C2NE.02 TestingDocument ML IDS
Capstone Project 2
CMU-CS451
Testing Document
Version 1.0
Date: 28-5-2021
Hieu, Le Quang
Vu, Duong The
Khai, Tran Dinh
Hoang, Duong Ngoc
Approved by
Assoc. Prof. Nguyen Gia Nhu
REVISION HISTORY
C2NE.02 Page 2 of 12
Testing Document –ML-IDS
Table of Contents
Table of Contents (p. 3)
1. Introduction (p. 4)
1.1. Purpose (p. 4)
1.2. Scope (p. 4)
2. Scenario deployment (p. 4)
2.1. Scenario 1: DDoS attack (p. 7)
2.2. Scenario 2: Brute Force Attack (p. 9)
2.3. Scenario 3: SQL Injection Attack (p. 10)
3. Conclusion (p. 12)
Table of Figures
Figure 1. Setup Metasploitable (p. 5)
Figure 2. Metasploitable's UI (p. 5)
Figure 3. Run Firewall (p. 6)
Figure 4. Tab used to capture packets from outside (p. 6)
Figure 5. Tab used to analyze packets (p. 6)
Figure 6. DDoS attack tool (p. 7)
Figure 7. 2nd tab sends results for 1st tab (p. 8)
Figure 8. Information recorded (p. 8)
Figure 9. Result on phone (p. 8)
Figure 10. Scan for Host (p. 9)
Figure 11. Hydra's scan result (p. 10)
Figure 12. Information recorded (p. 10)
Figure 13. SQL Injection attack with SQLmap (p. 11)
Figure 14. Sqlmap is attacking Metasploitable (p. 11)
Figure 15. The result recorded (p. 11)
Figure 16. Result on phone (p. 11)
1. Introduction
1.1. Purpose
This testing document describes the test strategy, objectives, schedule, estimation,
deliverables, and resources required to test the system.
Through this document, and the detailed results it records, we take a closer look at
what the system can do and at the shortcomings that still need to be overcome.
1.2. Scope
– Test all the functions of the system against the following three criteria:
+ Accuracy
+ Security
+ Performance
– Compare the test results with the requirements in the requirements document to
assess the completeness of the system.
2. Scenario deployment
An intrusion detection system lets a business protect its network from threats as
network connectivity grows and as the business comes to depend more on the reliability
of its information system. Whether or not to deploy an IDS is a question that corporate
network administrators are increasingly being asked.
An intrusion detection system (IDS) is the solution to this problem. Using an IDS helps
the business network operate normally and smoothly, avoiding the risk of data being
destroyed by an attacker, whether inside the network or on the Internet.
The most important features of an IDS are:
+ Monitoring: observe the network and the suspicious activity on it.
+ Warning: report the network status to the system and the administrator.
+ Security: apply the administrator's settings and configuration to take
appropriate action against intruders and vandals.
Step 1: Install the Metasploitable virtual machine on VMware as the vulnerable host
that will be attacked.
Figure 2. Metasploitable's UI
Step 2: Start a firewall with an integrated IDS
The firewall is assigned two IP addresses:
+ 10.0.2.2/24 on the interface connected to Metasploitable
+ 192.168.20.129/24 on the interface connected to the Internet
After that, we run the firewall from two Windows PowerShell tabs.
On the first tab we run the command "cicflowmeter -i ens35 -c out.csv -u
http://localhost:8000/predict". This makes the firewall capture the incoming packets on
interface ens35, aggregate them into flows written to out.csv, and send each flow's
features to the model endpoint at http://localhost:8000/predict.
2.1. Scenario 1: DDoS attack
Scenario's purpose: this scenario requires the sniffer to react when too many TCP SYN
packets are sent to the host (a SYN flood DDoS attack is suspected). In this situation
the sniffer has to send a request to the machine learning model, which in turn notifies
the administrator.
Preparation: download and install a DDoS attack tool; here we use Low Orbit Ion Cannon
(LOIC) and run it in a Linux environment.
LOIC is an open-source network stress-testing and denial-of-service attack
application written in C#.
Step 1: Launch LOIC
Enter the URL of the Metasploitable virtual machine, "http://10.0.2.197"; the port to
attack is 80, the attack method is UDP and the number of threads is 100.
The tool then floods the target continuously with packets, aiming to overwhelm the
services running on it and make the target crash. Note that with the UDP method
selected, LOIC sends UDP datagrams; it is LOIC's TCP method that opens TCP connections
and therefore produces the SYN packets this scenario is meant to trigger on.
Port 80 is the port commonly used by the Hypertext Transfer Protocol (HTTP) to transfer
data between web servers and web browsers. In other words, when you type an address
into a web browser, the browser sends a request over HTTP to the web server, and the
web server receives the request and returns the result to the browser.
Step 2: Check the packet status in the firewall
Twilio is an American cloud communications platform as a service (CPaaS) company based
in San Francisco, California. Twilio allows software developers to programmatically
make and receive phone calls, send and receive text messages, and perform other
communication functions through its web service APIs.
This shows that the IDS can correctly detect the DDoS attack and send a notification
to the administrator, so that appropriate action can be taken to stop the attack.
2.2. Scenario 2: Brute Force Attack
Scenario's purpose: this scenario requires the evaluator to react when a series of
flows is sent to the server in an attempt to find the correct password. In that
situation the sniffer has to send a request to the machine learning model, which in
turn notifies the administrator.
Preparation: download and install Nmap and Hydra on Linux.
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon
Lyon. Nmap discovers hosts and services on a computer network by sending packets and
analyzing the responses.
Nmap provides a number of features for probing computer networks, including host
discovery and service and operating system detection. These features are extensible by
scripts that provide more advanced service detection, vulnerability detection, and
other features. Nmap adapts to network conditions such as latency and congestion
during a scan.
Hydra is a parallelized network logon cracker shipped with Kali Linux, Parrot and other
major penetration-testing distributions. Hydra uses several approaches to perform
brute-force attacks in order to guess the right username and password combination.
Penetration testers commonly use Hydra together with wordlist generators such as crunch
and cupp, and then run Hydra against the target with the wordlists those programs
produced.
Step 1: Use Nmap to scan port 22, the port of the SSH service. In this test we scan
the Metasploitable address 10.0.2.197 with the command "nmap 192.168.1.0 -p22".
Step 2: Use Hydra to brute-force the SSH login on the scanned address.
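The detection stage that Scenarios 1 and 2 exercise, written out as an added example; this is not the project's model, not the cicflowmeter tool, and not code from the original document. Constructed packets (a normal HTTP request, a SYN flood against the Metasploitable address and a run of Hydra-style SSH logins) are aggregated into 5-tuple flows with CICFlowMeter-style counters, and two stateful rules stand in for the trained classifier that the flows are posted to at /predict. The attacker address 10.0.2.50, the thresholds, the window sizes and the sample traffic are all assumptions made for this example.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass

# One captured packet (constructed for the example; the real pipeline reads
# packets from ens35 through CICFlowMeter). flags: S=SYN A=ACK P=PSH F=FIN R=RST
Packet = namedtuple("Packet", "ts src dst sport dport flags size")


@dataclass
class Flow:
    """Bidirectional flow with a few CICFlowMeter-style counters."""
    src: str
    dst: str
    sport: int
    dport: int
    first: float
    last: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    fwd_bytes: int = 0      # payload bytes sent by the side that opened the flow
    syn_cnt: int = 0
    fin_rst_cnt: int = 0


def aggregate(packets):
    """Group packets into flows keyed by the 5-tuple: the first packet seen
    fixes the forward direction, replies are matched on the reversed key."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key, forward = (p.src, p.dst, p.sport, p.dport), True
        if key not in flows and (p.dst, p.src, p.dport, p.sport) in flows:
            key, forward = (p.dst, p.src, p.dport, p.sport), False
        f = flows.setdefault(key, Flow(p.src, p.dst, p.sport, p.dport, p.ts, p.ts))
        f.last = max(f.last, p.ts)
        if forward:
            f.fwd_pkts += 1
            f.fwd_bytes += p.size
        else:
            f.bwd_pkts += 1
        f.syn_cnt += int("S" in p.flags)
        f.fin_rst_cnt += int("F" in p.flags or "R" in p.flags)
    return list(flows.values())


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length window."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(flows, syn_threshold=100, syn_window=10.0, ssh_threshold=20, ssh_window=60.0):
    """Stateful rules standing in for the trained model (thresholds and windows
    are assumptions). Returns the alert texts that would go to the admin."""
    alerts = []
    # Scenario 1: many flows to one port whose client sent SYNs but no payload
    # and never closed, i.e. connections left half-open.
    half_open = defaultdict(list)
    for f in flows:
        if f.syn_cnt and f.fwd_bytes == 0 and f.fin_rst_cnt == 0:
            half_open[(f.dst, f.dport)].append(f.first)
    for (dst, dport), times in half_open.items():
        n = max_in_window(times, syn_window)
        if n >= syn_threshold:
            alerts.append(f"SYN flood suspected: {n} half-open flows to {dst}:{dport} "
                          f"within {syn_window:g}s")
    # Scenario 2: many short, completed connections from one source to SSH,
    # which is what each Hydra login attempt looks like on the wire.
    attempts = defaultdict(list)
    for f in flows:
        if f.dport == 22 and f.bwd_pkts and f.fin_rst_cnt and f.last - f.first < 5.0:
            attempts[(f.src, f.dst)].append(f.first)
    for (src, dst), times in attempts.items():
        n = max_in_window(times, ssh_window)
        if n >= ssh_threshold:
            alerts.append(f"SSH brute force suspected: {n} short logins from {src} "
                          f"to {dst}:22 within {ssh_window:g}s")
    return alerts


def sample_packets():
    """Constructed traffic: one normal HTTP request, 150 SYNs against
    10.0.2.197:80 in about two seconds, then 30 Hydra-style SSH attempts."""
    a, t = "10.0.2.50", "10.0.2.197"      # assumed attacker and Metasploitable
    pk = [Packet(0.00, "10.0.2.15", t, 40001, 80, "S", 0),
          Packet(0.01, t, "10.0.2.15", 80, 40001, "SA", 0),
          Packet(0.02, "10.0.2.15", t, 40001, 80, "PA", 300),
          Packet(0.05, t, "10.0.2.15", 80, 40001, "PA", 1200),
          Packet(0.06, "10.0.2.15", t, 40001, 80, "FA", 0)]
    pk += [Packet(10 + i * 0.013, a, t, 20000 + i, 80, "S", 0) for i in range(150)]
    for i in range(30):
        s = 30 + i * 1.5
        pk += [Packet(s, a, t, 50000 + i, 22, "S", 0),
               Packet(s + 0.01, t, a, 22, 50000 + i, "SA", 0),
               Packet(s + 0.02, a, t, 50000 + i, 22, "PA", 48),
               Packet(s + 0.30, t, a, 22, 50000 + i, "PA", 40),
               Packet(s + 0.31, a, t, 50000 + i, 22, "FA", 0)]
    return pk


if __name__ == "__main__":
    print(*detect(aggregate(sample_packets())), sep="\n")
```

The brute-force rule only works because it keeps a per-source count across flows; a classifier that scores each flow posted to /predict on its own never sees that count, which is one reason a per-flow model can miss Hydra's traffic while still catching a flood whose individual flows already look abnormal. In a deployment the returned strings would be the message body handed to the Twilio notification step.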
3. Conclusion
The three tests above show clearly that the system detects a DDoS attack quickly and
with high accuracy, that its accuracy under the SQL injection attack is lower but still
acceptable, and that for the brute force attack it was completely unable to detect the
intrusion.
This shows that the system still needs more training to detect intrusions more
accurately.