International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976 – 6367(Print), ISSN 0976 – 6375(Online)
Volume 5, Issue 1, January (2014), pp. 112-117
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI)
www.jifactor.com
ROBUST CAMPUS WIDE NETWORK DEFENDER
Archana D Wankhade (1), Dr. P. N. Chatur (2)
(1) Assistant Professor in Information Technology Department, GCOE, Amravati, India
(2) Head and Professor in Computer Science and Engineering Department, GCOE, Amravati, India.
ABSTRACT
The proposed software architecture is implemented using an agile software development process. The proposed software for defence against attacks deals with attack generation, attack detection in the intranet and then prevention of attacks. The attack prevention module is flexible, as we can add a rule to the firewall to prevent any known attack. Due to space constraints we considered two attacks for each packet type, namely ICMP, UDP and TCP.
Keywords: Smurf, Ping of Death, ICMP Flood, LAND, XMAS, TCP Flood, Ping Pong Attack Generation, Firewall Rules.
1. INTRODUCTION
Nations without controlled borders cannot ensure the security and safety of their citizens, nor can they prevent piracy and theft. Similarly, networks without controlled access cannot ensure the security or privacy of stored data, nor can they keep network resources from being exploited by hackers. When an internal network is connected to the internet, there is no inherent central point of security control; in fact there is no security at all. Network security is one of the major considerations in computer networking. Various types of tools are used to provide security to networks; firewalls and intrusion detection systems are the major ones among them. We start with a description of firewalls, types of firewall and a comparison between firewalls, followed by the algorithms used in our system. Then we cover the IDS part of our system, followed by its algorithms. Lastly we look at the programming languages and tools used in our system. Security consists of mechanisms for providing confidentiality, integrity, and availability. Confidentiality means that only the individuals allowed access to particular information should be able to access that information. Integrity refers to those controls that prevent information from being altered in any unauthorized manner. Availability controls are those that prevent the proper functioning of computer systems from being interfered with. As mentioned, in a computer network the security of data against network attacks is a major concern. In most networks firewalls are used as a filter to prevent unwanted entry into the private network. A firewall is dedicated to only one thing: deciding between authorized and unauthorized communications. But a firewall still cannot detect attacks on the network, and an IDS has its own limitations. So we try to integrate them in such a way as to get the best out of both.
2. LITERATURE SURVEY
2.1 Firewall
A firewall is dedicated to only one thing: deciding between authorized and unauthorized communications. This prevents having to make compromises between security, usability and functionality. Without a firewall, systems are left to their own security devices and configurations. The firewall is a single point of contact between untrusted networks. In general, firewalls mitigate the risk that a system will be used for unauthorized or unintended purposes. There are three primary attributes that are protected by a firewall:
• Risk to confidentiality
• Risk to data integrity
• Risk to availability
The most common usage of a firewall is between the internet connection and the local area network. Other common firewall usages include protecting connections to external third parties, such as market data providers, and between sensitive areas of an internal network.
2.2 How Firewall Works
A firewall is a software program or device that monitors, and sometimes controls, all transmissions between an organization's internal network and the Internet. However large the network, a firewall is typically deployed on the network's edge to prevent inappropriate access to data behind the firewall. The firewall ensures that all communication in both directions conforms to the organization's security policy. Firewall technologies are configurable: you can limit communication by direction, IP address, protocol, ports, or numerous other combinations. If you have access to the firewall, you can configure it to enable the required ports, protocols, and addresses. In some cases, however, your organization's security policy may prevent optimal streaming. For example, firewalls configured to allow only TCP traffic may cause the user to see frequent buffering of clips. The user experience of the presentation is compromised: greater latency and start-up times affect the time needed to view the clip, and delivery of the clip requires more total bandwidth.
There are three techniques used for detection:
• Anomaly detection (behaviour based)
• Misuse detection or signature detection (knowledge based)
• Stateful protocol analysis
Figure 1.1 Detection Capabilities of Different Intrusion Detection Model
Figure 1.1 above shows the detection capabilities for legal and illegal activities of misuse (knowledge-based) and behaviour-based systems.
Anomaly detection: Anomaly detection describes abnormal patterns of behaviour, where the "abnormal" patterns are defined beforehand. Anomaly-based models are supposed to describe only legal activities. Also in this case, incompleteness and inaccuracy can cause false positives and false negatives. Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behaviour of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. The following table shows a comparison of firewalls.
Table 1.1 Comparison of firewalls.
3. PROPOSED INTRUSION PREVENTION SYSTEM
Due to space constraints, we have considered very few attacks and their defence mechanisms. The implementation of the proposed system is divided into the following processes: attack generation algorithms, defence against attack (attack prevention algorithms) and attack detection algorithms. Some sample attack detection and prevention rules are discussed below:
3.1 Attack Generation algorithms
Packet Capture: We used tcpdump and WinDump to capture the incoming flow of information and analysed this traffic using the proposed IDS. The attack generation process can use different tools such as Nmap, Nessus, hping3 and Scapy to generate different kinds of tailor-made packets to perform the attack. For attack generation we used the following tools: Scapy (http://www.scapy.org), Nmap (http://www.nmap.org), hping3 (http://www.hping.org).
3.1.1 LAND Attack Generation: #hping3 -a -spoof -flood <src_ip> <dst_ip>, where a: spoof source address; src_ip: source IP address which is spoofed; dst_ip: destination IP address.
3.1.2 XMAS Attack Generation: Using hping: #hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF 192.16.0.103, where c: count; V: command line switch for additional information about the packet; p: port number; s: source port; M: set the sequence number.
3.1.3 SYN Flood Attack Generation: Using the command: hping3 -S -fast -a <src_ip> <dest_ip>, where S: SYN packets are generated; fast: 10 packets per second; a: spoofing option; src_ip: source IP.
3.1.4 XMAS Attack Generation: Using Scapy, with the parameters src: source IP; dst: destination IP; flags: FPU (FIN, PUSH, URGENT); count: number of packets to generate.
3.2 Attack Detection Algorithms
The attack detection task is carried out through the following tools:
• Snort IDS (www.snort.org)
• SPADE (www.silicondefence.com/Spice_JCS.pdf, www.silicondefense.org)
• NIDES (www.nides.org)
• HONEYPOT (www.Honeydpot.org)
• KFSENSOR (www.keyfocus.net/kfsensor)
• HONEYD (www.Honeyd.org)
• TRIPWIRE (www.tripwire.org)
3.2.1 ICMP Attacks Detection:
If protocol: ICMP and type: Request, check if state[ipaddress]: active;
else if state[ipaddress]: active and return,
check if lastpacket.time < 1 [1 in 1 sec] then count[ipaddress]++
else count[ipaddress]: 0;
if count[ipaddress] > 25 [70 in 1 sec], reset count[ipaddress]: 0 and lastpacket.time: 0, set alarm flag.
3.2.2 Smurf Attack Detection (Snort rule):
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP smurf attack detected"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:78787878;)
3.2.3 SYN Flood Attack Detection:
If protocol: TCP and type: SYN, check if state[ipaddress]: active;
else if state[ipaddress]: active and return,
check if lastpacket.time < 1 [1 in 1 sec] then count[ipaddress]++
else count[ipaddress]: 0;
if count[ipaddress] > 25 [70 in 1 sec], reset count[ipaddress]: 0 and lastpacket.time: 0, set alarm flag.
3.2.4 LAND Attack Detection:
If protocol: TCP and type: SYN,
if source port == destination port,
and source IP == destination IP, set alarm flag.
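The per-source rate counter of sections 3.2.1 and 3.2.3 and the address/port comparison of 3.2.4, written out as an added Python example run over a constructed packet trace; this is not the paper's own code, and the packet field names, the threshold of 25 and the 1 second window are assumptions taken from the pseudocode above.

```python
# Added example, not the paper's code: the count[ipaddress] / lastpacket.time
# detector of sections 3.2.1 and 3.2.3 plus the LAND check of 3.2.4. Field
# names, THRESHOLD and WINDOW are assumptions taken from the pseudocode.
from collections import defaultdict

THRESHOLD = 25   # count per source above which the alarm flag is set
WINDOW = 1.0     # seconds; a packet closer than this to the previous one counts

class FloodDetector:
    def __init__(self):
        self.count = defaultdict(int)        # count[ipaddress]
        self.last_time = defaultdict(float)  # lastpacket.time per source

    def observe(self, pkt):
        alarms, src = [], pkt["src"]
        # LAND (3.2.4): a SYN whose source and destination address and port match
        if pkt["proto"] == "TCP" and pkt["type"] == "SYN" \
                and src == pkt["dst"] and pkt["sport"] == pkt["dport"]:
            alarms.append("LAND")
        # Flood (3.2.1 / 3.2.3): ICMP echo requests and TCP SYNs are counted
        # per source while they arrive less than WINDOW apart, else reset to 0
        if (pkt["proto"], pkt["type"]) in (("ICMP", "Request"), ("TCP", "SYN")):
            if pkt["time"] - self.last_time[src] < WINDOW:
                self.count[src] += 1
            else:
                self.count[src] = 0
            self.last_time[src] = pkt["time"]
            if self.count[src] > THRESHOLD:
                self.count[src], self.last_time[src] = 0, 0.0  # reset, then alarm
                alarms.append(pkt["proto"] + "_FLOOD")
        return alarms

def run(packets):
    """Feed packets in time order; return (time, alarm) pairs."""
    det = FloodDetector()
    return [(p["time"], a) for p in packets for a in det.observe(p)]

def sample_packets():
    """Constructed trace: a SYN burst at 10 ms spacing, one LAND packet, and a
    slow ICMP ping every 2 s that must not raise an alarm."""
    def pkt(t, proto, typ, src, dst, sport, dport):
        return {"time": t, "proto": proto, "type": typ, "src": src,
                "dst": dst, "sport": sport, "dport": dport}
    pkts = [pkt(i / 100, "TCP", "SYN", "10.0.0.5", "10.0.0.1", 40000 + i, 80)
            for i in range(30)]
    pkts.append(pkt(1.0, "TCP", "SYN", "10.0.0.1", "10.0.0.1", 80, 80))
    pkts += [pkt(5.0 + 2 * i, "ICMP", "Request", "10.0.0.7", "10.0.0.1", 0, 0)
             for i in range(5)]
    return pkts
```

On the sample trace the 26th SYN of the burst raises TCP_FLOOD at t=0.25 s, the self-addressed SYN raises LAND, and the slow pings stay silent, which is the behaviour the pseudocode specifies.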
Udp Attacks
3.2.5 XMAS Attack Detection (Snort rule):
alert tcp any any -> any any (msg:"XMAS attack detected"; flow:stateless; flags:FPU,12; sid:1234556;)
3.2.6 Fraggle Attack Detection (Snort rule):
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"UDP_Flood Attack!!!!!"; content:"UDP Flood Test"; flow:stateless; threshold:type threshold, track .
4. CONCLUSIONS
A critical literature survey was made in order to carry out this work. Enterprises' general purpose application firewalls and IDS have evolved in a way that has created a conundrum for security. So the prime goal is to provide an emerging solution that gives the hybrid functionality of IDS, IPS and firewalls in a single box, which would be practical and easy to maintain. We have studied various packet generation tools such as Nmap, Nessus, hping3 and Scapy. Then we experimented with the detection of attacks using open source tools such as Snort IDS, NIDES, HONEYPOT, KFSENSOR, HONEYD and TRIPWIRE, and then we ran various firewalls such as iptables/Netfilter, fwSnort, Squid, CCProxy and Kerio.