Visualization Tools for Teaching Computer Security
XIAOHONG YUAN, PERCY VEGA, YASEEN QADAH, RICKY ARCHER, HUIMING YU, and JINSHENG XU
North Carolina A&T State University
Using animated visualization tools has been an important teaching approach in computer science education. We have developed three visualization and animation tools that demonstrate various information security concepts and actively engage learners. The information security concepts illustrated include: packet sniffer and related computer network concepts, the Kerberos authentication architecture, and wireless network attacks. These tools are implemented using Macromedia Flash MX Professional Edition. The animations can run from a Web page as Flash Applets or as standalone applications. These visualization tools are intended to be used in undergraduate level computer network and security courses. They can be used as classroom instructor demos, student exercises, or Web-based student learning resources. These tools have been used in various computer network and information security courses at North Carolina A&T State University, and have received positive feedback from the students.
Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection; C.2.5 [Computer-Communications Networks]: Local and Wide-Area Networks; D.4.6 [Operating Systems]: Security and Protection; K.3 [Computing Milieux]: Computers and Education
General Terms: Design, Security
Additional Key Words and Phrases: Computer security, packet sniffer, Kerberos authentication architecture, wireless network attacks, visualization and animation
ACM Reference Format: Yuan, X., Vega, P., Qadah, Y., Archer, R., Yu, H., and Xu, J. 2010. Visualization tools for teaching computer security. ACM Trans. Comput. Educ. 9, 4, Article 20 (January 2010), 28 pages. DOI = 10.1145/1656255.1656258. http://doi.acm.org/10.1145/1656255.1656258.
This research was supported by National Science Foundation grants DUE-0415571 and DUE-0723491.
Author’s address: X. Yuan, Department of Computer Science, North Carolina A&T State University, 1601 East Market St., Greensboro, NC 27411.
Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. Permission may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701, USA, fax +1 (212) 869-0481.
© 2010 ACM 1531-4278/2010/01-ART20 $10.00 DOI: 10.1145/1656255.1656258. http://doi.acm.org/10.1145/1656255.1656258.
ACM Transactions on Computing Education, Vol. 9, No. 4, Article 20, Pub. date: January 2010.
20: 2 · X. Yuan et al.
1. INTRODUCTION
Concept visualization, or pedagogical visualization, has been used in various fields of computer science education, such as algorithms, computer networks, computer architecture, and so on [GVU 2002; Holliday 2003; Null and Rao
2005]. The surveys conducted by Naps et al. [2003a] suggest a widespread belief that visualization technology positively impacts learning. However, experimental studies on the educational effectiveness of visualization technology reveal an important trend: learners who actively engaged with the visualization technology have consistently outperformed learners who passively viewed visualizations. This leads to the argument that no matter how well a visualization technology is designed, it is of little educational value unless it engages learners in an active learning activity [Grissom et al. 2003; Naps et al. 2003a]. Previous surveys have also shown that a key impediment to the adoption of visualizations by instructors is the time required to learn, install, and develop visualizations and integrate them into a course [Naps et al. 2003b].
In recent years there has been a significant increase in the number of security courses in computer science curricula due to the increased demand for computer security professionals [Frincke and Bishop 2004; LeBlanc and Stiller 2004; Mullins et al. 2002; Bhagyavati et al. 2005]. Such courses could potentially benefit from visualization and animation tools that demonstrate information security concepts and actively engage learners. To integrate visualization techniques in classroom instruction, we have developed three visualization and animation tools that demonstrate various information security concepts. The objectives of the visualization tools include:
(1) Improve student comprehension of network vulnerabilities and the Kerberos protocol. Dynamic visualization can make such concepts more tangible.
(2) Better illustrate the dynamic nature of network vulnerabilities and the Kerberos protocol. Dynamic visualization can express such concepts more clearly and succinctly than words do.
(3) Increase student interest and provide better motivation for students. Students are more interested and motivated if they have fun while learning information security concepts.
(4) Help to better focus the attention of today’s students, who are accustomed to distraction and bombardment with media images.
(5) Improve student learning and retention of the information by presenting the same concepts both verbally and graphically. Students can benefit from experiencing two approaches to the same material.
The tools were designed with the following features.
—Actively engage learners. The visualization tools engage learners in such activities as: (1) constructing their own input data sets; (2) answering questions about the visualization; (3) navigating among different scenes of the visualization and controlling the animation process (e.g., choosing to fast forward, rewind, stop, pause, or resume the animation).
—Accessible through the Web. The visualization tools were implemented with Macromedia Flash 7 for its freely available player and versatility in creating interactive animations. The visualization tools can be run as standalone applications and can also be accessed through a Web browser as a Flash Applet. The visualization tools are accessible from our project Web site described in Section 6 of this article.
—Map to existing teaching and learning resources. The visualization tools can be used with popular computer network and security textbooks such as [Stallings 2003; Whitman and Mattord 2009].
Visualization Tools for Teaching Computer Security
·
20: 3
—Novice-friendly and easily learned GUI. The overall GUI is simple. The visualization tools have descriptions for each scene visualized. The tools have a built-in help menu and a tracking description which describes the animation process.
The visualization tools illustrate the following concepts: packet sniffer and related computer network concepts, the Kerberos authentication architecture, and wireless network attacks. These visualization tools are intended to be used in undergraduate level computer security and network courses. They can be used as classroom instructor demos, student exercises, or Web-based student learning resources. These tools have been used in various computer network and information security courses at North Carolina A&T State University. Our experience with these tools shows a positive impact on student learning. This article reports the three visualization tools we developed and our experience with these tools in our curriculum.
The remainder of this article is structured as follows. Sections 2, 3, and 4 describe the packet sniffer simulator, the animated learning tool for the Kerberos authentication architecture, and the visualization tool for wireless network attacks. Our classroom experience with these visualization tools is discussed in Section 5. Section 6 describes the available resources and Section 7 reviews related work on the visualization of computer security concepts. We conclude in Section 8.
2. PACKET SNIFFER SIMULATOR
A packet sniffer captures all of the data packets going through a network interface. It is normally used by a network administrator to monitor and troubleshoot network traffic. However, it can also be used by hackers for stealing information. Normally, a computer in a network would only receive data packets that were intended for it. When a computer’s network interface card (NIC) is configured into promiscuous mode, it captures all packets traversing the network. A packet sniffer can only capture data packets within a given subnet.
The packet sniffer simulator [Yuan et al. 2007a] was designed to demonstrate progressively how a packet sniffer works. It consists of a suite of five demos: direct path, real path, promiscuous mode, packet sniffer, and Telnet Over TCP/IP. Demos I to IV progressively demonstrate how a packet sniffer works at a higher level. Demo V depicts how a data packet is transmitted at a more in-depth level. It displays a protocol stack and animates the encapsulation and de-encapsulation process.
The learning objectives of the packet sniffer simulator are that, upon completion of the tool, the students should be able to:
—explain the differences between a hub, a bridge, and a router.
—describe various network topologies.
—explain how a data packet is transmitted in a local area network.
—explain the purpose of the promiscuous mode of a network interface.
—explain the purpose of a packet sniffer and how it works.
—describe the protocol stack, and the encapsulation/de-encapsulation process of a data packet.
Fig. 1. The user interface for Demo I – IV.
The user interface that Demos I–IV use is shown in Figure 1. It includes four components.
(1) Demo Sequence. The textbox at the top-left of the interface lists the names of the five demos. A demo can be selected by clicking on the demo name.
(2) Description Message. The text-area is at the top-right of the interface. It provides a brief description of the animation and is dynamically updated with the animation.
(3) Network Architecture. The network architecture used in the simulation consists of two subnets connected by a router. One subnet has a star topology, the other has a bus topology. The computers in each subnet are connected with a hub. The computers are identified with numbers from 0 to 8.
(4) Simulation Data. Demos I–IV allow the user to interact with the simulator through changing the input data. The input data are the source and destination addresses of a data packet. The user can choose from the following options: loading default data from an input file, generating input data randomly, or entering data manually. The input data are displayed in the table to the left of the network architecture. The table has two columns, “From” and “To”, which indicate the source and destination addresses respectively. Under the two-column data table, a Play button (indicated by an arrow within a square) and a checkbox “Play continuously” are provided. If the Play button is clicked with the Play continuously checkbox unchecked, the demo will show the animation for one data pair. This allows the user to step through the simulation by clicking on the Play button repeatedly. If the Play button is clicked with the Play continuously checkbox checked, the animation will run from Demo I through Demo IV sequentially and go through all the data pairs in the data table sequentially in each demo.
In what follows, each of the five demos is described.
2.1 Demo I: Direct Path
Demo I displays the path a data packet goes through to reach the destination. A data packet is represented as an oval, labeled by the source and destination numbers. Figure 1 shows a data packet, Packet 1–8, moving from computer 1 to the hub. In Demo I it will go through the hub to the left, the router in the middle, the hub to the right, and finally arrive at computer 8. Since hubs are used in the two subnets, the real path that Packet 1–8 traverses is not the same as the direct path. Demo II demonstrates the real path of a data packet in the simulated network.
2.2 Demo II: The Real Path
Since the computers in each subnet are connected with a hub, all traffic can be seen by all the computers in the subnet. The network interface card of each computer in the subnet detects the electrical signal and extracts a copy of the frame. It checks the address of each incoming frame to determine whether it should accept the frame. The network interface card compares the destination address in the frame to the computer’s physical address. If they match, the interface card accepts the frame and passes it to the operating system. If they do not match, the interface hardware discards the frame and waits for the next frame to appear [Comer 2004]. Figure 2 shows that, after the hub receives Packet 1–8, it broadcasts Packet 1–8 to computers 0, 2, and 3 in the same subnet and the router. The router then forwards Packet 1–8 to the subnet with bus topology. All the computers attached to the bus will receive Packet 1–8, but only computer 8’s network interface will accept Packet 1–8. The other computers will discard Packet 1–8. If the hubs in both subnets are replaced by switches or bridges, then the path Packet 1–8 traverses will be the same as in Demo I. By comparing Demo I and Demo II, the concepts of repeater, hub, bridge, switch, and router can be reviewed with the students.
Fig. 2. Demo II: The real path when a packet is sent by the source computer.
2.3 Demo III: Promiscuous Mode
Normally, a computer’s network interface card checks the destination address of each incoming frame to determine whether the frame should be accepted. A frame whose destination address does not match the physical address of the network interface card will be discarded. However, a computer’s network interface card can be configured by software into promiscuous mode, which overrides the conventional address checking. Once in promiscuous mode, the network interface does not check the destination address of the incoming frame, but accepts all frames. The network interface simply places a copy of each frame in the computer’s memory and informs the CPU about the arrival of the frame. This is demonstrated in Demo III by labeling the computer that is configured into promiscuous mode with a “DISCARD” comment indicating that the data packet captured by the computer is simply discarded, since there is no packet sniffer installed on the computer to process the packet. The other computers that are not configured into promiscuous mode are labeled with a “not mine!” comment indicating that they have checked the destination address of the frame and have rejected the frame.
2.4 Demo IV: Packet Sniffer
Figure 3 shows the result of an animation when computer 3 is configured into promiscuous mode and also has a packet sniffer installed. Computer 3 captured Packet 1–8 and accepted it, even though the packet was not addressed to it. This is indicated by the “mine” comment in red in Figure 3. In comparison, computer 8 is labeled with the “mine” comment in green since it is the destination of Packet 1–8. The packet sniffer then examines the content of the data packet according to its configuration.
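The NIC address check that Demos II–IV animate can be written down as a small simulation. The following Python program is an added example written for this page; it is not code from the paper or from its Flash simulator. It models the same nine computers, two hubs and the router, and returns the verdict labels the demos display (“mine”, “not mine!”, “DISCARD”). It goes slightly beyond the demos in one respect the text only mentions: `Network("switch")` replaces both hubs by switches, so the broadcast of Demo II collapses to the direct path of Demo I. Which computers are promiscuous in `demo_iv` is a constructed configuration that combines Demos III and IV.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    hid: int                     # computer number 0..8, as in the demo
    promiscuous: bool = False    # Demo III: the NIC copies every frame into memory
    sniffer: bool = False        # Demo IV: a sniffer processes what the NIC captures
    accepted: list = field(default_factory=list)

    def offer(self, frame):
        """The NIC's address check; the label mirrors the comment shown in the demo."""
        src, dst = frame
        if dst == self.hid:
            self.accepted.append(frame)
            return "mine"                    # green "mine": the real destination
        if self.promiscuous and self.sniffer:
            self.accepted.append(frame)      # captured although not addressed here
            return "mine (sniffed)"          # red "mine" in Demo IV
        if self.promiscuous:
            return "DISCARD"                 # copied into memory, nothing processes it
        return "not mine!"                   # normal NIC: destination address differs


class Segment:
    """One subnet. A hub repeats every frame to all other ports (Demo II); a switch
    forwards only to the destination's port, so the path collapses to Demo I."""

    def __init__(self, hosts, device="hub"):
        self.hosts = {h.hid: h for h in hosts}
        self.device = device

    def deliver(self, frame, exclude=None):
        src, dst = frame
        if self.device == "hub":
            ports = [h for h in self.hosts if h != exclude]
        else:
            ports = [dst] if dst in self.hosts else []
        return {h: self.hosts[h].offer(frame) for h in ports}


class Network:
    """Two subnets joined by a router: computers 0-3 on the star, 4-8 on the bus."""

    def __init__(self, device="hub"):
        self.left = Segment([Host(i) for i in range(0, 4)], device)
        self.right = Segment([Host(i) for i in range(4, 9)], device)

    def host(self, hid):
        return self.left.hosts[hid] if hid in self.left.hosts else self.right.hosts[hid]

    def send(self, src, dst):
        """Return {computer: NIC verdict} for every computer that sees the frame."""
        frame = (src, dst)
        origin = self.left if src in self.left.hosts else self.right
        other = self.right if origin is self.left else self.left
        seen = origin.deliver(frame, exclude=src)
        if dst not in origin.hosts:          # the router forwards to the other subnet
            seen.update(other.deliver(frame))
        return seen


def demo_iv():
    """Constructed scenario: computer 2 is promiscuous without a sniffer (Demo III),
    computer 3 is promiscuous with a sniffer (Demo IV), and Packet 1-8 is sent."""
    net = Network("hub")
    net.host(2).promiscuous = True
    net.host(3).promiscuous = True
    net.host(3).sniffer = True
    return net.send(1, 8)


if __name__ == "__main__":
    for hid, verdict in sorted(demo_iv().items()):
        print(f"computer {hid}: {verdict}")
    print("with switches instead of hubs:", Network("switch").send(1, 8))
```

Running it prints one verdict per computer that saw Packet 1–8 in hub mode (computer 1 itself never sees its own frame), and a single `{8: 'mine'}` in switch mode, which is the comparison Section 2.2 asks students to make.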
Fig. 3. Demo IV: Packet sniffer.
2.5 Demo V: Telnet Over TCP/IP
Demo V displays a protocol stack and animates the encapsulation and de-encapsulation process. It assumes a Telnet application sending data packets over a network with the TCP/IP protocol. Figure 4 represents three computers (PC0, PC1, and PC2) connected to a hub. In each computer a protocol stack of five layers is displayed: application, transport, network, data link, and physical layer. The animation demonstrates how a data packet generated at the application layer at PC0 is encapsulated while moving down through the protocol stack, and how it is de-encapsulated while moving up through the protocol stack at PC1 and PC2. During the encapsulation process, a header (and sometimes a trailer) is added at each protocol layer. During the de-encapsulation process, the headers (and/or trailers) are removed in reverse order. The user can step through the animation by clicking on the Play button repeatedly, or run the simulation continuously by checking the Play continuously checkbox. In Figure 4, the data frame from PC0 is transmitted to PC1 and PC2. At the data link layer, the network interface card of PC2 discards the data packet since its destination address is not PC2. PC1’s network interface card recognizes that the data packet is addressed to PC1, so the frame is forwarded to the operating system and is further de-encapsulated until it reaches the application layer in PC1.
Fig. 4. Demo V: The De-Encapsulation process.
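The layering of Demo V can be exercised with real bytes. The Python below is an added example, not the simulator’s code: it wraps a Telnet payload in simplified (deliberately not standards-conformant) TCP and IP headers, a 14-byte Ethernet header and a CRC-32 trailer standing in for the FCS, then walks the frame up a receiving stack, removing the headers in reverse order. As PC2 does in the demo, a frame whose destination MAC does not match is dropped at the data link layer, and a frame damaged on the wire is dropped by the FCS check. The MAC and IP values, port number and payload are constructed for the example.

```python
import struct
import zlib

TELNET_PORT = 23
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Constructed addresses for the three PCs of Figure 4 (PC2 needs no IP here).
MAC = {"PC0": bytes.fromhex("020000000000"),
       "PC1": bytes.fromhex("020000000001"),
       "PC2": bytes.fromhex("020000000002")}
IP = {"PC0": bytes([10, 0, 0, 10]), "PC1": bytes([10, 0, 0, 11])}


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, src_port):
    """Walk down PC0's stack. Each layer prepends its header; the data link layer also
    appends a trailer (the FCS). Returns the frame and a per-layer size trace."""
    trace = [("application", len(data))]                                    # Telnet bytes
    segment = struct.pack("!HH", src_port, TELNET_PORT) + data             # simplified TCP header
    trace.append(("transport", len(segment)))
    packet = struct.pack("!B", IPPROTO_TCP) + src_ip + dst_ip + segment    # simplified IPv4 header
    trace.append(("network", len(packet)))
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet  # Ethernet header
    frame = body + struct.pack("!I", zlib.crc32(body))                     # FCS trailer
    trace.append(("data link", len(frame)))
    trace.append(("physical", len(frame) * 8))                             # bits on the wire
    return frame, trace


def deencapsulate(frame, my_mac):
    """Walk up the receiving stack, removing headers in reverse order. Returns (payload, trace);
    payload is None when the NIC drops the frame at the data link layer, as PC2 does in Demo V."""
    trace = [("physical", len(frame) * 8)]
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        trace.append(("data link", "FCS mismatch, discarded"))
        return None, trace
    dst_mac, ethertype = body[:6], struct.unpack("!H", body[12:14])[0]
    if dst_mac != my_mac:                          # the address check of Section 2.2
        trace.append(("data link", "not mine, discarded"))
        return None, trace
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType")
    packet = body[14:]
    trace.append(("data link", len(frame)))
    if packet[0] != IPPROTO_TCP:
        raise ValueError("unexpected IP protocol")
    segment = packet[9:]                           # strip protocol byte + two IPv4 addresses
    trace.append(("network", len(packet)))
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    if dst_port != TELNET_PORT:
        raise ValueError("not for the Telnet server")
    data = segment[4:]
    trace.append(("transport", len(segment)))
    trace.append(("application", len(data)))
    return data, trace


def demo_v(data=b"login: alice\r\n"):
    """PC0 sends one Telnet segment to PC1; the hub also hands the frame to PC2."""
    frame, down = encapsulate(data, MAC["PC0"], MAC["PC1"], IP["PC0"], IP["PC1"], 40000)
    return {"down": down,
            "PC1": deencapsulate(frame, MAC["PC1"]),
            "PC2": deencapsulate(frame, MAC["PC2"])}


if __name__ == "__main__":
    for name, value in demo_v().items():
        print(name, value)
```

The `down` trace shows the PDU growing at each layer (14 payload bytes become a 45-byte frame here); PC1’s trace runs the same layers in reverse, while PC2’s trace stops at the data link layer.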
3. THE ANIMATED LEARNING TOOL FOR KERBEROS AUTHENTICATION ARCHITECTURE
Originated at MIT, Kerberos has become one of the most widely used services. Because it is an elaborate protocol, students find it very difficult to understand the many elements it contains. This motivated us to develop an animated tool to assist students in understanding this protocol. The design of this software tool is based on the strategy used by Bill Bryant of Project Athena [Bryant 1988; Stallings 2003]. It includes a series of four animated scenes that progressively demonstrate the ideas that underlie the design of the Kerberos authentication architecture. Each scene demonstrates a stage of the protocol development. Each successive scene adds additional complexity to counter security vulnerabilities revealed in the preceding scene. For some of the scenes, hacking scenarios are provided to illustrate the vulnerabilities of the scene. This software tool is based on Kerberos version 4 [Yuan et al. 2007b].
The learning objectives of the Kerberos learning tool are that, upon completion of the tool, the students should be able to:
—explain the encryption method used in the Kerberos protocol.
—explain the roles of the Authentication Server and the Ticket Granting Server.
—describe the meaning and/or purpose of Kerberos protocol elements such as K_{c,tgs}, K_c, Lifetime_2, and Ticket_{tgs}.
—explain how the Kerberos protocol protects against password stealing and replay attacks.
—explain why Kerberos does not require a user to enter the password multiple times when the user requests multiple services.
—describe the protocol stack and the encapsulation/de-encapsulation process of a data packet.
—explain the purpose of session keys and how they are transmitted to the two parties that share a session key.
The animated learning tool includes a series of four scenes: distributed authentication, centralized authentication, ticket-granting service, and the Kerberos system. These scenes progressively demonstrate the underlying ideas of Kerberos. In what follows, each of the four scenes is described.
3.1 Scene I: Distributed Authentication
Scene I (Figure 5) shows an open network with three workstations (Alice, Bob, and John) and two service servers (Microsoft Exchange/Email Server and Windows NT application/file server). Alice and Bob are connected to a hub; the hub, John, and the two servers are connected to a switch. Each service server has a password database to authenticate the users requesting service. The user interface includes navigation buttons “Main”, “Prev”, and “Next” which allow the user to go to the main page, the previous scene, and the next scene. The “Demo Controllers” are buttons that allow the user to pause, stop, start, rewind, and fast forward the animation. Clicking on the Help button will bring up a window explaining the functions of the buttons. Clicking on the Tracking button will bring up a window explaining the animation process. The Challenge button will bring up a set of multiple-choice questions which evaluate the user’s understanding of the demonstrated scene. The user can click on a Check Answer button to check whether his/her answer is correct.
This scene animates the following process: Alice sends a request which includes Alice’s ID and password to the e-mail server. The e-mail server verifies Alice’s ID and password using its password database. If Alice is verified, the e-mail server sends a response back to Alice. In the animation, a message is represented as a box which contains information. Message transmission is depicted as the box moving along the network links from source to destination.
The security mechanism of distributed authentication has two drawbacks: (1) the user’s ID and password are sent in plaintext over the network; (2) if a user wants to change his password, he has to change passwords in all the servers. This leads to the next scene, “Centralized Authentication.”
Fig. 5. Distributed authentication.
3.2 Scene II: Centralized Authentication
In this scene (see Figure 6), an Authentication Server (AS) is added which has a centralized password database. Alice sends to the AS her ID, password, and the e-mail server ID. The AS verifies Alice’s ID and password using its centralized database. If Alice is verified, the AS creates an e-mail server ticket encrypted with the shared secret key of the e-mail server and the AS and sends this ticket to Alice. Alice then sends this e-mail server ticket along with her ID to the e-mail server. The e-mail server decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted user ID in the message. If these two match, the e-mail server sends the requested information back to Alice. In the animation, the e-mail server ticket is represented as a small green box. Encrypting the e-mail server ticket is depicted as using a green key icon to lock the green box, and decrypting the ticket is depicted as using the same key to unlock the green box.
The drawbacks of Centralized Authentication are: (1) the user’s ID and password are still sent in plaintext over the network; (2) the service server ticket is reusable, and can be stolen and used by the hacker; (3) the user has to give the AS his password every time he wants to use a service for which he does not have a ticket. Two hacking scenarios are designed for this scene. One demonstrates password stealing using a packet sniffer, and the other demonstrates a replay attack. The animation of the hacking scenarios can be viewed by clicking on the “Pass. Steal.” button and the Replay Attack button.
Fig. 6. Centralized authentication.
3.3 Scene III: Ticket-Granting Service
Compared with Centralized Authentication, a Ticket-Granting Server (TGS) is added (see Figure 7). First the client sends the user’s ID and the TGS ID to the Authentication Server (AS) to request a ticket-granting ticket (the client refers to either the user, e.g., Alice, or the program that contacts the server on behalf of the user). The AS responds with a ticket that is encrypted with a key derived from the user’s password (i.e., the client’s private key). When the client receives the response, it generates the key from the user’s password and attempts to decrypt the response using the key. After successfully recovering the ticket-granting ticket, the client sends a message to the TGS to request a service ticket. After verifying the client and the ticket-granting ticket, the TGS sends the service ticket to the client. The client then uses this ticket to request service from the service server. With this mechanism, the client only has to use the password once. The password is not sent over the network in clear text. It is converted to a DES key and used to decrypt the response from the AS. However, the ticket can still be stolen, and a replay attack can be launched.
Fig. 7. Ticket-granting service.
3.4 Scene IV: Kerberos System
Kerberos [Steiner et al. 1988] is a trusted third-party authentication service. It provides a centralized authentication server whose function is to authenticate users to servers and servers to users. It uses symmetric encryption with keys shared with the authentication server. Kerberos keeps a database containing the private keys of clients and servers and uses the private keys to authenticate one network node to another. Kerberos also generates temporary session keys to be shared by the two parties in a conversation. All communications between the two parties are then encrypted with the session key. The Kerberos authentication process is as follows (we follow the description given in Whitman and Mattord [2009]).
(1) User logs into client machine. The client refers to the program that requests services on behalf of the user. The client encrypts the user password based on DES to create the client’s private key. The client’s private key is only known to the client and the Authentication Server (AS) and will be used to decrypt messages sent to the client. The client’s private key will always be the same for all uses by this user with this particular password.
(2) Client sends a clear request to the AS asking for a ticket to the ticket-granting server (TGS).
(3) AS creates a client/TGS session key for future communication between client and TGS. AS then sends to the client a message encrypted with the client’s private key. This message consists of the client/TGS session key, TGS ID, timestamp, ticket valid time, and ticket-granting ticket (TGT). The TGT contains the client ID, client address, timestamp, ticket valid time, and client/TGS session key. The TGT is encrypted in the TGS’ private key known only to the AS and the TGS.
(4) Client requests service from the TGS, sending: server ID, TGT, and authenticator (containing client ID, client address, and timestamp, all encrypted in the client/TGS session key).
(5) TGS responds with a message encrypted with the client/TGS session key. The message contains the server ID, timestamp, client/server session key, and the server’s ticket. The server’s ticket contains the client ID, client address, server ID, timestamp, ticket valid time, and client/server session key, all encrypted with the server’s private key.
(6) Client authenticates to the server by sending the server ticket and an authenticator (containing client ID, client address, and timestamp, all encrypted in the client/server session key).
(7) Server provides the requested service to the client.
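The seven steps above, together with the replay vulnerability that Scenes II and III leave open, can be run end to end in a few dozen lines. The Python below is an added simulation written for this page; it is neither the learning tool’s code nor a real Kerberos implementation. A toy encrypt-then-MAC construction (SHA-256 keystream plus HMAC, `seal`/`unseal`) stands in for DES, each message and ticket is a JSON dictionary with the fields listed in the steps, and the ticket lifetime, the clock-skew window, the client address and the password are assumed values. `KDC` plays both the AS (steps 2–3) and the TGS (steps 4–5); `Server` is the service server (steps 6–7) and keeps the cache of authenticators it has already accepted, which is what turns John’s captured ticket-plus-authenticator into a rejected replay.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket valid time in seconds (assumed value)
SKEW = 300            # accepted age of an authenticator timestamp in seconds (assumed value)


def string_to_key(password):
    """Kerberos 4 turns the password into a DES key; SHA-256 stands in for DES here."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC for this simulation only (stands in for DES; not for real use)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket(ticket, auth, now):
    # Checks shared by the TGS and the service server: ticket still valid, authenticator
    # names the same client and address as the ticket, and its timestamp is recent.
    if now > ticket["ts"] + ticket["lifetime"]:
        raise ValueError("ticket expired")
    if (auth["client"], auth["addr"]) != (ticket["client"], ticket["addr"]):
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator too old")

class KDC:
    """Authentication Server and Ticket-Granting Server sharing one key database."""
    def __init__(self, clock):
        self.clock, self.client_keys, self.server_keys = clock, {}, {}   # clock is a settable dict
    def as_exchange(self, client_id, addr):                        # steps 2 and 3
        now, sk = self.clock["t"], os.urandom(16).hex()             # new client/TGS session key
        tgt = {"client": client_id, "addr": addr, "ts": now, "lifetime": LIFETIME, "session": sk}
        msg = {"session": sk, "tgs": "tgs", "ts": now, "lifetime": LIFETIME,
               "tgt": seal(self.server_keys["tgs"], tgt).hex()}    # TGT readable only by the TGS
        return seal(self.client_keys[client_id], msg)               # readable only with the password key
    def tgs_exchange(self, server_id, tgt_hex, auth_blob):          # steps 4 and 5
        tgt = unseal(self.server_keys["tgs"], bytes.fromhex(tgt_hex))
        auth = unseal(bytes.fromhex(tgt["session"]), auth_blob)     # proves the client holds the session key
        now = self.clock["t"]
        check_ticket(tgt, auth, now)
        sk = os.urandom(16).hex()                                   # new client/server session key
        ticket = {"client": tgt["client"], "addr": tgt["addr"], "server": server_id,
                  "ts": now, "lifetime": LIFETIME, "session": sk}
        msg = {"server": server_id, "ts": now, "session": sk,
               "ticket": seal(self.server_keys[server_id], ticket).hex()}
        return seal(bytes.fromhex(tgt["session"]), msg)

class Server:
    def __init__(self, key, clock):
        self.key, self.clock, self.seen = key, clock, set()
    def authenticate(self, ticket_hex, auth_blob):                 # steps 6 and 7
        ticket = unseal(self.key, bytes.fromhex(ticket_hex))
        auth = unseal(bytes.fromhex(ticket["session"]), auth_blob)
        check_ticket(ticket, auth, self.clock["t"])
        if (auth["client"], auth["ts"]) in self.seen:               # same authenticator presented twice
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return "service granted to " + auth["client"]

def authenticator(session_hex, client_id, addr, now):
    return seal(bytes.fromhex(session_hex), {"client": client_id, "addr": addr, "ts": now})

def run_demo():
    """Alice obtains a TGT, a service ticket and service; John replays what he captured."""
    clock, results = {"t": 1_000_000}, {}
    kdc = KDC(clock)
    kdc.client_keys["alice"] = string_to_key("correct horse")      # step 1: only the derived key is stored
    kdc.server_keys["tgs"], kdc.server_keys["email"] = os.urandom(32), os.urandom(32)
    email = Server(kdc.server_keys["email"], clock)
    addr = "10.0.0.5"                                               # constructed client address
    as_reply = kdc.as_exchange("alice", addr)                       # request is in the clear, reply is not
    try:
        unseal(string_to_key("wrong password"), as_reply)           # a wrong password cannot open the reply
    except ValueError as e:
        results["wrong_password"] = str(e)
    msg = unseal(string_to_key("correct horse"), as_reply)
    auth1 = authenticator(msg["session"], "alice", addr, clock["t"])
    svc = unseal(bytes.fromhex(msg["session"]), kdc.tgs_exchange("email", msg["tgt"], auth1))
    auth2 = authenticator(svc["session"], "alice", addr, clock["t"])
    results["first"] = email.authenticate(svc["ticket"], auth2)
    for label, advance in (("replay", 0), ("stale", SKEW + 1)):     # John resends the captured pair
        clock["t"] += advance
        try:
            email.authenticate(svc["ticket"], auth2)
        except ValueError as e:
            results[label] = str(e)
    return results
```

`run_demo()` returns the first request as granted, the immediate replay as rejected by the authenticator cache, and the same replay after the skew window as rejected on timestamp alone, which is why a server need only remember authenticators for the length of that window. Without the client/server session key, John cannot mint a fresh authenticator for the stolen ticket: `unseal` rejects anything sealed under a different key.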
Scene IV demonstrates the Kerberos protocol. The network architecture in this scene is the same as in the previous scene. It counters the vulnerability of replay attack by using session keys and authenticators. The Kerberos protocol also allows mutual authentication, that is, the servers may be required to authenticate themselves to the clients. In the animation, various colors are used to indicate different messages or tickets exchanged.
4. THE VISUALIZATION TOOL FOR WIRELESS NETWORK ATTACKS
The topic of computer network attacks is an important component in information security curricula. We have developed a visualization tool to demonstrate various wireless network attacks. It includes a series of five demos that animate the following attacks popular in wireless networks: Eavesdropping, Evil Twin, Man in the Middle, ARP Cache Poisoning, and ARP Request Replay. Each demo includes at least one user (Alice), sometimes a second user (Bob), a hacker (John), and an access point (AP). The user interface of this tool is similar to that of the Kerberos learning tool. The user can choose to play the animation, rewind to see the previous step of the animation, forward to see the next step of the animation, pause, or stop the animation. The tool also provides challenge questions to give the user a quiz on the animation he watched.
The learning objectives of the visualization tool for wireless network attacks are that, upon completion of the tool, the students should be able to:
—explain how a hacker eavesdrops in a wireless network.
—describe the steps a host goes through to connect to an IEEE 802.11 access point.
—explain how a host connects to an evil twin.
—explain how a Man-in-the-Middle attack is conducted by the hacker.
—explain how a hacker uses ARP cache poisoning to intercept data packets.
—explain the purpose of ARP request replay.
In what follows, the visualization scenarios of the five types of wireless network attacks are described [Yuan et al. 2008].
4.1 Eavesdropping
In an eavesdropping attack, the attacker configures his/her network interface card (NIC) into promiscuous mode. The Eavesdropping scenario demonstrates how a hacker eavesdrops on the communication between two wireless nodes. Figure 8 shows a snapshot of the Eavesdropping demo. The network includes two users (Alice, Bob), an AP, and a hacker (John). The messages between two network nodes are represented by a small box. Textual explanation is provided to describe the animation scenario. The sequence of the animation is described here.
(1) John sets his NIC to promiscuous mode. This allows John to capture packets between Alice and the AP.
(2) Alice sends a message to Bob. The packets are sent from Alice to the AP, and then forwarded by the AP to Bob.
(3) John captures the message since his NIC is configured to promiscuous mode, and his radio is tuned to the communication channel between Alice and the AP.
(4) Bob sends a message back to Alice. The packets are forwarded by the AP to Alice.
(5) John captures the message (sent by the AP to Alice).
Fig. 8. A snapshot of the Eavesdropping demo.
4.2 Evil Twin An evil twin is a wireless access point that masquerades as a legitimate one. An attacker can create an evil twin by using a laptop, a wireless network card, and some readily-available software. The attacker positions himself in the vicinity of a legitimate AP and discovers what service set identifier (SSID) and radio frequency the legitimate AP uses. He then sends out radio signals using the same SSID. The attacker’s computer becomes a Rogue AP or evil twin. Since the Rogue AP may be physically closer to the user than the legitimate AP, the user may be connected to the evil twin rather than the legitimate AP. The evil twin scenario demonstrates how the hacker sets up an evil twin, and has the client connect to it. The sequence of the animation is described as follows. (1) John is eavesdropping on the communication between Alice and the AP. (2) Alice sends out a PROBE REQUEST requesting the ESSID (Essential SSID) of an AP nearby. The AP responds with a PROBE RESPONSE which includes its ESSID and BSSID (Basic SSID). John captures the ESSID information that is in the PROBE RESPONSE. (3) Alice then sends AUTHENTICATE REQUEST to the AP, and receives AUTHENTICATE RESPONSE from the AP; after that, Alice sends ASSOCIATE REQEST to the AP, and receives ASSOCIATE RESPONSE from the AP. Alice is now associated to the AP whose ESSID is “CORP.” (4) John sets up a Rogue AP using the ESSID John captured through eavesdropping. (5) John broadcasts a de-authenticate frame to Alice to disconnect Alice from the AP. (6) Alice is disconnected from the AP. (7) Alice re-associates with the rogue AP since it is physically closer. 4.3 Man in the Middle In the Man in the Middle (MITM) attack, the attacker intercepts the traffic between two computers. The attacker sniffs packets from the network, may modify the packets and inserts them back into the network. In a wireless environment, the attacker can set up a Rogue AP. 
When the user associates with the Rogue AP, the Rogue AP can be the man in the middle between the user and the legitimate AP. The Man in the Middle scenario demonstrates this process, and the sequence of the animation is described as follows.

(1) Alice is connected to the AP. John is eavesdropping and captures the PROBE RESPONSE sent by the AP.
(2) John sets up a Rogue AP.
(3) John broadcasts a de-authenticate frame to Alice and Alice is disconnected from the AP.
(4) Alice re-authenticates to John by accident or because John is physically closer to Alice.
(5) John authenticates to the AP on behalf of Alice.
(6) The AP responds to John’s Re-authenticate request.
(7) John responds to Alice’s Re-authenticate request.
(8) Alice re-associates to John.
(9) John re-associates to the AP on behalf of Alice.
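A defender-side counterpart to the two sequences above, added here as an example and not part of the paper's Flash tool: a passive monitor that, given an inventory of authorised BSSIDs per SSID, flags a second BSSID advertising “CORP” (step 4 of 4.2), a burst of de-authenticate frames claiming the AP's address (step 5), and a station associating to an unlisted BSSID (step 7). All MAC addresses, frame timings and the inventory are constructed.

```python
"""Passive monitor for the evil twin and MITM sequences in Sections 4.2 and 4.3.

Added example, not part of the paper's Flash tool. The frame records below are
constructed to mirror the animation; all MAC addresses are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """One captured 802.11 management frame (simplified)."""
    t: float          # capture time in seconds (constructed)
    kind: str         # "beacon", "probe_resp", "deauth" or "assoc_req"
    src: str          # transmitter address as seen on the air; may be spoofed
    dst: str          # receiver address, BCAST for broadcast
    ssid: str = ""    # SSID carried by beacons and probe responses


def analyze(frames: Iterable[Frame], known_aps: Dict[str, Set[str]],
            deauth_threshold: int = 3, window: float = 10.0) -> List[Tuple[str, str]]:
    """Return (alert_type, detail) tuples for the three steps a defender can see.

    known_aps is the defender's inventory: SSID -> set of authorised BSSIDs.
    - evil_twin:    an inventoried SSID is advertised by a BSSID not in the inventory
                    (step 4 of 4.2: John's rogue AP reuses the captured ESSID "CORP")
    - deauth_flood: >= deauth_threshold deauthentication frames apparently from one
                    BSSID within `window` seconds (step 5: the de-authenticate frame's
                    source address is spoofed, so it is keyed on the claimed BSSID;
                    802.11w management frame protection is what removes this vector)
    - rogue_assoc:  a station associates to a BSSID that is in no inventory entry
                    (step 7: Alice re-associates with the rogue AP)
    """
    alerts: List[Tuple[str, str]] = []
    seen_bssids: Dict[str, Set[str]] = defaultdict(set)       # ssid -> BSSIDs advertising it
    deauth_times: Dict[str, List[float]] = defaultdict(list)  # claimed BSSID -> times
    all_known: Set[str] = set().union(*known_aps.values())

    for f in sorted(frames, key=lambda x: x.t):
        if f.kind in ("beacon", "probe_resp") and f.ssid:
            first_time = f.src not in seen_bssids[f.ssid]
            seen_bssids[f.ssid].add(f.src)
            if first_time and f.ssid in known_aps and f.src not in known_aps[f.ssid]:
                alerts.append(("evil_twin",
                               f"SSID {f.ssid!r} advertised by unknown BSSID {f.src}"))
        elif f.kind == "deauth":
            times = deauth_times[f.src]
            times.append(f.t)
            while times and f.t - times[0] > window:    # slide the window forward
                times.pop(0)
            if len(times) == deauth_threshold:           # alert once per crossing
                alerts.append(("deauth_flood",
                               f"{len(times)} deauth frames from {f.src} in {window:g}s"))
        elif f.kind == "assoc_req" and f.dst not in all_known:
            alerts.append(("rogue_assoc", f"station {f.src} associating to {f.dst}"))
    return alerts


# Constructed inventory and capture following the animation: the corporate AP
# "CORP", Alice as the client, and John's rogue AP reusing the same ESSID.
AP_BSSID = "00:11:22:33:44:55"
ROGUE_BSSID = "66:77:88:99:aa:bb"
ALICE = "aa:aa:aa:aa:aa:aa"
KNOWN_APS = {"CORP": {AP_BSSID}}

SAMPLE_FRAMES = [
    Frame(0.0, "beacon", AP_BSSID, BCAST, "CORP"),
    Frame(1.0, "probe_resp", AP_BSSID, ALICE, "CORP"),   # step 2: John captures the ESSID
    Frame(2.0, "assoc_req", ALICE, AP_BSSID),            # step 3: Alice joins CORP
    Frame(5.0, "beacon", ROGUE_BSSID, BCAST, "CORP"),    # step 4: rogue AP appears
    Frame(6.0, "deauth", AP_BSSID, BCAST),               # step 5: spoofed deauths
    Frame(6.1, "deauth", AP_BSSID, BCAST),
    Frame(6.2, "deauth", AP_BSSID, BCAST),
    Frame(7.0, "assoc_req", ALICE, ROGUE_BSSID),         # step 7: Alice joins the twin
]


def sample_alert_types() -> List[str]:
    """Alert types raised on the constructed capture, in order."""
    return [kind for kind, _ in analyze(SAMPLE_FRAMES, KNOWN_APS)]


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_FRAMES, KNOWN_APS):
        print(f"{kind:13s} {detail}")
```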
4.4 ARP Cache Poisoning

Address Resolution Protocol (ARP) is a network layer protocol used to associate an IP address with a MAC address. A network device has an ARP cache, which contains all the IP and MAC addresses the device has already matched together. With the ARP cache the device does not have to repeat ARP Requests for devices it has already communicated with. In an ARP cache poisoning attack, the attacker introduces an erroneous IP-to-MAC address mapping into another host’s ARP cache. This results in IP traffic intended for one host being diverted to a different host or to no host at all.

The ARP Cache Poisoning scenario demonstrates how the hacker causes an incorrect IP/MAC address mapping to be added to a computer’s ARP cache. Figure 9 shows a snapshot of the ARP Cache Poisoning demo. In Figure 9, each user computer is labeled with its IP and MAC addresses. An ARP cache table that stores IP/MAC address mappings is displayed beside each user computer. The sequence of the animation is described here.

(1) Bob broadcasts an ARP request: “Who has IP address 192.168.0.2?”
(2) The ARP request is broadcast by the AP to Alice and John.
(3) Alice sends out an ARP response: “I have 192.168.0.2, my MAC address is BB:BB:BB:BB:BB:BB.”
(4) Alice’s IP and MAC addresses are added to Bob’s ARP cache table.
(5) John sends Alice a fake ARP response: “I have 192.168.0.3, my MAC address is AA:AA:AA:AA:AA:AA.” This message is forwarded by the AP to Alice.
(6) Alice’s ARP cache table adds the entry 192.168.0.3, AA:AA:AA:AA:AA:AA.
(7) Alice sends a packet to Bob; because of the incorrect IP and MAC address mapping, the packet is sent to John instead of Bob.
(8) John forwards the packet to Bob. John acts as a man in the middle between Alice and Bob.

4.5 ARP Request Replay

Replay is a network attack where a validated data transmission is intercepted and retransmitted at a later time.
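Returning to the ARP Cache Poisoning sequence in 4.4: an added example, not part of the paper's tool, of an arpwatch-style passive monitor that replays the animation's messages and flags John's reply in step 5 both as unsolicited and as conflicting with the binding that Bob's own request announced. Alice's and John's addresses are those shown in the demo; Bob's MAC address is constructed, and the ArpMsg/ArpMonitor names are this example's own.

```python
"""Passive ARP monitor for the ARP Cache Poisoning sequence in Section 4.4.

Added example, not part of the paper's Flash tool. The messages below follow the
animation's steps; Alice's and John's addresses are the ones shown in the demo,
Bob's MAC address is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Alert = Tuple[str, str]


@dataclass(frozen=True)
class ArpMsg:
    op: str          # "request" or "reply"
    sender_mac: str  # hardware address the sender claims for itself
    sender_ip: str   # protocol address the sender claims for itself
    target_mac: str  # all zeros in a request; the asker's MAC in a reply
    target_ip: str   # the IP being asked about, or the asker's IP in a reply


class ArpMonitor:
    """Keeps first-seen IP -> MAC bindings (the arpwatch approach) and flags two
    things an end host's own ARP cache never checks:

    - unsolicited_reply: a reply for an IP nobody asked about (step 5: John's fake
      response for 192.168.0.3 answers a question Alice never sent)
    - mapping_conflict:  an IP already bound to one MAC is claimed by another
      (John's AA:AA:... claim contradicts the binding Bob's own request announced)

    ARP carries no authentication, which is why Alice's cache accepts the fake
    reply in step 6. Static entries or switch-side dynamic ARP inspection prevent
    the poisoning; this monitor is the detection side.
    """

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}                       # ip -> first-seen mac
        self.pending: Dict[str, Set[str]] = defaultdict(set)  # asked ip -> asker macs

    def _learn(self, ip: str, mac: str, alerts: List[Alert]) -> None:
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known.lower() != mac.lower():
            alerts.append(("mapping_conflict", f"{ip} was {known}, now claimed by {mac}"))

    def observe(self, m: ArpMsg) -> List[Alert]:
        """Process one ARP message and return the alerts it raised."""
        alerts: List[Alert] = []
        if m.op == "request":
            # The sender fields of a request announce the asker's own binding, and
            # the request records who is entitled to a reply for target_ip.
            self._learn(m.sender_ip, m.sender_mac, alerts)
            self.pending[m.target_ip].add(m.sender_mac)
        else:
            askers = self.pending[m.sender_ip]
            if m.target_mac in askers:
                askers.discard(m.target_mac)
            else:
                alerts.append(("unsolicited_reply",
                               f"{m.sender_ip} is at {m.sender_mac}, sent to "
                               f"{m.target_mac} without a matching request"))
            self._learn(m.sender_ip, m.sender_mac, alerts)
        return alerts

    def run(self, msgs: Iterable[ArpMsg]) -> List[Alert]:
        """Feed a whole capture through the monitor, in order."""
        out: List[Alert] = []
        for m in msgs:
            out.extend(self.observe(m))
        return out


# Constructed capture following steps 1, 3 and 5 of the animation.
ALICE_MAC = "BB:BB:BB:BB:BB:BB"  # 192.168.0.2, from the demo
JOHN_MAC = "AA:AA:AA:AA:AA:AA"   # from the demo
BOB_MAC = "CC:CC:CC:CC:CC:CC"    # constructed; the demo does not show Bob's MAC
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_MSGS = [
    ArpMsg("request", BOB_MAC, "192.168.0.3", ZERO_MAC, "192.168.0.2"),   # step 1
    ArpMsg("reply", ALICE_MAC, "192.168.0.2", BOB_MAC, "192.168.0.3"),    # step 3
    ArpMsg("reply", JOHN_MAC, "192.168.0.3", ALICE_MAC, "192.168.0.2"),   # step 5
]


def sample_alerts() -> Tuple[List[Alert], Dict[str, str]]:
    """Alerts raised on the constructed capture, plus the bindings the monitor kept."""
    mon = ArpMonitor()
    return mon.run(SAMPLE_MSGS), dict(mon.table)


if __name__ == "__main__":
    alerts, table = sample_alerts()
    for kind, detail in alerts:
        print(f"{kind:18s} {detail}")
    print("bindings kept:", table)
```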
An ARP request replay attack is used by the attacker to generate new initialization vectors (IVs), which can be used to crack the WEP encryption key. An IV is a continuously changing number used in combination with a key to encrypt data. The attacker first eavesdrops on an ARP request on the network and then retransmits it back to the network. The computer with the IP address in the ARP request then sends an ARP response to the attacker. Every time the computer sends an ARP response, it generates a new IV, which is captured by the attacker. The attacker repeatedly sends out ARP requests until large quantities of IVs are captured. These IVs are then used to crack the WEP key.

Fig. 9. A snapshot of the ARP Cache Poisoning demo.

The ARP Request Replay scenario demonstrates how an attacker replays ARP requests in order to crack a WEP key. Figure 10 shows a snapshot of the ARP Request Replay demo. In Figure 10, each station is labeled with its IP and MAC addresses. John also has an IV table that stores the IVs he captured. The sequence of the animation for the ARP Request Replay scenario is described as follows.

(1) Bob broadcasts an ARP request: “Who has IP address 192.168.0.2?” John captures Bob’s ARP request.
(2) The ARP request is sent to the AP, and is broadcast by the AP to Alice and John.
(3) Alice sends the encrypted ARP response to Bob. The encrypted ARP response includes an IV.
(4) John captures the ARP response through eavesdropping, extracts the IV from the packet, and stores the IV in the Captured IV Table.
(5) John resends the captured ARP request: “Who has IP address 192.168.0.2?”
(6) The ARP request is broadcast by the AP to Alice and Bob.
(7) Alice sends the encrypted ARP response to John. This ARP response uses a new IV.
(8) John receives the response packet, extracts the new IV, and adds it to his IV table.
(9) Repeat steps 5–8 until John collects enough different IVs for cracking the WEP key.
(10) John cracks the WEP key using the captured IVs.

Fig. 10. A snapshot of the ARP Request Replay demo.

5. CLASSROOM EXPERIENCE

The packet sniffer simulator, the animated learning tool for the Kerberos authentication architecture, and the visualization tool for wireless network attacks have been used in various network security courses in different semesters at North Carolina A&T University. The student feedback on these tools has been very positive. In what follows, we discuss our classroom experience with these tools and the limitations of the evaluations.

5.1 Classroom Experience with the Packet Sniffer Simulator

The packet sniffer simulator was used in the Network Security class in the Fall 2005 and Fall 2006 semesters. Before the tool was introduced to the students, the students were first given a pre-test. Then the instructor gave a brief introduction of the packet sniffer simulator in the class. The packet sniffer simulator was accessible through the Web by the students. Two weeks later, the students were given a post-test. During the two weeks, the instructor did not give any further instruction on packet sniffers. The post-test counts for 2% of the student’s grade for this course. An anonymous questionnaire was also given to the students at the end of the semester. The packet sniffer pre-test is included in Appendix A. The packet sniffer post-test is basically the same as the pre-test except that the order of the questions has been changed.

Out of the thirteen students enrolled in the Fall 2005 class, eleven took both the pre-test and post-test. Out of the sixteen students enrolled in the Fall 2006 class, thirteen took both the pre-test and post-test. A paired t-test was run on the pre- and post-test scores of the 24 students in the two classes. The results are listed in Table I. The t-test results show that the improvement from pre-test to post-test is statistically significant.

Table I. t-test Results of Packet Sniffer Pre- and Post-Test Scores
  pre-test mean          40.20833
  pre-test variance     696.9354
  post-test mean         75.97222
  post-test variance    672.6852
  degrees of freedom     23
  observations           24
  two-tail p-value        1.21E-09

Twenty-five students in the two classes participated in the questionnaire. Table II summarizes the results of the questionnaire. Ninety-two percent of the students agree that the packet sniffer simulator has helped them in learning computer network and security concepts, that the learning objectives are met by using the tool, and that the tool is easy to learn and understand. Ninety-two percent of the students would like to see more of this kind of visualization tool in the classes they take, and 92% of the students would definitely or probably recommend this tool to others.

Table II. Student Questionnaire Results on Packet Sniffer Simulator (Total Number of Students: 25)

  Question: Do you think the demo helped in learning computer network and security concepts?
  Response: 48% strongly agree; 44% agree; 8% neither agree nor disagree

  Question: Do you think the learning objectives are met by using the tool?
  Response: 52% strongly agree; 40% agree; 4% neither agree nor disagree; 4% disagree

  Question: Do you think this demo is easy to learn and understand?
  Response: 52% strongly agree; 40% agree; 8% neither agree nor disagree

  Question: Would you like to see more of these demos (or simulators) in the remaining duration of this course?
  Response: 72% strongly agree; 20% agree; 8% neither agree nor disagree

  Question: How likely are you to recommend this tool to others?
  Response: 60% definitely will recommend; 28% probably will recommend; 8% not sure; 4% probably will not recommend
Table III. Student Questionnaire Results on the Kerberos Learning Tool (Total Number of Students: 16)

  Question: Do you think the demo helped in learning Kerberos authentication architecture?
  Response: 43.8% strongly agree; 43.7% agree; 12.5% neither agree nor disagree

  Question: Do you think this demo is easy to learn and understand?
  Response: 31.3% strongly agree; 56.2% agree; 12.5% disagree

  Question: Would you like to see more of these demos (or simulators) in the remaining duration of this course?
  Response: 50% strongly agree; 18.8% agree; 18.7% neither agree nor disagree; 12.5% disagree

  Question: How likely are you to recommend this tool to others?
  Response: 81.3% definitely will recommend; 6.2% probably will recommend; 12.5% not sure
5.2 Classroom Experience with the Kerberos Learning Tool

The Kerberos learning tool was introduced to the Network Security class in the Fall 2006 semester. Sixteen students were enrolled in this class. The instructor first gave an introduction to the Kerberos learning tool in the class. Then the students were asked to use the software after class. The Kerberos learning tool was accessible through the Web. A quiz (see Appendix B) on Kerberos concepts was given one week after the students used the software. During that week no further instruction on Kerberos was given to the students in the class. Of the ten students who took the quiz, six got scores above 90. The average score was 80.

The Kerberos learning tool was also introduced to the Security Management of Information Systems course in the Fall 2006 semester. Nine students were enrolled in this class. Homework questions (see Appendix B) on Kerberos concepts were given to the students after the Kerberos learning tool was introduced to them in a class. The students were to use the tool after class and turn in the homework after a week. During that week no further instruction on Kerberos was given to the students in the class. Of the six students who turned in the homework, five got scores above 90.

The students’ opinions on this tool were collected through an anonymous survey and are summarized in Table III. Sixteen students participated in the survey. Eighty-seven and a half percent of the students strongly agree or agree that the tool has helped them in learning the Kerberos authentication architecture and that the tool is easy to learn and understand, and are very likely to recommend the tool to others. Some comments from the students include: “It provides comprehensive explanation about the topic using questions,” “It will help reinforce concepts that most students would not get from a diagram. It is a positive teaching tool, the students would be able to refer and use it at their own leisure,” “The tool is easy to learn and understand,” “It is interesting and informative,” “It demonstrates Kerberos concepts thoroughly,” “It is well-designed, user-friendly,” and “It is interesting.”
Table IV. t-test Results of Wireless Network Attacks Pre- and Post-Test Scores
  pre-test mean          49.167
  pre-test variance     288.1944
  post-test mean         83.61111
  post-test variance     80.52249
  degrees of freedom     23
  observations           14
  two-tail p-value        6.38E-07
5.3 Classroom Experience with the Visualization Tool for Wireless Network Attacks

The visualization tool for wireless network attacks was used in the Network Security and Security Management for Information Systems courses in the Fall 2007 semester. Ten students enrolled in the Network Security class and eight students enrolled in the Security Management for Information Systems class. The students in both classes were first given a pre-test on wireless network attacks. Then they were provided with the link to the Web site of the tool. The students were asked to complete a post-test after they used the tool. The post-test was given as a homework assignment with credit towards their grades for the class. Nine students from the Network Security class and six students from the Security Management for Information Systems class participated in the pre- and post-test. The wireless network attacks pre-test is included in Appendix C. The post-test is basically the same as the pre-test, but the order of the questions and the order of the answer choices have been changed. A paired t-test was run on the pre- and post-test scores of the 15 students in the two classes. The results are listed in Table IV. The t-test results show that the improvement from pre-test to post-test is statistically significant.

Table V lists the questions asked in the anonymous questionnaire and the student responses to them. Twelve students participated in the survey. The survey results show that the students had very positive experiences using this tool.

Table V. Student Survey Results for Wireless Network Attacks Visualization (Total Number of Students: 12)

  1. Do you enjoy using the tool?
     25% strongly agree; 75% agree
  2. Do you think the tool is easy to use?
     67% strongly agree; 33% agree
  3. Do you feel you understand the concept better when using the tool?
     42% strongly agree; 50% agree; 8% neither agree nor disagree
  4. How likely are you to recommend this tool to others?
     58% definitely will recommend; 33% probably will recommend; 9% not sure
  5. Would you like to see more of these demos (or simulators) in your courses?
     92% strongly agree; 8% agree
  6. How much time did you spend with the tool on average?
     The average time of use was 21 minutes
  7. What were the three things you liked best about this demo?
     Easy to use, visual effects, easy to understand, interactive, neat, details, challenge questions, structure
  8. What were the three things you liked least about this demo?
     No sound, not enough detail
  9. What would you suggest to make this tool a better application?
     Add sound, more color, make sure the questions increase in difficulty

5.4 Limitations of the Evaluations

Our experience using the developed visualization tools in the classroom has been positive. However, the evaluations of the effectiveness of the tools in teaching and learning are limited. Focus group studies comparing students who used the visualization tools and those who did not use the tools have not been conducted. Therefore it is difficult to determine whether the gains in learning were a result of interacting with the visualizations. When the packet sniffer simulator and the Kerberos learning tool were given to the students, the instructors also explained the tools to the students, so there is the possibility that the students were learning as a result of the direct teaching. The visualization tool for wireless network attacks was given to the students without the instructor explaining the concepts illustrated by the tool. However, the post-test was given as a homework assignment and therefore was not carefully controlled. The student questionnaire results are encouraging. However, due to the small number of samples, it is difficult to draw strong inferences. More extensive studies on the educational impact of these visualization tools need to be conducted in the future.

6. AVAILABLE RESOURCES

The three visualization tools introduced in this paper are available through our project Web site (http://www.ncat.edu/∼xhyuan/security visual tools/index.html). Each tool can run as a Macromedia Flash Applet from the Web site. For each tool, the Web site provides a brief introduction to the tool, describes the concepts explained by the tool, and provides a list of suggested exercises. We encourage their ethical adaptation and use in other computer security and information assurance curricula.

7. RELATED WORK

Though a variety of visualizations and interactive demonstrations are available in the field of cryptography [Gerhart et al. 2005; Deutsche Bank AG 2009; Bishop 2003; Schweitzer and Baird 2006], visualization tools that demonstrate various network attacks are few. Crandall et al. [2002] have developed Java applets to demonstrate various types of buffer overflow attacks. The purpose of this interactive module is to educate students and industrial programmers to avoid the practices that cause buffer overflows. This module may be used in classes such as operating systems, C/C++ and assembly programming, compiler and software tools, surveys of operating systems and computer
security. Our packet sniffer simulator and visualization tool for wireless network attacks present real-life attack scenarios, and can be used in computer security and computer networks classes.

Holliday [2003] and Holliday and Johnson [2004] developed a series of Java applets and explanatory material to illustrate key computer networking concepts. The applets include a protocol stack applet, an error-control applet, a reliable data transfer applet, and a media access applet. Demo V of the packet sniffer simulator is similar to the protocol stack applet. The protocol stack applet demonstrates how a message goes from the source machine to the destination machine across a router, whereas Demo V shows how a message goes from the source machine to the destination machine and the other machines connected to a hub. Both demonstrate the encapsulation and de-encapsulation process. The protocol stack applet allows the user to specify the size of the message and the headers at the different protocol stack layers, whereas Demo V allows the user to step through the simulation or run the simulation continuously. The purpose of Demo V is to help students understand the packet sniffing attack in depth, down to the protocol level.

ProtoViz [Elmqvist 2004] is a protocol visualization tool that allows arbitrary protocols to be entered in a specification language based on an EBNF grammar and animated in a step-by-step fashion. The visualization consists of animated message packets moving between actors. Though the effectiveness of the visualization in ProtoViz in relation to the protocol specification hasn’t been evaluated yet, Elmqvist argues that the visual representation does alleviate the cognitive load of recognizing the symbols in the protocol through the use of intuitive icons and that the animation helps in comprehending the message flow in the protocol. Based on ProtoViz, Schweitzer et al. [2006] describe an interactive visualization tool, GRASP, that allows arbitrary protocols to be demonstrated visually in a user-controlled stepwise manner. GRASP uses a very “human-readable,” “English-like” specification language, and the visualization is modeled after the traditional timeline used for describing protocols. Arrows are used to show variables being sent from one actor to another, and computations are shown in the timeline at the appropriate point. The user can interactively change the protocol to see the effects of various attacks.

Different from these general protocol visualization tools, the learning tool for the Kerberos authentication architecture is specifically designed for learning the ideas that underlie Kerberos and related authentication concepts. The objective of the Kerberos learning tool is to demonstrate how a simple authentication mechanism evolves into the complex Kerberos protocol and, through demonstrating such a process, help the students to understand various attacks. The animation approach of the Kerberos learning tool is similar to that of ProtoViz; however, it provides a more detailed explanation of the protocol procedure. To use ProtoViz or GRASP, the user needs to construct a protocol specification using the particular protocol specification languages designed for the tools, while the Kerberos learning tool directly visualizes the protocol. While ProtoViz and GRASP are valuable for helping students to understand and analyze any protocol, the Kerberos learning tool can be used in a computer network and security course to provide a quick introduction to Kerberos, without
the effort of installing a tool, learning how to use the tool, and learning how to construct a protocol specification using the protocol specification language for the tool. The animated scenarios in the Kerberos learning tool could be represented in the specification languages of ProtoViz and GRASP and visualized by them. It will be interesting to compare the visualizations of the three tools. This will be our future work.

CyberCIEGE [Irvine and Thompson 2005] is a high-end, commercial-quality video game developed for user training and awareness in information assurance. It is a resource-management simulation in which the players engage in planning and construction and observe the results of their choices. Cone et al. [2007] demonstrate how CyberCIEGE was employed to meet a specific set of Navy IA training requirements. Fung et al. [2008] report an initial pilot study on the use of CyberCIEGE for raising awareness and knowledge of information security among a small group of Thai students. Greitzer et al. [2007] describe how cognitive principles can be applied to improve the training effectiveness of CyberCIEGE. Different from our tools and the other related visualization tools mentioned in this article, CyberCIEGE focuses on information assurance awareness. The effectiveness of CyberCIEGE for basic information assurance awareness remains to be fully assessed. Reports on experiences of integrating CyberCIEGE into an information security curriculum are still lacking. CyberCIEGE is currently designed to address wired networks, while our tool includes demonstrations of wireless network attacks.

8. CONCLUSION

This article describes three visualization tools we developed for teaching information security concepts: a packet sniffer simulator, an animated learning tool for the Kerberos authentication architecture, and a visualization tool for wireless network attacks. These tools have been used in various computer network and information security courses.
Our experience with these tools indicates a positive impact on student learning. Our future work would include conducting a more extensive assessment of the effectiveness of these visualization tools in improving student learning, and developing more visualization tools that demonstrate information security concepts and engage the learners in active learning.

APPENDIXES

APPENDIX A: PACKET SNIFFER PRE-TEST

1. Explain the differences between a hub, a bridge, and a router.
2. Explain the bus and star topology.
3. Explain how a data packet is transmitted in a local area network.
4. Explain the purpose of promiscuous mode of a network interface.
5. What is a packet sniffer and how does it work?
6. Explain the encapsulation and de-encapsulation process of a data packet while going through the protocol stack.
APPENDIX B: KERBEROS QUIZ AND HOMEWORK ASSIGNMENT

Quiz

1. The following figure shows the beginning steps of Kerberos: obtaining a ticket-granting ticket from the authentication server. Describe the meaning or the purpose of each of the following items:
   Kc,tgs :
   Kc :
   Lifetime2 :
   Tickettgs :
2. How many times does a user need to access his/her password to use three services in a Kerberos system?
3. What is the role of the TGS in Kerberos?

Kerberos Learning Tool Homework Assignment

1. How does the Kerberos authentication architecture protect against password stealing attacks? Explain.
2. How does the Kerberos authentication architecture protect against replay attacks? Explain.
3. With Kerberos, how many times does a user have to enter his password if he requests e-mail service first, then file service, and then printing service? Explain.
4. In the Kerberos system demo, why does the Authentication Server (AS) create a session key between Alice and the ticket granting server? Explain.

APPENDIX C: WIRELESS NETWORK ATTACKS PRE-TEST

Multiple choice (choose all that are correct):

1. During an eavesdropping attack, the network interface card of the hacker computer is set to promiscuous mode.
   a. True
   b. False
2. During a Man in the Middle attack in a wireless network, the hacker
   a. Poses as the AP to the user
   b. Poses as the user to the AP
   c. Sets up a Rogue AP
   d. None of the above
3. Which attack(s) violate information confidentiality?
   a. Man in the Middle
   b. ARP Request Replay
   c. Eavesdropping
   d. None of the above
4. Which attack(s) can be used to violate information integrity?
   a. Man in the Middle
   b. ARP Request Replay
   c. Eavesdropping
   d. None of the above
5. Essential Service Set Identifier (ESSID)
   a. Identifies an ad-hoc network
   b. Identifies a wireless access point
   c. Is a secret key that is set by the administrator
   d. None of the above
6. The Address Resolution Protocol (ARP) associates the Media Address Controller (MAC) address of a network node to the Internet Protocol (IP) address.
   a. True
   b. False
7. An “evil twin” is a
   a. Hacker posing as a legitimate user.
   b. Duplicate AP created by a hacker to deceive users.
   c. Key shared by two different users.
   d. None of the above.
8. In an ARP request replay attack, why does the hacker replay ARP requests?
   a. To increase the traffic in the network.
   b. To capture large quantities of different IVs.
   c. To crack the WEP key.
   d. None of the above.
9. An ARP cache poisoning attack is performed by the attacker by
   a. Sending a fake ARP response.
   b. Modifying the ARP cache content.
   c. Deleting the content of the ARP cache.
   d. None of the above.
10. A Rogue AP can make a computer disconnect from an existing AP by
   a. Moving physically closer to the computer.
   b. Moving physically farther from the computer.
   c. Broadcasting a de-authenticate frame.
   d. None of the above.
REFERENCES

Bhagyavati et al. 2005. Teaching hands-on computer and information systems security despite limited resources. In Proceedings of the 36th SIGCSE Technical Symposium (SIGCSE’05). 325–326.
Bishop, D. 2003. Introduction to Cryptography with Java Applets. Jones and Bartlett Publishers, Boston.
Comer, E. 2004. Computer Networks and Internets, 4th Ed. Pearson Prentice Hall.
Bryant, W. 1988. Designing an authentication system: A dialogue in four scenes. http://web.mit.edu/kerberos/www/dialogue.html.
Cone, B. D. et al. 2007. A video game for cyber security training and awareness. Comput. Secur. 26, 63–72.
Crandall, J. R. et al. 2002. Driving home the buffer overflow problem: A training module for programmers and managers. In Proceedings of the National Colloquium for Information Systems Security Education (NCISSE’02).
Deutsche Bank AG. 2009. CrypTool. http://www.cryptool.org.
Elmqvist, N. 2004. ProtoViz: A simple security protocol visualization report. http://www.cs.chalmers.se/∼elm/courses/security/report.pdf.
Frincke, D. and Bishop, M. 2004. Joining the security education community. IEEE Security Privacy 2, 5, 61–63.
Fung et al. 2008. Raising information security awareness in digital ecosystem with games – A pilot study in Thailand. In Proceedings of the 2nd IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST’08). 375–379.
Gerhart, S. et al. 2005. Increasing security in aviation-oriented computing education: A modular approach. http://nsfsecurity.pr.erau.edu/.
GVU. 2002. Algorithm animation. http://www.cc.gatech.edu/gvu/softviz/algoanim/.
Greitzer, F. L. et al. 2007. Cognitive science implications for enhancing training effectiveness in a serious gaming context. J. Educ. Res. Comput. 7, 3.
Grissom, S. et al. 2003. Algorithm visualization in CS education: Comparing levels of student engagement. In Proceedings of the ACM Symposium on Software Visualization (SV’03). 87–93.
Holliday, M. A. 2003. Animation of computer networking concepts. J. Educ. Res. Comput. 3, 2.
Holliday, M. A. and Johnson, M. 2004. A Web-based introduction to computer networks for non-majors. The protocol stack. http://cs.wcu.edu/∼holliday/cware/Stack/indexStack.html.
Irvine, C. E. and Thompson, M. F. 2005. CyberCIEGE: Gaming for information assurance. IEEE Security Privacy 3, 3, 61–64.
LeBlanc, C. and Stiller, E. 2004. Teaching computer security at a small college. In Proceedings of the 35th SIGCSE Technical Symposium on Computer Science Education (SIGCSE’04). 407–411.
Mullins, P. et al. 2002. Panel on integrating security concepts into existing computer courses. In Proceedings of the 33rd SIGCSE Technical Symposium on Computer Science Education (SIGCSE’02).
Naps, T. L. et al. 2003a. Exploring the role of visualization and engagement in computer science education. SIGCSE Bull. 35, 2, 131–152.
Naps, T. L. et al. 2003b. Evaluating the educational impact of visualization. In Proceedings of the 8th Annual Conference on Innovation and Technology in Computer Science Education (ITiCSE’03).
Null, L. and Rao, K. 2005. CAMERA: Introducing memory concepts via visualization. In Proceedings of the 36th SIGCSE Technical Symposium (SIGCSE’05). 96–100.
Schweitzer, D. and Baird, L. 2006. The design and use of interactive visualization applets for teaching ciphers. In Proceedings of the IEEE Workshop on Information Assurance (WIA’06). 69–75.
Schweitzer, D., Baird, L., Collins, M., Brown, W., and Sherman, M. 2006. GRASP: A visualization tool for teaching security protocols. In Proceedings of the 10th Colloquium for Information Systems Security Education (CISSE’06). 75–81.
Stallings, W. 2003. Cryptography and Network Security. Prentice Hall, Upper Saddle River, NJ.
Steiner, J. G., Neuman, C., and Schiller, J. I. 1988. Kerberos: An authentication service for open network systems. In Proceedings of the Winter USENIX Conference (USENIX’88). 191–202.
Whitman, M. E. and Mattord, H. J. 2009. Principles of Information Security, 3rd Ed. Course Technology.
Yuan, X., Vega, P., Xu, J., Yu, H., and Li, Y. 2007a. Using packet sniffer simulator in the class: Experience and evaluation. In Proceedings of the 45th ACM Southeast Conference (ACMSE’07).
Yuan, X., Qadah, Y., Xu, J., Yu, H., Archer, R., and Chu, B. 2007b. An animated learning tool for Kerberos authentication architecture. J. Comput. Sci. Coll. 22, 6.
Yuan, X., Archer, R. L., Xu, J., and Yu, H. 2008. A visualization tool for wireless network attacks. In Proceedings of the 6th International Conference on Education and Information Systems, Technologies and Applications (EISTA’08).
Received August 2008; revised January 2009, February 2009, May 2009; accepted June 2009