School of Science and Technology 科技學院
Electronic and Computer Engineering 電子工程學系

Keylogger Surveillance System

Student: Poon Yin Sang Bernie
Programme: Bachelor of Science with Honours in Cyber and Computer Security
Supervisor: Alick Mak
Year: 2021/22

Objectives

In this project, the Keylogger Surveillance System monitors every action the computer produces, reports to the user based on that action, and reacts to the situation. To implement the system, the following tasks will be completed: the monitoring functions, the web-based configuration function, the quick configuration function, the reporting function, and the data analyzing function. In addition, the system will be able to operate on different operating systems, including Windows, Mac and Linux.

Element 1: Monitoring Functions

To cover the monitoring aspect, the application will be able to record keystrokes, mouse movement, packets sent and received, screen captures and webcam usage.

For keystrokes, the system identifies suspicious combinations of keystrokes, large numbers of keystrokes in a short amount of time, or user-defined combinations of keystrokes. Normally, the system only records the problematic keystroke logs instead of all keystrokes. This prevents leaking the user's private data and avoids keeping useless data.
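The filtering rule described above, as an added example that is not the project's own code: a small analyzer that keeps only the keystroke log entries matching two of the stated criteria (a burst of key-downs in a short window and a user-defined combination). The log line format, the thresholds and the sample log are assumptions constructed for the example.

```python
"""Added example (not the project's own code): filter a keystroke log down to
the problematic entries using two of the stated criteria: a burst of many
key-downs in a short window (typical of automated input) and a user-defined
key combination. The log format and the thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample log, one event per line: ISO-timestamp,event,key
SAMPLE_LOG = """\
2022-03-01T10:00:00.000,down,h
2022-03-01T10:00:00.180,down,e
2022-03-01T10:00:00.350,down,l
2022-03-01T10:00:05.000,down,ctrl
2022-03-01T10:00:05.010,down,alt
2022-03-01T10:00:05.020,down,delete
2022-03-01T10:00:09.000,down,x
2022-03-01T10:00:09.005,down,y
2022-03-01T10:00:09.010,down,z
2022-03-01T10:00:09.015,down,x
2022-03-01T10:00:09.020,down,y
2022-03-01T10:00:09.025,down,z
2022-03-01T10:00:09.030,down,x
"""

# Assumed thresholds; in the project they would live in the JSON control file.
BURST_MAX_KEYS = 6                          # more key-downs than this ...
BURST_WINDOW = timedelta(milliseconds=100)  # ... inside this window is a burst
COMBO_WINDOW = timedelta(milliseconds=500)  # all keys of a combo within this
SUSPICIOUS_COMBOS = [("ctrl", "alt", "delete")]  # user-defined combinations

def parse_log(text):
    """Return a list of (timestamp, key) for key-down events only."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, key = line.split(",")
            if event == "down":
                events.append((datetime.fromisoformat(ts), key.lower()))
    return events

def find_bursts(events, max_keys=BURST_MAX_KEYS, window=BURST_WINDOW):
    """Return non-overlapping (start_time, count) pairs where more than
    max_keys key-downs fall inside one window; events must be time-ordered."""
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        if j - i > max_keys:
            bursts.append((events[i][0], j - i))
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts

def find_combos(events, combos=SUSPICIOUS_COMBOS, window=COMBO_WINDOW):
    """Return (time, combo) for each suspicious combination whose keys all
    appear within the window that starts at the combo's first key."""
    hits = []
    for i, (ts, key) in enumerate(events):
        near = {k for t, k in events[i:] if t - ts <= window}
        for combo in combos:
            if key == combo[0] and set(combo) <= near:
                hits.append((ts, combo))
    return hits

def problematic_entries(text):
    """Keep only events that belong to a burst or a suspicious combination,
    so ordinary typing (the 'hel' above) is never stored."""
    events = parse_log(text)
    keep = set()
    for start, count in find_bursts(events):
        first = next(i for i, (t, _) in enumerate(events) if t == start)
        keep.update(range(first, first + count))
    for start, combo in find_combos(events):
        keep.update(i for i, (t, k) in enumerate(events)
                    if start <= t <= start + COMBO_WINDOW and k in combo)
    return [events[i] for i in sorted(keep)]
```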

For mouse movement, the system marks the movement on a screen capture of the present state, indicating the mouse path and click positions. In the meantime, a text-only log is kept for further analysis of the data.

For monitoring packets sent and received, the system records suspicious packets sent or received by the computer. It continuously monitors the computer's traffic and, if suspicious traffic is discovered, alerts the user and logs the packet's destination or origin for further investigation. Users can set up a whitelist and a blacklist of specific destinations or origins to identify wanted and unwanted traffic.

Element 2: Web-based Configuration function

To simplify the configuration process and improve the modifiability of the system, a web-based configuration function is implemented. This element provides a GUI for the user to configure the system, including switching each monitoring function on and off, setting the parameters of every monitoring function, and viewing reports and log files with better readability. The Web-based Configuration function requires authorization to access the configuration panel in order to protect privacy.

Element 3: Quick Configuration function

Besides the web-based configuration function, a quick configuration function is implemented as well. Its purpose is to give users a quicker way to change settings. Rather than logging in to the web-based configuration panel, a setup button is placed in the system tray offering quick setting changes, such as turning a monitoring function on or off or making minor changes to some parameters of a monitoring function.

Element 4: Reporting function

To alert and report suspicious and emergency events within the system to the user, an online reporting function is implemented in the Keylogger Surveillance System.

The online reporting function is responsible for alerting through online methods. The online methods available for alerting the user include email and messaging. This function provides a way to alert the user even when the user is not physically near the system. Emails and messages also serve as a record or log for the user to review what happened to their system.

Also, the log file format and encryption provide better security and readability of the log files. The log files store the data recorded by the logger functions, and they also give the user and the system a way to analyze and review the traces of the system. Since sensitive data may be stored in the log file, encrypting the log file is essential to protect the user's information.


Element 5: Data Analyzing function

After monitoring different aspects of the system, the records or logs are also useful for showing patterns and anomalies. By analyzing the records and logs from the monitoring functions, the data analyzing function can provide reports for the user to review. Reports such as an attack report, a pattern report and safety advice could be generated by this function. The user can review and study the reports to improve the security measures for their own system.

Methodologies and Technologies used

This project develops a system that monitors the input, functions and traffic of the computer; it runs in the background without affecting the user's normal use of the computer. The whole system is mainly developed in Python, JavaScript and HTML.

Monitoring Functions

In the monitoring system, monitoring functions for keystrokes, mouse movement, incoming and outgoing packets, screen capture detection, and webcam usage are available; their working mechanisms are discussed below.

The keystroke monitoring function is written in Python and uses the “keyboard” library to realize the idea. The library allows me to record the keystrokes I have typed, which lets the system respond to automated programs that simulate keystrokes. The library also helps to log the records for further analysis. The log file has good readability for the user as well as for the system itself. The flow chart of the function is shown in Figure 1.

For mouse tracking, I use Python and the “logging” library to realize the idea. The library allows me to record the mouse position and mouse clicks, so the system can track the mouse movement and record the timestamp of each click. After tracking the movements and clicks, the system generates a movement graph over the screen capture to visualize the result (Figure 2). The flow chart of the function is shown below (Figure 3).

Figure 2. 

Figure 3. 

Figure 1. 

For the packet monitoring function, I also use Python with the “psutil” and “scapy” libraries to check the traffic on selected ports such as 80, 20, 21, 22, 25, etc. Detecting traffic on common ports allows the system to identify suspicious traffic and stop it or alert the user immediately. With the help of “psutil”, the system lets the user choose which interface to monitor. The system also allows the user to set up custom locations that trigger an alert when traffic goes to or comes from them. The flow chart of this function is shown below (Figure 4).
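The port and whitelist/blacklist checks described here and in the packet monitoring objective above, as an added example that is not the project's own code: connection records (constructed inline, using documentation-only TEST-NET addresses) are classified against the monitored ports named in the text and against user lists of origins and destinations, and only the endpoint needed for investigation is kept in the alert. The local network, the user lists and the record layout are assumptions.

```python
"""Added example (not the project's own code): classify connection records
against the monitored ports named in the text plus a user whitelist/blacklist
of origins and destinations, keeping only the endpoint needed to investigate.
Records are constructed; in the project they would come from scapy/psutil."""
import ipaddress

MONITORED_PORTS = {20, 21, 22, 25, 80}               # ports the text names
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
# Assumed user lists; entries may be single hosts or CIDR ranges.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "198.51.100.10/32")]
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]

# Constructed sample: (timestamp, src_ip, src_port, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    ("2022-03-01T10:00:01", "192.168.1.5", 51000, "198.51.100.10", 80),  # whitelisted server
    ("2022-03-01T10:00:02", "192.168.1.5", 51001, "203.0.113.7", 443),   # blacklisted destination
    ("2022-03-01T10:00:03", "192.0.2.77", 40000, "192.168.1.5", 22),     # unknown host to local SSH
    ("2022-03-01T10:00:04", "192.168.1.5", 51002, "192.0.2.200", 8443),  # unknown, unmonitored port
    ("2022-03-01T10:00:05", "192.168.1.5", 51003, "192.168.1.9", 80),    # LAN-internal
]

def in_list(addr, networks):
    """True if addr falls inside any network of the list."""
    return any(addr in net for net in networks)

def classify(record, local_net=LOCAL_NET, ports=MONITORED_PORTS,
             whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return (verdict, detail): verdict is 'alert', 'allow' or 'log'; detail
    holds direction, remote endpoint, service port and, for alerts, a reason."""
    ts, src, sport, dst, dport = record
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # The remote side is the endpoint outside the local network; for
    # LAN-internal traffic the destination is treated as the remote side.
    if src_ip in local_net:
        direction, remote = "outbound", dst_ip
    else:
        direction, remote = "inbound", src_ip
    detail = {"time": ts, "direction": direction, "remote": str(remote), "port": dport}
    if in_list(remote, blacklist):          # blacklist takes precedence
        return "alert", dict(detail, reason="blacklisted endpoint")
    if in_list(remote, whitelist):
        return "allow", detail
    if sport in ports or dport in ports:    # unknown endpoint on a watched port
        return "alert", dict(detail, reason="unlisted endpoint on monitored port")
    return "log", detail                    # keep for later analysis, no alert

def alerts(records):
    """Run classification over a batch and return only the alert details."""
    return [d for r in records for v, d in [classify(r)] if v == "alert"]
```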

Figure 4. 

For screen capture and webcam monitoring, the idea is to watch the event logs for the system performing a screen capture or opening the webcam. I still use Python, with the “PyPiWin32” library to retrieve the event log, and then apply an algorithm to identify suspicious events. On top of that, I also use the “keyboard” library to detect the “Print Screen” key, which adds an alternative way to detect a screenshot event. The flow chart of the function is shown in Figure 5.

Figure 5. 

Web-based Configuration function

In order to achieve the objective of high modifiability, the Web-based Configuration function is built for the user to configure the system. It is formed by two parts: the front-end GUI and the back-end parameter-changing part. The flow chart of the whole Web-based Configuration function is shown in Figure 6.

Figure 6. 

First, the front-end: the GUI is mostly developed in TypeScript with the React framework “Next.js”. The advantage of using TypeScript instead of JavaScript is the stricter control of variables and data. The reason for using “Next.js” is that it offers more flexibility and functionality than plain React. Both benefits provide a versatile development environment for the GUI part of the Web-based Configuration function. The Web-based Configuration function contains a login page for authorization. The login page has a simple and generic look, similar to Figure 7. After login, the Web-based Configuration function offers a number of options to the user, including “Setting”, “Log Files”, “Performance” and “Analyzing”. Each option leads to a page showing the corresponding content. A brief illustration is given in Figure 8.

Figure 7. 

Figure 8. 

Second, the back-end: this part uses Python to construct the parameter-changing function. As all monitoring functions are controlled by their own JSON file containing a number of control parameters, the back-end function can change an individual parameter in order to control the status of each monitoring function. File reading and writing are performed with Python's built-in file operations. Since the back-end needs to communicate with the front-end to show the appropriate content, the two sides are linked through an API. The API is constructed in Python using the “flask” library. The overall flow chart of the Web-based Configuration function is shown in Figure 9.

Figure 9. 

Quick Configuration function

Apart from the Web-based Configuration function, the system also contains a Quick Configuration function for the user to make quick, small configuration changes. The quick configuration button is located in the system tray and pops out a list of options for the user to interact with, similar to Figure 10. The function is built in Python with the “pystray” library, which allows the function to create an icon in the system tray and offer different options for the user. Components such as individual items and menus can be constructed using the library.

Figure 10. 

Reporting function

The system has a reporting system for alerting the user and logging data. There are different ways to alert the user, such as the emailing function, which provides instant alerts and precautionary alerts so the user can prevent additional damage to the computer and to themselves. The emailing function is built in Python using the “smtplib”, “ssl” and “email” libraries. These libraries allow the system to send email to the user's desired destination and make the email content easy to modify.

Along with the alert function, the system is also designed to record the above-mentioned actions such as keystrokes and mouse movement and then generate daily, weekly, monthly and yearly reports. The system can also analyze the recorded data. Another main part of the reporting function is the log file format and security. The log files generated by the logging function are all encrypted and require the user to provide a password in order to decrypt them. The libraries used for this encryption are “hashlib”, “base64” and “cryptography”. They allow the system to encrypt a file with the desired password and store it so that the content of the log file is not easily accessible.

Data Analyzing function

After collecting all logs and results from the monitoring functions, the Data Analyzing function can perform a wide range of analyses to investigate them and retrieve any patterns or threats from the data. The Data Analyzing function generates reports and charts for the user to review and study. Python is the preferred language for this function and, similarly to the API connecting the back-end to the front-end of the Web-based Configuration function, the reports and charts, like Figure 11, are passed to the front-end GUI through an API, giving the user greater readability. The library used for the back-end data analysis is “flask”, which allows the system to create the API link with the front-end to pass the analyzed data from back-end to front-end.

Figure 11. 

Result & Discussion

After conducting the above experiments on every section of the Keylogger Surveillance System, promising results were obtained. In the following, the results are presented and discussed.

Monitoring Functions

First, the result from the keystroke monitoring function: the test was successful, and the result matches the expected result.

Figure 19. 

As Figure 19 shows, the keystroke monitoring started and the keylogger report was successfully created. On the left, the first line is the designed phrase used for the test, and the third line is the actual input of the test.

Figure 20.

As for the result, the report clearly shows the correct sequence of the designed phrase and hotkeys such as [Shift] + T for typing an uppercase T.

Figure 21.

For the second test of the keystroke monitoring function, the report was successfully created.

Figure 22.

The report clearly shows the time when the Shift key was pressed and the time of its release.

The results of both tests show that the keystroke monitoring function is now functional and able to do the expected work without any issue. The function can now be integrated into the system and monitor the user's input.

Second, the result from the mouse movement and click monitoring function: the test was successful and reproduced the expected result.

Figure 23. 

Figure 23 shows that the mouseLogger worked, and Figure 24 shows that the report was successfully created. It matches the expected result from above, and the report displays the positions of the mouse movement with the corresponding timestamps. Also, Figure 25 shows that the function can detect mouse button clicks, as desired.

Figure 25.

Figure 24.

However, there are a few errors in the log file (Figure 26), which indicates that the monitoring function still has some bug that needs to be addressed as soon as possible before the function is integrated into the system.


Third, from the result of the packet monitoring function, the test was conducted and the result matched the expected result.

Figure 27.

Figure 26.

As Figure 28 shows, the interface searching function is now working and is able to detect working and stopped interfaces, which matches the expectation. Also, the format is readable, so the user is able to identify the details of the packets. As a result, the packet monitoring function is finished and available for integration.

Figure 28.

Conclusion

The overall experiments performed on the system were highly successful. All functions inside the system performed as expected and generated the expected outcomes. Nevertheless, there are still some minor enhancements that could be made to some functions; for example, in the web-based configuration function, the log file section could have a better solution for displaying the content of the log files. In the end, the integration of the functions works well and the system runs well with all functions attached.

Future Work

In the current state of the system, some enhancements and fine-tuning are possible in a couple of sections. Below, some ideas are described for the corresponding sections.

First, about the web-based configuration function: its content is sufficient and provides high modularity for the user when operating the system. However, the design and UI optimisation of the webpage are below average: the UI design is a bit dull and lacks functionality. The enhancement of the web-based configuration function should be to improve the design and layout of each page, and some elements, like the pop-up modal size, should vary according to the content.

Second, about the reporting function: the email body and the timing of when the email is sent could be improved. Currently, the email is sent when the log file is generated or a suspicious file is spotted. However, when the interval of log file generation is short, the number of emails sent becomes enormous, which is not ideal. An improvement such as a scheduled time for sending the email would help the user review the file generation information.

Third, about the data analyzing function: currently it is able to identify suspicious log files of the keylogger. This function can be very helpful in alerting the user to strange events on the system, as the file contains the timestamps of the log. However, more analysis items could be added, such as identifying the performer of an action and pattern searching.

Apart from the original plan for the Keylogger Surveillance System, some new ideas are planned for the future to be added to the existing, already finished functions.

The first idea is log file encryption. It comes up because the logs or reports generated by the monitoring functions contain a large amount of sensitive information, such as credentials and credit card numbers. Log file encryption could prevent information leaks and secure the user's sensitive information. This new element will be added in the future to the generation of the log and report files, and the password will be customizable by the user.

The second idea is modifying the operating structure of the system. At the current state, all monitoring functions are controlled by a single JSON control file. The problem with a single control file is that if the file is damaged or deleted, the whole system stops functioning. Splitting the single control JSON file into multiple control JSON files would increase the crash resistance of the system. For example, if the control file for the keystroke monitoring function is damaged, the system could still run without the keystroke monitoring function while the other monitoring functions keep working. This change of operating structure could be implemented in the future, and it would not be a difficult task.
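The split control files proposed above, as an added example that is not the project's own code: one JSON control file per monitoring function is loaded independently, so a missing or corrupted file disables only that function and is reported, while the others keep running; single-parameter updates (the back-end's job) rewrite only the affected file and do so atomically. The file names, keys and the constructed control directory are assumptions.

```python
"""Added example (not the project's own code): per-function JSON control files
loaded so that a damaged or missing file disables only that monitoring function.
File names, keys and the constructed control directory are assumptions."""
import json
import os
import tempfile

MONITORS = ("keystroke", "mouse", "packet", "screen")  # assumed function names
DISABLED = {"enabled": False}

def load_controls(control_dir):
    """Return {monitor: config}. A missing or unusable file yields a disabled
    entry carrying an 'error' note instead of taking the whole system down."""
    controls = {}
    for name in MONITORS:
        path = os.path.join(control_dir, f"{name}.json")
        try:
            with open(path, encoding="utf-8") as fh:
                cfg = json.load(fh)
            if not isinstance(cfg, dict) or not isinstance(cfg.get("enabled"), bool):
                raise ValueError("expected an object with a boolean 'enabled'")
            controls[name] = cfg
        except FileNotFoundError:
            controls[name] = dict(DISABLED, error="control file missing")
        except (ValueError, OSError) as exc:  # json.JSONDecodeError is a ValueError
            controls[name] = dict(DISABLED, error=f"control file unusable: {exc}")
    return controls

def active_monitors(controls):
    """Names of the monitoring functions that may be started."""
    return sorted(n for n, c in controls.items() if c["enabled"] and "error" not in c)

def update_parameter(control_dir, name, key, value):
    """Change one parameter of one monitor, rewriting only that monitor's file.
    Writing to a temp file and renaming keeps the old file intact if the
    process dies mid-write, which is the failure the split is meant to survive."""
    path = os.path.join(control_dir, f"{name}.json")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    cfg[key] = value
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    os.replace(tmp, path)
    return cfg

def demo():
    """Build a constructed control directory with one damaged and one missing
    file, then show that only those two functions are disabled."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "keystroke.json"), "w", encoding="utf-8") as fh:
        json.dump({"enabled": True, "burst_max_keys": 6}, fh)
    with open(os.path.join(d, "mouse.json"), "w", encoding="utf-8") as fh:
        json.dump({"enabled": True}, fh)
    with open(os.path.join(d, "packet.json"), "w", encoding="utf-8") as fh:
        fh.write('{"enabled": true, "ports": [80, 22')  # truncated: damaged file
    # screen.json is deliberately absent
    before = load_controls(d)
    update_parameter(d, "mouse", "enabled", False)  # quick-setting style toggle
    return d, before, load_controls(d)

if __name__ == "__main__":
    _, before, after = demo()
    print("active before:", active_monitors(before))
    print("active after :", active_monitors(after))
    print("problems     :", {n: c["error"] for n, c in after.items() if "error" in c})
```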

Conclusion

The ongoing development of the internet and new technology benefits all of us. Life gets more convenient and easier with the help of the internet and new technology. But the threats also grow as technology advances; viruses and malware are getting more serious than before. That is why this Keylogger Surveillance System is an important topic to discuss and explore. The opinions of experts show the importance of having good security measures on personal computers and networks. They enriched the idea of building a good Keylogger Surveillance System and, through the use of the system, improving the security of the personal computer and network.

The strengths of this Keylogger Surveillance System compared with other similar systems are clear. The web-based configuration system and the packet monitoring function are unusual in other systems. With the help of these useful functions, the user gains more control over the system and more information about their computer, which helps the user take better security measures to protect themselves.

Also, the packet logging function is a strength of this Keylogger Surveillance System. Not many similar surveillance systems have the option of tracking packets sent in and out. Being able to review and analyze the packet history can be extremely helpful for the user, as it could reveal hidden packets received or sent by the system.

To outline the current progress of the development: the monitoring functions are finished and can be integrated into the system with a little refinement. Both configuration functions, the web-based one and the quick setting one, are also finished, and all functions are working and able to work with each other. For the reporting function and the data analyzing function, the basic functions are finished, and simple functions like the emailing function and the keylogger's suspicious file detection are ready to be integrated into the system.

In conclusion, the system works as a whole and delivers the expected functions. Although all functions are basic, their practicality and sturdiness are above average. Running in the background provides a clearer and less disruptive way to run the system. Also, the easily accessible and easy-to-use web-based configuration function allows less experienced computer users to use the system, which is an advantage compared to other more advanced systems. Overall, the system is a great solution for users to oversee and protect their own system.
