Download pdf - Technical Report - Intrusion Detection Systemtrap.ncirl.ie/2734/1/stephenkelly.pdf · Intrusion Detection System for Malicious Email Technical Report BSHC ... 3.1.2 Requirement 1:

StephenKelly–x12386816 [email protected] . ie

IntrusionDetectionSystemforMaliciousEmailTechnicalReportBSHC(Honours)inComputing–SoftwareProjectNationalCollegeofIrelandSupervisor:SaraKadry

10thMay 2017

08 Fall

Technical Report

Page 2

Table of Contents ExecutiveSummary ................................................................................................ 41 Introduction ...................................................................................................... 5

1.1 Background ................................................................................................ 5

1.2 Aims ........................................................................................................... 61.3 Scope .......................................................................................................... 6

1.4 Technologies ............................................................................................... 72 UserClassesandCharacteristics ........................................................................ 8

3 RequirementsSpecification ............................................................................... 9

3.1 FunctionalRequirements ............................................................................ 93.1.1 UseCaseDiagram ............................................................................... 10

3.1.2 Requirement1:Register ..................................................................... 103.1.3 Requirement2:UploadPhoto(CreateAlbum) ..................................... 15

3.1.4 Requirement3:InviteUsers ............................................................... 19

3.1.5 Requirement4:SharePhoto ............................................................... 213.1.6 Requirement5:EditFriendList(TrustedUser) ................................... 22

3.2 Non-FunctionalRequirements .................................................................. 29

3.2.1 Performance/Responsetimerequirement .......................................... 293.2.2 SafetyRequirement ............................................................................ 29

3.2.3 SecurityRequirement ......................................................................... 293.2.4 RequirementAttributes ...................................................................... 30

3.2.5 BusinessRules .................................................................................... 30

3.2.6 Userrequirement ............................................................................... 313.2.7 Maintainabilityrequirement ............................................................... 31

3.2.8 Portabilityrequirement ...................................................................... 313.2.9 Extendibilityrequirement ................................................................... 31

3.3 DesignandArchitecture ............................................................................ 32

3.4 GraphicalUserInterface(GUI) .................................................................. 333.5 Testing ..................................................................................................... 42

3.6 Evaluation ................................................................................................ 43

4 Conclusion ...................................................................................................... 435 FutureDevelopment ........................................................................................ 43

Technical Report

Page 3

6 References ...................................................................................................... 44

7 Appendix ........................................................................................................ 447.1 MonthlyJournals ...................................................................................... 44

7.2 ProjectProposal ........................................................................................ 54

Technical Report

Page 4

ExecutiveSummary

Nowadays,usersallaroundtheworlduseemailastheirfundamentalmethodtoshare informationovertheweb.Thenetworkprovidersallowall typesofemailfor the purpose of communication. During this transfer of information somemaliciousemailsarereceivedwhichcancauseproblemseitherattheserversideor at the client side. In this project,we propose an intrusion detection systemdesignedtodetectthesemaliciousemails.

Inrecenttimes,someofthemostdangeroussecuritythreatsagainstprivateuserdataathomeandintheworkplaceisphishing.Phishinghasbecomeanextremelycommonformofcyberattack.Itconsistsofdefraudingpeoplebyluringthemtofake websites where users unknowingly provide personal details such as logininformation and credit card details. These fraudsters appear as a trusted thirdparty,likeawell-knownbank.Themostcommonmethodsofphishingaredoneby email. Once these details are acquired they can be used in the practice ofidentity theft or credit card fraud. In thepast, efforts havebeenmade to stoptheseattacksby identifyingphishingsitesusingplug-ins,but theseeffortshavebeenmadeinvainbyemergingblockingtechniques,whichrenderthemuseless.There isanabundanceofthesetypesofattacks,somuchso,thattheeverydayuserwillbeindangerwhethertheyknowitornot.InthisprojectweproposeanIntrusion Detection System for identifying these types of malicious emails androotthemtotheirsourcetoevaluate.Thiswillbemadepossiblebyusingadatacapture facility thatwill categorize a number of incoming emails as potentiallymalicious actions and an evaluation system thatwill send crawlers towebsitesrelatedtothesedetectedemailstodeterminetheirtrueintentions.Bydetectingmalicious emails in incoming traffic, this filters a user’s inbox and removes therequirementofauserbeing trained in thepracticeof securewebbrowsing.Asmostusersarenottrainedinthismanner,thissystemwillprovequiteuseful.TheIntrusionDetectionSystem(IDS)willdetectmaliciousemailsandensurethatalloftheincomingemails/dataisnotharmful.Whenamaliciousemailisdetected,the next step is to send crawlers to these phishingwebsites that are linked intheseemailsandalsothewebsitethat it is tryingto impersonate.Analgorithmthen stripsboth sitesdownand compares themusinga scoring system for thedifferencebetweenthetwo–ultimatelydecidingwhetherornotitisaphishingwebsite. This Intrusion Detection System will be implemented into a photosharingwebapplicationwithemailfunctionality.

Technical Report

Page 5

1 Introduction

1.1 BackgroundI am a current employee of ACIA (Aon Centre for Innovation and Analytics)workingpart-timeduringmystudies.IhavebeenanemployeeofACIAsincethesummerof2015whenIappliedforaninternship.IhavenotbeenworkingwiththiscompanyforlongbutIhaveseenmyfairshareofmisleadingandmaliciousemails in the workplace. Even in a technology-based company such as this,employeeswerestillthevictimsofthesephishingattacks.

Itjustgoestoshowhowcomplexanddeceitfultheseattacksarebecoming.ThiswasthebasisofmydecisiontodesignanddevelopanIntrusionDetectionSystemfor my final year project. It was one attack in particular that was successfulamong a small number of my colleagues. It occurred during my six-monthplacementforthirdyear,aroundthemonthofJuly.Anumberofstaffbegantoreceive fake emails purporting to come from the Revenue Commissioners andwerewarnedsoonafterwardsthatalthoughtheemailaddressseemsvalid, it isjustapieceoftextandcaneasilybefaked.Emailaddressesarenotverifiedandcannot be relied on as proof of the identity of the sender organization. Theseemails seemed very professionallymade and tried to trick users into believingthattheyweredueataxrefund,mostlyintherangeofaround€160,andenticedthemtoenterbankdetails. Itwasn’tuntil theverynextday thatsimilaremailsstartedtorollin.Colleagueswerewarnedtoremainextremelyvigilantandneverto click on suspicious links or provide any sensitive information. This time thephishingemailswere indisguise as invoices fromApple andagain, looked verylegitimate.AnofficewideemailwassentoutfromITtowarnthatproceedsfromsuch scams are quickly transferred offshore, usually through multiplecountries/banks and prove impossible to retrieve, even where amounts aregreatlyinexcessof€25.99.

Althoughthesetypesofattacksareveryunfortunate,itwasgoodtoexperienceitfirsthand in theworkplace, and to see how the office dealtwith the situation.HoweverIfeltthatitwasn’tenoughandIwantedtocreatesomethingthatwouldtacklethisissueheadon,eradicatingtheproblemontheuser’send.

Technical Report

Page 6

1.2 AimsThepurposeofthisproject istoprovideaneasyanduser-friendlywaytoallowuserstohaveasafeworkingenvironmentwhenusinganonlinewebapplicationwithemail functionality.Themainobjectiveofthisproject is tomaintainasafeanduser-friendlyenvironmentand toeradicateany incoming threatsviaemail.Thisproductwillconsistoftwomaincomponents:anIntrusionDetectionSystemandawebapplicationthatwillallowuserstosharephotoswithfriends.

1.3 ScopeThewebapplicationwillallowuserstosignuptoaservicewhichwillprovideasafeenvironmentforthemtosharephotoswiththeirfriends.Tosignuptothisservice, eachusermust have a valid email address.Once a user has becomearegisteredmember,theycaninviteotherusersviaemailtojointheservice.Theydothisbysendinganemail,whichwillincludeaninvitation.Whenthereceiverofthe invitation email accepts the invite, they will be brought to the webapplication to register as amember.Once completed, theywill thenbecomeafriend (trusted user) and will appear on a trusted user friend’s list. This willconnectbothusersandallowthemtosharephotosonthewebsite.

To ensure the safety and security of the process of sending emails, we haveimplemented an intrusion detection system that will detect malicious emails.Whensharingphotos,anyphotosreceivedfromanuntrusteduserwillbemarkedasmaliciousemailandbeplaced ina junk folder.Thissystemwill co-existwiththe web application and improve the overall security for its members. TheIntrusionDetectionSystemusesadatacapturefacilitythatwillcategorizesomeoftheincomingemailsaspotentialmaliciousactivities.Bydoingso,wecreateauser-friendlyenvironmentwherepeoplecansharephotoswithoutanyconcern.

Bydetectingmalicious emails in incoming traffic, this systemwill filter a user’sinbox and eradicate the need and cost of requiring users to be trained in thepracticeofsecurewebbrowsing.TheIntrusionDetectionSystem(IDS)willdetectphishingemailsandensurethatallincomingtrafficisnotharmful.Theprojectisspecificallydesigned for theuseofuserswhosignup toourphoto-sharing sitewithavalidemailaddress.Theproductwillworkasacompleteuserinterfaceforthesite.

Technical Report

Page 7

Anybody with a valid email address and an Internet connection can use thissystem.It isespeciallyusefulforanyonewhoneedsasecureandsafeoptiontosharephotos.Theprojectcanveryeasilybemodifiedgivendifferentscenarios.New featureswillbeable tobeaddedwhenneeded.Thismakes theaspectofreusability possible. The language that was used for the development of thisproject is PHPas it is verybeneficial over other programming languages in theareasofperformance,toolsavailable,crossplatformcompatibility, librariesandcost.

1.4 Technologies

This system will consist of three main components: a Spam filter to detectunsolicitedemails,aSimpleMailTransferProtocol(SMTP)serverwhichisthedefactostandardforsendingemailovertheinternet,andApachewebserverwhichisanopensourcewebserver.TheIDSscannerwillscanallreceivede-mailsandwillmarksomeofthemessagesasmaliciousactivitiesandthenentersthemintoadatabase.EmailsareclassifiedasmaliciousiftheycontainembeddedHTMLorif they are received from an untrusted user. MySQL will be used to storeinformation regarding the detectedmalicious emails, where data entered intothe database consists of the content of the email and time of receipt. Abackground process will run to scan all URL’s listed on marked emails, stripsHTMLtagsanddetermineswhetherornottheyhavebeenearlierobserved.Thespamfilterwillmarkemailasphishingemailsiftheycarrysomeofthefollowingattributes:

• Receivedfromuntrusteduser

• URLincludingIPaddresses

• HTMLmaskedURLs

• EmailscontainingencodedHTML

• Crosssiteimages

Technical Report

Page 8

2 UserClassesandCharacteristics

DifferentservicesareprovidedbytheIDSsecuredwebapplicationbasedonthetypeofuser.Inthiscasewehaveanumberofdifferentusers:PhotoOwnerandTrustedUser.Aphotoowner isamemberwhouploadsaphototothesiteandinvitesausertojointheservicetoviewthephoto.Atrusteduserisanyonewhoreceives this email invitation and accepts, placing them in the sender’s trusteduserfriend’slist.

ThefeaturesthatareavailabletoaPhotoOwnerare:

• Login/logout• ChangeProfilePicture• Uploadphoto• DeletePhoto• Requestasfriend• Blockuser• Share/SendPhoto• Inviteuser• CreateAlbum/Gallery• Tagphoto• Addcomment

ThefeaturesthatareavailabletoaTrustedUserare:

• Login/logout• View/DownloadPhoto• Edittrusteduserfriendlist• Commentonaphoto• Candelete/blockothermembers/friends• Tagfriends/placesinphotos

Technical Report

Page 9

3 RequirementsSpecification

3.1 FunctionalRequirements1. Registration(CreateAccount)–Usersmustbeabletocreateanaccount

forthisservicebyregisteringwithavalidemailaddress.2. ChangePassword–Userswillhavetheoptiontorequestatemporary

passwordiftheyhaveforgottentheirs,thistemporarypasswordwilltakethefirst4lettersoftheiremailandadd5randomlyselectednumbersontothatandwillbeemailedtotheuser.Userswillthenalsohavetheoptiontochangetheirpasswordtosomethingmorefamiliartothem.

3. UploadPhoto–Usersmusthavethefunctionalitytobeabletouploadphotosintopredefinedgalleriesonthewebsite.

4. DeletePhoto–Userswillhavetheoptiontodeleteaphotoformtheirgallery.Thisfunctionwillonlybelongtothephotoowner.

5. InviteUsers–Usersmusthavetheabilitytoinviteotherpeopletojointheserviceviaemailinvitation.

6. SharePhoto–Usersmustbeabletosharephotosamongstotherusers.Photoswillbesharedoveremail.ThisprocesswillbesecuredbyourIntrusionDetectionSystem.

7. EditFriendsList(Friend/UnfriendUser)–Usersmustbeallowedtomodifytheirtrustedusers,givingthemthepowertodecidewhotheycansharephotoswith–sendingorreceiving.

8. BlockUser–Usersmusthavethefunctionalitytoactivelyblockanyothermemberofthewebapplication,disablingthemfromviewing/sharinganyphotos.

9. Comment–Userswillhavetheabilitytoleavemessages/commentsonuserprofilesandpictures.

10. ChangeProfilePicture–Userswillhavetheabilitytochangetheirprofilepictureatanytimefromtheiruserprofilepage.

Technical Report

Page 10

3.1.1 UseCaseDiagram

3.1.2 Requirement1:Registration

3.1.2.1 Description&Priority

Thisrequirementdescribestheactionstakenbyausertoregisterasamemberon the photo sharing web application. A user must provide a username, validemail address, password, confirm password, gender and country. Thisrequirementisvitaltothesystemasitistheonlymeansofaccesstothesystem.Italsoensuresthatonlyregistereduserscanaccessthesystem.Uponregisteringanautomatedemailwillbesenttotheuserwithanactivationlink.Onlyactivateduserswillbeallowedtoaccessthesite,ensuringthatvalidemailsarebeingused.

Technical Report

Page 11

3.1.2.2 UseCaseScope

Thescopeofthisusecaseistoensurethatonlyregistereduserscanaccessthesystemandensuresthatallusershaveavalidemailaddress.

Description

Thisusecasedescribestheactionstakenbyauserinsettingupanaccountbyprovidingauniqueusername,password,validemailaddress,genderandcountry.

UseCaseDiagram

FlowDescription

Precondition

Thesystemisinstand-bymode

Activation

Thisusecasestartswhenauserclicksthe“SignUp”button

Technical Report

Page 12

Mainflow

1. Thesystemidentifiestheclickingofthe“SignUp”button2. Theuserentersausername(SeeA1)3. Thesystemacceptsusername4. Theuserentersapassword(SeeE1)5. Thesystemacceptsthepassword6. Theuserconfirmspassword7. Thesystemacceptsthepassword8. Theuserentersavalidemailaddress9. Thesystemacceptsemailaddress10. Theuserselectsgender11. Thesystemacceptsgender12. Theuserselectstheircountry13. Thesystemacceptscountry14. Userclicks“CreateAccount”

Alternateflow

A1:Invalidusername1. Thesystemrejectstheusernameasitalreadyexistsinthedatabase

andrequestsusertoenteranewone2. Theuserentersavalidusername3. Theusecasecontinuesatposition3ofthemainflow

Exceptionalflow

E1:Invalidpassword–tooshort4. Thesystemrejectsthepasswordandrequestsusertoenteralonger

one5. Theuserentersavalidpassword6. Theusecasecontinuesatposition5ofthemainflow

Termination

The system sends an automated email with an activation link to activateusersaccount

Postcondition

Thesystemgoesintoawaitstate

Technical Report

Page 13

3.1.3 Requirement2:ChangePassword


Thisrequirementdescribestheactionstakenbyausertochangetheirpasswordfor logging into the site. Users will have the option to request a temporarypasswordiftheyhaveforgottentheirs,thistemporarypasswordwilltakethefirst4lettersoftheiremailandadd5randomlyselectednumbersontothatandwillbe emailed to the user. Users will then also have the option to change theirpasswordtosomethingmorefamiliartothem.


The scope of this use case is to ensure that users have the option ofchangingtheirpassword.

Description

Thisusecasedescribestheactionstakenbyauserinordertochangetheirpassword.

UseCaseDiagram

Technical Report

Page 14

FlowDescription

Precondition


Activation

Thisusecasestartswhenauserclicksthe“ChangePassword”button

Mainflow

15. Thesystemidentifiestheclickingofthe“ChangePassword”button16. Theuserenterstheircurrentpassword(SeeA1)17. Thesystemacceptspassword18. Theuserenterstheirnewpassword(SeeE1)19. Thesystemacceptsthepassword20. Theuserconfirmspassword21. Thesystemacceptsthepassword22. Userclicks“MakeChanges”button

Exceptionalflow

E1:Invalidpassword–tooshort7. Thesystemrejectsthepasswordandrequestsusertoenteralonger

one8. Theuserentersavalidpassword9. Theusecasecontinuesatposition5ofthemainflow

Termination

The system sends newdetails to database; newpassword is encrypted indatabase.

Postcondition


Technical Report

Page 15

3.1.4 Requirement3:UploadPhoto


Thisrequirementdescribestheactionstakenbyaphotoownertouploadaphototothewebapplicationandbydoingso,entersitintooneoffivegalleriesthattheusercanchoosefrom.Fromthe“Photos”homepage,amembercanaccess the“UploadPhotoNow”button.Thisrequirementholdsgreatimportanceasitistheverybasisforthiswebapplication.Withoutthefunctionalitytouploadaphoto,ourphotosharingwebsiteisrendereduseless.


Thescopeofthisusecase is toallowamembertouploadaphototothiswebapplicationintooneof5galleries.

Description

This use case describes the actions taken by a registered member ofnavigatingthe“Photos”homepageandselectingthe“UploadPhotoNow”button and following the necessary instructions to successfully upload animagetothewebsite.

UseCaseDiagram

Technical Report

Page 16

FlowDescription

Precondition


Activation

Thisusecase startswhena registeredmember chooseswhatgallery theywishtheirphototobeuploadedto.

Mainflow

1. Thesystemidentifiestheclickingofthe“ChooseGallery”dropdownbutton

2. Thememberselectsanimagetoupload(SeeA1)3. Thesystemacceptstheimage4. Thememberclicksthe“UploadPhotoNow”button]5. Photogetsuploadedtoselectedgalleryandisstoredinthedatabase

Alternateflow

A1:FormatRejected10. Thesystemrejectstheimageonthebasisthatitisnotthecorrect

format11. Thememberconvertstheimagetothecorrectformat12. Theusecasecontinuesatposition3ofthemainflow

Termination

Thephotoisaddedintoselectedgallery

Postcondition


Technical Report

Page 17

3.1.5 Requirement4:DeletePhoto


Thisrequirementdescribestheactionstakenbyaphotoownertodeleteaphotooffthewebapplication.Whenviewingphotosinagallery,amembercanaccessthe“Deletethisphoto”button.Thisrequirementholdsgreatimportanceasit isimportantforuserstobeabletodeleteanyunwantedphotosfromtheirpage.

3.1.5.2 UseCase

Scope

Thescopeofthisusecaseistoallowamembertodeleteaphotofromthiswebapplicationfromoneofthegalleries.

Description

This use case describes the actions takenby a photoowner of navigatingthephotosinagalleryandselectingthe“Deletethisphoto”button.

UseCaseDiagram

Technical Report

Page 18

FlowDescription

Precondition


Activation

Thisusecasestartswhenaphotoownerselectsaphototheywishdelete.

Mainflow

1. Thesystemidentifiesphotoownerviewingownedphoto2. Theuserselects“Deletethisphoto”button(SeeA1)3. Systemdisplayspopupmessageaskingtoconfirmdeletion4. Thesystemdeletesthephoto5. Thesystemremovesphotofromgallery

Alternateflow

A1:Notownedphoto13. Thesystemdoesnotdisplaythedeletebuttonifuserdoesnotown

image

Termination

Thephotoisaddedintoselectedgallery

Postcondition


Technical Report

Page 19

3.1.6 Requirement5:InviteUsers


Thisrequirementdescribestheactionstakenbyamembertosendaninvitationto join the service via email.When a user accepts this invitation, they will bebroughttothewebsiteandbeplacedinthesender’strusteduserfriendlistoncetheyhavesignedup.Thiswillallowthetwousers toconnectandsharephotoswith each other. This requirement is vital as it is a means of populating thewebsiteandalsoallowsuserstovieweachothersphotos.


The scope of this use case is to allow amember to send an invitation toanotheruserviaautomatedemail

Description

Thisusecasedescribestheactionstakenbyamembertosendaninvitationoveremail

UseCaseDiagram

Technical Report

Page 20

FlowDescription

Precondition


Activation

Thisusecasestartswhenamemberclicksthe“InviteUser”Button

Mainflow

1. Thesystemidentifiestheclickingofthe“Invite”Button2. Thememberentersanemailaddress(SeeA1)3. Thesystemacceptstheemailaddress4. Thememberclicks“SendInvitation”5. Thesystemsendsemail6. Userreceivesemail7. Useracceptsinvitation(SeeE1)8. Userbecomesfriendonthewebapplicationandisaddedtomember’s

friendlist

Alternateflow

A1:InvalidEmailAddress9. Thesystemrejectstheemailaddressasitalreadyexistsinthedatabase10. Thememberentersavalidemailaddress11. Theusecasecontinuesatposition3ofthemainflow

Exceptionalflow

E1:UserDeclinesInvite12. Theuserdeclinesinvitation

Termination

Thesystemplacesnewfriendinsenderstrustedfriendlist

Postcondition


Technical Report

Page 21

3.1.7 Requirement6:SharePhoto


Thisrequirementdescribestheactionstakenbyaphotoownertoshareaphotowithaanotheruser.PhotoswillbesentoveremailandwillbeprotectedbyourIntrusionDetectionSystem.Thisrequirementisvitalasitistheverybasisofthephotosharingwebsite.

3.1.7.2 Use Case

Scope

Thescopeofthisusecaseistoallowaphotoownertoshareaphotowithanotheruser

Description

Thisusecasedescribestheactionstakenbyaphotoownertoshareaphotowithanotheruser

UseCaseDiagram

FlowDescription

Precondition


Activation

Technical Report

Page 22

Thisusecasestartswhenaphotoownersharesaphotowithanotheruser

Mainflow

1. Thesystemidentifiestheclickingofthe“SharePhoto”button2. ThePhotoOwnerselectsausertosharephotowith3. Thesystemacceptsrequest4. ThePhotoOwnersendsphoto(SeeA1)5. Usersaddeachothertotrusteduserlist(SeeE1)6. PhotoOwnersendsphotototrusteduser

Alternateflow

A1:Userisnotatrusteduser7. Theuserreceivesthephotobutismarkedasmaliciousemail8. TheIDSplacesemailinjunkfolder9. Theusecasecontinuesatposition5ofthemainflow

Exceptionalflow

E1:EditTrustedUser/Friendlist10. PhotoOwneraddsusertolist11. Thesystemacceptsrequest12. Theusecasecontinuesatposition6ofthemainflow

Termination

Thesystemexecutesrequests

Postcondition


3.1.8 Requirement7:EditFriendList(Friend/UnfriendUser)


This requirementdescribes theactions takenbyamember tomanuallymodifytheirtrustedusersonthesystemwhichisdisplayedasa“FriendsList”byaddingsomeonetothelistby“friending”themor“Unfriending”them.Thisrequirementproves very important as this gives users the power to choose who they can

Technical Report

Page 23

sharetheirphotoswith.Onceauserhasbeenremovedfromthelist,anyphotosreceivedfromthemwillbemarkedasmaliciousemailbyourIDS.


Thescopeofthisusecaseistoallowausertomodifytheirfriendslist

Description

Thisusecasedescribes theactions takenbyauser inmanuallymodifyingtheirfriend’slist

UseCaseDiagram

FlowDescription

Precondition


Activation

This use case starts when a user clicks “Request as Friend” button on auser’sprofile

Technical Report

Page 24

Mainflow

1. Thesystemidentifiestheclickingofthe“RequestasFriend”Button2. Thesystemdisplaysamessageconfirmingtheactionhasbeencompleted3. Systemwillsendanotificationtootheruserabouttherequest4. Otheruseracceptsrequest5. Bothusersarenowfriendsandwillappearineachothersfriendlist6. Usercanthenselect“UnfriendUser”7. Thisuserwillnolongerbedisplayedintheirfriendlist8. Thesystemnowdisplaysa“FriendUser”buttoniftheusereverwishesto

addthisuseragaininthefuture

Termination

Thesystemreturnstotheuser’sprofile

Postcondition


3.1.9 Requirement8:BlockUser

3.1.9.1 Description&PriorityUsersmusthavethefunctionalitytoactivelyblockanyothermemberofthewebapplication,disablingthemfromviewing/sharinganyphotos.


Thescopeofthisusecaseistoallowausertoblockanotheruser

Description

This use case describes the actions taken by a user to manually blockanotheruser

Technical Report

Page 25

UseCaseDiagram

FlowDescription

Precondition


Activation

This use case starts when a user clicks “Block User” button on a user’sprofile

Mainflow

1. Thesystemidentifiestheclickingofthe“BlockUser”Button2. Thesystemdisplaysamessageaskingusertoconfirmtheblock3. Userclicks“ok”4. Systemblocksuser

Technical Report

Page 26

Termination


Postcondition


3.1.10 Requirement9:Comment


Users must have the functionality to leave comments on user profiles andphotos.

3.1.10.2 UseCase

Scope

Thescopeofthisusecaseistoallowausertopostacommentonauser’sprofile/photo

Description

This use case describes the actions taken by a user to write and post acommentonauser’sprofileorphoto

UseCaseDiagram

Technical Report

Page 27

FlowDescription

Precondition


Activation

Thisusecasestartswhenauserclicksonthecommentboxtobeginwriting

Mainflow

1. Thesystemidentifiestheclickingofthecommenttextbox2. Typingcursordisplaysincommentbox3. Userwritesmessage4. Userclicks“postcomment”button5. Systempostscommenttouser’sprofile/photo6. Userreceivesnotificationoftheeventinnotificationspage

Termination


Postcondition


3.1.11 Requirement10:ChangeProfilePicture


Thisrequirementdescribestheactionstakenbyausertochange/uploadanewprofilepicture.

3.1.11.2 Use Case

Scope

Thescopeofthisusecaseistoallowaphotoownertochangetheirprofilephoto

Description

Thisusecasedescribestheactionstakenbyaphotoownertochangethephotousedastheirprofilepicture

Technical Report

Page 28

UseCaseDiagram

FlowDescription

Precondition


Activation

Thisusecasestartswhenaphotoownerclicks“toggleavatarform”ontheircurrentprofilephoto.

Mainflow

1. Thesystemidentifiestheclickingofthe“toggleavatarform”button2. ThePhotoOwnerthenselects“Choosefile”3. Theuserthenselectsthephotohe/shedesires4. Theuserthenselects“uploadphoto”5. Thesystemacceptsphoto6. Thesystemchangesprofilepicture

Technical Report

Page 29

Termination

Thesystemexecutesrequests

Postcondition


3.2 Non-FunctionalRequirements

3.2.1 Performance/ResponsetimerequirementThisIDSphotogallerythatwearedevelopingwillbeusedasthemainperformancesystemwhichinteractswithmembersandadministrators.Therefore, it is expected that the system would perform all therequirementsthatarespecified.

- Thesystemshouldbefastandaccurate- Systemwillhandleexpectedandnon-expectederrorsinamannerthat

willpreventinformationlossandlongdowntimeperiod.- System should have error testing to identify invalid username or

passwordandemail- Systemshouldbeabletohandlelargeamountsofdata- Systemshouldaccommodatehighnumberofphotosanduserswithout

anyfault

3.2.2 SafetyRequirementIthas tobe taken intoaccount thatatanygiven time thedatabasemaycrashduetoavirusoroperatingsystemfailure.Therefore,itisrequiredtotake the database backup to prevent losing it. Appropriate UPS facilityshouldbeinstalledincaseofpowersupplyfailure.

3.2.3 SecurityRequirement- Appropriateuserauthenticationshouldbeprovided

Technical Report

Page 30

- Securityquestionswillneedtobesetupwhenauserregistersasauser- Securityquestionswillneedtobeansweredwhenauserforgetstheir

password- The system will have a number of unique users and each user has

accessconstraints- Thesystemwilluseasecureddatabase,photosandpasswordswillbe

encryptedinthedatabase- User details such as username and passwordswill be protectedwith

Md5hash- Function ‘evalLoggedUser’ checks a user’s session data to see if it

matchessomethingonfile,systemdoublecheckstomakesureuseriswhotheysaytheyare.ProtectsagainstCrossSiteScriptingattacks.

- The system is designed to prevent any user from enteringmaliciousjavascriptcodetoconductCrossSitescriptingorSQLInjection.

- Userscanreadinfobutcannoteditanythingexceptfortheirpersonaldetailsandphotos

- Userswillhavethefunctionalityofblockingauser,disablingthemformviewinganyoftheirphotos

- Whenusers share a photo, theywill be protectedwith an encryptedform(short4digitpassword)

- A .htaccess file will be established to prevent directory file listing aswellasspecifyamoreuserfriendly404errorpagethroughhtaccess.

- Separate account types for admin andmembers so that nomembercanaccessthedatabaseandonlyadmincanupdatethedatabase

3.2.4 RequirementAttributes- Theprojectshouldbeopensource- Adminscancreatechangestothesystem,butmembersorotherusers

cannotmakeanychanges.- Thequality of thewebsite anddatabase ismaintained in such away

thatitcanbeveryuserfriendlytoallusers- Theusershouldbeabletodownloadandinstallthesystemveryeasily

3.2.5 BusinessRulesA business rule is anything that captures and implements businesspolicies and practices. A rule can enforce business policy, make a

Technical Report

Page 31

decision,or infernewdatafromexistingdata. This includestherulesand regulations that the System users should abide by. This includesthe cost of the project and the discount offers provided. The usersshould avoid illegal rules and protocols. Neither admin nor membershouldcrosstherulesandregulations.

3.2.6 UserrequirementTherearetwomaintypesofusersofthissystem.Themember,whichisaregistereduserthathasloggedintothesystemandtheadmin.Themembersareassumedtohavebasicknowledgeofthecomputersandinternet browsing. The admins of the system are expected to havemoreknowledgeofthe internalsofthesystemandshouldbeabletorectify the small problems thatmay arise due to disk crashes, powerfailures and other catastrophes that may occur to maintain thesystem’swellbeing.TheUI,usermanual,onlinehelpand installationguidemustbe sufficient enough toeducate theusersonhow tousethesystemwithoutanyproblems.Admincanprovidehelptotheusersinthefollowingareas:

o BackupandRecoveryo ForgotPasswordo Loginissueso ReportingPhotoso Modifyprofile/photoso Maintainingfiles

3.2.7 MaintainabilityrequirementIn order to maintain our database, we will continue to delete unwanted orunnecessary data as they can become very large aswe continuously add data.Wewillalsobebackingupourdatabasesandsamplingdatabasescripts.

3.2.8 PortabilityrequirementThisservicewillbeavailableonlaptops,tabletsandmobiledevices.

3.2.9 ExtendibilityrequirementWewillextendthissystemtoincorporateFacebookimages.

Technical Report

Page 32

3.3 DesignandArchitecture

This system will consist of three main components: a Spam filter to detectunsolicitedemails,aSimpleMailTransferProtocol(SMTP)serverwhichisthedefactostandardforsendingemailovertheinternet,andApachewebserverwhichisanopensourcewebserver.TheIDSscannerwillscanallreceivede-mailsandwill mark some of them as potential phishing messages or an email that isreceived fromanuntrusteduser and thenenters them into adatabase. EmailsareclassifiedasmaliciousiftheycontainembeddedHTMLoriftheyarereceivedfromanuntrusteduser.MySQLwillbeused tostore information regarding thedetectedmaliciousemails,wheredataenteredintothedatabaseconsistsofthecontentoftheemailandtimeofreceipt.AbackgroundprocesswillruntoscanallURL’slistedonmarkedemails,stripsHTMLtagsanddetermineswhetherornottheyhavebeenearlierobserved.

PrototypeArchitectureDiagram:

Technical Report

Page 33

3.4 GraphicalUserInterface(GUI)For both user and administrator, this software provides good graphicalinterface.Bothuserscanoperatethesystemperformingdifferenttaskssuchaslogin,register,uploadphoto,inviteuser,sharephotoandmore.

Log in: Below is the login page for the photo gallery; users are required to provide a username and password to successfully login. If a user forgets their password they can click the “Forgot your password?” link, which will send necessary instructions via email to recover the password. There is also an auto login feature, which exists for the convenience of frequent members. If a user is a first time visitor they can click the “Register” link, which will bring them to the Register page.

Technical Report

Page 34

Register: Below we can see all credentials that are necessary for a registered member. A member will need a username, password and valid email address. When a user clicks the “Register” button, a confirmation email will be sent to the user’s inbox. Once confirmed, the user is now a member of the photo gallery website.

Technical Report

Page 35

Albums: Below we can see the home page, which displays different categories of photos. Some examples below are animals, people and landscapes. When a user chooses a category to browse, all photos in that category will be viewable. From here, a user can also access pages related to uploading photos, sharing photos and friend list, which we will touch on later.

Technical Report

Page 36

Upload Photo: Below we can see how a user can upload a photo to the web application. It is a very simple process. All a user has to do is select an image that is stored locally on their computer or external hard drive, add a description (optional) and select which album they want to upload it to. If this is the first time uploading a photo, or they simply want to create a new album, they can do so by clicking one of the two buttons provided on this page. Once all details have been entered, the user hits “Upload Photo” and the process is complete. The user can then go on to share this photo with trusted users, which we will look at next.

Technical Report

Page 37

Share Photo: Below we can see how a photo owner can share an image with any user with a valid email address. All that is necessary to share a photo is to enter the email of the receiver, select the image you want to share, add a description (optional) and hit the “share photo” button. Note that if a user receives a photo from an untrusted user, our IDS will mark that email as malicious and it will be placed in a junk folder.

Technical Report

Page 38

Edit Friend List (Trusted User): In the screenshot below we can see how a user can manually edit his/her friend list. It is a very simple process. This page displays the user’s friend list, when a user clicks the “Edit” button, x’s will appear beside the names of each user in the list. All a user has to do to edit this list is click the x and that user will be removed as a trusted user. The system will ask for confirmation upon clicking an x to ensure it was not clicked by mistake. In the top left hand corner we can see the “Invite User” button, which we will now take a look at.

Technical Report

Page 39

Invite Users: In the screenshot below, we can see how a user can go about inviting other users to join the photo sharing web application. The user enters an email address of the person they want to join. A link will be provided in the email to find the web application but a user may also add a body to the email if they so wish. By clicking “Send Invitation”, an email will be sent housing all the information the receiver needs to become a registered member. By following this link, the new user will automatically be assigned as a trusted user to the sender and vice versa.

Technical Report

Page 40

Album Category – People: Below we can see the display page when a user chooses an album category. The below category is “People”. There are a number of features available to a user from this page. In the top right hand corner there are four symbols: sort A to Z, photo sizes, slideshow and a calendar to display creation date. To the right of these symbols you will see a dropdown box; this allows users to change the interface theme. An example of a different theme is down below. From here, a user can select an individual photo to view.

Technical Report

Page 41

View Photo: Below we can see the display page for viewing an individual photo. Here a user can view details such author, upload date and rating. Users can also leave a comment or rate the photo using a 5 star system.

Technical Report

Page 42

3.5 Testing

To ensure that our software is functioning correctly, we will conduct thefollowingtypesoftesting:

WhiteBoxTesting

Whiteboxtestingisatestcasedesignphilosophythatusesthecontrolstructureaspartofcomponentleveldesigntoderivetestcases.

• BasisPathTestingBasispathmethodenablesdesignertoderivealogicalcomplexitymeasureofaproceduraldesignandusethismeasureasaguidefordefiningabasissetofexecutionpaths.

• ControlStructureTestingIttestscontrolstructuresofprogram.

BlackBoxTesting

Blackboxtestingenablesthesoftwaredesignertoderivesetsofinputconditionsthatwillfullyexerciseallfunctionalrequirementsofaprogram.

• GraphBasedTestingMethod• EquivalencePartitioning• BoundaryValueAnalysis• OrthogonalArrayTesting

IntegrationTesting

Integration testing is a systematic technique for constructing softwarearchitecturewhileatthesametimeconductingteststouncovererrorsassociatedwithinterfacing.

RegressionTesting

Each time a new model is added as part of integration testing, the softwarechanges.Atthistimewewillapplyregressiontesting.

Technical Report

Page 43

3.6 Evaluation

Weplantoevaluatethissystembycollectingadatasetthatconsistofmalicioussitesanduse themwithour implementation.Thiswill allowus tocalculate theefficiency of detection, which is an extremely important parameter of ourIntrusion Detection System. The outcome will be analyzed for accuracy andtimeliness.

4 Conclusion Phishing has already become a very popular form of malicious email cyber attack resulting in the theft of personal information. Usingexistingsecuritytechnologiesto completelyprevent securitybreaches is un-realistic. This iswhyan IDS is animportantcomponentinsecurityasitcanoffertheadvantagesofreducingmanpowerthatisnecessaryformonitoring,increasingdetectionefficiency,providingdatathatwould inothercasesnotbepresent,helpingthe informationsecuritycommunitylearnaboutnewvulnerabilitiesandprovidelegalevidence.

5 FutureDevelopment

• Thissystemhasthepotentialtoevolveintovideosharingandimplementmoresocialmediafeatures,extendingitsreachtoalargercustomerbase.

• Thissystemcouldbeusedinfutureinstancesasacoreinformationextractionsystem.

• Betteralgorithmscouldbeimplementedtoincreaseefficiencyandqualityofresults.

Technical Report

Page 44

6 References

Dofree (2013) Black Box vs. White Box Testing. Available at:https://technologyconversations.com/2013/12/11/black-box-vs-white-box-testing/[Accessed5/12/16]

HasikaPamunuwa(2007)AnIntrusionDetectionSystemforDetectingPhishing

Attacksat:https://link.springer.com/chapter/10.1007%2F978-3-540-752486_13

[Accessed2/11/16]

Fette, I (2007) Learning to Detect Phishing Emails. Available at:http://www.cs.cmu.edu/tomasic/doc/2007/FetteSadehTomasicWWW2007.pdf

Vanderavero, N (2004) Scalable Approach to collect malicious Internet Traffic.Availableat:http://www.info.ucl.ac.be/people/OBO/papers/honeytank.pdf

7 Appendix

7.1 MonthlyJournals

-September2016-

InitialPlanningIt is September 3rd, and as my final year of college approaches I find myselfstruggling to formulatean idea formyproject that I am trulyhappywith.As aCyberSecuritystudent,IamextremelyinterestedindevelopingasecuritybasedprojectasIhaveahugeinterest inthisarea,butdecidingonacertaintopicformyprojecthasprovedquitedifficult–something Ididnot take intoaccount inmymanagementoftime.WhenIstartbackinNCIonthe19th,Iwanttobefullypreparedwithagreat securitybasedproject ideagivingme thepush Ineed togettoworkrightaway!Meanwhile,IhavestartedbrushinguponmyjavaskillsasIhavebeenoutofpracticeforquitesometimenow.Duringmyworkplacement

Technical Report

Page 45

with ACIA (Aon Centre for Innovation and Analytics) I was visited by mysupervisorEugeneMcLaughlin.Hegavemegreatadvice,whichwas topracticeprogramming again as some students return to 4th year very ill prepared. Iappreciatedtheadviceandacteduponitrightaway.

It isonlyaweekuntilwereturntoclassas IentertheweekofSeptember12th,2016.Ihavetosay,Iamverymuchlookingforwardtostartingclassagain.Itfeelslikesuchalongtimeaswehavebeenkeptbusywithourworkplacementforthepastsix-to-sevenmonths.Ihavebeenkeepingmyselfbusy/preparingforcollegeby looking over old assignments and recoding some old projects. I am actuallyverysurprisedathowfastIhavebeenabletopickitbackup,itsjustsomethingthatgetsburnedintoyourbrainIguess–notabadthing!WiththisinmindIfeelwellprepared.StillhavenotyetdecidedonatopicformyprojectbutIknowitwill come to me soon. If I was to make any improvements to my work ethictowardsthisproject,Iwouldhavedefinitelystartedresearchonmyprojectalotearlier.

BacktoClassIt is September 19th and all fourth years have returned to NCI. Our very firstlecture isofcourseSoftwareProjectandthere isgreatexcitement intheroom.Eamon gave us an excellent run down of what was expected from us in thecoming weeks and I came away from that class with a heightened sense ofconfidenceandsupport fromthecollege.AsEamonasked fora showofhandsaroundtheclassroomastowhohadalreadythoughtofanideafortheirprojectIwasalittlerelievedasitseemedtobea50/50difference.AsrelievedasIwasIknewIhadtofinalizeanideaandIhadtodoitsoon.Eachstudenthastopreparea5minutepitchpresentationtoagroupofthreelecturerswhowilltheneitheraccept your project, deny your project, or accept your project with some nicelittleimprovementsandadvice.Itwasourfirstweekbacktocollegebuttheworkhadalreadyverymuchbegun.

Itwasn’tuntilmysecondweekofcollegethatIfinallydecidedonanideaformyproject. I decided todesignand implementan IntrusionDetectionSystemwithSelfProgrammingFunctionality.Basicallywhatitsgoingtobeabletodoisdetectanyintrusiononthesystemandhastheabilitytocreateafakeprogramthatwillhelpanattackergetaccesstowithcompleteanalysisonthepatternofattack.Itwill alsocreate fake counter measures to prevent the attack on the fakeprogramandsecuretheoriginalapplicationandtracktheactivityandpatternofattack. The system will alsolog every moment.However, from looking at pastprojectsandhearingaboutotherstudent’s ideasIhavelostsomeconfidencein

Technical Report

Page 46

thisidea.Itseemsthattheseprojectsneedtohaveacustomerandhaveacertainappeal i.e. most projects seem to be aimed at facilitating everyday needs orhobbies. I feel likemyidea lacksthissenseofusefulnessandhasmademefeellikeI’mnotontherighttrackatall.Idon’tknowwhomycustomerwouldbeforsomethinglikethis?However,thepresentationsarenextweek,October4thandIhavebegunthinkingaboutpickingaprojectfromthelistprovidedbythecollege.Iamcurrentlyjusttryingtoweighoutmyoptions.

-October2016-

PitchPresentationOnOctober4thwehadourpitchpresentationswherestudentshadtopitchtheirideastoagroupofthreelecturerswhereitwouldeitherbe:accepted,acceptedwithrevisionsorrejected.Thisprocesswasaverygood ideaas it improvestheoverall quality of all final year projects. After much thought and debate withfellowclassmates,Idecidedtogowithaprojectfromtheapprovedlistfromthelecturers, as I didn’t have enough confidence inmyown idea.Duringmypitchpresentation I informed the lecturers of my idea for an Intrusion DetectionSystemalthoughIhadalreadyrequestedtochoosefromthelist.Tomydismay,theytoldmethattheidea(althoughquitevague)wasoneofthebesttheyhadheard for the Cyber Security stream. I was very disappointed that I didn’t putmore thought intomy idea as I was under the impression that it wasn’t goodenough or not the right type of project.My own lacks of confidence leadmeastray,butmyluckhadn’trunoutquiteyet.SaraKadry,mySecureApplicationsProgramminglecturer,hadproposedanIntrusionDetectionSystemforMaliciousEmailasoneoftheprojectsthatstudentswereabletochoosefromanapprovedlist. As I was extremely interested in working in this area I pounced on thisopportunity right away. All the doubt that I had with my own idea had beenwashedawayandIcouldn’twaittostart.IbeganmyresearchintofilteringemailsandhadalookathowGmailandotherbigemailingservicesdonethisjobalreadybylookingatsourcecode.IwantedtohavebasicknowledgewhenmeetingSaraforthefirsttimetoensurethatIwouldbegiventheopportunitytoworkonthisproject.

Technical Report

Page 47

SupervisorMeetingsOnOctober 13th I hadmy firstmeeting with Sara. I felt I had learned enoughthroughmyinitialresearchtoappearreadytotakeonthisproject.Wediscusseddifferent typesof approaches that couldbe taken to complete theproject.Weconversedonthesubject forabout30minutesand itwasanextremelyhelpfulandlearningexperience.Icameawayfromthismeetingwithabetterfeelingofconfidencethat Iwasready for the job.Upontheadvice fromSara, I furtheredmyresearchandbegantolookatdifferenttypesofSpamfilters.OnesuchspamfilterwasSpamAssassin–anopenSourcemail filter,written inPerl, to identifyspamusing awide rangeof heuristic testsonmail headers andbody text. Theidea to implement this IDS (Intrusion Detection System) onto an existing webapplication of mine was suggested. As one of my third year projects wedeveloped a charitywebsitewhere users couldmakedonations to a charity oftheirchoice.AtfirstIthoughtthiswasagoodidea,butlaterdecidedagainstit,asyouwillreadlateron.IalsobeganlookingatallthedifferentfeaturesofGmail,and picked out what features were similar in my own project, as I wanted tocreatesomethingnew,notsomethingthathasalreadybeendonebefore.Ihadalotofwork cutout formeaftermy firstmeetingbutwasextremelyexcited tomakesomeprogress.

WithourProjectProposaldeadlineon the21st ofOctober itwas time toputaconcrete idea together. My final idea was to create an IDS that specificallytargetedphishingemails.This issomethingthatIhadexperiencedmyself intheworkplacesoIthoughtitmightbeagoodideatoapplythisexperienceintomyproject. The proposal took quite some time to complete but I was very happywith theoutcome. I hadbeen in contactwithSaraduring this timeviaemail. Iwould send her my first draft and she would reply with some very helpfulfeedback.Althoughthe IDShadbeen thoughtout, Iwasstillunsureofwhat toimplement it onto. As said previously, I wasn’t very pleased with the idea ofimplementingittomycharitydonationwebapplication.ButduringanotheroneofmymeetingswithSara,shesuggestedthe ideaofcreatingawebapplicationthatalloweduserstosharephotos.ThiswasagreatstartingpointandIhoppedontheidearightawayandbegantolookatsourcecodeofexistingapplications.WithourRequirementsSpecificationdeadlineapproachingIhaveplacedmostofmytimeonthisdocument,whichisdueonthe11thofNovember.

Technical Report

Page 48

-November2016-

InitialPrototype–Week1

OnNovember4thIbegancreatingmyinitialprototypeformyfinalyearproject.Itwaseasier tostartnowthat Ihadgathereda lotofmyrequirements,asourrequirements specification document is due on the 14th. I researched a lot ofopensourcephotosharingwebsitesandtriedtogetafeelforthetypeofwebsiteI wanted to build. This took more time that anticipated and with a lot ofassignmentsandprojectsdueinthenextfewweeksthingswerestartingtopileon the workload started to get bigger and bigger. During my first week ofNovemberIhadtoputmyprototypeasidetofocusonmyotherwork.

RequirementsSpecification–Week2

I spentmost of week 2 focusing on deadlines and upcoming CA’s for ArtificialIntelligenceandWebServices&APIDevelopment,andcontinuedmyworkonmyRequirementsSpecification. Ispenta lotoftimeduringthesefewdaysworkingto get the initial version of my Requirements Specification for my SoftwareProject completed in time for the submission date. Upon completing my RSdocument I started to gain a better image of my application after creating amockupGUI, thishadmeexcitedand Iwantedtogettoworkrightaway. Iputmoretimeinwithmyprototypeandmadeasimplelogin.Itwasn’tmuch,butitwasastart.Otherassignments/projectsstartedtofloodinandonceagainIhadtoputtheprototypeasidetofocusonthese.

ShareSafePrototype–Week3

Technical Report

Page 49

Ispentmoretimethisweektoworkonmyprototype,Iaddedsecuritytomywebapplication that is deployed to the Oracle GlassFish Open Source Edition. Iconfigured security authentication using a login form in a web page. After Icreated the users, I then created the security roles by setting the securityproperties in the deployment descriptor. I also gave my application a name:ShareSafe.

TechnicalReport–Week4

MyfinalweekofNovemberwasmanly spent focusingonmyTechnicalReport.This is a huge document and will be used for our midpoint presentation inDecember.Thedocumentisn'tdueuntilthe9thofDecemberbutwithsomanyotherassignments/projectsIwantedtogetanearlystart.OnceIamhappywiththeTechnicalReport Iwillcontinueworkonmyworkingprototype,whichIwilldemoduringthispresentation.

- December2016-

PresentationPreparation–Week1

Decemberwas a very busymonthwith numerous project deadlines, it was anextremely stressful period couple of weeks but I was able to get everythingsubmitted on time. On top of this we all had our mid-point presentation toprepare for.Unlikemost students, I hadmypresentation inweek 12whilewewerestillworkingonourprojects,whichwasabitofadisadvantagebutnothingtoomajor.Iwasslightlydisappointedwithhowmypresentationwentduetobebeing so busywith otherwork but I feltmy documentation (Technical Report)was strong enough to pull me through. The presentation was a good learningexperience, as I now know what is expected when it comes to our finalpresentation in the coming months. My supervisor (Sara Kadry) and secondmarker (JoeMolumby)were extremely helpful on the daywith their feedbackandadviceonwhatto improveforthenextpresentation.Theywereextremelyfriendlyandmadethewholeexperiencemuchmorepleasantandlessstressful.

Technical Report

Page 50

OverallIfeelhappywiththeworkIputinwithmyprojectbutIneedtoimproveonmypresentationskillsandincludemuchmoreinformationinmyslidesforthenextone.

ExamPreparation

FortherestofthemonthIneedtofocusonmyexams,whichcommenceonthe5thofJanuary2017.TheystartveryearlythisyearsomuchoftheChristmasbreakwillhavetobesacrificedinordertostudy.Iwillhavetoputmyprogressonthisprojectonpausesothat Ican focusmoreonmystudiesbut I look forwardtocontinuingmyworkwhen Ireturnforsemester2.

-January2017-

1stto14th

ThefirsttwoweeksofJanuarywereprimarilyfocusedonstudyingformyexamssoverylittleworkhasbeenputtowardsmyproject.Iamverypleasedwithhowmyexamswentwhichhasgivenmea lotofmotivation toworkonmyprojectbeforewereturnbacktocollegeforoursecondsemester.

15thto21st

During this time I put a lot of effort into improving my algorithm for sharingphotoswith trustedusers. I also spent some time improvingmyprototypeandgivingitamuchsleekeranduser-friendlyinterface.Iamhappywiththeprogressbeingmadesofar.

Technical Report

Page 51

22ndto28th

During this time I was on a family holiday in Dubai so no work was done. Iunfortunately had tomiss our firstweekback at college but Iwill put inmoreefforttomakeupforlosttime.IcontactedmysupervisortoletherknowthatIwouldnotbepresentduringthistime.

-February2017-

1stto8th

DuringoneofmysupervisormeetingswithSara,sheproposeda fantastic idea.As I ama current employeeatACIA (AonCentre for InnovationandAnalytics),SarasuggestedthatIaskpermissiontoimplementmyprojectontheirwebsite.Itwould lookgreat to implement theproject toa real lifebusinessand lookveryimpressiveduringmypresentationandshowcase. I thoughtthiswasa fantasticideasoIorganisedameetingwithmymanager inwork.Unfortunatelythiswasnot something that Aon was prepared to help with as they already have anIntrusiondetection system implemented in thebusiness.But itwasallworthatry.WiththisinmindIbegantoworkonthedevelopmentofmyproject.

9thto15th

Aftermuch thought, I decided tousePHP formyproject instead.Bitof a riskymove so late in the college year but I feel it is a good decision. PHP is verypopular;thereforethereareanumberofreferencesandguidelinesavailableonthenet.Onecanalso findmanysupportgroups, forums,andteamssupportingPHP. As I am not the strongest programmer, I feel this will help my progresstremendouslyasthere’salwaysenoughonlinelibrarysupporttogetyouthrough.PHP,beingveryfasttodevelopensuresthatthereisaquickturnaroundtime.Italsohasmultipleextensionsandisextremelyscalable.

Before Ibegantocreatemy index.phppageIdownloadedand installedXAMPPtostoretheprojectonalocalserver.XAMPPisafreeopensourcecross-platformwebserversolutiondevelopedbyApacheFriends.ItconsistsoftheApacheHTTPserver, MariaDB database and interpreters for scripts written in PHP and Perlprogramming languages. Iwasexcitedtobefinallystartingdevelopmentonmy

Technical Report

Page 52

projectbut Ihavea lotofworkaheadofme. Icreatedthe logoformywebsiteusingAdobeFireworksandalsocreatedsomeother iconssuchasasearchbar,searchbutton,homebutton,headersliverandsoon.ThistookmoretimethanitshouldofasIwaslearningtheropesoffireworks,butonlinetutorialshelpedmegetthroughit.Iamquitepleasedwiththedesignandaestheticofmywebsite.Inow need to focus on Database Creation and Table Structure and from theremoveontoaddinginsomeofthefunctionalityneeded.AlotofworkaheadbutitisexcitingandIlookforwardtoprogressingfurther.

16thto28th

AllstudentswererequiredtogettheirphotostakenintheAtriumforourprojectshowcase profiles (photos could also be used for LinkedIn). I updated myshowcase profile by entering a 40-word profile for the project and also a 200-wordprofile,whichwasamoredetaileddescription.Ilookforwardtodevelopingmyproject further in thenext fewweekswith the kindhelp and support fromSara.

-March2017-

1st to 8th CreatedthedatabaseonmyhostenvironmentandwroteamodularPHPscriptfor establishing connection to the database using the improved MySQLiextension.Afterdoingsomeresearch I foundthatPHPandMySQLarethecoredata processing technologies of some of the most popular social webapplications.IthenscriptedtablecreationintomyMySQLdatabasetoestablishallof the software system's tablesusingPHPandSQL syntax.Toadda levelofsecurity to my web application, I established a .htaccess file and learned topreventdirectoryfilelistingaswellasspecifyamoreuserfriendly404errorpagethroughhtaccess. Iusedthephp.ini filetoadjustmyPHPconfigurationsettingsontheapacheserver.IthencreatedthemainJavaScriptmodule,whichisthefilethatwillbecalledintoeverypageofthewebapplication.IspenttherestofthisweektoworkonotherCA’sandstartedpreparingformyupcomingexams.

Technical Report

Page 53

9thto16th

Began progress on programming a user sign up form and corresponding emailactivationscript.IusedHTML,CSSandJavaScriptforuserinterfacing.TheserversidescriptingisPHPconnectedtoaMySQLdatabase.Thissectionoftheprojectincludes real time field restricting, user must view terms of use, real timeusernamecheckingandmore.Ajaxisinuseforallserversidedatatransmissions.User must activate their account through email in order to interact on theapplication. I usedPHPMailer for automatedemailsbeing sentout tousers forsigning up and sending temporary passwords, as you will read further down.PHPMailerisaclasslibraryforPHPthatprovidesacollectionoffunctionstobuildand send email messages. PHPMailer supports several ways of sendingemail:mail(),Sendmail,qmail&directtoSMTPservers.Youcanuseanyfeatureof SMTP-based e-mail. The email activation process verifies and confirms thattheyhavegiventheirrealemailaddress.Afterthesignupformwascomplete IprogrammedtheHTML/PHP/Ajax login form,the logoutscript,andstartedtheuser profile page. I also created a module for checking user session andauthentication against the MySQL database. Once this functionality wascompleted I began research on site maintenance automation using Cron Jobs.UponmyresearchIdiscoveredthatIcouldsetthemtoexecuteatanyinterval.Inmy application I created a PHP cron job that will delete all non-activate usersafter10days.ThereasonIimplementedthiswastoclearthedatabaseoftheseusersperiodicallysothatthesystemdoesn’tbecomecloggedwithnon-activatedusers. IspenttherestofthisweektoworkonotherCA’sandstartedpreparingformyupcomingexams.

17thto25th

IprogrammedanAjaxPHPMySQLForgotPasswordscriptfortheuserswhomay happen to forget their password. This logic generates a temporarypassword for the user. Also implemented in their account editingfunctionality is an option for the user to change their password tosomething they desire as often as they like. Once that was completed Ifocusedmyattentionon creatingwebdevelopment logicbehind creating“Friend” systems and “BlockUser” systems using PHP,MySQL, JavaScriptAjax, and simple dynamic HTML rendering. I then programmed PHP andmysqlilogicintomyheaderfilethatrendersdynamiclinksfortheusers.Iftheuserisnotloggedintheywillseeadifferentsetoflinksthanaloggedinuser. I then implemented PHP,MySQL, JavaScript and Ajax programming

Technical Report

Page 54

logic behind scripting friend lists and notification lists. This also includedaccepting and rejecting friend requests, which gets placed into thefriend_system.phpmodulethatcanbecalledbyAjaxanywhereinthewebapplication.

26thto31stImplemented the functionality toallowusers to change theirprofilephotoandbeganbuildingthephotouploadapplication.IhadtofamiliarizemyselfwiththePHPandMySQLsideofcreatingimageuploadapplicationsandcreatedasimplefront-end form. I created a PHP and Ajax photo gallery, the initial gallerythumbnailsareloadedusingPHP,everythingelseisbroughtintoviewusingAjaxthatrequests imagesfromPHPandMySQL. Italsocontainsasimplefileuploadscript so that the users can populate their galleries with pictures. I installed adelete link only for the photo owner when they view any images that theyuploadedthemselves.

Iwanted to continueworking onmy project as I felt Iwasmaking some goodprogressbutIhadtosetasidemoretimeforotherassignmentsandexams.Verybusytime!!

7.2 ProjectProposal

-Objectives-

Nowadays,usersallaroundtheworlduseemailastheirfundamentalmethodtoshare informationovertheweb.Thenetworkprovidersallowall typesofemailfor the purpose of communication. During this transfer of information somemaliciousemailsarereceivedwhichcancauseproblemseitherattheserversideorattheclientside.Inthisproject,weproposeanintrusiondetectionsystemfordetectingthesemaliciousemails.

Technical Report

Page 55

Inrecenttimes,oneofthemostdangerousthreatsagainstpersonaldatasecurityat home and in the workplace is phishing. Phishing has become an extremelycommonformofcyberattack.Itconsistsofdefraudingpeoplebyluringthemtofake websites where users unknowingly provide personal details such as logininformation and credit card details. These fraudsters appear as a trusted thirdparty,likeawell-knownbank.Themostcommonmethodsofphishingaredoneby email. Once these details are acquired they can be used in the practice ofidentity theft or credit card fraud. In thepast, efforts havebeenmade to stoptheseattacksby identifyingphishingsitesusingplug-ins,but theseeffortshavebeenmadeinvainbyemergingblockingtechniques,whichrenderthemuseless.There isanabundanceofthesetypesofattacks,somuchso,thattheeverydayuserwillbeindangerwhethertheyknowitornot.Iwillalsoincludeapersonalexperience of my own later in this document, which brought this topic tomyattention. In this project we propose an Intrusion Detection System foridentifying these types of malicious emails and root them to their source toevaluate. This will be made possible by using a data capture facility that willcategorize some of the incoming emails as potential phishing activities and anevaluationsystemthatwill sendcrawlers towebsitesrelatedtothesedetectedemails to determine their true intentions. By detecting malicious emails inincomingtraffic,thisfiltersauser’sinboxandremovestherequirementofauserbeing trained in the practice of secure web browsing. As most users are nottrained in this manner, this system will prove quite useful. The IntrusionDetectionSystem (IDS)willdetectphishingemailsandensure thatall incomingtraffic is not harmful. Upon detection of amalicious email, the next step is tosendcrawlerstothesephishingwebsitesthatarelinkedintheseemailsandalsothewebsite that it is trying to impersonate.Analgorithmthenstripsbothsitesdownandcomparesthemusingascoringsystemforthedifferencebetweenthetwo–ultimatelydecidingwhetherornotitisaphishingwebsite.

-Background-

I am a current employee of ACIA (Aon Centre for Innovation and Analytics)workingpart-timeduringmystudies.IhavebeenanemployeeofACIAsincethesummerof2015whenIappliedforaninternship.IhavenotbeenworkingwiththiscompanyforlongbutIhaveseenmyfairshareofmisleadingandmaliciousemails in the workplace. Even in a technology-based company such as this,employeeswere still the victimsof thesephishingattacks. It just goes to show

Technical Report

Page 56

howcomplexanddeceitfultheseattacksarebecoming.Thiswasthebasisofmydecision todesignanddevelopan IntrusionDetectionSystem formy final yearproject.Itwasoneattackinparticularthatwassuccessfulamongasmallnumberof my colleagues. It occurred during my six-month placement for third year,around the month of July. A number of staff began to receive fake emailspurporting to come from the Revenue Commissioners and were warned soonafterwardsthatalthoughtheemailaddressseemsvalid, it is justapieceoftextandcaneasilybefaked.Emailaddressesarenotverifiedandcannotbereliedonas proof of the identity of the sender organization. These emails seemed veryprofessionallymadeandtriedtotrickusers intobelievingthattheyweredueataxrefund,mostlyintherangeofaround€160,andenticedthemtoenterbankdetails. It wasn’t until the very next day that similar emails started to roll in.Colleagues were warned to remain extremely vigilant and never to click onsuspicious links or provide any sensitive information. This time the phishingemailswereindisguiseasinvoicesfromAppleandagain,lookedverylegitimate.OnofficewideemailwassentoutfromITtowarnthatproceedsfromsuchscamsare quickly transferred offshore, usually through multiple countries/banks andprove impossible to retrieve, even where amounts are greatly in excess of€25.99. Although these types of attacks are very unfortunate, it was good toexperienceitfirsthandintheworkplace,andtoseehowtheofficedealtwiththesituation.HoweverIfeltthatitwasn’tenoughandIwantedtocreatesomethingthatwouldtacklethisissueheadon,eradicatingtheproblemontheuser’send.Thereareanumberofcurrentsolutionsouttherethatusestrongspamfilterstosegregatephishingsolicitations.Afewexampleswouldinclude:

• SpoofGuard

• SpamAssassin

• Phishwish

SpoofGuard

SpoofGuardisabrowserbasedplug-inthatmonitorsuser’sInternetactivityanddisplaysawarningmessageifitsuspectsawebsitetobeaphishingsite.ThetooldeterminesthisbyobservingifthepagewasloadedformanemailandwhetherornottheURLwasvisitedbefore.SpoofGuardusesthreemethodstodetermineimpersonation. 1 – a statelessmethod that determineswhether adownloadedpage is suspicious. 2 – a stateful method that evaluates a downloaded page

Technical Report

Page 57

seeinguser’spreviousactivity.3–amethod,whichevaluatesoutgoingpostdata.SpoofGuardusesanaggregatefunctiontocalculatethetotalspoofscore(TSS).

SpamAssassin

SpamAssassin isatoolthatrecognizesspamcontainingphishingemail. Ithasafalsenegativeof15%forspame-mails,andperformsworstwhentestedwith10foldcrossvalidation. Itusesarangeofheuristictestsontheheadersofmail toidentifyspamandcanbeanIDSfordetectingphishingattacks.Initsalgorithm,ituses text analysis, Bayesian filtering, DNS block list and a Stochastic GradientDescentmethodintraininganeuralnetwork.Thisisusedforitsscoringbasedonperception.SpamAssassindoesnotdeleteemailsbutcanrouteclassifiedemailstomailboxesorfolders.

Phishwish

The primary goal of Phishwish is to maximize the number of phishing emailsdetectedwhileminimizingthenumberoffalsepositives.Itisapplicabletoemailsthatinstructtherecipienttologintoawebsite.ItprocessestextbasedandHTMLformattedemails,althoughsomerulesareonlyapplicabletoHTML.Eachoftherulesareassignedaconfigurableweight.

ThisiswhereIbelievethereisasignificantresearchgapastheseexamplesarealleitherclientside,plug-insor justspamfilter.There isagapherewithroomforimprovement.

ExistingSoftware

Inthissectionwewilldiscusssomeofthecurrentgenerationintrusiondetectionsystems:

Network IDS–Thenetwork IDSusuallyhas two logicalcomponents: thesensorandthemanagementstation.Thesensorsitsonanetworksegment,monitoringitforsuspicioustraffic.Themanagementstationreceivesalarmsfromthesensoranddisplaysthemtoanoperator.Thesensorsareusuallydedicatedsystemsthatexistonlytomonitorthenetwork.Theyhaveanetworkinterfaceinpromiscuousmode, which means they receive all network traffic not just that destined fortheir IP address and they capture passing network traffic for analysis. If theydetectsomethingthatlooksunusual,theypassitbacktotheanalysisstation.

Technical Report

Page 58

Host IDS – The host-based IDS looks for signs of intrusion on the local hostsystem.Thesefrequentlyusethehostsystem’sauditandloggingmechanismasasourceofinformationforanalysis.Theylookforunusualactivitythatisconfinedto the local host such as logins, improper file access, unapproved privilegeescalation, or alterations on system privileges. This IDS architecture generallyusesrule-basedenginesforanalyzingactivity;anexampleofsucharulemightbe,“superuserprivilegecanonlybeattainedthroughthesucommand”.Thereforesuccessiveloginattemptstotherootaccountmightbeconsideredanattack.

Oursystemhasanumberofadvantagesoversomeofthecurrentsystemsyoucanfindtoday:

• Thedetectionofaphishingemailisindependentofindividuals’settings.

• Because our system is server-based, it allows uniform securityenforcementwithinanorganizationandreducestheeffortsofperformingupdates.

• It is not vulnerable to an attack thatwouldbypass client browser baseddefenses.

-TechnicalApproach-

This system will consist of three main components: a Spam filter to detectunsolicitedemails,aSimpleMailTransferProtocol(SMTP)serverwhichisthedefactostandardforsendingemailovertheinternet,andApachewebserverwhichisanopensourcewebserver.TheIDSscannerwillscanallreceivede-mailsandwillmark some of them as potential phishingmessages and then enters themintoadatabase.Emailsare classifiedasphish if theycontainembeddedHTML.MySQLwillbeusedtostoreinformationregardingthedetectedmaliciousemails,wheredataentered into thedatabaseconsistsof thecontentof theemail andtimeofreceipt.AbackgroundprocesswillruntoscanallURL’slistedonmarkedemails,stripsHTMLtagsanddetermineswhetherornottheyhavebeenearlierobserved.Ifthesiteshavenotbeenpreviouslyevaluated,thecrawlerswilltrytodetermineiftheyarephishingwebsites.Knowncharacteristicsofphishingemails

Technical Report

Page 59

willbeusedtodetectthem.Thespamfilterwillmarkemailasphishingemailsiftheycarrysomeofthefollowingattributes:

• URLincludingIPaddresses

• HTMLmaskedURLs

• EmailscontainingencodedHTML

• Crosssiteimages

- SpecialResourcesRequired-

The following are highly valued resources in my learning of secure programming:

Website: https://www.owasp.org/index.php/Main_Page Book: J. Manico 2014, Iron-Clad Java: Building Secure Web Applications, McGraw-Hill Education.

-TechnicalDetails-

Thelanguageusedfordevelopingtheproject isJavaas it isquiteadvantageousthan other languages in terms of performance, tools available, cross platformcompatibility,libraries,cost(freelyavailable),anddevelopmentprocess.

-Evaluation-

Thisprojectwillbeevaluatedbyanumberoffactors:

Technical Report

Page 60

• Howwellitrunsuponcompletion• Howmanyspecifiedgoalsoftheprojecthavebeenreached• Demothisprojecttoatestgroupandreceivefeedbackandreviewson

theirexperiences