William Lin
Irvington High School
Class of 2025
Fremont, California
About
Hello, I'm William, and my Polygence project was a network packet analysis application. I am interested in cyber security and computer science, and am applying to do another project in this field.
Project Portfolio
Making existing network analysis tools/applications more user friendly.
Started Dec. 3, 2021
Abstract or project description
CapyNet: A user-friendly network analysis application with features improved over Wireshark: a more user-friendly filtering system, matching of domain names with IP addresses, and extended analytics to identify network anomalies, built on a pre-existing network packet parsing library.
GitHub Repo Link: https://github.com/williamnamgyal/capynet
Prerequisites:
- Python version <=3.8
- Installed packages from requirements.txt on GitHub (Scapy, tkinter, matplotlib)
Basic Use of App:
- When opened, the app displays a list of your network interfaces.
- Click on whichever network interface you want to scan. Note: it lists all network interfaces, and some interfaces may be inactive, so make sure you know which interface to sniff on.
- After you click the network interface name, it will prompt you for how many packets you want to sniff. Enter the number of packets. (Extremely large amounts of packets, like 100,000, might cause the application to freeze for a couple of seconds and then load.)
Features:
- Filtering the network packet display by Network Protocol, Source, and Destination
- Viewing more detailed information about packets
- IPv6 support
- Generating I/O graphs from packets
- Opening pcap/pcapng files to analyze
- Saving sniffed packets into a file on the computer
- DNS host name resolution for DNS response packets
Filtering network packets: Click the big button at the top left that says "Filter", and choose one of 3 options: Network Protocol, Source, or Destination. After you choose one, a textbox will appear; enter either the network protocol (Ex: TCP, HTTP, etc.) or the source/destination address (Ex: 24.5.91.64, 2345:0425:2CA1:0000:0000:0567:5673:23b5, etc.). Once you have finished, click the red filter button, which will apply the filter.
Viewing more detailed information about packets: To view more information about a packet, double-click on it, and the top half of the screen will display the information and field descriptions for the packet.
Generating I/O Graphs: With sniffed packets open, click "Statistics" in the menu header at the top left, and click "Generate I/O Graph". This generates a graph for the packets and gives you options to zoom in and out, move around, and save (matplotlib).
Opening pcap files: Navigate to the menu header labeled "File" in the top left, hover over or click on it, and then click "Open" from the dropdown options. Then select the pcap or pcapng file.
Saving sniffed packets: Navigate to the menu header labeled "File" in the top left, hover over or click on it, and click "Save As" from the dropdown menu. It will then open a menu showing the directory the file was saved in (the default directory) and the file name.
DNS response packet host name resolution: Navigate to the menu header labeled "View", hover over or click on it, and select "Resolve DNS Hostnames", which will resolve all the DNS hosts to their domain hostnames.
Project Portfolio
How can machine learning be used for anomaly detection in attacks on networks by analyzing packet information and patterns?
Started Sept. 29, 2022
Abstract or project description
Along with the increasing use of the internet and technology, businesses and individuals are relying on networks for services in their everyday lives and entrusting them with their data and privacy. Cyber attacks increase by an estimated 15% per year, with over 800,000 individuals hacked and businesses dealing with great financial costs. Network anomaly detection is crucial in detecting and preventing attacks ranging from malware to denial-of-service attacks. Using the MINDS (Minnesota Intrusion Detection System) anomaly detection model, we are able to build a system that captures network packets, filters them, and then uses feature extraction to either match them against known attacks or apply machine learning for anomaly detection. Using the identified patterns associated with detected anomalies, we are able to generate accurate results to detect attacks carried through network packets such as ARP poisoning, cache poisoning, DDoS attacks, and port scanning.