
MILITARY UNIVERSITY of TECHNOLOGY

CYBERNETICS FACULTY

DISSERTATION
SPECIALIZATION COURSE

Security in ICT network environments

Topic: Monitoring and Warning of Unsafe Connections of Network Applications

Author: Hieu PHAM
Supervisor: mgr inż. Paweł GŁĘBOCKI


Warsaw 2018

Acceptance of work

…………………………………..
Supervisor
mgr inż. Paweł Głębocki

TABLE OF CONTENTS
ABSTRACT
This report focuses on deploying an Intrusion Prevention System (IPS) in a LAN in order to detect, monitor and prevent network applications that use unsafe connections to the Internet.
A connection is considered unsafe when it: passes through firewalls using the port hopping technique; goes to a blocked (blacklisted) IP address; or accesses violent or pornographic websites.
The IPS model for the LAN is of the client-server type. Clients collect the connection table of all running processes and send this information to the server. The server analyses the information to identify the applications that make unsafe connections, and then requests the clients to take protective action on the PCs, such as killing processes, deleting applications or setting firewall rules.

INTRODUCTION
The Internet is becoming more and more important for almost every field of daily life. However, it brings many risks for users, especially in terms of security. In practice, applications that can detect malicious software or unsafe connection behaviour towards the Internet are often not installed on PCs. The first reason is that most of these applications are not free. Secondly, the operation methods and behaviour of malicious software are continually developed so as to pass through firewall systems.
The project focuses on a method for detecting and monitoring unsafe connections based on network traffic. The method analyses all the information of each network connection in order to detect port hopping, blocked IP addresses, and porn and violent sites. The paper is organised as follows:
- Chapter 1: Introduction to network security, intrusion detection systems (IDS) and intrusion prevention systems (IPS).
- Chapter 2: Introduction to network traffic and some functions of the netstat and PowerShell tools in the Windows OS. Finally, the network traffic sniffing method is described.
- Chapter 3: The port hopping technique, blocked IP addresses and the characteristics of porn and violent sites. Methods are presented for detecting port-hopping applications, connections to blocked IP addresses and access to porn or violent sites.
- Chapter 4: Overview of the project, the system model, the database diagram, policies for the LAN and the code. Finally, some test results are shown.

CHAPTER 1
INTRODUCTION INTRUSION PREVENTION SYSTEMS

• Overview of network security


As the demand for information exchange grows and diversifies, advances in electronics, telecommunications and information technology are constantly being made to improve the quality and flow of information, and the ideas and measures used to protect data and information are renewed with them. Safeguarding data security is a broad topic relevant to many areas, and in practice many methods may be employed. Data protection methods can be roughly divided into three groups:
- Securing information by administrative measures.
- Securing information by technical measures (hardware).
- Securing information by means of algorithms (software).
These three groups can be applied separately or in combination. The most difficult environment in which to protect information, and also the most vulnerable one, is the network and communication environment. The most effective and economical method available today for networks and computer networks is the algorithmic (software) one.
Information security is usually summarised by the CIA triad (confidentiality, integrity and availability). The properties of concern in this work are:
- Confidentiality: the information is readable only by its intended recipients.
- Authenticity: authentication of the communicating partner (the authentication problem) and detection of changes to the information (integrity).
- Accountability (non-repudiation): the sender cannot deny responsibility for the information he has sent.
To ensure the safety of information on transmission lines and in computer networks, the first thing to do is to anticipate the ways in which assets may be exposed to unsafe, abusive or risky use. This applies to information stored on, and exchanged over, the Internet alike. The more accurately the risks are determined, the better the decisions that can be made to minimise the damage.
There are two types of attack on data: passive and active. A passive attack aims only at capturing (stealing) information. The attacker may not learn the specific content, but can still identify the sender or recipient from the protocol control information in the packet headers, and can observe the number, length and frequency of the exchanged messages (traffic analysis). Passive attacks do not distort or destroy the content of the information exchanged. They are difficult to detect, but effective preventive measures (such as encryption) exist. An active attack may alter the content, remove, delay, reorder or replay packets, either at the time of transmission or later, and may inject foreign data to falsify the content of the exchange. Active attacks are easier to detect, but much harder to prevent.
No safeguard for data protection is absolutely safe: no system can guarantee absolute security.
• Intrusion detection system
* Definition
An Intrusion Detection System (IDS) is a system that monitors network traffic in order to detect abnormal behaviour, unauthorised intrusion and suspicious system activity. An IDS can distinguish attacks originating from inside the network from external attacks (from hackers).
An IDS detects the specific signatures of known threats (in the same way that antivirus software relies on signatures to detect and remove viruses), or compares current network traffic with a baseline (the metric of what the system considers acceptable at the present time) to find anomalies.
* The most important features of an IDS
- Monitoring network traffic and suspicious activity.
- Alerting the administrator about network status and events.
- Combining with surveillance systems, firewalls and antivirus software to form a complete security system.
* IDS classification
- Network intrusion detection system (NIDS): the system captures packets for in-depth analysis without altering them. A NIDS can be software deployed on a server or an integrated appliance.
- Host intrusion detection system (HIDS): monitors abnormal activity on individual hosts. A HIDS is installed directly on the host it monitors.
Each component of the network architecture has different functions, strengths and weaknesses, and using each for the right purpose gives the best result. An IDS is one of the key components of a system protection solution. When deployed, it helps to:
- Monitor abnormal activity on the system.
- Determine who is acting on the system and how.
- Locate where in the network structure the intrusion occurs.
* Advantages and limitations of an IDS
- Advantages:
+ Provides a holistic view of all network traffic.
+ Helps to troubleshoot network problems.
+ Gathers evidence for investigation and recovery.
- Limitations:
+ May cause false alarms if not configured properly.
+ Traffic analysis capability is relatively limited.
+ The cost of deploying and operating the system is relatively high.
• Intrusion prevention system
* Definition
An Intrusion Prevention System (IPS) is a system for monitoring and preventing unwanted intrusion.
* The most important features of an IPS
The main function of an IPS is to identify hazardous activity and record it, then, in combination with the firewall, stop that activity, and finally provide detailed reports on the unauthorised activity.
An IPS is considered an extension of an IDS, and the two systems work in a similar manner. The difference is that the IPS, in addition to its monitoring capability, also has the function of blocking malicious activity on the system. An IPS uses the same kind of rule set as an IDS.
* IPS classification
- Network-based Intrusion Prevention (NIPS): typically deployed in front of or behind the firewall.
When the IPS is deployed in front of the firewall it can protect the entire system, including the firewall and the DMZ, and can reduce the risk of denial-of-service attacks against the firewall.
When the IPS is deployed behind the firewall it can prevent some types of attack that exploit weaknesses on mobile devices connecting to the inside over VPN.
- Host-based Intrusion Prevention (HIPS): deployed to detect and prevent intrusion on hosts in a timely manner.
To stop attacks immediately, a HIPS uses the same kind of technology as antivirus solutions. Besides detecting and blocking activity, a HIPS can also detect changes to configuration files.

CHAPTER 2
NETWORK TRAFFIC ANALYSIS
• Introduction to network traffic
Network traffic is the amount of data travelling across the network at a given point in time. Network data is mainly carried in packets, such as IP packets, which constitute the load on the network. Network traffic is the main subject of network traffic measurement, control and simulation, and the main input for bandwidth measurement and management.
• Netstat and PowerShell functions in Windows OS
* Introduction to netstat
netstat is a program designed to display the information needed to troubleshoot network-related problems. It is a cross-platform program, available on Linux and macOS as well as Windows.
Some of the main features of the netstat command are:
- Display incoming and outgoing connections.
- Display the routing table.
- Display per-protocol statistics.
The syntax of the "netstat" command on Windows is shown in the figure below.
Fig.: netstat command syntax on Windows

* Introduction to PowerShell
PowerShell is a newer interactive command shell for the Windows operating system, especially suited to system administration tasks. It consists of an interactive command-line tool and an environment for executing scripts.
PowerShell is itself written in .NET and is built primarily on the .NET Framework, so it is designed as an object-oriented utility and scripting language. Everything in PowerShell is treated as an object with the full functionality of the .NET Framework, and an object can be used through the properties and methods of its type. When the output of one command is piped to another, PowerShell actually passes the objects, not just the text output of the first command. This gives the next command complete access to all properties and methods of the objects in the pipeline.
Treating everything as an object and passing objects between commands is a big conceptual change for command-line utilities. That said, PowerShell still works like a traditional shell: commands, scripts and executables can be typed and run from the command line, and the results are displayed as text. Windows .CMD and .BAT files, VBScripts, JScripts and executables that run under CMD.EXE all run in PowerShell as well. However, since they are not object oriented, they do not have full access to the objects created and used in PowerShell; these legacy scripts and programs still treat everything as text, but PowerShell can be combined with them. This is very important when starting to use PowerShell with a collection of existing scripts that cannot be converted all at once.
The basic PowerShell commands (cmdlets):
Cmdlet           Description
Get-ChildItem    List all files and directories in the current directory
Get-Content      Display the contents of a file
Get-Command      List the commands available in PowerShell
Get-Help         Display help
Clear-Host       Clear the screen
Copy-Item        Copy a file or folder to a new location
Move-Item        Move a file or folder to a new location
Remove-Item      Delete a file or folder
Rename-Item      Rename a file or folder
Get-Location     Display the current directory path
Pop-Location     Change the current directory to the one most recently pushed onto the stack
Push-Location    Push the current directory onto the stack
Set-Location     Change the current directory
Write-Output     Write objects to the output pipeline
Get-Process      List running processes
Stop-Process     Stop a process
Select-String    Print the lines matching a pattern
Set-Variable     Set the value of a variable
• Network traffic sniffer method
To collect the network traffic of the processes on a client we run a .ps1 script in PowerShell. Note that the script does not capture packets: it enumerates the socket (connection) table, in the same way as netstat -ano, and joins each entry to its owning process. The result of the script includes: PID (process ID), process name, process path, protocol (TCP or UDP), local IP (source IP address), local port (source port), remote IP (destination IP address), remote port (destination port) and state (connection state).

The .ps1 script that collects the network traffic is shown below:

Fig.: scriptGetInfo.ps1
Result after running scriptGetInfo.ps1:
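The following script is an added example and not the dissertation's scriptGetInfo.ps1 (which is not reproduced on this page). It produces the same fields by parsing the output of netstat -ano and joining each socket to its owning process with Get-Process. The function names are this example's own, and the netstat output embedded at the end is constructed, not a real capture.

```powershell
# Added example: connection-table collection in the style of scriptGetInfo.ps1.
# Parses `netstat -ano` (present on Windows 7 and later) and joins each socket
# to its owning process. Run elevated, otherwise Path is empty for processes
# that belong to other users.

function Split-Endpoint {
    # "192.168.1.10:49712" -> 192.168.1.10 / 49712, "[::1]:135" -> ::1 / 135, "*:*" -> * / $null
    param([Parameter(Mandatory)] [string]$Endpoint)
    $i = $Endpoint.LastIndexOf(':')
    if ($i -lt 0) { return [pscustomobject]@{ Ip = $Endpoint; Port = $null } }
    $port = $Endpoint.Substring($i + 1)
    $portValue = $null
    if ($port -ne '*') { $portValue = [int]$port }
    [pscustomobject]@{ Ip = $Endpoint.Substring(0, $i).Trim('[', ']'); Port = $portValue }
}

function ConvertFrom-NetstatOutput {
    # Turns the text lines of `netstat -ano` into objects. Header lines do not
    # match the pattern and are skipped. UDP lines carry no State column.
    param([Parameter(Mandatory)] [string[]]$Lines)
    $rx = '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $rx) { continue }
        $state = 'STATELESS'
        if ($Matches['state']) { $state = $Matches['state'] }
        $local  = Split-Endpoint $Matches['local']
        $remote = Split-Endpoint $Matches['remote']
        [pscustomobject]@{
            PID        = [int]$Matches['pid']
            Protocol   = $Matches['proto']
            LocalIP    = $local.Ip
            LocalPort  = $local.Port
            RemoteIP   = $remote.Ip
            RemotePort = $remote.Port
            State      = $state
        }
    }
}

function Get-ProcessConnection {
    # Collects the live table (or parses captured lines passed in) and adds the
    # process name and executable path of the owning process.
    param([string[]]$NetstatLines = (& netstat -ano))
    $procs = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $procs[$_.Id] = $_ }
    foreach ($c in ConvertFrom-NetstatOutput -Lines $NetstatLines) {
        $p = $procs[$c.PID]
        $name = '<exited>'; $path = $null          # the PID may have gone away since netstat ran
        if ($p) { $name = $p.ProcessName; $path = $p.Path }
        $c | Add-Member -NotePropertyName ProcessName -NotePropertyValue $name
        $c | Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru
    }
}

# Constructed sample of `netstat -ano` output (not a real capture) to exercise the parser offline
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4120
  TCP    [::1]:49713            [::1]:1433             ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    1088
'@ -split "`r?`n"
ConvertFrom-NetstatOutput -Lines $sample | Format-Table -AutoSize

# Live collection: keep only sockets with a real peer and hand the rows to the server as CSV
Get-ProcessConnection |
    Where-Object { $_.RemoteIP -notin '0.0.0.0', '::', '*' } |
    Export-Csv -Path (Join-Path $env:TEMP 'netinfo.csv') -NoTypeInformation
```

On Windows 8 / Server 2012 and later the same information is available as objects from Get-NetTCPConnection and Get-NetUDPEndpoint (OwningProcess gives the PID), which avoids parsing text; the netstat parser is kept here because the client requirements below allow Windows 7.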
CHAPTER 3
MALICIOUS NETWORK APPLICATIONS: DETECTION METHOD

• Detect port hopping application


* Port hopping technique
Port hopping [1] is a technique used to evade firewalls and application detection. An application tries to connect to the remote host on a different port when it is unable to connect on its default port. For example, a P2P (peer-to-peer) program might first try to connect on port 80. If this fails, it might try port 3904. If port 3904 does not work either, it might jump to port 4556.
Some applications, such as AOL (America Online), KaZaA, FrostWire, uTorrent and Vuze (Azureus) BitTorrent, use port hopping so that they can bypass firewall and router configurations designed to block or rate-limit them.
* Detection method
If we observe the connections in the TCPView tool, a port-hopping application initiates many connections to remote addresses on many different remote ports (port numbers above 1023). This is the signature used to identify a port-hopping application. Note that the check must be made on the remote port: the local (source) port of every outgoing connection is ephemeral and varies anyway, so it says nothing about port hopping.
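The heuristic above, automated over the connection records the clients collect, as an added example (this is not the dissertation's CheckPortHopping function). The threshold of five distinct remote ports is an assumed tuning value, and the sample records are constructed.

```powershell
# Added example, not the dissertation's CheckPortHopping. Input rows are the
# connection records collected on the clients (ProcessName, RemoteIP, RemotePort).
# The threshold of 5 distinct remote ports is an assumed tuning value.

function Test-PortHopping {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$MinDistinctPorts = 5
    )
    $Records | Group-Object ProcessName | ForEach-Object {
        # Only remote ports above the well-known range count: browsers open many
        # connections too, but to 80/443, and their varying *local* ports are ephemeral.
        $high  = @($_.Group | Where-Object { [int]$_.RemotePort -gt 1023 })
        $ports = @($high | Select-Object -ExpandProperty RemotePort -Unique)
        $peers = @($high | Select-Object -ExpandProperty RemoteIP -Unique)
        [pscustomobject]@{
            ProcessName       = $_.Name
            Connections       = $_.Group.Count
            DistinctHighPorts = $ports.Count
            DistinctPeers     = $peers.Count
            IsPortHopping     = ($ports.Count -ge $MinDistinctPorts)
        }
    }
}

# Constructed sample: a browser reaching several sites over HTTPS, a DNS lookup,
# and a P2P client reaching peers on assorted high ports (the pattern seen in TCPView).
$sample = @()
foreach ($ip in '93.184.216.34', '151.101.1.69', '142.250.74.46', '104.16.1.1', '13.107.42.14', '172.217.1.1') {
    $sample += [pscustomobject]@{ ProcessName = 'chrome'; RemoteIP = $ip; RemotePort = 443 }
}
$peerPorts = [ordered]@{ '10.0.1.1' = 6881; '10.0.2.2' = 3904; '10.0.3.3' = 4556; '10.0.4.4' = 51413; '10.0.5.5' = 62201 }
foreach ($e in $peerPorts.GetEnumerator()) {
    $sample += [pscustomobject]@{ ProcessName = 'p2pclient'; RemoteIP = $e.Key; RemotePort = $e.Value }
}
$sample += [pscustomobject]@{ ProcessName = 'svchost'; RemoteIP = '10.0.0.1'; RemotePort = 53 }

Test-PortHopping -Records $sample | Format-Table -AutoSize
```

In the sample only p2pclient is flagged: chrome has six connections but none on a port above 1023, and svchost only talks to port 53. Any application that legitimately talks to many peers on high ports (VoIP, online games) will be flagged by the same rule, so the IsPortHoppingApplication mark should stay reviewable by the administrator, as it is in the LAN Monitor tool.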

• Detecting connections to blocked IP address


* IP address blocking
IP address blocking is a security measure that prevents connections between a specific IP address, or a group of IP addresses, and a mail, web or Internet server. It is a configuration of a network service such that requests from hosts with certain IP addresses are rejected.
Some services publish lists of blocked IP addresses, for example:
- https://p2pblocklist.net/free-blacklists/
- https://www.iblocklist.com/lists.php
* Detection method
First, we build a list of blocked IP addresses and store it in the database. Sources of blocked IP addresses include https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time, https://www.iblocklist.com/lists.php and https://p2pblocklist.net/free-blacklists.
Second, when a connection is initiated, we read its remote IP address and check whether it exists in the database. If it does, we mark the application as connected to a blocked IP address. Because these lists mostly contain address ranges rather than single addresses, the check has to be a range lookup, not an exact match.
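A range lookup for this check, as an added example (not the dissertation's CheckBlockIP). It reads the PeerGuardian "P2P" text format that iblocklist and p2pblocklist distribute and answers membership with a binary search. The list embedded below is constructed from documentation address ranges, not downloaded data.

```powershell
# Added example, not the dissertation's CheckBlockIP. iblocklist and p2pblocklist
# publish lists in the PeerGuardian "P2P" text format, one range per line:
#     description:first_ip-last_ip
# The list below is constructed for the example (RFC 5737 documentation ranges),
# not downloaded data. IPv4 only; IPv6 peers are reported as not covered.

function ConvertTo-IPv4Number {
    # Dotted quad -> unsigned 32-bit integer, so ranges can be compared numerically
    param([Parameter(Mandatory)] [string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $null }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $b = $addr.GetAddressBytes()     # big-endian; BitConverter expects little-endian
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Import-P2PBlocklist {
    # Parses P2P-format lines into ranges sorted by start address. MaxEnd is the
    # largest end address seen up to that entry, which lets the lookup decide
    # membership with one binary search even when ranges overlap.
    param([Parameter(Mandatory)] [string[]]$Lines)
    $rx = '^(?<desc>.*):(?<first>\d{1,3}(?:\.\d{1,3}){3})-(?<last>\d{1,3}(?:\.\d{1,3}){3})\s*$'
    $ranges = foreach ($line in $Lines) {
        if ($line -match $rx) {
            [pscustomobject]@{
                Description = $Matches['desc'].Trim()
                Start       = ConvertTo-IPv4Number $Matches['first']
                End         = ConvertTo-IPv4Number $Matches['last']
                MaxEnd      = [uint32]0
            }
        }
    }
    $sorted = @($ranges | Where-Object { $null -ne $_.Start -and $null -ne $_.End } | Sort-Object Start)
    $running = [uint32]0
    foreach ($r in $sorted) {
        if ($r.End -gt $running) { $running = $r.End }
        $r.MaxEnd = $running
    }
    return $sorted
}

function Find-BlocklistEntry {
    # Returns the matching range object, or $null when the address is not listed
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Ranges,
          [Parameter(Mandatory)] [string]$Ip)
    $n = ConvertTo-IPv4Number $Ip
    if ($null -eq $n) { return $null }
    # Binary search for the last range whose Start <= n
    $lo = 0; $hi = $Ranges.Count - 1
    while ($lo -le $hi) {
        $mid = [int][math]::Floor(($lo + $hi) / 2)
        if ($Ranges[$mid].Start -le $n) { $lo = $mid + 1 } else { $hi = $mid - 1 }
    }
    if ($hi -lt 0 -or $Ranges[$hi].MaxEnd -lt $n) { return $null }
    # Some range at or before $hi ends at or after n; walk back to find it
    for ($i = $hi; $i -ge 0; $i--) {
        if ($Ranges[$i].End -ge $n) { return $Ranges[$i] }
    }
    return $null
}

# Constructed sample list; a real one is loaded with Get-Content from the downloaded file
$sampleList = @(
    'Test range A:192.0.2.0-192.0.2.255'
    'Test range C (overlaps A):192.0.2.128-192.0.3.255'
    'Test range B:198.51.100.0-198.51.100.127'
    '# comment lines and blank lines do not match and are ignored'
    ''
)
$ranges = Import-P2PBlocklist -Lines $sampleList
foreach ($ip in '192.0.2.10', '192.0.3.1', '198.51.100.200', '8.8.8.8', '2001:db8::1') {
    $hit = Find-BlocklistEntry -Ranges $ranges -Ip $ip
    $verdict = 'allowed'
    if ($hit) { $verdict = "BLOCKED by '$($hit.Description)'" }
    '{0,-16} {1}' -f $ip, $verdict
}
```

Storing the ranges as numeric Start/End columns in tbl_IPBlackList lets SQL Server do the same lookup with a range predicate; storing them as text would force a full scan of the blacklist for every remote address seen.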
• Detect connections to malicious website
* Malicious website
Norton (Symantec, US) defines a malicious site as a site whose content is very bad (pornographic or violent) or that attempts to install malware onto devices. Malware is a general term for anything that disrupts computer operation, gathers personal information or, in the worst case, gains total access to the machine. Some websites affect computers without asking for permission, such as stealthy coin-mining sites (coinhive.com, ...), porn sites (www.xvideos.com, www.pornhub.com, ...) and violent sites (www.bestgore.com, www.documentingreality.com, ...).
* Detection method
First, we build three keyword lists: pornographic terms, violent terms and malicious JavaScript signatures. For each website an application connects to, we fetch the HTML content of the site's homepage. If it contains a porn keyword, a violent keyword or a malicious script signature, the site is marked as malicious. Two practical caveats: the keyword match should be made on whole words in the visible text (otherwise substrings inside ordinary words produce false positives), and fetching the homepage from the monitoring server itself creates a connection to the suspect site, so the fetch should be done from an isolated or sandboxed host.
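The content check above, as an added example (not the dissertation's CheckMaliciousSite). The keyword lists and script signatures are constructed placeholders standing in for the contents of tbl_PornWordList, tbl_ViolentWordList and tbl_MaliciousScript, the script file name used in the sample page is an assumption for the example, and the sample HTML is constructed.

```powershell
# Added example, not the dissertation's CheckMaliciousSite. The keyword lists and
# script signatures are constructed placeholders for tbl_PornWordList,
# tbl_ViolentWordList and tbl_MaliciousScript; the coinhive script name in the
# sample page is an assumption for this example.

function Test-MaliciousContent {
    param(
        [Parameter(Mandatory)] [string]$Html,
        [string[]]$PornWords        = @('porn', 'xxx'),
        [string[]]$ViolentWords     = @('gore', 'beheading'),
        [string[]]$ScriptSignatures = @('coinhive.min.js', 'CoinHive.Anonymous')
    )
    # 1. Script signatures are matched against the raw markup (src URLs, inline loaders)
    $scriptHits = @($ScriptSignatures | Where-Object { $Html.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })

    # 2. Keywords are matched on visible text only: drop <script>/<style> bodies,
    #    then the remaining tags, then decode entities such as &amp;
    $text = [regex]::Replace($Html, '(?is)<(script|style)\b.*?</\1\s*>', ' ')
    $text = [regex]::Replace($text, '(?s)<[^>]+>', ' ')
    $text = [System.Net.WebUtility]::HtmlDecode($text)

    # Whole-word, case-insensitive match, so that "Essex" does not match "sex"
    $porn    = @($PornWords    | Where-Object { $text -match ('(?i)\b' + [regex]::Escape($_) + '\b') })
    $violent = @($ViolentWords | Where-Object { $text -match ('(?i)\b' + [regex]::Escape($_) + '\b') })

    [pscustomobject]@{
        PornWords    = $porn
        ViolentWords = $violent
        ScriptHits   = $scriptHits
        IsMalicious  = ($porn.Count + $violent.Count + $scriptHits.Count) -gt 0
    }
}

function Test-MaliciousSite {
    # Fetches the homepage and runs the content check. Run this from an isolated
    # host: the fetch itself contacts the suspect site and follows its redirects.
    param([Parameter(Mandatory)] [string]$Url, [int]$TimeoutSec = 10)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -MaximumRedirection 2 -ErrorAction Stop
        $result = Test-MaliciousContent -Html $resp.Content
    } catch {
        # A fetch failure is "unknown", not "clean"
        $result = [pscustomobject]@{ PornWords = @(); ViolentWords = @(); ScriptHits = @(); IsMalicious = $null; Error = $_.Exception.Message }
    }
    $result | Add-Member -NotePropertyName Url -NotePropertyValue $Url -PassThru
}

# Constructed sample page: harmless text, a CSS class named ".xxx" that must not
# count as a keyword hit, and a mining-script reference that must be reported
$sampleHtml = @'
<html><head><title>Essex Tourism</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<style>.xxx { color: red }</style></head>
<body><h1>Welcome to Essex</h1><p>Beaches &amp; castles.</p></body></html>
'@
Test-MaliciousContent -Html $sampleHtml | Format-List
```

For the sample page the result has no keyword hits (the ".xxx" class sits inside a style block and "Essex" is not a whole-word match) and one script hit, so IsMalicious is true. A plain substring search over the raw HTML would have reported the page as pornographic as well.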
CHAPTER 4
PROJECT, IMPLEMENTATION AND TESTING

• Introduction to the project
The project is a simple software-based HIDS/HIPS consisting of two tools: Client and LAN Monitor. The Client tool runs on the client computers; the LAN Monitor tool runs on the server computer. The programming language is C# with the Visual Studio 2012 IDE, and the application targets .NET Framework 4.0. The database management system (DBMS) is SQL Server 2017.
• System model
In the LAN, one high-performance computer is used as the server and the others are clients.
* The client computers run the Client application with the following tasks:
- Collecting the network traffic of all running processes and, when a process has connected, sending the data to the database on the server.
- Checking for and carrying out requests to stop or delete malicious applications and to set firewall rules (such as opening or closing ports).
* The server computer stores the database and runs the LAN Monitor application with the following tasks:
- Reading and analysing the network traffic in the database, then determining port-hopping processes, connections to blocked IP addresses and access to porn or violent sites, and marking them.
- Supporting the administrator in sending requests to the client computers, such as stopping or deleting a process and blocking or opening a port.
• Database
The database consists of 9 tables, shown in the diagram below:

- tbl_ExampleFirewallRule: stores example firewall rules.
- tbl_Firewall: stores the firewall rules created by the administrator.
- tbl_IPBlackList: stores the list of blocked IP addresses.
- tbl_MaliciousScript: stores the list of malicious scripts.
- tbl_ViolentWordList: stores the list of violent words.
- tbl_PornWordList: stores the list of porn words.
- tbl_Machine: stores the list of computers in the LAN.
- tbl_ProcessInfo: stores the list of processes on the computers in the LAN.
- tbl_NetworkTraffic: stores the network traffic of the processes on the computers in the LAN.
• Requirements and policies for the LAN
In order to implement the solution for monitoring and warning about unsafe connections in the LAN effectively, the following requirements and policies should be applied:
* Hardware and software requirements for the server: a high-performance server running Windows Server 2012 with SQL Server 2017 as the DBMS.
* Software requirements for the client computers: Windows 7 or later; Chrome (English version) as the only installed web browser; .NET Framework 4.0; the Client application installed with administrator rights, running in the background and started automatically when the computer restarts.
* Logon policy for the client computers: users may only log on with an account in the Users group. The account's rights are restricted: it cannot delete or install applications, cannot modify the firewall, the registry or Task Manager, and cannot disable or delete the Client application.
• Client tool functions
The Client tool is installed on the client computers. Its main functions are:
* GetProcessInfo(): runs scriptGetInfo.ps1 to get the network traffic of the processes on the client computer, then sends the data to the server. The operation diagram is as follows:
The network traffic includes: PID (process ID), process name, process path, protocol (TCP or UDP), local IP (source IP address), local port (source port), remote IP (destination IP address), remote port (destination port) and state (connection state).

* GetVisitedSiteFromChrome(): gets the sites visited by the user in the Chrome browser and their IP addresses, then sends the data to the server. The operation diagram is as follows:
* ProcessController(): receives requests from the server and stops or deletes malicious running processes on the client computer. The operation diagram is as follows:
* FirewallController(): receives requests from the server and applies firewall rules on the client computer. The operation diagram is as follows:
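The host-side actions behind ProcessController() and FirewallController(), as an added example (this is not the dissertation's C# code). It uses netsh advfirewall rather than the New-NetFirewallRule cmdlet so that the same commands work on Windows 7, the minimum client OS given above; the rule-name prefix and the sample paths and PIDs in the usage lines are this example's own assumptions.

```powershell
# Added example, not the dissertation's ProcessController/FirewallController.
# Host-side actions a client can perform on a server request. netsh advfirewall
# is used instead of New-NetFirewallRule so the same commands work on Windows 7,
# the minimum client OS stated above. Requires an elevated session.
# The rule-name prefix is this example's own.

$RulePrefix = 'LANMonitor'

function Invoke-Netsh {
    # Runs netsh with a literal argument string and returns its exit code
    param([Parameter(Mandatory)] [string]$Arguments)
    $p = Start-Process -FilePath 'netsh.exe' -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

function Block-ProgramOutbound {
    # Blocks all outbound traffic of one executable (a softer action than deleting it)
    param([Parameter(Mandatory)] [string]$ProgramPath)
    $name = "$RulePrefix-Block-" + [IO.Path]::GetFileName($ProgramPath)
    # Idempotent: drop an older rule with the same name (exit code 1 = no such rule) before adding
    Invoke-Netsh "advfirewall firewall delete rule name=`"$name`"" | Out-Null
    $rc = Invoke-Netsh "advfirewall firewall add rule name=`"$name`" dir=out action=block program=`"$ProgramPath`" enable=yes"
    if ($rc -ne 0) { throw "netsh could not add rule '$name' (exit code $rc)" }
    return $name
}

function Set-RemotePortRule {
    # Opens or closes one outbound TCP/UDP destination port for the whole host
    param(
        [Parameter(Mandatory)] [int]$Port,
        [ValidateSet('TCP', 'UDP')] [string]$Protocol = 'TCP',
        [ValidateSet('block', 'allow')] [string]$Action = 'block'
    )
    $name = "$RulePrefix-$Action-$Protocol-$Port"
    Invoke-Netsh "advfirewall firewall delete rule name=`"$name`"" | Out-Null
    $rc = Invoke-Netsh "advfirewall firewall add rule name=`"$name`" dir=out action=$Action protocol=$Protocol remoteport=$Port enable=yes"
    if ($rc -ne 0) { throw "netsh could not add rule '$name' (exit code $rc)" }
    return $name
}

function Stop-FlaggedProcess {
    # Stops a process the server flagged and optionally deletes its executable.
    # ExpectedPath guards against PID reuse: the PID recorded on the server may
    # by now belong to a different program.
    param(
        [Parameter(Mandatory)] [int]$ProcessId,
        [string]$ExpectedPath,
        [switch]$DeleteExecutable
    )
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p) { return "PID $ProcessId is not running" }
    $path = $p.Path
    if ($ExpectedPath -and $path -ne $ExpectedPath) {
        throw "PID $ProcessId is now '$path', not '$ExpectedPath'; refusing to act"
    }
    Stop-Process -Id $ProcessId -Force -ErrorAction Stop
    # The image file cannot be deleted while it is still mapped, so wait for exit first
    $p.WaitForExit(5000) | Out-Null
    if ($DeleteExecutable -and $path) {
        Remove-Item -LiteralPath $path -Force -ErrorAction Stop
        return "stopped PID $ProcessId and deleted '$path'"
    }
    return "stopped PID $ProcessId ('$path')"
}

# Example requests as the server might send them (paths and PID are illustrative;
# uncomment to run, since each call changes the host's firewall or processes)
# Block-ProgramOutbound -ProgramPath 'C:\Users\Public\p2pclient.exe'
# Set-RemotePortRule -Port 6881 -Protocol TCP -Action block
# Stop-FlaggedProcess -ProcessId 4120 -ExpectedPath 'C:\Users\Public\p2pclient.exe' -DeleteExecutable
```

Two points worth keeping in the C# implementation as well: the path check before Stop-Process, because a PID reported minutes earlier may have been recycled, and the wait between stopping and deleting, because Windows refuses to delete an executable whose image is still mapped into a process.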

• LAN Monitor tool functions

The LAN Monitor tool is installed on the server computer. Its main functions are:
* Display the connection status of all computers in the LAN:

* Display the list of processes on the clients that are connected to the Internet:

The fields include: IP address of the client, name of the process connected to the Internet, last connection time of the process, whether the process is a port-hopping application, whether it has connected to a blocked IP, whether it has connected to a malicious site, and whether the Client tool has been instructed to stop, delete or let the process continue.
The value of the IsPortHoppingApplication field is determined automatically by the function CheckPortHopping. The values of the IsConnectToblockIP and IsConnectoMaliciousSite fields are derived from the process's network traffic records.
The administrator can change the values of some fields via the right-click menu.

* Display the network traffic of a process on a client that is connected to the Internet:

The fields include: user name logged on to the client computer, time of the TCP (UDP) connection, process name, local address, local port, remote address, remote port, connection state, domain name (from a reverse lookup of the remote address), whether the remote address is a blocked IP, and whether the remote address is a malicious site.
The values of the IsConnectToblockIP and IsConnectoMaliciousSite fields are determined automatically by the functions CheckBlockIP and CheckMaliciousSite.
The administrator can change the values of some fields via the right-click menu.
* Support for the administrator in configuring the firewall on the client computers: the administrator can refer to the example firewall rules and adapt them into suitable rules.
• Testing results
* Detecting port-hopping applications
The applications used for testing are P2P applications: Gift Credit Card (gift), FrostWire-6.6.3, Kazaa.Lite.2.7, kceasy-0.19, Shareaza_2.7.10.2, uTorrent and VuzeBittorrentClient (Azureus).
Test result: 5 of 7 applications were detected as port hopping.
Application name    Is port hopping
Azureus             Yes
FrostWire           Yes
Kazaa.Lite          Yes
Gift Credit Card    Yes
Shareaza            Yes
uTorrent            No
kceasy              No
The image below shows the test result:

* Detecting access to blocked IPs and malicious sites

Sites used for testing: 5 porn sites (xhamster.com, www.youporn.com, vlxx.tv, www.freefuckvids.com, www.xvideo.com) and 2 coin-mining sites (coinhive.com, quantrinet.com).
Coin-mining application: the MinerGate tool (connected to 176.9.47.243).
Test result: 4 of 5 porn sites, 2 of 2 coin-mining sites and 1 of 1 coin-mining application were detected.
Site/IP address        Is malicious site    Is blocked IP
xhamster.com           Yes                  No
www.youporn.com        Yes                  No
www.freefuckvids.com   Yes                  No
www.xvideo.com         Yes                  No
vlxx.tv                No                   No
coinhive.com           Yes                  Yes
quantrinet.com         Yes
176.9.47.243           No                   Yes

The image below shows the test result:


SUMMARY

REFERENCES

WEB REFERENCES
• https://origin-symwisedownload.symantec.com/resources/webguides/packetguide/11.5/Content/Topics/solutions/security/wan-application-security.htm?TocPath=Recommendations%7CSecurity%7C_____2
LIST OF TABLES

LIST OF FIGURES

APPENDIX 1
Source code.
