network intrusion detection and node recovery using dynamic path routing

Upload: nishanth-gandhidoss, posted 16-Apr-2017

Page 1: NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING

NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING

A PROJECT REPORT

Submitted by

NISHANTH G. (21910205066)

SUDHARSHAN N. (21910205102)

SURYA KRISHNAN R. (21910205107)

in partial fulfillment for the award of the degree

of

BACHELOR OF TECHNOLOGY

in

INFORMATION TECHNOLOGY

SRI VENKATESWARA COLLEGE OF ENGINEERING

SRIPERUMBUDUR – 602105

ANNA UNIVERSITY: CHENNAI 600 025

MARCH 2014

ANNA UNIVERSITY: CHENNAI 600 025

BONAFIDE CERTIFICATE

Certified that this project report “NETWORK INTRUSION DETECTION AND NODE RECOVERY USING DYNAMIC PATH ROUTING” is the bonafide work of “Nishanth G. (21910205066), Sudharshan N. (21910205102), Surya Krishnan R. (21910205107)” who carried out the project work under my supervision. Certified further, that to the best of my knowledge the work reported herein does not form part of any other project report or dissertation on the basis of which a degree or award was conferred on an earlier occasion on this or any other candidate.

SIGNATURE

Dr. D. Balasubramanian, Ph.D.,
HEAD OF THE DEPARTMENT
Dept. of Information Technology,
Sri Venkateswara College of Engineering,
Sriperumbudur-602105

SIGNATURE

Ms. Saktheeswari R, B.Tech.,
ASSISTANT PROFESSOR, SUPERVISOR
Dept. of Information Technology,
Sri Venkateswara College of Engineering,
Sriperumbudur-602105

Place: Chennai

Date:


INTERNAL EXAMINER EXTERNAL EXAMINER


ACKNOWLEDGEMENT

We thank our Principal Dr. M Sivanandham, Ph.D., Sri Venkateswara College of Engineering, for his support to work on this project.

We express our sincere thanks to Dr. D Balasubramanian, Ph.D., Professor and Head, Department of Information Technology, Sri Venkateswara College of Engineering, for giving us an opportunity to work on the project and for his valuable guidance.

We express our deep sense of gratitude and respect to our guide, Ms. Saktheeswari R, B.Tech, Assistant Professor, for encouraging us with innovative ideas and suggestions throughout the project.

We express our heartfelt gratitude to Mr. Praveen Jeyaraj, CEO, Propeltree Technologies Ltd., and his colleagues, for their constant support and invaluable guidance throughout the project.

We express our in-depth thanks to Mrs. D Jayanthi, M.E., Assistant Professor and Project Co-ordinator, for her continual support and assistance throughout the project.

Last but not the least, we would also like to thank all the staff members of the department, our parents and friends for their inspiration, co-operation and encouragement in motivating us to successfully complete this project.

ABSTRACT


Privacy threat is one of the critical issues in multihop wired networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wired medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multihop wired networks, together with anonymous node recovery and dynamic path routing. With homomorphic encryption, the proposed scheme offers significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting traffic analysis attacks. The anonymous node recovery approach increases the performance of the network by identifying the malicious node in the network; once the malicious node is identified, DPR (dynamic path routing) selects an alternate path so that the packets are routed around the adversary nodes. Moreover, the proposed scheme keeps the random coding feature. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

TABLE OF CONTENTS

CHAPTER NO.  TITLE  PAGE NO.

ABSTRACT  i
LIST OF FIGURES  v
LIST OF ABBREVIATIONS  vi

1  INTRODUCTION  1
1.1  GENERAL  1
1.2  NETWORK INTRUSION DETECTION  2
1.3  ROUTING PROTOCOL BASICS  2
1.4  EXISTING SYSTEM  3
1.5  PROPOSED SYSTEM  4
1.6  SYSTEM SPECIFICATION  5
1.6.1  Hardware Requirements  5
1.6.2  Software Requirements  5
1.6.3  Libraries  5
1.7  SOFTWARE DESCRIPTIONS  6
1.7.1  Java Programming Language  6
1.7.2  JDBC  7
1.7.3  Networking  7
1.8  SUMMARY  10

2  LITERATURE SURVEY  11
2.1  INTRODUCTION  11
2.2  LITERATURE SURVEY  11
2.3  SUMMARY  16

3  SYSTEM DESIGN  17
3.1  INTRODUCTION  17
3.2  ARCHITECTURE OF THE PROPOSED SYSTEM  17
3.3  OVERVIEW OF THE PROPOSED SYSTEM  19
3.3.1  Network Topology  19
3.3.2  Network Intrusion Detection and Prevention  20
3.3.3  Node Recovery  20
3.3.4  Source Anonymity  20
3.3.5  Dynamic Path Routing  21
3.4  SUMMARY  21

4  NETWORK TOPOLOGY  22
4.1  INTRODUCTION  23
4.2  NETWORK IMPLEMENTATION  23
4.3  RESULTS  25
4.4  SUMMARY  25

5  NETWORK INTRUSION DETECTION AND PREVENTION  26
5.1  INTRODUCTION  27
5.2  ENCRYPTION ALGORITHM  27
5.2.1  Digital Signature Algorithm  29
5.3  EVIDENCE COLLECTION  31
5.4  RISK ASSESSMENT  31
5.5  EXPERIMENTS AND RESULTS  32
5.6  SUMMARY  32

6  NODE RECOVERY  33
6.1  INTRODUCTION  34
6.2  NODE RECOVERY  34
6.3  ROUTING TABLE RECOVERY  35
6.4  INTRUSION NODE RECOVERY SYSTEM  35
6.5  SUMMARY  36

7  SOURCE ANONYMITY  37
7.1  INTRODUCTION  38
7.2  HOMOMORPHIC ENCRYPTION  38
7.3  DATA FLOW DIAGRAM  40
7.4  SUMMARY  41

8  DYNAMIC PATH ROUTING  42
8.1  INTRODUCTION  43
8.2  PATH DETERMINATION  43
8.3  SUMMARY  44

9  RESULTS AND DISCUSSIONS  45
9.1  INTRODUCTION  45
9.2  EXPERIMENTAL SETUPS  45
9.3  RESULTS AND OUTPUT  47
9.4  SUMMARY  50

10  CONCLUSIONS AND FUTURE WORKS  51
10.1  Conclusions  51
10.2  Future Works  51

11  REFERENCES  52

CHAPTER 1

INTRODUCTION

1.1 INTRODUCTION

Wireless and wired networks, such as Wi-Fi, LAN, MAN, etc., have been widely deployed in the access network area due to their benefits such as convenience, mobility, and low cost. However, they still suffer from inherent shortcomings such as limited radio coverage, poor system reliability, and a lack of security and privacy. Multi-hop Wireless Networks (MWNs) are regarded as a promising solution for extending the radio coverage range of existing wireless networks. System reliability can be improved through multi-path packet forwarding, which is feasible in MWNs. However, many security and privacy issues exist in MWNs. Due to the open-air wireless transmission, MWNs suffer from various kinds of attacks, such as eavesdropping, data modification/injection, and node compromising; these attacks may breach the security properties of MWNs, including confidentiality, integrity, and authenticity. In addition, advanced attacks such as traffic analysis and flow tracing can also be launched to compromise the privacy of users, including source anonymity and traffic secrecy. In this paper, we focus on the privacy preservation issue, i.e., how to prevent traffic analysis/flow tracing and achieve source anonymity in MWNs.

1.2 NETWORK INTRUSION DETECTION

The conventional approach to securing a computer or network system is to build a “protective shield” around it. Outsiders who need to enter the system must identify and authenticate themselves, commonly known as the identification and authentication problem. The shield should also prevent the leakage of information from the protected domain. A secure computer or network system should provide the following services: data confidentiality, data integrity and assurance against denial of service. Intrusion detection is a new approach for providing a sense of security in existing computers and data networks while allowing them to operate in their current “open” mode. Network Anomaly Detection and Intrusion Reporter is an automated expert system that streamlines and supplements the manual audit record review performed by the single sign-on.

1.3 ROUTING PROTOCOL BASICS

All dynamic routing protocols are built around an algorithm. A routing algorithm must, at a minimum, specify the following:

A procedure for passing reachability information about networks to other routers

A procedure for receiving reachability information from other routers

A procedure for determining optimal routes based on the reachability information it has and for recording this information in a route table

A procedure for reacting to, compensating for, and advertising topology changes in an internetwork

A few issues common to any routing protocol are path determination, metrics, convergence, and load balancing.

1.4 EXISTING SYSTEM

Due to the open wireless medium, MWNs are susceptible to various attacks, such as eavesdropping, data modification/injection, and node compromising. These attacks may breach the security of MWNs, including confidentiality, integrity, and authenticity. Network coding was first introduced; subsequently, two key techniques, random coding and linear coding, further promoted the development of network coding technologies.

In the existing system, privacy-preserving techniques such as Onion Routing are used in network-coding-enabled networks. Network coding has the potential to thwart traffic analysis attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries.

The disadvantages of the existing system are as follows:

1. It is very challenging to efficiently thwart traffic analysis/flow tracing attacks and provide privacy protection in MWNs.

2. Existing privacy-preserving solutions, such as proxy-based schemes, may either require a series of trusted forwarding proxies or result in severe performance degradation in practice.

3. They still suffer from inherent shortcomings such as limited radio coverage, poor system reliability, and a lack of security and privacy.

1.5 PROPOSED SYSTEM

In this project, we focus on the privacy issue, i.e., how to prevent traffic analysis/flow tracing and achieve source anonymity in MWNs. Another example is event reporting in networks, where flow tracing can help attackers to identify the location of the events concerned; this is countered by applying digital signatures to message packets, which are efficient in communication, and by applying key management for security. In the proposed protocols, secret keys and pairing parameters are distributed and preloaded in all nodes by the server initially. Among all privacy properties, source anonymity is of special interest in MWNs. Source anonymity refers to communicating through a network without revealing the identity or location of source nodes.

In addition, a malicious adversary can also launch advanced attacks, such as traffic analysis and flow tracing, to compromise user privacy, including source anonymity and traffic secrecy. Other advantages are:

1. Secure communication.

2. More reliability.

3. Packet flow untraceability.

1.6 SYSTEM SPECIFICATION

1.6.1 HARDWARE REQUIREMENTS

PROCESSOR : PENTIUM IV 2.6 GHz, Intel Core 2 Duo.
RAM : 2 GB DDR RAM
MONITOR : 15” COLOR
HARD DISK : 40 GB

1.6.2 SOFTWARE REQUIREMENTS

Netbeans version 7
MySql
Java (Jdk 1.6.0 and above)
Windows 7 or Linux

1.6.3 LIBRARIES

Bouncy Castle library
OpenCV library

1.7 SOFTWARE DESCRIPTIONS

1.7.1 Java Programming Language

The Java programming language is a high-level language that is platform independent and interoperable across operating systems. With most programming languages, you either compile or interpret a program so that you can run it on your computer. The Java programming language is unusual in that a program is both compiled and interpreted.

With the compiler, you first translate a program into an intermediate language called Java byte codes, the platform-independent codes interpreted by the interpreter on the Java platform. The interpreter parses and runs each Java byte code instruction on the computer. Compilation happens just once; interpretation occurs each time the program is executed. Fig 1.1 illustrates how this works.

Fig 1.1: Working of Java Program

1.7.2 JDBC

In an effort to set an independent database standard API for Java, Sun Microsystems developed Java Database Connectivity, or JDBC. JDBC offers a generic SQL database access mechanism that provides a consistent interface to a variety of RDBMSs. This consistent interface is achieved through the use of “plug-in” database connectivity modules, or drivers.

Fig 1.2: Organization of Java APIs

1.7.3 Networking

1.7.3.1 TCP/IP stack

The TCP/IP stack is shorter than the OSI one. TCP is a connection-oriented protocol; UDP (User Datagram Protocol) is a connectionless protocol.

1.7.3.2 IP Datagrams

The IP layer provides a connectionless and unreliable delivery system. It considers each datagram independently of the others. Any association between datagrams must be supplied by the higher layers. The IP layer supplies a checksum that includes its own header. The header includes the source and destination addresses. The IP layer handles routing through an internet. It is also responsible for breaking up large datagrams into smaller ones for transmission and reassembling them at the other end.

1.7.3.3 TCP

TCP supplies logic to give a reliable connection-oriented protocol above IP. It provides a virtual circuit that two processes can use to communicate.

1.7.3.4 Internet Addresses

In order to use a service, you must be able to find it. The Internet uses an address scheme for machines so that they can be located. The address is a 32 bit integer which gives the IP address. This encodes a network ID and more addressing. The network ID falls into various classes according to the size of the network address.

1.7.3.5 Network Address

Class A uses 8 bits for the network address with 24 bits left over for other addressing. Class B uses 16 bit network addressing. Class C uses 24 bit network addressing and class D uses all 32.

1.7.3.6 Host Address

The 8 bits are finally used for host addresses within our subnet. This places a limit of 256 machines that can be on the subnet.

1.7.3.7 Total Address

The 32 bit address is usually written as 4 integers separated by dots.

Fig 1.3: Representation of Total IP Address

1.7.3.8 Port Addresses

A service exists on a host and is identified by its port. This is a 16 bit number. To send a message to a server, you send it to the port for that service on the host that it is running on. This is not location transparency! Certain of these ports are "well known".

1.7.3.9 Sockets

A socket is a data structure maintained by the system to handle network connections. A socket is created using the socket call. It returns an integer that is like a file descriptor. In fact, under Windows, this handle can be used with the ReadFile and WriteFile functions.

    #include <sys/types.h>
    #include <sys/socket.h>

    int socket(int family, int type, int protocol);

Here "family" will be AF_INET for IP communications, protocol will be zero, and type will depend on whether TCP or UDP is used. Two processes wishing to communicate over a network create a socket each. These are similar to two ends of a pipe, but the actual pipe does not yet exist.

1.8 SUMMARY

Thus the above chapter gives an overview of the limitations of the existing system and the advantages of the proposed system with regards to virtual network systems. It also specifies the working of the system with regards to system specifications and the technology being used with the proposed system.

CHAPTER 2

LITERATURE SURVEY

2.1 INTRODUCTION

The chapter explains the basic working of the various reference papers in use.

2.2 LITERATURE SURVEY

Proxy-based schemes include Crowds ["Crowds: Anonymity for Web Transactions"] by M. K. Reiter and A. D. Rubin

In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of “blending into a crowd,” operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another.

We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties. The common characteristic of these schemes is that they employ one or more network nodes to issue service requests on behalf of the originator. In Crowds, servers and crowd members cannot distinguish the originator of a service request, since it equally likely originates from any member of the crowd.

Chaum’s mix based schemes include MorphMix ["Introducing MorphMix: Peer-to-Peer based Anonymous Internet Usage with Collusion Detection"] by M. Rennhard and B. Plattner

Traditional mix-based systems are composed of a small set of static, well known, and highly reliable mixes. To resist traffic analysis attacks at a mix, cover traffic must be used, which results in significant bandwidth overhead. End-to-end traffic analysis attacks are even more difficult to counter because there are only a few entry and exit points in the system. Static mix networks also suffer from scalability problems and in several countries, institutions operating a mix could be targeted by legal attacks. In this paper, we introduce MorphMix, a system for peer-to-peer based anonymous Internet usage. Each MorphMix node is a mix and anyone can easily join the system.

We believe that MorphMix overcomes or reduces several drawbacks of static mix networks. In particular, we argue that our approach offers good protection from traffic analysis attacks without employing cover traffic. But MorphMix also introduces new challenges. One is that an adversary can easily operate several malicious nodes in the system and try to break the anonymity of legitimate users by getting full control over their anonymous paths. To counter this attack, we have developed a collusion detection mechanism, which allows compromised paths to be identified with high probability before they are used. The common feature of these schemes is to employ techniques such as shaping, which divides messages into a number of fixed-sized chunks, and mixing, which caches incoming messages and then forwards them in a randomized order.

Mixminion: Design of a Type III Anonymous Remailer Protocol by G. Danezis, R. Dingledine, and N. Mathewson

We present Mixminion, a message-based anonymous remailer protocol with secure single-use reply blocks. Mix nodes cannot distinguish Mixminion forward messages from reply messages, so forward and reply messages share the same anonymity set. We add directory servers that allow users to learn public keys and performance statistics of participating remailers, and we describe nymservers that provide long-term pseudonyms using single-use reply blocks as a primitive. Our design integrates link encryption between remailers to provide forward anonymity.

Mixminion works in a real-world environment, requires little synchronization or coordination between nodes, and protects against known anonymity-breaking attacks as well as or better than other systems with similar design parameters. If an adversary records the input and output batches of a mix and then replays a message, that message's decryption will remain the same. Thus an attacker can completely break the security of the mix-net [7]. Mixmaster 2.0 offered replay prevention by keeping a list of recent message IDs. But because it expired old entries to keep the list short, the adversary simply has to wait until the mix has forgotten a message and replay it. To block timestamp attacks, clients randomly add or subtract a few days from the timestamp. But this approach may still be open to statistical attacks. Mixminion instead counters replays by introducing key rotation: a message is addressed to a given key, and after the key changes no messages to the old key will be accepted, so the mix can forget about all the messages addressed to old keys. The number of IDs a node needs to remember between key rotations is not too great a burden.

Onion-based schemes include Onion Routing ["Onion Routing for Anonymous and Private Internet Connections"] by D. Goldschlag, M. Reed, and P. Syverson

Preserving privacy means not only hiding the content of messages, but also hiding who is talking to whom (traffic analysis). Much like a physical envelope, the simple application of cryptography within a packet-switched network hides the messages being sent, but can reveal who is talking to whom, and how often. Onion Routing is a general-purpose infrastructure for private communication over a public network [8, 9, 4]. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. The connections are bidirectional, near real-time, and can be used for both connection-based and connectionless traffic. Onion Routing interfaces with off the shelf software and systems through specialized proxies, making it easy to integrate into existing systems. Prototypes have been running since July 1997. As of this article's publication, the prototype network is processing more than 1 million Web connections per month from more than six thousand IP addresses in twenty countries and in all six main top-level domains. The common feature of this kind of scheme is the chaining technique, which chains onion routers together to forward messages hop by hop to the intended recipient. The characteristic of this technique is that every intermediate onion router only knows about the router directly in front of and behind itself, which can protect user privacy if one or even several intermediate onion routers are compromised. Network coding has privacy-preserving features, such as shaping, buffering, and mixing. However, network coding suffers from two primary types of attacks, pollution attacks and entropy attacks. Untrusted nodes or adversaries can launch pollution attacks by injecting polluted messages or modifying disseminated messages, which is fatal to the whole network due to the rapid propagation of pollution. In entropy attacks, adversaries forge non-innovative packets that are linear combinations of “stale” ones, thus reducing the overall network throughput. To secure network coding, some solutions have been proposed and they can be divided into two categories according to their theoretical bases. Information theory based schemes can only detect or filter out polluted messages at sinks, not at forwarders.

A parallel technique for improving the performance of signature-based network intrusion detection system

Nowadays, organizations discover that it is essential to protect their valuable information and internal resources from unauthorized access, for example by deploying a firewall. A firewall can prevent unauthorized access, but it cannot monitor network attacks. Another network security tool, such as an intrusion detection system, is necessary to monitor network activities. With the recent trend of high-speed networks, a large volume of data should be analyzed and processed with high-speed infrastructure. To promote the performance of network intrusion detection systems and reduce the processing time of the traffic, present studies on network intrusion detection systems for high-speed networks focus on parallel techniques as an alternative. In this paper, a kind of parallelism is proposed to improve the performance of signature based intrusion detection systems. Consequently, the performance of the system will be improved.

Packet Classification Algorithms: From Theory to Practice

During the past decade, the packet classification problem has been widely studied to accelerate network applications such as access control, traffic engineering and intrusion detection. In our research, we found that although a great number of packet classification algorithms have been proposed in recent years, unfortunately most of them stagnate in mathematical analysis or software simulation stages and few of them have been implemented in commercial products as a generic solution. To fill the gap between theory and practice, in this paper, we propose a novel packet classification algorithm named HyperSplit. Compared to the well-known HiCuts and HSM algorithms, HyperSplit achieves superior performance in terms of classification speed, memory usage and preprocessing time. The practicability of the proposed algorithm is manifested by two facts in our test: HyperSplit is the only algorithm that can successfully handle all the rule sets; HyperSplit is also the only algorithm that reaches more than 6Gbps throughput on the Octeon3860 multi-core platform when tested with 64-byte Ethernet packets against 10K ACL rules.

2.3 SUMMARY

This section provides an overview of the basic information regarding the algorithms and techniques used in the reference network intrusion detection, source encoding, digital signature services and virtual network systems.


CHAPTER 3

SYSTEM DESIGN

3.1 INTRODUCTION

This chapter explores the issue of the high computational and communication overhead in classical homomorphic hash functions by carefully analysing the different types of overhead, proposes methods to help reduce both the computational and the communication cost, and provides provable security and dynamic path routing on a wired network system. In this project, we focus on the privacy issue, i.e., how to prevent traffic analysis/flow tracing and achieve source anonymity in MWNs.

3.2 ARCHITECTURE OF THE INTRUSION DETECTION SYSTEM

Fig 3.1 explains the architecture diagram for the Intrusion Detection and Recovery System. The diagram includes a source node, a set of intermediary nodes, a server node, a hacker node and a recovery node. The server node acts as a solitary administrator which defines and selects the shortest path. The intermediary nodes act as packet transfer nodes which are part of the MWN. The hacker node is considered to be an external system that accesses the MWN using the victim's IP address and port number.

Fig 3.1 Architecture Diagram for the System

1, 3, 4 – Intermediary nodes that are part of routing tables

2 – An intermediary node that is assumed to have been hacked by the hacker node.

The proposed MWN system implements the AES algorithm and DSA to counteract network intrusion. After selecting the intermediate nodes, the sender has to prepare the message content that is sent to the receiver.

Consider that a source has h messages, say x_1, ..., x_h, to be sent out. The source first prefixes h unit vectors to the h messages, respectively. After tagging, the source can choose a random LEV (local encoding vector) and then perform a linear encoding operation on these messages. Thus, one LEV will generate an encoded message with the GEV (global encoding vector, which is equal to the LEV temporarily) tagged. To offer confidentiality for the tags, homomorphic encryption operations are employed on these tags.

After performing sink encoding, we have to encrypt the global encoding vector using a homomorphic encryption technique. Homomorphic Encryption Functions (HEFs) have the property of homomorphism.

In this module we find the shortest path on the network (using Dijkstra). We find the malicious attacked nodes in the network using the recovery mechanism. After decoding is performed, the receiver will receive the original information in a more secure and reliable manner.
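The tagging, random linear encoding and sink-side decoding described above, as an added Python example that is not part of the project's Java code: the source prefixes unit vectors to h messages, the source and a relay mix packets with random LEVs, the GEV rides in front of each coded packet, and the sink keeps only innovative packets (dropping the non-innovative combinations that the entropy attack in the literature survey relies on) before recovering the originals by Gauss-Jordan elimination. The prime field GF(257), the sample messages and the single relay are constructed assumptions; the homomorphic encryption of the tags is left out, so the GEV travels in the clear here.

```python
"""Linear network coding with unit-vector tags (LEV/GEV) over GF(257).
Added example; field, sample messages and the source->relay->sink chain are constructed."""
import random

P = 257  # prime modulus chosen so every byte value 0..255 is a field element


def tag_messages(messages):
    """Source step: prefix the i-th of the h messages with the i-th unit vector."""
    h = len(messages)
    return [[1 if j == i else 0 for j in range(h)] + list(m)
            for i, m in enumerate(messages)]


def encode(packets, lev):
    """One coded packet: the linear combination of packets with coefficients lev.
    The tag prefix is combined too, so the result carries its GEV in front."""
    n = len(packets[0])
    out = [0] * n
    for coeff, pkt in zip(lev, packets):
        for k in range(n):
            out[k] = (out[k] + coeff * pkt[k]) % P
    return out


def random_lev(n, rng):
    """Random local encoding vector with non-zero coefficients."""
    return [rng.randrange(1, P) for _ in range(n)]


def gev(packet, h):
    """Global encoding vector: the first h symbols of a coded packet."""
    return packet[:h]


def rank_mod_p(rows):
    """Rank of a matrix over GF(P) by Gauss-Jordan elimination."""
    m = [r[:] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, P)
        m[rank] = [(x * inv) % P for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def is_innovative(buffer, packet, h):
    """True when packet's GEV is independent of the GEVs already buffered.
    Forwarders and sinks drop non-innovative packets: they carry no new
    information and are what an entropy attack floods the network with."""
    return rank_mod_p([gev(p, h) for p in buffer] + [gev(packet, h)]) == len(buffer) + 1


def decode(packets, h):
    """Sink: reduce the [GEV | payload] rows to [I | x] and return the h originals."""
    m = [p[:] for p in packets]
    for col in range(h):
        pivot = next(r for r in range(col, h) if m[r][col])
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [(x * inv) % P for x in m[col]]
        for r in range(h):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[col])]
    return [row[h:] for row in m]


def run_demo(seed=7):
    """Source -> relay -> sink; returns (decoded_ok, stale_accepted, dropped)."""
    rng = random.Random(seed)
    messages = [[72, 105, 0, 255], [1, 2, 3, 4], [200, 100, 50, 25]]  # constructed
    h = len(messages)
    tagged = tag_messages(messages)
    # Source: random combinations of the tagged messages; here GEV == LEV.
    source_out = []
    while len(source_out) < h:
        pkt = encode(tagged, random_lev(h, rng))
        if is_innovative(source_out, pkt, h):
            source_out.append(pkt)
    # Relay: re-mixes what it received with its own LEV; the tags mix along.
    sink_buf, dropped = [], 0
    while len(sink_buf) < h:
        pkt = encode(source_out, random_lev(h, rng))
        if is_innovative(sink_buf, pkt, h):
            sink_buf.append(pkt)
        else:
            dropped += 1
    # A replayed combination of packets the sink already holds is non-innovative.
    stale = encode(sink_buf[:2], [3, 5])
    stale_accepted = is_innovative(sink_buf, stale, h)
    return decode(sink_buf, h) == messages, stale_accepted, dropped


if __name__ == "__main__":
    print(run_demo())
```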

3.3 OVERVIEW OF PROPOSED SYSTEM

The proposed system creates a network topology for the purpose of prototyping the original system; it implements the AES algorithm and the digital signature algorithm to protect the system from attacks. The system also implements a type of intrusion detection algorithm and a way to recover from such attacks. The system also dynamically calculates paths in the prototyped network topology. The modules of the proposed system that were implemented are briefed below.

3.3.1 Network Topology

A bus network topology was created and a router was used. The topology included the required number of intermediary nodes. The function of a router is only to provide switching facilities to move the message from one node to another node until they reach their destinations.

A packet splitting algorithm was implemented. The encrypted messages are split into multiple packets. After selecting the intermediate nodes, the sender has to prepare the message content that is sent to the receiver.


3.3.2 Network Intrusion Detection and Prevention

The system was secured with encryption standards so that most intruders are prevented from accessing the packets transferred across the intermediary nodes. The system will not only prevent the intruder; it will also detect the acts of intrusion.

3.3.3 Node Recovery

A node can fail for many reasons, but a handful of checks can cover the most glaring

problems. The system implements those checking protocols to recover from the failed

nodes by constantly pinging the node to be recovered.

3.3.4 Source Anonymity

Homomorphic encryption is implemented to provide several layers of encryption, and anonymity is provided by onion routing. Homomorphic encryption is a form of encryption which allows specific types of computations to be carried out on cipher text and generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintext.

3.3.5 Dynamic Path Routing

When a node has been compromised by an intrusion, its data no longer holds integrity. This calls for a dynamic routing protocol that maintains the standard of path determination. In this module the shortest path on the network is found (using Dijkstra).

3.4 SUMMARY

The chapter includes the architecture diagram and system design for the proposed system and briefly introduces the various modules that are implemented across the system.

CHAPTER 4

NETWORK TOPOLOGY

4.1 INTRODUCTION

The topology included the required number of intermediary nodes. The function of a router is to provide switching facilities to move the message from one node to another node until they reach their destinations. The encrypted message is split into multiple packets and sent to the nodes.

4.2 NETWORK TOPOLOGY IMPLEMENTATION

A, B, C, D, E, and F are all end nodes and 1 through 7 are all routers. Each end-node

is attached to a router by a link. The end-nodes are actual computers.

The function of a router is only to provide switching facilities to move the message from one node to another node until they reach their destinations. For instance, a message is transmitted from source node A to destination node D through routers 4, 5, and 3.

Fig 4.1 Network Topology for the system. [Figure: end nodes A, B, C, D, E, F and routers 1 to 7; legend: Router, End-node, link]

Dynamic Routing: In dynamic routing, the routes are calculated when they are needed; they are not predetermined. The advantages are that dynamic routes are more efficient and inherently more fault-tolerant. The general architecture diagram for the transactions between the clients and server in a network is demonstrated in Fig 4.1. Often clients and servers communicate over a computer network on separate hardware, but both client and server may reside in the same system.

Fig 4.2: Connection between client and server.

As shown in Fig 4.2, a server host runs one or more server programs which share their resources with clients. A client does not share any of its resources, but requests a server's content or service function. Clients therefore initiate communication sessions with servers, which await incoming requests.

4.3 RESULTS

The experiments consist of testing the topology: every intermediary node knows to which nodes it is directly connected.

Consider the following example:

Network        Next-Hop Router
192.168.1.0    Directly connected
192.168.2.0    Directly connected
192.168.3.0    Directly connected
192.168.4.0    B, C
192.168.5.0    B, C
192.168.6.0    B, C
192.168.7.0    B, C

Table 4.1: Each router knows about its directly connected networks from its assigned addresses and masks.

4.4 SUMMARY

The network topology thus created can be implemented to include the necessary

intermediary nodes that will also include all the required routers needed by the proposed

system.

CHAPTER 5

NETWORK INTRUSION DETECTION AND PREVENTION

5.1 INTRODUCTION

The implementation of network intrusion detection consists of the following modules:

1. Encryption Algorithm

2. Evidence collection

3. Risk assessment

5.2 ENCRYPTION ALGORITHM

The encryption algorithm implemented here uses the RSA algorithm along with AES to provide the homomorphic encryption. The algorithm implementation was given by the company and the figure below shows the pseudo-code applied by the company. The following example explains the working of the algorithm for a simple plaintext/ciphertext pair.

Advanced Encryption Standard (AES)

AES is based on a design principle known as a substitution-permutation network, and

is fast in both software and hardware. Unlike its predecessor DES, AES does not use

a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and

a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified

with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128

and a maximum of 256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state,

although some versions of Rijndael have a larger block size and have additional columns in

the state. Most AES calculations are done in a special finite field.


Fig 5.1: Block Diagram for the working of AES

The key size used for an AES cipher specifies the number of repetitions of

transformation rounds that convert the input, called the plaintext, into the final output,

called the ciphertext. The numbers of cycles of repetition are as follows:

10 cycles of repetition for 128-bit keys.

12 cycles of repetition for 192-bit keys.

14 cycles of repetition for 256-bit keys.


Each round consists of several processing steps, each containing four similar but different

stages, including one that depends on the encryption key itself. A set of reverse rounds are

applied to transform ciphertext back into the original plaintext using the same encryption

key.

5.2.1 DIGITAL SIGNATURE ALGORITHM

The Digital Signature Algorithm (DSA) is a Federal Information Processing

Standard for digital signatures. It was proposed by the National Institute of Standards and

Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS) and

adopted as FIPS 186 in 1993. Four revisions to the initial specification have been released: FIPS 186-1 in 1996, FIPS 186-2 in 2000, FIPS 186-3 in 2009, and FIPS 186-4 in 2013.

Key Generation

Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between

different users of the system, while the second phase computes public and private keys for a single user.

Parameter generation

Choose an approved cryptographic hash function H. In the original DSS, H was

always SHA-1, but the stronger SHA-2 hash functions are approved for use in the

current DSS. The hash output may be truncated to the size of a key pair.

Decide on a key length L and N. This is the primary measure of the cryptographic

strength of the key. The original DSS constrained L to be a multiple of 64 between 512

and 1024 (inclusive). NIST 800-57 recommends lengths of 2048 (or 3072) for keys with

security lifetimes extending beyond 2010 (or 2030), using correspondingly

longer N. FIPS 186-3 specifies L and N length pairs of (1024,160), (2048,224),

(2048,256), and (3072,256).

Choose an N-bit prime q. N must be less than or equal to the hash output length.

Choose an L-bit prime modulus p such that p–1 is a multiple of q.

Choose g, a number whose multiplicative order modulo p is q. This may be done by setting g = h^((p−1)/q) mod p for some arbitrary h (1 < h < p−1), and trying again with a different h if the result comes out as 1. Most choices of h will lead to a usable g; commonly h = 2 is used.

The algorithm parameters (p, q, g) may be shared between different users of the system.

Per-user keys

Given a set of parameters, the second phase computes private and public keys for a single user:

Choose x by some random method, where 0 < x < q. Calculate y = g^x mod p. The public key is (p, q, g, y). The private key is x.

Signing

Let be the hashing function and the message:Generate a random per-message value   where 

Calculate  In the unlikely case that  , start again with a different random  Calculate  In the unlikely case that  , start again with a different random  The signature is 

5.3 EVIDENCE COLLECTION

The Intrusion Detection System (IDS) gives an attack alert with a confidence value, and then the Routing Table Change Detector (RTCD) runs to figure out how many changes on the routing table are caused by the attack. The RTCD is added to the server module and the receiver module, which access the routing table of the path of data transmission to detect any acts of intrusion.
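An added example, not the report's own code, of the RTCD step described above: it parses two snapshots of a router's table in the layout of Table 4.1 (both constructed here) and reports how many entries changed and which next hops point somewhere the trusted baseline never used; the function and field names are this example's assumptions.

```python
# Added example (not the report's code): a minimal Routing Table Change
# Detector (RTCD) in the spirit of Section 5.3. It compares a trusted baseline
# snapshot of a router's table with a freshly read one and reports how many
# entries changed, so the count can be handed to the risk assessment step.
# Table layout and sample entries are constructed after Table 4.1; the
# functions and field names are this example's own assumptions.
from dataclasses import dataclass


@dataclass
class RouteChange:
    network: str
    kind: str            # "added", "removed" or "modified"
    before: tuple = ()
    after: tuple = ()


def parse_table(text: str) -> dict:
    """Parse lines of the form '<network> <next-hop[, next-hop]>' into
    {network: (next-hops...)}; 'Directly connected' becomes the tuple
    ('Directly connected',)."""
    table = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.lower().startswith("network"):
            continue  # skip blanks and the header row
        net, _, hops = line.partition(" ")
        table[net] = tuple(h.strip() for h in hops.split(","))
    return table


def detect_changes(baseline: dict, current: dict) -> list:
    """Return every difference between the baseline and current tables."""
    changes = []
    for net in sorted(set(baseline) | set(current)):
        if net not in current:
            changes.append(RouteChange(net, "removed", baseline[net], ()))
        elif net not in baseline:
            changes.append(RouteChange(net, "added", (), current[net]))
        elif baseline[net] != current[net]:
            changes.append(RouteChange(net, "modified", baseline[net], current[net]))
    return changes


# Constructed baseline: router A's table as listed in Table 4.1.
BASELINE = """
Network Next-Hop Router
192.168.1.0 Directly connected
192.168.2.0 Directly connected
192.168.3.0 Directly connected
192.168.4.0 B, C
192.168.5.0 B, C
192.168.6.0 B, C
192.168.7.0 B, C
"""

# Constructed snapshot read after a suspected intrusion: two next hops were
# redirected to an unknown router X and one directly connected network vanished.
AFTER_ATTACK = """
Network Next-Hop Router
192.168.1.0 Directly connected
192.168.2.0 Directly connected
192.168.4.0 X
192.168.5.0 X
192.168.6.0 B, C
192.168.7.0 B, C
"""


def rtcd_evidence(baseline_text: str, current_text: str) -> dict:
    """Evidence record handed to risk assessment: the number of changed
    entries and the networks whose next hop now points to a router the
    baseline never used."""
    baseline = parse_table(baseline_text)
    changes = detect_changes(baseline, parse_table(current_text))
    known_hops = {h for hops in baseline.values() for h in hops}
    suspicious = [c.network for c in changes
                  if c.kind == "modified" and not set(c.after) <= known_hops]
    return {"changes": len(changes), "suspicious_next_hops": suspicious}


if __name__ == "__main__":
    print(rtcd_evidence(BASELINE, AFTER_ATTACK))
```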

5.4 RISK ASSESSMENT

Alert confidence from the IDS and the routing table change information are further considered as independent evidence for risk calculation and combined with the extended information. The risk of countermeasures is calculated as well during the risk assessment phase. Based on the risk of attacks and the risk of countermeasures, the entire risk of an attack can be figured out.

5.5 EXPERIMENTS AND RESULTS

The experimental setup gives the working of the DSA in the proposed system and how it

works in the environment.

Key Size: [8]

Generated prime numbers p and q p: [139] q: [151]

The public key is the pair (N, E) which will be published.

N: [20989] E: [1423]

The private key is the pair (N, D) which will be kept private.

N: [20989] D: [17587]

Please enter message (plaintext): vinoth

Ciphertext: [193C 4A9E 44 90D 3DA8 F18]

6460 19102 68 2317 15784 3864 big [Ljava.math.BigInteger;@1d9dc39


D: [17587] N: [20989]

Recovered plaintext: [vinoth]

5.6 SUMMARY

The chapter explains the encryption algorithm (AES), DSA, evidence collection for intrusion detection and risk assessment to take the necessary actions.

CHAPTER 6

NODE RECOVERY

6.1 INTRODUCTION

A node can fail for many reasons, but a handful of checks can cover the most glaring

problems. Check for file system consistency, faulty memory, fully functional network

connections, etc. When a failed node comes back up, ensure that it has the same node name

as before it crashed.

6.2 NODE RECOVERY

During the recovery process hinted handoff will kick in and update the data on the

recovered node with updates accepted from other nodes in the cluster. When a node has

been compromised by an intrusion, the data does not hold integrity anymore. Therefore

there is a temporary failure of the compromised node that has to be dealt with. This calls for

a selection of an alternate path to the destination for transmitting the packets as intended.

The path selection has to be dynamic and based on the routing table, to avoid and prevent malleability. The intruder will not leave the node, its data and parameters undisturbed, as otherwise his sole purpose of attacking the node would go in vain.

This alternate path would not be the first choice for transmission of the packets, so

the original path must be restored. This calls for the node to be recovered. Once the server

gets to know that the attributes and methods related to the node are modified, it confirms

that there has been an unwanted intrusion. The server restores the entire set of parameters

related to the node as per the requirements demanded for the transmission of the packets in

the network.

6.3 ROUTING TABLE RECOVERY

Routing table recovery is of two kinds: local routing table recovery and global routing recovery. Local routing recovery is performed by victim nodes that detect the attack and automatically recover their own routing table. Global routing recovery involves sending recovered routing messages by victim nodes and updating their routing tables based on corrected routing information in real time by other nodes in the MANET.

Node isolation may be the most intuitive way to prevent further attacks from being launched by malicious nodes. To perform a node isolation response, the neighbors of the malicious node ignore the malicious node by neither forwarding packets through it nor accepting any packets from it.

6.4 INTRUSION NODE RECOVERY SYSTEM

The proposed system also tries to recover the attacked node by using a node recovery system as explained below. The server constantly pings the attacked node to get the ports that are active on the attacked node. The server then instructs the attacked node to disable the ports that are possibly used by the intruder to attack the system. The decision is made based on various parameters that can be significant to the intruder and the type of intrusion. After the port is disabled the server sends a test packet to check whether the node has recovered, as shown in Fig 6.1. If the node has not recovered, the server continues pinging the attacked node, with the time intervals between pings set by additive increase and multiplicative decrease.

Fig 6.1: Working of Node Recovery System.

6.5 SUMMARY

The node recovery system thus described takes care of a handful of techniques to recover. The chapter also defines the routing table recovery process being carried out.

CHAPTER 7

SOURCE ANONYMITY

7.1 INTRODUCTION

The proposed system provides a method of homomorphic encryption that provides

anonymity between the intermediary nodes. No intermediary nodes know about the origin

of the packets. An onion routing algorithm provides such anonymity.

7.2 HOMOMORPHIC ENCRYPTION

Homomorphic encryption is a form of encryption which allows specific types of

computations to be carried out on cipher text and generate an encrypted result which, when

decrypted, matches the result of operations performed on the plaintext.

Key generation

RSA involves a public key and a private key. The public key can be known by everyone

and is used for encrypting messages. Messages encrypted with the public key can only be

decrypted in a reasonable amount of time using the private key. The keys for the RSA

algorithm are generated the following way:

1. Choose two distinct prime numbers p and q.

For security purposes, the integers p and q should be chosen at random, and should be of similar bit-length. Prime integers can be efficiently found using a primality test.

2. Compute n = p·q

n is used as the modulus for both the public and private keys. Its length,

usually expressed in bits, is the key length.

3. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1), where φ is Euler's totient function.


4. Choose an integer e such that 1 < e <φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are co-

prime.

e is released as the public key exponent.

e having a short bit-length and small Hamming weight results in more efficient encryption – most commonly 2^16 + 1 = 65,537. However, much smaller values of e (such as 3) have been shown to be less secure in some settings.

5. Determine d as d ≡ e^−1 (mod φ(n)); i.e., d is the multiplicative inverse of e (modulo φ(n)).

This is more clearly stated as: solve for d given d⋅e ≡ 1 (mod φ(n)).

This is often computed using the extended Euclidean algorithm; its inputs a and n correspond to e and φ(n), respectively.

d is kept as the private key exponent.

The public key consists of the modulus n and the public (or encryption) exponent e.

The private key consists of the modulus n and the private (or decryption) exponent d,

which must be kept secret. p, q, and φ(n) must also be kept secret because they can be

used to calculate d.
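An added example (not the report's code) that carries steps 1 to 5 through with the primes printed in the Section 5.5 experiment (p = 139, q = 151, e = 1423), reproducing that run's N and D, and then shows the multiplicative homomorphism of RSA that this chapter relies on; the function names are assumptions of this example.

```python
# Added example (not the report's code): RSA key generation following steps
# 1-5 above, run with the primes the report's experiment printed (p = 139,
# q = 151, e = 1423), plus the multiplicative homomorphic property of textbook
# RSA that Chapter 7 relies on. Function names are this example's own.
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Step 5: d with a*d = 1 (mod m); raises if no inverse exists."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse: gcd is not 1")
    return x % m


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5: returns ((n, e), (n, d)) from two distinct primes and e."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q                          # step 2
    phi = (p - 1) * (q - 1)            # step 3
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")  # step 4
    d = modinv(e, phi)                 # step 5
    return (n, e), (n, d)


def encrypt_int(m: int, pub) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt_int(c: int, priv) -> int:
    n, d = priv
    return pow(c, d, n)


def encrypt_text(text: str, pub) -> list:
    """Encrypts byte by byte, as the report's sample run does (one block per
    character); fine for a demonstration, not for real use."""
    return [encrypt_int(b, pub) for b in text.encode()]


def decrypt_text(blocks: list, priv) -> str:
    return bytes(decrypt_int(c, priv) for c in blocks).decode()


def homomorphic_product(c1: int, c2: int, pub) -> int:
    """Multiplying two ciphertexts yields the ciphertext of the product of the
    plaintexts (mod n): the homomorphism Section 7.2 describes."""
    n, _ = pub
    return (c1 * c2) % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(139, 151, 1423)
    print(pub, priv)                     # report's run: N=20989, E=1423, D=17587
    ct = encrypt_text("vinoth", pub)
    print([hex(c) for c in ct], decrypt_text(ct, priv))
```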

A routing onion (or just onion) represented by Fig 3.2 is a data structure formed by

'wrapping' a plaintext message with successive layers of encryption, such that each layer

can be 'unwrapped' (decrypted) like the layer of an onion by one intermediary in a

succession of intermediaries, with the original plaintext message only being viewable by at most:

1. The sender

2. The last intermediary (the exit node)

3. The recipient

Fig 7.1: Representation of Homomorphic encryption.

7.3 DATA FLOW DIAGRAM

The diagram depicts the client’s access to the server and the transmission path is

determined by dynamic path routing. The consecutive updating of the routing table provides

an advantage of seeking an alternative path in case of any discrepancies. This points out that

the nodes through which data passes can be compromised due to unwanted intrusions.


Fig 7.2 Data Flow Diagram for the Homomorphic Encryption

7.4 SUMMARY

The chapter explains how source anonymity is achieved using homomorphic encryption. It also provides a detailed explanation of how the encryption works. The encryption makes the proposed system source anonymous.

CHAPTER 8

DYNAMIC PATH ROUTING

8.1 INTRODUCTION

Multipath routing protocols enable the use of multiple alternate paths. Dynamic routing attempts to solve the problem of multiple paths in the network: when a node fails, the system has to recover from the attack by calculating the shortest path again with the attacked node isolated.
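An added example, not the report's code, of the recomputation just described (and of the node isolation of Section 6.3 and the Dijkstra step of Section 3.3.5): shortest-path routing that never enters a router marked as compromised, run over a link list constructed to match Fig 4.1 as far as the text states it (end nodes A to F, routers 1 to 7, A reaching D via 4, 5, 3); the remaining links and the function names are this example's assumptions.

```python
# Added example (not the report's code): Dijkstra shortest-path routing that
# skips routers marked as compromised, as Sections 3.3.5, 6.3 and 8.1
# describe: when a node is isolated, the path is recomputed without it.
# The link list below is constructed to match Fig 4.1 as far as the text
# states it (end nodes A-F, routers 1-7, A reaches D via 4, 5, 3); the
# remaining links and the function names are this example's assumptions.
import heapq
from typing import AbstractSet, Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]


def build_graph(links: List[Tuple[str, str, int]]) -> Graph:
    """Undirected weighted adjacency map from (u, v, cost) triples."""
    g: Graph = {}
    for u, v, cost in links:
        g.setdefault(u, {})[v] = cost
        g.setdefault(v, {})[u] = cost
    return g


def shortest_path(g: Graph, src: str, dst: str,
                  isolated: AbstractSet[str] = frozenset()) -> Optional[List[str]]:
    """Dijkstra from src to dst; nodes in `isolated` are never entered or
    relaxed, so a compromised router cannot appear on the returned path.
    Returns None when isolation has cut every path."""
    if src in isolated or dst in isolated:
        return None
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, float("inf")):
            continue                      # stale queue entry
        for v, cost in g[u].items():
            if v in isolated:
                continue
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


# Constructed links: end node to router, then router to router (unit cost).
FIG_4_1_LINKS = [
    ("A", "4", 1), ("B", "1", 1), ("C", "2", 1),
    ("D", "3", 1), ("E", "6", 1), ("F", "7", 1),
    ("4", "5", 1), ("5", "3", 1), ("4", "1", 1), ("1", "2", 1),
    ("2", "3", 1), ("5", "6", 1), ("6", "7", 1), ("7", "3", 1),
]


def reroute_after_intrusion(src: str, dst: str, compromised: AbstractSet[str]):
    """Original path, then the path recomputed with the compromised routers
    isolated (the dynamic path routing step of the report)."""
    g = build_graph(FIG_4_1_LINKS)
    return shortest_path(g, src, dst), shortest_path(g, src, dst, compromised)


if __name__ == "__main__":
    before, after = reroute_after_intrusion("A", "D", {"5"})
    print("original path:", before)        # A 4 5 3 D, as in Section 4.2
    print("router 5 isolated:", after)
```

When the isolated router is the destination's only attachment (router 3 for node D), no alternate path exists and the function returns None; that is the case in which the node recovery of Chapter 6 must restore the original path.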

8.2 PATH DETERMINATION

All networks within an internetwork must be connected to a router, and wherever a

router has an interface on a network that interface must have an address on the network.

This address is the originating point for reachability information.

As shown in Fig 4.1 and Table 4.1 Router A knows about networks 192.168.1.0,

192.168.2.0, and 192.168.3.0 because it has interfaces on those networks with

corresponding addresses and appropriate address masks. Likewise, router B knows about

192.168.3.0, 192.168.4.0, 192.168.5.0, and 192.186.6.0; router C knows about 192.168.6.0,

192.168.7.0, and 198.168.1.0. Each interface implements the data link and physical

protocols of the network to which it is attached, so the router also knows the state of the

network (up or down).

At first glance, the information-sharing procedure seems simple. Look at router A:

1. Router A examines its IP addresses and associated masks and deduces that it is

attached to networks 192.168.1.0, 192.186.2.0, and 192.168.3.0.


2. Router A enters these networks into its route table, along with some sort of flag

indicating that the networks are directly connected.

3. Router A places the information into a packet: "My directly connected networks are

192.168.1.0, 192.186.2.0, and 192.168.3.0."

4. Router A transmits copies of these route information packets, or routing updates, to

routers B and C.

5. Routers B and C, having performed the same steps, have sent updates with their

directly connected networks to A. Router A enters the received information into its

route table, along with the source address of the router that sent the update packet.

Router A now knows about all the networks, and it knows the addresses of the routers

to which they are attached.

8.3 SUMMARY

Thus the above chapter provides the dynamic path routing of the proposed system with the required algorithms and contains the formula used. It also explains how the routing algorithm works.

CHAPTER 9

RESULTS AND DISCUSSION

9.1 INTRODUCTION

The chapter discusses the various results that were observed in our proposed system. The

chapter explains how the system works along with its screenshots to give a better

understanding of the proposed system.

9.2 EXPERIMENTAL SETUPS

The various tables that are needed by the system are run over SQL Server. The screenshots below show the various tables the database MANET contains.

Fig 9.1 Table schema for MsgDetails

Fig 9.2 Table schema for Password

Fig 9.3: Table schema for Routing


Fig 9.4 Table schema for packet splitting

9.3 RESULTS AND OUTPUT

Fig 9.5: Represents the connected servers, clients and receivers.

Fig 9.6: Represents an intermediary node A.

Fig 9.7: Represents another intermediary node B

Fig 9.8: Represents the server node where the encryption and decryption algorithms are implemented.

Fig 9.9: Represents the receiver node after the file is received.


Fig 9.10 : Represents the server node after all the nodes have been connected

Fig 9.11: Represents an evidence collection to intrusion response.

9.4 SUMMARY

This chapter gives the output screens for the proposed system; it also includes the experimental setups that were made to the system. The outputs were verified and found to be efficient.

CHAPTER 10

CONCLUSION AND FUTURE WORK

10.1 CONCLUSIONS

Thus we provide an overview of the basic information regarding the algorithms and techniques used in the reference network intrusion detection, source encoding, digital signature services and virtual network systems. Various papers have been reviewed accordingly and their techniques implemented in the new system, which can now act as a network intrusion detection and node recovery system using dynamic path routing. The system is secure and efficient across a medium sized network.

10.2 FUTURE WORKS

Future enhancements can include mitigating all of the known network intrusion methods. The proposed system can recover nodes using agents running on each of the nodes; to improve performance it can use a push methodology instead of the pull methodology used in this system.


LIST OF FIGURES

FIGURE NO   FIGURE NAME   PAGE NO

Fig 1.1   Working of Java Program   6
Fig 1.2   Organization of Java APIs   7
Fig 1.3   Representation of Total IP Address   9
Fig 3.1   Architecture Diagram for the System   18
Fig 4.1   Network Topology for the system   23
Fig 4.2   Connection between client and server   24
Fig 5.1   Block Diagram for the working of AES   28
Fig 6.1   Working of Node Recovery System   36
Fig 7.1   Representation of Homomorphic encryption   40
Fig 7.2   Data Flow Diagram for the Homomorphic Encryption   41
Fig 9.1   Table schema for MsgDetails   45
Fig 9.2   Table schema for Password   46
Fig 9.3   Table schema for Routing   46
Fig 9.4   Table schema for packet splitting   47
Fig 9.5   Represents the connected servers, clients and receivers   47
Fig 9.6   Represents an intermediary node A   48
Fig 9.7   Represents another intermediary node B   48
Fig 9.8   Represents the server node where encryption and decryption   49
Fig 9.9   Represents the receiver node after the file is received   49
Fig 9.10   Represents the server node after all the nodes have been connected   50
Fig 9.11   Represents an evidence collection to intrusion response   50


LIST OF ABBREVIATIONS

MWNs Multihop Wireless Networks

JDK Java Development Kit

JDBC Java DataBase Connectivity

SQL Structured Query Language

DB Database

TCP Transmission Control Protocol

IP Internet Protocol

DPR Dynamic Path Routing

AES Advanced Encryption Standard

DSA Digital Signature Algorithm

IDS Intrusion Detection System