StephenKelly–x12386816 [email protected] . ie
IntrusionDetectionSystemforMaliciousEmailTechnicalReportBSHC(Honours)inComputing–SoftwareProjectNationalCollegeofIrelandSupervisor:SaraKadry
10thMay 2017
08 Fall
Technical Report
Page 2
Table of Contents ExecutiveSummary ................................................................................................ 41 Introduction ...................................................................................................... 5
1.1 Background ................................................................................................ 5
1.2 Aims ........................................................................................................... 61.3 Scope .......................................................................................................... 6
1.4 Technologies ............................................................................................... 72 UserClassesandCharacteristics ........................................................................ 8
3 RequirementsSpecification ............................................................................... 9
3.1 FunctionalRequirements ............................................................................ 93.1.1 UseCaseDiagram ............................................................................... 10
3.1.2 Requirement1:Register ..................................................................... 103.1.3 Requirement2:UploadPhoto(CreateAlbum) ..................................... 15
3.1.4 Requirement3:InviteUsers ............................................................... 19
3.1.5 Requirement4:SharePhoto ............................................................... 213.1.6 Requirement5:EditFriendList(TrustedUser) ................................... 22
3.2 Non-FunctionalRequirements .................................................................. 29
3.2.1 Performance/Responsetimerequirement .......................................... 293.2.2 SafetyRequirement ............................................................................ 29
3.2.3 SecurityRequirement ......................................................................... 293.2.4 RequirementAttributes ...................................................................... 30
3.2.5 BusinessRules .................................................................................... 30
3.2.6 Userrequirement ............................................................................... 313.2.7 Maintainabilityrequirement ............................................................... 31
3.2.8 Portabilityrequirement ...................................................................... 313.2.9 Extendibilityrequirement ................................................................... 31
3.3 DesignandArchitecture ............................................................................ 32
3.4 GraphicalUserInterface(GUI) .................................................................. 333.5 Testing ..................................................................................................... 42
3.6 Evaluation ................................................................................................ 43
4 Conclusion ...................................................................................................... 435 FutureDevelopment ........................................................................................ 43
Technical Report
Page 3
6 References ...................................................................................................... 44
7 Appendix ........................................................................................................ 447.1 MonthlyJournals ...................................................................................... 44
7.2 ProjectProposal ........................................................................................ 54
Technical Report
Page 4
ExecutiveSummary
Nowadays,usersallaroundtheworlduseemailastheirfundamentalmethodtoshare informationovertheweb.Thenetworkprovidersallowall typesofemailfor the purpose of communication. During this transfer of information somemaliciousemailsarereceivedwhichcancauseproblemseitherattheserversideor at the client side. In this project,we propose an intrusion detection systemdesignedtodetectthesemaliciousemails.
Inrecenttimes,someofthemostdangeroussecuritythreatsagainstprivateuserdataathomeandintheworkplaceisphishing.Phishinghasbecomeanextremelycommonformofcyberattack.Itconsistsofdefraudingpeoplebyluringthemtofake websites where users unknowingly provide personal details such as logininformation and credit card details. These fraudsters appear as a trusted thirdparty,likeawell-knownbank.Themostcommonmethodsofphishingaredoneby email. Once these details are acquired they can be used in the practice ofidentity theft or credit card fraud. In thepast, efforts havebeenmade to stoptheseattacksby identifyingphishingsitesusingplug-ins,but theseeffortshavebeenmadeinvainbyemergingblockingtechniques,whichrenderthemuseless.There isanabundanceofthesetypesofattacks,somuchso,thattheeverydayuserwillbeindangerwhethertheyknowitornot.InthisprojectweproposeanIntrusion Detection System for identifying these types of malicious emails androotthemtotheirsourcetoevaluate.Thiswillbemadepossiblebyusingadatacapture facility thatwill categorize a number of incoming emails as potentiallymalicious actions and an evaluation system thatwill send crawlers towebsitesrelatedtothesedetectedemailstodeterminetheirtrueintentions.Bydetectingmalicious emails in incoming traffic, this filters a user’s inbox and removes therequirementofauserbeing trained in thepracticeof securewebbrowsing.Asmostusersarenottrainedinthismanner,thissystemwillprovequiteuseful.TheIntrusionDetectionSystem(IDS)willdetectmaliciousemailsandensurethatalloftheincomingemails/dataisnotharmful.Whenamaliciousemailisdetected,the next step is to send crawlers to these phishingwebsites that are linked intheseemailsandalsothewebsitethat it is tryingto impersonate.Analgorithmthen stripsboth sitesdownand compares themusinga scoring system for thedifferencebetweenthetwo–ultimatelydecidingwhetherornotitisaphishingwebsite. This Intrusion Detection System will be implemented into a photosharingwebapplicationwithemailfunctionality.
Technical Report
Page 5
1 Introduction
1.1 BackgroundI am a current employee of ACIA (Aon Centre for Innovation and Analytics)workingpart-timeduringmystudies.IhavebeenanemployeeofACIAsincethesummerof2015whenIappliedforaninternship.IhavenotbeenworkingwiththiscompanyforlongbutIhaveseenmyfairshareofmisleadingandmaliciousemails in the workplace. Even in a technology-based company such as this,employeeswerestillthevictimsofthesephishingattacks.
Itjustgoestoshowhowcomplexanddeceitfultheseattacksarebecoming.ThiswasthebasisofmydecisiontodesignanddevelopanIntrusionDetectionSystemfor my final year project. It was one attack in particular that was successfulamong a small number of my colleagues. It occurred during my six-monthplacementforthirdyear,aroundthemonthofJuly.Anumberofstaffbegantoreceive fake emails purporting to come from the Revenue Commissioners andwerewarnedsoonafterwardsthatalthoughtheemailaddressseemsvalid, it isjustapieceoftextandcaneasilybefaked.Emailaddressesarenotverifiedandcannot be relied on as proof of the identity of the sender organization. Theseemails seemed very professionallymade and tried to trick users into believingthattheyweredueataxrefund,mostlyintherangeofaround€160,andenticedthemtoenterbankdetails. Itwasn’tuntil theverynextday thatsimilaremailsstartedtorollin.Colleagueswerewarnedtoremainextremelyvigilantandneverto click on suspicious links or provide any sensitive information. This time thephishingemailswere indisguise as invoices fromApple andagain, looked verylegitimate.AnofficewideemailwassentoutfromITtowarnthatproceedsfromsuch scams are quickly transferred offshore, usually through multiplecountries/banks and prove impossible to retrieve, even where amounts aregreatlyinexcessof€25.99.
Althoughthesetypesofattacksareveryunfortunate,itwasgoodtoexperienceitfirsthand in theworkplace, and to see how the office dealtwith the situation.HoweverIfeltthatitwasn’tenoughandIwantedtocreatesomethingthatwouldtacklethisissueheadon,eradicatingtheproblemontheuser’send.
Technical Report
Page 6
1.2 AimsThepurposeofthisproject istoprovideaneasyanduser-friendlywaytoallowuserstohaveasafeworkingenvironmentwhenusinganonlinewebapplicationwithemail functionality.Themainobjectiveofthisproject is tomaintainasafeanduser-friendlyenvironmentand toeradicateany incoming threatsviaemail.Thisproductwillconsistoftwomaincomponents:anIntrusionDetectionSystemandawebapplicationthatwillallowuserstosharephotoswithfriends.
1.3 ScopeThewebapplicationwillallowuserstosignuptoaservicewhichwillprovideasafeenvironmentforthemtosharephotoswiththeirfriends.Tosignuptothisservice, eachusermust have a valid email address.Once a user has becomearegisteredmember,theycaninviteotherusersviaemailtojointheservice.Theydothisbysendinganemail,whichwillincludeaninvitation.Whenthereceiverofthe invitation email accepts the invite, they will be brought to the webapplication to register as amember.Once completed, theywill thenbecomeafriend (trusted user) and will appear on a trusted user friend’s list. This willconnectbothusersandallowthemtosharephotosonthewebsite.
To ensure the safety and security of the process of sending emails, we haveimplemented an intrusion detection system that will detect malicious emails.Whensharingphotos,anyphotosreceivedfromanuntrusteduserwillbemarkedasmaliciousemailandbeplaced ina junk folder.Thissystemwill co-existwiththe web application and improve the overall security for its members. TheIntrusionDetectionSystemusesadatacapturefacilitythatwillcategorizesomeoftheincomingemailsaspotentialmaliciousactivities.Bydoingso,wecreateauser-friendlyenvironmentwherepeoplecansharephotoswithoutanyconcern.
Bydetectingmalicious emails in incoming traffic, this systemwill filter a user’sinbox and eradicate the need and cost of requiring users to be trained in thepracticeofsecurewebbrowsing.TheIntrusionDetectionSystem(IDS)willdetectphishingemailsandensurethatallincomingtrafficisnotharmful.Theprojectisspecificallydesigned for theuseofuserswhosignup toourphoto-sharing sitewithavalidemailaddress.Theproductwillworkasacompleteuserinterfaceforthesite.
Technical Report
Page 7
Anybody with a valid email address and an Internet connection can use thissystem.It isespeciallyusefulforanyonewhoneedsasecureandsafeoptiontosharephotos.Theprojectcanveryeasilybemodifiedgivendifferentscenarios.New featureswillbeable tobeaddedwhenneeded.Thismakes theaspectofreusability possible. The language that was used for the development of thisproject is PHPas it is verybeneficial over other programming languages in theareasofperformance,toolsavailable,crossplatformcompatibility, librariesandcost.
1.4 Technologies
This system will consist of three main components: a Spam filter to detectunsolicitedemails,aSimpleMailTransferProtocol(SMTP)serverwhichisthedefactostandardforsendingemailovertheinternet,andApachewebserverwhichisanopensourcewebserver.TheIDSscannerwillscanallreceivede-mailsandwillmarksomeofthemessagesasmaliciousactivitiesandthenentersthemintoadatabase.EmailsareclassifiedasmaliciousiftheycontainembeddedHTMLorif they are received from an untrusted user. MySQL will be used to storeinformation regarding the detectedmalicious emails, where data entered intothe database consists of the content of the email and time of receipt. Abackground process will run to scan all URL’s listed on marked emails, stripsHTMLtagsanddetermineswhetherornottheyhavebeenearlierobserved.Thespamfilterwillmarkemailasphishingemailsiftheycarrysomeofthefollowingattributes:
• Receivedfromuntrusteduser
• URLincludingIPaddresses
• HTMLmaskedURLs
• EmailscontainingencodedHTML
• Crosssiteimages
Technical Report
Page 8
2 UserClassesandCharacteristics
DifferentservicesareprovidedbytheIDSsecuredwebapplicationbasedonthetypeofuser.Inthiscasewehaveanumberofdifferentusers:PhotoOwnerandTrustedUser.Aphotoowner isamemberwhouploadsaphototothesiteandinvitesausertojointheservicetoviewthephoto.Atrusteduserisanyonewhoreceives this email invitation and accepts, placing them in the sender’s trusteduserfriend’slist.
ThefeaturesthatareavailabletoaPhotoOwnerare:
• Login/logout• ChangeProfilePicture• Uploadphoto• DeletePhoto• Requestasfriend• Blockuser• Share/SendPhoto• Inviteuser• CreateAlbum/Gallery• Tagphoto• Addcomment
ThefeaturesthatareavailabletoaTrustedUserare:
• Login/logout• View/DownloadPhoto• Edittrusteduserfriendlist• Commentonaphoto• Candelete/blockothermembers/friends• Tagfriends/placesinphotos
Technical Report
Page 9
3 RequirementsSpecification
3.1 FunctionalRequirements1. Registration(CreateAccount)–Usersmustbeabletocreateanaccount
forthisservicebyregisteringwithavalidemailaddress.2. ChangePassword–Userswillhavetheoptiontorequestatemporary
passwordiftheyhaveforgottentheirs,thistemporarypasswordwilltakethefirst4lettersoftheiremailandadd5randomlyselectednumbersontothatandwillbeemailedtotheuser.Userswillthenalsohavetheoptiontochangetheirpasswordtosomethingmorefamiliartothem.
3. UploadPhoto–Usersmusthavethefunctionalitytobeabletouploadphotosintopredefinedgalleriesonthewebsite.
4. DeletePhoto–Userswillhavetheoptiontodeleteaphotoformtheirgallery.Thisfunctionwillonlybelongtothephotoowner.
5. InviteUsers–Usersmusthavetheabilitytoinviteotherpeopletojointheserviceviaemailinvitation.
6. SharePhoto–Usersmustbeabletosharephotosamongstotherusers.Photoswillbesharedoveremail.ThisprocesswillbesecuredbyourIntrusionDetectionSystem.
7. EditFriendsList(Friend/UnfriendUser)–Usersmustbeallowedtomodifytheirtrustedusers,givingthemthepowertodecidewhotheycansharephotoswith–sendingorreceiving.
8. BlockUser–Usersmusthavethefunctionalitytoactivelyblockanyothermemberofthewebapplication,disablingthemfromviewing/sharinganyphotos.
9. Comment–Userswillhavetheabilitytoleavemessages/commentsonuserprofilesandpictures.
10. ChangeProfilePicture–Userswillhavetheabilitytochangetheirprofilepictureatanytimefromtheiruserprofilepage.
Technical Report
Page 10
3.1.1 UseCaseDiagram
3.1.2 Requirement1:Registration
3.1.2.1 Description&Priority
Thisrequirementdescribestheactionstakenbyausertoregisterasamemberon the photo sharing web application. A user must provide a username, validemail address, password, confirm password, gender and country. Thisrequirementisvitaltothesystemasitistheonlymeansofaccesstothesystem.Italsoensuresthatonlyregistereduserscanaccessthesystem.Uponregisteringanautomatedemailwillbesenttotheuserwithanactivationlink.Onlyactivateduserswillbeallowedtoaccessthesite,ensuringthatvalidemailsarebeingused.
Technical Report
Page 11
3.1.2.2 UseCaseScope
Thescopeofthisusecaseistoensurethatonlyregistereduserscanaccessthesystemandensuresthatallusershaveavalidemailaddress.
Description
Thisusecasedescribestheactionstakenbyauserinsettingupanaccountbyprovidingauniqueusername,password,validemailaddress,genderandcountry.
UseCaseDiagram
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecasestartswhenauserclicksthe“SignUp”button
Technical Report
Page 12
Mainflow
1. Thesystemidentifiestheclickingofthe“SignUp”button2. Theuserentersausername(SeeA1)3. Thesystemacceptsusername4. Theuserentersapassword(SeeE1)5. Thesystemacceptsthepassword6. Theuserconfirmspassword7. Thesystemacceptsthepassword8. Theuserentersavalidemailaddress9. Thesystemacceptsemailaddress10. Theuserselectsgender11. Thesystemacceptsgender12. Theuserselectstheircountry13. Thesystemacceptscountry14. Userclicks“CreateAccount”
Alternateflow
A1:Invalidusername1. Thesystemrejectstheusernameasitalreadyexistsinthedatabase
andrequestsusertoenteranewone2. Theuserentersavalidusername3. Theusecasecontinuesatposition3ofthemainflow
Exceptionalflow
E1:Invalidpassword–tooshort4. Thesystemrejectsthepasswordandrequestsusertoenteralonger
one5. Theuserentersavalidpassword6. Theusecasecontinuesatposition5ofthemainflow
Termination
The system sends an automated email with an activation link to activateusersaccount
Postcondition
Thesystemgoesintoawaitstate
Technical Report
Page 13
3.1.3 Requirement2:ChangePassword
3.1.3.1 Description&Priority
Thisrequirementdescribestheactionstakenbyausertochangetheirpasswordfor logging into the site. Users will have the option to request a temporarypasswordiftheyhaveforgottentheirs,thistemporarypasswordwilltakethefirst4lettersoftheiremailandadd5randomlyselectednumbersontothatandwillbe emailed to the user. Users will then also have the option to change theirpasswordtosomethingmorefamiliartothem.
3.1.3.2 UseCaseScope
The scope of this use case is to ensure that users have the option ofchangingtheirpassword.
Description
Thisusecasedescribestheactionstakenbyauserinordertochangetheirpassword.
UseCaseDiagram
Technical Report
Page 14
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecasestartswhenauserclicksthe“ChangePassword”button
Mainflow
15. Thesystemidentifiestheclickingofthe“ChangePassword”button16. Theuserenterstheircurrentpassword(SeeA1)17. Thesystemacceptspassword18. Theuserenterstheirnewpassword(SeeE1)19. Thesystemacceptsthepassword20. Theuserconfirmspassword21. Thesystemacceptsthepassword22. Userclicks“MakeChanges”button
Exceptionalflow
E1:Invalidpassword–tooshort7. Thesystemrejectsthepasswordandrequestsusertoenteralonger
one8. Theuserentersavalidpassword9. Theusecasecontinuesatposition5ofthemainflow
Termination
The system sends newdetails to database; newpassword is encrypted indatabase.
Postcondition
Thesystemgoesintoawaitstate
Technical Report
Page 15
3.1.4 Requirement3:UploadPhoto
3.1.4.1 Description&Priority
Thisrequirementdescribestheactionstakenbyaphotoownertouploadaphototothewebapplicationandbydoingso,entersitintooneoffivegalleriesthattheusercanchoosefrom.Fromthe“Photos”homepage,amembercanaccess the“UploadPhotoNow”button.Thisrequirementholdsgreatimportanceasitistheverybasisforthiswebapplication.Withoutthefunctionalitytouploadaphoto,ourphotosharingwebsiteisrendereduseless.
3.1.4.2 UseCaseScope
Thescopeofthisusecase is toallowamembertouploadaphototothiswebapplicationintooneof5galleries.
Description
This use case describes the actions taken by a registered member ofnavigatingthe“Photos”homepageandselectingthe“UploadPhotoNow”button and following the necessary instructions to successfully upload animagetothewebsite.
UseCaseDiagram
Technical Report
Page 16
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecase startswhena registeredmember chooseswhatgallery theywishtheirphototobeuploadedto.
Mainflow
1. Thesystemidentifiestheclickingofthe“ChooseGallery”dropdownbutton
2. Thememberselectsanimagetoupload(SeeA1)3. Thesystemacceptstheimage4. Thememberclicksthe“UploadPhotoNow”button]5. Photogetsuploadedtoselectedgalleryandisstoredinthedatabase
Alternateflow
A1:FormatRejected10. Thesystemrejectstheimageonthebasisthatitisnotthecorrect
format11. Thememberconvertstheimagetothecorrectformat12. Theusecasecontinuesatposition3ofthemainflow
Termination
Thephotoisaddedintoselectedgallery
Postcondition
Thesystemgoesintoawaitstate
Technical Report
Page 17
3.1.5 Requirement4:DeletePhoto
3.1.5.1 Description&Priority
Thisrequirementdescribestheactionstakenbyaphotoownertodeleteaphotooffthewebapplication.Whenviewingphotosinagallery,amembercanaccessthe“Deletethisphoto”button.Thisrequirementholdsgreatimportanceasit isimportantforuserstobeabletodeleteanyunwantedphotosfromtheirpage.
3.1.5.2 UseCase
Scope
Thescopeofthisusecaseistoallowamembertodeleteaphotofromthiswebapplicationfromoneofthegalleries.
Description
This use case describes the actions takenby a photoowner of navigatingthephotosinagalleryandselectingthe“Deletethisphoto”button.
UseCaseDiagram
Technical Report
Page 18
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecasestartswhenaphotoownerselectsaphototheywishdelete.
Mainflow
1. Thesystemidentifiesphotoownerviewingownedphoto2. Theuserselects“Deletethisphoto”button(SeeA1)3. Systemdisplayspopupmessageaskingtoconfirmdeletion4. Thesystemdeletesthephoto5. Thesystemremovesphotofromgallery
Alternateflow
A1:Notownedphoto13. Thesystemdoesnotdisplaythedeletebuttonifuserdoesnotown
image
Termination
Thephotoisaddedintoselectedgallery
Postcondition
Thesystemgoesintoawaitstate
Technical Report
Page 19
3.1.6 Requirement5:InviteUsers
3.1.6.1 Description&Priority
Thisrequirementdescribestheactionstakenbyamembertosendaninvitationto join the service via email.When a user accepts this invitation, they will bebroughttothewebsiteandbeplacedinthesender’strusteduserfriendlistoncetheyhavesignedup.Thiswillallowthetwousers toconnectandsharephotoswith each other. This requirement is vital as it is a means of populating thewebsiteandalsoallowsuserstovieweachothersphotos.
3.1.6.2 UseCaseScope
The scope of this use case is to allow amember to send an invitation toanotheruserviaautomatedemail
Description
Thisusecasedescribestheactionstakenbyamembertosendaninvitationoveremail
UseCaseDiagram
Technical Report
Page 20
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecasestartswhenamemberclicksthe“InviteUser”Button
Mainflow
1. Thesystemidentifiestheclickingofthe“Invite”Button2. Thememberentersanemailaddress(SeeA1)3. Thesystemacceptstheemailaddress4. Thememberclicks“SendInvitation”5. Thesystemsendsemail6. Userreceivesemail7. Useracceptsinvitation(SeeE1)8. Userbecomesfriendonthewebapplicationandisaddedtomember’s
friendlist
Alternateflow
A1:InvalidEmailAddress9. Thesystemrejectstheemailaddressasitalreadyexistsinthedatabase10. Thememberentersavalidemailaddress11. Theusecasecontinuesatposition3ofthemainflow
Exceptionalflow
E1:UserDeclinesInvite12. Theuserdeclinesinvitation
Termination
Thesystemplacesnewfriendinsenderstrustedfriendlist
Postcondition
Thesystemgoesintoawaitstate
Technical Report
Page 21
3.1.7 Requirement6:SharePhoto
3.1.7.1 Description&Priority
Thisrequirementdescribestheactionstakenbyaphotoownertoshareaphotowithaanotheruser.PhotoswillbesentoveremailandwillbeprotectedbyourIntrusionDetectionSystem.Thisrequirementisvitalasitistheverybasisofthephotosharingwebsite.
3.1.7.2 Use Case
Scope
Thescopeofthisusecaseistoallowaphotoownertoshareaphotowithanotheruser
Description
Thisusecasedescribestheactionstakenbyaphotoownertoshareaphotowithanotheruser
UseCaseDiagram
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Technical Report
Page 22
Thisusecasestartswhenaphotoownersharesaphotowithanotheruser
Mainflow
1. Thesystemidentifiestheclickingofthe“SharePhoto”button2. ThePhotoOwnerselectsausertosharephotowith3. Thesystemacceptsrequest4. ThePhotoOwnersendsphoto(SeeA1)5. Usersaddeachothertotrusteduserlist(SeeE1)6. PhotoOwnersendsphotototrusteduser
Alternateflow
A1:Userisnotatrusteduser7. Theuserreceivesthephotobutismarkedasmaliciousemail8. TheIDSplacesemailinjunkfolder9. Theusecasecontinuesatposition5ofthemainflow
Exceptionalflow
E1:EditTrustedUser/Friendlist10. PhotoOwneraddsusertolist11. Thesystemacceptsrequest12. Theusecasecontinuesatposition6ofthemainflow
Termination
Thesystemexecutesrequests
Postcondition
Thesystemgoesintoawaitstate
3.1.8 Requirement7:EditFriendList(Friend/UnfriendUser)
3.1.8.1 Description&Priority
This requirementdescribes theactions takenbyamember tomanuallymodifytheirtrustedusersonthesystemwhichisdisplayedasa“FriendsList”byaddingsomeonetothelistby“friending”themor“Unfriending”them.Thisrequirementproves very important as this gives users the power to choose who they can
Technical Report
Page 23
sharetheirphotoswith.Onceauserhasbeenremovedfromthelist,anyphotosreceivedfromthemwillbemarkedasmaliciousemailbyourIDS.
3.1.8.2 UseCaseScope
Thescopeofthisusecaseistoallowausertomodifytheirfriendslist
Description
Thisusecasedescribes theactions takenbyauser inmanuallymodifyingtheirfriend’slist
UseCaseDiagram
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
This use case starts when a user clicks “Request as Friend” button on auser’sprofile
Technical Report
Page 24
Mainflow
1. Thesystemidentifiestheclickingofthe“RequestasFriend”Button2. Thesystemdisplaysamessageconfirmingtheactionhasbeencompleted3. Systemwillsendanotificationtootheruserabouttherequest4. Otheruseracceptsrequest5. Bothusersarenowfriendsandwillappearineachothersfriendlist6. Usercanthenselect“UnfriendUser”7. Thisuserwillnolongerbedisplayedintheirfriendlist8. Thesystemnowdisplaysa“FriendUser”buttoniftheusereverwishesto
addthisuseragaininthefuture
Termination
Thesystemreturnstotheuser’sprofile
Postcondition
Thesystemgoesintoawaitstate
3.1.9 Requirement8:BlockUser
3.1.9.1 Description&PriorityUsersmusthavethefunctionalitytoactivelyblockanyothermemberofthewebapplication,disablingthemfromviewing/sharinganyphotos.
3.1.9.2 UseCaseScope
Thescopeofthisusecaseistoallowausertoblockanotheruser
Description
This use case describes the actions taken by a user to manually blockanotheruser
Technical Report
Page 25
UseCaseDiagram
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
This use case starts when a user clicks “Block User” button on a user’sprofile
Mainflow
1. Thesystemidentifiestheclickingofthe“BlockUser”Button2. Thesystemdisplaysamessageaskingusertoconfirmtheblock3. Userclicks“ok”4. Systemblocksuser
Technical Report
Page 26
Termination
Thesystemreturnstotheuser’sprofile
Postcondition
Thesystemgoesintoawaitstate
3.1.10 Requirement9:Comment
3.1.10.1 Description&Priority
Users must have the functionality to leave comments on user profiles andphotos.
3.1.10.2 UseCase
Scope
Thescopeofthisusecaseistoallowausertopostacommentonauser’sprofile/photo
Description
This use case describes the actions taken by a user to write and post acommentonauser’sprofileorphoto
UseCaseDiagram
Technical Report
Page 27
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecasestartswhenauserclicksonthecommentboxtobeginwriting
Mainflow
1. Thesystemidentifiestheclickingofthecommenttextbox2. Typingcursordisplaysincommentbox3. Userwritesmessage4. Userclicks“postcomment”button5. Systempostscommenttouser’sprofile/photo6. Userreceivesnotificationoftheeventinnotificationspage
Termination
Thesystemreturnstotheuser’sprofile
Postcondition
Thesystemgoesintoawaitstate
3.1.11 Requirement10:ChangeProfilePicture
3.1.11.1 Description&Priority
Thisrequirementdescribestheactionstakenbyausertochange/uploadanewprofilepicture.
3.1.11.2 Use Case
Scope
Thescopeofthisusecaseistoallowaphotoownertochangetheirprofilephoto
Description
Thisusecasedescribestheactionstakenbyaphotoownertochangethephotousedastheirprofilepicture
Technical Report
Page 28
UseCaseDiagram
FlowDescription
Precondition
Thesystemisinstand-bymode
Activation
Thisusecasestartswhenaphotoownerclicks“toggleavatarform”ontheircurrentprofilephoto.
Mainflow
1. Thesystemidentifiestheclickingofthe“toggleavatarform”button2. ThePhotoOwnerthenselects“Choosefile”3. Theuserthenselectsthephotohe/shedesires4. Theuserthenselects“uploadphoto”5. Thesystemacceptsphoto6. Thesystemchangesprofilepicture
Technical Report
Page 29
Termination
Thesystemexecutesrequests
Postcondition
Thesystemgoesintoawaitstate
3.2 Non-FunctionalRequirements
3.2.1 Performance/ResponsetimerequirementThisIDSphotogallerythatwearedevelopingwillbeusedasthemainperformancesystemwhichinteractswithmembersandadministrators.Therefore, it is expected that the system would perform all therequirementsthatarespecified.
- Thesystemshouldbefastandaccurate- Systemwillhandleexpectedandnon-expectederrorsinamannerthat
willpreventinformationlossandlongdowntimeperiod.- System should have error testing to identify invalid username or
passwordandemail- Systemshouldbeabletohandlelargeamountsofdata- Systemshouldaccommodatehighnumberofphotosanduserswithout
anyfault
3.2.2 SafetyRequirementIthas tobe taken intoaccount thatatanygiven time thedatabasemaycrashduetoavirusoroperatingsystemfailure.Therefore,itisrequiredtotake the database backup to prevent losing it. Appropriate UPS facilityshouldbeinstalledincaseofpowersupplyfailure.
3.2.3 SecurityRequirement- Appropriateuserauthenticationshouldbeprovided
Technical Report
Page 30
- Securityquestionswillneedtobesetupwhenauserregistersasauser- Securityquestionswillneedtobeansweredwhenauserforgetstheir
password- The system will have a number of unique users and each user has
accessconstraints- Thesystemwilluseasecureddatabase,photosandpasswordswillbe
encryptedinthedatabase- User details such as username and passwordswill be protectedwith
Md5hash- Function ‘evalLoggedUser’ checks a user’s session data to see if it
matchessomethingonfile,systemdoublecheckstomakesureuseriswhotheysaytheyare.ProtectsagainstCrossSiteScriptingattacks.
- The system is designed to prevent any user from enteringmaliciousjavascriptcodetoconductCrossSitescriptingorSQLInjection.
- Userscanreadinfobutcannoteditanythingexceptfortheirpersonaldetailsandphotos
- Userswillhavethefunctionalityofblockingauser,disablingthemformviewinganyoftheirphotos
- Whenusers share a photo, theywill be protectedwith an encryptedform(short4digitpassword)
- A .htaccess file will be established to prevent directory file listing aswellasspecifyamoreuserfriendly404errorpagethroughhtaccess.
- Separate account types for admin andmembers so that nomembercanaccessthedatabaseandonlyadmincanupdatethedatabase
3.2.4 RequirementAttributes- Theprojectshouldbeopensource- Adminscancreatechangestothesystem,butmembersorotherusers
cannotmakeanychanges.- Thequality of thewebsite anddatabase ismaintained in such away
thatitcanbeveryuserfriendlytoallusers- Theusershouldbeabletodownloadandinstallthesystemveryeasily
3.2.5 BusinessRulesA business rule is anything that captures and implements businesspolicies and practices. A rule can enforce business policy, make a
Technical Report
Page 31
decision,or infernewdatafromexistingdata. This includestherulesand regulations that the System users should abide by. This includesthe cost of the project and the discount offers provided. The usersshould avoid illegal rules and protocols. Neither admin nor membershouldcrosstherulesandregulations.
3.2.6 UserrequirementTherearetwomaintypesofusersofthissystem.Themember,whichisaregistereduserthathasloggedintothesystemandtheadmin.Themembersareassumedtohavebasicknowledgeofthecomputersandinternet browsing. The admins of the system are expected to havemoreknowledgeofthe internalsofthesystemandshouldbeabletorectify the small problems thatmay arise due to disk crashes, powerfailures and other catastrophes that may occur to maintain thesystem’swellbeing.TheUI,usermanual,onlinehelpand installationguidemustbe sufficient enough toeducate theusersonhow tousethesystemwithoutanyproblems.Admincanprovidehelptotheusersinthefollowingareas:
o BackupandRecoveryo ForgotPasswordo Loginissueso ReportingPhotoso Modifyprofile/photoso Maintainingfiles
3.2.7 MaintainabilityrequirementIn order to maintain our database, we will continue to delete unwanted orunnecessary data as they can become very large aswe continuously add data.Wewillalsobebackingupourdatabasesandsamplingdatabasescripts.
3.2.8 PortabilityrequirementThisservicewillbeavailableonlaptops,tabletsandmobiledevices.
3.2.9 ExtendibilityrequirementWewillextendthissystemtoincorporateFacebookimages.
Technical Report
Page 32
3.3 DesignandArchitecture
This system will consist of three main components: a Spam filter to detectunsolicitedemails,aSimpleMailTransferProtocol(SMTP)serverwhichisthedefactostandardforsendingemailovertheinternet,andApachewebserverwhichisanopensourcewebserver.TheIDSscannerwillscanallreceivede-mailsandwill mark some of them as potential phishing messages or an email that isreceived fromanuntrusteduser and thenenters them into adatabase. EmailsareclassifiedasmaliciousiftheycontainembeddedHTMLoriftheyarereceivedfromanuntrusteduser.MySQLwillbeused tostore information regarding thedetectedmaliciousemails,wheredataenteredintothedatabaseconsistsofthecontentoftheemailandtimeofreceipt.AbackgroundprocesswillruntoscanallURL’slistedonmarkedemails,stripsHTMLtagsanddetermineswhetherornottheyhavebeenearlierobserved.
PrototypeArchitectureDiagram:
Technical Report
Page 33
3.4 GraphicalUserInterface(GUI)For both user and administrator, this software provides good graphicalinterface.Bothuserscanoperatethesystemperformingdifferenttaskssuchaslogin,register,uploadphoto,inviteuser,sharephotoandmore.
Log in: Below is the login page for the photo gallery; users are required to provide a username and password to successfully login. If a user forgets their password they can click the “Forgot your password?” link, which will send necessary instructions via email to recover the password. There is also an auto login feature, which exists for the convenience of frequent members. If a user is a first time visitor they can click the “Register” link, which will bring them to the Register page.
Technical Report
Page 34
Register: Below we can see all credentials that are necessary for a registered member. A member will need a username, password and valid email address. When a user clicks the “Register” button, a confirmation email will be sent to the user’s inbox. Once confirmed, the user is now a member of the photo gallery website.
Technical Report
Page 35
Albums: Below we can see the home page, which displays different categories of photos. Some examples below are animals, people and landscapes. When a user chooses a category to browse, all photos in that category will be viewable. From here, a user can also access pages related to uploading photos, sharing photos and friend list, which we will touch on later.
Technical Report
Page 36
Upload Photo: Below we can see how a user can upload a photo to the web application. It is a very simple process. All a user has to do is select an image that is stored locally on their computer or external hard drive, add a description (optional) and select which album they want to upload it to. If this is the first time uploading a photo, or they simply want to create a new album, they can do so by clicking one of the two buttons provided on this page. Once all details have been entered, the user hits “Upload Photo” and the process is complete. The user can then go on to share this photo with trusted users, which we will look at next.
Technical Report
Page 37
Share Photo: Below we can see how a photo owner can share an image with any user with a valid email address. All that is necessary to share a photo is to enter the email of the receiver, select the image you want to share, add a description (optional) and hit the “share photo” button. Note that if a user receives a photo from an untrusted user, our IDS will mark that email as malicious and it will be placed in a junk folder.
Technical Report
Page 38
Edit Friend List (Trusted User): In the screenshot below we can see how a user can manually edit his/her friend list. It is a very simple process. This page displays the user’s friend list, when a user clicks the “Edit” button, x’s will appear beside the names of each user in the list. All a user has to do to edit this list is click the x and that user will be removed as a trusted user. The system will ask for confirmation upon clicking an x to ensure it was not clicked by mistake. In the top left hand corner we can see the “Invite User” button, which we will now take a look at.
Technical Report
Page 39
Invite Users: In the screenshot below, we can see how a user can go about inviting other users to join the photo sharing web application. The user enters an email address of the person they want to join. A link will be provided in the email to find the web application but a user may also add a body to the email if they so wish. By clicking “Send Invitation”, an email will be sent housing all the information the receiver needs to become a registered member. By following this link, the new user will automatically be assigned as a trusted user to the sender and vice versa.
Technical Report
Page 40
Album Category – People: Below we can see the display page when a user chooses an album category. The below category is “People”. There are a number of features available to a user from this page. In the top right hand corner there are four symbols: sort A to Z, photo sizes, slideshow and a calendar to display creation date. To the right of these symbols you will see a dropdown box; this allows users to change the interface theme. An example of a different theme is down below. From here, a user can select an individual photo to view.
Technical Report
Page 41
View Photo: Below we can see the display page for viewing an individual photo. Here a user can view details such author, upload date and rating. Users can also leave a comment or rate the photo using a 5 star system.
Technical Report
Page 42
3.5 Testing
To ensure that our software is functioning correctly, we will conduct thefollowingtypesoftesting:
WhiteBoxTesting
Whiteboxtestingisatestcasedesignphilosophythatusesthecontrolstructureaspartofcomponentleveldesigntoderivetestcases.
• BasisPathTestingBasispathmethodenablesdesignertoderivealogicalcomplexitymeasureofaproceduraldesignandusethismeasureasaguidefordefiningabasissetofexecutionpaths.
• ControlStructureTestingIttestscontrolstructuresofprogram.
BlackBoxTesting
Blackboxtestingenablesthesoftwaredesignertoderivesetsofinputconditionsthatwillfullyexerciseallfunctionalrequirementsofaprogram.
• GraphBasedTestingMethod• EquivalencePartitioning• BoundaryValueAnalysis• OrthogonalArrayTesting
IntegrationTesting
Integration testing is a systematic technique for constructing softwarearchitecturewhileatthesametimeconductingteststouncovererrorsassociatedwithinterfacing.
RegressionTesting
Each time a new model is added as part of integration testing, the softwarechanges.Atthistimewewillapplyregressiontesting.
Technical Report
Page 43
3.6 Evaluation
Weplantoevaluatethissystembycollectingadatasetthatconsistofmalicioussitesanduse themwithour implementation.Thiswill allowus tocalculate theefficiency of detection, which is an extremely important parameter of ourIntrusion Detection System. The outcome will be analyzed for accuracy andtimeliness.
4 Conclusion Phishing has already become a very popular form of malicious email cyber attack resulting in the theft of personal information. Usingexistingsecuritytechnologiesto completelyprevent securitybreaches is un-realistic. This iswhyan IDS is animportantcomponentinsecurityasitcanoffertheadvantagesofreducingmanpowerthatisnecessaryformonitoring,increasingdetectionefficiency,providingdatathatwould inothercasesnotbepresent,helpingthe informationsecuritycommunitylearnaboutnewvulnerabilitiesandprovidelegalevidence.
5 FutureDevelopment
• Thissystemhasthepotentialtoevolveintovideosharingandimplementmoresocialmediafeatures,extendingitsreachtoalargercustomerbase.
• Thissystemcouldbeusedinfutureinstancesasacoreinformationextractionsystem.
• Betteralgorithmscouldbeimplementedtoincreaseefficiencyandqualityofresults.
Technical Report
Page 44
6 References
Dofree (2013) Black Box vs. White Box Testing. Available at:https://technologyconversations.com/2013/12/11/black-box-vs-white-box-testing/[Accessed5/12/16]
HasikaPamunuwa(2007)AnIntrusionDetectionSystemforDetectingPhishing
Attacksat:https://link.springer.com/chapter/10.1007%2F978-3-540-752486_13
[Accessed2/11/16]
Fette, I (2007) Learning to Detect Phishing Emails. Available at:http://www.cs.cmu.edu/tomasic/doc/2007/FetteSadehTomasicWWW2007.pdf
Vanderavero, N (2004) Scalable Approach to collect malicious Internet Traffic.Availableat:http://www.info.ucl.ac.be/people/OBO/papers/honeytank.pdf
7 Appendix
7.1 MonthlyJournals
-September2016-
InitialPlanningIt is September 3rd, and as my final year of college approaches I find myselfstruggling to formulatean idea formyproject that I am trulyhappywith.As aCyberSecuritystudent,IamextremelyinterestedindevelopingasecuritybasedprojectasIhaveahugeinterest inthisarea,butdecidingonacertaintopicformyprojecthasprovedquitedifficult–something Ididnot take intoaccount inmymanagementoftime.WhenIstartbackinNCIonthe19th,Iwanttobefullypreparedwithagreat securitybasedproject ideagivingme thepush Ineed togettoworkrightaway!Meanwhile,IhavestartedbrushinguponmyjavaskillsasIhavebeenoutofpracticeforquitesometimenow.Duringmyworkplacement
Technical Report
Page 45
with ACIA (Aon Centre for Innovation and Analytics) I was visited by mysupervisorEugeneMcLaughlin.Hegavemegreatadvice,whichwas topracticeprogramming again as some students return to 4th year very ill prepared. Iappreciatedtheadviceandacteduponitrightaway.
It isonlyaweekuntilwereturntoclassas IentertheweekofSeptember12th,2016.Ihavetosay,Iamverymuchlookingforwardtostartingclassagain.Itfeelslikesuchalongtimeaswehavebeenkeptbusywithourworkplacementforthepastsix-to-sevenmonths.Ihavebeenkeepingmyselfbusy/preparingforcollegeby looking over old assignments and recoding some old projects. I am actuallyverysurprisedathowfastIhavebeenabletopickitbackup,itsjustsomethingthatgetsburnedintoyourbrainIguess–notabadthing!WiththisinmindIfeelwellprepared.StillhavenotyetdecidedonatopicformyprojectbutIknowitwill come to me soon. If I was to make any improvements to my work ethictowardsthisproject,Iwouldhavedefinitelystartedresearchonmyprojectalotearlier.
BacktoClassIt is September 19th and all fourth years have returned to NCI. Our very firstlecture isofcourseSoftwareProjectandthere isgreatexcitement intheroom.Eamon gave us an excellent run down of what was expected from us in thecoming weeks and I came away from that class with a heightened sense ofconfidenceandsupport fromthecollege.AsEamonasked fora showofhandsaroundtheclassroomastowhohadalreadythoughtofanideafortheirprojectIwasalittlerelievedasitseemedtobea50/50difference.AsrelievedasIwasIknewIhadtofinalizeanideaandIhadtodoitsoon.Eachstudenthastopreparea5minutepitchpresentationtoagroupofthreelecturerswhowilltheneitheraccept your project, deny your project, or accept your project with some nicelittleimprovementsandadvice.Itwasourfirstweekbacktocollegebuttheworkhadalreadyverymuchbegun.
Itwasn’tuntilmysecondweekofcollegethatIfinallydecidedonanideaformyproject. I decided todesignand implementan IntrusionDetectionSystemwithSelfProgrammingFunctionality.Basicallywhatitsgoingtobeabletodoisdetectanyintrusiononthesystemandhastheabilitytocreateafakeprogramthatwillhelpanattackergetaccesstowithcompleteanalysisonthepatternofattack.Itwill alsocreate fake counter measures to prevent the attack on the fakeprogramandsecuretheoriginalapplicationandtracktheactivityandpatternofattack. The system will alsolog every moment.However, from looking at pastprojectsandhearingaboutotherstudent’s ideasIhavelostsomeconfidencein
Technical Report
Page 46
thisidea.Itseemsthattheseprojectsneedtohaveacustomerandhaveacertainappeal i.e. most projects seem to be aimed at facilitating everyday needs orhobbies. I feel likemyidea lacksthissenseofusefulnessandhasmademefeellikeI’mnotontherighttrackatall.Idon’tknowwhomycustomerwouldbeforsomethinglikethis?However,thepresentationsarenextweek,October4thandIhavebegunthinkingaboutpickingaprojectfromthelistprovidedbythecollege.Iamcurrentlyjusttryingtoweighoutmyoptions.
-October2016-
PitchPresentationOnOctober4thwehadourpitchpresentationswherestudentshadtopitchtheirideastoagroupofthreelecturerswhereitwouldeitherbe:accepted,acceptedwithrevisionsorrejected.Thisprocesswasaverygood ideaas it improvestheoverall quality of all final year projects. After much thought and debate withfellowclassmates,Idecidedtogowithaprojectfromtheapprovedlistfromthelecturers, as I didn’t have enough confidence inmyown idea.Duringmypitchpresentation I informed the lecturers of my idea for an Intrusion DetectionSystemalthoughIhadalreadyrequestedtochoosefromthelist.Tomydismay,theytoldmethattheidea(althoughquitevague)wasoneofthebesttheyhadheard for the Cyber Security stream. I was very disappointed that I didn’t putmore thought intomy idea as I was under the impression that it wasn’t goodenough or not the right type of project.My own lacks of confidence leadmeastray,butmyluckhadn’trunoutquiteyet.SaraKadry,mySecureApplicationsProgramminglecturer,hadproposedanIntrusionDetectionSystemforMaliciousEmailasoneoftheprojectsthatstudentswereabletochoosefromanapprovedlist. As I was extremely interested in working in this area I pounced on thisopportunity right away. All the doubt that I had with my own idea had beenwashedawayandIcouldn’twaittostart.IbeganmyresearchintofilteringemailsandhadalookathowGmailandotherbigemailingservicesdonethisjobalreadybylookingatsourcecode.IwantedtohavebasicknowledgewhenmeetingSaraforthefirsttimetoensurethatIwouldbegiventheopportunitytoworkonthisproject.
Technical Report
Page 47
SupervisorMeetingsOnOctober 13th I hadmy firstmeeting with Sara. I felt I had learned enoughthroughmyinitialresearchtoappearreadytotakeonthisproject.Wediscusseddifferent typesof approaches that couldbe taken to complete theproject.Weconversedonthesubject forabout30minutesand itwasanextremelyhelpfulandlearningexperience.Icameawayfromthismeetingwithabetterfeelingofconfidencethat Iwasready for the job.Upontheadvice fromSara, I furtheredmyresearchandbegantolookatdifferenttypesofSpamfilters.OnesuchspamfilterwasSpamAssassin–anopenSourcemail filter,written inPerl, to identifyspamusing awide rangeof heuristic testsonmail headers andbody text. Theidea to implement this IDS (Intrusion Detection System) onto an existing webapplication of mine was suggested. As one of my third year projects wedeveloped a charitywebsitewhere users couldmakedonations to a charity oftheirchoice.AtfirstIthoughtthiswasagoodidea,butlaterdecidedagainstit,asyouwillreadlateron.IalsobeganlookingatallthedifferentfeaturesofGmail,and picked out what features were similar in my own project, as I wanted tocreatesomethingnew,notsomethingthathasalreadybeendonebefore.Ihadalotofwork cutout formeaftermy firstmeetingbutwasextremelyexcited tomakesomeprogress.
WithourProjectProposaldeadlineon the21st ofOctober itwas time toputaconcrete idea together. My final idea was to create an IDS that specificallytargetedphishingemails.This issomethingthatIhadexperiencedmyself intheworkplacesoIthoughtitmightbeagoodideatoapplythisexperienceintomyproject. The proposal took quite some time to complete but I was very happywith theoutcome. I hadbeen in contactwithSaraduring this timeviaemail. Iwould send her my first draft and she would reply with some very helpfulfeedback.Althoughthe IDShadbeen thoughtout, Iwasstillunsureofwhat toimplement it onto. As said previously, I wasn’t very pleased with the idea ofimplementingittomycharitydonationwebapplication.ButduringanotheroneofmymeetingswithSara,shesuggestedthe ideaofcreatingawebapplicationthatalloweduserstosharephotos.ThiswasagreatstartingpointandIhoppedontheidearightawayandbegantolookatsourcecodeofexistingapplications.WithourRequirementsSpecificationdeadlineapproachingIhaveplacedmostofmytimeonthisdocument,whichisdueonthe11thofNovember.
Technical Report
Page 48
-November2016-
InitialPrototype–Week1
OnNovember4thIbegancreatingmyinitialprototypeformyfinalyearproject.Itwaseasier tostartnowthat Ihadgathereda lotofmyrequirements,asourrequirements specification document is due on the 14th. I researched a lot ofopensourcephotosharingwebsitesandtriedtogetafeelforthetypeofwebsiteI wanted to build. This took more time that anticipated and with a lot ofassignmentsandprojectsdueinthenextfewweeksthingswerestartingtopileon the workload started to get bigger and bigger. During my first week ofNovemberIhadtoputmyprototypeasidetofocusonmyotherwork.
RequirementsSpecification–Week2
I spentmost of week 2 focusing on deadlines and upcoming CA’s for ArtificialIntelligenceandWebServices&APIDevelopment,andcontinuedmyworkonmyRequirementsSpecification. Ispenta lotoftimeduringthesefewdaysworkingto get the initial version of my Requirements Specification for my SoftwareProject completed in time for the submission date. Upon completing my RSdocument I started to gain a better image of my application after creating amockupGUI, thishadmeexcitedand Iwantedtogettoworkrightaway. Iputmoretimeinwithmyprototypeandmadeasimplelogin.Itwasn’tmuch,butitwasastart.Otherassignments/projectsstartedtofloodinandonceagainIhadtoputtheprototypeasidetofocusonthese.
ShareSafePrototype–Week3
Technical Report
Page 49
Ispentmoretimethisweektoworkonmyprototype,Iaddedsecuritytomywebapplication that is deployed to the Oracle GlassFish Open Source Edition. Iconfigured security authentication using a login form in a web page. After Icreated the users, I then created the security roles by setting the securityproperties in the deployment descriptor. I also gave my application a name:ShareSafe.
TechnicalReport–Week4
MyfinalweekofNovemberwasmanly spent focusingonmyTechnicalReport.This is a huge document and will be used for our midpoint presentation inDecember.Thedocumentisn'tdueuntilthe9thofDecemberbutwithsomanyotherassignments/projectsIwantedtogetanearlystart.OnceIamhappywiththeTechnicalReport Iwillcontinueworkonmyworkingprototype,whichIwilldemoduringthispresentation.
- December2016-
PresentationPreparation–Week1
Decemberwas a very busymonthwith numerous project deadlines, it was anextremely stressful period couple of weeks but I was able to get everythingsubmitted on time. On top of this we all had our mid-point presentation toprepare for.Unlikemost students, I hadmypresentation inweek 12whilewewerestillworkingonourprojects,whichwasabitofadisadvantagebutnothingtoomajor.Iwasslightlydisappointedwithhowmypresentationwentduetobebeing so busywith otherwork but I feltmy documentation (Technical Report)was strong enough to pull me through. The presentation was a good learningexperience, as I now know what is expected when it comes to our finalpresentation in the coming months. My supervisor (Sara Kadry) and secondmarker (JoeMolumby)were extremely helpful on the daywith their feedbackandadviceonwhatto improveforthenextpresentation.Theywereextremelyfriendlyandmadethewholeexperiencemuchmorepleasantandlessstressful.
Technical Report
Page 50
OverallIfeelhappywiththeworkIputinwithmyprojectbutIneedtoimproveonmypresentationskillsandincludemuchmoreinformationinmyslidesforthenextone.
ExamPreparation
FortherestofthemonthIneedtofocusonmyexams,whichcommenceonthe5thofJanuary2017.TheystartveryearlythisyearsomuchoftheChristmasbreakwillhavetobesacrificedinordertostudy.Iwillhavetoputmyprogressonthisprojectonpausesothat Ican focusmoreonmystudiesbut I look forwardtocontinuingmyworkwhen Ireturnforsemester2.
-January2017-
1stto14th
ThefirsttwoweeksofJanuarywereprimarilyfocusedonstudyingformyexamssoverylittleworkhasbeenputtowardsmyproject.Iamverypleasedwithhowmyexamswentwhichhasgivenmea lotofmotivation toworkonmyprojectbeforewereturnbacktocollegeforoursecondsemester.
15thto21st
During this time I put a lot of effort into improving my algorithm for sharingphotoswith trustedusers. I also spent some time improvingmyprototypeandgivingitamuchsleekeranduser-friendlyinterface.Iamhappywiththeprogressbeingmadesofar.
Technical Report
Page 51
22ndto28th
During this time I was on a family holiday in Dubai so no work was done. Iunfortunately had tomiss our firstweekback at college but Iwill put inmoreefforttomakeupforlosttime.IcontactedmysupervisortoletherknowthatIwouldnotbepresentduringthistime.
-February2017-
1stto8th
DuringoneofmysupervisormeetingswithSara,sheproposeda fantastic idea.As I ama current employeeatACIA (AonCentre for InnovationandAnalytics),SarasuggestedthatIaskpermissiontoimplementmyprojectontheirwebsite.Itwould lookgreat to implement theproject toa real lifebusinessand lookveryimpressiveduringmypresentationandshowcase. I thoughtthiswasa fantasticideasoIorganisedameetingwithmymanager inwork.Unfortunatelythiswasnot something that Aon was prepared to help with as they already have anIntrusiondetection system implemented in thebusiness.But itwasallworthatry.WiththisinmindIbegantoworkonthedevelopmentofmyproject.
9thto15th
Aftermuch thought, I decided tousePHP formyproject instead.Bitof a riskymove so late in the college year but I feel it is a good decision. PHP is verypopular;thereforethereareanumberofreferencesandguidelinesavailableonthenet.Onecanalso findmanysupportgroups, forums,andteamssupportingPHP. As I am not the strongest programmer, I feel this will help my progresstremendouslyasthere’salwaysenoughonlinelibrarysupporttogetyouthrough.PHP,beingveryfasttodevelopensuresthatthereisaquickturnaroundtime.Italsohasmultipleextensionsandisextremelyscalable.
Before Ibegantocreatemy index.phppageIdownloadedand installedXAMPPtostoretheprojectonalocalserver.XAMPPisafreeopensourcecross-platformwebserversolutiondevelopedbyApacheFriends.ItconsistsoftheApacheHTTPserver, MariaDB database and interpreters for scripts written in PHP and Perlprogramming languages. Iwasexcitedtobefinallystartingdevelopmentonmy
Technical Report
Page 52
projectbut Ihavea lotofworkaheadofme. Icreatedthe logoformywebsiteusingAdobeFireworksandalsocreatedsomeother iconssuchasasearchbar,searchbutton,homebutton,headersliverandsoon.ThistookmoretimethanitshouldofasIwaslearningtheropesoffireworks,butonlinetutorialshelpedmegetthroughit.Iamquitepleasedwiththedesignandaestheticofmywebsite.Inow need to focus on Database Creation and Table Structure and from theremoveontoaddinginsomeofthefunctionalityneeded.AlotofworkaheadbutitisexcitingandIlookforwardtoprogressingfurther.
16thto28th
AllstudentswererequiredtogettheirphotostakenintheAtriumforourprojectshowcase profiles (photos could also be used for LinkedIn). I updated myshowcase profile by entering a 40-word profile for the project and also a 200-wordprofile,whichwasamoredetaileddescription.Ilookforwardtodevelopingmyproject further in thenext fewweekswith the kindhelp and support fromSara.
-March2017-
1st to 8th CreatedthedatabaseonmyhostenvironmentandwroteamodularPHPscriptfor establishing connection to the database using the improved MySQLiextension.Afterdoingsomeresearch I foundthatPHPandMySQLarethecoredata processing technologies of some of the most popular social webapplications.IthenscriptedtablecreationintomyMySQLdatabasetoestablishallof the software system's tablesusingPHPandSQL syntax.Toadda levelofsecurity to my web application, I established a .htaccess file and learned topreventdirectoryfilelistingaswellasspecifyamoreuserfriendly404errorpagethroughhtaccess. Iusedthephp.ini filetoadjustmyPHPconfigurationsettingsontheapacheserver.IthencreatedthemainJavaScriptmodule,whichisthefilethatwillbecalledintoeverypageofthewebapplication.IspenttherestofthisweektoworkonotherCA’sandstartedpreparingformyupcomingexams.
Technical Report
Page 53
9thto16th
Began progress on programming a user sign up form and corresponding emailactivationscript.IusedHTML,CSSandJavaScriptforuserinterfacing.TheserversidescriptingisPHPconnectedtoaMySQLdatabase.Thissectionoftheprojectincludes real time field restricting, user must view terms of use, real timeusernamecheckingandmore.Ajaxisinuseforallserversidedatatransmissions.User must activate their account through email in order to interact on theapplication. I usedPHPMailer for automatedemailsbeing sentout tousers forsigning up and sending temporary passwords, as you will read further down.PHPMailerisaclasslibraryforPHPthatprovidesacollectionoffunctionstobuildand send email messages. PHPMailer supports several ways of sendingemail:mail(),Sendmail,qmail&directtoSMTPservers.Youcanuseanyfeatureof SMTP-based e-mail. The email activation process verifies and confirms thattheyhavegiventheirrealemailaddress.Afterthesignupformwascomplete IprogrammedtheHTML/PHP/Ajax login form,the logoutscript,andstartedtheuser profile page. I also created a module for checking user session andauthentication against the MySQL database. Once this functionality wascompleted I began research on site maintenance automation using Cron Jobs.UponmyresearchIdiscoveredthatIcouldsetthemtoexecuteatanyinterval.Inmy application I created a PHP cron job that will delete all non-activate usersafter10days.ThereasonIimplementedthiswastoclearthedatabaseoftheseusersperiodicallysothatthesystemdoesn’tbecomecloggedwithnon-activatedusers. IspenttherestofthisweektoworkonotherCA’sandstartedpreparingformyupcomingexams.
17thto25th
IprogrammedanAjaxPHPMySQLForgotPasswordscriptfortheuserswhomay happen to forget their password. This logic generates a temporarypassword for the user. Also implemented in their account editingfunctionality is an option for the user to change their password tosomething they desire as often as they like. Once that was completed Ifocusedmyattentionon creatingwebdevelopment logicbehind creating“Friend” systems and “BlockUser” systems using PHP,MySQL, JavaScriptAjax, and simple dynamic HTML rendering. I then programmed PHP andmysqlilogicintomyheaderfilethatrendersdynamiclinksfortheusers.Iftheuserisnotloggedintheywillseeadifferentsetoflinksthanaloggedinuser. I then implemented PHP,MySQL, JavaScript and Ajax programming
Technical Report
Page 54
logic behind scripting friend lists and notification lists. This also includedaccepting and rejecting friend requests, which gets placed into thefriend_system.phpmodulethatcanbecalledbyAjaxanywhereinthewebapplication.
26thto31stImplemented the functionality toallowusers to change theirprofilephotoandbeganbuildingthephotouploadapplication.IhadtofamiliarizemyselfwiththePHPandMySQLsideofcreatingimageuploadapplicationsandcreatedasimplefront-end form. I created a PHP and Ajax photo gallery, the initial gallerythumbnailsareloadedusingPHP,everythingelseisbroughtintoviewusingAjaxthatrequests imagesfromPHPandMySQL. Italsocontainsasimplefileuploadscript so that the users can populate their galleries with pictures. I installed adelete link only for the photo owner when they view any images that theyuploadedthemselves.
Iwanted to continueworking onmy project as I felt Iwasmaking some goodprogressbutIhadtosetasidemoretimeforotherassignmentsandexams.Verybusytime!!
7.2 ProjectProposal
-Objectives-
Nowadays,usersallaroundtheworlduseemailastheirfundamentalmethodtoshare informationovertheweb.Thenetworkprovidersallowall typesofemailfor the purpose of communication. During this transfer of information somemaliciousemailsarereceivedwhichcancauseproblemseitherattheserversideorattheclientside.Inthisproject,weproposeanintrusiondetectionsystemfordetectingthesemaliciousemails.
Technical Report
Page 55
Inrecenttimes,oneofthemostdangerousthreatsagainstpersonaldatasecurityat home and in the workplace is phishing. Phishing has become an extremelycommonformofcyberattack.Itconsistsofdefraudingpeoplebyluringthemtofake websites where users unknowingly provide personal details such as logininformation and credit card details. These fraudsters appear as a trusted thirdparty,likeawell-knownbank.Themostcommonmethodsofphishingaredoneby email. Once these details are acquired they can be used in the practice ofidentity theft or credit card fraud. In thepast, efforts havebeenmade to stoptheseattacksby identifyingphishingsitesusingplug-ins,but theseeffortshavebeenmadeinvainbyemergingblockingtechniques,whichrenderthemuseless.There isanabundanceofthesetypesofattacks,somuchso,thattheeverydayuserwillbeindangerwhethertheyknowitornot.Iwillalsoincludeapersonalexperience of my own later in this document, which brought this topic tomyattention. In this project we propose an Intrusion Detection System foridentifying these types of malicious emails and root them to their source toevaluate. This will be made possible by using a data capture facility that willcategorize some of the incoming emails as potential phishing activities and anevaluationsystemthatwill sendcrawlers towebsitesrelatedtothesedetectedemails to determine their true intentions. By detecting malicious emails inincomingtraffic,thisfiltersauser’sinboxandremovestherequirementofauserbeing trained in the practice of secure web browsing. As most users are nottrained in this manner, this system will prove quite useful. The IntrusionDetectionSystem (IDS)willdetectphishingemailsandensure thatall incomingtraffic is not harmful. Upon detection of amalicious email, the next step is tosendcrawlerstothesephishingwebsitesthatarelinkedintheseemailsandalsothewebsite that it is trying to impersonate.Analgorithmthenstripsbothsitesdownandcomparesthemusingascoringsystemforthedifferencebetweenthetwo–ultimatelydecidingwhetherornotitisaphishingwebsite.
-Background-
I am a current employee of ACIA (Aon Centre for Innovation and Analytics)workingpart-timeduringmystudies.IhavebeenanemployeeofACIAsincethesummerof2015whenIappliedforaninternship.IhavenotbeenworkingwiththiscompanyforlongbutIhaveseenmyfairshareofmisleadingandmaliciousemails in the workplace. Even in a technology-based company such as this,employeeswere still the victimsof thesephishingattacks. It just goes to show
Technical Report
Page 56
howcomplexanddeceitfultheseattacksarebecoming.Thiswasthebasisofmydecision todesignanddevelopan IntrusionDetectionSystem formy final yearproject.Itwasoneattackinparticularthatwassuccessfulamongasmallnumberof my colleagues. It occurred during my six-month placement for third year,around the month of July. A number of staff began to receive fake emailspurporting to come from the Revenue Commissioners and were warned soonafterwardsthatalthoughtheemailaddressseemsvalid, it is justapieceoftextandcaneasilybefaked.Emailaddressesarenotverifiedandcannotbereliedonas proof of the identity of the sender organization. These emails seemed veryprofessionallymadeandtriedtotrickusers intobelievingthattheyweredueataxrefund,mostlyintherangeofaround€160,andenticedthemtoenterbankdetails. It wasn’t until the very next day that similar emails started to roll in.Colleagues were warned to remain extremely vigilant and never to click onsuspicious links or provide any sensitive information. This time the phishingemailswereindisguiseasinvoicesfromAppleandagain,lookedverylegitimate.OnofficewideemailwassentoutfromITtowarnthatproceedsfromsuchscamsare quickly transferred offshore, usually through multiple countries/banks andprove impossible to retrieve, even where amounts are greatly in excess of€25.99. Although these types of attacks are very unfortunate, it was good toexperienceitfirsthandintheworkplace,andtoseehowtheofficedealtwiththesituation.HoweverIfeltthatitwasn’tenoughandIwantedtocreatesomethingthatwouldtacklethisissueheadon,eradicatingtheproblemontheuser’send.Thereareanumberofcurrentsolutionsouttherethatusestrongspamfilterstosegregatephishingsolicitations.Afewexampleswouldinclude:
• SpoofGuard
• SpamAssassin
• Phishwish
SpoofGuard
SpoofGuardisabrowserbasedplug-inthatmonitorsuser’sInternetactivityanddisplaysawarningmessageifitsuspectsawebsitetobeaphishingsite.ThetooldeterminesthisbyobservingifthepagewasloadedformanemailandwhetherornottheURLwasvisitedbefore.SpoofGuardusesthreemethodstodetermineimpersonation. 1 – a statelessmethod that determineswhether adownloadedpage is suspicious. 2 – a stateful method that evaluates a downloaded page
Technical Report
Page 57
seeinguser’spreviousactivity.3–amethod,whichevaluatesoutgoingpostdata.SpoofGuardusesanaggregatefunctiontocalculatethetotalspoofscore(TSS).
SpamAssassin
SpamAssassin isatoolthatrecognizesspamcontainingphishingemail. Ithasafalsenegativeof15%forspame-mails,andperformsworstwhentestedwith10foldcrossvalidation. Itusesarangeofheuristictestsontheheadersofmail toidentifyspamandcanbeanIDSfordetectingphishingattacks.Initsalgorithm,ituses text analysis, Bayesian filtering, DNS block list and a Stochastic GradientDescentmethodintraininganeuralnetwork.Thisisusedforitsscoringbasedonperception.SpamAssassindoesnotdeleteemailsbutcanrouteclassifiedemailstomailboxesorfolders.
Phishwish
The primary goal of Phishwish is to maximize the number of phishing emailsdetectedwhileminimizingthenumberoffalsepositives.Itisapplicabletoemailsthatinstructtherecipienttologintoawebsite.ItprocessestextbasedandHTMLformattedemails,althoughsomerulesareonlyapplicabletoHTML.Eachoftherulesareassignedaconfigurableweight.
ThisiswhereIbelievethereisasignificantresearchgapastheseexamplesarealleitherclientside,plug-insor justspamfilter.There isagapherewithroomforimprovement.
ExistingSoftware
Inthissectionwewilldiscusssomeofthecurrentgenerationintrusiondetectionsystems:
Network IDS–Thenetwork IDSusuallyhas two logicalcomponents: thesensorandthemanagementstation.Thesensorsitsonanetworksegment,monitoringitforsuspicioustraffic.Themanagementstationreceivesalarmsfromthesensoranddisplaysthemtoanoperator.Thesensorsareusuallydedicatedsystemsthatexistonlytomonitorthenetwork.Theyhaveanetworkinterfaceinpromiscuousmode, which means they receive all network traffic not just that destined fortheir IP address and they capture passing network traffic for analysis. If theydetectsomethingthatlooksunusual,theypassitbacktotheanalysisstation.
Technical Report
Page 58
Host IDS – The host-based IDS looks for signs of intrusion on the local hostsystem.Thesefrequentlyusethehostsystem’sauditandloggingmechanismasasourceofinformationforanalysis.Theylookforunusualactivitythatisconfinedto the local host such as logins, improper file access, unapproved privilegeescalation, or alterations on system privileges. This IDS architecture generallyusesrule-basedenginesforanalyzingactivity;anexampleofsucharulemightbe,“superuserprivilegecanonlybeattainedthroughthesucommand”.Thereforesuccessiveloginattemptstotherootaccountmightbeconsideredanattack.
Oursystemhasanumberofadvantagesoversomeofthecurrentsystemsyoucanfindtoday:
• Thedetectionofaphishingemailisindependentofindividuals’settings.
• Because our system is server-based, it allows uniform securityenforcementwithinanorganizationandreducestheeffortsofperformingupdates.
• It is not vulnerable to an attack thatwouldbypass client browser baseddefenses.
-TechnicalApproach-
This system will consist of three main components: a Spam filter to detectunsolicitedemails,aSimpleMailTransferProtocol(SMTP)serverwhichisthedefactostandardforsendingemailovertheinternet,andApachewebserverwhichisanopensourcewebserver.TheIDSscannerwillscanallreceivede-mailsandwillmark some of them as potential phishingmessages and then enters themintoadatabase.Emailsare classifiedasphish if theycontainembeddedHTML.MySQLwillbeusedtostoreinformationregardingthedetectedmaliciousemails,wheredataentered into thedatabaseconsistsof thecontentof theemail andtimeofreceipt.AbackgroundprocesswillruntoscanallURL’slistedonmarkedemails,stripsHTMLtagsanddetermineswhetherornottheyhavebeenearlierobserved.Ifthesiteshavenotbeenpreviouslyevaluated,thecrawlerswilltrytodetermineiftheyarephishingwebsites.Knowncharacteristicsofphishingemails
Technical Report
Page 59
willbeusedtodetectthem.Thespamfilterwillmarkemailasphishingemailsiftheycarrysomeofthefollowingattributes:
• URLincludingIPaddresses
• HTMLmaskedURLs
• EmailscontainingencodedHTML
• Crosssiteimages
- SpecialResourcesRequired-
The following are highly valued resources in my learning of secure programming:
Website: https://www.owasp.org/index.php/Main_Page Book: J. Manico 2014, Iron-Clad Java: Building Secure Web Applications, McGraw-Hill Education.
-TechnicalDetails-
Thelanguageusedfordevelopingtheproject isJavaas it isquiteadvantageousthan other languages in terms of performance, tools available, cross platformcompatibility,libraries,cost(freelyavailable),anddevelopmentprocess.
-Evaluation-
Thisprojectwillbeevaluatedbyanumberoffactors:
Technical Report
Page 60
• Howwellitrunsuponcompletion• Howmanyspecifiedgoalsoftheprojecthavebeenreached• Demothisprojecttoatestgroupandreceivefeedbackandreviewson
theirexperiences