
CHAPTER 1 INTRODUCTION

The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. The nature of mobility creates new vulnerabilities that do not exist in a fixed wired network, and yet many of the proven security measures turn out to be ineffective. Therefore, the traditional way of protecting networks with firewalls and encryption software is no longer sufficient. We need to develop new architecture and mechanisms to protect wireless networks and mobile computing applications.

1.1. Vulnerabilities of Mobile Wireless Networks

The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First of all, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interfering. Unlike wired networks, where an adversary must gain physical access to the network wires or pass through several lines of defense at firewalls and gateways, attacks on a wireless network can come from all directions and target any node. Damages can include leaking secret information, message contamination, and node impersonation. All this means that a wireless ad-hoc network will not have a clear line of defense, and every node must be prepared for encounters with an adversary, directly or indirectly. Second, mobile nodes are autonomous units that are capable of roaming independently. This means that nodes with inadequate physical protection are receptive to being captured, compromised, and hijacked. Since tracking down a particular mobile node in a global scale network cannot be done easily, attacks by a compromised node from within the network are far more damaging and much harder to detect. Therefore, mobile nodes and the infrastructure must be prepared to operate in a mode that trusts no peer. Third, decision-making in the mobile computing environment is sometimes decentralized, and some wireless network algorithms rely on the cooperative participation of all nodes and the infrastructure. The lack of a centralized authority means that adversaries can exploit this vulnerability for new types of attacks designed to break the cooperative algorithms.

To summarize, a mobile wireless network is vulnerable due to its features of open medium, dynamically changing network topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense.

1.2. The Need for Intrusion Detection

Intrusion prevention measures, such as encryption and authentication, can be used in ad-hoc networks to reduce intrusions, but cannot eliminate them. For example, encryption and authentication cannot defend against compromised mobile nodes, which often carry the private keys. Integrity validation using redundant information (from different nodes), such as that used in secure routing, also relies on the trustworthiness of other nodes, which could likewise be a weak link for sophisticated attacks. To secure mobile computing applications, we need to deploy intrusion detection and response techniques, and further research is necessary to adapt these techniques to the new environment from their original applications in fixed wired networks. In this paper, we focus on a particular type of mobile computing environment called mobile ad-hoc networks and propose a new model for intrusion detection and response for this environment. We will first give a background on intrusion detection, and then present our new architecture.

CHAPTER 2 REQUIREMENT SPECIFICATION

Hardware Specifications
Hard Disk : 40GB or Above.
RAM : 128MB or Above.
Processor : Pentium IV or Above.

Software Specifications
Operating System : Windows 2000 or Above.
Programming Package used : Java 1.4 or Above, Swings.

CHAPTER 3 SOFTWARE REQUIREMENTS SPECIFICATION

3.1 External Interface Requirements

User Interfaces: The user can interact with the system through the user interface. There are different screens available for the users to enter the details. Error messages are also generated.

Hardware Interfaces: Network cable, Network Interface Card.

Software Interfaces: The operating system used is Windows 2000. GA can be viewed as a tool to help generate knowledge for the Rule Based System (RBS).

Communications Interfaces: The protocol to be used is TCP/IP.

3.2 Other Nonfunctional Requirements

3.2.1 Performance Requirements: Software like Java is the important requirement for the performance improvement.

3.2.2 Security Requirements: In the system, the IDS will check whether the chromosomes match the dataset. If they do not match the anomaly dataset, then the IDS will not allow the data to be sent. If they match the normal dataset, then the IDS will allow the data to be sent. So the intruder cannot attack the system with a virus.

3.2.3 Software Quality Attributes: Using a genetic algorithm at run time, a set of new rules will be generated. Initially, there are only fifty rules. Later, there will be more than a thousand rules. The set of rules will be reused. So it is flexible, reliable, secure and maintainable.

CHAPTER 4 LITERATURE SURVEY

4.1 REQUIREMENT ANALYSIS

A mobile Ad-hoc network is a collection of nodes connected through a wireless medium, forming rapidly changing topologies. The dynamic topology of a wireless Ad-Hoc network allows a node to join and leave the network at any point of time. This generic characteristic of wireless Ad-hoc networks has rendered them vulnerable to security attacks. Attackers may be of any type. Identifying the attack type and providing the solution to real-time attacks can be done in real time by forming multiple wireless nodes into a cluster with a cluster head, implementing the Dynamic Source Routing (DSR) protocol, detecting attack types, preventing attacks, etc.

There are several ways to categorize IDS:

Misuse detection vs. anomaly detection: in misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

Network-based vs. host-based systems: in a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system, the IDS examines the activity on each individual computer or host.

Passive system vs. reactive system: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

4.2 ATTACKS IN AD-HOC NETWORKS

From the point of view of intrusion detection and response, we need to observe and analyze the anomalies due to both the consequence and the technique of an attack. While the consequence gives evidence that an attack has succeeded or is unfolding, the technique can often help identify the attack type and even the identity of the attacker. Attacks in MANET can be categorized according to their consequences as follows:

Black hole: All traffic is redirected to a specific node, which may not forward any traffic at all.
Routing Loop: A loop is introduced in a route path.
Network Partition: A connected network is partitioned into k (k >= 2) sub-networks where nodes in different sub-networks cannot communicate even though a route between them actually does exist.
Selfishness: A node is not serving as a relay to other nodes.
Sleep Deprivation: A node is forced to exhaust its battery power.
Denial-of-Service: A node is prevented from receiving and sending data packets to its destinations.

Some of the common attacking techniques are:

Cache Poisoning: Information stored in routing tables is either modified, deleted or injected with false information.
Fabricated Route Messages: Route messages (route requests, route replies, route errors, etc.) with malicious contents are injected into the network. Specific methods include:
a) False Source Route: An incorrect route is advertised into the network, e.g., setting the route length to be 1 regardless of where the destination is.
b) Maximum Sequence: Modify the sequence held in control messages to the maximal allowed value. Due to some implementation issues, a few protocol implementations cannot effectively detect and purge these "polluted" messages in time, so that they can invalidate all legitimate messages with a sequence number falling into normal ranges for a fairly long time.

Rushing: This can be used to improve Fabricated Route Messages. In several routing protocols, some route message types have the property that only the message that arrives first is accepted by a recipient. The attacker simply disseminates a malicious control message quickly to block legitimate messages that arrive later.
Wormhole: A tunnel is created between two nodes that can be utilized to secretly transmit packets.
Packet dropping: A node drops data packets (conditionally or randomly) that it is supposed to forward.
Spoofing: Inject data or control packets with modified source addresses.
Malicious Flooding: Deliver an unusually large amount of data or control packets to the whole network or some target nodes.

4.2.1 IDENTIFYING THE ATTACKS

For each attack, we call the node that runs the corresponding detection rule the "monitoring" node, and the node whose behavior is being analyzed (i.e., the possible attacking or misbehaving node) the "monitored" node. For attacks related to Packet Dropping, the monitoring node is a 1-hop neighbor of the "monitored" node. Both the attack type and the attacker can be identified because the monitoring node can overhear traffic within its 1-hop neighborhood. For Blackhole attacks, the monitoring node is also the monitored node because the detection rule relies on information that is available only on the node (obviously, if an attacker has full control of the node, then the detection modules can be disabled unless they run on some tamper-resistant device). For Flooding and Maximum Sequence attacks, only the attack type, but not the attacker, can be identified by a monitoring node.

We now describe some notation for the statistics (features) used in these rules. We use M to represent the monitoring node and m the monitored node.

N(*→m): the number of incoming packets on the monitored node m.
N(m→*): the number of outgoing packets from the monitored node m.

N({m}→*): the number of outgoing packets of which the monitored node m is the source.
N(*→{m}): the number of incoming packets of which the monitored node m is the destination.
N({s}→m): the number of incoming packets on m of which node s is the source.
N(m→{d}): the number of outgoing packets from m of which node d is the destination.
N(m→n): the number of outgoing packets from m of which n is the next hop.
N({s}→M→m): the number of packets that originated from s and were transmitted from M to m.
N({s}→M→{m}): the number of packets that originated from s and were transmitted from M to m, of which m is the final destination.
N({s}→{d}): the number of packets received on the monitored node (m) which originated from s and are destined to d.

These statistics are computed over a feature sampling interval, denoted as Ls. In addition, we often need the same set of statistics computed over a longer period. These longer-term statistics can be computed directly from the basic features by aggregating them over multiple feature sampling intervals. We use FEATURE_L to denote the aggregated FEATURE over a long period L. We always assume that the time interval L is a multiple of Ls, for simplicity. For example, N_L(*→m) is computed by summing up N(*→m) over the L/Ls rounds of feature sampling intervals.
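The feature notation above, the predicate suffix of the next paragraph and the L/Ls aggregation, worked through in Python. This is an added example, not code from the report: the packet records are constructed, and the packet-dropping check at the end is an illustrative rule built from the features, an assumption for this example rather than a rule the report states.

```python
from collections import namedtuple

# One hop of a packet as overheard by the monitoring node M. The packet originated at
# src, is destined for dst, and was transmitted prev -> nxt during feature sampling
# interval t. These records are constructed for the example, not real captures.
Packet = namedtuple("Packet", "t src dst prev nxt ptype")

def count(pkts, **cond):
    """Count packets whose named fields all equal the given values."""
    return sum(1 for p in pkts if all(getattr(p, k) == v for k, v in cond.items()))

def interval(pkts, t):
    """Packets of the feature sampling interval (length Ls) numbered t."""
    return [p for p in pkts if p.t == t]

# Basic features of the text for monitored node m. Extra keyword arguments act as the
# appended predicate, e.g. N_in(pkts, m, ptype="RREQ") is N(*->m)(TYPE=RREQ).
def N_in(pkts, m, **pred):  return count(pkts, nxt=m, **pred)                   # N(*->m)
def N_out(pkts, m, **pred): return count(pkts, prev=m, **pred)                  # N(m->*)
def N_src(pkts, m, **pred): return count(pkts, prev=m, src=m, **pred)           # N({m}->*)
def N_dst(pkts, m, **pred): return count(pkts, nxt=m, dst=m, **pred)            # N(*->{m})
def N_from(pkts, m, s):     return count(pkts, nxt=m, src=s)                    # N({s}->m)
def N_to(pkts, m, d):       return count(pkts, prev=m, dst=d)                   # N(m->{d})
def N_next(pkts, m, n):     return count(pkts, prev=m, nxt=n)                   # N(m->n)
def N_via(pkts, m, M, s):   return count(pkts, prev=M, nxt=m, src=s)            # N({s}->M->m)
def N_via_final(pkts, m, M, s): return count(pkts, prev=M, nxt=m, src=s, dst=m) # N({s}->M->{m})

def N_L(feature, pkts, m, t0, L, Ls, *args, **pred):
    """FEATURE_L: the feature summed over the L/Ls sampling intervals starting at t0.
    L must be a multiple of Ls, as the text assumes."""
    if L % Ls:
        raise ValueError("L must be a multiple of Ls")
    return sum(feature(interval(pkts, t0 + r), m, *args, **pred) for r in range(L // Ls))

def dropping_ratio(pkts, m):
    """Illustrative packet-dropping check (an assumption for this example, not a rule from
    the text): the share of data packets m received for forwarding but never sent on.
    None when m had nothing to forward."""
    to_forward = N_in(pkts, m, ptype="DATA") - N_dst(pkts, m, ptype="DATA")
    forwarded = N_out(pkts, m, ptype="DATA") - N_src(pkts, m, ptype="DATA")
    return None if to_forward == 0 else 1 - forwarded / to_forward

# Constructed sample: M overhears its 1-hop neighbour m during two sampling intervals.
M, m, s1, s2, d = "M", "m", "s1", "s2", "d"
SAMPLE = [
    # interval 0: three data packets from s1 to d reach m via M; m forwards only one
    Packet(0, s1, d, M, m, "DATA"), Packet(0, s1, d, M, m, "DATA"), Packet(0, s1, d, M, m, "DATA"),
    Packet(0, s1, d, m, d, "DATA"),
    Packet(0, s1, d, M, m, "RREQ"),                   # a route request from s1 relayed by M
    Packet(0, s2, m, M, m, "DATA"), Packet(0, s2, m, M, m, "DATA"),  # m is the final destination
    Packet(0, m, s1, m, M, "DATA"),                   # a packet m originates itself
    # interval 1: two more packets from s1 to d reach m, none is forwarded
    Packet(1, s1, d, M, m, "DATA"), Packet(1, s1, d, M, m, "DATA"),
]

def features(pkts):
    """The basic features for the sample, keyed by the notation of the text."""
    return {
        "N(*->m)": N_in(pkts, m), "N(m->*)": N_out(pkts, m),
        "N({m}->*)": N_src(pkts, m), "N(*->{m})": N_dst(pkts, m),
        "N({s1}->m)": N_from(pkts, m, s1), "N(m->{d})": N_to(pkts, m, d),
        "N(m->d)": N_next(pkts, m, d), "N({s1}->M->m)": N_via(pkts, m, M, s1),
        "N({s2}->M->{m})": N_via_final(pkts, m, M, s2),
        "N(*->m)(TYPE=RREQ)": N_in(pkts, m, ptype="RREQ"),
    }

if __name__ == "__main__":
    for name, value in features(interval(SAMPLE, 0)).items():
        print(name, "=", value)
    print("N_L(*->m) over L = 2 Ls:", N_L(N_in, SAMPLE, m, 0, 2, 1))
    print("dropping ratio in interval 0:", dropping_ratio(interval(SAMPLE, 0), m))
```

Because every feature is a filtered count over the same overheard records, the monitoring node needs no cooperation from m to compute them; the dropping ratio combines four of them and rises from 2/3 in the first interval to 0.8 over both, which is the kind of longer-term trend the aggregated FEATURE_L is meant to expose.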

We also need finer-grained statistics on specific types of packets, e.g., the number of certain route control messages. These specific statistics are denoted by appending a predicate to the corresponding feature. For instance, N(*→m)(TYPE=RREQ) represents the number of incoming RREQ (route request) packets on the monitored node m.

The other common problem with this system is one where the operator or the users start cheating. Either way, the misuse of the system cannot be detected by the system proposed so far. The system misuse problem is discussed below.

4.2.3 SYSTEM MISUSE

The system presented so far works as long as cheaters stay out of the game. Why should a user cheat? The main reason is to get an advantage over other users. As stated before, nodes can alter their network card random back-off times and get an advantage over unmodified ones. In detail, a modified node will win the contention for the channel more often, getting a higher bandwidth share. Other techniques to do so are to launch DoS attacks against other nodes, like jamming or Deauthentication. Another possible reason would be to get the fee from the operator when the QoS is good, in the commercial scenario we outlined above. In the following, we'll consider this latter case. Cheaters modify their lists of events to pretend to have bad QoS while it is good, to get the fee from the operator. We'll explain how to treat the other case later on. Cheaters will make the matching of the event lists fail. In fact, a cheater will provide a list which is (at least in part) incompatible with the correct ones provided by the other honest nodes. For example, let's imagine that a node receives a packet X and claims not to have received it. The sender will of course report that it sent the packet. The receiver will alter its event list by marking packet X+1 from the sender as X, packet X+2 as X+1 and so on. When the matching takes place, it will show this difference.

We then modify our algorithm, and for every event we keep track of which node reported it and of clashing and incompatible events. In the example above, assuming A as the sender and B as the receiver, the list will report "channel free (reported by node B) AND packet X from A to B (reported by node A)", "packet X from A to B (B) AND packet X+1 from A to B (A)", "packet X+1 from A to B (B) AND packet X+2 from A to B (A)". Under the hypotheses that all nodes are in range of each other, and that each node is either honest or a cheater, when we try to build an aggregated list of events we'll end up with all honest users agreeing on a list, and cheaters disagreeing with it (eventually agreeing among themselves). What we are doing is building clusters from the different lists of events. Under an optimistic assumption that most nodes are honest, we'll end up with a big cluster of honest nodes and a small number of outliers, representing the cheaters. However, if we don't assume the general goodwill of the users, cheaters can coordinate their attack and become the bigger cluster. In this case, since there are no trust mechanisms, we cannot decide which cluster represents the honest users and which one the cheaters. As we note that each node can trust only itself, we modify the matching algorithm: each node runs the basic 2-list matching algorithm between its own event list and each of the other nodes' lists. For each event, we mark whether it is shared between the two nodes or not. At the end, the number of matched events will be a measure of similarity between the two lists. When all the matching is done, each node will know how many other nodes share the same opinion as itself, and thus how many other nodes are honest users or cheaters. This system will just tell how many nodes agree or disagree with a given node. To make every node know the opinion of all the other nodes, each node repeats the matching algorithm using the list of events of another node (instead of its own) as the starting point, and iterates over all nodes. This modified algorithm will require n-1 iterations to match a list of events with all the other ones. To match every list with all the other ones, if we do not repeat the already made matching (for example, when matching node N1 with every other one we match N1 with N2, N3 etc. ...)

EXISTING SYSTEM

Traditional systems in place for intrusion detection primarily use a method known as "Finger Printing" to identify malicious users. They are complex. They are rule dependent. If the behavior of packets flowing in the network is new, then the system cannot take any decision. So they work purely on the basis of the initial rules provided.


The rules in the database are static unless the network administrator manually enters the rules. It does not provide any option for generating a dynamic rule set. It cannot create its own rules depending on the current situation. It requires manual effort to monitor the inflowing packets and analyze their behavior. It cannot take decisions at runtime. If the pattern of the packet is new and not present in the records, then it allows the packets to flow without analyzing whether it is an intruder or not. A packet with a new behavior can easily pass without being filtered.

4.4 PROPOSED SYSTEM

It uses a matching algorithm, which is an artificial intelligence problem-solving model. The IDS compares empirically learned user characteristics with those of all users of a system. It includes temporal and spatial information of the network traffic. It is both a network-based and a host-based system. It can take decisions at runtime.

4.5 ADVANTAGES

It eliminates the need for an attack to be previously known in order to be detected, because malicious behavior is different from normal behavior by nature. Using a generalized behavioral model is theoretically more accurate, efficient and easier to maintain than a finger printing system. It uses a constant amount of computer resources per user, drastically reducing the possibility of depleting available resources. Once installed, there is no need for any manual effort to monitor the system. It promotes a high detection rate of malicious behavior and a low false positive rate of normal behavior classified as malicious.


CHAPTER 5 SYSTEM DESIGN

5.1 NETWORK MODEL

The rapid growth of WiFi networks over the past years is due primarily to the fact that they solve several of the intrinsic drawbacks of cellular data services such as GSM/GPRS. These drawbacks are mainly the relatively low offered bit rates and the slow deployment of new features due to several factors such as the large size and the oligopolistic behavior of the operators, their willingness to provide homogeneous service, and the huge upfront investment. Therefore, the deployment of wireless networks such as WiFi in unlicensed frequencies makes it possible to envision a substantial paradigm shift, with very significant benefits: much higher bandwidth, deployment based possibly on local initiative, higher competition, and much shorter time-to-market for new features. This may, in turn, pave the way for new types of services. In recent years, wireless Internet service providers (WISPs) have established thousands of WiFi hot spots, notably in cafes, hotels and airports. However, two major problems still need to be solved. The first problem is the provision of a seamless roaming scheme that would encourage small operators to enter the market. This is a fundamental issue for the future of mobile communications. Indeed, without an appropriate scheme, only large stakeholders would be able to operate their network in a profitable way, and would impose a market organization very similar to the one observed today for cellular networks; one of the greatest opportunities to fuel innovation in wireless communications would be missed. The second problem is the lack of a good quality of service guarantee for the users.

5.1.1 Adding a new node to the network

Node addition to the network can best be explained by use of an example. Consider a building with an existing wireless network maintained by an already present maintenance team. During an intervention, a rescue team enters the building and, to maintain connectivity, regularly deploys new nodes. Because of the nature of this procedure, the network will have a relaying character. We assume that each node has a maximum of two wireless interfaces. Based on this scenario, the dynamic channel selection algorithm assigns channels to each link in such a way that, for each node, the uplink and downlink connections are configured on different channels.


Fig.5.2. Adding a node to the network

To reduce interference between non-adjacent links, each newly deployed node will scan the environment and will assign a channel that is not yet in use to one of its interfaces. The other interface is set to the default channel, as seen in Figure 1. While the underlying character of the network is a mesh topology, due to the channel assignment a relaying network is created. To dynamically assign the channels when a new node is deployed, several messages are exchanged.


Fig.5.3 Packet Flow (diagram not reproduced; messages exchanged between the PREVIOUS, NEW and LAST nodes when a node is added: New Node, ACK, SWITCH TO CHANNEL X, Channel Switch, Resume OLSR, ACK)
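The channel selection of 5.1.1 and the exchange sketched in Fig.5.3, as an added Python example (not the report's code). What it takes from the text: every node has at most two interfaces, a new node scans the environment and gives one interface a channel not yet in use while the other stays on the default channel, and uplink and downlink of every node end up on different channels. Assumptions made here: the channel set and default channel number, that the new node hangs its uplink behind the previously deployed node (which until then waited for it on the default channel and is told to switch with SWITCH TO CHANNEL X), and how many nodes a scan sees.

```python
DEFAULT_CHANNEL = 1          # assumed default channel on which a node waits for the next one
CHANNELS = (1, 6, 11)        # assumed set of usable channels

class Node:
    """A relay node with two interfaces; each attribute holds that interface's channel."""
    def __init__(self, name, uplink=None, downlink=None):
        self.name, self.uplink, self.downlink = name, uplink, downlink

def channels_in_use(scanned):
    """What a scan of the environment returns: every channel some neighbour interface uses."""
    return {c for n in scanned for c in (n.uplink, n.downlink) if c is not None}

def add_node(name, previous, scanned):
    """Deploy `name` behind `previous`. Returns the new node and the messages exchanged."""
    if previous.downlink != DEFAULT_CHANNEL:
        raise ValueError(f"{previous.name} is not waiting on the default channel")
    free = [c for c in CHANNELS if c not in channels_in_use(scanned)]
    if not free:
        raise RuntimeError("no unused channel within range")
    x = free[0]
    msgs = [(name, previous.name, "New Node"), (previous.name, name, "ACK"),
            (name, previous.name, f"SWITCH TO CHANNEL {x}"), (previous.name, name, "ACK")]
    previous.downlink = x                                    # previous moves its downlink to X
    new = Node(name, uplink=x, downlink=DEFAULT_CHANNEL)     # new node's uplink meets it there;
    msgs.append((name, previous.name, "Resume OLSR"))        # its other interface waits on default
    return new, msgs

def chain_is_valid(chain):
    """The property the algorithm is meant to guarantee: every node's uplink and downlink
    differ, and adjacent links of the relay chain use different channels."""
    if any(n.uplink is not None and n.uplink == n.downlink for n in chain):
        return False
    links = [n.uplink for n in chain[1:]]          # link i is the uplink channel of node i
    return all(a != b for a, b in zip(links, links[1:]))

def deploy(names, scan_range=1):
    """Deploy nodes one after another; a scan sees the last `scan_range` nodes of the chain
    (assumption: only they are within radio range of the new node)."""
    chain = [Node(names[0], downlink=DEFAULT_CHANNEL)]   # first node waits on the default channel
    log = []
    for name in names[1:]:
        new, msgs = add_node(name, chain[-1], chain[-scan_range:])
        chain.append(new)
        log += msgs
    return chain, log

if __name__ == "__main__":
    chain, log = deploy(["N1", "N2", "N3", "N4"])
    for n in chain:
        print(n.name, "uplink:", n.uplink, "downlink:", n.downlink)
    print("valid relay chain:", chain_is_valid(chain))
```

With three channels the chain reuses channel 6 on the first and third link, which is allowed because those links are not adjacent; if the scan also sees the node before the previous one (`scan_range=2`), the fourth node finds every channel in use and the deployment stops with an error rather than creating a link that shares a channel with its neighbour.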

5.2 MODULE DESCRIPTION

The modules contained in this project are as follows:
Distributed detection.
a) Multicast the packet to detect the intruder.
Matching the List of events.
Multicast the intruder to the neighboring nodes.
Sending data to the destination.

5.2.1 DISTRIBUTED DETECTION

The basic idea is to set up a monitor at each node in the network to produce evidences and to share them among all the nodes. An evidence is a set of relevant information about the network state. A monitor can be thought of as an instance of the Ethereal network packet sniffer: it captures the traffic and displays detailed information on it. For each captured packet Ethereal displays a complete view of the packet headers (i.e. from Ethernet to the application level) and payload, and adds some general statistics such as the timestamp, frame number and length in bytes. For our purposes we'll look at the Ethernet level header, and as we're focusing on 802.11 frames we'll consider source, destination and BSSId addresses, sequence number, frame type and subtype and the Retry flag. Together with the captured packets, we add relevant statistics collected by the device driver, like counters for transmission retries and for frames received with a wrong FCS (other papers [?] use different statistics such as signal strength and carrier sensing time), and the packet transmission time. We build in this way a list of events at each node. Events are the single transmitted packets or the times in which the channel is idle, which can be inferred from the timestamps of the packets and the packet transmission times. The combination of different lists of events leads to a better understanding of what happened in the network, in particular in distinguishing jamming attacks from channel failures, where packets are sent by one peer and never received by the other peer. Both a channel failure and a jamming attack make the FCS check of the packet fail, thus the packet in transit will be incorrectly received and dropped, incrementing the "dropped frames" counter in the device driver at the receiver. The difference between the 2 cases is the amount of incorrectly received frames at the receiver.

Suppose the receiving station is under jamming, where the packets which pass through the jammed area get scrambled. The monitor placed at the sender's side will see the number of frames sent on the channel, and the monitor at the receiver end won't see anything received correctly and will keep on increasing the incorrectly received frames counter. The sender will retry the transmission a number of times and all these retransmissions will be dropped as well, incrementing the counter. We are able to detect the attack by combining what both monitors saw, as a single one is not able to do the same: the receiver's evidences (no packets received and counter updated) are in fact not enough to distinguish the attack. For the receiver, receiving incorrect frames can happen for various reasons: frames from stations at the limit of the radio range, frames from neighbor networks or a noisy channel are all examples of this. If the counter is not updated, then staying idle without having transmissions aimed at it, or experiencing a device failure, is indistinguishable from being under attack. On the other side, the transmitter cannot tell if the other peer is out of range given the retransmissions only.

5.2.2 DETECT THE INTRUDER

The initial process is the training process, where the source sends the packet with events to all the nodes in the network to detect the intruder. This process is known as multicasting. Before sending the packets to all nodes, the source node initiates the timestamp for the packets. This training process is stored as an initial event list N1 in the source node. Receivers receive the packets, which contain the timestamp, and send appropriate ACK replies. Receivers store the received packets in their event list. After receiving all the packets from the source/initiator, the receiver sends the reply ACK by using the multicast method. Intruder detection is done by checking the received ACK packets for anomalies. This is done by the matching algorithm.

5.2.3 MATCHING THE LIST OF EVENTS

The basic algorithm to match two lists of events is as follows: we start from the first list and for every event (packet or channel idle) we try to find a matching event on the second list, that is, given a packet we look for it on the second list. As we don't have cheaters in play for now, what we find is that every packet on the first list is found on the second one if the network worked fine; otherwise we find a channel idle event if some problem (jamming or malfunctioning) happened. Continuing the example above, we'd have transmitted packets on the first event list and channel idle (together with a high number of dropped packets) on the second one. We can find unmatched events on the second list at the end (for example if the first node was jammed), so we swap the 2 lists and run the matching algorithm again. The final output is a single list of events which combines the two. Jamming and channel failure have the same basic signature (packets transmitted and never received), but differ in their position in the event list. A few packets disappearing here and there are an indication of channel failures, while a sequence of disappearing packets is considered as jamming. A large number of non-consecutive channel failures are an indication of bad QoS. Since all nodes participate in the detection process, we extend it in order to match multiple lists. The idea is to merge one list at a time with the result of the previous merge. In other words, we merge lists N1 and N2, and then we match the result with list N3, until we have processed every list. We obtain in this way an aggregated list of all events which happened in the network in a given time frame. We have to notice here that a node might not overhear the traffic of every other node because of range. We supposed that each node has relevant information to offer, but this is not always true. The key feature here is that the monitoring system is distributed. A single station alone cannot tell if it is experiencing an attack or just a temporary network failure, and cooperation among all nodes is required for the nodes to understand what is going on. The event lists are shared among all nodes in the network. All nodes send their evidences to every other node in the network taking part in the protocol. Every node executes the matching algorithm to generate the aggregated event list, to have a clear view of what happened in the network in the given time frame.

5.2.4 MULTICAST THE INTRUDER TO THE NEIGHBOURING NODES

The matching algorithm is invoked after receiving reply events from the network. It compares events from the other nodes with those of the initiator. If any one of the received ACK packets is not matched, then that particular node is the intruder to be found. Now that the intruder is detected, the address of the intruder is sent to the entire network by multicasting. Neighbor nodes receive the IP address of the intruder and store it in their event lists to prevent future attacks from that node in the network. The multicasting of the intruder address is done by the source.
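The event-list matching of 5.2.3, the jamming / channel-failure / bad-QoS signatures, the identification of the node whose list does not match in 5.2.4, and the clash bookkeeping of 4.2.3, carried through in one added Python example (not the report's code). Events are constructed tuples: ("packet", t, seq, src, dst) for a frame the node saw transmitted at time t, ("idle", t) for a slot in which it saw the channel idle; the run-length thresholds and the four scenarios are assumptions made for the example.

```python
def sent(src, dst, seqs):
    """Packets with the given sequence numbers, transmitted at t == seq (sample convention)."""
    return [("packet", s, s, src, dst) for s in seqs]

def match_two(list_a, list_b):
    """Basic 2-list matching: look up every event of list_a in list_b.
    Returns (shared, only_in_a), both in list_a order."""
    seen = set(list_b)
    return [e for e in list_a if e in seen], [e for e in list_a if e not in seen]

def merge(lists):
    """Merge one list at a time with the result of the previous merge (N1 with N2, then the
    result with N3, ...). Matching the new list against the result so far adds the events only
    it saw (the 'swap the lists and run again' step). Each aggregated event carries the set of
    nodes that reported it; the result is ordered by time."""
    nodes = list(lists)
    agg = {e: {nodes[0]} for e in lists[nodes[0]]}
    for node in nodes[1:]:
        shared, only_new = match_two(lists[node], list(agg))
        for e in shared:
            agg[e].add(node)
        for e in only_new:
            agg[e] = {node}
    return sorted(agg.items(), key=lambda item: item[0][1])

def diagnose(merged, sender, receiver, jam_run=3, qos_bad=4):
    """Packets the sender reported but the receiver did not: a run of consecutive ones is
    jamming, isolated ones are channel failures, many non-consecutive ones mean bad QoS."""
    missing = [e for e, who in merged
               if e[0] == "packet" and e[3] == sender and e[4] == receiver
               and sender in who and receiver not in who]
    runs = []
    for e in missing:                                   # group consecutive sequence numbers
        if runs and e[2] == runs[-1][-1][2] + 1:
            runs[-1].append(e)
        else:
            runs.append([e])
    if any(len(r) >= jam_run for r in runs):
        return "jamming"
    if len(runs) >= qos_bad:
        return "bad QoS"
    return "channel failure" if runs else "ok"

def agreement(lists, base):
    """Node `base` trusts only itself: for every other node, how many of base's events it also
    reported (the similarity measure) and how many of its packet claims clash with base's (a
    different packet, or a packet where base saw the channel idle, at the same time). A jammed
    node reports idle slots, which never clash; a node that relabels packets does."""
    base_at = {e[1]: e for e in lists[base]}
    result = {}
    for node, events in lists.items():
        if node == base:
            continue
        shared, _ = match_two(lists[base], events)
        clashing = [e for e in events
                    if e[0] == "packet" and e[1] in base_at and base_at[e[1]] != e]
        result[node] = (len(shared), len(clashing))
    return result

def suspects(lists, base):
    """Nodes whose lists are incompatible with base's: the address to multicast as intruder."""
    return sorted(node for node, (_, clash) in agreement(lists, base).items() if clash)

# Constructed scenarios: A sends packets 1..8 to B; C overhears everything.
A, B, C, D = "A", "B", "C", "D"
ALL = sent(A, B, range(1, 9))
LISTS_FAILURE = {A: ALL, B: sent(A, B, [1, 2, 3]) + [("idle", 4)] + sent(A, B, [5, 6, 7, 8]), C: ALL}
LISTS_JAMMING = {A: ALL, B: sent(A, B, [1, 2, 3, 4]) + [("idle", t) for t in (5, 6, 7)] + sent(A, B, [8]), C: ALL}
LISTS_BADQOS = {A: ALL, B: [("idle", t) for t in (1, 3, 5, 7)] + sent(A, B, [2, 4, 6, 8]), C: ALL}
# D claims packet 3 never arrived and relabels every later packet (the X+1 -> X shift of 4.2.3).
LISTS_CHEATER = {A: ALL, B: ALL,
                 D: sent(A, B, [1, 2]) + [("idle", 3)] + [("packet", t, t - 1, A, B) for t in range(4, 9)]}

if __name__ == "__main__":
    for name, lists in [("failure", LISTS_FAILURE), ("jamming", LISTS_JAMMING), ("bad QoS", LISTS_BADQOS)]:
        print(name, "->", diagnose(merge(lists), A, B))
    print("agreement with A:", agreement(LISTS_CHEATER, A), "suspects:", suspects(LISTS_CHEATER, A))
```

The distinction the agreement table draws is the one a defender needs: the jammed node B in the jamming scenario shares only five of A's eight events but clashes with none of them, because an honest monitor that lost frames reports idle slots, whereas D's relabelled packets contradict A's list outright and D alone is flagged.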


5.2.5 SENDING DATA TO THE DESTINATION

The data send process is done by splitting the chosen text file into packets for transmission. The data send process is invoked after the source finds an intruder-free path. In the case of jamming or network malfunction, the source waits till the network is restored, starts the training process to find the intruders and, if any are detected, selects a path free from intrusion. The path selection is done by the Dynamic Source Routing Protocol (DSR). The source sends the data directly to the destination through the 'safe' path. The destination receives the data in the form of packets and checks for anomalies to detect any loss of data due to intrusion. The control flow and sequence of events of the project is described in the diagram below.

Fig.5.4 Intrusion Detection System flow chart


5.3 PROTOCOLS USED

5.3.1 DYNAMIC SOURCE ROUTING (DSR) PROTOCOL

The Dynamic Source Routing Protocol is a simple and efficient, reactive on-demand routing protocol used in multihop wireless ad hoc networks. DSR makes the network self-organizing and self-configuring. Two important mechanisms in DSR are Route discovery and Route maintenance. Nodes discover and maintain routes through the network using these mechanisms. DSR uses source routing, which allows routing of packets to be loop free and allows caching of routes in nodes for future use.

Route discovery is the mechanism by which a node S wishing to send a packet to destination node D obtains a source route to D. Route discovery is used only when S attempts to send a packet to D and does not already know a route to D.

Route maintenance is the mechanism by which node S is able to detect, while using a source route to D, if the network topology has changed such that it can no longer use its route to D because a link along the route no longer works. When route maintenance indicates a source route is broken, S can attempt to use any other route it happens to know to D, or can invoke route discovery again to find a new route. Route maintenance is used only when S is actually sending packets to D.
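Route discovery and route maintenance as described above, run on a small topology in Python. This is an added example, not the report's code: the RREQ flooding with a route record, the RREP carrying the source route back to S, the route cache, and the RERR handling follow the description; the five-node topology, the node names and the link that fails are constructed for the example.

```python
from collections import deque

# Constructed topology: undirected links between S, two relays A and B, C, and the destination D.
TOPOLOGY = {"S": {"A", "B"}, "A": {"S", "C"}, "B": {"S", "C"}, "C": {"A", "B", "D"}, "D": {"C"}}

def link(a, b):
    """Undirected link identifier."""
    return frozenset((a, b))

def live(topo, down):
    """The topology with the failed links removed (what a RREQ can actually traverse)."""
    return {n: {m for m in ns if link(n, m) not in down} for n, ns in topo.items()}

def route_discovery(topo, src, dst):
    """Flood a RREQ from src. Every node rebroadcasts a given request only once and appends
    itself to the route record; the first copy to reach dst is answered with a RREP carrying
    the accumulated source route. Returns that route, or None if dst is unreachable."""
    seen, queue = {src}, deque([[src]])
    while queue:
        record = queue.popleft()
        if record[-1] == dst:
            return record
        for nxt in sorted(topo[record[-1]]):      # sorted only to make the example deterministic
            if nxt not in seen:
                seen.add(nxt)
                queue.append(record + [nxt])
    return None

def send(topo, caches, src, dst, down=frozenset()):
    """S sends one packet to D by source routing. Returns (route used or None, events).
    Route discovery runs only when S knows no route to D; route maintenance runs only while S
    is actually sending, and a RERR for a broken link evicts every cached route that uses it,
    so S falls back to any other route it knows before discovering a new one."""
    cache = caches.setdefault(src, {})       # dst -> list of known source routes
    events = []
    while True:
        routes = cache.get(dst, [])
        if not routes:
            route = route_discovery(live(topo, down), src, dst)
            if route is None:
                events.append(("no route", dst))
                return None, events
            events.append(("RREP", tuple(route)))
            cache[dst] = routes = [route]
        route = routes[0]
        # route maintenance: each hop must still be able to reach the next hop
        broken = next((link(a, b) for a, b in zip(route, route[1:]) if link(a, b) in down), None)
        if broken is None:
            events.append(("delivered", tuple(route)))
            return route, events
        events.append(("RERR", tuple(sorted(broken))))
        cache[dst] = [r for r in routes if broken not in map(link, r, r[1:])]

if __name__ == "__main__":
    caches = {}
    for down in (frozenset(), {link("A", "C")}, {link("A", "C")}):
        route, events = send(TOPOLOGY, caches, "S", "D", down)
        print(route, events)
```

The three sends in the usage show the two rules the text states: the first packet triggers a discovery because S has no route; after the link A-C fails, the second packet produces a RERR, evicts the cached route and rediscovers via B; the third packet is delivered from the cache without any RREQ at all.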


CHAPTER 6 SYSTEM IMPLEMENTATION

The system design components are described below.

6.1 GUI Components

The GUI components are JButton, JLabel, JTextField, JTextArea, JTabbedPane, JScrollPane, and Container. JButton is used for send, clear, hopcount, process, store, back, generate to dataset, receive, Add IDS Entry and More Systems. JLabel is used to display To, From, Port, Intermediate System No., Intermediate System Names, Send data, Received Data, source IP, Destination IP, Enter new rules in dataset. JTextField gets the IP addresses, Port number, Intermediate System No. and Intermediate System Names from the user. JTextArea is used to send the data and to receive the data. JTabbedPane: in the development environment, two JTabbedPanes are used. One is the anomalous tab and the other the normal tab.

CLASS          DESCRIPTION
JButton        Push Button implementation.
JLabel         It displays an area for a short text string. A label does not react to input events. As a result, it cannot get the keyboard focus.
JTextField     It is a lightweight component that allows the editing of a single line of text.
JTextArea      It is a multi-line area that displays plain text.
JTabbedPane    A component that lets the user switch between a group of components by clicking on a tab with a given title and/or icon.
JScrollPane    Provides a scrollable view of a lightweight component.
Container      Components added to a container are tracked in a list. The order of the list will define the components' front-to-back stacking order within the container. If no index is specified when adding a component to a container, it will be added to the end of the list.

Table 6.1 Java Swing class description

4.2 Detailed Description

In the user screen, the user enters the Destination host name. The screen contains five buttons. The buttons are resort, browse, close and two clear buttons. Clicking the browse button opens another frame, in which the text file to be sent is entered. This frame has two buttons, open and cancel. The Open button is used to select the text file. The Cancel button is used to exit the file selection process. The entire frame is an Open File Dialog box. When the send button is clicked, the Source name is displayed in the routing table and the destination Host name is verified and displayed as destination in the routing table. The clear button is used to clear the JTextField and the JTextArea. After the Training process, the resort button changes to the Send button and the coherent nodes message box displays the coherent (neighboring) nodes of the source. It displays the source IP address, Destination IP address, the port number, the message and the intermediate system names also. The Data send process contains the Routing table with the role played by each node. The Browse button is used to add the text files to the data send process. The Intruder is already detected by the Training process and the alternate intruder-free path is detected by the matching algorithm.

The Path display box displays the correct intruder-free (safe) paths after the training process. The user can select the appropriate safe path for sending the data if multiple safe paths are available. The Intruder Text field highlights once an intruder is found, and this is done by checking the number of packets received from the coherent nodes. If any node reduces the number of reply packets below the required limit, it is automatically flagged as the intruder, as malicious behavior always consumes or swallows up packets. The intruder field displays the specific node which is the intruder, and this is multicast to all nodes in the network. The data flows within the modules are illustrated in the following data flow diagrams.

TRAINING PROCESS:

STEP 1: Source (IDS-NODE, agent generate) sends request to Intermediate node. Intermediate node (IDS-NODE, agent generate) forwards request to Destination (IDS-NODE, agent generate). Source: list generate and receive from intermediate node. Intermediate node: list generate, receive and forward the merged list. Destination: list generate and forward to intermediate node.

STEP 2: Source (IDS-NODE): updating the Route table; validating merged list; distributing intruder list if intruder found.

Fig 4.1 Data Flow for Training process

DATA SEND PROCESS:

STEP 1: Source (IDS-NODE, agent generate) sends data to Intermediate node through path. Intermediate node (IDS-NODE, agent generate) forwards data to Destination (IDS-NODE, agent generate). Source: list generates and receives from intermediate node. Intermediate node: list generates, receives and forwards the merged list. Destination: list generates and forwards to intermediate node.

STEP 2: Source (IDS-NODE): updating the Route table if intruder found; validating merged list; distributing intruder list if intruder found.

Fig 4.2 Data Flow Diagram for Data Send process.
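The detection rule and path selection described above (reply packets counted per coherent node, nodes below the required limit flagged, the intruder list multicast to all nodes, and only intruder-free paths offered for sending), as an added example. It is not the report's code: the reply log, the coherent-node list, the required limit of 4 replies, the candidate paths and the JSON notice format are all constructed assumptions for this example.

```python
"""Reply-count intruder detection and intruder-free path selection.

Added example, not the report's code.  The reply log, the required limit,
the coherent-node list, the candidate paths and the notice format are all
constructed for this demonstration.
"""
import json
from collections import Counter

# Constructed training log: (replying node, request sequence number) for every
# reply packet the source received from its coherent (neighbouring) nodes.
TRAINING_REPLIES = [
    ("A", 1), ("A", 2), ("A", 3), ("A", 4), ("A", 5),
    ("B", 1), ("B", 2), ("B", 3), ("B", 4), ("B", 5),
    ("C", 1), ("C", 2),                      # C answered only 2 of 5 requests
    ("E", 1), ("E", 2), ("E", 3), ("E", 4), ("E", 5),
]
COHERENT_NODES = ["A", "B", "C", "E"]          # neighbours learned in training
REQUIRED_LIMIT = 4                             # assumed minimum replies per node
# Candidate source routes the routing layer discovered (constructed).
CANDIDATE_PATHS = [["S", "A", "C", "D"], ["S", "B", "E", "D"]]


def reply_counts(replies, coherent_nodes):
    """Replies received per coherent node; a completely silent node counts as 0."""
    counts = Counter(node for node, _ in replies)
    return {node: counts.get(node, 0) for node in coherent_nodes}


def detect_intruders(counts, required_limit):
    """Flag every node whose reply count fell below the required limit: a node
    that swallows packets never returns enough replies to reach it."""
    return sorted(node for node, n in counts.items() if n < required_limit)


def safe_paths(candidate_paths, intruders):
    """Intruder-free paths: drop any path that passes through a flagged node."""
    flagged = set(intruders)
    return [path for path in candidate_paths if not flagged.intersection(path)]


def intruder_notice(source, intruders):
    """Message the source multicasts to all nodes (JSON is a constructed choice)."""
    return json.dumps({"from": source, "intruders": sorted(intruders)}, sort_keys=True)


def merge_notice(notice, local_intruders):
    """A receiving node merges the multicast list into its own intruder list, so
    every node stops routing through the flagged node, not only the source."""
    received = json.loads(notice)["intruders"]
    return sorted(set(local_intruders) | set(received))


def run_training(replies, coherent_nodes, candidate_paths, required_limit):
    """One training round: count replies, flag intruders, filter the paths."""
    counts = reply_counts(replies, coherent_nodes)
    intruders = detect_intruders(counts, required_limit)
    return counts, intruders, safe_paths(candidate_paths, intruders)


if __name__ == "__main__":
    counts, intruders, paths = run_training(
        TRAINING_REPLIES, COHERENT_NODES, CANDIDATE_PATHS, REQUIRED_LIMIT)
    print("reply counts:", counts)
    print("intruders:", intruders)
    print("safe paths:", paths)
    print("multicast:", intruder_notice("S", intruders))
```

Two caveats a practitioner would attach to this rule. The threshold by itself cannot distinguish a node that swallows packets from one that is merely congested or drifting out of radio range, so a verdict is more reliable when it is confirmed over more than one training round before it is multicast. And the notice carries no authentication in the form shown, so a receiving node that merges it blindly would also accept a forged list; requiring the same node to be reported by more than one neighbour before it is excluded limits the damage a single false or forged report can do.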

CHAPTER 5 SYSTEM TESTING

Testing is a process in which software must be tested to uncover as many errors as possible before delivery to the customer. The goal of the testing process is to design a series of test cases that have a high likelihood of finding errors. The main objectives of testing in the software development cycle include the following:

1. Testing is a process of executing a program with the intent of finding an error.
2. A good test is one that has a high probability of finding an undiscovered error.
3. A successful test is one that uncovers an as yet undiscovered error.

A secondary benefit of testing is that it demonstrates that the software appears to be working as stated in the specifications.

5.1 TESTING TYPES

Testing should systematically uncover different classes of errors in a minimum amount of time and with a minimum amount of effort. The data collected through testing can also provide an indication of the software's reliability and quality. But testing cannot show the absence of defects; it can only show that software defects are present. Testing is of different types, and each one has its impact on the developed software in a different way. They are unit testing, integration testing, system testing and acceptance testing.

UNIT TESTING: It comprises a set of tests performed by an individual programmer prior to integration of the unit into a larger system. Each and every module is tested for its correctness. Finally, all the modules are linked and tested for their integration.

INTEGRATION TESTING: It is a systematic technique for constructing the program structure while conducting tests and detecting errors concerned with the program interface. The object is to take unit-tested modules and build a program structure that has been dictated by design.

SYSTEM TESTING: It is conducted at the stage of implementation, and is aimed at ensuring that the system works accurately and efficiently before live operation commences. It makes the logical assumption that if all parts of the system are correct, the goal will be achieved successfully.

ACCEPTANCE TESTING: It is the formal testing that is conducted to determine whether or not the system satisfies its acceptance criteria.

5.2 SAMPLE TEST CASE

5.2.1 User Interface testing

Test case group identification: USER INTERFACE

Functions to be tested: Functions tested include the buttons to select:
  o Resort
  o Clear
  o Send
  o Browse
  o Close

Testing approach: Testing whether the buttons are navigating to the correct pages and producing the proper results, and whether the text fields are accepting the correct data.

Pass/Fail criteria: The buttons should navigate to the correct pages and should produce the correct results.

Individual test cases:

Test case 1:
Test case identifier: Resort Button
Input #1: User enters a valid Host Name and clicks resort to start the training packet process.
Expected output #1: Routing table initialization with display of the role played by coherent nodes in the network.
Expected output #1.1: Resort button changes to Send Button.
Input #2: User enters an invalid Host name or leaves the Host name field blank.
Expected output #2: Display an error message and ask for reentry.
Environment: Java, Windows Platform.
Precedence and dependencies: This test case has to be performed first. This test case has no dependencies.

Test case 2:
Test case identifier: Browse Button
Input #1: User enters a valid Host name of a node in the network.
Expected output #1: Clicking on the Browse button opens a file selection dialog box.
Expected output #1.1: The selected file is of text type and is displayed in the Send Data field before sending it.
Input #2: User enters an invalid Host name and selects an invalid file.
Expected output #2: Display an error message and ask for reentry.
Environment: Java, Windows Platform.
Precedence and dependencies: This test case has to be performed first. This test case has no dependencies.

Test case 3:
Test case identifier: Send Button
Input: User selects the specified button.
Expected output: The data is split into packets and sent to the destination node. The number of packets and the destination node's receipt of those packets is shown in the routing table.
Environment: Java, Windows Platform.
Precedence and dependencies: This test case has to be performed first. This test case has no dependencies.

Test case 4:
Test case identifier: Clear Button
Input: User selects the specified button.
Expected output: All data in the Send Data and Host name fields is deleted and cleared.
Environment: Java, Windows Platform.
Precedence and dependencies: This test case has to be performed first. This test case has no dependencies.

Table 5.1 User Interface testing

5.2.2 Module Testing

Test case group identification: Matching Algorithm and Multicasting of Data packets.

Functions to be tested: Functions tested include the main functions for:
  o MulticastSocket
  o Comparator

Testing approach: Testing whether the packets are multicast to all the nodes. Comparing and detection of packets received to find anomalies by use of the matching algorithm.

Pass/Fail criteria: The matching algorithm should detect anomalies in packets received. All nodes should receive training packets, and the destination node should receive request packets from the source in the Received Data text box.

Individual test cases:

Test case identifier: Comparator
Input #1: Receive the packets and compare with the initial event list.
Expected output #1: The program should display coherent nodes and their role as source, destination or intermediate in the routing table.
Input #2: Receive a reduced packet number from an unassigned node.
Expected output #2: The program should display the unassigned node as intruder and show the intruder-free path in the Path table.
Environment: Java, Windows Platform.
Precedence and dependencies: This test can be done after the training process.

Table 5.2 Module testing

CHAPTER 6 CONCLUSION AND FUTURE WORK

6.1 CONCLUSION

The Distributed Intrusion Detection System proposed here detects intrusion by distributed collection of relevant information from the nodes and is also capable of detecting jamming attacks. We also suggested a commercial use of the system, in order to provide a better service to customers; however, this use allows cheaters to come into play. Anyway, their impact is limited; we showed that the operator cannot lower the quality of service under a certain threshold (as without such a system), otherwise unhappy users will take over and get a payback. We also showed that cheating users cannot push too much; otherwise the system will go towards total shutdown. We achieve two goals: we detect more attacks and force the operator to give a decent service. We allow cheaters to come into play, but their impact is self-limiting, as a working network is needed for them to play. One interesting scenario to analyze would be cheaters who don't care about the service, and thus don't stop cheating when QoS gets too low. This might be a sabotage attack from a rival provider to gain market share. It would also be interesting to add trust and user reputation mechanisms to the system, to improve the matching algorithm.

6.2 FUTURE WORK

Tomorrow's IDS

Due to the inability of NIDS to see all the traffic on switched Ethernet, many companies are now turning to Host-based IDS (second generation). These products can use far more efficient intrusion detection techniques such as heuristic rules and analysis. Depending on the sophistication of the sensor, it may also learn and establish user profiles as part of its behavioral database. Charting what is normal behavior on the network would be accomplished over a period of time.

Strengths

  o A strong IDS Security Policy is the HEART of commercial IDS.
  o Provides worthwhile information about malicious network traffic.
  o Can be programmed to minimize damage.
  o A useful tool for one's Network Security Armory.
  o Helps identify the source of the incoming probes or attacks.
  o Can collect forensic evidence, which could be used to identify intruders.
  o Similar to a security "camera" or a "burglar alarm".
  o Alerts security personnel that someone is picking the "lock".
  o Alerts security personnel that a Network Invasion may be in progress.
  o When well configured, provides a certain "peace" of mind.
  o Part of a Total Defense Strategy infrastructure.

APPENDIX 1 SAMPLE CODE

    package com.gts.src.GUI;

    import com.gts.src.Logic.HelloReceiver;
    import com.gts.src.Logic.Multicst;
    import com.gts.src.Logic.Operations;
    import com.gts.src.Logic.Receiver;
    import com.gts.src.Logic.Request;
    import com.gts.src.Logic.Sender;
    import com.gts.src.Logic.Timer;
    import java.io.*;
    import java.util.Vector;
    import javax.swing.*;
    import javax.swing.table.AbstractTableModel;
    import javax.swing.table.DefaultTableModel;
    import javax.swing.table.TableColumn;
    import javax.swing.table.TableModel;
    import java.awt.*;
    import java.awt.event.ActionEvent;
    import java.awt.event.ActionListener;

    public class Design extends JFrame implements ActionListener {
        Receiver receiver;
        Timer timer;
        public static JTextField destination;
        public static TextArea data, recievedata, msg;
        public static JLabel msgl, destination_l, senddata_l, recievedata_l, intrud_l, path_l;
        public static JButton send, browse, close, clears, cleard;
        public static JTable table;
        public static DefaultTableModel dataModel;
        public static String receivetext = "";
        public static String se = "Send Data", re = "Received Data";
        JScrollPane scrollpane;
        public static List path;          // java.awt.List: the path selection list
        public static String destnode = "";

        /*********************** constructor ************/
        Design() {
            try {
                String inf = "com.sun.java.swing.plaf.windows.WindowsLookAndFeel";
                // UIManager.setLookAndFeel(inf);
            } catch (Exception e) {
                e.printStackTrace();
            }
            Container c = getContentPane();
            c.setLayout(new GridLayout(1, 2));
            c.add(createLeft());
            c.add(createRight());
            setSize(800, 580);
            setTitle("IDS-MONITOR");
            setVisible(true);
            receiver = new Receiver();
            timer = new Timer();
        }

        /*********************** Used to create left part ***********/
        public JPanel createLeft() {
            JPanel panel = new JPanel();
            panel.setLayout(null);
            panel.setBorder(BorderFactory.createTitledBorder(""));
            destination_l = new JLabel("Destination");
            destination_l.setBounds(40, 30, 100, 25);
            panel.add(destination_l);
            destination = new JTextField(15);
            destination.setBounds(110, 30, 100, 25);
            panel.add(destination);
            cleard = new JButton("Clear");
            cleard.setBounds(400, 32, 65, 24);
            panel.add(cleard);
            cleard.addActionListener(this);
            senddata_l = new JLabel("Data");
            senddata_l.setBounds(40, 90, 100, 15);
            panel.add(senddata_l);
            data = new TextArea(5, 40);
            data.setBounds(40, 120, 440, 170);
            panel.add(data);
            recievedata_l = new JLabel("Coherent Nodes");
            recievedata_l.setBounds(40, 415, 160, 15);
            panel.add(recievedata_l);
            recievedata = new TextArea(5, 40);
            recievedata.setBounds(40, 445, 210, 130);
            panel.add(recievedata);
            send = new JButton("Resort");          // becomes "Send" after training
            send.setBounds(15, 500, 80, 27);
            panel.add(send);
            send.addActionListener(this);
            browse = new JButton("Browse");
            browse.setBounds(109, 500, 80, 27);
            panel.add(browse);
            browse.addActionListener(this);
            close = new JButton("Close");
            close.setBounds(202, 500, 80, 27);
            panel.add(close);
            close.addActionListener(this);
            clears = new JButton("Clear");
            clears.setBounds(297, 500, 80, 27);
            panel.add(clears);
            clears.addActionListener(this);
            return panel;
        }

        /*********************** Used to create right part *************/
        public JPanel createRight() {
            JPanel com = new JPanel();
            JPanel down = new JPanel();
            JPanel panel = new JPanel();
            JPanel inter = new JPanel();
            msg = new TextArea(5, 50);
            com.setLayout(new GridLayout(4, 1));
            panel.setBorder(BorderFactory.createTitledBorder(""));
            dataModel = new DefaultTableModel();
            table = new JTable(dataModel);        // the routing table
            dataModel.addColumn("Source");
            dataModel.addColumn("Destination");
            dataModel.addColumn("IP");
            dataModel.addColumn("OP");
            dataModel.addColumn("Role");
            dataModel.setColumnCount(5);
            // dataModel.setRowCount(10);
            scrollpane = new JScrollPane(table);
            panel.add(scrollpane);
            down.setLayout(null);
            inter.setLayout(null);
            msg.setBounds(10, 17, 480, 90);
            msgl = new JLabel("Message");
            msgl.setBounds(10, 0, 100, 15);
            inter.add(msgl);
            inter.add(msg);
            intrud_l = new JLabel("Intruder");
            intrud_l.setBounds(40, 0, 450, 15);
            intrud_l.setForeground(new Color(222, 48, 12));
            down.add(intrud_l);
            path_l = new JLabel("Path");
            path_l.setBounds(40, 45, 100, 15);
            down.add(path_l);
            path = new List();
            path.setBounds(40, 55, 440, 90);
            down.add(path);
            com.add(panel);
            com.add(inter);
            com.add(down);
            return com;
        }

        /* Called when the training process has identified an intruder. */
        public static void setIntruder(String text) {
            System.out.println("Intruder setting -------------------- in source " + text + "\t");
            intrud_l.setText("Intruder : " + text);
        }

        /*********************** Used when browse button pressed *************/
        public static void browseFile() {
            data.setText("");
            JFileChooser chooser = new JFileChooser();
            int returnVal = chooser.showOpenDialog(null);
            if (returnVal == JFileChooser.APPROVE_OPTION) {
                try {
                    String op = "";
                    int d = 0;
                    FileInputStream cont = new FileInputStream(new File(chooser.getSelectedFile().getAbsolutePath()));
                    while ((d = cont.read()) != -1)
                        op = op + (char) d;
                    data.setText(data.getText() + op);
                    cont.close();
                } catch (Exception e2) {
                    e2.printStackTrace();
                }
            }
            data.setEditable(false);
        }

        /*********************** used when Training process **************/
        public static void sendAction() {
            boolean k = false;
            k = Operations.validation(destination.getText());
            if (k) {
                destnode = destination.getText();
                Sender.sendSourceRequest(destination.getText());
            } else
                JOptionPane.showMessageDialog(null, "Please Enter the Hostname", "Information!", JOptionPane.INFORMATION_MESSAGE);
        }

        /*********************** used when packet sending process *************/
        public static void sendData() {
            // method body is not reproduced in this listing
        }

        /*********************** used when set the destination receive text **************/
        public static void setString(String receive) {
            receivetext = receivetext + receive;
            data.setText(receivetext);
        }

        /*********************** used when announcing message **********/
        public static void message(String mesg) {
            msg.setText(msg.getText() + "\n" + mesg);
            // JOptionPane.showMessageDialog(null, mesg, "Information!", JOptionPane.INFORMATION_MESSAGE);
        }

        /* Fills or appends to the coherent-nodes text area. */
        public static void setJta11(String s, String f) {
            if (f.equals("empty")) {
                recievedata.setText(s);
            } else {
                recievedata.append(s);
            }
        }

        /*********************** used when assigning path in list **************/
        public static void setPath(Object[] msg) {
            int alert = path.getItemCount();
            path.removeAll();
            Operations.paths.clear();
            for (int i = 0; i < msg.length; i++) {
                Operations.paths.add(msg[i]);
                path.add((String) msg[i]);
                path.select(0);
                System.out.println("path setting " + (String) msg[i]);
            }
            if (path.getItemCount() > 0) {
                send.setText("Send");
            } else {
                if (alert > 0) {
                    message("There is no safe path");
                    send.setText("Resort");
                    if (Operations.newPathAvail()) {
                        message("Training Process Starts for fresh node");
                        sendAction();
                    } else {
                        message("There is no safe covering node");
                    }
                }
            }
        }

        /*********************** used when event occurr *************/
        public void actionPerformed(ActionEvent e) {
            if (e.getSource() == browse) {
                if (senddata_l.getText().equals(se))
                    browseFile();
            }
            if (e.getSource() == send) {
                senddata_l.setText(se);
                if (send.getText().equals("Resort")) {
                    sendAction();
                    destination.setEditable(false);
                } else {
                    sendData();
                }
            }
            if (e.getSource() == close) {
                System.exit(0);
            }
            if (e.getSource() == clears) {
                data.setEditable(true);
                data.setText("");
                // compare the label's text, not the JLabel object, with the string
                if (senddata_l.getText().equals(re))
                    receivetext = "";
            }
            if (e.getSource() == cleard) {
                System.out.println("dest clear");
                destination.setEditable(true);
                destination.setText("");
                path.removeAll();
                send.setText("Resort");
            }
        }

        /*********************** program starting area ***********/
        public static void main(String arg[]) {
            new Design();
            new Operations();
            Operations.clean();
            new HelloReceiver();
            new Multicst();
        }
    }

APPENDIX 2 SCREEN SHOTS

[Screen shot] The basic GUI of IDS-Monitor

[Screen shot] Multicasting to detect intruder

[Screen shot] Intruder detected by the sender

[Screen shot] Intruder detected by the receiver

[Screen shot] Sending data to the destination
