This program uses client-server model.

• Client collects data (traffic data, logon/logoff time) and sends it to server.
• Server (has GUI) receives data and calculates score, which describes user behaviour anomaly. Anomaly score is between 0 and 100. Also server can obtain keyboard log and screenshots from clients.

• Windows 7/8/10
• Winpcap driver

server.exe port path

• port - TCP port, used by clients to connect
• path - path, used to receive data

client.exe ip dest_port local_port path

• ip - server's ip
• dest_port - server's port
• local_port - TCP port, used to send data
• path - default path to collect data

❗ For correct score measuring it's needed to collect data at least for 7 days of normal user behaviour.

• Client
  • Sniffer module
  • Keylogger module
  • Screenshot module
• Server
  • Score calculation module

See architecture diagram

Collects parameters of traffic going through user's PC:

• Size of incoming traffic
• Number of unique incoming IP-addresses
• Size of outgoing traffic
• Number of unique outgoing IP-addresses

This module uses filter function, which gets keypresses. This function connects to WH_KEYBOARD_LL hook by using WinAPI function SetWindowsHookEx.

All keypresses are saved in fullData.log. This file contains path to process and data:

C:\ProgramFiles (x86)\Google\Chrome\Application\chrome.exe 18:12:06 22.07.2018
Hello, world! 

Filter function connects to WH_MOUSE_LL hook. All screenshots can be saved by:

• Timer timeout (seconds)
• Mouse clicks (right/left/middle mouse buttons)
• Mouse wheel

This module gets traffic data, login and logoff time and total session time as input and outputs anomaly score and contributions.

Parameters:

• N - number of observations of normal user behaviour
• d₀ - distance of the 50% score
• k - steepness of the curve, which used to calculate score

• weights - vector used to correct score
• one-sided deviations - used to calculate only positive or negative deviations
• contribution - result of algorithm, contribution rate of each feature

See full flowchart of score measuring and anomaly detection algorithm .docx [RU]

• Eigen3¹
• Libtins²
• Winpcap³
• WinAPI
• GDIPlus

This project is licensed under the MIT License - see the LICENSE.md file for details