Protection of Different Agent with Improved IDS Detection

International Journal of Engineering Trends and Technology (IJETT) – Volume 4 Issue 8 - August 2013
ISSN: 2231-5381, http://www.ijettjournal.org, pp. 3531–3534

L. Gomathi, Associate Professor, Muthayammal College of Arts & Science
K. Priya, Muthayammal College of Arts & Science

Abstract

To protect network infrastructure from malicious traffic, such as DDoS attacks and scanning, source filtering is widely used in the network. There are different ways to store the filters, e.g., a blacklist of source addresses. Among them, TCAM-based storage is the de facto choice because of its wire-speed performance. Unfortunately, TCAM is a scarce resource: it is limited by small capacity, high power consumption and high cost. A second scenario is a data distributor that has given sensitive data to a set of trusted agents (third parties). Some of that data may be leaked and found in an unauthorized place; detecting this situation, and the agent responsible for it, is the problem addressed here. Existing approaches use watermarking to identify the leakage, or inject fake data that appears realistic into the distributed data. I propose data allocation strategies that improve the probability of identifying leakages. As an enhancement, I include the investigation of agent guilt models that capture leakage scenarios.

KEYWORDS: DDoS, Filtering, IP, Traffic Analysis, Clustering, Classification, Internet Security

1. Introduction

As the Internet grows, malicious users continue to find intelligent and insidious ways to attack it. Many types of attacks happen every day, but one particular kind, denial-of-service (DoS) attacks, remains the most common, accounting for more than a third of all malicious behavior on the Internet in 2011 [1]. The main goal of these attacks is literally to deny some or all legitimate users access to a particular Internet service, harming the service as a whole. In the extreme case, when the attack is aimed at the core Internet infrastructure (e.g., attacks on the root DNS servers [2]), the whole Internet could be jeopardized. There is a clear need for comprehensive, cheap, and easily deployable DoS protection mechanisms. Attackers may have different motivations (extortion, vengeance, or simple malice), and the goal of a DoS attack can be achieved in many ways. Thus, there is a wide variety of attack methods available [3] and a growing number of proposed defense mechanisms to stop or mitigate them. Many of the proposed DoS defenses are both clever and potentially effective [4]. However, the most common question with DoS defenses is how to deploy them. Some defenses require deployment in core routers [5], but the tier 1 ASes that own these routers have little incentive to do so. The economic model of all transit providers, including tier 1 providers, consists of charging for the amounts of forwarded traffic. Thus, such providers are extremely cautious with any kind of filtering, as they risk the loss of money or even customers. In addition, unless fully deployed by every major ISP, core defenses generally provide very limited protection.

A major threat to the reliability of Internet services is the growth in stealthy and coordinated attacks, such as scans, worms and distributed denial-of-service (DDoS) attacks. While intrusion detection systems (IDSs) provide the ability to detect a wide variety of attacks, traditional IDSs focus on
monitoring a single subnetwork. This limits their ability to detect coordinated attacks in a scalable and accurate manner, since they lack the ability to correlate evidence from multiple subnetworks. An important challenge for intrusion detection research is how to efficiently correlate evidence from multiple subnetworks.

Collaborative intrusion detection systems (CIDSs) aim to address this research challenge. A CIDS consists of a set of individual IDSs coming from different network administrative domains or organizations, which cooperate to detect coordinated attacks. Each IDS reports any alerts of suspicious behaviour that it has collected from its local monitored network, then the CIDS correlates these alerts to identify coordinated attacks that affect multiple subnetworks. A key component of a CIDS is the alert correlation algorithm, which clusters similar incidents observed by different IDSs, prioritises these incidents, and identifies false alerts generated by individual IDSs. The problem of alert correlation (also known as event correlation) is an active area of research. A key issue is how to improve the scalability of alert correlation while still maintaining the expressiveness of the patterns that can be found. Single-dimensional correlation schemes have been widely studied due to their simplicity, but they lack the expressiveness to characterize many types of attack behaviors. For example, such schemes can correlate alerts pertaining to the same source address, but cannot discriminate between different types of behaviour. More sophisticated schemes use multi-dimensional correlation to identify patterns in events.

2. Related Work

The Ad Hoc Flooding Attack (AHFA) is a DoS attack that can result in denial of service when used against on-demand routing protocols for mobile ad hoc networks, such as AODV and DSR. Wei-Shen Lai et al. [3] have proposed a scheme to monitor the traffic pattern in order to alleviate distributed denial of service attacks. Shabana Mehfuz et al. [4] have proposed a new secure power-aware ant routing algorithm (SPA-ARA) for mobile ad hoc networks that is inspired by ant colony optimization (ACO) algorithms such as the swarm intelligence technique. Giriraj Chauhan and Sukumar Nandi [5] proposed a QoS-aware on-demand routing protocol that uses signal stability as the routing criterion along with other QoS metrics. Xiapu Luo et al. [6] have presented the important problem of detecting pulsing denial of service (PDoS) attacks, which send a sequence of attack pulses to reduce TCP throughput. Xiaoxin Wu et al. [7] proposed a DoS mitigation technique that uses digital signatures to verify legitimate packets and drops packets that do not pass the verification. S.A. Arunmozhi and Y. Venkataramani [8] proposed a defense scheme for DDoS attacks in which they use MAC layer information such as the frequency of RTS/CTS packets, sensing of a busy channel, and the number of RTS/DATA retransmissions. Jae-Hyun Jun, Hyunju Oh, and Sung-Ho Kim proposed a scheme in which they use an entropy-based detection mechanism against DDoS attacks in order to guarantee the transmission of normal traffic and prevent the flood of abnormal traffic. Qi Chen, Wenmin Lin, Wanchun Dou and Shui Yu [10] proposed a Confidence-Based Filtering method (CBF) to detect DDoS attacks in a cloud computing environment, in which anomaly detection is used: a normal profile of the network is formed during the non-attack period, and CBF is used to detect the attacker during the attack period.

3. Methods

To train and evaluate our detection system, we used about 10 months of data collected through the ISC Security Information Exchange from June 2010 to March 2011. We used about four months of data (from June 2010 to September 2010) to build a labeled dataset, which we will refer to as LDS. We used LDS for two purposes: (1) to estimate the accuracy of the Classifier module through 10-fold cross validation; and (2) to train FluxBuster's Classifier module before deployment. After training, we used approximately one additional month of data for a preliminary validation of the system and parameter tuning, and finally we deployed and evaluated it.
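The distinction drawn in the introduction between single-dimensional correlation (alerts sharing a source address are one incident) and multi-dimensional correlation (source, target port and signature must all agree), worked as an added example. This is the editor's illustration, not the paper's two-stage algorithm or its probabilistic threshold: the alerts, the three subnetworks and the fixed support threshold of two reporting subnetworks are all constructed for the example.

```python
"""Single-dimensional vs multi-dimensional correlation of IDS alerts across subnetworks.

Editor's illustration; not the paper's two-stage correlation algorithm.
"""
from collections import defaultdict

# Constructed alerts as reported by three IDSs, one per subnetwork (not real data).
# Each alert is (reporting_subnet, source_ip, destination_port, signature).
ALERTS = [
    ("net-A", "198.51.100.7", 22, "ssh-bruteforce"),
    ("net-B", "198.51.100.7", 22, "ssh-bruteforce"),
    ("net-C", "198.51.100.7", 22, "ssh-bruteforce"),
    ("net-A", "203.0.113.9", 445, "smb-scan"),
    ("net-C", "203.0.113.9", 445, "smb-scan"),
    ("net-B", "203.0.113.9", 3389, "rdp-scan"),
    ("net-A", "192.0.2.44", 80, "http-probe"),
]


def correlate(alerts, key):
    """Cluster alerts by key(alert); return {cluster key: set of subnetworks that saw it}."""
    clusters = defaultdict(set)
    for alert in alerts:
        clusters[key(alert)].add(alert[0])
    return clusters


def single_dimensional(alerts):
    """One dimension only: alerts with the same source address are the same incident."""
    return correlate(alerts, key=lambda a: a[1])


def multi_dimensional(alerts):
    """Three dimensions: source, target port and signature must all match."""
    return correlate(alerts, key=lambda a: (a[1], a[2], a[3]))


def coordinated(clusters, min_support):
    """Incidents reported by at least min_support distinct subnetworks (the support threshold)."""
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_support}


def distinct_behaviours(alerts):
    """Per source address, the (port, signature) pairs observed. A single-dimensional
    scheme collapses all of these into one incident and cannot tell them apart."""
    seen = defaultdict(set)
    for _, src, port, sig in alerts:
        seen[src].add((port, sig))
    return dict(seen)


if __name__ == "__main__":
    print("single-dimensional:", coordinated(single_dimensional(ALERTS), 2))
    print("multi-dimensional: ", coordinated(multi_dimensional(ALERTS), 2))
    print("behaviours per source:", distinct_behaviours(ALERTS))
```

With a support threshold of two subnetworks, the single-dimensional scheme flags both 198.51.100.7 and 203.0.113.9 as coordinated but says nothing about what each did; the multi-dimensional scheme separates the SSH brute force seen everywhere from the SMB scan seen in two subnetworks, and leaves the RDP scan (seen in one subnetwork only) below the threshold.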
A practical deployment scenario is that of a single network under the same administrative authority, such as an ISP or a campus network. The operator can use our algorithms to install filters at a single edge router or at several routers, in order to optimize the use of its resources and to defend against an attack in a cost-efficient way. Our distributed algorithm may also be useful not only for routers within the same ISP but also, in the future, when different ISPs start cooperating against common enemies.

ACLs vs. firewall rules. Our algorithms may also be applicable in a different context: configuring firewall rules to protect public-access networks, such as university campus networks or web-hosting networks. Unlike routers, where TCAM puts a hard limit on the number of ACLs, there is no hard limit on the number of firewall rules in software; however, there is still an incentive to minimize their number and thus any associated performance penalty [22]. There is a body of work on firewall rule management and (mis)configuration [23], which aims at detecting anomalies such as multiple firewall rules that match the same packet, or a rule that will never match any packet flowing through a specific firewall. In contrast, we focus on resource allocation: given a blacklist and a whitelist as input, our goal is to select which prefixes to filter so as to optimize an appropriate objective subject to the resource constraints.

Fig. 3. CIDS percentage of load subscriptions.
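The resource-allocation problem stated above, worked as an added example (editor's code, not the paper's algorithm): given a blacklist, a whitelist and a budget of TCAM entries, choose non-overlapping source prefixes that maximise the number of blocked attack sources minus a weighted count of good clients caught as collateral damage. The objective, the exact dynamic programme over the binary prefix trie, the collateral weight of 3 and the addresses are all assumptions made for the illustration.

```python
"""Select source prefixes to filter under a TCAM budget.

Editor's illustration of the resource-allocation view described above; not the
paper's algorithm. It maximises (blocked blacklist addresses) minus
weight * (blocked whitelist addresses) using at most `budget` non-overlapping
prefixes, by exact dynamic programming over the binary trie of IPv4 prefixes.
"""
import ipaddress
from functools import lru_cache

# Constructed input (not real data): attack sources and known-good clients.
BLACKLIST = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.5",
             "203.0.113.6", "203.0.113.7", "198.51.100.10"]
WHITELIST = ["203.0.113.4", "198.51.100.11"]
COLLATERAL_WEIGHT = 3  # assumption: losing one good client costs as much as stopping three attackers


def select_filters(blacklist, whitelist, budget, weight=COLLATERAL_WEIGHT):
    """Return (objective value, list of CIDR prefixes to install)."""
    bad = {int(ipaddress.IPv4Address(a)) for a in blacklist}
    good = {int(ipaddress.IPv4Address(a)) for a in whitelist}

    def covered(prefix, length, addrs):
        """How many of addrs fall inside prefix/length (prefix = its top `length` bits)."""
        shift = 32 - length
        return sum(1 for a in addrs if a >> shift == prefix)

    @lru_cache(maxsize=None)
    def best(prefix, length, entries):
        """Best (gain, filters) obtainable inside prefix/length with `entries` TCAM slots."""
        n_bad = covered(prefix, length, bad)
        if n_bad == 0 or entries == 0:
            return 0, ()                      # nothing worth blocking here
        # Option 1: spend one entry on the whole prefix; collateral damage is charged.
        gain = n_bad - weight * covered(prefix, length, good)
        result = (gain, ((prefix, length),)) if gain > 0 else (0, ())
        if length == 32:
            return result                     # a host route cannot be split further
        # Option 2: split the budget between the two child prefixes and take the better total.
        left, right = prefix << 1, (prefix << 1) | 1
        for k in range(entries + 1):
            lg, lf = best(left, length + 1, k)
            rg, rf = best(right, length + 1, entries - k)
            if lg + rg > result[0]:
                result = (lg + rg, lf + rf)
        return result

    gain, chosen = best(0, 0, budget)
    return gain, [str(ipaddress.IPv4Network((p << (32 - l), l))) for p, l in chosen]


if __name__ == "__main__":
    for budget in (1, 2, 4):
        print(budget, "entries ->", select_filters(BLACKLIST, WHITELIST, budget))
```

With two entries the search prefers 203.0.113.0/30 plus 203.0.113.6/31 (five attackers blocked, no good client touched) over the single 203.0.113.0/29, which would block six attackers but also the whitelisted 203.0.113.4; with four entries every attacker is covered by host or /30 routes that avoid both good clients. Raising the weight models an operator who values customers over coverage; setting it to zero recovers plain aggregation of the blacklist.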
4. Result and Analysis

The proposed two-stage alert correlation scheme, equipped with probabilistic threshold estimation, achieves a significant advantage in detection rate over a naive threshold selection scheme for stealthy attack scenarios. The 98% confidence interval scheme gains a high detection rate without a significant increase in the number of messages exchanged. Our results demonstrate that by using this probabilistic confidence limit to estimate the local support threshold in our two-stage architecture, we are able to capture most of the variation between different subnetworks during a stealthy scan.

5. Conclusion

In a perfect world, there would be no need to hand over sensitive data to agents that may unknowingly or maliciously leak it. And even if sensitive data had to be handed over, in a perfect world the distributor could watermark each object so that its origin could be traced with absolute certainty. However, in many cases the distributor must indeed work with agents that may not be 100 percent trusted, and may not be certain whether a leaked object came from an agent or from some other source, since certain data cannot admit watermarks. In spite of these difficulties, I have shown that it is possible to assess the likelihood that an agent is responsible for a leak, based on the overlap of his data with the leaked data and with the data of other agents, and on the probability that objects can be "guessed" by other means. This model is relatively simple, but I believe that it captures the essential trade-offs. The algorithms I have presented implement a variety of data distribution strategies that can improve the distributor's chances of identifying a leaker. I have shown that distributing objects judiciously can make a significant difference in identifying guilty agents, especially in cases where there is large overlap in the data that agents must receive.
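The guilt assessment described in the conclusion, as an added example that is not the paper's code. It assumes one common formalization of the verbal description: each leaked object t was either obtained by other means ("guessed") with probability p, or leaked by one of the |V_t| agents that received it, each equally likely, independently per object; the guilt of agent i given the leaked set S is then 1 minus the product over t in S ∩ R_i of (1 - (1 - p)/|V_t|). The agents, objects, leaked set, p = 0.2 and the two contrasting allocations are all constructed for the illustration.

```python
"""Guilt probabilities for data-leakage agents.

Editor's illustration of the assessment described in the conclusion; not the paper's
code. Assumed model: each leaked object t was either guessed by the target with
probability p, or leaked by one of the |V_t| agents that received it, each equally
likely, independently per object. Then
    Pr{agent i guilty | leaked set S} = 1 - prod_{t in S and R_i} (1 - (1 - p) / |V_t|).
"""
from math import prod

P_GUESS = 0.2  # assumption: chance a leaked object could have been obtained elsewhere

# Constructed allocation: which objects each agent received, and what turned up leaked.
AGENTS = {
    "U1": {"t1", "t2", "t3"},
    "U2": {"t1", "t4"},
    "U3": {"t2", "t5"},
}
LEAKED = {"t1", "t2", "t4"}

# Two constructed allocations of the same objects, to compare distribution strategies
# for the same leak of {t1, t2}.
OVERLAPPING = {"U1": {"t1", "t2"}, "U2": {"t1", "t2"}, "U3": {"t1", "t2"}}
DISJOINT = {"U1": {"t1", "t2"}, "U2": {"t3", "t4"}, "U3": {"t5", "t6"}}


def guilt(agents, leaked, p=P_GUESS):
    """Pr{agent is responsible | leaked}, for every agent, under the assumed model."""
    result = {}
    for name, received in agents.items():
        factors = []
        for t in leaked & received:
            holders = sum(1 for r in agents.values() if t in r)   # |V_t|
            factors.append(1 - (1 - p) / holders)
        # No overlap with the leak means no evidence against this agent.
        result[name] = 1 - prod(factors) if factors else 0.0
    return result


def most_suspicious(agents, leaked, p=P_GUESS):
    """The agent with the highest guilt probability, and that probability."""
    scores = guilt(agents, leaked, p)
    name = max(scores, key=scores.get)
    return name, scores[name]


if __name__ == "__main__":
    print("guilt:", guilt(AGENTS, LEAKED))
    print("most suspicious:", most_suspicious(AGENTS, LEAKED))
    print("overlapping allocation:", guilt(OVERLAPPING, {"t1", "t2"}))
    print("disjoint allocation:   ", guilt(DISJOINT, {"t1", "t2"}))
```

In the first allocation U2 is the prime suspect (0.88) because t4 was given to nobody else, while t1 and t2 each have two holders and so implicate U1 and U3 only weakly. The two extra allocations show the distribution trade-off the conclusion refers to: when every agent received the same objects, every agent scores the same 0.46 and the leaker cannot be told apart; when the objects are disjoint, the leaker scores 0.96 and the others zero.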
References
[1] Trustwave SpiderLabs, "The Web hacking incident database. Semiannual report. July to December 2010," 2011.
[2] R. Naraine, "Massive DDoS attack hit DNS root servers," InternetNews.com, October 2002, http://www.esecurityplanet.com/trends/article.php/1486981/Massive-DDoS-Attack-Hit-DNS-Root-Servers.htm.
[3] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, no. 2, pp. 39–53, 2004.
[4] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Computing Surveys (CSUR), vol. 39, no. 1, 2007.
[5] E. Kline, M. Beaumont-Gay, J. Mirkovic, and P. Reiher, "RAD: Reflector attack defense using message authentication codes," in Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2009, pp. 269–278.
[6] P. Ferguson and D. Senie, "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing," RFC 2827, May 2000.
[7] R. Beverly and S. Bauer, "The spoofer project: Inferring the extent of source address filtering on the internet," in Proceedings of USENIX SRUTI, 2005, pp. 53–59.
[8] Y. Rekhter, T. Li, and S. Hares, "A Border Gateway Protocol 4 (BGP-4)," RFC 4271, January 2006.
[9] C. Partridge, T. Mendez, and W. Milliken, "Host Anycasting Service," RFC 1546, November 1993.
[10] H. Ballani and P. Francis, "Towards a global IP anycast service," in Proceedings of SIGCOMM, vol. 35, no. 4, August 2005, pp. 301–312.
[11] D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina, "Generic Routing Encapsulation (GRE)," RFC 2784, March 2000.
[12] J. Mirkovic and E. Kissel, "Comparative evaluation of spoofing defenses," IEEE Transactions on Dependable and Secure Computing, pp. 218–232, 2009.
[13] J. Postel, "Internet Protocol," RFC 791, September 1981.
[14] R. Govindan and H. Tangmunarunkit, "Heuristics for Internet map discovery," in Proceedings of INFOCOM, vol. 3, 2000, pp. 1371–1380.

L. Gomathi received her BCA degree from University of Amman Arts & Science College and her MCA degree from Bharathidasan University. She completed her M.Phil at Periyar University. She has 7 years of experience in collegiate teaching and is Head of the Department of Computer Applications at Muthayammal College of Arts and Science, affiliated to Periyar University.

K. Priya received her UG and PG degrees from Trinity College for Women. Her area of interest is Data Mining.