
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 3, Issue 1, January February 2014 ISSN 2278-6856

Network-based IDS for Distributed Denial of Service Attacks


Dileep Kumar G (1), Dr CV Guru Rao (2), Dr Manoj Kumar Singh (3) and Mohammed Kemal (4)

1 Research Scholar, Faculty of Computer Science, Jawaharlal Nehru Technological University, Hyderabad, AP, India
2 Professor, Department of Computer Science and Engineering, SR Engineering College, Warangal, AP, India
3 Asst Professor, Department of Computing, Adama Science & Technology University, Adama, Ethiopia
4 Asst Professor, Department of Computing, Adama Science & Technology University, Adama, Ethiopia

Abstract:

Intrusion detection has become a crucial activity of the information security process. Intrusion detection is the process of monitoring the events occurring in a computer network or system and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An Intrusion Detection System (IDS) is software that automates the intrusion detection process. IDSs are primarily focused on identifying possible incidents and logging information about them. An IDS detects many kinds of malicious network traffic and computer usage that a conventional firewall cannot detect. The aim of this paper is to design and develop an IDS for detecting DDoS attacks in the network using the Jpcap library in the Java programming language.

Keywords: DDoS Attacks, Intrusion Detection, Jpcap, Information Security.

1. INTRODUCTION
Intrusion detection (ID) is a rapidly evolving technology. Intrusion detection systems first appeared in the early 1980s. In 1980, Anderson proposed that audit trails should be used to monitor threats [1]. The significance of such data was not understood at the time, and most system security procedures were devoted to denying unauthorized access to sensitive data. Later, Dorothy Denning [2] proposed intrusion detection as a way of providing a sense of security in computers. Most of the early intrusion detection work was done as studies, so intrusion detection is a relatively young field of computing; only in the past few years have considerable resources been put into intrusion detection research and development. An intrusion is an intentional violation of the security policy of a system, also known as a penetration. According to Bace, intrusion detection is the process of monitoring the events occurring in a computer network or system and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices [3]. Intrusion detection systems are those systems designed to monitor an attacker's activity in order to determine whether the attacker is exhibiting unexpected behavior.

Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Although many incidents are malicious in nature, many others are not; for instance, a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization. An Intrusion Detection System (IDS) is a system responsible for detecting inappropriate, anomalous, or otherwise unauthorized data occurring on a network [4]. An IDS captures and monitors all traffic, whether permitted or not, and generates an alert based on the contents at either the IP or the application level. The principal goal of an intrusion detection system is to detect attacks and to protect the availability, confidentiality and integrity of critical networked information systems; it aims to provide data security and ensure the continuity of the services provided by a network [5]. For instance, an IDS could detect that an attacker has compromised a system by exploiting a vulnerability in it and report the incident to security administrators, who could quickly initiate incident response actions to minimize the damage caused by the attack. There are many kinds of IDS technologies, differentiated primarily by the types of events they can recognize and the methodologies they use to identify attacks. In addition to monitoring and analyzing events to identify undesirable activity, all kinds of IDS technologies typically perform the following functions: recording information associated with observed events, notifying security administrators of important observed events, and producing reports.

One attribute of IDS technologies is that they cannot provide completely accurate detection. When an IDS incorrectly identifies benign activity as malicious, a false positive has occurred. When an IDS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives; in general, lowering the occurrences of one raises the occurrences of the other. Many organizations choose to decrease false negatives at the expense of increasing false positives. Altering the configuration of an IDS to improve its detection accuracy is known as tuning. Most IDS technologies also provide features that compensate for the use of common evasion techniques. Evasion is modifying the format or timing of malicious activity so that its appearance changes while its effect stays the same. Attackers use evasion techniques to try to prevent IDPS technologies from detecting their attacks. For instance, an attacker could encode text characters in a particular way, knowing that the target understands the encoding and hoping that any monitoring IDS does not. Most IDS technologies can overcome common evasion techniques by duplicating the special processing performed by the targets. If the IDS can see the activity in the same way the target does, evasion techniques will usually be unsuccessful at hiding attacks. The paper is organized as follows: Section 2 presents different approaches to intrusion detection. Section 3 presents an overview of the proposed system. Section 4 describes the system implementation and Section 5 presents the experimental results.

2. DIFFERENT METHODS TO INTRUSION DETECTION

To set the scene for this paper, we start with a short overview of IDS technologies, which use several methodologies to detect incidents: signature-based detection, anomaly-based detection, and stateful protocol analysis. Most IDS technologies use multiple detection methodologies, either separately or integrated, to provide broader and more accurate detection [6].

2.1 Signature-Based Detection
A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents [7]. Signature-based detection is very effective at detecting known threats but largely ineffective at detecting previously unknown threats, threats disguised by evasion techniques, and many variants of known threats. For instance, if an attacker modified a piece of malware to use the filename freepics2.exe, a signature looking for freepics.exe would not match it.

2.2 Anomaly-Based Detection
Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations [7]. An IDS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. An initial profile is generated over a period sometimes called the training period. Profiles for anomaly-based detection can be either static or dynamic. Once generated, a static profile is unchanged unless the IDPS is specifically directed to generate a new profile. A dynamic profile is adjusted constantly as additional events are observed. Because networks and systems change over time, the corresponding measures of normal behavior also change; a static profile will eventually become inaccurate, so it needs to be regenerated periodically. Dynamic profiles do not have this problem, but they are susceptible to evasion attempts by attackers. For instance, an attacker can perform small amounts of malicious activity occasionally and then slowly increase the frequency and volume of that activity. If the rate of change is sufficiently slow, the IDS may take the malicious activity for normal behavior and include it in its profile. Malicious activity may also be observed by an IDS while it builds its initial profiles. The key benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown threats.

2.3 Stateful Protocol Analysis
Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Unlike anomaly-based detection, which uses host- or network-specific profiles, stateful protocol analysis relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. The "stateful" in its name means that the IDS is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state. Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command on which it depends. Another state-tracking feature of stateful protocol analysis is that, for protocols that perform authentication, the IDS can keep track of the authenticator used for each session and record the authenticator used for suspicious activity. This is helpful when investigating an incident. Some IDPSs can also use the authenticator information to define acceptable activity differently for multiple classes of users or for specific users. The main drawback of stateful protocol analysis methods is that they are very resource-intensive because of the complexity of the analysis and the overhead of performing state tracking for many simultaneous sessions. Another serious problem is that stateful protocol analysis methods cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior, such as performing many benign actions in a short time to cause a denial of service. A further problem is that the protocol model used by an IDS may conflict with the way the protocol is implemented in particular versions of specific applications and operating systems, or with how different client and server implementations of the protocol interact.

There exist many intrusion detection systems worldwide. Sobirey's site lists over ninety intrusion detection systems [8]. Some are proprietary (free or commercial) while others are open source. Commercial intrusion detection systems come from companies specializing in network security, such as Cisco Systems, Computer Associates, Intrusion.com, Network Associates, etc. Some existing open source intrusion detection systems are the HIDS OSSEC, the HIDS Samhain, the NIDS Snort, the NIDS Bro and the IDS Prelude.

3 PROPOSED SYSTEM
In this section we present the main contributions of the paper. The goal of the proposed system is to detect certain well-known DDoS attacks on the host system, display warnings to the user, store information about the IP addresses, the ports and the number of times the attack has occurred, and permit traffic depending on that information. The system frames rules based on the input given by the user and then allows inbound or outbound traffic according to those rules.

IDS Process: The system administrator requests a connection to the proposed network intrusion detection system; the system disconnects after three unsuccessful attempts. The following sequence must be completed: the system presents the login/authentication form, the administrator enters his/her login and password, the system checks the login and password, and the system either grants the administrator access to the proposed network intrusion detection system or denies access after three unsuccessful attempts. Once authentication succeeds, the graphical interface of the proposed network intrusion detection system is displayed. The following steps are then carried out: selection of the network interface, followed by the network packet capturing process; capturing network packets and analyzing them; generating alarms as soon as an intrusion is detected; querying the database; and recording the alarms and packets.

Figure 1: The IDS Process

In this system, the Jpcap sniffer captures the packets flowing into and out of the system. Jpcap is an open source library for capturing and sending network packets from Java applications [9]. The packet capturing function is accomplished via Jpcap, which offers a Java API to the popular C packet capture library pcap. While Jpcap is not yet a complete port of the pcap library, it provides the basic functionality we need. The system extracts IP features and stores them in individual tables of the database. The packets from a particular slave machine are monitored and checked; whenever the packet count crosses the threshold value, the system generates an alert and stores the log in the database. The threshold is a reconfigurable value that specifies the maximum allowable count. The GUI displays the defined rules and the attack logs to the user. It also provides facilities for starting and stopping packet capture, clearing attack logs, adding a new rule to the store and deleting an existing rule from the store. The system implements detection of the following types of DDoS attacks:
Flood attacks: UDP Flood, ICMP Flood
Amplification attacks: Smurf, Fraggle
Protocol exploit attack: SYN Flood
Malformed packet attacks: IP Address, IP Packet Option
MySQL is employed as the relational database management system [10]. In this work it implements a relational database that stores information about captured packets and about the alarms generated once an intrusion is detected on the network. The implemented database has four tables: TCPCapture records information about captured TCP packets, UDPCapture records information about captured UDP packets, ICMPCapture records information about captured ICMP packets, and DDoSAlerts records the different detected intrusions.

4 IMPLEMENTATION
We implemented the IDS in the Java programming language using the Jpcap library, following these five steps.

1. Listening to the network and capturing the packets: In this first step, a sniffer is developed using the Jpcap library discussed in Section 3. In an Ethernet network, each system has a network card with its own physical address. The network card examines each packet on the network and captures it when it is destined for the host system. From this packet the different layers (Ethernet, IP, TCP, UDP, etc.) are extracted in order to forward the information they carry to the application. When a network card is configured in promiscuous mode, all packets are captured regardless of which host they are addressed to. The sniffer is therefore implemented with the Jpcap library through the following steps: listing and printing all network interfaces on the victim (monitored) machine using the method JpcapCaptor.getDeviceList(); selecting the network interface to be used by the sniffer; opening the network interface in promiscuous mode using the method JpcapCaptor.openDevice(); and starting the packet capturing process through the PacketReceiver interface.

2. Decoding the packets: The packet decoding process is also based on the Jpcap library. The decoder receives the packets one by one from the sniffer and determines their category (TCP, UDP, ICMP, etc.) by matching them against the classes available in the Jpcap library, namely IPPacket, TCPPacket, UDPPacket, ICMPPacket, etc. For instance, if the packet is TCP, the decoder collects its source and destination addresses, source and destination ports, data field and TCP flags.

3. Detecting specific attacks: The IDS has routines to detect various kinds of attacks, such as TCP attacks, ICMP Flood, UDP Flood, IP Address, IP Packet Option, Smurf attacks and Fraggle attacks.

4. Output module: This module is executed once an attack is detected. It offers two distinct modes. The first is an alarm that reports the detected intrusion. The second records the attack in a table of the database, accessible through the graphical user interface.
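The decoding step above, shown as an added example that is not the paper's code: instead of Jpcap's IPPacket, TCPPacket, UDPPacket and ICMPPacket classes (which need the Jpcap native library), the class below parses the Ethernet, IPv4 and transport headers of a raw frame by hand and extracts the same fields the decoder stores, namely protocol, source and destination addresses, ports, TCP flags and payload length. The class and method names (PacketDecoder, Decoded, decode, hex) are this example's own, and the two sample frames in main are constructed, not captured traffic. Every length field is checked before it is used as an offset, so a truncated or malformed frame is rejected rather than causing an out-of-bounds read.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

/**
 * Decodes a raw Ethernet frame into the fields the IDS decoder stage stores.
 * Added example, not the paper's code: Jpcap's decoded packet objects are
 * replaced by hand-written header parsing so the class runs without Jpcap.
 * In the real system a Jpcap PacketReceiver would be handed already-decoded
 * objects and would copy out the same fields.
 */
public class PacketDecoder {

    /** IPv4 protocol numbers for the three classes the paper's capture tables distinguish. */
    static final int PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17;

    /** One decoded packet; -1 marks a field the protocol does not have. */
    public static final class Decoded {
        public final String proto, srcIp, dstIp;
        public final int srcPort, dstPort, tcpFlags, icmpType, payloadLen;

        Decoded(String proto, String srcIp, String dstIp, int srcPort, int dstPort,
                int tcpFlags, int icmpType, int payloadLen) {
            this.proto = proto; this.srcIp = srcIp; this.dstIp = dstIp;
            this.srcPort = srcPort; this.dstPort = dstPort; this.tcpFlags = tcpFlags;
            this.icmpType = icmpType; this.payloadLen = payloadLen;
        }

        /** A SYN without ACK is a connection attempt, the unit a SYN-flood counter tallies. */
        public boolean isBareSyn() {
            return "TCP".equals(proto) && (tcpFlags & 0x02) != 0 && (tcpFlags & 0x10) == 0;
        }

        @Override public String toString() {
            return proto + " " + srcIp + ":" + srcPort + " -> " + dstIp + ":" + dstPort
                    + " flags=0x" + Integer.toHexString(tcpFlags) + " icmpType=" + icmpType
                    + " payload=" + payloadLen;
        }
    }

    /** Returns null for anything that is not a well-formed IPv4 frame carrying TCP, UDP or ICMP. */
    public static Decoded decode(byte[] frame) {
        if (frame.length < 14 + 20) return null;                  // Ethernet header + minimal IPv4 header
        ByteBuffer b = ByteBuffer.wrap(frame);                      // network byte order (big-endian)
        if ((b.getShort(12) & 0xFFFF) != 0x0800) return null;     // EtherType must be IPv4
        int ip = 14;
        int ihl = (frame[ip] & 0x0F) * 4;                           // IPv4 header length in bytes
        int totalLen = b.getShort(ip + 2) & 0xFFFF;
        // Bounds checks before any offset is used: a lying or truncated length must not cause a read past the frame.
        if (ihl < 20 || totalLen < ihl || frame.length < ip + totalLen) return null;
        int proto = frame[ip + 9] & 0xFF;
        String src = ipv4(frame, ip + 12), dst = ipv4(frame, ip + 16);
        int l4 = ip + ihl, l4Len = totalLen - ihl;                  // transport header offset and length
        switch (proto) {
            case PROTO_TCP: {
                if (l4Len < 20) return null;
                int dataOff = ((frame[l4 + 12] & 0xF0) >>> 4) * 4; // TCP header length incl. options
                if (dataOff < 20 || dataOff > l4Len) return null;
                return new Decoded("TCP", src, dst, b.getShort(l4) & 0xFFFF, b.getShort(l4 + 2) & 0xFFFF,
                        frame[l4 + 13] & 0xFF, -1, l4Len - dataOff);
            }
            case PROTO_UDP:
                if (l4Len < 8) return null;
                return new Decoded("UDP", src, dst, b.getShort(l4) & 0xFFFF, b.getShort(l4 + 2) & 0xFFFF,
                        0, -1, l4Len - 8);
            case PROTO_ICMP:
                if (l4Len < 8) return null;
                return new Decoded("ICMP", src, dst, -1, -1, 0, frame[l4] & 0xFF, l4Len - 8);
            default:
                return null;                                        // other protocols are not tracked
        }
    }

    static String ipv4(byte[] f, int off) {
        return (f[off] & 0xFF) + "." + (f[off + 1] & 0xFF) + "." + (f[off + 2] & 0xFF) + "." + (f[off + 3] & 0xFF);
    }

    /** Hex-string helper for the constructed sample frames below. */
    static byte[] hex(String s) {
        s = s.replaceAll("\\s", "");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        // Constructed frames (not captured traffic); addresses are from the RFC 5737 documentation ranges.
        String eth = "0a0000000001 0a0000000002 0800";
        byte[] synFrame = hex(eth + "4500 0028 0001 0000 4006 0000 c000020a c6336407"  // IPv4, protocol 6
                + "9c40 0050 00000001 00000000 5002 7210 0000 0000");                 // TCP 40000 -> 80, SYN set
        byte[] echoFrame = hex(eth + "4500 001c 0002 0000 4001 0000 c000020a c6336407" // IPv4, protocol 1
                + "0800 0000 0001 0001");                                             // ICMP echo request
        byte[] truncated = Arrays.copyOf(synFrame, 40);                                // cut inside the TCP header
        Decoded syn = decode(synFrame), echo = decode(echoFrame);
        System.out.println(syn + " bareSyn=" + syn.isBareSyn());
        System.out.println(echo);
        System.out.println("truncated frame -> " + decode(truncated));                 // rejected by the length checks
    }
}
```

The null return for malformed input matters for an IDS in particular: the decoder sits in front of every packet an attacker can send, so it must fail closed on bad lengths rather than throw and stop the capture loop.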

5 EXPERIMENTAL RESULTS
In this section we present the GUI of the DDoS IDS. The authentication process of the administrator is shown in Fig. 2; three unsuccessful attempts cause the login process to fail.

Fig. 3 presents the GUI of the Intrusion Detection System, which includes features for listing the network devices, starting the packet capturing process, stopping the packet capturing process and showing the features of the captured packets, and finally displays all captured packets with their Packet#, Captured Time, Source IP & Port, Destination IP & Port, Packet Count and type of packet.

Fig. 4 shows the alert generated when a TCP Flood attack has occurred.

Whenever the attack threshold is reached, a log entry is made in the DDoSAlerts database table with its Count value. When the features of an attack match those of an entry already in the database, i.e. the same source and destination, the count is updated. Fig. 5 presents the log reports of attacks.
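The threshold check and the count update of the alert log described above, as an added example that is not the paper's code. Packets arrive already decoded (a minimal Pkt record stands in for the decoder's output), each enabled attack class has a user-configurable Rule with a threshold, and an in-memory map stands in for the MySQL DDoSAlerts table: an alert for the same attack, source and destination updates the existing row's count instead of inserting a new one. The names FloodDetector, Pkt, Rule, Alert and observe are this example's own, and two details the paper leaves open are assumptions here: the packet count is taken over a sliding time window, and one alert is raised per window fill. The traffic in main is constructed.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Threshold-based flood detection with an alert log that updates the count of an
 * existing (attack, source, destination) entry instead of inserting a duplicate.
 * Added example, not the paper's code. The paper keeps alerts in a MySQL table named
 * DDoSAlerts and rules in a user-editable store; in-memory maps stand in for both.
 * Counting over a sliding window and raising one alert per window fill are assumptions.
 */
public class FloodDetector {

    /** Minimal view of a decoded packet, as the decoder stage would hand it over. */
    public static final class Pkt {
        final String proto, srcIp, dstIp; final boolean syn, ack; final long timeMs;
        public Pkt(String proto, String srcIp, String dstIp, boolean syn, boolean ack, long timeMs) {
            this.proto = proto; this.srcIp = srcIp; this.dstIp = dstIp;
            this.syn = syn; this.ack = ack; this.timeMs = timeMs;
        }
    }

    /** A reconfigurable rule: attack name, packet threshold and window length. */
    public static final class Rule {
        final String attack; final int threshold; final long windowMs;
        public Rule(String attack, int threshold, long windowMs) {
            this.attack = attack; this.threshold = threshold; this.windowMs = windowMs;
        }
    }

    /** One row of the alert log; a row with the same (attack, src, dst) has its count updated. */
    public static final class Alert {
        public final String attack, srcIp, dstIp; public int count;
        Alert(String attack, String srcIp, String dstIp) { this.attack = attack; this.srcIp = srcIp; this.dstIp = dstIp; }
        @Override public String toString() { return attack + " " + srcIp + " -> " + dstIp + " count=" + count; }
    }

    private final Map<String, Rule> rules = new HashMap<>();
    private final Map<String, ArrayDeque<Long>> windows = new HashMap<>();   // key -> packet times inside the window
    private final Map<String, Alert> alertLog = new LinkedHashMap<>();        // stand-in for the DDoSAlerts table

    public void addRule(Rule r) { rules.put(r.attack, r); }
    public void deleteRule(String attack) { rules.remove(attack); }
    public void clearLog() { alertLog.clear(); }
    public List<Alert> alerts() { return new ArrayList<>(alertLog.values()); }

    /** Names the flood class a packet counts towards, or null if it counts towards none. */
    static String classify(Pkt p) {
        switch (p.proto) {
            case "UDP":  return "UDP Flood";
            case "ICMP": return "ICMP Flood";
            case "TCP":  return (p.syn && !p.ack) ? "SYN Flood" : null;  // only bare SYNs are connection attempts
            default:     return null;
        }
    }

    /** Feeds one packet; returns the alert raised or updated by it, or null if no threshold was crossed. */
    public Alert observe(Pkt p) {
        String attack = classify(p);
        if (attack == null) return null;
        Rule rule = rules.get(attack);
        if (rule == null) return null;                                    // attack class not enabled by any rule
        String key = attack + "|" + p.srcIp + "|" + p.dstIp;
        ArrayDeque<Long> q = windows.computeIfAbsent(key, k -> new ArrayDeque<>());
        q.addLast(p.timeMs);
        while (p.timeMs - q.peekFirst() > rule.windowMs) q.pollFirst();   // drop packets older than the window
        if (q.size() < rule.threshold) return null;
        q.clear();                                                         // restart the window after a crossing
        Alert a = alertLog.get(key);
        if (a == null) { a = new Alert(attack, p.srcIp, p.dstIp); alertLog.put(key, a); }  // new row
        a.count++;                                                         // same source and destination: update Count
        return a;
    }

    public static void main(String[] args) {
        FloodDetector d = new FloodDetector();
        d.addRule(new Rule("SYN Flood", 100, 1000));   // 100 bare SYNs within one second
        d.addRule(new Rule("ICMP Flood", 50, 1000));
        // Constructed traffic with RFC 5737 documentation addresses: 250 SYNs in half a second from one
        // source (two threshold crossings), one SYN/ACK reply, and ten echo requests (below threshold).
        for (int i = 0; i < 250; i++) d.observe(new Pkt("TCP", "192.0.2.10", "198.51.100.7", true, false, 2L * i));
        d.observe(new Pkt("TCP", "198.51.100.7", "192.0.2.10", true, true, 600));
        for (int i = 0; i < 10; i++) d.observe(new Pkt("ICMP", "192.0.2.10", "198.51.100.7", false, false, 700 + i));
        for (Alert a : d.alerts()) System.out.println(a);
    }
}
```

Keying the window on attack class, source and destination is what lets a single source be caught without a burst of legitimate clients to the same server being counted together; the trade-off is that a flood spread across many spoofed sources, the usual DDoS shape, stays below any per-source threshold and needs a per-destination count as well.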

6 CONCLUSIONS AND FURTHER WORK
The IDS is designed to provide basic detection techniques in order to secure the systems in networks that are directly or indirectly connected to the Internet. The network administrator needs to be sure that his network is out of danger. This software does not completely shield the network from intruders, but it helps the network administrator to find attackers, on the Internet or inside the network, whose purpose is to bring the network to a breach point and make it prone to attacks. The current system does not provide intrusion prevention facilities, which would allow blocking or permitting a particular IP, a range of IPs or a subnet by applying the relevant rule on the operating system; we will focus on this in future work. We designed the IDS so that it can be reused easily. It will be easy to add further attacks to the system later because of the flexibility and extensibility provided by its design. The IDS is written completely in the platform-independent language Java. The current system has been tested only on Windows 7, but it can be used and tested on other systems running different operating systems that fulfil the requirements and prerequisites of the IDS. The system could be enhanced with the following future work:
The current system only displays the log information; it does not employ any strategy to analyze the knowledge present in the log records and extract it. The system could be extended with data mining techniques to analyze the information in the log records, which could assist in efficient decision making.
The current system only detects known attacks. It could be extended with intelligence so that it gains knowledge on its own by analyzing the growing traffic and learning new intrusion patterns.
The existing system operates on an individual host machine and is not a distributed application. It could be extended into a distributed application in which different modules of the same system running on different machines interact with each other, providing distributed detection and protection for all machines on which the system runs.

References
[1] J. P. Anderson, "Computer security threat monitoring and surveillance," James P. Anderson Co., Fort Washington, Pennsylvania, Tech. Rep., 1980.
[2] D. Denning, "An intrusion-detection model," IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. 222-232, 1997.
[3] R. G. Bace, Intrusion Detection. Technical Publishing, 1995.
[4] B. Mukherjee et al., "Network intrusion detection," IEEE Network, vol. 8, no. 3, pp. 26-41, 1994.
[5] K. Ramamohanarao et al., "The curse of ease of access to the Internet," 3rd International Conference on Information Systems Security.
[6] N. Bashah et al., World Academy of Science, Engineering and Technology. World Academy of Science, 2005.
[7] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communications Review (CCR), vol. 34, no. 2, pp. 39-54, April 2004.
[8] M. Sobirey. (2011, Jan.) Intrusion detection systems. [Online]. Available: http://wwwrnks.informatik.tu-cottbus.de/sobirey/ids.html
[9] K. Fujii. (2007, Jan.) Jpcap tutorial. [Online]. Available: http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/tutorial/index.html
[10] C. Thibaud, MySQL 5: installation, mise en oeuvre, administration et programmation. Editions Eyrolles, 2006.

AUTHORS
Dileep Kumar G received the B.Tech. degree in Computer Science & Engineering from JSN College of Engineering & Technology, Kaghaznagar, AP, India and the M.Tech degree in Software Engineering from Ramappa Engineering College, Warangal, AP, India. Currently he is an Assistant Professor in the Department of Computer Science & Engineering, SR Engineering College, Warangal, India. He is pursuing a Ph.D in Computer Science at Jawaharlal Nehru Technological University, Hyderabad, AP, India. His research interests include Network Security, Data Mining and Mobile Ad hoc Networks.

Dr CV Guru Rao received the B.E degree in Electronics & Communications Engineering from VR Siddhartha Engineering College, Vijayawada, India and the M.Tech degree in Electronics Instrumentation from Regional Engineering College, Warangal, India. He holds a doctorate in Computer Science & Engineering from the Indian Institute of Technology, Kharagpur, India. With 30 years of teaching experience, he is currently working as Professor & Head of the Department of Computer Science & Engineering, SR Engineering College, Warangal, India.