“behavior01”: true,“behavior02”: false,“behavior03”: true, “behavior04”: true, ...}The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). Incorrectly formatted JSON files or typos count as a submission if the submission attempt fails. We have provided a validation script named “json_validator.py” which will check your file for proper formatting. To run the validator on your file, use the following command: “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either return “JSON file correctly formatted.” if the submission file is correct, or will return the errors found. It is not required to use the validation script, although it is highly recommend to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for Phase 1 and the Extra Credit portions of the project.For Phase 1, you will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and count as a submission. If you attempt to make more submissions than the limit, your grade will be a ZERO for submissions past five. You must fill out “true” or “false” for all 100 behaviors (5 samples X 20 behaviors) or the submission will fail and count as one submission attempt. You will want to choose your best submission of the first 5 manually in Gradescope, but this MUST be done BEFORE the project deadline. No late submissions or requests to update the submission will be accepted after the project deadline. Please submit the answers in the JSON file in the Gradescope assignment Project Malware Analysis – Phase I. Phase 2 (50 points)For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.NOTE:When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.To get started we will work through a number of simple scripts to understand some basics about deobfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project.These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.Can you figure out how to get your flag?base64 -d
The goals of this project:Additional information:Accessing project resources:Setup (0 points)Please note that the file is over 9GB, so it will take some time to download. Do not wait until the last minute to download it. Do it right away!When you begin each phase, make sure to change directories for each part of the project.TABLE OF CONTENTS Phase 1 (50 points):You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. So initially you should assume that each malware we question you about below has every behavior listed. It’s your job to determine if that assumption is actually true.Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. This is, of course, not completely practical, as legitimate applications may perform the same actions in a benign fashion. We are not concerned with differentiating the two in this assignment, but it is some food for thought.Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”.You will encounter that the same API functions can end with either a W or an A. This is a standard practice in the Windows API, and this document explains the difference (either one could in theory be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-thewindows-apiFor each of the following questions, mark (true/false) which of the malware exhibit the identified behavior:DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.Download the submission template or use the JSON format below for your answers:{“sample1”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample2”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample3”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample4”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: , “behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample5”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”: }}The submitted answers should be in the format (this is an example only):{“sample1”: {“behavior01”: true,“behavior02”: false,“behavior03”: true, “behavior04”: true, ...}The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). Incorrectly formatted JSON files or typos count as a submission if the submission attempt fails. We have provided a validation script named “json_validator.py” which will check your file for proper formatting. To run the validator on your file, use the following command: “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either return “JSON file correctly formatted.” if the submission file is correct, or will return the errors found. It is not required to use the validation script, although it is highly recommend to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for Phase 1 and the Extra Credit portions of the project.For Phase 1, you will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and count as a submission. If you attempt to make more submissions than the limit, your grade will be a ZERO for submissions past five. You must fill out “true” or “false” for all 100 behaviors (5 samples X 20 behaviors) or the submission will fail and count as one submission attempt. You will want to choose your best submission of the first 5 manually in Gradescope, but this MUST be done BEFORE the project deadline. No late submissions or requests to update the submission will be accepted after the project deadline. Please submit the answers in the JSON file in the Gradescope assignment Project Malware Analysis – Phase I. Phase 2 (50 points)For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.NOTE:When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.To get started we will work through a number of simple scripts to understand some basics about deobfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project.These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.Can you figure out how to get your flag?base64 -d
Project 3 is on malware analysis. You’ll be learning about and manipulating malware on the Windows and Android platforms. Read the write-up below to get started. It’s very long but also very comprehensive, walking you through the beginning of the project and including helpful posts from previous semesters on Piazza. ResourcesWrite-upCS6262_P3_WriteupLinks to an external site.Android WriteupActionsQuestionnaireassignment-questionnaire.txtDownload assignment-questionnaire.txtFAQFAQ.md Download FAQ.mdVMThe project VM can be downloaded from:https://www.dropbox.com/s/dnk6acztw9ewp83/Project%203.zip?dl=0Links to an external site.The password to the archive is cs6262.Submission:There is an autograder on Gradescope to help verify your answers as you work. To use it, submit your assignment-questionnaire.txt file to both the Windows and Android assignments. However, this will not count for your final grade.To receive full credit, you must submit1) assignment-questionnaire.txt to Gradescope, 2) report.zip to Canvas.If you did not submit report.zip on time, we will contact you, and a 5-point deduction will be applied to your total score.Have fun, and start early!Project 3: Malware Analysis CS 6262 Sections:Scenario:You got a malware sample from the wild! Your task is to discover what the malware does by analyzing it. How do you discover the malware’s behaviors? There are multiple ways of analyzing it but we’ll be focusing on two ways: Static Analysis and Dynamic Analysis. Static Analysis: Dynamic Analysis: In our scenario, you are going to analyze the given malware with tools that we provide. These tools help you to analyze the malware with static and dynamic analysis.Objective:Requirement: Project Structure:○ https://www.virtualbox.org/wiki/Downloads ● Download the Virtual Machine (VM)○ https://www.dropbox.com/s/dnk6acztw9ewp83/Project%203.zip?dl=0○ Unarchive the file with 7zip and password is cs6262 ● Network Configurations:○ tap0:■ Virtual network interface for Windows XP • IP Address: 192.168.133.101 ○ br0■ A network bridge between Windows XP and Ubuntu○ enp0s3■ A network that faces the Internet ○ Go to File → Import Appliance○ Select the ova file and import it○ For detailed information on how to import the VM, see: ○ Before starting, it might be useful to configure the settings, allocate more base memory, processors etc. to your VM, as per your device configurations for better performance. ● VM user credentials○ Username: analysis ○ Password: analysis NOTE: VM Setup ■ init.py○ Type your Georgia Tech username (your Canvas LoginName) after running this •$./init.py○ Malware:Tutorials:○ Update the project 3 before begin■ Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)■ Run ./update.sh ○ Initializing the project■ Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)■ Run ./init.py ○ Note:■ These are malware samples hosted under the Georgia Tech Network■ IMPORTANT $ file unzip ○ We need a secure experiment environment to execute the malware ○ Why?■ Insecure analysis environment could damage your system ■ You may not want:■ Contain malware in a virtual environment○ Conservative rules(allow network traffic only if it is secure) ○ We provide a Win XP VM as a testbed! ● Run Win XP VM○ Run Windows XP Virtual Machine with virt-manager○ Open a terminal○ Type “virt-manager” and double click “winxpsp3”○ Click the icon with the two monitors and click on “basecamp” ○ Right click on basecamp, and click “Start snapshot.” Click Yes if prompted.○ Once, virt-manager successfully calls the snapshot, click Show the graphical console.■ Click on the Windows Start Menu and Turn off Computer. ■ Then select Restart ○ DO NOT MODIFY OR DELETE THE GIVEN SNAPSHOTS! ■ The given snapshots are your backups for your analysis.■ If something bad happens on your testbed, always revert back to the basecamp snapshot. ● Copy from Shared Directory○ Go to the shared directory by clicking its icon (in Windows XP)■ Copy stage1.exe into Desktop■ If you execute it in the shared directory, the error message will pop up. Please copy the file to Desktop. ○ Now we will run the malware■ Execute stage1.exe (double click the icon)■ It will say “Executing Stage 1 Malware”. Then, click OK.○ Otherwise, malware execution will be blocked○ If you want to halt the malware that is running…■ Execute stop_malware in the temp directory.○ To analyze network behaviors, you need■ Wireshark (https://www.wireshark.org/)■ Capturing & Recording inbound/outbound network packets○ By capturing and recording network packets through the tools■ Reveal C&C protocol■ Attack Source & Destination ○ But, malware will not do anything. Why? ■ The C2 server is dead!■ Therefore, the malware (C2 client) will never unfold its behaviors.■ Question?○ Let’s check it through network monitoring ■ Everything has been already installed.■ Open Wireshark, capture the traffic for the network bridge(Make sure to run with root privileges)■ IP address = 192.168.133.1■ Reference: https://www.wireshark.org/docs/■ Get yourself familiarized with Linux commands and how to employ Wireshark.■ Other references:○ From WireShark, we can notice that the malware tries to connect to the host at 128.61.240.66, but it fails○ Let’s make it redirect to our fake C2 server■ Go to ~/tools/network■ Edit iptables_rules to redirect the traffic to 128.61.240.66 to192.168.133.1 (fake host)○ Whenever you edit iptables_rules, always run reset.■ (type “./reset” from the ~/tools/network directory)○ IMPORTANT! If you shut down your project VM, be sure to run reset again the next time you start it up. ○ Observing C2 traffic■ In WireShark, we can notice that now the malware can communicate with our fake C2 server■ You can see the contents of the traffic by right-clicking on the line, then clicking Follow – TCP Stream ○ Let’s take a look at cuckoo. Cuckoo is NOT necessarily required to complete this project, but it is a useful tool to help you understand what your malware is doing, and therefore how you might want to modify your score.h file later in the project.○ Note! You can’t run the testbed VM and cuckoo simultaneously.○ Always turn off the testbed VM, and follow the steps below to execute Cuckoo ○ Open two terminals.○ ‘$workon cuckoo’ (Set virtualenv as cuckoo for both terminal1 and terminal2)○ Open one terminal in debug mode, with command: ‘$cuckoo -d’○ Open other cuckoo terminal for the webserver, with command: ‘$cuckoo web’ ○ Reference: Malware Analysis using Cuckoo Sandbox○ If you get an error when running cuckoo web because port 8000 is already inuse, run “sudo fuser -k 8000/tcp” and try again. ○ The Cuckoo uses asnapshot of the given testbed VM. ○ The snapshot is 1501466914○ • DO NOT TOUCH thesnapshot! ○ To open the cuckoo web server, type the following URL into Chromium ■ http://localhost:8000○ To upload a file, click the red box and choose a file. ○ Once you click the Analyze button, it will take some time to run the malware. ○ Once you click the Analyze button, it will take some time to run the malware. ○ The malware does not exhibit its behavior because we did not send the correct command through our fake C2 server ○ We will use■ File/Registry/Process tracing analysis to guess the malware behavior.■ control-flow graph (CFG) analysis and symbolic execution to figure out the list of the correct commands○ The purpose of tracing analysis is to draw a big picture of the malware ■ What kinds of System call/API does the malware use?■ Does the malware create/read/write a file? How about a registry?○ The purpose of CFG analysis is to find the exact logic that involves the interpretation of the command and the execution of malicious behavior○ Then, symbolic execution finds the command that drives the malware into that execution path ○ On the side bar, there are useful menus for tracing analysis. ■ We are focusing on:○ Trace behaviors in time sequence. ● Static Analysis on Cuckoo○ Static Analysis■ Information about the malware. ■ Win32 PE format information○ .text○ Strings, etc.○ .data○ .idata○ .reloc○ More information: Malware researcher’s handbook (demystifying PE file) ○ Interestingly three DLL(Dynamic Link Libraries) files are imported.○ In WININET.dll, we can see that the malware uses http protocol.○ In ADVAPI32.dll, we can check if the malware touches registry files ○ In Kernel32.dll, we can check the malware waiting signal, also sleep. ○ Tracing a behavior(file/process/thread/registry/network) in time sequence.○ Useful to figure out cause-and-effect in process/file/network.○ Malware creates a new file and runs the process, then writes it to memory. ○ Based on our analysis with Cuckoo, we can determine if… ■ The malware uses HTTP protocol to communicate ● Communicate with whom? C&C?■ The malware touches(create/write/read) a file/registry/processModifying the registry? ○ Based on the pre-information that we collected from the previous step, we aregoing to perform CFG analysis & symbolic execution analysis○ CFG:■ graph representation of computation and control flow in the program■ Nodes are basic blocks■ Edges represent possible flow of control from the end of one block to the beginning of the other. ○ But, in malware analysis, we are analyzing CFG at the instruction level.○ We provide a tool for you that helps to find command interpretation logic and malicious logic■ We list the functions of system calls the malware uses internally■ If you provide the score (how malicious it is, or how likely the malicious logic is to use such a function) for the functions, then the tool will find where the malicious logic is, based on its score■ Your job is to write the score value per each function ○ More info: http://www.cs.cornell.edu/courses/cs412/2008sp/lectures/lec24.pdf○ From our network analysis, we know that the malware uses an Internet connection to 128.61.240.66○ From our cuckoo-based analysis, we know that the malware uses the HTTP protocol.○ Moreover, it uses some particular functions to communicate and stay in touch with the command and control server.○ Modify the score values for these particular functions in order to generate a better CFG – for proper analysis.○ Find the file to be edited – score.h.○ Path: /tools/cfg-generation/score.h ○ Build control flow graph■ By executing ./generate.py stage1, the tool gives you the CFG ● This finds the function with higher score○ Implies that this calls high score functions on its execution ■ For stage2○ Note: your graph and its memory addresses will vary from this example ○ The function entry is at the address of 405190■ And, there is a function (marked as sub) of score 12■ This implies that○ Run from 405190 to 40525a○ Finding Commands with Symbolic Execution■ We want to find a command that drives malware from 405190 to 40525a■ Rather than executing the program with some input, symbolic execution treats the input data as a symbolic variable, then tries to calculate expressions for the input along the execution.■ Path explosion■ Modeling statements and environments■ Constraint solving○ Symbolic Execution Engine: Klee, Angr, Mayhem, etc. • Loading a binary into the analysis program○ • Translating a binary into an intermediate representation (IR). • Translating that IR into a semantic representation○ • Performing the actual analysis with symbolic execution. ○ In this example, ONLY i=2, j=9 conditions will lead the program to print “Correct!”○ Symbolic execution is available to solve the expression in order to reach a target, in this case ”Correct”.○ Let’s apply it into Malware Command & Control logic. A C&C bot(malware) is expecting inputs(solve the expressions) to trigger behaviors(targets). ○ In this example, ONLY ‘launch-attack’ and ‘remove’ commands(inputs) triggers attack() and destroy_itself().○ Symbolic execution is able to find ”launch-attack” as an input to trigger attack(), which is a malicious behavior.○ Plus, ”remove” will lead to destroy_itself(), which is another behavior.○ Our job in this project with Symbolic execution is to find inputs, and then feed the inputs to trigger behaviors. ○ We prepared a symbolic executor and a solver for you■ Your job is to find the starting point of the function which interprets the command, and find the end point where malware actually executes some function that does malicious operations■ The symbolic executor is called angr (http://angr.io/index.html) ○ We prepared a symbolic executor and a solver for you.○ How do you run it?■ Go to ~/tools/sym-exec■ Run it likepython ./sym_exec.py [program_path] [start_address] [end_address]○ Replace the (above) start and end addresses from your CFG graph.○ The command will be printed at the end (if found) ○ After CFG analysis + symbolic execution, reconstruct the C2 server○ The tool for reconstructing the C2 server is already on the VM○ It runs nginx and php script■ This will look like ~/tools/c2-command/stage*-command.txt■ Your job is to add your commands to the relevant *.txt file“$insert” (note: the name of the command you see may vary) ● Then, type ”$insert” and save the file.○ Note: This means that if you want to run only a particular command, you’ll need to remove, or comment out the other commands in your file ○ SimState ■ angr – SimState■ While angr perform symbolic execution, it stores the current state of the program in the SimState objects.■ SimState is a structure that contains the program’s memory, register and other information.■ SimState provides interaction with memory and registers. For example, state.regs offers read, write accesses with the name of each registers such as state.regs.eip, state.regs.rbx, state.regs.ebx, state.regs.ebh ■ Creating an empty 64 bit SimState ○ Bitvectors ■ Since, we are dealing with binary files, we don’t deal with regular integers.■ In binary program, everything becomes bits and sequence of bits.■ A bitvector is a sequence of bits used to perform integer arithmetic for symbolic execution.■ Creating some 32 bit bitvector values■ state.solver.BVV(4,32) will create 32 bit length bitvector with value 4■ We can perform arithmetic operations or comparisons using the bitvectors ○ Symbolic Bitvectors ■ state.solver.BVS(’x’, 32) will create a symbolic variable named x with 32 bit length■ Angr allows us to perform arithmetic operation or comparisons using them. ○ Registers ○ Constraints ■ In a CFG, a line like if ( x > 10 ) creates a branch. Please look at the Symbolic Execution Concepts tutorial.■ Assuming x is a symbolic variable, this will create a 4> when the True branch is taken for the successor state■ For the false branch,negation of a 4> will be created. ■ Adding a constraint to a SimState ○ Radare2 ■ Launch radare2 with $ r2 ~/shared/payload.exe■ Then type aaa which will analyze all (functions + bbs)■ afl list all functions ■ For more information :○ You don’t have to use Radare2.○ Here some of the tools you may want to use ○ Check its network access with Wireshark○ Redirect network traffic to if required (if the connection fails)○ Try to identify malicious functions by editing score.h and using the cfg-generation tool○ Discover the list of commands using the symbolic execution tool ○ Fill the commands in ~/tools/c2-command/stage2-command.txt ○ Run it as mentioned before. ○ for linux malware symbolic execution○ python linux_sym_exec.py path_to_linux_mw start target○ To make it work, you need to modify two linux_sym_exec.py functions■ targs_len_before and opts_len_before ● ~/tools/dynamicanalysis/○ instrace.linux.log : the dynamic instruction trace for the linux malware○ detect_loop.py : you have to modify this file to find the loop in the given trace ○ Usage: python detect_loop.py ○ Search for C&C commands and trigger conditions○ Vet the app for any anti-analysis techniques that need to be removed. ○ Background services ○ You have received a malware sample sms.apk. ○ You need to identify communication with the C&C server ○ Identify anti-analysis techniques being used by the app.○ Identify commands that trigger any malicious behavior.○ An emulator for Android 4.4 is pre-installed ■ Run ‘run-emulator’○ Jadx■ Disassembles apk files into Java source code.○ Rebuilds apk files.○ ~/Android/MaliciousMessenger/tutorialApps ■ Emu-check.apk■ Another tutorial example○ Target app to analyze to answer the questionnaire○ On the questionnaire sheet, there are entries for writing domain names. Please follow the following rules on getting answers for those questions.○ You should write FQDN, which means, if the full domain name is canof.gtisc.gatech.edu then write canof.gtisc.gatech.edu, not just gatech.edu or gtisc.gatech.edu○ For the others (connections check, DDoS, sending info, etc.), you should get the exact domain name that the malware uses. For example, the IP address 130.207.188.35 belongs to both coe.gatech.edu and web-plesk5.gatech.edu.○ Because there are multiple mappings, you cannot be sure about which domain that the malware used by just using nslookup. In this case, please go through the other way of getting domain names from DNS Packets in Wireshark. ○ All Domains should be based on Wireshark DNS packets■ e.g., get it from a DNS query packet or redirect HTTP traffic into a local VM and examine the Host header.○ If you get see the log in the Wireshark, You will find DNS query(Standard query) and DNS response(Standard query response)○ In Domain Name System section, there is Query section, like below ○ Queries:■ x.y.z: type A, class IN.○ Answers:■ x.y.z: type CNAME, class IN, cname a.b.c○ You should use x.y.z○ For all URLs, you do not have to specify the protocol (http:// or https://, etc.).○ However, if HTTP traffic is like the following:■ POST /a/b/c/d?asdf=1234 HTTP/1.1 Host: www.zzz.com ○ Then please write this as■ www.zzz.com/a/b/c/d?asdf=1234○ There are pre-installed PHP scripts in the VM locally that read the *.txt file for each stage,■ These scripts send the command to the malware after reading them from the TXT files.■ One caveat of these scripts is that they are written to send the commands in random order (i.e., if there are commands a, b, c, then the script will randomly choose one command and send it to the malware).■ So if you want to test ONE command at a time, then please write only that command in the TXT file.○ You could use free IDA-Pro, objdump or radare2 for this task to find out called attack functions, and the target addresses.○ Look for some angr examples on the github, which adds constraints to the state.○ For the loop detection, focus on function sequence that called repetitive ● Correct command but malware is not working?○ Note that some commands for stage 2 are different per each student, by having 4 digit hexadecimal numbers at the end of the command.■ Ex. a command for stage 2 is formatted like $COMMANDa1b4■ (NOTE: three commands in stage 2 have the 4 digit hexadecimal tail.■ All commands in stage 3 have the 4 digit hexadecimal tail on the command.○ However, there could be a case that only gets the front part of the command like■ $COMMAND■ If the endpoint address of symbolic execution is not correctly set. In such a case, please set the correct end point that you can get the entire command.○ In the VM, we provide cuckoo, which is a dynamic malware analysis framework.■ It is very convenient and easy to use.■ While you are running cuckoo, you might meet some warnings and errors “critical time blah blah~” and “YARA signature…. blah blah”. Please ignore them.■ Because you are executing malware in the QEMU Windows VM, the framework needs to set a time.■ In our case, the malware is never going to unfold even though you give an infinite time to be executing the malware unless you feed the right inputs(The malware expects C2 commands.) ○ IPtable Setting■ If you check /home/analysis/.cuckoo/conf/kvm.conf, you will find how we set the QEMU windows host VM.■ You will find the IP of the host VM is “192.168.133.101”.■ If you want to see network behaviors in Cuckoo, you want to forward the IP in /home/analysis/tools/network/iptables- rules.■ For example, open iptables-rules, you want to addsudo iptables -t nat -A PREROUTING -p tcp -s 192.168.133.101 -d[DEST-IP] –dport 80 -j DNAT –to 192.168.133.1:80 ○ Run the Windows VM only when:■ Sending commands to malware■ Analyzing network traffic via Wireshark■ Once done with those tasks, turn off the Windows VM.○ Avoid running the windows VM when:■ Running cuckoo analysis■ Generating CFGs■ Running Symbolic Execution – This is quite resource intensive, avoid doing other stuff to get this done quickly. (TIP: If this seems to be taking infinite memory/time, you’re mostly trying to reach an unreachable / invalid address! check your addresses!)○ Try running the VM at a lower resolution (recommend at-least 1280×800, for legibility) – If you have a very high resolution on your host machine. You can do this in 2 ways:■ VirtualBox Menu – View > Virtual Screen 1 > Resize to a x b■ Ubuntu Menu – Type “Displays” > Change it there○ Restart after a task / stage. This is mostly a last resort but restarting the VM after finishing a task/stage made everything feel really smooth, instead of trying to free memory etc. Just be sure to run ./reset in ~/tools/networks after each VM restart! ○ Fewer resource allocation could result in some issues, you could try to reinstall the VM image (deleting the previously stored state), and even Virtual-box as a last resort.■ ~/report/assignment-questionnaire.txt■ stage1.exe, stage2.exe, payload.exe (linux malware)■ ~/tools/network/iptables_rules■ ~/tools/cfg-generation/score.hIf you did not submit report.zip on time, a 5-point deduction will be applied to your total score.○ Read assignment-questionnaire.txt ○ Carefully read the questions, and answer them in assignment-questionnaire.txt ○ For each stage, there are 4-6 questions regarding the behavior of the malware. ● Android Part○ READ ~/Android/MaliciousMessenger/writeup.pdf ○ Carefully read the writeup, answer in assignment-questionnaire.txt○ Make sure you overwrite ANSWER_HERE ○ As each section is worth an equal amount of your overall P2 grade, we normalized the Windows score by dividing by 1.1 (and rounded up), then averaged it with the Android score to get your final grade. So effectively, each point in the table above is worth half a point of your final project grade (slightly less for Windows).Android Malware Analysis LabJune 11, 2017[1] Every application must have an AndroidManifest.xml file in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app’s code. Among other things, the manifest file does the followingIn Listing 1 an example of an app’s manifest file is shown. From it, we can see that this app declares that it needs the INTERNET and RECEIVE SMS permissions. Additionally, the app uses three components: ActivityOne, SmsReceiver, and myAppsService. ActivityOne is declared in lines 80-85. The intent-filter tag specifies the types of intents that an activity, service, or broadcast receive can respond to. An intent filter declares the capabilities of its parent component – what an activity or service can do and what types of broadcasts a receiver can handle. It opens the component to receiving the intents of the advertised type, while filtering out those that are not meaningful for the component. Lines 16-21 declare a broadcast receiver component named SmsReceiver.From the intent filters, we see that the Android OS will notify SmsReceiver when the device receives a new text message. The final component this app uses is a service component named ServiceOfApp declared on lines 23-25.The Android Manifest file provides a high-level abstraction of an app’s behavior. When attempting to manually inspect the internal behaviors of an application statically, the manifest file is a good starting point. It provides key insights on the permissions an application is using, the components it is using, and how the application interacts with the Android OS and the outside world. Additional information about the contents and attributes of the manifest file can be found in the Android documentation [1].12345101112131417181920212425262728293031Listing 1: An example of an app’s Android Manifest FileAndroid uses the Android application package (APK) format to distribute apps to Android devices. Apks are nothing more than a zip file containing resources and assembled Java code. However, if you were to simply unzip the apk you would only have two files: classes.dex and resources.arsc. Since viewing or editing compiled files is next to impossible, the apk file needs to be decoded or disassembled. If one wishes to analyze an app at the bytecode level, reverse engineering tools, such as Apktool [2] are available. Additionally, the app’s Java source code can be partially reconstructed using JADX [3]. You will probably find both tools useful for completing this lab.Apktool is a reverse engineering tool for Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc. [2]. The functionality of Apktool is well-documented and we will briefly describes how this tool can be used to decode and build apk files. More information about Apktool can be found in its documentation [2].In this example, we will use Apktool to decompile a malicious apk that was found in the wild (a7f94d45c7e1de8033db7f064189f89e82ac12c1) [4]. The apk is a repackaged version of the CoinPirates game that includes a malicious payload.Apktool provides a command line interface. Its most common use case is for decoding and disassembling apk files. If you need to decode an apk file, you use the d (decode) option and pass the apk file as an argument. An example is shown in Listing 2 on line 1.123456789 101112131415Listing 2: Decoding an apk using Apktool.If you look in the directory created you should see something similar to Listing 3. For this lab, we will focus mostly on the AndroidManifest.xml file, the res/ directory, and the smali/ directory. The app’s resources, such as its images and layouts can be found in the res/ directory. In the smali/ directory, the original classes found in the classes.dex file can be found. Apktool converts the original classes.dex file into smali using baksmali[5], an assembler/disassembler for the dex format. We will discuss the contents of these files and smali syntax later on.12Listing 3: Contents of the directory created.Apktool also can rebuild an apk file from the decoded resources after making some modifications, such as modifying the smali code. To build an app you need to provide the b (build) parameter to Apktool and also provide the decoded directory as an argument like the example in Listing 4.123456Listing 4: Rebuilding an apk file using Apktool.If you received no errors, the new apk should be found in the dist subdirectory of the directory provided as input. For example the apk created from running the command in Listing 4 is shown in Listing 5. In your working directory, you will still have a copy of the original apk file. It does not include any modifications you may have made.123Listing 5: The location of the modified apk.The next step is to sign the apk you just created. If the apk has not been signed it will fail to install on an emulator or real device. The Android SDK provides a utility program called apksigner that is located in the Android/Sdk/build-tools/SDK version/ directory. We have provided this program on your VM (You can also use jarsigner if you prefer). For this lab, you should just sign the apk with the debug key, which is located in the debug.keystore file located in your $HOME/.android/ directory. An example of signing an apk is shown in Listing 6. You need to provide the location of the keystore after the –ks option and pass the apk file as an argument. You will be prompted for a password. The default password is android.123Listing 6: Signing your apk file (password is android).After you have signed your apk, install it onto the emulator to verify everything went correctly.Apktool can also be useful for making small modifications to the underlying byte code. For example, let’s assume a malicious app is using the anti-analysis check shown in Listing 7 to prevent the execution of any malicious behavior if the Build type is eng. Use apktool to disassemble this app, so that you can modify the code located in the smali directory. Use apktool to disassemble the app located in tutorialApps/emu-check.apk. After you have done so, open the file emu-check/smali/com/myapplication/MainActivity.smali in a text editor. You will see the code shown in Listing 8. The code shown is smali and is a representation of Dalvik bytecode. The Android Developer’s website provides a page that discusses the types of instructions and arguments [6].For the checkEnvironment method, the app is checking the model’s build type to see if it is equal to the string “eng”. In the bytecode, we see that the value of Build.TYPE is stored in register v0 on line 7. The string constant “eng” is stored in register v1 on line 9. The comparison of the strings is completed on line 11 and the result is stored in register v0. On line 13 we see that if the value stored in register v0 is equal to zero, then a jump to the cond 0 branch will occur. Therefore, if the Build.TYPE is not ”eng” then a jump to cond 0 occurs and the malicious behavior will be triggered. Since we are on an emulator, our Build.TYPE will be “eng” and the jump will not occur. To force the controlflow to go to cond 0, change the statement on line 15 to “goto :cond 0”. This will force the branch to occur every time the app runs. Build and sign the app. Install it onto the emulator (If you installed the previous version you will need to uninstall it first) and open the app. If you check logcat, you will see that the Build type is ”eng”. However, the app will now log the ”do something malicious” instead.12345Listing 7: Prevents malicious behavior if the build type is eng. 45678910111213141516171819202122232425262728293031323334353637Listing 8: checkEnvironment in smali.JADX [3] is another tool that can be used to disassemble apk files. However, JADX disassembles the Dalvik byte code into JAVA source code. The translation is imperfect and will most likely be incomplete, but it is still useful for doing analysis. JADX provides two interfaces: a command line interface and a gui interface. For this lab, we will only discuss the gui interface. You can start the GUI interface of JADX by running jadx-gui from the command line. When the program first opens, it will ask the user to choose a file to disassemble. It supports apk, dex, jar, class, zip, and aar files. This discussion will only discuss using apk files. After you choose the apk file, JADX will begin disassembling the apk. When it’s complete you should see the source code for each class in the Menu pane. If you review the source code, you can see it is not ideal, but it does provide insight into the app’s behavior.Now that we have disassembled the apk file, we can begin analyzing the source code to identify suspicious behavior. Defining behavior within Android is challenging. Behavior that may be suspicious or malicious in one application may be expected behavior in another application. It is reasonable for a messaging app to access a user’s contacts, but if a utility app, such as a flashlight app, accesses a user’s contacts it should raise suspicion. Therefore, the behavior that makes an application potentially malicious is not a particular pattern, but the behavior in an application that is inconsistent with the end user’s expectation. The easiest starting point for identifying any questionable behavior is by looking at the App’s manifest file. The manifest file provides a high-level abstract of an app’s behaviorIn JADX, the AndroidManifest.xml is located in the Resources/ directory. The highest level of security for Android is the permission system that protects the usage of sensitive behavior. The manifest file shows us that the CoinPirates app has access to 14 permissions. Malware often abuses the text messaging permissions to communicate with their C&C server and to try and send premium text messages without the user being aware.456789101112131415Listing 9: Permissions used by CoinPiratesAfter observing the permissions, the next goal is to vet the application by analyzing how the application uses the sensitive APIs that are protected by the suspicious permissions. Since malware writers often repackage their payload within real apps with 100’s of classes, it would be too time-consuming to search through all the source code. Instead, we will focus on the entry points of the application.[2] Android applications are written using the Java programming language. Unlike conventional Java programs, Android applications do not have a main() function or a single entry point for execution. Instead, they are designed using components. App components make up the essential building blocks of an Android app. Each component is a different point through which the system can enter a developer’s application. There are four different types of components: activities, services, content providers, and broadcast receivers. Each type of component serves a different role and the set of components used in an Android application define its overall behavior. The activity component creates user interfaces. For example, a messaging application may have one activity that creates the user interface for allowing a user to input their message and another activity for allowing the user to view their contacts. The service component runs in the background to perform tasks. Unlike, activity components, service components do not have a user interface. For example, a service component can be used to play music in the background. The content provider component handles application data. Using content providers, an application can store data in files, SQLite databases, or other persistent storage locations an application can access. The broadcast receiver component responds to system-wide broadcast announcements. For example, the system may broadcast that a picture has been captured, and the broadcast receiver can alert the application of this action. In general, broadcast receivers do minimal work, but instead, alert other components that an event occurred.Since the components are required to be declared in the manifest, this allows us to quickly identify any interesting entry points without having to search through the source code. To avoid detection, malware usually does not trigger until it receives commands from its C&C server. The two most common and efficient wants for this communication is through the network and sms. Since SMS can provide communication when the user does not have a wifi connection, it is usually preferred. Since this app has declared the RECEIVE SMS permission, we know that it has the ability to receive broadcasts about arriving text messages through a broadcast receiver. If a broadcast receiver wants to receive a text message, it must specify that it can handle this action by adding the action to its intent filter inside the manifest file. The action required is shown in Listing 10.1Listing 10: Action required to receive SMS broadcastsIn the CoinPirates manifest, we see that only one receiver has this ability, and the component’s declaration provides us with enough information to identify the package and class name that declares the receiver. Additionally, the components declaration raises more suspicion. First, it is manipulating the naming convention and is located in the com.android package. Next, it has a priority of 10000. In Android, broadcasts can be ordered or sent to all apps at the same time. In general, applications with a higher priority will receive the broadcast first. Additionally, they have the choice of aborting the broadcast() or allowing it to be sent to the app with the next highest priority. Therefore, this behavior can be manipulated by malicious apps to hide the notification of received text messages[3]456Listing 11: Action required to receive SMS broadcastsIf we use JADX to analyze the source code for the SMSReceiver class, we can identify any suspicious behavior that may occur when a text message is received. The Android OS notifies broadcast receivers by calling the receiver’s onReceive method. Therefore, we should start our analysis from this point in the app. When looking over the source code of the onReceive method, we see that the method immediately queries a database called “mydb.” The source code also shows us that the values received from the database are being compared to the sender’s number and the contents of the sms body. Based on thee results of these comparisons, the app uses the needDel (delete text message) or needUpload variables to control the apps’ control-flow.Identifying suspicious entry point that are defined in the manifest file, allows us to quickly identify suspicious behavior. For example, After analyzing the SMSReceiver we see that it is being used by the C&C server to trigger malicious behavior. We also know that the app uses the “mydb” database to interpret the C&C servers commands. While the SMSReceiver app provides the most insight, the malicious app is also using two other receivers, AlarmReceiver and BootReceiver, to start the Monitor Service. We leaving analyzing the MonitorService component to the reader.Using static analysis, we can identify the necessary events required to trigger malicious behavior in the app. Our next goal will be to leverage the details we extracted from the static analysis to dynamically generate the malicious behavior at run time.In the case that the events necessary to trigger the malicious behavior is dependent on external sources, such as a text message being received, we will need to simulate these events. Android provides several tools for injecting events into the emulator, and you can read the full documentation on the Developer’s Website [7]. One tool is the emulator console. Each running emulator instance provides a console that lets you query and control the emulated device environment. For example, you can use the console to manage port redirection, network characteristics, and telephony events while your application is running on the emulator. The console emulator will be useful for injecting events, such as text messages from a specific number or changing the location’s device. The official documentation provides several examples.A developer can provide an app with resources by placing it in a specific subdirectory of the res/ folder. Once you provide a resource in your application, you can use it by referencing its resource ID. Each resource is grouped into a ”type“ such as string, layout, or drawable.When viewing an APK in JADX, you can find the resources an app uses in the Resources directory under the resources.arsc tab. After expanding the resources.arsc file, you can find many basic resources, such as hardcoded strings found in the values directory.When JADX decompiles the APK back into source code, resources will be referenced by their ID in the R class, you can use this to create a mapping from the Resource ID to its original name in the res/resources.arsc/values subdirectory. 123Using SMS as a protocol for a C&C server is an important design decision that is different from traditional IP-based approaches known from infected PCs. The main advantages of an SMS-based approach instead of IP-based are the fact that it does not require steady connections, that SMS is ubiquitous, and that SMS can accommodate offline bots easily [8]. sms.apk is leveraging SMS to receive commands from its C&C server, you need to identify them.At this point we should have enough information to trigger the malicious behavior. The C&C server can be started by running ./start server from the command line. Start the server and send the necessary text messages. Unfortunately, no malicious behavior will be exhibited. This is because the malicious app has placed anti-analysis techniques into the app to prevent analysis. Our next goal will be to find them and see if we can emulate these triggers or remove them.The Android/BadAccents malware, discussed in [8], contains two specific checks on the incoming SMS number. It checks for ‘84’ and ‘82’ numbers, which indicates that the malware expects SMS from a C&C SMS server either located in China or South Korea. It seems the app we are inspecting does something similar.From Stage 1, we know the required country code and the necessary commands to trigger the malicious behavior. However, even if we send the correct commands with the correct country code, sms.apk will still not exhibit any malicious behavior. In order to maximize the longevity of malware, malicious developers want to prevent analysis. Since the majority of dynamic analysis frameworks are based on emulation, malicious developers integrate anti-analysis techniques to change an app’s behavior. If an app senses that the underlying environment is an emulator and not a real phone, it will change its behavior to not exhibit any suspicious behavior. In Stage 2 we will try to identify how sms.apk is checking if it is on an emulator. Then we will modify sms.apk to remove this check and trigger the malicious behavior.The most basic form of emulation detection is when a malicious app leverages a static heuristic. Static heuristics are pre-initialized values that provide information about the underlying environment [9]. Apps running on a system can check these static heuristics by calling Android APIs. For many of the values, the emulator will return values that are inconsistent with what would happen if the app was running on an real device. For example, if the TelephonyManager.getDeviceId() API returns all 0’s, the device in question is an emulator. This is because this value cannot exist on a physical device.A list of the possible static heuristics that can be found in sms.apk can be found in [10]. However, the one just mentioned would be a good starting point.The final question is a two-step process. The first step will be to modify sms.apk and remove the environment check so that we can run sms.apk on an emulator. The second step will be sending the commands found in Stage 1 to the emulator and having it exhibit malicious behavior. Upon success, the C&C server will generate the final answers.4.6.3 Step 1:4.6.4 Step 2://developer.android.com/studio/run/emulator-commandline.html# events.[1] Portions of this section are reproduced from work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.[2] Portions of this section are reproduced from work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.[3] As of Android 4.4 this has been slightly adjusted. The default SMS app will always receive the broadcast first, regardless of priority.
The goals of this project:Additional information:Accessing project resources:Setup (0 points)Please note that the file is over 9GB, so it will take some time to download. Do not wait until the last minute to download it. Do it right away!When you begin each phase, make sure to change directories for each part of the project.TABLE OF CONTENTS Phase 1 (50 points):You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. So initially you should assume that each malware we question you about below has every behavior listed. It’s your job to determine if that assumption is actually true.Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. This is, of course, not completely practical, as legitimate applications may perform the same actions in a benign fashion. We are not concerned with differentiating the two in this assignment, but it is some food for thought.Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”.You will encounter that the same API functions can end with either a W or an A. This is a standard practice in the Windows API, and this document explains the difference (either one could in theory be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-thewindows-apiFor each of the following questions, mark (true/false) which of the malware exhibit the identified behavior:DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.Download the submission template or use the JSON format below for your answers:{“sample1”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample2”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample3”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample4”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: , “behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”:},“sample5”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: , “behavior20”: }}The submitted answers should be in the format (this is an example only):{“sample1”: {“behavior01”: true,“behavior02”: false,“behavior03”: true, “behavior04”: true, ...}The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). Incorrectly formatted JSON files or typos count as a submission if the submission attempt fails. We have provided a validation script named “json_validator.py” which will check your file for proper formatting. To run the validator on your file, use the following command: “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either return “JSON file correctly formatted.” if the submission file is correct, or will return the errors found. It is not required to use the validation script, although it is highly recommend to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for Phase 1 and the Extra Credit portions of the project.For Phase 1, you will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and count as a submission. If you attempt to make more submissions than the limit, your grade will be a ZERO for submissions past five. You must fill out “true” or “false” for all 100 behaviors (5 samples X 20 behaviors) or the submission will fail and count as one submission attempt. You will want to choose your best submission of the first 5 manually in Gradescope, but this MUST be done BEFORE the project deadline. No late submissions or requests to update the submission will be accepted after the project deadline. Please submit the answers in the JSON file in the Gradescope assignment Project Malware Analysis – Phase I. Phase 2 (50 points)For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.NOTE:When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.To get started we will work through a number of simple scripts to understand some basics about deobfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project.These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.Can you figure out how to get your flag?base64 -d
ProjectImplement the following Vehicle Control system with the specifications listed below. 1. Ask the user if he/she wants a. Turn on the vehicle engine b. Turn off the vehicle engine c. Quit the system2. If chose to “Quit the system”: Quit program3. If chose to “Turn off the vehicle engine”: Ask him/her again what he/she wants to do (Requirement 1)4. Once a choice has been chosen, print on screen the system state.5. If chose to “Turn on the vehicle engine”, display “Sensors set menu”, menu that simulates the vehicle sensors readings. a. Turn off the engine b. Set the traffic light color. c. Set the room temperature (Temperature Sensor) d. Set the engine temperature (Engine Temperature Sensor)6. While the engine is ON, menu in requirement 5 must be always displayed and waits for an answer.7. Based on the answer of requirement 6. a. Based on traffic light data (Take it as input from console, we will assume that this is the sensor read value) i. If the traffic light is ‘G’ set vehicle speed to 100 km/hr ii. If the traffic light is ‘O’ set vehicle speed to 30 km/hr iii. If the traffic light is ‘R’ set vehicle speed to 0 km /h b. Based on room temperature data (Take it as input from console, we will assume that this is the sensor read value) i. If temperature less than 10, Turn AC ON and set temperature to 20 ii. If temperature is greater than 30, Turn AC ON and set temperature to 20 iii. If temperature is otherwise, Turn AC OFFc. Based on engine temperature data (Take it as input from console, we will assume that this is the sensor read value) i. If temperature less than 100, Turn “Engine Temperature Controller” ON and set temperature to 125 ii. If temperature is greater than 150, Turn “Engine Temperature Controller” ON and set temperature to 125 iii. If temperature is otherwise, Turn “Engine Temperature Controller” OFFd. If vehicle speed is 30 km/hr i. Turn ON AC if it was OFF and set room temperature to: current temperature * (5/4) + 1 ii. Turn ON “Engine Temperature Controller” if it was OFF and set engine temperature to: current temperature * (5/4) + 1e. Display the current vehicle state after applying 7.a to 7.d i. Engine state: ON/OFF ii. AC: ON/OFF iii. Vehicle Speed iv. Room Temperature v. Engine Temperature Controller State. vi. Engine Temperature8. If chose in menu of requirement 5 to “Turn off the engine”, the menu of requirement 1 must be displayed.9. Bonus Requirement: Create #define WITH_ENGINE_TEMP_CONTROLLER, if this #define is 1 then compile/run the code lines that are related to the “Engine Temperature Controller, else do not compile/run. (Code that implements5—d, 7-c, 7-d-ii, 7-e-v and 7-e-vi) Notes • To get an character input use: printf(“a. Turn on the vehicle engine “); printf(“b. Turn off the vehicle engine “); printf(“c. Quit the system “); scanf(“ %c”,&input); Make sure you left a space before %c to prevent scanf function from take new line or enter from the above printf functions as input. • For the bonus requirement, search for how to use preprocessor directive like below in C Language. #if (CONDITION) … #endif This topic will be discussed later in C For Embedded Systems (Embedded C) Course.Thanks and Good Luck Eng / Mohamed Tarek
