
Workstation Monitoring using Botnet

Minor Project Report


Submitted in partial fulfillment for the requirement of the award of the
Degree of
Bachelor of Technology
In
Computer Science and Engineering
Under the Supervision of
Mr. Anupam Kumar
Submitted By
Akshay Rohatgi
(03414802711)

Deepansh Sachdeva
(02214802711)

Varidhi Garg
(00214802711)

Maharaja Agrasen Institute Of Technology


Guru Gobind Singh Indraprastha University

November 2014

DECLARATION
This is to certify that Thesis/Report entitled Workstation Monitoring using Botnet which is
submitted by us in partial fulfillment of the requirement for the award of degree of Bachelor of
Technology in Computer Science & Engineering from MAIT, GGSIP University, Delhi
comprises only our original work and due acknowledgement has been made in the text to all
other material used.

Date: 27-11-2014

Akshay Rohatgi
(03414802711)

Deepansh Sachdeva
(02214802711)

Varidhi Garg
(00214802711)

CERTIFICATE
This is to certify that thesis/Report entitled Workstation Monitoring using Botnet which is
submitted by Akshay Rohatgi, Deepansh Sachdeva, and Varidhi Garg in partial fulfillment of the
requirement for the award of degree Bachelor of Technology in Computer Science &
Engineering from MAIT, GGSIP University, Delhi is a record of the candidate own work carried
out by them under my/our supervision. The matter embodied in this thesis is original and has not
been submitted for the award of any other degree.

Mr. Anupam Kumar


(Project Guide)

Dr. Namita Gupta


(HOD, CSE Dept.)

Date: 27-11-2014

ACKNOWLEDGMENT

We express our sincere thanks and deep sense of gratitude to our project mentor,
Mr. Anupam Kumar, for his valuable motivation and guidance, along with the other members of our
development team, without which this project report would not have been possible. We consider
ourselves fortunate for having the opportunity to learn and work under their able supervision and
guidance over the entire period of association. We have a deep sense of admiration for her innate
goodness. We also deeply thank the H.O.D., Dr. Namita Gupta, Department of Computer
Science and Engineering, Maharaja Agrasen Institute of Technology, for her valuable
cooperation on this project report and for giving us the opportunity to innovate and implement our
ideas.
Finally, we would like to express our deep appreciation to our family members and friends, who
have been a constant source of inspiration. We are eternally grateful to them for always
encouraging us wherever and whenever we needed them.

Akshay Rohatgi
(03414802711)

Deepansh Sachdeva
(02214802711)

Varidhi Garg
(00214802711)

TABLE OF CONTENTS
1. Abstract---------------------------------------------------------------------------------------06
2. Introduction----------------------------------------------------------------------------------07
3. Background and Literature Survey-------------------------------------------------------08
4. Design----------------------------------------------------------------------------------------11
5. Implementation------------------------------------------------------------------------------26
6. Results----------------------------------------------------------------------------------------30
7. Testing and Evaluation---------------------------------------------------------------------35
8. Conclusions----------------------------------------------------------------------------------38
9. References------------------------------------------------------------------------------------39
10. Appendix A: List of Tables---------------------------------------------------------------40
11. Appendix B: Dependency Graph---------------------------------------------------------43

ABSTRACT

The basic aim of the project was to create a monitoring system that lets organizations or
institutions observe their personnel, in order to control data theft, access to
impermissible websites and other activities prohibited by their code of conduct.
This report explains the development process in the subsequent chapters. It begins with
the requirements analysis, in which the various requirements are gathered and analysed for
feasibility, supported by diagrams such as use case scenarios and flow charts for the
reader's ease of understanding. The next section covers the implementation of the project
along with its design implications and the technology chosen to deploy it. The testing and
evaluation carried out during development, and the resulting outcomes, are discussed in
the final section. The report also lists the references that were consulted to develop the
system and to overcome the problems and errors encountered during development.

Chapter 1: INTRODUCTION
In the topic Workstation Monitoring Using Botnets we aim at monitoring the activities of
the user on a workstation with the use of an automated program called a bot. The bot is
remotely controlled by the C&C server, which itself is controlled by the administrator of an
organization. The basic architecture of our project is similar to the architecture of a
botnet, hence the name Workstation Monitoring using Botnets.
The need for this project has emerged because of the losses suffered by organizations
due to the inefficient performance of employees and, secondly, because of data theft. In
a survey it was found that 51% of employees admit to taking data when they left an
organization, that typical organizations lose 5% of revenue to fraud each year, and that
employees spend 16 minutes per hour of their time on social networks. So, to deal with
these problems, we felt that there is a need for a system that can track the activities of
employees and prevent these activities from incurring losses to the organization.
In the past a few systems have been developed to record user activities and give the
records to the administrator, but systems like these merely increased the load on the
administrator, who had to sift through the records to find the unwanted activities.
In this project we intend to give live alerts to the administrator, on the console or by SMS,
about the unhealthy activities performed by users, so that appropriate action can be taken
in time, the loss incurred by the organization is reduced and the task of finding the culprit
becomes easier. Along with the live alerts we intend to provide a report of the unhealthy
activities of users, with a timestamp and screenshot as proof, so that users cannot deny
their involvement at a later stage. On the whole, we intend to achieve the following goals:

- Provide live alerts to the administrator on the GUI or by SMS.
- Provide the ability to remotely lock the user workstation.
- Provide the administrator the ability to view the screen of the user.
- Provide the administrator a summary of unhealthy data usage or browsing.
- Provide the administrator the capability to remotely execute system commands.

Chapter 2: BACKGROUND AND LITERATURE SURVEY



Employee monitoring has been with us for thousands of years. Think about the craftsmen
who taught their apprentices the skills necessary to produce paper, glass, jewelry and
whatever else was made; this was probably the best illustration of one-on-one
monitoring.
Then we move into the Industrial Revolution, where employees were constantly monitored
to ensure steady production was being met and that sabotage was not taking place. Spies were
often employed as workers to report to management any sentiments that were not
favorable to the company. Companies would pay sheriffs to keep the unions out and sack
anyone trying to organize the workers into a union.
And now, in the Information Age, we have all kinds of monitoring, from reading emails and
listening in surreptitiously to phone calls, to reading the blogosphere for anyone bad-mouthing
the company. In this age, in order to monitor an employee one simply has to
monitor his workstation, since a workstation can reveal all of an employee's activities. The
same applies to students in university computer labs: teachers can monitor students to check
whether they are doing the work assigned to them or spending their lab time on
social media.

Why You Should Monitor


Everything a team does on company time and on company resources matters. Time spent
on frivolous websites can seriously hamper productivity, and visiting objectionable sites on
company PCs can subject a business to serious legal risks, including costly harassment suits
from staffers who may be exposed to offensive content.

That doesn't look like work

Other consequences may be far worse than mere productivity loss or a little legal hot water.
Either unintentionally or maliciously, employees can reveal proprietary information,
jeopardizing business strategy, customer confidentiality, data integrity, and more.


And, of course, unchecked Web activity can expose a network and systems to dangers from
malware and other intrusions. Even something as simple as a worker's failure to keep up
with Windows patches can be a threat to the business. It is safe to say that monitoring is not
merely snooping.

Monitoring Software
Employee monitoring is just one facet of a larger discipline known as endpoint security,
which includes everything from malware protection to policy enforcement and asset
tracking. Large enterprise computing environments demand comprehensive endpoint-security
systems, consisting of server software coupled with client software on each user's
machine, that can handle many of these functions at once. These systems tend to be complex
enough to require the expertise of a trained IT pro.
For a small business, there are several good ways to achieve endpoint security. A Web-hosted
system can be installed that combines software on the PC with remote monitoring
services to protect the organization's computers and enforce compliance with company
policies.
The most secure way to monitor PC use is to deploy a system that consists of a host, server,
or appliance together with client-installed software. Unless a company has a dedicated IT
staff or the budget to bring someone in on a regular basis to check on things, a cloud-based
service is probably the best choice. These services are relatively inexpensive and easy to set
up compared with server offerings, and they give you the flexibility to set and monitor
compliance with acceptable-use policies from a single management interface. They can also
protect sensitive files to prevent data from leaking out of your company. Better still, these
hosted systems effectively protect laptops that frequently leave the office.
If one is not up for a total security overhaul and just wants to track user activity on a few
systems, then one can monitor all e-mail and IM sessions, track and filter Web usage, log
users' keystrokes and program use, capture screenshots on command, and keep tabs on
which applications staffers are using and which sites they're visiting, complete with
simple reports that give a pretty clear idea as to how employees are spending their time
on their PCs.

Best Practices
It should go without saying that employee monitoring ought to be just one small component
in a comprehensive strategy to protect a business and maintain productivity. Once the
choice is made to monitor, the following guidelines should be followed in order to ensure
success.
Be forthright: Nobody likes being spied on unwittingly. It's best to be up front with staffers
about what is being tracked and why. Many companies accomplish this with a simple
statement in the employee handbook telling workers plainly that everything they do on
company computers, including individual keystrokes, can and will be tracked. Letting
employees know that their behavior is being monitored can serve as a powerful deterrent
against unwanted online activity.
Filter proactively: Most good endpoint-security tools include Web and e-mail content
filters that can block inappropriate sites and prevent users from sending or receiving files
that can jeopardize a business. They should be implemented in order to limit the ways
staffers can get into trouble, so that problems are prevented up front.
Check reports regularly: There's little point in generating usage reports if no one is
going to look at them. Time should be spent to at least spot-check the reports that
monitoring software generates, so that potential problems can be identified early and
remedial action can be taken.


Chapter 3: DESIGN
1. System Development Process
Development of the project followed an evolutionary lifecycle model: a simple cycle of
identifying basic requirements, followed by construction of a software prototype and
review, then revision and enhancement of the prototype by introducing changes
according to the feedback.

Fig. 3.1: Evolutionary lifecycle (Identify Basic Requirements -> Prototype Construction -> Review -> Revise and Enhance Prototype)

A vertical prototype was developed at each stage to construct a subsystem with
focus on a particular functionality. Therefore, a bottom-up approach was followed,
emphasizing atomic functionalities to break the whole system down into simpler
modules.

2. Requirements Analysis
During the initial stages of development the following requirements were gathered by
observing various statistics and reports concerning the system:

- Multiple clients are able to connect and communicate with a single server, which
administers those clients and gathers data from them. A similar architecture was
required to construct the system.
- The client monitoring executable should run incognito on the system, i.e. it must
run silently without showing any alerts or pop-ups on the client system.
- Clients on the network should observe various activities and report them to the
administration system or server.
- Browsing activities of clients should be logged to create an analysis report.
- Any new hardware such as a USB drive, hard drive, etc. should be reported to the
server as an alert.
- Ability to monitor and display the bandwidth usage of a particular client.
- Remote monitoring by screen sharing and snapshots of the client screen.
- Execute various commands in the background as an administrator of the
client system.

The whole system focuses on two types of users:

- User (client): here a user refers to the person operating a client machine in an
organization's or institute's network.
- System Administrator (server): a server is maintained for each network to
monitor the clients in it. Each client reports its activities to the concerned
server system, for the administrator to take action accordingly.

Apart from the requirements that emphasize basic functionality, the system
must also comply with the following quality factors:

- Reliable: the system should be reliable enough to perform its functions
accurately and according to standards without being compromised.
- Usability: a user of the system should feel comfortable while using it and
should be able to operate it with minimal computer skills.
- Efficiency: the system should work efficiently, performing tasks with less
input but greater output.
- Security: this is an important factor for a system that itself focuses on
maintaining security standards in an organization.
- Maintainability: the system should be constructed so that it can be maintained
with minimum effort in the future.
- Portability: a portable system is highly desirable where the environment remains
dynamic and resources need to be relocated, which may affect the
working of the system.

3. Use Case
The following use case scenarios are discussed below:

Usage Summary
i. Brief Description
This use case describes how the administrator visualizes the network usage
summary of a client workstation.
ii. Actors
Administrator
iii. Preconditions
There should be an active network connection to the database and the data
about the user on the given date should be available.
iv. Basic Flow of Events
a. The use case starts when the administrator wants to see the network
usage summary of an employee workstation.
b. The administrator fills in the start date and end date up to which he
wants the summary.
c. After the selection the use case displays the result in the form of a pie
chart.
d. The use case ends successfully.
v. Alternative Flows
a. No Data Available
The use case displays "no data found" when the data is unavailable.
vi. Post-conditions
The data is displayed.
vii. Special Requirements
None

Remote Command Execution
i. Brief Description
This use case describes how the administrator uses the system to
remotely execute system commands on the employee/client
workstation.
ii. Actors
Administrator
iii. Preconditions
There should be an active network connection to the employee workstation
and the client software running should have administrative privileges.
iv. Basic Flow of Events
a. The use case begins when the user types the commands to be executed
on the client workstation.
b. The command is sent to the client workstation.
c. The command is executed by the remote client.
d. The output of the execution is sent back to the server to be displayed
on the console window.
v. Alternative Flows
a. No Command Found
The use case displays "no data found" when the command is not
found, specifying that no such command exists.
b. Invalid Syntax
The use case displays the appropriate data when the usage of the
command is incorrect.
vi. Post-conditions
The result of the command execution is displayed back to the
administrator.
vii. Special Requirements
The client software should have administrative privileges.
Process Monitoring
i. Brief Description
This use case describes how the administrator uses the system to monitor
the processes running on the client and also terminate them if needed.
ii. Actors
Administrator
iii. Preconditions
There should be an active network connection to the employee workstation
and the client software running should have administrative privileges.
iv. Basic Flow of Events
a. The use case begins when the administrator presses the process monitor
button.
b. The list of processes running on the client system is returned to the
user.
c. The administrator can terminate the process he/she wants to.
v. Alternative Flows
None
vi. Post-conditions
None
vii. Special Requirements
The client software should have administrative privileges.

Fig 3.2

4. Data Flow

Fig. 3.3

5. Class Diagrams
i. Client Application
a. Main program

Fig. 3.4

b. Client side monitoring components package

Fig 3.5
Class definitions

Fig 3.6

Fig. 3.7

Fig. 3.8

Fig. 3.9

Fig. 3.10

ii. Server Application

Fig. 3.11
Class definitions are as follows:

Fig 3.12

Fig. 3.13

6. Architecture
The system follows a simple client-server model, where multiple clients on a
particular network are connected to a single server and communicate with each
other.

Fig. 3.14: Client-server model (Client 1, Client 2 and Client 3 connected to the Server)

The following architecture was chosen to manage and monitor multiple client machines
using a single administrative system in a network. Clients collect the necessary data
from their systems and send it over to the server for analysing and reporting the
activities of a particular user.
Therefore, a botnet architecture was implemented to design the system. A botnet is a
collection of bots that are remotely controlled by a botmaster, where bot is a generic
term derived from robot that is used to define a script or set of scripts designed
to perform various predefined functions in an automated manner, and the botmaster is
the one who controls all these bots in the network. A bot and its botmaster
communicate using a Command and Control (C&C) server.

Fig. 3.15: Botnet model (Botmaster controlling the Bots through the C&C server)

7. Technologies used
The system was implemented using the following technologies, chosen to meet the
requirements while keeping in mind the efficiency of the system on the platform of
implementation:

i. .NET Framework 4.5.1 with C# 5.0
It is a software framework developed by Microsoft that runs primarily on
Microsoft Windows. It is open source, and Microsoft, with .NET 2015, is
extending it to run on Mac OS and Linux. It includes a large class
library known as the Framework Class Library (FCL) and provides language
interoperability (each language can use code written in other languages)
across several programming languages. Programs written for the .NET
Framework execute in a software environment (as contrasted to a hardware
environment) known as the Common Language Runtime (CLR), an
application virtual machine that provides services such as security, memory
management, and exception handling. The FCL and CLR together constitute the
.NET Framework.

ii. Microsoft SQL Server
Microsoft SQL Server is a relational database management system
developed by Microsoft. As a database, it is a software product whose
primary function is to store and retrieve data as requested by other software
applications, be they on the same computer or running on another
computer across a network (including the Internet). There are at least a
dozen different editions of Microsoft SQL Server aimed at different
audiences and at workloads ranging from small single-machine applications
to large Internet-facing applications with many concurrent users. Its primary
query languages are T-SQL and ANSI SQL.

iii. MahApps.Metro UI toolkit
MahApps.Metro is a project that Paul Jenkins started back in 2011 as a
simple way to bring a Metro-style user interface into a WPF application.

iv. WPF Toolkit Data Visualization
The WPF Toolkit is a collection of WPF features and components that are
made available outside of the normal .NET Framework ship cycle.
The WPF Toolkit not only allows users to get new functionality more
quickly, but also provides an efficient means of giving feedback to the product
team. Many of the features are released with full source code as well.
The Toolkit Roadmap outlines some of the upcoming planned features.

v. Native Windows API
The Native API (with a capitalized N) is the application programming
interface (API) used by Windows NT and user mode applications. It is usually
used during system boot, when other components of Windows are
unavailable, and by routines such as those in kernel32.dll that implement the
Windows API. The entry point of ntdll.dll is LdrInitializeThunk. Most of the
Native API calls are implemented in ntoskrnl.exe and are exposed to user
mode by ntdll.dll. Some Native API calls are implemented in user mode
directly within ntdll.dll.

Chapter 4: IMPLEMENTATION

The complete project was developed using the .NET Framework in C#. Visual Studio was used for
writing code, as it helps in managing several code files in one project. GitHub was used for
version control, integrated through a plugin in the IDE itself.
The most important and interesting aspect of the system was client-server communication,
which defines how a client communicates with the server. Several difficulties in this
implementation were as follows:
1. The server is a centralized application, therefore it must not change its IP address, else the
client application won't know whom it should contact. To rectify this problem a free DNS
service was used to bind a static name to the dynamic IP address of the server machine;
the server binds its current IP to that name whenever it is booted.
2. Another problem is that there should be a standard message format for the client and server
to pass messages between them. For this a proper message format was standardized for the
complete communication process, which is shown below:

Fig. 4.1: Message format fields: Code | Details | IP | Username | TimeStamp

a. Code defines the purpose of the message, which includes:
0 for Host Turned On
1 for Host Turned Off
2 for USB Inserted
3 for USB Removed
4 for Excess Bandwidth
5 for Idle Time
6 for Request RDP
7 for Send RDP Connection String
8 for Close RDP Connection
9 for Browsing Log
10 for Screenshot
11 for Command Request
12 for Command Response
90 for Keep Alive + Current Speed
91 for Keep Alive Acknowledge
b. Details includes any extra information; for example, for code 7 it includes the connection
string.
c. IP is the IP address of the sender.
d. Username is the username of the sending machine.
e. Timestamp is the time at which the message is sent.
3. Another question that arises in communication is how the server will know that the
messages it is sending are reaching their destination, or, put differently, how the server
will know when a client is disconnected, whatever the reason may be. For this, keep-alive
packets (Code: 90) are sent from the client application to the server application
every second, and in response to each packet the server sends an ACK, i.e. an
acknowledgement packet (Code: 91). If the server does not receive any keep-alive
packet for 5 seconds it disconnects the client. The same goes for the client: if it does
not receive an ACK for 5 seconds it assumes that the server is offline and stops sending
keep-alive packets. While the server is offline the client tries to connect to it every 10
seconds until it successfully makes a connection.
4. Lastly, the most interesting part of the connection implementation is the management
of multiple clients and maintaining connections with all of them simultaneously. For
this part multi-threading was used in the program. A new thread is started whenever
a new client gets connected. The code snippet for the above mentioned operation is as
follows:

Live alerts are another notable feature of this system, because of which it outshines others.
Live alerts are shown as a live feed on the server GUI, which pushes a message into the alert list
as shown below:

Fig. 4.2

There is also an option to send an SMS of the alerts to the mobile phone of the admin or the person
in charge of monitoring at the server. This is implemented using the gateway of site2sms, which is
a free SMS sending site.
The complete working of the server and client is divided into several classes to make the
system modular. These classes are as follows:
i. Message: This class is used to encapsulate a message in the proper format; it is
sent over the network by serializing the class into a JSON string. This is done using
Microsoft's JavaScriptSerializer class with the following code snippet.

Here lines 1-2 are used to convert a message to a string to be sent in a TCP packet over
the network. Line 3 is used to take the data string read from the TCP packet and
convert it into a Message class object.
ii. Alert: This class is responsible for adding alerts to the GUI and sending SMS to the admin's
mobile phone.
iii. ConnectionManager: This class handles all connection related tasks, e.g.
connection establishment, sending and receiving packets, etc.
iv. BrowsingActivity: This class is responsible for logging all browsing activity of the
client machine and sending it to the server.
v. MainWindow: This is the central class, which is also responsible for the GUI of the
main screen. This class handles all other classes and is responsible for maintaining
multiple clients at the same time.
vi. UsbInfo: This class is used to monitor all USB ports of the client machine; it
generates an alert using the Alert class when an event is fired by a USB device
being plugged in or ejected.
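The message format of Fig. 4.1, the keep-alive rules of point 3 above and the JSON serialisation of the Message class (item i), replayed together in Python as an added example; this is not the project's C# code. It assumes a hand-advanced clock, constructed addresses (192.0.2.1, 192.0.2.10) and user names, and the hypothetical parse_message helper, which drops malformed or unknown-code input instead of acting on it.

```python
# Message format and keep-alive rules from the report, re-expressed in Python as an
# added illustration (the project itself is C#); addresses and user names are constructed.
import json
import time
from dataclasses import dataclass, asdict

VALID_CODES = set(range(13)) | {90, 91}  # event codes 0-12 from the text, plus keep-alive 90/91
KEEP_ALIVE, KEEP_ALIVE_ACK = 90, 91
KEEPALIVE_INTERVAL = 1.0   # the client sends code 90 once per second
LIVENESS_TIMEOUT = 5.0     # 5 s of silence: the peer is considered gone
RECONNECT_INTERVAL = 10.0  # an offline client retries every 10 s
FIELDS = ("code", "details", "ip", "username", "timestamp")

@dataclass
class Message:
    """The five-field record of Fig. 4.1, carried on the wire as a JSON string."""
    code: int
    details: str
    ip: str
    username: str
    timestamp: float

    def to_json(self) -> str:
        return json.dumps(asdict(self))

def parse_message(raw: str):
    """Message, or None for malformed JSON, a wrong field set or an unknown code."""
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(data, dict) or sorted(data) != sorted(FIELDS):
        return None
    if type(data["code"]) is not int or data["code"] not in VALID_CODES:
        return None
    return Message(**data)

class ServerLiveness:
    """Server side: track last-heard time per client, ACK code 90 with 91, expire the silent."""
    def __init__(self, ip, username, clock=time.monotonic):
        self.ip, self.username, self.clock = ip, username, clock
        self.last_seen = {}  # client ip -> time of its last valid message

    def handle(self, raw: str):
        msg = parse_message(raw)
        if msg is None:      # unrecognised input is ignored, not acted on
            return None
        now = self.clock()
        self.last_seen[msg.ip] = now
        if msg.code == KEEP_ALIVE:
            return Message(KEEP_ALIVE_ACK, "", self.ip, self.username, now).to_json()
        return None

    def expire(self) -> list:
        now = self.clock()
        dead = sorted(ip for ip, t in self.last_seen.items() if now - t > LIVENESS_TIMEOUT)
        for ip in dead:
            del self.last_seen[ip]
        return dead

class ClientLiveness:
    """Client side: send code 90 each second while ACKs arrive, else go offline."""
    def __init__(self, ip, username, clock=time.monotonic):
        self.ip, self.username, self.clock = ip, username, clock
        self.online, self.last_ack, self.next_retry = True, clock(), None

    def on_message(self, raw: str):
        msg = parse_message(raw)
        if msg is not None and msg.code == KEEP_ALIVE_ACK:
            self.last_ack, self.online = self.clock(), True

    def tick(self, current_speed_kbps: int):
        """Once per second: ('send', json), ('reconnect', None) or ('wait', None)."""
        now = self.clock()
        if self.online and now - self.last_ack > LIVENESS_TIMEOUT:
            self.online, self.next_retry = False, now + RECONNECT_INTERVAL
        if self.online:
            ka = Message(KEEP_ALIVE, str(current_speed_kbps), self.ip, self.username, now)
            return ("send", ka.to_json())
        if now >= self.next_retry:   # offline: one reconnect attempt every 10 s
            self.next_retry = now + RECONNECT_INTERVAL
            return ("reconnect", None)
        return ("wait", None)

def simulate(server_down_after=3, steps=20):
    """Server answers for server_down_after seconds, then goes silent; returns (actions, expired)."""
    now = [0.0]
    clock = lambda: now[0]
    server = ServerLiveness("192.0.2.1", "admin", clock)        # constructed
    client = ClientLiveness("192.0.2.10", "employee01", clock)  # constructed
    actions, expired = [], []
    for step in range(steps):
        now[0] += KEEPALIVE_INTERVAL
        kind, payload = client.tick(current_speed_kbps=512)
        actions.append(kind)
        if kind == "send" and step < server_down_after:
            client.on_message(server.handle(payload))
        expired += server.expire()
    return actions, expired
```

In simulate() the ACKs stop after second 3, the client keeps sending through second 8 (exactly 5 s without an ACK is not yet over the limit), both sides give the peer up at second 9, and the first reconnect attempt falls at second 19.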

A difficulty arose in the implementation of sending screenshots over the network, as they
contain binary data, but our server and clients were using a predefined message format which
did not accommodate binary data in the Details part of the message, and there was no way
to mark the start and end of the screenshot picture file. So, in order to tackle this problem,
a new method was devised which was used exclusively for sending files from client to server
and vice versa.

Chapter 5: RESULTS

The design and operation of our system is explained in this section. The screenshots
provided will show the various windows and features of our system.

1. Main Window
The window shown below is the monitoring window that shows the activities from the
various workstations. This software runs on the workstation of the administrator, and
using this window the administrator can issue various commands and can remotely
control and monitor the activities of the user.

Fig 5.1
The main window is divided into three panes. The leftmost pane shows the users that are
currently logged on and on whose machines some work is being done. Each entry
corresponds to a connected user. Along with the name, two buttons are provided, i.e. a
Screenshot button and a Logout button. The Screenshot button, pressed at any moment,
captures a screenshot of the user's desktop, and the Logout button logs the user out of the
system.
The rightmost pane shows the alerts from the workstations. The alerts mainly cover new
mass storage devices being connected and removed. The clock icon shown with each alert
entry shows the timestamp of the occurrence of the event.
The middle pane shows the various control and monitoring windows. The first grid control
shows the NIC activity of the workstation, i.e. bandwidth monitoring. The second grid
control is the interface for executing commands. The bottom-most grid control is the
remote monitoring control, which is shown in the figure below.

2. Remote Desktop Monitoring Window
This window captures the screen of the user so that the administrator can monitor the
activities of the user.

Fig. 5.2

3. Usage Summary Window
This window provides the administrator the facility to check the details of blocked content
browsed by the user. It provides two calendar controls from which the administrator can
select the start and end of the period for which he/she needs to see the summary. The
result of the summary is shown in the pie chart on the right side of the window, as shown
in Fig. 3. The administrator can hover over the different sections of the pie chart to see the
time spent by the user on a particular blocked website.

Fig. 5.3 (Note: the time shown in the pie chart is measured in seconds)
4. Command Execution Window
In this window the administrator can simply type a command and see the result in the
output window, as shown in figure 4. The administrator can even run a file or utility on
the system silently and get the result on his/her screen. The administrator can also create a
batch file, save it remotely on the workstation and run it at any time.


Fig. 5.4
5. Alerts and SMS
As shown in the figure, the right pane shows the alerts from the various workstations. In
the figure the alerts are shown when an external device is inserted into a workstation.
Along with this, the administrator receives a copy of the alert on the mobile number
specified by him.

Fig. 5.5

As we can see, the administrator receives a copy of the alert on the devices registered in
the system.

6. Screenshot Storage
The system also stores copies of the screenshots taken automatically and by the
administrator; they are stored in an organized fashion by the username of the user of the
workstation.


Chapter 6: TESTING AND EVALUATION


The system developed underwent many tests to ensure the proper functioning of the
software and reliability. The system was tested for various functionalities and bugs found
were patched successfully.

Connectivity Test
Since the project demands a continuous connection between the bots and the server, the
following tests were conducted on both the server and the client side:
1. Firstly (client side), the client's network adapter was turned off and then turned on
again to check whether the bot was able to reconnect to the server and resume its proper
functioning.
2. Secondly (client side), the server program was terminated and then restarted to check
whether the client was able to reconnect without any extra effort.
3. Thirdly (server side), the server's network adapter was turned off and then turned on
again to ensure that the bots running on the clients were able to reconnect to the server
and resume their proper function.
4. Lastly (both client and server), exceptions were raised in both the server and the
client program to check whether each program was able to recover from the exception and
reconnect to the other side.
Analysis
After conducting the above tests we found that the client and server were able to
reconnect and resume their normal operations as soon as both sides were up again.
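The reconnection behaviour these four tests exercise, as an added example in Python (the project itself is written in C#; this is not the project's code): a bot that retries the server connection with capped exponential backoff, exchanges keep-alives, and goes back to reconnecting as soon as the link drops. The keep-alive message, interval and backoff values are assumptions, and the FakeConn/flaky_connect stand-ins are constructed so the example runs offline; real_connect shows the socket call a deployed bot would use.

```python
import socket
import time
from itertools import count

KEEPALIVE = b"PING\n"         # assumed keep-alive message; the report does not give the format
KEEPALIVE_INTERVAL = 5.0      # seconds between keep-alives (assumed)
BASE_DELAY, MAX_DELAY = 1.0, 60.0


def reconnect_delay(attempt):
    """Backoff between reconnect attempts: 1, 2, 4 ... seconds, capped at MAX_DELAY.
    The cap keeps a long server outage from growing the wait without bound; the growth keeps
    a restarted server from being hit by every bot in the same instant."""
    return min(BASE_DELAY * (2 ** attempt), MAX_DELAY)


def connect_with_retry(connect, server, sleep=time.sleep, max_attempts=None):
    """Call connect(server) until it succeeds. Returns (connection, attempts_made)."""
    for attempt in count():
        try:
            return connect(server), attempt + 1
        except OSError:                       # refused, unreachable, adapter down, timeout
            if max_attempts is not None and attempt + 1 >= max_attempts:
                raise
            sleep(reconnect_delay(attempt))


def keepalive_session(conn, sleep=time.sleep):
    """Exchange keep-alives until the link drops.
    Returns the number of keep-alive rounds completed before the drop was detected."""
    rounds = 0
    while True:
        try:
            conn.sendall(KEEPALIVE)
            reply = conn.recv(64)
        except OSError:                       # reset, timeout, adapter switched off
            return rounds
        if not reply:                         # orderly close: server program terminated
            return rounds
        rounds += 1
        sleep(KEEPALIVE_INTERVAL)


def run_bot(server, connect, sleep=time.sleep, max_cycles=None):
    """Connect, hold the session, and reconnect whenever it drops.
    Returns a list of (connect_attempts, keepalive_rounds) per cycle; a real bot runs forever."""
    cycles = []
    while max_cycles is None or len(cycles) < max_cycles:
        conn, attempts = connect_with_retry(connect, server, sleep)
        try:
            rounds = keepalive_session(conn, sleep)
        finally:
            conn.close()
        cycles.append((attempts, rounds))
    return cycles


# --- constructed stand-ins so the example runs offline ---------------------

class FakeConn:
    """Socket stand-in: answers each keep-alive from `replies`, then behaves as a closed socket."""
    def __init__(self, replies):
        self.replies = list(replies)

    def sendall(self, data):
        pass

    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""

    def close(self):
        pass


def flaky_connect(failures, replies_per_session=2):
    """connect() that refuses `failures` times (server down), then returns a FakeConn."""
    state = {"left": failures}

    def connect(server):
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionRefusedError(f"{server}: connection refused")
        return FakeConn([b"PONG\n"] * replies_per_session)
    return connect


def real_connect(server):
    """The connect() a deployed bot would use; the timeout turns a dead link into an OSError."""
    return socket.create_connection(server, timeout=5)


if __name__ == "__main__":
    waits = []
    log = run_bot(("192.0.2.1", 9000), flaky_connect(2), sleep=waits.append, max_cycles=2)
    print("cycles (attempts, rounds):", log)   # [(3, 2), (1, 2)]
    print("sleeps:", waits)                     # [1.0, 2.0, 5.0, 5.0, 5.0, 5.0]
```

Two points the tests do not spell out: a timeout on the socket is what turns a silently dead link (adapter switched off on either side) into an OSError the loop can act on, and the growing delay spreads reconnect attempts out after a server restart instead of having every bot hit the server in the same instant, which is the case the load test below measures.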

Load Test
The system was tested with varying numbers of clients connected to the server. The main
aim of this test was to monitor the resources the server program consumed under normal
and anticipated peak load conditions. The system was tested for handling simultaneous
keep-alive messages from various clients; connection strings for remote control and
screenshots were also requested from various clients to keep track of memory usage. In
another test, the resources consumed by the program were measured when the server is
restarted, i.e. when all the clients try to reconnect to the server at the same instant.
Evaluation
After this test the modules and threads were optimised to release memory, so as to
improve the system performance and the response time of the program.

User Interface Test

The application underwent several UI-related tests, which include the following:
1. The server must have a user-friendly interface. To test this, several people were
asked to operate the server application while several clients were connected. Most of
the users who were comfortable with computers were able to understand the UI and operate
the server.
2. The UI should be smooth and must not hang under normal operation; if it does, it must
be able to recover afterwards. To test this, various spurious inputs were entered in the
input fields of the server application. The test was successful, as the server is built
to reject unrecognised inputs and simply ignore them.
3. In the browser activity part, a provision is made so that the user cannot confuse the
application by entering an end date earlier than the start date. This was tested by
trying to do so, which failed because the application disables all dates before the
start date.

Compatibility Test
As the server and client were both developed on Windows 8.1, a compatibility test was
necessary to check their functioning on other Windows versions such as Windows 8 and 7.
No compatibility test was done for Windows XP, since its support has officially ended
by Microsoft and it is considered a very old OS. All features worked as expected on
Windows 8, so it is marked as a compatible OS. When the tests were held on Windows 7, it
was found that most of the features worked as expected except for some, including the
remote desktop connection. This feature worked on some Windows 7 laptops/PCs and not on
others. Several more tests were conducted to find the reason; close inspection of the
machines on which the client and server ran correctly on Windows 7 revealed that Service
Pack 1 of Windows 7 was installed on them. From this it was deduced that the Microsoft
Remote Desktop API requires Windows 7 SP1 or higher in order to work properly.

Security Test
Several security and vulnerability tests were done on the application, including SQL
injection through fake requests from a fake client against the database in use. The
server rejected these, since SQL parameters are passed to the database through the
SqlParameter class of C#, which protects the database from attacks such as SQL injection.
Another security test was a DoS (Denial of Service) attack, in which hundreds of
thousands of fake requests were sent to the server in an attempt to exhaust its
resources. This test failed, as the server currently has no mechanism to prevent the same
IP address from connecting more than once. When the attack was carried out, the server
application was allocated a tremendous amount of resources, including RAM and processor
time; as a result the server machine hung and was not operable for some time, until
garbage collection started after about 5 seconds. This is a major bug which can cause
large problems. Even if this bug is fixed, the server would still be vulnerable to DDoS
(Distributed Denial of Service), which generates thousands of fake requests per second
from many different IP addresses. A per-IP connection limit belongs in the server's
accept loop, but a flood from many addresses can only be absorbed by network-level
controls such as a proper firewall in front of the server, which is outside the scope of
an application whose main aim is to provide monitoring features, not network security.
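The control the DoS test found missing, as an added example in Python (not the project's C# code): a per-IP admission gate for the server's accept loop that caps both the number of open connections from one address and how often that address may reconnect, and that evicts idle entries so the gate's own table cannot be grown without bound. The limits and the sample addresses are assumptions; simulate_flood replays the test's flood offline.

```python
import socket
import time
from dataclasses import dataclass


@dataclass
class _IpState:
    active: int        # connections currently open from this address
    tokens: float      # remaining connection attempts in the bucket
    last: float        # time of the last refill


class ConnectionGate:
    """Per-IP admission control for the server's accept loop.

    Two limits, both checked before a client is served:
      * at most `max_active_per_ip` open connections per address (one workstation, one bot);
      * at most `burst` connection attempts in quick succession, refilled at
        `attempts_per_sec`, so a client that connects and disconnects in a loop is bounded too.
    All values are assumptions; size them to the deployment (see the note below)."""

    def __init__(self, max_active_per_ip=1, attempts_per_sec=0.3, burst=3):
        self.max_active = max_active_per_ip
        self.rate = attempts_per_sec
        self.burst = burst
        self._ips = {}

    def _state(self, ip, now):
        st = self._ips.get(ip)
        if st is None:
            st = self._ips[ip] = _IpState(active=0, tokens=self.burst, last=now)
        st.tokens = min(self.burst, st.tokens + (now - st.last) * self.rate)  # token-bucket refill
        st.last = now
        return st

    def try_accept(self, ip, now=None):
        """Return True if a new connection from `ip` may be served, and account for it."""
        now = time.monotonic() if now is None else now
        st = self._state(ip, now)
        if st.active >= self.max_active or st.tokens < 1:
            return False
        st.tokens -= 1
        st.active += 1
        return True

    def release(self, ip):
        """Call when a connection from `ip` closes."""
        st = self._ips.get(ip)
        if st is not None and st.active > 0:
            st.active -= 1

    def evict_idle(self, now, idle_seconds=300):
        """Forget addresses with no open connection that have been quiet for a while, so a
        scan from many addresses cannot grow this table without bound. Returns the count."""
        stale = [ip for ip, st in self._ips.items()
                 if st.active == 0 and now - st.last > idle_seconds]
        for ip in stale:
            del self._ips[ip]
        return len(stale)


def accept_gated(listener, gate):
    """One accept() on a real listening socket: over-limit clients are closed before any read."""
    conn, addr = listener.accept()
    ip = addr[0]
    if not gate.try_accept(ip):
        conn.close()
        return None
    return conn, ip


def simulate_flood(gate, attacker, legit, attempts=100_000, now=0.0, reconnect_churn=False):
    """Replay a flood from one address; returns (accepted_from_attacker, legit_client_admitted)."""
    accepted = 0
    for _ in range(attempts):
        if gate.try_accept(attacker, now):
            accepted += 1
            if reconnect_churn:           # attacker closes each connection and retries
                gate.release(attacker)
    return accepted, gate.try_accept(legit, now)


if __name__ == "__main__":
    print(simulate_flood(ConnectionGate(), "203.0.113.5", "192.0.2.10"))             # (1, True)
    print(simulate_flood(ConnectionGate(), "203.0.113.5", "192.0.2.10",
                         reconnect_churn=True))                                      # (3, True)
```

accept_gated shows the one place this sits: the address is checked before any byte is read, so a rejected connection costs a close() and nothing else. Size max_active_per_ip to the deployment, since workstations behind a NAT share one address and would trip a limit of one. As the text says, this bounds what a single address can do to the server; a flood from many addresses still has to be handled in front of it.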

Chapter 7: CONCLUSION

Botnets are generally used for malicious purposes. Here a similar architecture was employed and
put to constructive use. Employee monitoring is a very important aspect of an organisation, both
to increase productivity and to protect the organisation from data theft, unintentional or
malicious disclosure of proprietary information, jeopardised business strategy, loss of customer
confidentiality, loss of data integrity, and more. The mere presence of employee monitoring
software is a powerful deterrent against such activities. Apart from this, the system performs
quite well in reporting activities such as attachment of a new device to a USB port, an
employee's visit to a blocked website, remote screen viewing, etc.
The software can be extended to measure idle time on the screen, from which the productivity of
each machine can be calculated. The system still lacks security modules, due to which it is
vulnerable to attacks such as Denial of Service, which when performed hogs all the server
resources. These security modules will be added in future iterations of the project. The system
cannot detect browser activity if the client is using a proxy website, but performs well if the
client uses a VPN, because the tab titles of the browser are read to determine which website is
being visited on the client machine. Proxy bypass will also be patched in future releases and is
at the top of our to-do list. Interestingly, people today consider VPNs more secure, so few use
proxy websites any more, and under these circumstances the software works as intended.
The software works under normal conditions as anticipated, and its measured performance was also
good, as it is very resource efficient. The client takes nearly 5 MB of RAM on the client
machine, so it can run silently without disturbing the employee's work. The server application,
on the other hand, requires a dedicated machine for flawless operation, as each client connection
consumes resources at the server end.

REFERENCES

The following sources were referenced during the development of these modules:
1. Detection of USB:
Title: Detect Insertion and Removal of USB Drive C#
URL: http://www.c-sharpcorner.com/Blogs/14227/detect-insertion-and-removal-of-usb-drive-C-Sharp.aspx
Date referenced: 27/9/2014
2. Communication using sockets:
Title: Socket Class
URL: http://msdn.microsoft.com/en-us/library/system.net.sockets.socket(v=vs.110).aspx
Date referenced: 22/9/2014
3. Serializing data:
Title: Serialization (C# and Visual Basic)
URL: http://msdn.microsoft.com/en-IN/library/ms233843.aspx
Date referenced: 2/10/2014
4. Interface Designing Documentation:
Title: Mahapps.Metro Documentation
URL: http://mahapps.com/
Date referenced: 22/10/2014
5. Remote Assistance:
Title: C# Remote desktop application using RDP
URL: http://stackoverflow.com/questions/23545717/c-sharp-remote-desktop-application-using-rdp-how-to-generate-the-certificate
Date referenced: 12/10/2014

Appendix A: LIST OF TABLES

The server application regularly sends the list of blocked websites, which are frivolous to
the organisation and must not be visited by any employee. If an employee does so, their
activity on that website is logged and saved to the database at the server. For this,
Microsoft SQL Server was used, with two separate tables defined as follows:

1. BrowserActivity:
This table is used to store the browser activity of all the employees. Its definition is
as follows (the primary key constraint needs its column list to be valid T-SQL):
CREATE TABLE [dbo].[BrowserActivity](
    [id] [int] IDENTITY(1,1) NOT NULL,
    [ip] [nvarchar](20) NOT NULL,
    [username] [nvarchar](50) NOT NULL,
    [website] [nvarchar](50) NOT NULL,
    [tabtitle] [nvarchar](max) NOT NULL,
    [date] [date] NOT NULL,
    [totaltime] [int] NOT NULL,
    CONSTRAINT [PK_BrowserActivity] PRIMARY KEY CLUSTERED
    (
        [id] ASC
    )
)

The columns are defined as follows:

Id - A unique id used to identify each row. It is of type identity, i.e. it is
auto-generated by SQL Server.
Ip - Stores the IP address of the client machine to which the corresponding entry belongs.
Username - Stores the username on the client computer to which the corresponding entry
belongs.
Website - Stores the website tag that matched the URL the client machine is visiting.
For example, if a client visits facebook.com and the tag "facebook" is stored in the
database, the website column will store the term "facebook". This is especially useful
for the pie chart, which shows which websites an employee visits and in what ratio.
Tabtitle - Stores the title of the page the employee visits. This gives information
about what exactly the employee is doing on a blocked website.
Date - Stores the date of the website visit.
TotalTime - Stores how much time the employee spent on the corresponding site (the pie
chart in Fig. 5.3 reports this time in seconds).


Some example entries of the above table are shown in the image below.

Fig. a
2. WebsiteList:
This table is used to store the list of blocked/frivolous websites for the employees.
Its definition is as follows.
CREATE TABLE [dbo].[WebsiteList](
[id] [int] IDENTITY(1,1) NOT NULL,
[website] [nvarchar](max) NOT NULL,
CONSTRAINT [PK_WebsiteList] PRIMARY KEY CLUSTERED
(
[id] ASC
)
)

Id - A unique id used to identify each row. It is of type identity, i.e. it is
auto-generated by SQL Server.
Website - Stores the website tag that is matched against the URL a client machine is
visiting. This defines the website that is blocked.
Some example entries of the above table are shown in the image below.

Fig. b
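The two tables above and the SQL-injection check from the Security Test, as an added example in Python with SQLite (the project uses C# with SQL Server and SqlParameter; this is not its code): the tag-matching rule the report describes, an insert that splices values into the SQL text, and the parameterised insert that stores the same input harmlessly. The sample tags, username, address and the forged tab title are constructed. The forged title matters for this system in particular: the tab title is read from the employee's browser, so any page the employee opens can carry it.

```python
import sqlite3

# SQLite rendering of the two tables from Appendix A (the report's own DDL is T-SQL).
SCHEMA = """
CREATE TABLE WebsiteList (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    website TEXT NOT NULL);
CREATE TABLE BrowserActivity (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ip        TEXT NOT NULL,
    username  TEXT NOT NULL,
    website   TEXT NOT NULL,
    tabtitle  TEXT NOT NULL,
    date      TEXT NOT NULL,
    totaltime INTEGER NOT NULL);
"""
COLUMNS = "ip, username, website, tabtitle, date, totaltime"

# Constructed sample data: a few blocked-site tags, as an administrator would enter them.
SAMPLE_TAGS = ["facebook", "youtube", "twitter"]

# A tab title the employee controls. Against string-built SQL it closes the tabtitle
# literal, supplies its own date and totaltime, and comments out the server's real values,
# so the employee's own record shows zero seconds on an old date.
FORGED_TITLE = "Facebook', '2014-01-01', 0) -- "


def open_db(tags=SAMPLE_TAGS):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO WebsiteList (website) VALUES (?)", [(t,) for t in tags])
    return db


def blocked_tags(db):
    return [row[0] for row in db.execute("SELECT website FROM WebsiteList ORDER BY id")]


def match_website_tag(tab_title, tags):
    """The report's detection rule: the first blocked tag contained in the tab title, else None."""
    title = tab_title.lower()
    return next((tag for tag in tags if tag.lower() in title), None)


def log_activity_unsafe(db, ip, username, website, tabtitle, date, totaltime):
    """VULNERABLE: values spliced into the SQL text, the weakness the fake-client test probed for."""
    db.execute(f"INSERT INTO BrowserActivity ({COLUMNS}) VALUES "
               f"('{ip}', '{username}', '{website}', '{tabtitle}', '{date}', {totaltime})")
    db.commit()


def log_activity_safe(db, ip, username, website, tabtitle, date, totaltime):
    """Parameterised insert, the counterpart of passing SqlParameter objects in C#: the driver
    sends the values separately from the statement, so the title is stored verbatim."""
    db.execute(f"INSERT INTO BrowserActivity ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?)",
               (ip, username, website, tabtitle, date, totaltime))
    db.commit()


def last_entry(db):
    return db.execute("SELECT username, website, tabtitle, date, totaltime "
                      "FROM BrowserActivity ORDER BY id DESC LIMIT 1").fetchone()


if __name__ == "__main__":
    db = open_db()
    tag = match_website_tag(FORGED_TITLE, blocked_tags(db))          # 'facebook'
    log_activity_unsafe(db, "10.0.0.7", "alice", tag, FORGED_TITLE, "2014-11-27", 600)
    print("unsafe:", last_entry(db))   # ('alice', 'facebook', 'Facebook', '2014-01-01', 0)
    log_activity_safe(db, "10.0.0.7", "alice", tag, FORGED_TITLE, "2014-11-27", 600)
    print("safe:  ", last_entry(db))   # title stored verbatim; real date and 600 seconds kept
```

The unsafe path is the integrity failure that matters for a monitoring tool: the record of the employee's activity is altered by the employee. The tag-matching rule also shows why the conclusion's proxy-site caveat holds: the match runs on whatever title the browser shows, and nothing else.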

Appendix B: DEPENDENCY GRAPH


There are several modules in the client application, each of which depends on some of the
others. The following dependency graph shows which modules depend on which.


Fig. c
The dependency graph for the server application, which shows the relationships between the
different components of the server, is as follows:


Fig. d
