Technical Report - Intrusion Detection System for Malicious Email


Post on 17-Sep-2018


Stephen Kelly, x12386816, x12386816@student.ncirl.ie

Intrusion Detection System for Malicious Email, Technical Report
BSHC (Honours) in Computing, Software Project
National College of Ireland
Supervisor: Sara Kadry

10th May 2017

  • Technical Report

    Page 2

Table of Contents

Executive Summary ........ 4
1 Introduction ........ 5
1.1 Background ........ 5
1.2 Aims ........ 6
1.3 Scope ........ 6
1.4 Technologies ........ 7
2 User Classes and Characteristics ........ 8
3 Requirements Specification ........ 9
3.1 Functional Requirements ........ 9
3.1.1 Use Case Diagram ........ 10
3.1.2 Requirement 1: Register ........ 10
3.1.3 Requirement 2: Upload Photo (Create Album) ........ 15
3.1.4 Requirement 3: Invite Users ........ 19
3.1.5 Requirement 4: Share Photo ........ 21
3.1.6 Requirement 5: Edit Friend List (Trusted User) ........ 22
3.2 Non-Functional Requirements ........ 29
3.2.1 Performance/Response Time Requirement ........ 29
3.2.2 Safety Requirement ........ 29
3.2.3 Security Requirement ........ 29
3.2.4 Requirement Attributes ........ 30
3.2.5 Business Rules ........ 30
3.2.6 User Requirement ........ 31
3.2.7 Maintainability Requirement ........ 31
3.2.8 Portability Requirement ........ 31
3.2.9 Extendibility Requirement ........ 31
3.3 Design and Architecture ........ 32
3.4 Graphical User Interface (GUI) ........ 33
3.5 Testing ........ 42
3.6 Evaluation ........ 43
4 Conclusion ........ 43
5 Future Development ........ 43
6 References ........ 44
7 Appendix ........ 44
7.1 Monthly Journals ........ 44
7.2 Project Proposal ........ 54


Executive Summary

Users all around the world now rely on email as their primary method of sharing information over the web. Network providers allow all types of email through for the purpose of communication, and during this transfer of information some malicious emails are received which can cause problems either at the server side or at the client side. In this project we propose an intrusion detection system designed to detect these malicious emails.

In recent times, one of the most dangerous security threats against private user data, at home and in the workplace, is phishing. Phishing has become an extremely common form of cyber attack. It consists of defrauding people by luring them to fake websites where users unknowingly provide personal details such as login information and credit card details. The fraudsters appear as a trusted third party, like a well-known bank. The most common method of phishing is by email. Once these details are acquired they can be used for identity theft or credit card fraud. In the past, efforts have been made to stop these attacks by identifying phishing sites using plug-ins, but these efforts have been made in vain by emerging blocking techniques, which render them useless. There is such an abundance of these attacks that the everyday user will be in danger whether they know it or not.

In this project we propose an Intrusion Detection System for identifying these types of malicious emails and tracing them to their source for evaluation. This will be made possible by a data capture facility that will categorize a number of incoming emails as potentially malicious, and an evaluation system that will send crawlers to the websites linked from these detected emails to determine their true intentions. By detecting malicious emails in incoming traffic, the system filters a user's inbox and removes the requirement for the user to be trained in the practice of secure web browsing. As most users are not trained in this manner, this system will prove quite useful. The Intrusion Detection System (IDS) will detect malicious emails and ensure that none of the incoming emails or data is harmful. When a malicious email is detected, the next step is to send crawlers to the phishing website linked in the email and also to the website that it is trying to impersonate. An algorithm then strips both sites down and compares them using a scoring system for the difference between the two, ultimately deciding whether or not it is a phishing website. This Intrusion Detection System will be implemented in a photo-sharing web application with email functionality.
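The strip-and-compare step described above, as an added example that is not the report's own code (the report's implementation is in PHP; Python is used here for illustration). Both pages are constructed samples, the thresholds are assumptions, and the score combines visible-text similarity with the overlap of link hosts:

```python
# Added example (not the report's code): strip two pages down to visible
# words and link hosts, then score how alike they are. A page whose text
# matches the genuine site but whose links go elsewhere is a likely clone.
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageStripper(HTMLParser):
    """Collect visible words and the hosts that <a href> links point to."""
    def __init__(self):
        super().__init__()
        self.words, self.hosts, self._skip = [], set(), False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip = True  # script/CSS text is not visible to the user
        elif tag == "a" and attrs.get("href"):
            self.hosts.add(urlparse(attrs["href"]).hostname or "")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"\w+", data.lower())

def strip_page(html):
    parser = PageStripper()
    parser.feed(html)
    return parser.words, parser.hosts

def similarity_score(suspect_html, genuine_html):
    """Return (text_ratio, host_ratio); each is 1.0 for identical pages."""
    s_words, s_hosts = strip_page(suspect_html)
    g_words, g_hosts = strip_page(genuine_html)
    text_ratio = SequenceMatcher(None, s_words, g_words).ratio()
    all_hosts = s_hosts | g_hosts
    host_ratio = len(s_hosts & g_hosts) / len(all_hosts) if all_hosts else 1.0
    return text_ratio, host_ratio

def is_clone(suspect_html, genuine_html, text_min=0.8, host_max=0.5):
    """Flag a near-identical page whose links lead to different hosts (assumed thresholds)."""
    text_ratio, host_ratio = similarity_score(suspect_html, genuine_html)
    return text_ratio >= text_min and host_ratio <= host_max

# Constructed sample pages: same visible text, different link destination.
GENUINE = ('<h1>Example Bank</h1><p>Sign in to online banking</p>'
           '<a href="https://bank.example/login">Login</a>')
CLONE = ('<h1>Example Bank</h1><p>Sign in to online banking</p>'
         '<a href="http://bank-login.example.net/login">Login</a>')
```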


    1 Introduction

1.1 Background

I am a current employee of ACIA (Aon Centre for Innovation and Analytics), working part-time during my studies. I have been an employee of ACIA since the summer of 2015, when I applied for an internship. I have not been working with this company for long, but I have seen my fair share of misleading and malicious emails in the workplace. Even in a technology-based company such as this, employees were still the victims of these phishing attacks.

It just goes to show how complex and deceitful these attacks are becoming. This was the basis of my decision to design and develop an Intrusion Detection System for my final year project. It was one attack in particular that was successful among a small number of my colleagues. It occurred during my six-month placement for third year, around the month of July. A number of staff began to receive fake emails purporting to come from the Revenue Commissioners and were warned soon afterwards that although the email address seems valid, it is just a piece of text and can easily be faked. Email addresses are not verified and cannot be relied on as proof of the identity of the sender organization. These emails seemed very professionally made and tried to trick users into believing that they were due a tax refund, mostly in the range of around 160, and enticed them to enter bank details. It wasn't until the very next day that similar emails started to roll in. Colleagues were warned to remain extremely vigilant and never to click on suspicious links or provide any sensitive information. This time the phishing emails were disguised as invoices from Apple and again looked very legitimate. An office-wide email was sent out from IT to warn that proceeds from such scams are quickly transferred offshore, usually through multiple countries/banks, and prove impossible to retrieve, even where amounts are greatly in excess of 25.99.

Although these types of attacks are very unfortunate, it was good to experience it first-hand in the workplace and to see how the office dealt with the situation. However, I felt that it wasn't enough, and I wanted to create something that would tackle this issue head on, eradicating the problem on the user's end.


1.2 Aims

The purpose of this project is to provide an easy and user-friendly way to allow users to have a safe working environment when using an online web application with email functionality. The main objective of this project is to maintain a safe and user-friendly environment and to eradicate any incoming threats via email. This product will consist of two main components: an Intrusion Detection System and a web application that will allow users to share photos with friends.

1.3 Scope

The web application will allow users to sign up to a service which will provide a safe environment for them to share photos with their friends. To sign up to this service, each user must have a valid email address. Once a user has become a registered member, they can invite other users via email to join the service. They do this by sending an email which will include an invitation. When the receiver of the invitation email accepts the invite, they will be brought to the web application to register as a member. Once completed, they will then become a friend (trusted user) and will appear on a trusted user friends list. This will connect both users and allow them to share photos on the website.

To ensure the safety and security of the process of sending emails, we have implemented an intrusion detection system that will detect malicious emails. When sharing photos, any photo received from an untrusted user will be marked as malicious email and placed in a junk folder. This system will co-exist with the web application and improve the overall security for its members. The Intrusion Detection System uses a data capture facility that will categorize some of the incoming emails as potential malicious activity. By doing so, we create a user-friendly environment where people can share photos without any concern.

By detecting malicious emails in incoming traffic, this system will filter a user's inbox and eradicate the need and cost of requiring users to be trained in the practice of secure web browsing. The Intrusion Detection System (IDS) will detect phishing emails and ensure that all incoming traffic is not harmful. The project is specifically designed for the use of users who sign up to our photo-sharing site with a valid email address. The product will work as a complete user interface for the site.


Anybody with a valid email address and an Internet connection can use this system. It is especially useful for anyone who needs a secure and safe option to share photos. The project can very easily be modified for different scenarios, and new features will be able to be added when needed. This makes reusability possible. The language used for the development of this project is PHP, as it is very beneficial over other programming languages in the areas of performance, tools available, cross-platform compatibility, libraries and cost.

1.4 Technologies

This system will consist of three main components: a spam filter to detect unsolicited emails, a Simple Mail Transfer Protocol (SMTP) server, which is the de facto standard for sending email over the Internet, and the Apache web server, which is an open source web server. The IDS scanner will scan all received e-mails, mark some of the messages as malicious activity and then enter them into a database. Emails are classified as malicious if they contain embedded HTML or if they are received from an untrusted user. MySQL will be used to store information regarding the detected malicious emails; the data entered into the database consists of the content of the email and the time of receipt. A background process will run to scan all URLs listed in marked emails, strip HTML tags and determine whether or not they have been observed earlier. The spam filter will mark emails as phishing emails if they carry some of the following attributes:

Received from an untrusted user

URLs including IP addresses

HTML-masked URLs

Emails containing encoded HTML

Cross-site images
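The attribute checks listed above, as an added example that is not the report's own code (the report's filter is written in PHP; Python's standard email parser is used here). The trusted-user list, the sample message and the "encoded HTML" test (a base64 content-transfer-encoding on an HTML part) are assumptions:

```python
# Added example (not the report's code): report which of the listed phishing
# attributes a raw RFC 822 message exhibits. The trusted list and SAMPLE are
# constructed; HTML is scanned with plain regular expressions for brevity.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"friend@example.org"}  # constructed trusted-user list
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IMG = re.compile(r'<img[^>]+src="([^"]+)"', re.I)
URL_TEXT = re.compile(r"https?://\S+", re.I)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def phishing_attributes(raw):
    """Return the set of listed attributes found in the message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    hits = set()
    if sender not in TRUSTED:
        hits.add("untrusted sender")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get("Content-Transfer-Encoding", "").lower() == "base64":
            hits.add("encoded HTML")  # assumed meaning of "encoded HTML"
        html = part.get_content()
        for href, text in ANCHOR.findall(html):
            if IP_HOST.match(host_of(href)):
                hits.add("URL with IP address")
            shown = URL_TEXT.search(re.sub(r"<[^>]+>", "", text))
            if shown and host_of(shown.group()) != host_of(href):
                hits.add("HTML-masked URL")  # link text shows a different site
        sender_domain = sender.rsplit("@", 1)[-1]
        if any(host_of(s) not in ("", sender_domain) for s in IMG.findall(html)):
            hits.add("cross-site image")
    return hits

SAMPLE = """\
From: Example Bank <alerts@bank-secure.example.net>
To: victim@example.org
Subject: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm at <a href="http://203.0.113.7/login">https://bank.example/login</a></p>
<img src="https://bank.example/logo.png"></body></html>
"""
```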


2 User Classes and Characteristics

Different services are provided by the IDS-secured web application based on the type of user. In this case we have two different users: Photo Owner and Trusted User. A photo owner is a member who uploads a photo to the site and invites a user to join the service to view the photo. A trusted user is anyone who receives this email invitation and accepts, placing them in the sender's trusted user friends list.

The features that are available to a Photo Owner are:

Login/logout
Change profile picture
Upload photo
Delete photo
Request as friend
Block user
Share/send photo
Invite user
Create album/gallery
Tag photo
Add comment

The features that are available to a Trusted User are:

Login/logout
View/download photo
Edit trusted user friend list
Comment on a photo
Delete/block other members/friends
Tag friends/places in photos


3 Requirements Specification

3.1 Functional Requirements

1. Registration (Create Account): Users must be able to create an account for this service by registering with a valid email address.

2. Change Password: Users will have the option to request a temporary password if they have forgotten theirs. This temporary password will take the first 4 letters of their email and add 5 randomly selected numbers onto that, and will be emailed to the user. Users will then also have the option to change their password to something more familiar to them.

3. Upload Photo: Users must have the functionality to upload photos into predefined galleries on the website.

4. Delete Photo: Users will have the option to delete a photo from their gallery. This function will only belong to the photo owner.

5. Invite Users: Users must have the ability to invite other people to join the service via email invitation.

6. Share Photo: Users must be able to share photos amongst other users. Photos will be shared over email. This process will be secured by our Intrusion Detection System.

7. Edit Friends List (Friend/Unfriend User): Users must be allowed to modify their trusted users, giving them the power to decide who they can share photos with, whether sending or receiving.

8. Block User: Users must have the functionality to actively block any other member of the web application, disabling them from viewing/sharing any photos.

9. Comment: Users will have the ability to leave messages/comments on user profiles and pictures.

10. Change Profile Picture: Users will have the ability to change their profile picture at any time from their user profile page.


3.1.1 Use Case Diagram

3.1.2 Requirement 1: Registration

3.1.2.1 Description & Priority

This requirement describes the actions taken by a user to register as a member on the photo sharing web application. A user must provide a username, valid email address, password, confirm password, gender and country. This requirement is vital to the system as it is the only means of access to the system. It also ensures that only registered users can access the system. Upon registering, an automated email will be sent to the user with an activation link. Only activated users will be allowed to access the site, ensuring that valid emails are being used.


3.1.2.2 Use Case Scope

The scope of this use case is to ensure that only registered users can access the system and ensures tha...
