
International School

Capstone Project 2
CMU-CS451

Testing Document
Version 1.0
Date: 28-5-2021

Implement IDS system integrating machine learning for Hai Dang Travel company
Submitted by

Hieu, Le Quang
Vu, Duong The
Khai, Tran Dinh
Hoang, Duong Ngoc

Approved by
Assoc. Prof. Nguyen Gia Nhu

Proposal Document Review Panel Representative:

Name Signature Date

Capstone Project 2- Mentor:

Name Signature Date


Testing Document –ML-IDS
PROJECT INFORMATION

Project acronym: ML-IDS
Project Title: Implement IDS system integrating machine learning for Hai Dang Travel company
Start Date: 5 March 2021    End Date: 5 June 2021
Lead Institution: International School, Duy Tan University
Project Mentor: Assoc. Prof. Nguyen Gia Nhu
Scrum Master / Project Leader & contact details: Vu, Duong The, Email: thevudn16021999@gmail.com, Tel: 0924037054
Team members (Name, Email, Tel):
  Hieu, Le Quang      hieulw99@gmail.com            0905974123
  Khai, Tran Dinh     Khaitran9499@gmail.com        0707375015
  Hoang, Duong Ngoc   duonghoang159357@gmail.com    0387574359

REVISION HISTORY

Version   Date     Comments        Author    Approval
1.0       May 28   Final Release   C2NE.02

C2NE.02 Page 2 of 12

Table of Contents
Table of Contents (p. 3)
1. Introduction (p. 4)
1.1. Purpose (p. 4)
1.2. Scope (p. 4)
2. Scenario deployment (p. 4)
2.1. Scenario 1: DDoS attack (p. 7)
2.2. Scenario 2: Brute Force Attack (p. 9)
2.3. Scenario 3: SQL Injection Attack (p. 10)
3. Conclusion (p. 12)

Table of Figures
Figure 1. Setup Metasploitable (p. 5)
Figure 2. Metasploitable's UI (p. 5)
Figure 3. Run Firewall (p. 6)
Figure 4. Tab used to capture packets from outside (p. 6)
Figure 5. Tab used to analyze packets (p. 6)
Figure 6. DDoS attack tool (p. 7)
Figure 7. 2nd tab sends results for 1st tab (p. 8)
Figure 8. Information recorded (p. 8)
Figure 9. Result on phone (p. 8)
Figure 10. Scan for Host (p. 9)
Figure 11. Hydra's scan result (p. 10)
Figure 12. Information recorded (p. 10)
Figure 13. SQL Injection attack with SQLmap (p. 11)
Figure 14. Sqlmap is attacking to Metasploitable (p. 11)
Figure 15. The result recorded (p. 11)
Figure 16. Result on phone (p. 11)


1. Introduction
1.1. Purpose
This testing document describes the test strategy, objectives, schedule, estimation,
deliverables, and resources required to test the system.
Through this document, we take a closer look at what the system can do and at the
shortcomings, revealed by the detailed results, that still need to be overcome.
1.2. Scope
– Test all the functions of the system against the following three criteria:
+ Accuracy
+ Security
+ Performance
– Compare the test results with the requirements in the requirements document to
assess the completeness of the system.
2. Scenario deployment
An intrusion detection system lets a business protect its network from threats as
network connectivity grows and the information system is relied on more heavily.
Cybersecurity has become so pressing that corporate network administrators must now
decide whether or not to use an IDS.
An intrusion detection system (IDS) is the solution to this problem. Using an IDS
helps the business network operate normally and smoothly while avoiding the risk of
data being destroyed by an attacker or from the Internet.
The most important features of an IDS are:
+ Monitoring: keep track of the network and of suspicious activities.
+ Warning: report the network status to the system and the administrator.
+ Security: use the administrator's settings and configuration to take appropriate
action against intruders and vandals.
Step 1: Install the Metasploitable virtual machine on VMware as the vulnerable host
that will be attacked.


Figure 1. Setup Metasploitable

Below is the result after Metasploitable has been set up successfully.

Figure 2. Metasploitable's UI
Step 2: Start a firewall with an integrated IDS
The firewall is assigned two IP addresses:
+ IP 10.0.2.2/24 is used to connect to Metasploitable
+ IP 192.168.20.129/24 is used to connect to the Internet


Figure 3. Run Firewall

After that, we run the firewall in two Windows PowerShell tabs.
In the first tab we run the command "cicflowmeter -i ens35 -c out.csv -u
http://localhost:8000/predict", so that the firewall receives incoming packets on
ens35, writes the flows to out.csv, and sends each flow to the analyzer on localhost.

Figure 4. Tab used to capture packets from outside


The second tab receives the flows sent from the first tab, analyzes whether each one
is dangerous, and returns the result to the first tab.

Figure 5. Tab used to analyze packets
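The second tab's role, as an added example that is not the project's own code: receive each flow that cicflowmeter posts to /predict, classify it as Benign or Malicious with a confidence number (the format shown in Figure 8), and notify the administrator once per source/destination pair rather than once per flow. The feature names, the alert threshold, the sample flows and the predict() rule are all assumptions; predict() is a hypothetical stand-in where the trained model would be loaded, and send_sms stands in for the Twilio call.

```python
import json

ALERT_THRESHOLD = 0.60   # assumed: only page the admin above this confidence

# Constructed flow records shaped like the snake_case feature columns of the
# Python cicflowmeter (assumed names; check the CSV header of your version).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.2.1", "dst_ip": "10.0.2.197", "dst_port": 80, "protocol": 6,
     "flow_pkts_s": 4200.0, "tot_fwd_pkts": 4000, "syn_flag_cnt": 3920},   # flood
    {"src_ip": "10.0.2.2", "dst_ip": "255.255.255.255", "dst_port": 67, "protocol": 17,
     "flow_pkts_s": 0.5, "tot_fwd_pkts": 2, "syn_flag_cnt": 0},            # DHCP
    {"src_ip": "10.0.2.1", "dst_ip": "10.0.2.197", "dst_port": 80, "protocol": 6,
     "flow_pkts_s": 3800.0, "tot_fwd_pkts": 3600, "syn_flag_cnt": 3500},   # flood again
    {"src_ip": "10.0.2.2", "dst_ip": "10.0.2.197", "dst_port": 80, "protocol": 6,
     "flow_pkts_s": 12.0, "tot_fwd_pkts": 9, "syn_flag_cnt": 1},           # normal HTTP
]

def predict(flow):
    """Hypothetical stand-in for the trained model: a high-rate TCP flow made
    almost entirely of SYN segments is scored Malicious. Load the real model here."""
    if flow["protocol"] != 6 or flow["flow_pkts_s"] < 1000:
        return "Benign", 0.95
    syn_ratio = flow["syn_flag_cnt"] / max(flow["tot_fwd_pkts"], 1)
    score = round(min(0.99, 0.5 + syn_ratio / 2), 2)
    return ("Malicious", score) if syn_ratio > 0.5 else ("Benign", round(1 - score, 2))

class FlowAnalyzer:
    """What the second tab does per posted flow: classify, then notify the
    administrator once per (src, dst, port) pair instead of once per flow."""
    def __init__(self, send_sms):
        self.send_sms = send_sms      # e.g. a wrapper around Twilio's messages.create
        self.alerted = set()

    def handle_predict(self, body):
        flow = json.loads(body)       # assumed: one JSON flow record per request
        label, confidence = predict(flow)
        result = {"label": label, "confidence": confidence}
        key = (flow["src_ip"], flow["dst_ip"], flow["dst_port"])
        if label == "Malicious" and confidence >= ALERT_THRESHOLD and key not in self.alerted:
            self.alerted.add(key)
            self.send_sms("ML-IDS: malicious flows %s -> %s:%d (%.0f%%)"
                          % (key[0], key[1], key[2], confidence * 100))
            result["alerted"] = True
        return result

def run_sample():
    """Feed the constructed flows through the analyzer; returns (results, sms_sent)."""
    sms = []
    analyzer = FlowAnalyzer(sms.append)
    results = [analyzer.handle_predict(json.dumps(f)) for f in SAMPLE_FLOWS]
    return results, sms
```

In the real deployment handle_predict() is the body of the HTTP POST handler behind http://localhost:8000/predict, and send_sms wraps the Twilio client.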

2.1. Scenario 1: DDoS attack
Scenario's Purpose: This scenario requires the sniffer to react when too many
TCP SYN packets are sent to it (a SYN flood DDoS attack is suspected). In this
situation the sniffer must send a request to the machine learning model, asking it to
notify the administrator.
Preparation: Download and install a DDoS attack tool; here we use Low Orbit Ion
Cannon (LOIC), run on a Linux environment.
LOIC is an open-source network stress testing and denial-of-service attack
application, written in C#.
Step 1: Launch LOIC
Enter the URL of the Metasploitable virtual machine, "http://10.0.2.197"; the port
to attack is 80, the attack method is UDP and the number of threads is 100.

Figure 6. DDoS attack tool

This tool continuously sends SYN packets to the target, flooding it with the aim of
disrupting the services running on it and causing it to crash.
Port 80 is the port commonly used by the Hypertext Transfer Protocol (HTTP) to
transfer data between web servers and web browsers. In other words, when you type an
address into a web browser, the browser sends a request over HTTP to the web server;
the web server receives this request and returns the result to the browser.

Step 2: Check the status of packets in Firewall

Figure 7. 2nd tab sends results for 1st tab


The second tab analyzed the packets and sent the results to the first tab.

Figure 8. Information recorded


The first tab records the information analyzed in the second tab. In the picture we
can see:
Packets are transmitted from the addresses "10.0.2.1" and "10.0.2.2" through ports
"68", "51493", "51490", ... to the addresses "255.255.255.255", "10.0.2.197", ...
through ports "67", "80", "3702", etc.
The right column shows the status of the packets that the IDS has analyzed:
+ Benign means that the packet is normal and not dangerous.
+ Malicious means that the packet is considered dangerous.
The number that follows indicates the accuracy (confidence) reported for that result.
The same image also shows that packets sent from address 10.0.2.1 to address
10.0.2.197 via port 80 were identified as malicious. These results match exactly
what we configured in LOIC.
Step 3: Check the phone

Figure 9. Result on phone


Here is a message to my phone, sent from Twilio, stating that something was wrong
with the flows from 10.0.2.1 to 10.0.2.197.

Twilio is an American cloud communications platform as a service (CPaaS)
company based in San Francisco, California. Twilio allows software developers to
programmatically make and receive phone calls, send and receive text messages, and
perform other communication functions using its web service APIs.
This proves that the IDS can correctly detect the DDoS attack and send a notification
to the administrator so that appropriate action can be taken to stop the attack.
2.2. Scenario 2: Brute Force Attack
Scenario's Purpose: This scenario requires the evaluator to react when a series of
flows is sent to the server in order to find the correct password. In that situation
the sniffer must send a request to the machine learning model, asking it to notify
the administrator.
Preparation: Download and install Nmap & Hydra on Linux.
Nmap (Network Mapper) is a free and open-source network scanner created by
Gordon Lyon. Nmap is used to discover hosts and services on a computer network by
sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host
discovery and service and operating system detection. These features are extensible by
scripts that provide more advanced service detection, vulnerability detection, and other
features. Nmap can adapt to network conditions including latency and congestion
during a scan.
Hydra is a parallelized network logon cracker shipped with various operating systems
like Kali Linux, Parrot and other major penetration testing environments. Hydra works
by using different approaches to perform brute-force attacks in order to guess the
right username and password combination. Hydra is commonly used by penetration
testers together with a set of programs like crunch, cupp, etc., which generate
wordlists; Hydra then tests logins using the wordlists those programs created.
Step 1: We use Nmap to scan port 22, the port of the SSH service. In this test, we
scan the network of 10.0.2.197, the Metasploitable address, with the command
"nmap 192.168.1.0 -p22".

Figure 10. Scan for Host


The result shows that SSH is open at address 10.0.2.197.

Step 2: Use Hydra to attack the scanned address.

Figure 11. Hydra's scan result


The command used is: "hydra -s 22 -l msfadmin -P /home/huy2/Desktop/Passlist.txt
-t 16 10.0.2.197 ssh"
Here "22" is the port, "msfadmin" is the user name, "/home/huy2/Desktop/Passlist.txt"
is the path to the file holding the password candidates we gathered, "10.0.2.197" is
the attacked address and "ssh" is the service that will be attacked.
The image above shows the Metasploitable password "msfadmin". The password is
exactly the same as the password set earlier.
Step 3: Check the status of packets in Firewall

Figure 12. Information recorded


The results show that the firewall was able to catch the incoming attack packets, but
it returned them as Benign, and no notification arrived on the phone.
This proves that a Brute Force attack passes through our system undetected.
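Because the model labelled every flow of the Hydra run Benign, a defender would want a check that does not depend on the per-flow features at all: Hydra with -t 16 opens many short TCP connections to port 22 from one source, so counting SSH flows per (source, destination) pair in a sliding window catches the burst. The following is an added example, not the project's code; the window, the flow count limit, the attacker address 10.0.2.50 and the admin address 10.0.2.5 are constructed assumptions.

```python
from collections import defaultdict, deque

SSH_PORT = 22
WINDOW_S = 60.0      # assumed tuning: flows counted per (src, dst) within this window
MAX_FLOWS = 20       # assumed: more SSH connections than this per window is suspicious

def constructed_flows():
    """Constructed flow timeline, not captured traffic: a made-up attacker at
    10.0.2.50 opens 16 SSH connections every 2 s (like hydra -t 16), while an
    admin at 10.0.2.5 logs in twice, minutes apart."""
    flows = []
    for burst in range(3):                      # 3 bursts x 16 flows = 48 flows
        for i in range(16):
            flows.append({"timestamp": burst * 2.0 + i * 0.01, "src_ip": "10.0.2.50",
                          "dst_ip": "10.0.2.197", "dst_port": SSH_PORT, "protocol": 6})
    for ts in (0.5, 200.0):
        flows.append({"timestamp": ts, "src_ip": "10.0.2.5",
                      "dst_ip": "10.0.2.197", "dst_port": SSH_PORT, "protocol": 6})
    return sorted(flows, key=lambda f: f["timestamp"])

class SshBruteForceDetector:
    """Sliding-window count of TCP flows to port 22 per (src, dst) pair;
    observe() returns True once, for the flow that pushes a pair over MAX_FLOWS."""
    def __init__(self, window_s=WINDOW_S, max_flows=MAX_FLOWS):
        self.window_s, self.max_flows = window_s, max_flows
        self.recent = defaultdict(deque)        # (src, dst) -> recent timestamps
        self.flagged = set()

    def observe(self, flow):
        if flow["protocol"] != 6 or flow["dst_port"] != SSH_PORT:
            return False
        key = (flow["src_ip"], flow["dst_ip"])
        times = self.recent[key]
        times.append(flow["timestamp"])
        while times and flow["timestamp"] - times[0] > self.window_s:
            times.popleft()                     # drop flows that left the window
        if len(times) >= self.max_flows and key not in self.flagged:
            self.flagged.add(key)
            return True
        return False

def run_sample():
    """Returns the (src, dst) pairs flagged over the constructed timeline."""
    det = SshBruteForceDetector()
    return [(f["src_ip"], f["dst_ip"]) for f in constructed_flows() if det.observe(f)]
```

Such a rule would sit beside the model in the second tab and feed the same Twilio notification path, so the administrator is paged even when the classifier says Benign.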
2.3. Scenario 3: SQL Injection Attack
Scenario's Purpose: In this scenario we inject malicious code into the website under
attack, and the machine learning model must analyze the malicious traffic without
relying on the request payload. The model then decides whether there is danger and,
if so, notifies the administrator.
Preparation: Download and install SQLmap.
Sqlmap is an open-source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database servers. It
comes with a powerful detection engine, many niche features for the ultimate
penetration tester and a broad range of switches ranging from database fingerprinting,
over data fetching from the database, to accessing the underlying file system and
executing commands on the operating system via out-of-band connections.
Step 1: Open a terminal and type the following command:
sqlmap -u "http://10.0.2.254/mutillidae/index.php?page=user-info.php" --batch --forms
-u: the URL of the target.
sqlmap detects the target's vulnerability and reports information about it.


Figure 13. SQL Injection attack with SQLmap

Figure 14. Sqlmap is attacking to Metasploitable


Step 2: Check the status of packets in Firewall

Figure 15. The result recorded


According to the image above, packets sent from address 10.0.2.89 to address
10.0.2.254 via port 80 were identified as malicious with an estimated accuracy of
70.39%.
Step 3: Check the phone

Figure 16. Result on phone


Here is a message to my phone, sent from Twilio, stating that something was wrong
with the flows from 10.0.2.89 to 10.0.2.254.
The results above show that the IDS can detect the intrusion, but its accuracy is
still not as high as for DDoS, and there is a possibility of missing dangerous flows.

3. Conclusion
The three tests above show clearly that the system can detect a DDoS attack quickly
and with high accuracy; that its accuracy under the SQL injection attack is lower
but still acceptable; and that for a Brute Force attack it was completely unable to
detect the intrusion.
This demonstrates that the system still needs more training to detect intrusions
more accurately.
