Session 1341: Case Studies – Network Security

Copyright © 2002 OPNET Technologies, Inc. 1 Session 1540: Case Studies – New Directions in Wireless Modeling Session 1341: Case Studies – Network Security Research & Development Moderator: Bryan Cline OPNET Technologies, Inc.

Post on 03-Jan-2016

DESCRIPTION

Session 1341: Case Studies – Network Security. Research & Development. Moderator: Bryan Cline, OPNET Technologies, Inc. Network Intrusion Simulation Using OPNET. Shabana Razak, Mian Zhou, Sheau-Dong Lang*. University of Central Florida and National Center for Forensic Science*.

TRANSCRIPT

Page 1: Session 1341:  Case Studies – Network Security

Session 1341: Case Studies – Network Security Research & Development

Moderator: Bryan Cline, OPNET Technologies, Inc.

Page 2: Session 1341:  Case Studies – Network Security

Network Intrusion Simulation Using OPNET

Shabana Razak, Mian Zhou, Sheau-Dong Lang*

University of Central Florida

and National Center for Forensic Science*

Page 3: Session 1341:  Case Studies – Network Security

Simulation of Network Intrusion

• Identify intrusion activities

• Evaluate effectiveness of IDS (Intrusion Detection System)

• Analyze network performance degradation due to IDS overhead

• Study issues related to simulation efficiency

Page 4: Session 1341:  Case Studies – Network Security

Our Approach to Intrusion Simulation

• Use MIT/Lincoln Lab’s TCPDUMP files

  - Pre-process the data source to extract packet inter-arrival times, duration of source data, and a list of IP addresses

• Build a network model corresponding to the extracted IP addresses, and a firewall node

• Use OPNET to simulate source data, including intrusion detection using the firewall
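
The pre-processing step above, as an added example that is not from the original slides: it extracts the source-data duration, the IP address list, and per-source packet inter-arrival times. The one-line-per-packet text layout and the sample addresses are constructed assumptions, not the Lincoln Lab capture format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a simplified "ts src.port > dst.port flags" layout
# (an assumption for illustration; not the Lincoln Lab TCPDUMP format).
SAMPLE = """\
0.000 10.0.0.5.1042 > 10.0.0.9.139 S
0.010 10.0.0.9.139 > 10.0.0.5.1042 SA
0.020 10.0.0.5.1042 > 10.0.0.9.139 A
0.500 10.0.0.7.2000 > 10.0.0.9.80 S
1.250 10.0.0.5.1042 > 10.0.0.9.139 PU
malformed line that the parser must skip
"""

IPV4 = r"(\d+(?:\.\d+){3})"
LINE = re.compile(rf"^(\d+\.\d+) {IPV4}\.(\d+) > {IPV4}\.(\d+) (\w+)$")


def parse(text):
    """Yield (ts, src, sport, dst, dport, flags); skip lines that do not match."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            yield float(ts), src, int(sport), dst, int(dport), flags


def preprocess(text):
    """Return (duration, sorted IP list, per-source inter-arrival times)."""
    packets = sorted(parse(text))  # order by timestamp
    if not packets:
        return 0.0, [], {}
    duration = packets[-1][0] - packets[0][0]
    ips = sorted({p[1] for p in packets} | {p[3] for p in packets},
                 key=ipaddress.ip_address)
    last_seen, gaps = {}, defaultdict(list)
    for ts, src, *_ in packets:
        if src in last_seen:  # gap since this source's previous packet
            gaps[src].append(round(ts - last_seen[src], 6))
        last_seen[src] = ts
    return duration, ips, dict(gaps)
```

Each per-source gap list corresponds to the scripted inter-arrival times that one node's packet generator would replay.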

Page 5: Session 1341:  Case Studies – Network Security

Example: Simulation of DOSNuke Attack

• It is a denial-of-service attack which sends Out-Of-Band data (MSG_OOB) to port 139 (NetBIOS), crashing a Windows NT system

• The attack’s signature contains a NetBIOS handshake followed by NetBIOS packets with the “urg” flag set

• The packet format of our OPNET simulation contains only the IP addresses, port numbers, and the flags
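
A sketch of how a firewall filter could match this signature using only the reduced packet format (IP addresses, port numbers, flags), added here as an example and not taken from the authors' OPNET model. It assumes the "NetBIOS handshake" is a TCP three-way handshake to port 139; the class name, flag letters and trace are constructed.

```python
NETBIOS_PORT = 139


class DosNukeFilter:
    """Per-flow state machine: handshake to victim:139, then URG => drop."""

    def __init__(self, victim):
        self.victim = victim
        self.flows = {}    # (client_ip, client_port) -> "SYN" | "SYNACK" | "EST"
        self.alerts = []   # flows whose packets matched the signature

    def check(self, pkt):
        """Return True to forward the packet, False to filter it."""
        src, sport, dst, dport, flags = pkt
        f = set(flags)
        if src == self.victim and sport == NETBIOS_PORT:
            key = (dst, dport)  # reply direction: victim -> client
            if f == {"S", "A"} and self.flows.get(key) == "SYN":
                self.flows[key] = "SYNACK"
            elif "R" in f:
                self.flows.pop(key, None)
            return True
        if dst != self.victim or dport != NETBIOS_PORT:
            return True  # not NetBIOS traffic to the victim
        key = (src, sport)
        if f == {"S"}:
            self.flows[key] = "SYN"
        elif "R" in f:
            self.flows.pop(key, None)
        elif self.flows.get(key) == "SYNACK" and "A" in f:
            self.flows[key] = "EST"  # handshake complete
        if self.flows.get(key) == "EST" and "U" in f:
            self.alerts.append(key)
            return False
        return True


# Constructed trace: (src, sport, dst, dport, flags)
TRACE = [
    ("10.0.0.5", 1042, "10.0.0.9", 139, "S"),
    ("10.0.0.9", 139, "10.0.0.5", 1042, "SA"),
    ("10.0.0.5", 1042, "10.0.0.9", 139, "A"),
    ("10.0.0.5", 1042, "10.0.0.9", 139, "PAU"),  # handshake + URG: match
    ("10.0.0.7", 2000, "10.0.0.9", 139, "PAU"),  # URG without handshake
    ("10.0.0.7", 2001, "10.0.0.9", 23, "PAU"),   # URG to a different port
]


def run(trace, victim="10.0.0.9"):
    fw = DosNukeFilter(victim)
    return [fw.check(p) for p in trace], fw.alerts
```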

Page 6: Session 1341:  Case Studies – Network Security

DOSNuke Simulation: Network Model

The network model contains 10 virtual PCs (PC0 is hacker, PC1 is victim), and a firewall that filters packets to/from the victim

Page 7: Session 1341:  Case Studies – Network Security

DOSNuke Simulation: Packet Generator

Node structure of the packet generator

The attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data

Page 8: Session 1341:  Case Studies – Network Security

DOSNuke Simulation: Statistics of packet rates at firewall

Packet rates at the firewall that filters the DOSNuke attack packets, clearly showing initial and 3 later peaks

Page 9: Session 1341:  Case Studies – Network Security

Example: Simulation of ProcessTable Attack

Number of distinct port connections directed at the victim, clearly showing rapid increases during 3 time intervals
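
The statistic in this slide can be computed from a packet list as follows. This is an added example, not the authors' OPNET code: the 10-second bin width, the threshold, the ports and the trace with three bursts are constructed assumptions.

```python
from collections import Counter


def constructed_trace(victim="10.0.0.9"):
    """Constructed data: one background connection per 10 s plus three bursts."""
    pkts = [(float(t), "10.0.0.7", 3000 + t, victim, 80, "S")
            for t in range(0, 120, 10)]
    for start in (20, 60, 100):
        pkts += [(start + i * 0.2, "10.0.0.5", 5000 + start * 100 + i,
                  victim, 23, "S") for i in range(40)]
    return pkts


def distinct_connection_series(packets, victim, bin_s=10):
    """Return [(bin_start, new_distinct, cumulative_distinct), ...]."""
    seen, new_per_bin = set(), Counter()
    for ts, src, sport, dst, dport, flags in packets:
        if dst != victim or "S" not in flags or "A" in flags:
            continue  # count only connection attempts aimed at the victim
        conn = (src, sport, dport)
        if conn not in seen:  # retransmitted SYNs are not counted twice
            seen.add(conn)
            new_per_bin[int(ts // bin_s) * bin_s] += 1
    series, total = [], 0
    for start in sorted(new_per_bin):
        total += new_per_bin[start]
        series.append((start, new_per_bin[start], total))
    return series


def rapid_increase_bins(series, min_new=20):
    """Bins in which the distinct-connection count grew by at least min_new."""
    return [start for start, new, _ in series if new >= min_new]
```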

Page 10: Session 1341:  Case Studies – Network Security

Efficiency of intrusion simulation using OPNET

[Figure: OPNET Simulation Time. x-axis: time duration of source data in seconds (30 to 114); y-axis: OPNET simulation time in seconds (0 to 12).]

Simulation runs on a Pentium 4 PC, 1.5 GHz CPU and 256 MB RAM

Simulation time for ProcessTable attack with the durations of data file ranging from 30 to 114 seconds, and a total of 5525 packets (approx. linear growth)

Page 11: Session 1341:  Case Studies – Network Security

Conclusion and Further Research

• Our work demonstrated several applications of intrusion simulation using OPNET:

  - Detecting intrusions by displaying and identifying patterns of suspicious data packets
  - Analyzing network performance and the intrusion detection overhead
  - Evaluating the effectiveness of the IDS

• Further challenges include improving simulation efficiency, pre-processing source data using filtering strategies