Skip to content

DjGorillaz/anomaly-detection-and-monitoring

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

88 Commits
docs
docs
 
 
img
img
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
appveyor.yml
appveyor.yml
 
 

Repository files navigation

Anomaly detection and monitoring Appveyor

This program uses client-server model.

  • Client collects data (traffic data, logon/logoff time) and sends it to server.
  • Server (has GUI) receives data and calculates score, which describes user behaviour anomaly. Anomaly score is between 0 and 100. Also server can obtain keyboard log and screenshots from clients.

Getting started

Download executable files.

Prerequisites

  • Windows 7/8/10
  • Winpcap driver

Usage

server.exe port path
  • port - TCP port, used by clients to connect
  • path - path, used to receive data
client.exe ip dest_port local_port path
  • ip - server's ip
  • dest_port - server's port
  • local_port - TCP port, used to send data
  • path - default path to collect data

❗ For correct score measuring it's needed to collect data at least for 7 days of normal user behaviour.

Program structure

  • Client
    • Sniffer module
    • Keylogger module
    • Screenshot module
  • Server
    • Score calculation module

See architecture diagram

Sniffer

Collects parameters of traffic going through user's PC:

  • Size of incoming traffic
  • Number of unique incoming IP-addresses
  • Size of outgoing traffic
  • Number of unique outgoing IP-addresses

Keylogger

This module uses filter function, which gets keypresses. This function connects to WH_KEYBOARD_LL hook by using WinAPI function SetWindowsHookEx.

All keypresses are saved in fullData.log. This file contains path to process and data:

C:\ProgramFiles (x86)\Google\Chrome\Application\chrome.exe 18:12:06 22.07.2018
Hello, world!

Screenshot

Filter function connects to WH_MOUSE_LL hook. All screenshots can be saved by:

  • Timer timeout (seconds)
  • Mouse clicks (right/left/middle mouse buttons)
  • Mouse wheel

Score

This module gets traffic data, login and logoff time and total session time as input and outputs anomaly score and contributions.

Parameters:

  • N - number of observations of normal user behaviour
  • d0 - distance of the 50% score
  • k - steepness of the curve, which used to calculate score
  • weights - vector used to correct score
  • one-sided deviations - used to calculate only positive or negative deviations
  • contribution - result of algorithm, contribution rate of each feature

See full flowchart of score measuring and anomaly detection algorithm .docx [RU]

Server's GUI

Server GUI

Built With

  • Eigen31
  • Libtins2
  • Winpcap3
  • WinAPI
  • GDIPlus

License

This project is licensed under the MIT License - see the LICENSE.md file for details

About

Anomaly detection and monitoring software

Topics

screenshot monitoring sniffer keylogger client-server anomaly-detection ueba user-control user-entity-behaviour-analytics

Resources

Readme

License

MIT license
Activity

Stars

20 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases 16

v1.0.26 Latest
Sep 7, 2018
+ 15 releases

Packages

No packages published

Languages