<h1 align='center'> COMP2420/COMP6420 - Introduction to Data Management,<br/> Analysis and Security</h1>

<h1 align='center'> Assignment - 2 (2022)</h1>

-----

|**Maximum Marks**         |**100 for COMP2420 and 120 for COMP6420 students**
|--------------------------|--------
|  **Weight**              |  **15% of the Total Course Grade**
|  **Submission deadline** |  **11.59M, Tuesday, May 24th**
|  **Submission mode**     |  **Electronic, Using GitLab**
|  **Penalty**             |  **100% after the deadline**


## Learning Outcomes
The following learning outcomes apply to this assignment:
- **LO1** - Demonstrate a conceptual understanding of database systems and architecture, data models and declarative query languages
- **LO2** - Define, query and manipulate a relational database
- **LO3** - Demonstrate basic knowledge and understanding of descriptive and predictive data analysis methods, optimization and search, and knowledge representation.
- **LO4** - Formulate and extract descriptive and predictive statistics from data
- **LO5** - Analyse and interpret results from descriptive and predictive data analysis
- **LO6** - Apply their knowledge to a given problem domain and articulate potential data analysis problems
- **LO7** - Identify potential pitfalls, and social and ethical implications of data science
- **LO8** - Explain key security concepts and the use of cryptographic techniques, digital signatures and PKI in security


## Submission

You need to submit the following items:
- The notebook `Assignment_2_2022_uXXXXXXX.ipynb` (where uXXXXXXX is your uid) [Please note that if you have to pull from the upstream repo you will need to change the name back first and add your uid after the pull again]
- A completed `statement-of-originality.md`, found in the root of the forked gitlab repo.

Submissions are performed by pushing to your forked GitLab assignment repository. For a refresher on forking and cloning repositories, please refer to `Lab 1`. Issues with your Git repo (with the exception of a CECS/ANU wide Gitlab failure) will not be considered as grounds for an extension. Any variation of this will result in a `zero mark`.

***** 

### Notes:

* It is strongly advised to read the whole assignment before attempting it and have at least a cursory glance at the dataset in order to gauge the requirements and understand what you need to do as a bigger picture.
* Backup your assignment to your Gitlab repo often. 
* Extra reading and research will be required. Make sure you include all references in your Statement of Originality. If this does not occur, at best marks will be deduced. Otherwise, academic misconduct processes will be followed.
* For answers requiring free form written text, use the designated cells denoted by `YOUR WRITTEN ANSWER HERE` -- double click on the cell to write inside them. You can change these to Markdown cells where necessary (e.g. you may need to include some figures in your answer).
* For all coding questions please write your code after the comment `YOUR CODE HERE`.
* In the process of testing your code, you can insert more cells or use print statements for debugging, but when submitting your file remember to remove these cells and calls respectively. You are welcome to add additional cells to the final submission, provided they add value to the overall piece.
* Your code answers will be marked on **correctness** and **readability** of your code, if your marker can't understand your code your marks may be deducted. 
* Your written answers will be marked on the **correctness**, **depth** and **clarity** of your written answers. If your marker cannot understand your answer, marks may be deducted
* Before submitting, restart the kernel in Jupiter Lab and re-run all cells before submitting your code. This will ensure the namespace has not kept any old variables, as these won't come across in submission and your code will not run. Without this, you could lose a significant number of marks.

*****

In [23]:
import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
from matplotlib import cm
import seaborn as sns
import sqlite3
from sqlite3 import Error
import hashlib

*****
## Q3: Serious SQL (20 marks for COMP2420, 25 marks for COMP6420)
Consider the following scenario.

> You are applying for a job as a database developer for an unnamed wrestling company. Part of the job description includes creating an automation system for running SQL queries. During the hiring process, the interviewers want to ensure you understand the SQL language. They have provided a set of questions to be answered by you, and your responses will later be reviewed by them. They are unwilling to give you access to their real database (which is mysteriously missing), so they have provided an SQLite3 database and asked you to interact with it using Python. 


Based on the above scenario, you have been asked to answer a number of questions to test your skills. You will be using the _Sakila_ database for this question. The database model is as follows:

![sakila](./img/SQLite3_Sakila_Sample_Database_ERD.png)

In the following questions, you will be asked to execute the SQL statements, and explain any reasoning as necessary. Answers to each sub-question should be obtained by a single SQL query **only**.  Data can be formatted as raw printed output or a Pandas DataFrame. 

**Note**: There may be slight discrepancies between the above figure and the loaded database.

In [4]:
# THIS IS YOUR CONNECTION BLOCK, DO NOT MODIFY THIS. 
# OTHERWISE, YOU WILL NOT BE ABLE TO READ THE DATABASE
def create_connection(db_file):
    """ Connect to the specified SQLite database, if not exist, create a new one;
    :db_file: location of db to connect to
    :return: Connection object or None
    """
    conn = None
    try:
        conn = sqlite3.connect(db_file)
        print("Connection established!")
        
    except Error as e:
        print("Error Connecting to Database")
        raise(e)
    return conn

sakila_db = 'data/sqlite-sakila.db'
conn = create_connection(sakila_db) 
cur = conn.cursor()
# remember to close the connection when everything is done

Connection established!


### 3.1: Names of the tables
List the names of the tables found in this database.
<span style= 'float: right;'><b>[2 marks]</b></span>

In [5]:
# YOUR CODE HERE
query = "SELECT name, sql FROM sqlite_master WHERE type='table';"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,name,sql
0,actor,CREATE TABLE actor (\n actor_id numeric NOT N...
1,country,CREATE TABLE country (\n country_id SMALLINT ...
2,city,"CREATE TABLE city (\n city_id int NOT NULL,\n..."
3,address,CREATE TABLE address (\n address_id int NOT N...
4,language,CREATE TABLE language (\n language_id SMALLIN...
5,category,CREATE TABLE category (\n category_id SMALLIN...
6,customer,CREATE TABLE customer (\n customer_id INT NOT...
7,film,"CREATE TABLE film (\n film_id int NOT NULL,\n..."
8,film_actor,CREATE TABLE film_actor (\n actor_id INT NOT ...
9,film_category,CREATE TABLE film_category (\n film_id INT NO...


### 3.2: Number of Customers
List the number of customers in the database.
<span style= 'float: right;'><b>[2 marks]</b></span>

In [7]:
# YOUR CODE HERE
query = "SELECT COUNT(customer_id) FROM customer"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,COUNT(customer_id)
0,599


### 3.3: Films with PG rating
What are the titles and descriptions of films with a PG rating?
<span style= 'float: right;'><b>[2 marks]</b></span>

In [8]:
# YOUR CODE HERE
query = "SELECT title, description FROM film WHERE rating='PG'"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,title,description
0,ACADEMY DINOSAUR,A Epic Drama of a Feminist And a Mad Scientist...
1,AGENT TRUMAN,A Intrepid Panorama of a Robot And a Boy who m...
2,ALASKA PHANTOM,A Fanciful Saga of a Hunter And a Pastry Chef ...
3,ALI FOREVER,A Action-Packed Drama of a Dentist And a Croco...
4,AMADEUS HOLY,A Emotional Display of a Pioneer And a Technic...
...,...,...
189,WIZARD COLDBLOODED,A Lacklusture Display of a Robot And a Girl wh...
190,WON DARES,A Unbelieveable Documentary of a Teacher And a...
191,WONDERLAND CHRISTMAS,A Awe-Inspiring Character Study of a Waitress ...
192,WORDS HUNTER,A Action-Packed Reflection of a Composer And a...


### 3.4: Films by category
What are the counts of films for each category in the database? Display the category names with the number of films in each category.
<span style= 'float: right;'><b>[4 marks]</b></span>

In [9]:
# YOUR CODE HERE
query = "SELECT category.name, COUNT(category.name) FROM film \
            INNER JOIN film_category ON film_category.film_id=film.film_id \
            INNER JOIN category ON film_category.category_id=category.category_id \
            GROUP BY category.name"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,name,COUNT(category.name)
0,Action,64
1,Animation,66
2,Children,60
3,Classics,57
4,Comedy,58
5,Documentary,68
6,Drama,62
7,Family,69
8,Foreign,73
9,Games,61


### 3.5: Most rented
Find the details of the top film in the database as measured by the most number of rentals.
<span style= 'float: right;'><b>[4 marks]</b></span>

In [10]:
# YOUR CODE HERE
query = "SELECT * FROM film WHERE rental_rate=(SELECT MAX(rental_rate) FROM film)"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,film_id,title,description,release_year,language_id,original_language_id,rental_duration,rental_rate,length,replacement_cost,rating,special_features,last_update
0,2,ACE GOLDFINGER,A Astounding Epistle of a Database Administrat...,2006,1,,3,4.99,48,12.99,G,"Trailers,Deleted Scenes",2021-03-06 15:52:00
1,7,AIRPLANE SIERRA,A Touching Saga of a Hunter And a Butler who m...,2006,1,,6,4.99,62,28.99,PG-13,"Trailers,Deleted Scenes",2021-03-06 15:52:00
2,8,AIRPORT POLLOCK,A Epic Tale of a Moose And a Girl who must Con...,2006,1,,6,4.99,54,15.99,R,Trailers,2021-03-06 15:52:00
3,10,ALADDIN CALENDAR,A Action-Packed Tale of a Man And a Lumberjack...,2006,1,,6,4.99,63,24.99,NC-17,"Trailers,Deleted Scenes",2021-03-06 15:52:00
4,13,ALI FOREVER,A Action-Packed Drama of a Dentist And a Croco...,2006,1,,4,4.99,150,21.99,PG,"Deleted Scenes,Behind the Scenes",2021-03-06 15:52:00
...,...,...,...,...,...,...,...,...,...,...,...,...,...
331,985,WONDERLAND CHRISTMAS,A Awe-Inspiring Character Study of a Waitress ...,2006,1,,4,4.99,111,19.99,PG,Commentaries,2021-03-06 15:52:08
332,989,WORKING MICROCOSMOS,A Stunning Epistle of a Dentist And a Dog who ...,2006,1,,4,4.99,74,22.99,R,"Commentaries,Deleted Scenes",2021-03-06 15:52:08
333,994,WYOMING STORM,A Awe-Inspiring Panorama of a Robot And a Boat...,2006,1,,6,4.99,100,29.99,PG-13,Deleted Scenes,2021-03-06 15:52:08
334,995,YENTL IDAHO,A Amazing Display of a Robot And a Astronaut w...,2006,1,,5,4.99,86,11.99,R,"Trailers,Commentaries,Deleted Scenes",2021-03-06 15:52:08


### 3.6: Not returned rentals
Find out how many rentals have not yet been returned.
<span style= 'float: right;'><b>[2 marks]</b></span>

In [11]:
# YOUR CODE HERE
query = "SELECT COUNT(rental_id) FROM rental WHERE return_date IS NULL"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,COUNT(rental_id)
0,183


### 3.7: Finding a customer
List the film titles that the customer _BARBARA JONES_ has rented. 

<span style= 'float: right;'><b>[4 marks]</b></span>

In [12]:
# YOUR CODE HERE
query = "SELECT film.title FROM customer \
            INNER JOIN rental ON customer.customer_id=rental.customer_id \
            INNER JOIN inventory ON inventory.inventory_id=rental.inventory_id \
            INNER JOIN film ON film.film_id=inventory.film_id  \
        WHERE customer.first_name='BARBARA' AND customer.last_name='JONES'"
df_result = pd.read_sql_query(query, conn)
display(df_result)

Unnamed: 0,title
0,DOGMA FAMILY
1,BEDAZZLED MARRIED
2,ARTIST COLDBLOODED
3,AMADEUS HOLY
4,MAGIC MALLRATS
5,IDAHO LOVE
6,WARDROBE PHANTOM
7,SHANGHAI TYCOON
8,ARACHNOPHOBIA ROLLERCOASTER
9,TOMORROW HUSTLER


In [13]:
conn.close() #close connection

*****
## Q4: Database Design (15 marks)

You task is to design and implement a relational database for the data that we encountered in the Assignment 1 and in Question 1 of this assignment. For a refresher on the data and more information on the schema descriptions, go check the [about.md](./data/cvss/about.md) file.

### 4.1 With considering normalisation, design a database to match the CVSS dataset provided in the assignment. 
Draw a simple ER diagram showing the relationship between the 3 tables that has been provided to you. 
- cvss_data_complete.csv
- cve_configurations_mapping.csv
- cwe_capec_mapping.csv

__Note:__  Remember to state all assumptions beforehand. 

__Note 2:__ Diagrams can be drawn by hand and scanned/photographed, or you can use a tool such as [draw.io](https://draw.io). You should include the diagram in the `img` folder, and import it into a markdown box in your notebook. You can use the command `![er.png](./img/er.png)` where `er.png` is the name of your ER diagram file.
<span style= 'float: right;'><b>[7 marks]</b></span>

![er_diagram.png](./img/er_diagram.png)

### 4.2 Evaluate the design of your database with respect to the normalisation considerations. 
<span style= 'float: right;'><b>[3 marks]</b></span>

### 4.3 Implement the database in an SQLite database 
Create the database with the tables you designed above. (You are not required to fill in the tables with the data from the files.)
<span style= 'float: right;'><b>[5 marks]</b></span>

```sql
CREATE TABLE cve_configurations_mapping (
    cve_id VARCHAR(20) NOT NULL,
    vendor VARCHAR(20) NOT NULL,
    product_name VARCHAR(20) NOT NULL,
    version VARCHAR(50) NOT NULL,
    PRIMARY KEY (cve_id)
);

CREATE TABLE cvss_data  (
    cve_id VARCHAR(20) NOT NULL,
    assigner VARCHAR(50) NOT NULL,
    description VARCHAR(50) NOT NULL,
    PRIMARY KEY (cve_id)
);

CREATE TABLE cvss_metrics_data (
    cve_id VARCHAR(20) NOT NULL,
    cwe_id VARCHAR(50) NOT NULL,
    v3_attackVector VARCHAR(20) NOT NULL,
    v3_attackComplexity VARCHAR(20) NOT NULL,
    v3_privilegesRequired VARCHAR(20) NOT NULL,
    v3_userInteraction VARCHAR(20) NOT NULL,
    v3_scope VARCHAR(20) NOT NULL,
    v3_confidentialityImpact VARCHAR(20) NOT NULL,
    v3_integrityImpact VARCHAR(20) NOT NULL,
    v3_availabilityImpact VARCHAR(20) NOT NULL,
    v3_baseScore FLOAT NOT NULL,
    v3_baseSeverity VARCHAR(20) NOT NULL,
    v3_exploitabilityScore FLOAT NOT NULL,
    v3_impactScore FLOAT NOT NULL,   
    PRIMARY KEY (cve_id),
    FOREIGN KEY (cwe_id) REFERENCES cwe_capec_mapping
);

CREATE TABLE cwe_capec_mapping (
    cwe_id VARCHAR(50) NOT NULL,
    capecs VARCHAR(50) NOT NULL,
    PRIMARY KEY (cwe_id)
);

CREATE TABLE cvss_references (
    cve_id VARCHAR(20) NOT NULL,
    refs VARCHAR(50) NOT NULL,
    ref_names VARCHAR(50) NOT NULL,
    ref_sources VARCHAR(50) NOT NULL,
    ref_tags VARCHAR(50) NOT NULL,
    PRIMARY KEY (cve_id)
);



In [16]:
# YOUR CODE HERE
def create_connection(db_file):
    """ Connect to the specified SQLite database, if not exist, create a new one;
    :db_file: location of db to connect to
    :return: Connection object or None
    """
    conn = None
    try:
        conn = sqlite3.connect(db_file)
        print("Connection established!")
        
    except Error as e:
        print("Error Connecting to Database")
        raise(e)
    return conn

In [17]:
cvss_db = 'data/cvss.db'
conn = create_connection(cvss_db) 
cur = conn.cursor()

Connection established!


In [18]:
cur.execute('''
            CREATE TABLE IF NOT EXISTS cve_configurations_mapping
            (cve_id VARCHAR(20) NOT NULL PRIMARY KEY, 
            vendor VARCHAR(20) NOT NULL,
            product_name VARCHAR(20) NOT NULL,
            version VARCHAR(50) NOT NULL)
            ''')

cur.execute('''
            CREATE TABLE IF NOT EXISTS cvss_data
            (cve_id VARCHAR(20) NOT NULL PRIMARY KEY,
            assigner VARCHAR(50) NOT NULL,
            description VARCHAR(50) NOT NULL)
            ''')

cur.execute('''
            CREATE TABLE IF NOT EXISTS cvss_metrics_data
            (cve_id VARCHAR(20) NOT NULL,
            cwe_id VARCHAR(50) NOT NULL,
            v3_attackVector VARCHAR(20) NOT NULL,
            v3_attackComplexity VARCHAR(20) NOT NULL,
            v3_privilegesRequired VARCHAR(20) NOT NULL,
            v3_userInteraction VARCHAR(20) NOT NULL,
            v3_scope VARCHAR(20) NOT NULL,
            v3_confidentialityImpact VARCHAR(20) NOT NULL,
            v3_integrityImpact VARCHAR(20) NOT NULL,
            v3_availabilityImpact VARCHAR(20) NOT NULL,
            v3_baseScore FLOAT NOT NULL,
            v3_baseSeverity VARCHAR(20) NOT NULL,
            v3_exploitabilityScore FLOAT NOT NULL,
            v3_impactScore FLOAT NOT NULL,   
            PRIMARY KEY (cve_id),
            FOREIGN KEY (cwe_id) REFERENCES cwe_capec_mapping)
            ''')

cur.execute('''
            CREATE TABLE IF NOT EXISTS cwe_capec_mapping (
            cwe_id VARCHAR(50) NOT NULL,
            capecs VARCHAR(50) NOT NULL,
            PRIMARY KEY (cwe_id))
            ''')

cur.execute('''
            CREATE TABLE IF NOT EXISTS cvss_references (
            cve_id VARCHAR(20) NOT NULL,
            refs VARCHAR(50) NOT NULL,
            ref_names VARCHAR(50) NOT NULL,
            ref_sources VARCHAR(50) NOT NULL,
            ref_tags VARCHAR(50) NOT NULL,
            PRIMARY KEY (cve_id))
            ''')

conn.commit()

In [19]:
conn.close() # Close connection

*****
## Q5: Data Ethics and Data Security (20 marks)

Many people use the social media platform Facebook daily to keep in touch with friends and family.  Currently, Facebook is by far the most used social media platform (see [statistics by Data reportal](https://datareportal.com/reports/digital-2022-future-of-facebook)). 

The Facebook news feed is normally what users rely on to keep track of what is happening within their social network,  catching up with status updates, messages, videos and photos that their connections post.  The Facebook news feed is a curated list presented to users using various algorithms to determine what best to present.  Most users barely even think about how items in their news feed get picked.

For one week in January 2012, a group of data scientists from Facebook and Cornell University manipulated the newsfeed of selected Facebook users without their knowledge:
- one group of users were shown a greater proportion of positive content on their newsfeed.
- another group of users were shown a greater proportion of negative content on their newsfeed.
    
This was done as part of a research experiment to investigate _"whether emotional states can be transferred to others via emotional contagion,leading people to experience the same emotions without their awareness"_ [\[1\]](https://www.pnas.org/doi/10.1073/pnas.1320040111).  The results were even published in a reputable [journal article](https://www.pnas.org/doi/10.1073/pnas.1320040111).  The results showed that the group of users who were shown a greater proportion of positive content tended to post more positive content themselves whereas the group of users who were shown a greater proportion of negative content tended to post more negative content themselves.  In other words, they demonstrated _"emotional contagion"_.

While many previous studies have used Facebook to examine _"emotional contagion"_, this particular experiment just described is different because it did not just involve observing Facebook users behaviour, it actually manipulated this behaviour through curating users' news feed in a particular manner and did so without asking them first.

**Was this experiment legal?**

Facebook's terms of service states that _"users relinquish the use of their data for 'data analysis testing and research."_

Facebook also released the following statement _"This research was conducted for a single week in 2012 and none of the data used was associated with a specific person’s Facebook account. We do research to improve our services and to make the content people see on Facebook as relevant and engaging as possible. A big part of this is understanding how people respond to different types of content, whether it’s positive or negative in tone, news from friends, or information from pages they follow. We carefully consider what research we do and have a strong internal review process. There is no unnecessary collection of people’s data in connection with these research initiatives and all data is stored securely."_

Much has been written about this experiment, a example opinion pieces are given here:

Robinson Meyer (2014), ['Everything We Know About Facebook's Secret Mood-Manipulation Experiment'](https://www.theatlantic.com/technology/archive/2014/06/everything-we-know-about-facebooks-secret-mood-manipulation-experiment/373648/)

Michelle Meyer (2014), ['Everything You Need to Know About Facebook's Controversial Emotion Experiment'](https://www.wired.com/2014/06/everything-you-need-to-know-about-facebooks-manipulative-experiment/)

### 5.1: Company perspective 
As a company executive working for Facebook, do you think this experiment was a good thing? Discuss your reasons.
<span style= 'float: right;'><b>[3 marks]</b></span>


### 5.2: User perspective 
As a Facebook user, do you think this experiment was a good thing? Discuss your reasons.
<span style= 'float: right;'><b>[3 marks]</b></span>



### 5.3: Was the research ethical? 
Discuss both the legal and ethical aspects of the research.  (What ethical considerations should the data scientists have taken into account?  Given the legal terms specified, was the experiment reasonable and justified? Make sure to substantiate your presented arguments.)
<span style= 'float: right;'><b>[4 marks]</b></span>

### 5.4: Responsibilties of data scientists

What ethical responsibilities do data scientists have when carrying out their job? Why are those ethical responsibilities important?  Discuss in relation to the facebook experiment described.
<span style= 'float: right;'><b>[3 marks]</b></span>

### 5.5: Data Security
Reading about this experiment has now made you think about your data on Facebook.  You are now wondering not only about what the good folks at Facebook could be doing to manipulate your news feed, but also about preserving the security of your data and the various vulnerabilities that could be exploited to access and misuse your data.  

For the following activities, please assess the security risk and reflect on possible consequences:

**5.5.1: Your friends send you a lot of facebook quizzes (such as "Which Superhero are you?" or "Which Disney Princess are you?"**

If any, what are the security risks involved in posting your answers to those quizzes and how can you mitigate against them?
<span style= 'float: right;'><b>[2 marks]</b></span>

**5.5.2: This good-looking person sent you a friend's request, and you feel conflicted about whether to accept or reject it.**

If any, what are the security risks involved in accepting this request and what could be possible consequences?
<span style= 'float: right;'><b>[2 marks]</b></span>

### 5.6: Getting under the hood with data privacy and security
You bought something from that quirky clothing store and now suddenly you are noticing their ads on Facebook.  You did sign up for their loyalty program, who would say no to 5% off! So, did they share your contact information with Facebook? How does Facebook know you like that particular store when you have not posted about going there? (you did not want your Mum to find out you bought those clothes yet.)  It turns out that businesses can target customers already on their list through Facebook but your contact details are not directly shared.  To ensure your privacy, Facebook hashes the list of contacts that a particular business uploads for advertising before it gets used.  Facebook hashes contact information it already has of its own users before comparing with the hashed list from the business to see if there is a match.  (https://www.facebook.com/help/597339877966751)

**5.6.1: Hashing**
<br>Suppose your email address is punk_rocker@email.com  
[This article](https://3qdigital.com/wp-content/uploads/2016/06/facebook_audiences_data_security_overview.pdf ) suggests that Facebook uses the SHA-256 hashing algorithm. What would the hashed fingerprint of your email address be?  

<span style= 'float: right;'><b>[2 marks]</b></span>|

In [22]:
# YOUR CODE HERE
email_address = "punk_rocker@email.com"
hashed_email = hashlib.sha256(email_address.encode('utf-8')).hexdigest()
print(hashed_email)

0f46c219c69d85c45e15e9a091f5d7dcde6279659e8361b5e4682464cd46b8e3


**5.6.2: Reflection**
<br>Reflect on how it makes you feel about getting targeted in this manner by a business you gave your details to?
You can consider human, ethics, privacy and security aspects (but you are welcome to raise additional points) in your reflection.
<span style= 'float: right;'><b>[1 mark]</b></span>