International School
Capstone Project CMU-CS451
Testing Document
Version 1.0
Date: 28-5-2021

Implement IDS system integrating machine learning for Hai Dang Travel company

Submitted by: Hieu, Le Quang; Vu, Duong The; Khai, Tran Dinh; Hoang, Duong Ngoc
Approved by: Assoc. Prof. Nguyen Gia Nhu

Proposal Document Review Panel Representative: Name / Signature / Date
Capstone Project 2 Mentor: Name / Signature / Date

Testing Document – ML-IDS
C2NE.02

PROJECT INFORMATION
Project acronym:
Project Title:
Start Date:
Lead Institution:
Project Mentor:
Scrum Master / Project Leader & contact details:
Team members:
Version: 1.0

Table of Contents
1 Introduction
  1.1 Purpose
  1.2 Scope
2 Scenario deployment
  2.1 Scenario 1: DDoS attack
  2.2 Scenario 2: Brute Force Attack
  2.3 Scenario 3: SQL Injection Attack
3 Conclusion

Table of Figures
Figure 1 Setup Metasploitable
Figure 2 Metasploitable's UI
Figure 3 Run Firewall
Figure 4 Tab used to capture packets from outside
Figure 5 Tab used to analyze packets
Figure 6 DDoS attack tool
Figure 7 2nd tab sends results to 1st tab
Figure 8 Information recorded
Figure 9 Result on phone
Figure 10 Scan for Host
Figure 11 Hydra's scan result
Figure 12 Information recorded
Figure 13 SQL Injection attack with SQLmap
Figure 14 Sqlmap is attacking Metasploitable
Figure 15 The result recorded
Figure 16 Result on phone

1 Introduction

1.1 Purpose
A testing document is a detailed document that describes the test strategy, objectives, schedule, estimation, deliverables, and resources required to perform testing for a system. Through this document we take a closer look at what the system can do and at the shortcomings that need to be overcome, based on the detailed results.

1.2 Scope
– Test all the functions of the system against the following three criteria:
  + Accuracy
  + Security
  + Performance
– Compare the test results with the requirements in the requirements document to assess the completeness of the system.

2 Scenario deployment
An intrusion detection system allows businesses to protect their networks from threats as network connectivity, and reliance on the information system, keep increasing. It is becoming increasingly imperative in cybersecurity, and corporate network administrators are asking whether or not to use an IDS. An intrusion detection system (IDS) is the solution to the above problem. Using an IDS helps the business network operate normally and smoothly, avoiding the risk of data destruction by an attacker on the network or on the Internet. The most important features of an IDS are:
+ Monitoring: take control of the network and of suspicious activities.
+ Warning: report the network status to the system and to the administrator.
+ Security: use the settings and configuration from the administrator to take appropriate action against intruders and vandals.

Step 1: Install the Metasploitable virtual machine on VMware as the vulnerable host to be attacked.
Figure 1 Setup Metasploitable
Below is the result after Metasploitable is successfully set up.
Figure 2 Metasploitable's UI

Step 2: Start the Firewall with integrated IDS. The Firewall is assigned two IP addresses:
+ IP 10.0.2.2/24 is used to connect to Metasploitable.
+ IP 192.168.20.129/24 is used to connect to the Internet.
Figure 3 Run Firewall

After that, we run the firewall in two Windows PowerShell tabs. In the first tab we run the command
cicflowmeter -i ens35 -c out.csv -u http://localhost:8000/predict
so that the Firewall receives the incoming packets via ens35 and sends them to localhost.
Figure 4 Tab used to capture packets from outside
The second tab receives the packets sent from the first tab, analyzes whether each packet is dangerous and returns the results to the first tab.
Figure 5 Tab used to analyze packets

2.1 Scenario 1: DDoS attack
Scenario's purpose: This scenario requires the sniffer to react when too many TCP SYN packets are sent to it (a SYN flood DDoS attack is suspected). In this situation the Sniffer has to send a request to the Machine Learning Model, asking it to notify the administrator.
Preparation: Download and install a DDoS attack support tool; here we use Low Orbit Ion Cannon (LOIC) and run it in a Linux environment. LOIC is an open-source network stress testing and denial-of-service attack application written in C#.

Step 1: Launch LOIC. Enter the URL of the Metasploitable virtual machine's address, "http://10.0.2.197"; the port to attack is 80, the attack method is UDP and the number of threads is 100.
Figure 6 DDoS attack tool
This tool continuously sends SYN packets to the target, flooding it, with the aim of blocking the services running on the target and causing it to crash. Port 80 is the port commonly used by the Hypertext Transfer Protocol (HTTP) to transfer data between Web servers and Web browsers and vice versa. In other words, when you type an address into a Web browser, the browser sends a request via HTTP to the Web server, which receives the request and returns the result to the browser.

Step 2: Check the status of the packets in the Firewall.
Figure 7 2nd tab sends results to 1st tab
The second tab analyzed the packets and sent the results to the first.
Figure 8 Information recorded
The first tab records the information analyzed in the second tab. In the picture we can see that packets are transmitted from addresses "10.0.2.1" and "10.0.2.2" through ports "68", "51493" and "51490" to addresses "255.255.255.255" and "10.0.2.197" through ports "67", "80", "3702", etc. The right column shows the status of the packets as analyzed by the IDS system:
+ Benign means the packet is normal and nothing is dangerous.
+ Malicious means the packet is considered dangerous.
The number next to it indicates the accuracy of that analysis result. In the same image we can see that packets sent from address 10.0.2.1 to address 10.0.2.197 via port 80 were identified as malicious. These results are exactly what we set up in LOIC.

Step 3: Check the phone.
Figure 9 Result on phone
Here is a message to my phone sent from Twilio, stating that something was wrong with the flows from 10.0.2.1 to 10.0.2.197. Twilio is an American cloud communications platform as a service (CPaaS) company based in San Francisco, California. Twilio allows software developers to programmatically make and receive phone calls, send and receive text messages, and perform other communication functions using its web service APIs. This proves that the IDS system can correctly detect the DDoS attack and send a notification back to the administrator so that appropriate action can be taken to stop the attack.

2.2 Scenario 2: Brute Force Attack
Scenario's purpose: This scenario requires the evaluator to react when a series of flows is sent to the server in order to find the correct password. In that situation the Sniffer has to send a request to the Machine Learning Model, asking it to notify the administrator.
Preparation: Download and install Nmap and Hydra on Linux. Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. It provides a number of features for probing computer networks, including host discovery and service and operating system detection; these are extensible by scripts that provide more advanced service detection, vulnerability detection and other features. Nmap can adapt to network conditions including latency and congestion during a scan. Hydra is a parallelized network logon cracker built into various operating systems like Kali Linux, Parrot and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to guess the right username and password combination. Hydra is commonly used by penetration testers together with a set of programs like crunch, cupp, etc., which are used to generate wordlists; Hydra then tests the attack using the wordlists that these programs created.

Step 1: We use Nmap to scan port 22, the port of the SSH service. In this test we scan 10.0.2.197, the Metasploitable address, with the command "nmap 192.168.1.0 -p22".
Figure 10 Scan for Host
The result shows that ssh is open at address 10.0.2.197.

Step 2: Use Hydra to attack the scanned address.
Figure 11 Hydra's scan result
The command used is:
hydra -s 22 -l msfadmin -P /home/huy2/Desktop/Passlist.txt -t 16 10.0.2.197 ssh
Here "22" is the port, "msfadmin" is the user name, "/home/huy2/Desktop/Passlist.txt" is the path to the file collecting the password candidates we gathered, "10.0.2.197" is the attacked address and "ssh" is the service that will be attacked. The image above shows the Metasploitable password, "msfadmin". The password is exactly the same as the password set earlier.

Step 3: Check the status of the packets in the Firewall.
Figure 12 Information recorded
The results show that the Firewall was able to catch the incoming attack packets, but the packets were returned as Benign, and on the phone we did not get any notification. This shows that the brute-force attack got past our system undetected.

2.3 Scenario 3: SQL Injection Attack
Scenario's purpose: In this scenario we inject malicious code into the website being attacked, asking the Machine Learning Model to analyze the malicious code without relying on the request payload. The Machine Learning Model then determines whether there is danger or not and notifies the administrator.
Preparation: Download and install sqlmap. Sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Step 1: Open a terminal and type the following command:
sqlmap -u "http://10.0.2.254/mutillidae/index.php?page=user-info.php" --batch --forms
Here -u is the URL of the target. Sqlmap detects the target's vulnerability and prints information about it.
Figure 13 SQL Injection attack with SQLmap
Figure 14 Sqlmap is attacking Metasploitable

Step 2: Check the status of the packets in the Firewall.
Figure 15 The result recorded
According to the image above, packets sent from address 10.0.2.89 to address 10.0.2.254 via port 80 were identified as malicious with an estimated accuracy of 70.39%.

Step 3: Check the phone.
Figure 16 Result on phone
Here is a message to my phone sent from Twilio, stating that something was wrong with the flows from 10.0.2.89 to 10.0.2.254. The above results show that the IDS system can detect the intrusion, but its accuracy is still not as high as for DDoS, and there is a possibility of missing dangerous flows.

3 Conclusion
Through the three tests above, it can be seen clearly that the system detects a DDoS attack quickly and with high accuracy, while its accuracy is not high under the SQL injection attack, though still acceptable; for the brute-force attack it was completely unable to detect an intrusion. This demonstrates that the system still needs more training to detect intrusions more accurately.
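The three scenarios describe per-flow verdicts of Benign or Malicious with a score, one Twilio SMS per detected flow, and two weaknesses recorded in the conclusion: the SQL injection flows scored only 70.39% and the SSH password guessing was rated Benign. The Python below is an added example, not the project's code, sketching the alerting layer that would sit behind /predict: a score floor and a per-flow-pair cooldown on the model path (so a SYN flood yields one message rather than thousands), plus a rate rule on port 22 that fires regardless of the model's label. The record shape, SAMPLE_FLOWS and the notify hook are assumptions.

```python
from collections import defaultdict, deque

# Constructed records shaped like the rows the first tab logs: source, destination,
# destination port, the model's label and score, and arrival time in seconds.
SAMPLE_FLOWS = [
    {"src": "10.0.2.1", "dst": "10.0.2.197", "dport": 80, "label": "Malicious", "score": 0.98, "t": 0.0},
    {"src": "10.0.2.1", "dst": "10.0.2.197", "dport": 80, "label": "Malicious", "score": 0.97, "t": 0.1},
    {"src": "10.0.2.1", "dst": "10.0.2.197", "dport": 80, "label": "Malicious", "score": 0.99, "t": 0.2},
    {"src": "10.0.2.2", "dst": "255.255.255.255", "dport": 67, "label": "Benign", "score": 0.99, "t": 0.3},
    {"src": "10.0.2.89", "dst": "10.0.2.254", "dport": 80, "label": "Malicious", "score": 0.7039, "t": 1.0},
] + [  # password guesses against SSH that the model rated Benign (the scenario 2 miss)
    {"src": "10.0.2.89", "dst": "10.0.2.197", "dport": 22, "label": "Benign", "score": 0.9, "t": 2.0 + 0.5 * i}
    for i in range(8)
]


def triage(flows, min_score=0.6, cooldown=60.0, ssh_limit=6, window=10.0, notify=None):
    """Return the alerts to send; notify is an assumed hook (a Twilio SMS in the project)."""
    alerts = []
    last_sent = {}                 # (src, dst, dport) -> time the last alert went out
    ssh_hits = defaultdict(deque)  # src -> arrival times of its recent port-22 flows

    def emit(alert):
        alerts.append(alert)
        if notify is not None:
            notify(alert)

    for f in sorted(flows, key=lambda r: r["t"]):
        key = (f["src"], f["dst"], f["dport"])
        # Path 1: the model verdict, gated by a score floor and a per-pair cooldown so a
        # flood that yields thousands of Malicious rows produces one message, not thousands.
        if f["label"] == "Malicious" and f["score"] >= min_score:
            if f["t"] - last_sent.get(key, -cooldown) >= cooldown:
                last_sent[key] = f["t"]
                emit({"reason": "model", "flow": key, "score": f["score"], "t": f["t"]})
        # Path 2: a sliding-window rate rule on port 22 that ignores the model's label.
        if f["dport"] == 22:
            recent = ssh_hits[f["src"]]
            recent.append(f["t"])
            while f["t"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= ssh_limit and f["t"] - last_sent.get(key, -cooldown) >= cooldown:
                last_sent[key] = f["t"]
                emit({"reason": "ssh-rate", "flow": key, "count": len(recent), "t": f["t"]})
    return alerts


if __name__ == "__main__":
    triage(SAMPLE_FLOWS, notify=print)
```

On the constructed sample this yields three alerts: one for the 10.0.2.1 to 10.0.2.197 flood, one for the 70.39% SQL injection flow, and one rate alert for the SSH guesses the model missed.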