Error Detection Technique in Network Security with respect to Decoy Computer System Prof. Tarannum S. Shaikh Assistant Professor of Master of Computer Application Department,A.C.Patil College of Engineering,Kharghar-410210,Navi Mumbai,Maharashtra tarannumshaikh527@gmail.com Mst. Jay Mahapadi Student of Master of Computer Application Department,A.C.Patil College of Engineering, Kharghar-410210,Navi Mumbai,Maharashtra jay.mahapadi@gmail.com Abstract—Error control describes how the network handles and detects. In this paper, I present on an overview of error control regarding error detection and error correction with respect to decoy system. Error control happens in data link layer. I mainly discuss the type of error detection mechanisms that is used to detect the errors and how the errors will be corrected so the receiver can extract the real data.Decoy Systems, also known as deception systems, honey-pots or tar-pits, are phony components setup to entice unauthorized users by presenting numerous system vulnerabilities, while attempting to restrict unauthorized access to network information systems. At the end of this paper, the conclusion is presented. I. INTRODUCTION Environmental interference and physical defects in the communication medium can cause random bit errors during data transmission. Error coding is a method of detecting and correcting these errors to ensure information is transferred intact from its source to its destination. Error coding is used for fault tolerant computing in computer memory, magnetic and optical data storage media, satellite and deep space communications, network communications, cellular telephone networks, and almost any other form of digital data communication. Error coding uses mathematical formulas to encode data bits at the source into longer bit words for transmission. The "code word" can then be decoded at the destination to retrieve the information. The extra bits in the code word provide redundancy that, according to the coding scheme used, will allow the destination to use the decoding process to determine if the communication medium introduced errors and in some cases correct them so that the data need not be retransmitted. Different error coding schemes are chosen depending on the types of errors expected, the communication medium's expected error rate, and whether or not data retransmission is possible. Faster processors and better communications technology make more complex coding schemes, with better error detecting and correcting capabilities, possible for smaller embedded systems, allowing for more robust communications. However, tradeoffs between bandwidth and coding overhead, coding complexity and allowable coding delay between transmissions, must be considered for each application. Even if we know what type of errors can occur, we can’t simple recognize them. We can do this simply by comparing this copy received with another copy of intended transmission. In this mechanism the source data block is send twice. The receiver compares them with the help of a comparator and if those two blocks differ, a request for retransmission is made. To achieve forward error correction, three sets of the same data block are sent and majority decision selects the correct block. These methods are very inefficient and increase the traffic two or three times. Fortunately there are more efficient error detection and correction codes. There are two basic strategies for dealing with errors. One way is to include enough redundant information (extra bits are introduced into the data stream at the transmitter on a regular and logical basis) along with each block of data sent to enable the receiver to deduce what the transmitted character must have been. The other way is to include only enough redundancy to allow the receiver to deduce that error has occurred, but not which error has occurred and the receiver asks for a retransmission. Decoys are typically thought of as larger - scale, lower fidelity systems intended to change thestatistical success rate of tactical attacks. For example, Deception ToolKit, DWALL, the InvisibleRouter, HoneyD, and Responder are designed to produce large number s of deceptive services ofdifferent characteristics that dominate a search space. The basic idea is to fill the search space ofthe attacker’s intelligence effort with decoys so that detection and differentiation of real targetsbecomes difficult or expensive. In this approach, the attacker seeking to find a target does a typical sweep of an address space looking for some set of services of interest. II. ERROR DETECTION TECHNIQUES There are many reasons such as noise, cross-talk etc., which may help data to get corrupted during transmission. The upper layers work on some generalized view of network architecture and are not aware of actual hardware data processing.Hence, the upper layers expect error-free transmission between the systems. Most of the applications would not function expectedly if they receive erroneous data. Applications such as voice and video may not be that affected and with some errors they may still function well. There are number of error detection techniques I will discuss parity check, checksums and CRC checks Thus if the probability of a single bit being is error is 10-6, then theprobability of an error in an 8-bit pattern (7 + parity) is about 8 x 10-6 and the probabilityof a double error is about 3 x 10-11 which is quite small.An additional issue is that in some circumstances when an error does occur, it occursin a clump - i.e. groups of bits may get corrupted together. Thus if the probability of one bitbeing corrupted is P (small) then the probability of two successive bits being corrupted is notP2, but something much larger, maybe even approaching P. A way around that is to “matrix the check as follows D11 D21 D31 D41 P1 D12 D22 D32 D42 P2 D13 D23 D33 D44 P3 D14 D24 D34 D44 P4 D15 D25 D35 D45 P5 Table1 : Parity check matrix 2.1 Parity The most common method for detectingbits error with asynchronous character and characterorientedsynchronous transmission is parity bit method.There are two types of parity check schemes: even andodd parity checks [9]. With the even parity check, theredundant bit is chosen so that an even number of bits areset to one in the transmitted bit string of N+r bits, where is the bit that used to be the even parity check and N is the bit that is transmitted by the transmitter of thenetwork. The receiver re-computes the parity of eachreceived bits from the transmitter and discard the stringswith the invalid parity. The parity scheme is always usedif 7-bits character is exchanged. If there are 7-bits that aretransmitted by the transmitter and parity check are usedto detect the error, the eight bit is often the parity bit. Parity is the simplest form of error checking. It adds one bit to the pattern and thenrequires that the modulo-2 sum of all the bits of the pattern and the parity bit have a definedanswer. The answer is 0 for even parity and 1 for odd parity. An alternative way of makingthe same statement is that odd(even) parity constrains there to be an odd(even) number of“1"s in the pattern plus parity bit. Parity bits are sufficient to catch all single errors in the pattern plus parity bit as thiswill change a single 1 to a 0 or vice versa and therefore upset the parity calculation. Arepeat of the parity calculation at any time will reveal this problem. However the system willnot catch any double errors (except the trivial case of two errors on the same bit) and thesewill be flagged as valid. For example a pattern of 0110100 becomes 00110100 with the addition of a parity bitand enforcement of odd parity. A single error would (for example) change the pattern to00110000 which has the wrong parity. However a further error to 10110000 looks OK - butis in fact wrong.The length of pattern which each parity bit “guards” should be as long as possible sothat the parity bit takes up the least amount of extra storage, but not so long that a doubleerror becomes likely. In this matrix the parity bits P1-P5 are computed through the columns whereas the data iscorrupted (for whatever reason) by rows. In this case a “burst error” of D22, D23 willproduce parity errors on recalculation for bits P2 and P3 whereas a double error in row twowould “fool” the system if parity were computed in rows. Performance of Parity Check Parity check mechanismcan detect all single-bit errors. It can also detectburst errors only if the total number of errors ineach data unit is odd/even (based on paritycheck used). For example, even parity checkmechanism cannot detect errors where the total numberof hits changed is even. If any two bits change intransmission, the changes cancel each other and the dataunit will pass a parity check even though the data unit isdamaged. The same holds true for any further evennumber of errors. 2.2 CRC Checks Cyclic Redundancy Check is the most powerful and easy toimplement technique. Unlike checksum scheme, which is based on addition, CRC is based on binary division. In CRC, a sequence of redundant bits, called cyclic redundancy check bits, are appended to the end of data unit so that the resulting data unit becomes exactly divisible by a second, predetermined binary number. At the destination, the incoming data unit is divided by the same number. If at this step there is no remainder, the data unit is assumed to be correct and is therefore accepted. A remainder indicates that the data unit has been damaged in transit and therefore must be rejected. The generalized technique can be explained as follows. Unlike parity check which is based on the submission ofthe binary, CRC is based on the binary division. In CRC,instead of adding bits to achieve a desired parity, asequence of redundant bits, called the CRC or the CRCremainder, is appended to the end of a data unit so thatthe resulting data unit becomes exactly divisible by asecond. On the destination side, the incoming data thebinary data is divided by the same number to be comparedon the source side. Means that, if the remainder of thedivision is same as the value on the added CRC when thedata was transmit, the data will be accepted, otherwise theunmatched reminderproduced on the destination after theCRC is indicates the data unit has been damage during the transmission of data. If a k bit message is to be transmitted, the transmitter generates an r-bit sequence, known as Frame Check Sequence (FCS) so that the (k+r) bits are actually being transmitted. Now this r-bit FCS is generated by dividing the original number, appended by r zeros, by a predetermined number. This number, which is (r+1) bit in length, can also be considered as the coefficients of a polynomial, called Generator Polynomial. The remainder of this division process generates the r-bit FCS. On receiving the packet, the receiver divides the (k+r) bit frame by the same predetermined number and if it produces no remainder, it can be assumed that no error has occurred during the transmission. Operations at both the sender and receiver end are shown below receiver side. At the receiver side, the data string and the CRC value is divided by the same value of divisor in the sender part. Then the remainder of this division determines either the received data bit string that to be accepted or not. If the remainder is zero, then the data will be accepted or else it will be rejected. Fig 2 : CRC in sender side. Fig 3 : CRC in receiver side. Fig1 : Basic scheme for Cyclic Redundancy Checking Figure-2 shows the calculation for the CRC in the sender, as shown, the added of the data plus extra zero that is added to the data string and divided with the divisor. The remainder of the division will be the value of CRC that will replace the data plus extra zeros at the receiver side. Figure-3 shows the calculation for the CRC in the The redundancy bits used by CRC are derived by dividing the data unit by a predetermined divisor; the remainder is the CRC. To be valid, a CRC must satisfy two conditions: It must have exactly one less bit than the divisor and appending it to the end of the data string must make the resulting bit sequence exactly divisible by the divisor. The transmitter can generate the CRC by using a feedback shift register circuit. The same circuit can also be used at the receiving end to check whether any error has occurred. All the values can be expressed as polynomials of a dummy variable X. For example, for P = 11001 the corresponding polynomial is X4+X3+1. A polynomial is selected to have at least the following properties: o It should not be divisible by X. o It should not be divisible by (X+1). bits, called the checksum field. The extended data unit is transmitted across the network. So if the sum of the data segments is T, the checksum will be –T. The first condition guarantees that all burst errors of a length equal to the degree of polynomial are detected. The second condition guarantees that all burst errors affecting an odd number of bits are detected. CRC process can be expressed as XnM(X)/P(X) = Q(X) + R(X) / P(X) Performance of CRC CRC has a very good performancein detecting single-bit errors, double errors, an oddnumber of errors and burst errors. They can easily beimplemented in hardware and software. They areespecially fast when implemented in hardware. This hasmade CRC a good candidate for many networks. 2.3 Checksum The checksum method which is a very simple method based on adding up all the words that are transmitted and then transmit them including the complement result of that sum. Like the parity check and CRC, the checksum is based on the concept ofredundancy. A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, it's assumed that the complete transmission was received. Checksum is a calculated value that is used to determine the integrity of data. Checksum serves as a unique identifier for the data (a file, a text string, or a hexadecimal string). If the data changes then so does the checksum value. This makes it easy to verify the integrity of the data. To test data integrity, the sender of the data calculates checksum value by taking the sum of the binary data transmitted. When receiving the data, the receiver can perform the same calculation on the data and compare it with the checksum value provided by the sender. If the two values match, the receiver has a high degree of confidence that the data was received correctly. Checksum value is also called hash value. The data that is calculated can be a file, a text string, or a hexadecimal string. In checksum error detection scheme, the data is divided into k segments each of m bits. In the sender’s end the segments are added using 1’s complement arithmetic to get the sum. The sum is complemented to get the checksum. As shown in Figure 4, in the sender, the checksum generator subdivides the data unit into equal segments of n bits (usually 16). These segments are added using ones complement arithmetic in such a way that the total is also n bits long. That total (sum) is then complemented and appended to the end of the original data unit as redundancy Fig 4 : Checksum operation The receiver performs the same calculation on the received data and compares the result with the receivedchecksum. If the result is 0, the receiver keeps the transmitted data; otherwise, the receiver knows that anerror occurred discards the transmitted data.The checksum detects all errors involving an oddnumber of bits as well as most errors involving an evennumber of bits. The checksum segment is sent along with the data segments as shown in Fig. 5. At the receiver’s end, all received segments are added using 1’s complement arithmetic to get the sum. The sum is complemented. If the result is zero, the received data is accepted; otherwise discarded, as shown in Fig. 6. Fig 5 : Sender’s end for the calculation of the checksum Fig 6 : Receiving end forcalculation of the checksum Performance of Checksum The checksum detects all errors involving an odd number of bits. It also detects most errors involving even number of bits. The traditional checksum uses a small number of bits (16) to detect errors in a message of any size (sometimes thousands of bits). However, it is not as strong as the CRC in errorchecking capability. For example, if the value of one word is incremented and the value of another word is decremented by the same amount, the two errors cannot be detected because the sum and checksum remain the same. Also if the values of several words are incremented but the total change is a multiple of 65535, the sum and the checksum does not change, which means the errors are not detected. III. DECOY COMPUTER SYSTEM The use of deception, or decoys, plays a valuable role in the protection of systems, networks,and information. Decoys are constructs which containdata that appears valuable but is in fact spurious. Since authentic users will have a naturalfamiliarity with their working environment, they are capable of remembering which resourcesare real and which are fabricated. They will have no need, therefore, to access inauthenticdecoys that contain no truly useful data. Adversaries without a thorough knowledge of a target system, on the other hand, will have difficulty differentiating decoys from desirable data. After the number of decoy accessevents pass a certain threshold, an organization can respond by enacting more restrictivesecurity measures and launching an investigation into the account which caused the alertsto occur. Monitoring access to decoy _les and content can thus provide protection againstcyberattacks in a practical and cost effective fashion. Decoy technology also addresses the asymmetry that currently exists with respect to responding to different types of security violations after they have already occurred. In thecase of data integrity breaches, recovery mechanisms have been developed that allow administrators to \roll back" systems to a checkpointed state that existed prior to when themalicious event took place. Similarly, attacks against the availability of computer networkscan be thwarted by increasing the amount of redundant resources that are deployed. Previously, there was no such solution for reacting to attacks against system confidentiality afterthe fact, however. Decoys can serve this role by providing a mechanism through which datacan be tracked after an adversary has already absconded with it. Computers whose primary function is to attract the attention of malicious actors are oftencalled honeypots." Entire networks of such spurious machines are known as honeynets." These systems are usually constructed in a way such that they appear as though they arean unassuming component of a larger network architecture. In reality, however, they failto contain any useful data and are cordoned o_ from network resources which are actuallyvalued. Honeypots and honeynets can be quite effective when used to detect external threats.Their applicability towards defending against attacks originating from within an organizationis limited, though. This is due to the fact that this class of adversaries typically alreadyhave the knowledge that is required to access the portion of a network where legitimatedata resides. Furthermore, honeypots offer no utility after a successful attack has alreadyoccurred. Decoys are typically thought of as larger - scale, lower fidelity systems intended to change thestatistical success rate of tactical attacks. For example, Deception ToolKit, DWALL, the InvisibleRouter, HoneyD and Responder are designed to produce large number s of deceptive services ofdifferent characteristics that dominate a search space. The basic idea is to fill the search space ofthe attacker’s intelligence effort with decoys so that detection and differentiation of real targetsbecomes difficult or expensive. In this approach, the attacker seeking to find a target does atypical sweep of an address space looking for some set of services of interest. A decoy system wants to be compromised. Once an intruder comes in, it can track activity, figure out what data is being targeted and be a foundation for incident response and network forensics.The decoy network, in effect, can send off alarm bells – alerts – that an attack is under way. And protect the actual network from attack, by taking its brunt. The unauthorized user’s keystrokes get captured and sent to a system log. Bogus files can be spirited away, with no harm done. Etc. The decoy network becomes a sensor and a prosecution system. It’s relatively simple, the journal notes, to put an extra interface on a firewall to control communications with the intruder. And programmable toolkits can even make it look like the system is vulnerable to attack, when a hacker starts a probe.Such systems are not considered traps, legally, because there is no advertising of the decoy network. Hackers must take it upon themselves to find it and infiltrate it. Properties of Decoys In order to design decoys that are as effective as possible, it is also beneficial to analyzethem in a more general sense by considering characteristics that are independent of a particular context.A “perfectly believable decoy” would precisely conform to all of these guidelines, though practical restrictions prevent this from occurring in most situations. Although there exists some overlap between these traits, it is also worth noting that they are not completely orthogonal. For example, believability and differentiability are in contention to some extent. Believability One of a decoy's primary functions is to be believable. Upon inspection, a decoy shouldappear authentic and trustworthy. In the absence of any additional information, it shouldbe impossible to discern a spurious decoy from authentic data. For example, a decoy taxdocument should contain all of the same fields as one that is actually in use, and each of its fields should be populated with realistic values. Believability can be formalized via the following thought experiment. Consider a pool of files, some of which contain real data and some of which are fabricated decoys. Select a decoy file and real piece of data from this pool, and present it to an adversary. The selected decoycan be considered perfectly believable if this attacker has an equal probability of selectingthe decoy and the legitimate document.This characteristic is of critical importance to externally observable features of decoys. Delectability Delectabilitydescribes the ability of decoysto notify their owner when they have been accessed. An ideal decoy system would issue analert each and every time a decoy is accessed, but technical challenges, including networkavailability and variability between software platforms, mean that this may not always bepossible in practice.Deploying multiple overlapping decoy monitors that operate at different system levelscan help mitigate the possibility of an attacker accessing a decoy while remaining undetected. Features of the decoy documents themselves can be leveraged to equip them withembedded alert code. Monitoring software can be placed in the operating system to detectpredetermined tokens placed within decoys when they are opened. Further, operating system auditing can be enabled to record decoy interactions. In order to check for document exfiltration, software can be placed on network equipment to check for such tokens as well.Finally, the content of decoy documents can also serve as an alert system. For example,credentials for spurious accounts can be placed within a decoy. Since there is no reason thata legitimate user would ever access these accounts, any activity they exhibit would send astrong signal of malicious intent. Variability Although a decoy distribution system should strive to make its fake documents seem asauthentic as possible, it would certainly be undesirable if precisely the same well-crafted decoy file were placed repeatedly throughout a given system or network. This would greatly simplify the task of distinguishing between legitimate data and the planted decoys that serve as monitors. In general, there should be as much variability between decoy documents as there exists in the pool of documents that they are intended to detect. That is, the task of identifying a decoy should not be reducible to identifying a particular invariant that exists between all generated decoys. A different way to conceptualize variability is to consider the task of an adversary whowishes to extract information from a system while remaining undetected. Assume thatthe attacker has been able to discern which documents that have been accessed thus far areauthentic and which are traps. With a collection of \perfectly variable" decoys, this adversarywould still be unable to discern future decoy material from real data with a probabilitygreater than one half. Previous decoy knowledge, therefore, should not impact the task ofidentifying future decoys. Note the relationship that exists between the trait of variabilityand the believability characteristic. Variability among decoys essentially means that decoysshould remain believable even after the presence of other decoys has been revealed. Stealth While it is clearly desirable that every decoy access event be perceptible to the owners of a system, care must be taken lest the alarms that accomplish this arouse suspicion. An overt mechanism for issuing alert beacons would provide adversaries with an obvious signal that an element contains a trap, which completely violates the property of decoy variability. The messages that are transmitted by decoys must therefore be as subtle and covert as possible. Raising an alert that decoy content has been accessed necessarily involves taking some action, however. Even if precautions are taken, there is always the possibility that this act will be perceptible to a malicious actor. It is therefore also desirable to trigger beacon events as early as possible to prevent their interception. For example, alerts for _le based decoys should be raised as soon as they are accessed and prior to any content being displayed, if feasible. This would eliminate the possibility of a decoy being recognized and discarded before the decoy system has an opportunity to detect that is has been accessed. Non-interference This property is the first to describe how decoys should coexist with legitimate users whoare not masquerading with assumed credentials. An optimal masquerader detection network would not affect the habits of typical users in any way. By inserting decoy material into anoperating environment, however, we introduce the possibility that this data will confuse usersor otherwise hinder their ability to complete their everyday tasks. It is therefore desirablefor decoys to demonstrate the property of non-interference by not obstructing the behaviourof normal users. If a file system is populated with decoy documents that serve as intrusion sensors, forexample, the probability that the file system's primary owner is able to access a particularstandard document should remain the same as it was prior to the introduction of the decoycontent. Similarly, introducing decoy applications to a mobile device's operating systemshould not impact a user's ability to access real applications as they normally would. IV. CONCLUSION Decoy computer system and error detection methods have been discussed in this paper. There are different ways to detect error. But not all the methods of error detection can detect error accurately and effectively. Every method has its own specialty, advantage and its own mechanism to detect error. Parity check is simple and can detect all single-bit error. CRC has a very good performance in detecting single-bit errors, double errors, an odd number of errors, and burst errors while checksum is not efficient as the CRC in error detection when the two words are incremented with the same amount, the two errors cannot be detected because the sum and checksum remain the same. Decoys represent a drastic departure from existing security solutions in several important ways. By placing content that is spurious yet believable and enticing in the path of potential adversaries, decoys serve as a potent last line of defence against attacks. Decoy content can be proactively seeded throughout a system to defend against potential attacks, or fed to an adversary once malicious activity has been detected. Furthermore, by tracking decoy material, violations of confidentiality can be addressed after they have occurred. This is a capability that alternative security measures are not capable of offering. Decoys can be integrated as useful components of any full featured security solution and will only increase in prominence as threats against computer systems continue to grow. With all this factors error detection techniques can be used with decoy computer systems. ACKNOWLEDGMENT I would gratefully and sincerely appreciate my supervisor: Assistant Prof. Tarannum Shaikh. Her inspiring guidance, rich experience and sustained encouragement enabled me to develop an intensive understanding of my research area. Without the generous help of my supervisor, this work would not have been possible. I am honored to have Prof. Tarannum Shaikh from A.C.Patil College as my opponent. I thank her for her kind support and helpful suggestions during the discussions in my MCA. REFERENCES 1. AfiqahAzahari, RaedAlsaqour, Mueen Uddin and Mohammed Al-Hubaishi "Review Of Error Detection Of Data Link LayerIn Computer Network" January 2014 2. L. L. Peterson and B. S. Davie. 2007. Computer networks: a systems approach 3. Andrew S. Tanenbaum, David “Computer Networks” Fifth Edition 4. Saad Mneimneh detection” 5. Kurose, J.F. and Ross K.W., "Computer Networking: A Top-Down Approach Featuring the Internet", Third Edition, 2005 6. M. Ben Salem and S. Stolfo. Decoy Document Deployment for Effective Masquerade Attack Detection, 2011. 7. Jonathan Voris, Jill Jermyn, Angelos D. Keromytis, and Salvatore J. Stolfo "Bait and Snitch: Defending Computer Systems withDecoys" 8. B. Bowen and S. Hershkop and A. Keromytis and S. Stolfo. "Baiting Inside AttackersUsing Decoy Documents" 9. Kellep A. CharlesDecoy Systems:A New Player in Network Security and Computer Incident Response “Computer J. Wetherall Networks Error 10. Y. Park and S. Stolfo. Software Decoys for Insider Threat.2012 11. B. M. Bowen, V. P. Kemerlis, P. Prabhu, A. D. Keromytis, and S. J. Stolfo. Automatingthe injection of believable decoys to detect snooping, 2010. 12. Fred Cohen "The Use of Techniques:Honeypots and Decoys" Deception