CYBERNETICS FACULTY
DISSERTATION
SPECIALIZATION COURSE
Author: Supervisor:
Acceptance of work
Supervisor
mgr inż. Paweł Głębocki
TABLE OF CONTENTS
ABSTRACT
This report focuses on deploying an Intrusion Prevention System (IPS) in a LAN in
order to detect, monitor and prevent network applications that use unsafe
connections to the Internet.
Unsafe connections are defined as: getting through firewalls using the port hopping
technique; connecting to a blocked IP address; accessing violent or pornographic websites.
The IPS model in the LAN is of the client-server type. The clients sniff all
network traffic and send the information to the server. The server then analyzes
the information to identify the applications that include unsafe connections, and
requests the clients to take protective actions on their PCs, such as killing processes,
deleting applications, configuring the firewall and so on.
INTRODUCTION
The Internet has become more and more important for almost every field of our
daily life. However, there are many risks for users, especially in terms of security. In fact,
applications and software that can detect malicious software or unsafe connection
behavior to the Internet are often installed on PCs. The first reason is that most of these
applications are not free. Secondly, the operating methods and behaviors of malicious
software are constantly developed to get through firewall systems.
This project focuses on researching a method for detecting and monitoring unsafe
connections based on network traffic. The method analyzes all information about network
connections in order to detect port hopping, blocked IPs, and pornographic and violent sites. The
paper is organized as follows:
- Chapter 1: Introduction to network security, intrusion detection systems (IDS) and
intrusion prevention systems (IPS).
- Chapter 2: Introduction to network traffic, some functions of the netstat and PowerShell
tools in Windows. Finally, a description of network traffic sniffing methods.
- Chapter 3: Techniques for port hopping and blocked IPs, characteristics of pornographic or
violent sites. Presents the method for detecting port hopping applications, connections to
blocked IP addresses, and access to pornographic or violent sites.
- Chapter 4: Overview of the project, introduction of the system model, database
diagram, policies for the LAN, and code. Finally, some test results are shown.
CHAPTER 1
INTRODUCTION INTRUSION PREVENTION SYSTEMS
CHAPTER 2
NETWORK TRAFFIC ANALYSIS
• Introduction to network traffic
Network traffic is the amount of data traveling across a network at a given point in
time. Networked data is mainly packaged in network packets, such as IP packets,
which provide the load in the network. Network traffic is the main subject of network traffic
measurement, control, and simulation. It is also the main
component of bandwidth measurement and management.
• Netstat and powershell functions in Windows OS
* Introduction to netstat
netstat is simply a program designed to display the information needed to troubleshoot
network-related errors. It is a cross-platform program: it is available on Linux and OSX as
well, and of course on Windows.
Some outstanding features of the NETSTAT command are as follows:
- Display incoming and outgoing traffic.
- Display the routing table.
- Display network protocol statistics.
Command structure of "netstat" on Windows:
Fig. .
* Introduction to powershell
PowerShell is a new interactive shell for the Windows operating system (a
command shell), especially suitable for system administration tasks. It includes an
interactive command-line tool and an environment for executing scripts.
PowerShell itself is written in a .NET language and is based primarily on the
.NET Framework, so it is designed as an object-oriented utility and scripting
language. Everything in PowerShell is treated as an object with the full functionality of the .NET
Framework. An ordered set of objects can be used through the attributes and methods of
that object type. When you want to put the output of a command into a pipe for another
command, PowerShell actually passes the object through, not just the first command's
text output. This gives the next command complete access to all properties and
methods of the object in the pipeline.
Treating everything as an object, and the ability to accept objects between
commands, is a big conceptual change for command-line utilities. That said, PowerShell
still works like a traditional shell utility. Commands, scripts, and executables can be
typed and run from the command line, and the results are displayed as text. Windows
.CMD and .BAT files, VBScripts, JScripts, and executables that operate within CMD.EXE all
run in PowerShell as well. However, since they are not object oriented, they do not have
full access to objects created and used in PowerShell. These legacy scripts and
implementations still treat everything as text, but you can combine PowerShell with
other technologies. This is very important if you want to start using PowerShell with
a collection of existing scripts that cannot be converted all at once.
The basic commands in PowerShell (cmdlets):
Windows PowerShell cmdlet   Description
Get-ChildItem               List all files / directories in the current directory
Get-Content                 Display the content of a file
Get-Command                 List the commands included in PowerShell
Get-Help                    Help
Clear-Host                  Clear the screen
Copy-Item                   Copy a file / folder to a new location
Move-Item                   Move a file / folder to a new location
Remove-Item                 Delete a file / folder
Rename-Item                 Rename a file / folder
Get-Location                Display the current directory path
Pop-Location                Change the current directory to the most recent folder pushed onto the stack
Push-Location               Push the current directory onto the stack
Set-Location                Change the current directory
Write-Output                Print, i.e. send an object to the output pipeline
Get-Process                 List the running processes
Stop-Process                Stop a process
Select-String               Print the lines that match a pattern
Set-Variable                Set the value of a variable
• Network traffic sniffer method
In order to sniff network traffic, we run a .ps1 script in PowerShell. The result of the script
includes: PID (process ID), process name, process path, protocol (TCP or UDP),
local IP (source IP address), local port (source port), remote IP (destination IP
address), remote port (destination port), and state (connection state).
Fig. . scriptGetInfo.ps1
Result after running scriptGetInfo.ps1
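An added example of such a collection script, not the dissertation's own scriptGetInfo.ps1: it builds one record per TCP connection and UDP endpoint with exactly the fields listed above, using the Windows NetTCPIP cmdlets Get-NetTCPConnection and Get-NetUDPEndpoint (Windows 8 / Server 2012 and later). It assumes an elevated PowerShell session so that the owning process and its path resolve for every connection.

```powershell
# Added example (not the dissertation's scriptGetInfo.ps1): one record per TCP
# connection and UDP endpoint, with PID, name, path, protocol, endpoints and state.
# Assumed: run elevated; otherwise some rows carry 'unknown' or an empty Path.

function Get-ProcessConnectionInfo {
    [CmdletBinding()]
    param()

    # Resolve each PID once: Get-Process is called a single time, keyed by [int] so
    # that the UInt32 OwningProcess values match the Int32 process IDs.
    $procTable = @{}
    foreach ($p in Get-Process) { $procTable[[int]$p.Id] = $p }

    function Get-OwnerInfo([int]$OwnerPid) {
        $p = $procTable[$OwnerPid]
        $name = 'unknown'; $path = ''
        if ($p) {
            $name = $p.ProcessName
            # Path is unavailable for protected/system processes; keep it empty then.
            try { $path = [string]$p.Path } catch { $path = '' }
        }
        [pscustomobject]@{ Name = $name; Path = $path }
    }

    # TCP: one row per connection, including its state (Listen, Established, ...).
    foreach ($c in Get-NetTCPConnection) {
        $o = Get-OwnerInfo $c.OwningProcess
        [pscustomobject]@{
            PID = $c.OwningProcess; ProcessName = $o.Name; Path = $o.Path; Protocol = 'TCP'
            LocalIP = $c.LocalAddress; LocalPort = $c.LocalPort
            RemoteIP = $c.RemoteAddress; RemotePort = $c.RemotePort; State = [string]$c.State
        }
    }

    # UDP is connectionless: only the local endpoint is known, so the remote
    # columns stay empty and State is reported as 'Stateless'.
    foreach ($u in Get-NetUDPEndpoint) {
        $o = Get-OwnerInfo $u.OwningProcess
        [pscustomobject]@{
            PID = $u.OwningProcess; ProcessName = $o.Name; Path = $o.Path; Protocol = 'UDP'
            LocalIP = $u.LocalAddress; LocalPort = $u.LocalPort
            RemoteIP = ''; RemotePort = ''; State = 'Stateless'
        }
    }
}

# Usage: display the table; pipe to Export-Csv instead to hand the rows to the server.
Get-ProcessConnectionInfo | Sort-Object PID | Format-Table -AutoSize
```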
CHAPTER 3
MALICIOUS NETWORK APPLICATIONS: DETECTION METHOD
• Introduction to project
This project is a simple software-based HIDS that includes two tools: Client and LAN
Monitor. The Client tool runs on the client computers; the LAN Monitor tool runs on the server computer.
The programming language is C# with the Visual Studio 2012 IDE. The .NET Framework version
of the application is 4.0. The database management system (DBMS) is SQL Server 2017.
• System model
In the LAN, one high-performance computer is used as the server; the others are clients.
* A client computer runs the Client application, with these tasks:
- Sniffing the network traffic of all running processes; once connected, it sends the data
to the database on the server.
- Checking and performing the requests to stop or delete malicious
applications and to configure the firewall (such as opening or closing ports).
* The server computer stores the database and runs the LAN Monitor application, with these
tasks:
- Reading and analyzing the network traffic in the database, then determining port-hopping
processes, connections to blocked IP addresses, and access to pornographic or violent sites, and
marking them.
- Supporting the admin in sending requests to the client computers, such as stopping or deleting a
process, or blocking or opening a port.
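An added example of the server's marking step, written here in PowerShell over constructed sample records shaped like the sniffer output; it is not the LAN Monitor's own C# code. The port-hopping rule is an assumption made for illustration (a process reaching the same remote host over more than a threshold of distinct remote ports), and the block list and records are constructed.

```powershell
# Added example (not the project's LAN Monitor code): mark connections to blocked
# IPs and processes that show the port-hopping pattern. The heuristic, the block
# list and the sample records are all constructed for this illustration.

function Find-UnsafeConnections {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # PID, ProcessName, RemoteIP, RemotePort
        [string[]] $BlockedIPs = @(),                # admin-maintained block list
        [int] $HopThreshold = 3                      # assumed threshold of distinct ports per host
    )
    $marks = [System.Collections.Generic.List[object]]::new()

    # Rule 1: any connection to a blocked IP address is marked immediately.
    foreach ($r in $Records) {
        if ($BlockedIPs -contains $r.RemoteIP) {
            $marks.Add([pscustomobject]@{ PID = $r.PID; ProcessName = $r.ProcessName; Reason = "connection to blocked IP $($r.RemoteIP)" })
        }
    }

    # Rule 2: per (PID, remote host), count distinct remote ports. One process talking
    # to one host over many ports is the port-hopping pattern this heuristic looks for.
    $byHost = $Records | Where-Object { $_.RemoteIP } | Group-Object PID, RemoteIP
    foreach ($g in $byHost) {
        $ports = @($g.Group | Select-Object -ExpandProperty RemotePort -Unique)
        if ($ports.Count -gt $HopThreshold) {
            $first = $g.Group[0]
            $marks.Add([pscustomobject]@{ PID = $first.PID; ProcessName = $first.ProcessName; Reason = "port hopping: $($ports.Count) ports to $($first.RemoteIP)" })
        }
    }
    return $marks
}

# Constructed sample records (documentation address ranges, not captured from a real host).
$sample = @(
    [pscustomobject]@{ PID = 4120; ProcessName = 'browser'; RemoteIP = '203.0.113.10'; RemotePort = 443 }
    [pscustomobject]@{ PID = 5300; ProcessName = 'updater'; RemoteIP = '198.51.100.7'; RemotePort = 8080 }
    [pscustomobject]@{ PID = 5300; ProcessName = 'updater'; RemoteIP = '198.51.100.7'; RemotePort = 8081 }
    [pscustomobject]@{ PID = 5300; ProcessName = 'updater'; RemoteIP = '198.51.100.7'; RemotePort = 8082 }
    [pscustomobject]@{ PID = 5300; ProcessName = 'updater'; RemoteIP = '198.51.100.7'; RemotePort = 8083 }
    [pscustomobject]@{ PID = 6010; ProcessName = 'tool';    RemoteIP = '203.0.113.99'; RemotePort = 80 }
)

# 'updater' is marked for port hopping (4 ports to one host), 'tool' for the blocked IP.
Find-UnsafeConnections -Records $sample -BlockedIPs @('203.0.113.99') | Format-Table -AutoSize
```

The marked PIDs are what the admin would act on through the client, e.g. with Stop-Process or a New-NetFirewallRule that blocks the remote address.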
• Database
The database includes 9 tables, shown in the diagram below:
LIST OF TABLES
LIST OF FIGURES
APPENDIX 1
Source code.