Wednesday, 23 March 2016

A tool to monitor your computer's real-time port usage

Screen snapshot of the tool
In the recent five posts, we talked about how important data is in machine learning algorithms, and introduced a source of data that everyone who uses a computer and the Internet has access to: the port information of our computer's connections to the Internet or the attached network. That is a good source of data because:
  • The port information contains only the remote port numbers, not the addresses of the hosts you talk to, so you do not give us information about those hosts. (Port numbers still reveal which kinds of service you use, and the server sees your IP address.)
  • It is steady and always available.

We also introduced a simple script which gathers the information and sends it to the server. This script is the base of our data collection, and you can run it on Linux or Mac OS. The pipeline below is written for Mac OS, where netstat separates the address and port with a dot; on Linux, where netstat uses a colon, change "-F." to "-F:". It may need some more changes to work on Windows:

netstat -an |  grep "ESTABLISHED"  | awk '{print  $5}'  | awk -F. '{print $NF}' |  sort -n |  uniq -c | awk '{print $2 ":" $1}'
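As an added example (not the script from this post), here is a Python equivalent of the pipeline above that does not need the field-separator change: it takes the port after the last "." or ":" of the foreign-address column, so the same code works on macOS and Linux, including IPv6 addresses. The two netstat listings embedded below are constructed sample data, and the helper name `collect_live_sample` is my own.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of `netstat -an` output on macOS/BSD: address and port
# are separated by "." (the format the post's pipeline is written for).
SAMPLE_NETSTAT_MACOS = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.52110     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.10.52111     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.10.52112     172.217.3.110.80       ESTABLISHED
tcp4       0      0  192.168.1.10.52113     10.0.0.5.22            ESTABLISHED
tcp6       0      0  2001:db8::10.52114     2606:4700::6810:1.443  ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.10.52099     93.184.216.34.443      TIME_WAIT
"""

# Constructed sample of the same command on Linux: ":" separates the port,
# which is why the post tells Linux users to switch awk to "-F:".
SAMPLE_NETSTAT_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:52110      93.184.216.34:443       ESTABLISHED
tcp        0      0 192.168.1.10:52112      172.217.3.110:80        ESTABLISHED
tcp6       0      0 2001:db8::10:52114      2606:4700::6810:1:443   ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# The port is whatever digits follow the last "." or ":" of the address,
# which covers both separators and IPv6 addresses; "*.*" and "0.0.0.0:*"
# have no trailing digits and are skipped.
PORT_RE = re.compile(r"[.:](\d+)$")


def remote_port_counts(netstat_output):
    """Count ESTABLISHED connections per remote port, like the post's
    `grep ESTABLISHED | awk '{print $5}' | ... | uniq -c` pipeline."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Column 5 is the foreign address, column 6 the state on both OSes.
        if len(fields) < 6 or fields[5] != "ESTABLISHED":
            continue
        match = PORT_RE.search(fields[4])
        if match:
            counts[int(match.group(1))] += 1
    return counts


def format_sample(counts):
    """Render one sample as the 'port:count' lines the post's script sends,
    sorted numerically by port (the pipeline's `sort -n`)."""
    return "\n".join(f"{port}:{n}" for port, n in sorted(counts.items()))


def collect_live_sample():
    """Run the real netstat (assumed to be on PATH) and return the current
    machine's sample text; not exercised by the offline samples above."""
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=True).stdout
    return format_sample(remote_port_counts(out))


if __name__ == "__main__":
    print(collect_live_sample())
```

Before pointing this (or the post's script) at the server, it is worth printing one sample locally: the output is only lines like `443:3`, which is all that leaves your machine.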


We also showed how you can visualize this information and use some classification methods to learn the way your computer uses ports (spectrum & pattern).

Now I have built an online tool that shows the status of your computer's port usage continuously. What I am talking about today is how to use it. But first some notes:
  • This is not a commercial application, so it does not have the fancy features of one, but as far as I have tested it, it works well.
  • The part that sends data to the server is just a simple script, which you can open in an editor to see what information gets sent to the server.
  • Currently I have deployed the application on an Amazon t2.micro instance; if I see people using it a lot, I will move it to a bigger instance type. (So you may see some slow responses.)
  • It does not do any statistical calculation. By statistical I mean standard deviation, interpolation, outlier detection and so on.
  • All it does is what we talked about in the recent five posts: using probability, Bayes' theorem, and Bayesian network ideas.

How to use it
Go to the following link and download the script file "onlineAnalysis.sh" from the help link in the upper right corner of the page:

Online port usage analysis

Give the script execute permission with the "chmod +x onlineAnalysis.sh" command, and before running it make sure only one page of the above report link is open. You can also open the script in an editor to check what information it sends to the server. Start sending data by running the script like this:

$ ./onlineAnalysis.sh 500


This command sends 500 samples of your computer's Internet (network) connection port information to the server, with a delay of 2 seconds between samples. The server recognizes you by your IP address, so it is better to have a public IP address of your own, or at least to have only one machine in your network sending information. (Otherwise things get messy.) You can, however, send information from one machine and look at the results on another machine if both are behind the same shared IP address.


What does it do?
The server application simply collects the data you send and tries to learn your usage pattern over the latest 5 minutes. If your most recent usage violates the learned pattern, it warns you. Orange warnings have low priority; red ones indicate significant changes in the usage pattern.

The port transformation function maps any given port to the following five categories:

Total:        All ports
HTTP:         Port 80
HTTPS:        Port 443
0..1024:      Port <= 1024
1025..65535:  Port > 1024


So the application has a category for port 80 but not for port 22: port 22 is scored only in the 0..1024 category, while port 80 counts in the HTTP category and in 0..1024 too. You should also know that this service is not designed to tell you which application you are using. It has been designed to learn and test your computer's port usage pattern, which correlates with the applications you use. Do not expect it to catch changes immediately, because your computer's OS does not release or close the ports immediately after you exit a program.


Test procedure
The basic test procedure can be like the following steps:
  • Close all applications which use the Internet, like browsers, messaging software, torrent clients, etc.
  • Open the report link: Online port usage analysis
  • Wait a minute or two to let your computer close all unused connections.
  • Run the given script "onlineAnalysis.sh" to send information.
  • During the first 30 samples it only learns the pattern, but you can see it receiving data.
  • Then it starts comparing each new sample to the stored pattern. It keeps the latest 5 minutes of information, which is 5 x 60 / 2 = 150 samples, to build the matrix we talked about in the previous post.
  • Now start searching with Google. Since Google uses HTTPS, it catches the change.
  • If you use a torrent application to download, it opens many connections, so again it catches the change.
  • The positive point is that if you use torrent for a while, it learns that usage pattern, so if you stop using the torrent client, it warns you; or if you add a new file to download, it notices.
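To make the five-category transformation and the 5-minute window concrete, here is an added Python example that is not the server's code: it parses the "port:count" samples the script sends, applies the categories from the table above, and checks each new sample against the last 150 samples after a 30-sample warm-up. The server's actual Bayesian scoring is not described in this post, so the orange/red rule below is a stand-in of my own (a value outside the range seen in the window is orange if it lies within one range-width of that range, red otherwise), and "Total" is taken to mean the total number of established connections. The replay in `demo` follows the test procedure above on constructed samples.

```python
from collections import deque

WINDOW = 150   # 5 minutes at one sample every 2 s, as the post computes
WARMUP = 30    # the post: the first 30 samples are learning only
CATEGORIES = ("Total", "HTTP", "HTTPS", "0..1024", "1025..65535")


def parse_sample(text):
    """Parse the 'port:count' lines the script sends into {port: count}."""
    ports = {}
    for item in text.split():
        port, count = item.split(":")
        ports[int(port)] = int(count)
    return ports


def transform(ports):
    """The post's port transformation. Every connection counts towards Total
    (assumed here: total established connections) and towards one of the two
    port ranges; ports 80 and 443 also count towards HTTP and HTTPS. So a
    port-80 connection lands in three categories, a port-22 one in two."""
    cats = dict.fromkeys(CATEGORIES, 0)
    for port, count in ports.items():
        cats["Total"] += count
        if port == 80:
            cats["HTTP"] += count
        elif port == 443:
            cats["HTTPS"] += count
        if port <= 1024:
            cats["0..1024"] += count
        else:
            cats["1025..65535"] += count
    return cats


class PatternMonitor:
    """Sliding-window learner: the newest sample is compared against the
    samples still inside the window and then added to it, so behaviour that
    persists long enough (a running torrent) becomes the new normal."""

    def __init__(self, window=WINDOW, warmup=WARMUP):
        self.warmup = warmup
        self.history = deque(maxlen=window)

    def observe(self, sample_text):
        """Return {category: 'orange' | 'red'} for categories whose value falls
        outside everything seen in the window; {} during warm-up or when
        nothing deviates. The severity rule is illustrative, not the server's."""
        cats = transform(parse_sample(sample_text))
        warnings = {}
        if len(self.history) >= self.warmup:
            for name, value in cats.items():
                seen = [h[name] for h in self.history]
                lo, hi = min(seen), max(seen)
                if lo <= value <= hi:
                    continue                      # inside the learned range
                span = max(hi - lo, 1)            # width of the learned range
                distance = lo - value if value < lo else value - hi
                warnings[name] = "orange" if distance <= span else "red"
        self.history.append(cats)
        return warnings


def demo():
    """Replay the post's test procedure on constructed samples: an idle
    baseline, one Google search (more HTTPS), a torrent session that runs
    long enough to be learned, and then stopping the torrent."""
    idle_a, idle_b = "22:1\n443:2", "22:1\n443:3"   # constructed idle samples
    search = "22:1\n443:4"                           # constructed: one more HTTPS connection
    torrent = "22:1\n443:2\n51413:25"                # constructed: many high-port peers
    mon = PatternMonitor()
    mon.observe(idle_a)
    for i in range(40):                              # past warm-up, baseline varies a little
        mon.observe(idle_a if i % 2 else idle_b)
    results = {"search": mon.observe(search), "torrent": mon.observe(torrent)}
    for _ in range(WINDOW):                          # torrent fills the whole window
        mon.observe(torrent)
    results["stop_torrent"] = mon.observe(idle_a)
    return results


if __name__ == "__main__":
    for step, warnings in demo().items():
        print(step, warnings or "no warning")
```

The replay reproduces the behaviour the post describes: the extra HTTPS connection from a search is a small deviation (orange) in Total, HTTPS and 0..1024; the torrent's many high-port connections are a large deviation (red) in Total and 1025..65535; and once the torrent has run for a full window, stopping it is itself flagged red, because the learned range no longer contains the idle values.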

Play with the application and you'll find out how it works. Contact me if you find anything wrong or have any question or suggestion regarding this application.
