A DETAILED STUDY ON ANOMALY BASED INTRUSION DETECTION

SYSTEM

A Project report submitted in partial fulfillment of the requirements for

the award of the degree of

BACHELOR OF TECHNOLOGY

IN

COMPUTER SCIENCE ENGINEERING

submitted by

K.SHARMILA 316126510145

M.J.SARIKA 316126510153

M.MOUNIKA 316126510175

G.PRUDHVI 316126510194

UNDER THE GUIDANCE OF

DR. V.USHABALA

ASSISTANT PROFESSOR

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

ANIL NEERUKONDA INSTITUTE OF TECHNOLOGY AND SCIENCES

(UGC AUTONOMOUS)

(Affiliated to AU, Approved by AICTE and Accredited by NBA & NAAC with ‘A’ Grade)

Sangivalasa, Bheemili mandal, Visakhapatnam dist.(A.P)

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

ANIL NEERUKONDA INSTITUTE OF TECHNOLOGY AND SCIENCES

1

(UGC AUTONOMOUS)

(Affiliated to AU, Approved by AICTE and Accredited by NBA & NAAC with ‘A’ Grade)

Sangivalasa, Bheemili mandal, Visakhapatnam dist.(A.P)

BONAFIDE CERTIFICATE

This is to certify that the project report entitled “A DETAILED STUDY ON ANOMALY

BASED INTRUSION DETECTION SYSTEM” submitted by K.SHARMILA

(316126510145), M.J.SARIKA (316126510153), M.SRI MOUNIKA(316126510175),

G.PRUDHVI (316126510194) in partial fulfillment of the requirements for the award of the

degree of Bachelor of Technology in Computer Science Engineering of Anil Neerukonda

Institute of technology and sciences (A), Visakhapatnam is a record of bonafide work carried

out under my guidance and supervision.

Dr. R. SIVARANJANI Dr. V. USHABALA

HEAD OF THE DEPARTMENT SUPERVISOR

COMPUTER SCIENCE AND COMPUTER SCIENCE AND

ENGG. ENGG.

ANITS ANITS

2

DECLARATION

We, K.SHARMILA, M.J.SARIKA, M.SRI MOUNIKA ,G.PRUDHVI, of

final semester B.Tech., in the department of Computer Science and Engineering from

ANITS, Visakhapatnam, hereby declare that the project work entitled A DETAILED

STUDY ON ANOMALY BASED INTRUSION DETECTION SYSTEM is

carried out by us and submitted in partial fulfillment of the requirements for the award

of Bachelor of Technology in Computer Science Engineering , under Anil

Neerukonda Institute of Technology & Sciences(A) during the academic year 2016-

2020 and has not been submitted to any other university for the award of any kind of

degree.

K.SHARMILA 316126510145

M.J.SARIKA 316126510153

M. SRI MOUNIKA 316126510175

G.PRUDHVI 316126510194

3

ACKNOWLEDGEMENT

We would like to express our deep gratitude to our project guide DR.V.USHA BALA

Assistant Professor, Department of Computer Science and Engineering, ANITS, for his/her

guidance with unsurpassed knowledge and immense encouragement. We are grateful to

DR.R.SIVARANJANI, Head of the Department, Computer Science and Engineering, for

providing us with the required facilities for the completion of the project work.We also thank

our project coordinator Mr.B.MAHESH,, Assistant Professor,Department of Computer

Science and Engineering,ANITS.

We are very much thankful to the Principal and Management, ANITS, Sangivalasa, for

their encouragement and cooperation to carry out this work.

We express our thanks to all teaching faculty of the Department of CSE, whose suggestions

during reviews helped us in accomplishment of our project. We would like to thank all non-

teaching staff(programmer name) of the Department of CSE, ANITS for providing great

assistance in accomplishment of our project.

We would like to thank our parents, friends, and classmates for their encouragement

throughout our project period. At last but not the least, we thank everyone for supporting us

directly or indirectly in completing this project successfully.

K.SHARMILA 316126510145

M.J.SARIKA 316126510153

M. SRI MOUNIKA 316126510175

G.PRUDHVI 316126510194

4

ABSTRACT

Attacks on the internet keep on increasing and it causes harm to our security system. In order

to minimize these threats, It is necessary to have a security system that has the ability to

detect these attacks and analyze them. This is where an intrusion detection system comes into

the picture. Intrusion detection system (IDS) monitors and collects data from a target system

that should be protected, processes and correlates the gathered initiates responses when

evidence of an intrusion is detected We need to suggest a proactive technique that helps to

monitor and take necessary action depending upon the behavior of the network. Our main

goal is to detect a method to protect our data from malicious activity.

Keywords: Intrusion, Intrusion Detection System, Attack, Wormhole Attack, Blackhole

Attack.

5

TABLE OF CONTENTS

ABSTRACT 5

KEYWORDS 5

LIST OF FIGURES 8

LIST OF ABBREVIATIONS 9

1.INTRODUCTION 10-12

1.1Introduction 10-12

1.2 Problem Statement 12

2.LITERATURE SURVEY 13-25

2.1Introduction 13-22

2.1.1 A distributed algorithm for scheduling the activation of 22

links in a self-organizing,mobile,radio networks

2.1.2 A performance comparison of multi-hop wireless adhoc 22-23

network routing protocols

2.1.3 A survey of mobility models for adhoc network research 23

2.1.4 Continuous all KNN queerying in smartphone networks 24

2.1.5 Parallelizing itinerary-based KNN query processing in 24-25

wireless sensor networks

2.2 Existing System 25

3.METHODOLOGY 26-27

3.1Proposed System 26

3.1.1Architecture 27

6

4.EXPERIMENTAL ANALYSIS AND RESULTS 28-69

4.1System Configuration 28

4.1.1Software Requirements 28

4.1.2Hardware Requirements 28

4.2Sample Code 29-66

4.3Screenshots 67

4.4Experimental Analysis 68-69

5.CONCLUSION AND FUTURE WORK 70

REFERENCES 71

APPENDIX 71

7

LIST OF FIGURES

Figure Number

Figure Name

Page NO

3.1 System Architecture 27

4.3.1 CreatingAdhoc network 67

4.4.1 Comparison of packet

overhead

68

4.4.2 Comparison of end delay 68

4.4.3 Comparison of

throughput

69

4.4.4 Comparison of PDR 69

8

LIST OF ABBREVIATIONS

IDS Intrusion Detection

System

HIDS Host based Intrusion

Detection System

TCL Tool Command

Language

NS2 Network Simulator

OTCL Object Oriented Tool

Command Language

MANET Mobile Adhoc-

Networks

9

1.INTRODUCTION

1.1 INTRODUCTION

An Intrusion Detection System (IDS) monitors and collects data from a target

system that should be protected, processes and correlates the gathered information, and

initiates responses when evidence of an intrusion is detected. Depending on their source of

input, IDSs can be classified into Host-based Intrusion Detection System (HIDS), Network-

based Intrusion Detection System (NIDS) and Hybrid Intrusion Detection System. Network-

based intrusion detection system collects input data by monitoring network traffic. Host-

based intrusion detection system collects input data from the host it monitors. Hybrid

Intrusion detection system collects input data from both of network traffic and hosts its

monitors. “Anomaly” detection and “Misuse” detection are two main techniques that HIDS

use. Anomaly detection refers to intrusions that can be detected based on anomalous

behaviour and use of computer resources. Anomaly detection usually uses methods of

statistical analysis methodology, artificial neural network technology, data mining

technology, an artificial immune technology. Misuse intrusion detection refers to the

detection of intrusions by precisely defining them ahead of time and watching for their

occurrences. Misuse intrusion detection usually use methods of expert system, TCP/IP

protocol analysis, and pattern matching. In this paper, we designed and implemented a host-

based intrusion detection system, which uses pattern matching and BP neural network as its

detection methods. Firstly, the HIDS uses log files as its primary sources of information, and

through three steps of pre-decoding log file, decoding log file, and analysis log file, it can

effectively identify various intrusions. Secondly, based on BP neural network analysis

technology and through establishment of system behaviour characteristics profile in advance,

the HIDS can identify intrusions by comparison with threshold. Experiment results show that

the HIDS can effectively improve the efficiency and accuracy of intrusion detection.

In an increasingly interconnected environment, information is exposed to a wide

variety of risks. So we have to provide security to the information. Information security is not

all about securing information from unauthorized access, it is basically the practice of

preventing unauthorized access, use, disclosure, modification. Implementing, maintaining

and updating information security in an organization becomes a challenge. We need

10

information security to reduce the risk to a level that is acceptable to the business. The

proposed system mainly protects the information from unauthorized access. It protects the

information from modification and destruction. The objectives of Information Security are

CIA (confidentiality, integrity, availability). Information that is provided can be in any form.

Information from social media, data on your laptops or computers, etc. are examples of

information security.

Any malicious activity present in a system or in a network can be detected by an

Intrusion Detection System. Set of rules are defined to prevent the intrusion with the help of

IDS.

This set of rules generates alert messages or signals while detecting the intrusion in a system

or a network. IDS is mainly classified into Host-Based Intrusion Detection System (HIDS),

Network Intrusion Detection System (NIDS) based on the type of the systems the IDS

protects. Signature Based Intrusion Detection System, Anomaly Based Intrusion Detection

System are classified based on the method of working. HIDS analyses the incoming and

outgoing packets from a system. This also monitors the operating system of the computer.

NIDS monitors traffic on an individual network by continuously performing traffic analysis

and then comparing it with detected or known attacks in the library. However IDS monitors

mischievous activities, they might also generate False Alarms. Therefore the rate of False

Alarms should be less when an IDS is implemented.

Detection of an intrusion starts where the firewall ends. Preventing unauthorized access is not

in our hands. An intruder never leaves an opportunity to intrude into the network and cause

damage to others information which leads to no privacy. These attacks are being increased

every day.

Thus an intrusion detection system is needed to avoid such attacks. Many types of attacks can

be detected with this intrusion detection system hence an intrusion detection system that has

been designed or implemented needs to work efficiently to detect the attacks.

Log files record the behaviour of the computer system and aim at recording the

action of the operating system, applications, and use behaviours. Log file is widely used for

system debugging, monitoring, and security detection. Log system is particularly important in

intrusion detection and log file analysis tools have become an indispensable tool for daily

inspection and maintenance of the system running. In general, log analysis-based HIDS

11

includes the following several parts: collection of log file data, pre recording of log file,

decoding of log file, analysis of log file and report events.

The HIDS combines two approaches of misuse detection and anomaly detection.

Monitoring the log file, once the log changes, log monitor will send events to the log analyser

immediately. Generally, we need to monitor three kinds of event logs: application log,

security log and system log. We can add three XML nodes in the following configuration file.

The node “local file” represents the local file when system initialization. The node “location”

represents the file pathing the disk. The node “log format” represents what type of the log.

Log type includes event log, firewall log, SQL log and so on. In this way, when initializing

the HIDS, it will automatically load the above log files that need to be monitored. When

finished the initialization work, the HIDS will open a demon, and the demon will check every

log file to find whether there are changes in the log file. If there really exists change, then the

demon will report to the log.

1.2: PROBLEM STATEMENT

There is enormous need for an efficient system that successfully detects and suggests a

method to prevent the intrusions that occur across the network with a cost effective

implementation, so as to ensure security to our data.

To accomplish this we need to implement an IDS - Intrusion Detection System

12

2.LITERATURE SURVEY

2.1 INTRODUCTION

The system that has been proposed is implemented on NS2 Tool.

NS2 Tool:

NS2 is a distinct event simulator focused on networking research. NS2 imparts

considerable

support for simulation of routing protocols over wired and wireless networks. Insures

perspective, NS2 is an OTcl interpreter that takes an OTcl script as input and produces a trace

file as output. There are two sets of languages in NS2 (C++ and OTcl) [10]. C++ is utilized

for creation of objects to maintain speed and efficiency. OTcl is utilized as a front-end to

setup the simulator and to configure the objects. The common procedure for generating a

simulation can be classified into various steps.

They are

•Topology definition

•Node and link configuration

•Execution

•Performance analysis

•Graphical Visualization (X graphs)

1. Transreceiver

It consists of a Transmitter as well as receiver configuration, which act as a manet node.

2. TCP

Transmission control protocol is the responsibility for communication. The Transmission

Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It

originated in the initial network implementation in which it complemented the Internet

Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP.

13

3. CBR (Constant bit rate)

Constant bitrate (CBR) is a term used in telecommunications, relating to the quality of

service. Compare with variable bitrate. When referring to codecs, constant bit rate encoding

means that the rate at which a codec's output data should be consumed is constant.

4. Trust value generation

It gives the data trust, node trust, functional trust and recommendation trust for each

communication.

5. Trust based credit value assigner

It receives all trust values and assigns a credit value for a particular node and communication.

6. Data and traffic analyser

It analyses the size and content of the data and traffic in the network.

Network simulator 2.28 (NS2)

Ns-2 is a packet-level simulator and essentially a centric discrete event scheduler to schedule

the events such as packet and timer expiration. Centric event schedulers cannot accurately

emulate “events handled at the same time” in the real world, that is, events are handled one

by one. This is not a serious problem in most network simulations, because the events here

are often transitory. Beyond the event scheduler, ns-2 implements a variety of network

components and protocols. Notably, the wireless extension, derived from CMU Monarch

Project, has 2 assumptions simplifying the physical world: Nodes do not move significantly

over the length of time they transmit or receive a packet. This assumption holds only for

mobile nodes of high-rate and low-speed. Consider a node with the sending rate of 10Kbps

and moving speed of 10m/s, during its receiving a packet of 1500B, the node moves 12m.

Thus, the surrounding can change significantly and cause reception failure. Node velocity is

insignificant compared to the speed of light. In particular, none of the provided propagation

models include Doppler effects, although they could.

Structure of NS-2:Create the event scheduler

14

• Turn on tracing

• Create network

• Setup routing

• Insert errors

• Create transport connection

• Create traffic

Functionalities NS-ALLINONE

C++/OTcl Linkage

Root of ns-2 object hierarchy

bind (): link variable values between

Tcl Object- C++ and OTcl

Command (): link OTcl methods to C++ implementations

TclClass

Create an OTcl object, and create a linkage between the OTcl object and C++ Object

TclC++ - methods to access Tcl interpreter

Tcl Command - Standalone global commands

Embedded Tcl -ns script initialization

Mobile networking in NS-ALLINONE2.28

A mobile ad-hoc network (MANET) is a kind of wireless ad-hoc network, and is a self-

configuring network of mobile routers (and associated hosts) connected by wireless links –

the union of which form an arbitrary topology. The routers are free to move randomly and

organize themselves arbitrarily; thus, the network’s wireless topology may change rapidly

15

and unpredictably. Such a network may operate in a standalone fashion, or may be connected

to the larger Internet.

Mobile ad-hoc networks became a popular subject for research as laptops and 802.11/Wi-Fi

wireless networking became widespread in the mid- to late 1990s. Many of the academic

papers evaluate protocols and abilities assuming varying degrees of mobility within a

bounded space, usually with all nodes within a few hops of each other, and usually with

nodes sending data at a constant rate. Different protocols are then evaluated based on the

packet drop rate, the overhead introduced by the routing protocol, and other measures.

In the next generation of wireless communication systems, there will be a need for the

rapid deployment of independent mobile users. Significant examples include establishing

survivable, efficient, dynamic communication for emergency/rescue operations, disaster

relief efforts, and military networks. Such network scenarios cannot rely on centralized and

organized connectivity, and can be conceived as applications of Mobile Ad Hoc Networks. A

MANET is an autonomous collection of mobile users that communicate over relatively

bandwidth constrained wireless links. Since the nodes are mobile, the network topology may

change rapidly and unpredictably over time. The network is decentralized; where all network

activity including discovering the topology and delivering messages must be executed by the

nodes.

The set of applications for MANETs is diverse, ranging from small, static networks

that are constrained by power sources, to large-scale, mobile, highly dynamic networks. The

design of network protocols for these networks is a complex issue. Regardless of the

application, MANETs need efficient distributed algorithms to determine network

organization, link scheduling, and routing. However, determining viable routing paths and

delivering messages in a decentralized environment where network topology fluctuates is not

a well-defined problem.

How to start TCL scripts?

We can write Tcl scripts in any text editor like joe or emacs. First of all, we need to create a

simulator object. This is done with the command set ns [new Simulator] Now we open a file

16

for writing that is going to be used for the nam trace data. Set nf [open out.nam w] $ns

namtrace-all $nf the first line opens the file 'out.nam' for writing and gives it the file handle

'nf'. In the second line we tell the simulator object that we created above to write all

simulation data that is going to be relevant for nam into this file. The next step is to add a

'finish' procedure that closes the trace file and starts nam.

Network components

The root of the hierarchy is the Tcl Object class that is the super class of all OTcl library

objects (scheduler, network components, timers and the other objects including NAM related

ones).

As an ancestor class of Tcl Object, NsObject class is the super class of all basic network

component objects that handle packets, which may compose compound network objects such

as nodes and links. The basic network components are further divided into two subclasses,

Connector and Classifier, based on the number of the possible output data paths.

The basic network objects that have only one output data path are under the Connector class,

and switching objects that have possible multiple output data paths are under the Classifier

class.

Packet

A NS packet is composed of a stack of headers, and an optional data space. A packet header

format is initialized when a Simulator object is created, where a stack of all registered (or

possibly useable) headers, such as the common header that is commonly used by any objects

as needed, IP header, TCP header, RTP header (UDP uses RTP header) and trace header, is

defined, and the offset of each header in the stack is recorded.

What this means is that whether or not a specific header is used, a stack composed of

all registered headers is created when a packet is allocated by an agent, and a network object

can access any header in the stack of a packet it processes using the corresponding offset

value.

17

The advantages of networking

Networks allow computers, and hence their users, to be connected together. They also

allow for the easy sharing of information and resources, and cooperation between the devices

in other ways. Some of the major benefits.

1.Connectivity and Communication

Networks connect computers and the users of those computers. Individuals within a

building or work group can be connected into LAN.

2.Data Sharing

One of the most important uses of networking is to allow the sharing of data. True

networking allows thousands of employees to share data much more easily and quickly.

3.Hardware Sharing

Networks facilitate the sharing of hardware devices. For example, instead of giving each

of 10 employees in a department an expensive color printer, one printer can be placed on the

network for everyone to share.

4.Internet Access

The Internet is itself an enormous network. The significance of the Internet on modern

society is hard to exaggerate, especially for technical fields.

5.Internet Access Sharing

Small computer networks allow multiple users to share a single Internet connection.

Special hardware devices allow the bandwidth of the connection to be easily allocated to

various individuals as they need it.

6.Data Security and Management

In a business environment, a network allows the administrators to much better

manage the company's critical data. Instead of having this data spread over dozens or even

hundreds of small computers in a haphazard fashion as their users create it.

Link

A link is another major compound object in NS. When a user creates a link using a duplex-

link member function of a Simulator object, two simplex links in both directions are created.

One thing to note is that an output queue of a node is actually implemented as a part of

18

simplex link object. Packets dropped from a queue are passed to the Delay object that

simulates the link delay, and packets dropped at a queue are sent to a Null Agent and are

freed there. Finally, the TTL object calculates Time to live parameters for each packet

received and updates the TTL field of the packet.

Starting NS

NS starts with the command ns (assuming that we are in the directory with the ns executable,

or that were path points to that directory), where is the name of a Tcl script file which defines

the simulation scenario (i.e. the topology and the events). We could also just start ns without

any arguments and enter the Tcl commands in the Tcl shell, but that is definitely less

comfortable. Everything else depends on the Tcl script. The script might create some output,

it might write a trace file or it might start nam to visualize the simulation.

Starting NAM

We can either start nam with the command 'nam<nam-file>' where '<nam-file>' is the name

of a nam trace file that was generated by ns, or we can execute it directly out of the Tcl

simulation script for the simulation which we want to visualize. Below we can see a

screenshot of a nam window where the most important functions are being explained.

TOOLS

Existing tools for intrusion detection system:

NS2,OSSEC,SNORT

NS2: The intrusion detection is evaluated by simulation in presence of nodes that can take

different attacks. It is capable of detecting a false information attack using statistical

techniques and can also detect other types of attacks. Many intrusion detection systems have

been proposed and most of them are routing protocols like route guard etc. It resides in each

node and is based on overhearing. Through overhearing each node can detect the malicious

action of its report and other nodes. If the node is overhearing itself then it is malicious and

then it causes a serious impact on network performance. Its ability to discover the malicious

nodes which can partition the network by falsely reporting the nodes and proceed to protect

the network.

19

OSSEC: It is one among the simplest open source applications. It's an incredibly efficient

processor, but it doesn't have a user interface when it involves log data. It organizes your log

files and uses anomaly based intrusion detection and it offers log file detection methods and

scan for unauthorized changes could specifically cause issues.

SNORT: It is an open source NIDS application. It is also used in packet sniffing and logging

functionality. It allows predefined rules for snort are available on the website. The rule set

includes both anomaly and signature based detection systems .

BLACK HOLE ATTACK

In computer networking, a packet drop attack or blackhole attack is a

type of denial-of-service attack in which a router that is supposed to relay packets instead

discards them. This usually occurs from a router becoming compromised from a number of

different causes. One cause mentioned in research is through a denial-of-service attack on the

router using a known DDoS tool. Because packets are routinely dropped from a lossy

network, the packet drop attack is very hard to detect and prevent.

The malicious router can also accomplish this attack selectively, e.g. by dropping packets for

a particular network destination, at a certain time of the day, a packet every n packets or

every t seconds, or a randomly selected portion of the packets. This is rather called a

greyhound attack. If the malicious router attempts to drop all packets that come in, the attack

can actually be discovered fairly quickly through common networking tools such as

traceroute. Also, when other routers notice that the compromised router is dropping all traffic,

they will generally begin to remove that router from their forwarding tables and eventually no

traffic will flow to the attack. However, if the malicious router begins dropping packets on a

specific time period or over every n packets, it is often harder to detect because some traffic

still flows across the network.

The packet drop attack can be frequently deployed to attack wireless ad hoc networks.

Because wireless networks have a much different architecture than that of a typical wired

network, a host can broadcast that it has the shortest path towards a destination. By doing

this, all traffic will be directed to the host that has been compromised, and the host is able to

drop packets at will. Also over mobile ad hoc networks, hosts are specifically vulnerable to

20

collaborative attacks where multiple hosts will become compromised and deceive the other

hosts on the network.

WORMHOLE ATTACK

This is a type of network layer attack which is carried out using more than one malicious

node. The nodes used to carry out this attack are superior to normal nodes and are able to

establish better communication channels over long ranges. The idea behind this attack is to

forward the data from one compromised node to another malicious node at the other end of

the network through a tunnel. As a result the other nodes in the WSN can be tricked into

believing that they are closer to other nodes than they really are which can cause problems in

the routing algorithm.Also the compromised nodes may temper with the data packets.

Wormhole attack can also be combined with sinkhole attack to make it more effective.

Wormhole attack can be classified under 3 main categories:

Open Wormhole:

In this case the data packets are first sent from the source to a wormhole which

tunnels them to the other wormhole that transmits them to the destination.The other

nodes in the network are ignored and not used for data transfer.

Half-open Wormhole:

In this case the data packets are sent from the source to a wormhole which directly

transmits them to the destination.

Closed Wormhole:

In this case the data packets are directly transferred from the source to the destination

in a single hop making them fictitious neighbours.

21

2.1.1 D. J. Baker and J.Wieselthier, ``A distributed algorithm for

scheduling the activation of links in a self-organizing, mobile, radio

network,'' in Proc.ICC, 1982, pp. 2F6.1_2

ABSTRACT:In our previous work, we proposed few updated data dissemination methods to

refresh old replicas efficiently in mobile ad hoc networks. These methods disseminate

updated data items every time when owners of original data items update the items or every

time two mobile hosts are newly connected with each other and this causes heavy traffic in

the entire network. In this paper, we assume applications that periodically execute read

operations with strict dead-lines to data items and propose few alternative updated data

dissemination methods. These methods reduce the trafficfor data dissemination while keeping

a high success ratio for read operation.

2,1.2 J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva, ``A

performance comparison of multi-hop wireless ad hoc network routing

protocols,''.

ABSTRACT:The Efficient routing protocols can provide significant benefits to mobile ad

hoc networks, in terms of both performance and reliability. Many routing protocols for such

networks have been proposed so far. Amongst the most popular ones are Ad hoc On-demand

Distance Vector (AODV), Destination-Sequenced Distance-Vector Routing protocol

(DSDV), Dynamic Source Routing Protocol (DSR), and Optimum Link State Routing

(OLSR). Despite the popularity of those protocols, research efforts have not focused much on

evaluating their performance when applied to variable bit rate (VBR). In this paper we

present our observations regarding the performance comparison of the above protocols for

VBR in mobile ad hoc networks (MANETs). We perform extensive simulations, using an

NS-2 simulator. Our studies have shown that reactive protocols perform better than proactive

protocols. Further DSR has performed well for the performance parameters namely delivery

ratio and routing overload while AODV performed better in terms of average delay.

22

2.1.3 T. Camp, J. Boleng, and V. Davies, ``A survey of mobility models for

ad hoc network research,''Wireless Commun. Mobile Comput., vol. 2,no. 5,

pp. 483_502, 2002.

ABSTRACT:In the performance evaluation of a protocol for an ad hoc network, the protocol

should be tested under realistic conditions including, but not limited to, a sensible

transmission range, limited buffer space for the storage of messages, representative data

traffic models, and realistic movements of the mobile users (i.e., a mobility model). This

paper is a survey of mobility models that are used in the simulations of ad hoc networks. We

describe several mobility models that represent mobile nodes whose movements are

independent of each other (i.e., entity mobility models) and several mobility models that

represent mobile nodes whose movements are dependent on each other (i.e., group mobility

models). The goal of this paper is to present a number of mobility models in order to offer

researchers more informed choices when they are deciding upon a mobility model to use in

their performance evaluations. Lastly, we present simulation results that illustrate the

importance of choosing a mobility model in the simulation of an ad hoc network protocol.

Specifically, we illustrate how the performance results of an ad hoc network protocol

drastically change as a result of changing the mobility model simulated.

2.1.4 Chatzimilioudis, D. Zeinalipour-Yazti,W.-C. Lee, and M. D.

Dikaiakos,``Continuous all k-nearest-neighbour querying in smartphone

networks,'' inProc. IEEE MDM, Jul. 2012, pp. 79_88.

ABSTRACT:Continuous nearest neighbour (CNN) search, which retrieves the nearest

neighbours corresponding to every point in a given query line segment, is important for

location-based services such as vehicular navigation and tourist guides. It is infeasible to

answer aCNN search by issuing a traditional nearest neighbour query at every point of the

line segment due to the large number of queries generated and the overhead on bandwidth.

Algorithms have been proposed recently to support CNN search in the traditional client-

server systems but not in the environment of wireless data broadcast, where uplink

communication channels from mobile devices to the server are not available. In this paper,

we develop a generalized search algorithm for continuous k-nearest neighbours based

23

onHilbert Curve Index In wireless data broadcast systems. A performance evaluation is

conducted to compare the proposed search algorithms with an algorithm based on R-tree Air

Index. The result shows that the Hilbert Curve Index-based algorithm is more energy efficient

than the R-tree-based algorithm.

2.1.5 T.-Y. Fu, W.-C. Peng, and W.-C. Lee, ``Parallelizing itinerary-based

KNNquery processing in wireless sensor networks,''IEEE Trans. Knowl.

DataEng., vol. 22, no. 5, pp. 711_729, May 2010.

ABSTRACT:Wireless sensor networks (WSN) is a key enabling technique for achieving the

vision of the Internet of Things. In many applications of WSN such as environmental

monitoring and vehicle tracking, they may be required to launch spatial queries for collecting

and gathering sensory data for achieving certain goals. One such query is the $$K$$ K

nearest neighbour (KNN) query, which aims to collect sensory data from k sensor nodes

nearest to a certain query location. Techniques, namely the itinerary-based KNN query

algorithms, are recently developed for facilitating KNN queries. Generally, these techniques

propagate queries and collect data along a predetermined itinerary. However, query accuracy

and boundary expansion are two challenges that are not well addressed. To mitigate these

issues, in this paper, we propose a novel KNN query algorithm based on grid division routing

in the setting of skewness distribution, where the itinerary is formed based on the

connectivity of adjacent grid cells centers. This technique can achieve better query accuracy

and cause less energy consumption by executing the query concurrently in subregions.

Besides, the void region problem is well addressed based on the proximity of neighbour grid

cells. Experiment result shows that our technique performs better in several aspects including

query accuracy, data redundancy, and energy efficiency.

2.2 EXISTING SYSTEM

Log files record the behaviour of the computer system and aim at recording the action of

the operating system, applications, and use behaviours. Log file is widely used for system

debugging, monitoring, and security detection. Log system is particularly important in

intrusion detection and log file analysis tools have become an indispensable tool for daily

inspection and maintenance of the system running.In general, log analysis-based HIDS

includes the following several parts: collection of log file data, pre recording of log file,

decoding of log file, analysis of log file and report events

24

3.METHODOLOGY

3.1 PROPOSED SYSTEM

The HIDS combines two approaches of misuse detection and anomaly detection. Monitoring

the log file, once the log changes, log monitor will send events to the log analyzer

immediately. Generally, we need to monitor three kinds of event logs: application log,

security log and system log. We can add three XML nodes in the following configuration file.

The node “local file” represents the local file when system initialization. The node “location”

represents the file path in the disk. The node “log_ format” represents what type of the log.

Log type includes event log, firewall log, SQL log and so on. In this way, when initialize the

HIDS, it willautomatically load the above log files that need to be monitored. When finished

the initialization work, the HIDS will open a demon, and the demon will check every log file

to find whether there are changes in the log file. If there really exits change, then the demon

will report to the log analyzer. Monitoring the use of system resources, and sends the status of

the system resources utilization to get system resources analyser at regular time. The

connector is responsible for receiving messages from log monitor and system resources

monitor, and sending these messages to log analyser and system resources analyser.

Receiving events from the log monitor, match with the rule base to determine whether there

is invasion, if there is invasion occurrence, report to the active response unit. Receiving

events from the system resources monitor, to calculate whether the abnormal state of current

resources use and thus to determine whether the status is invaded, if it finds there is invasion,

report to the active response unit. Receiving events from the log analyser and system

resources analyser, decided to perform what kind of operation. Usually, the normal

operations include notifying users, auditing, disconnecting from network and so

on.Recording the entire process of intrusion detection, andthe attack situation, prepare for use

when necessary.

25

3.1.1 ARCHITECTURE

Log Monitor:

It maps and visualizes devices dependency to optimize the bandwidth and traffic.

Connector: Networks connect computers and therefore the users of these computers.

Individuals within a building or work group are often connected into LAN. Trace file that

was generated by ns, or we will execute it directly out of the Tcl simulation script for the

simulation which we would like to see . Below we will see a screenshot of a nam window

where the foremost important functions are being explained.

Log analyser: It is the process of monitoring the events occurring in a computer or network

and analysing them for signs and violations or imminent threats of the security.

Audit Database: It is a database of information that can be with a web interface. Data about

the network is inserted with a script and it can be configured to scan your network and device

immediately.

Active response unit: The intrusion detection monitors for attacks and provides information

services and IDS actively stops the threat. It can be configured to scan your network and

devices automatically.

Figure 3.1: System Architecture

26

4.EXPERIMENTAL ANALYSIS AND RESULTS

4.1 SYSTEM CONFIGURATION

4.1.1 SOFTWARE REQUIREMENTS

Operating System : Linux

Simulation Tool : NS2

Documentation : Ms-Office

4.1.2 HARDWARE REQUIREMENTS

CPU type : Intel Pentium 4

Clock speed : 3.0 GHz

Ram size : 512 MB

Hard disk capacity : 80 GB

Monitor type : 15 Inch color monitor

KeyBoard type : Internet keyboard

CD -drive type : 52xmax

27

4.2 SAMPLE CODE

set val(chan) Channel/WirelessChannel

set val(prop) Propagation/TwoRayGround

set val(netif) Phy/WirelessPhy

set val(mac) Mac/802_11

set val(ifq) Queue/DropTail/PriQueue

set val(ll) LL

set val(ant) Antenna/OmniAntenna

set val(x) 400 ;# X dimension of the topography

set val(y) 400 ;# Y dimension of the topography

set val(ifqlen) 50 ;# max packet in ifq

set val(seed) 0.0

set val(adhocRouting) AODV

set val(nn) 25 ;# how many nodes are simulated

set val(cp) cbr

set val(sc) scen

set val(stop) 10.0 ;# simulation time

set val(traffic) tcp

set val(rxPower) 0.60175 ;#Potencia recepción en W

set val(txPower) 0.50175 ;#Potencia transmisión en W

set val(energymodel) EnergyModel ;

set val(initialenergy) 50 ;# Initial energy in Joules

set val(sleeppower) 0.00005 ;#sleep power W 15 uA =I*I*R=11.25*10E-9

W

28

#

==================================================================

===

# Main Program

#

==================================================================

===

Mac/802_15_4 wpanCmd verbose

Mac/802_15_4 wpanNam namStatus on

#

# Initialize Global Variables

#

# create simulator instance

set ns_ [new Simulator]

# setup topography object

set topo [new Topography]

# create trace object for ns and nam

set tracefd [open wireless-out.tr w]

set namtrace [open wireless-out.nam w]

$ns_ trace-all $tracefd

29

$ns_ namtrace-all-wireless $namtrace $val(x) $val(y)

# define topology

$topo load_flatgrid $val(x) $val(y)

#

# Create God

#

set god_ [create-god $val(nn)]

#

# define how node should be created

#

#global node setting

$ns_ node-config -adhocRouting $val(adhocRouting) \

-llType $val(ll) \

-macType $val(mac) \

-ifqType $val(ifq) \

-ifqLen $val(ifqlen)\

-antType $val(ant) \

-propType $val(prop) \

-phyType $val(netif) \

-channelType $val(chan) \

30

-topoInstance $topo \

-agentTrace ON \

-routerTrace ON \

-macTrace ON

# Energy Config to all nodes

#$ns_ node-config -energyModel EnergyModel \

#-initialEnergy $val(initialenergy) \

# -txPower $val(txPower) \

#-rxPower $val(rxPower) \

#-idlePower 0.5 \

#-sensePower 0.0175\

#-sleeppower

#

# Create the specified number of nodes [$val(nn)] and "attach" them

# to the channel.

for {set i 0} {$i < $val(nn) } {incr i} {

set node_($i) [$ns_ node]

$node_($i) random-motion 0 ;# disable random motion

$node_($i) set n_type_ 3

}

$node_(0) set X_ 162.891987155549

31

$node_(0) set Y_ 330.062653124573

$node_(0) set Z_ 0.000000000000

$node_(1) set X_ 490.141445840108

$node_(1) set Y_ 303.390205978687

$node_(1) set Z_ 0.000000000000

$node_(2) set X_ 366.597345388552

$node_(2) set Y_ 285.045804378001

$node_(2) set Z_ 0.000000000000

$node_(3) set X_ 375.434557942298

$node_(3) set Y_ 65.037490023253

$node_(3) set Z_ 0.000000000000

$node_(4) set X_ 100.651888471933

$node_(4) set Y_ 200.999064507849

$node_(4) set Z_ 0.000000000000

$node_(5) set X_ 250.447602254595

$node_(5) set Y_ 300.572449388697

$node_(5) set Z_ 0.000000000000

$node_(6) set X_ 108.255880864622

$node_(6) set Y_ 84.360259002758

32

$node_(6) set Z_ 0.000000000000

$node_(7) set X_ 520.022513386952

$node_(7) set Y_ 79.601955031326

$node_(7) set Z_ 0.000000000000

$node_(8) set X_ 400.505636882310

$node_(8) set Y_ 366.164946663731

$node_(8) set Z_ 0.000000000000

$node_(9) set X_ 650.602720883062

$node_(9) set Y_ 175.285815188533

$node_(9) set Z_ 0.000000000000

$node_(10) set X_ 550.769209352321

$node_(10) set Y_ 175.469788838578

$node_(10) set Z_ 0.000000000000

$node_(11) set X_ 440.554012762204

$node_(11) set Y_ 141.229856334582

$node_(11) set Z_ 0.000000000000

$node_(12) set X_ 610.714803612949

$node_(12) set Y_ 301.185534602634

33

$node_(12) set Z_ 0.000000000000

$node_(13) set X_ 622.875451109860

$node_(13) set Y_ 63.556895758918

$node_(13) set Z_ 0.000000000000

$node_(14) set X_ 0.573192188336

$node_(14) set Y_ 130.371975801273

$node_(14) set Z_ 0.000000000000

$node_(15) set X_ 330.423309654009

$node_(15) set Y_ 200.077977391011

$node_(15) set Z_ 0.000000000000

$node_(16) set X_ 50.094578660017

$node_(16) set Y_ 308.896767907433

$node_(16) set Z_ 0.000000000000

$node_(17) set X_ 550.729619959314

$node_(17) set Y_ 362.975147203270

$node_(17) set Z_ 0.000000000000

$node_(18) set X_ 195.324546016638

$node_(18) set Y_ 200.532816382783

34

$node_(18) set Z_ 0.000000000000

$node_(19) set X_ 225.407694870792

$node_(19) set Y_ 100.976161733047

$node_(19) set Z_ 0.000000000000

$node_(20) set X_ 108.805461586345

$node_(20) set Y_ 0.403581363136

$node_(20) set Z_ 0.000000000000

$node_(21) set X_ 75.192849108044

$node_(21) set Y_ 394.599718193696

$node_(21) set Z_ 0.000000000000

$node_(22) set X_ 440.603011809622

$node_(22) set Y_ 235.134542858225

$node_(22) set Z_ 0.000000000000

$node_(23) set X_ 250.021643078072

$node_(23) set Y_ 376.842426981596

$node_(23) set Z_ 0.000000000000

$node_(24) set X_ 451.563393009171

$node_(24) set Y_ 3.322296117208

$node_(24) set Z_ 0.000000000000

35

$ns_ at 1.0 "$node_(0) setdest 20.0 18.0 4.717402816103"

$ns_ at 2.0 "$node_(1) setdest 20.0 18.0 3.384378246020"

$ns_ at 3.0 "$node_(2) setdest 20.0 18.0 1.541978544726"

$ns_ at 2.0 "$node_(4) setdest 20.0 18.0 1.592003003493"

$ns_ at 1.0 "$node_(5) setdest 20.0 18.0 1.592003003493"

$ns_ at 2.0 "$node_(6) setdest 20.0 18.0 1.0"

$ns_ at 3.0 "$node_(7) setdest 20.0 18.0 1.0"

$ns_ at 4.0 "$node_(8) setdest 20.0 18.0 1.541978544726"

$ns_ at 2.0 "$node_(9) setdest 20.0 18.0 1.0"

$ns_ at 1.0 "$node_(10) setdest 20.0 18.0 3.384378246020"

$ns_ at 3.0 "$node_(11) setdest 20.0 18.0 1.0"

$ns_ at 1.0 "$node_(12) setdest 20.0 18.0 4.039409901061"

$ns_ at 2.0 "$node_(13) setdest 20.0 18.0 1.0"

$ns_ at 4.0 "$node_(14) setdest 20.0 18.0 3.384378246020"

$ns_ at 3.0 "$node_(15) setdest 20.0 18.0 1.541978544726"

$ns_ at 2.0 "$node_(16) setdest 20.0 18.0 7.0"

$ns_ at 3.0 "$node_(17) setdest 20.0 18.0 1.0"

$ns_ at 4.0 "$node_(18) setdest 20.0 18.0 1.592003003493"

$ns_ at 3.0 "$node_(19) setdest 20.0 18.0 1.0"

$ns_ at 2.0 "$node_(20) setdest 20.0 18.0 3.384378246020"

$ns_ at 1.0 "$node_(21) setdest 20.0 18.0 1.0"

36

$ns_ at 1.0 "$node_(22) setdest 20.0 18.0 1.0"

$ns_ at 2.0 "$node_(23) setdest 20.0 18.0 1.0"

$ns_ at 3.0 "$node_(24) setdest 25.0 20.0 3.384378246020"

$ns_ at 0.20 "$ns_ trace-annotate \"Intrusion Detection with Data Fusion \" "

$ns_ at 0.30 "$ns_ trace-annotate \"Using SYMMETRIC CRYPTOGRAPHY TECHNIQUE

\" "

$ns_ at 1.00 "$node_(0) add-mark m1 green circle"

$ns_ at 1.01 "$node_(0) label \"SENDER1\""

$ns_ at 1.10 "$node_(23) add-mark m1 blue circle"

$ns_ at 1.11 "$node_(23) label \"RECEIVER1\""

$ns_ at 1.20 "$node_(19) add-mark m1 green circle"

$ns_ at 1.21 "$node_(19) label \"SENDER2\""

$ns_ at 1.30 "$node_(20) add-mark m1 blue circle"

$ns_ at 1.36 "$node_(20) label \"RECEIVER2\""

$ns_ at 1.40 "$node_(15) add-mark m1 green circle"

$ns_ at 1.41 "$node_(15) label \"SENDER3\""

$ns_ at 1.50 "$node_(11) add-mark m1 blue circle"

$ns_ at 1.51 "$node_(11) label \"RECEIVER3\""

$ns_ at 1.60 "$node_(13) add-mark m1 green circle"

37

$ns_ at 1.61 "$node_(13) label \"SENDER4\""

$ns_ at 1.70 "$node_(9) add-mark m1 blue circle"

$ns_ at 1.71 "$node_(9) label \"RECEIVER4\""

$ns_ at 1.80 "$node_(4) add-mark m1 green circle"

$ns_ at 1.81 "$node_(4) label \"SENDER5\""

$ns_ at 1.80 "$node_(8) add-mark m1 blue circle"

$ns_ at 1.81 "$node_(8) label \"RECEIVER5\""

$ns_ at 2.20 "$node_(21) add-mark m1 red square"

$ns_ at 2.21 "$node_(21) label \"wormhole attack\""

$ns_ at 2.30 "$node_(24) add-mark m1 red square"

$ns_ at 2.31 "$node_(24) label \"blackhole attack\""

$ns_ at 2.33 "$node_(1) add-mark m1 red square"

$ns_ at 2.34 "$node_(1) label \"man in the middle\""

#$ns_ at 2.31 $node_(24) label-color [red] ;

$ns_ at 2.40 "$ns_ trace-annotate \"Create Mobile Adhoc Network \" "

$ns_ at 2.40 "$ns_ trace-annotate \"Starting Data Fusion \" "

set tcp [new Agent/TCP]

$tcp set class_ 1

38

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(0) $tcp

$ns_ attach-agent $node_(23) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 2.50 "$ftp start"

$ns_ at 3.00 "$ftp stop"

\" "

$ns_ at 3.01 "$ns_ trace-annotate \"SENDER1 COMMUNICATE WITH RECEIVER1

$ns_ at 3.02 "$node_(23) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.03

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(0) $tcp

$ns_ attach-agent $node_(16) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 2.50 "$ftp start"

39

$ns_ at 3.00 "$ftp stop"

$ns_ at 3.01 "$ns_ trace-annotate \"DEVICE 16 HACKING THE MESSAGE OF

SENDER1 \" "

$ns_ at 3.02 "$node_(16) add-mark m3 YELLOW circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(19) $tcp

$ns_ attach-agent $node_(20) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 3.10 "$ftp start"

$ns_ at 3.60 "$ftp stop"

\" "

$ns_ at 3.61 "$ns_ trace-annotate \"SENDER2 COMMUNICATE WITH RECEIVER2

$ns_ at 3.62 "$node_(20) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.03

40

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(19) $tcp

$ns_ attach-agent $node_(14) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 3.10 "$ftp start"

$ns_ at 3.60 "$ftp stop"

$ns_ at 3.61 "$ns_ trace-annotate \"DEVICE 14 HACKING THE MESSAGE OF

SENDER2 \" "

$ns_ at 3.62 "$node_(14) add-mark m3 YELLOW circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(15) $tcp

$ns_ attach-agent $node_(11) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 3.70 "$ftp start"

$ns_ at 4.20 "$ftp stop"

\" "

$ns_ at 4.21 "$ns_ trace-annotate \"SENDER3 COMMUNICATE WITH RECEIVER3

41

$ns_ at 4.22 "$node_(11) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.03

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(15) $tcp

$ns_ attach-agent $node_(22) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 3.70 "$ftp start"

$ns_ at 4.20 "$ftp stop"

$ns_ at 4.21 "$ns_ trace-annotate \"DEVICE 22 HACKING THE MESSAGE OF

SENDER3 \" "

$ns_ at 4.22 "$node_(22) add-mark m3 YELLOW circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(13) $tcp

42

$ns_ attach-agent $node_(9) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 4.30 "$ftp start"

$ns_ at 4.80 "$ftp stop"

\" "

$ns_ at 4.81 "$ns_ trace-annotate \"SENDER4 COMMUNICATE WITH RECEIVER4

$ns_ at 4.82 "$node_(9) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.03

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(13) $tcp

$ns_ attach-agent $node_(10) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 4.30 "$ftp start"

$ns_ at 4.80 "$ftp stop"

$ns_ at 4.81 "$ns_ trace-annotate \"DEVICE 10 HACKING THE MESSAGE OF

SENDER4 \" "

$ns_ at 4.82 "$node_(10) add-mark m3 YELLOW circle"

43

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(4) $tcp

$ns_ attach-agent $node_(8) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 5.10 "$ftp start"

$ns_ at 5.50 "$ftp stop"

\" "

$ns_ at 5.51 "$ns_ trace-annotate \"SENDER5 COMMUNICATE WITH RECEIVER5

$ns_ at 5.52 "$node_(8) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.03

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(4) $tcp

$ns_ attach-agent $node_(14) $sink

44

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 5.10 "$ftp start"

$ns_ at 5.50 "$ftp stop"

$ns_ at 5.51 "$ns_ trace-annotate \"DEVICE 14 HACKING THE MESSAGE OF

SENDER5 \" "

$ns_ at 5.52 "$node_(14) add-mark m3 YELLOW circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.03

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(15) $tcp

$ns_ attach-agent $node_(17) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 5.53 "$ftp start"

$ns_ at 5.54 "$ftp stop"

$ns_ at 5.55 "$ns_ trace-annotate \"DEVICE 17 HACKING THE MESSAGE OF

SENDER6 \" "

$ns_ at 5.58 "$node_(17) add-mark m3 YELLOW circle"

$ns_ at 5.60 "$ns_ trace-annotate \"IDS watches all the Transmission\" "

45

$ns_ at 5.60 "$ns_ trace-annotate \"To Identify the Attackers in the network \" "

$ns_ at 6.10 "$ns_ trace-annotate \"wormhole attack start identify the hackers \" "

$ns_ at 6.12 "$node_(16) add-mark m4 red square"

$ns_ at 6.12 "$node_(16) label \"intruder1\""

$ns_ at 6.14 "$node_(14) add-mark m4 red square"

$ns_ at 6.14 "$node_(14) label \"intruder2\""

$ns_ at 6.20 "$ns_ trace-annotate \"blackhole attack start identify the hackers \" "

$ns_ at 6.22 "$node_(10) add-mark m4 red square"

$ns_ at 6.22 "$node_(10) label \"intruder4\""

$ns_ at 6.24 "$node_(22) add-mark m4 red square"

$ns_ at 6.24 "$node_(22) label \"intruder5\""

$ns_ at 6.26 "$node_(17) add-mark m4 red square"

$ns_ at 6.26 "$node_(17) label \"intruder6\""

$ns_ at 6.40 "$ns_ trace-annotate \"IDS-1 start deleting the hackers \" "

$ns_ at 6.45 "$node_(16) label-at up"

$ns_ at 6.50 "$node_(14) label-at up"

$ns_ at 6.70 "$ns_ trace-annotate \"IDS-2 start deleting the hackers \" "

$ns_ at 6.75 "$node_(10) label-at up"

46

$ns_ at 6.80 "$node_(22) label-at up"

$ns_ at 6.85 "$node_(17) label-at up"

$ns_ at 7.0 "$ns_ trace-annotate \"ALL THE HACKERS ARE IDENTIFIED AND

DELETING BY THE IDS \" "

$ns_ at 7.5 "$ns_ trace-annotate \"Data Fusion START WITH OUT HACKERS..... \" "

$ns_ at 7.10 "$node_(5) add-mark m1 green circle"

$ns_ at 7.11 "$node_(5) label \"SENDER6\""

$ns_ at 7.20 "$node_(2) add-mark m1 blue circle"

$ns_ at 7.21 "$node_(2) label \"RECEIVER6\""

$ns_ at 7.30 "$node_(18) add-mark m1 green circle"

$ns_ at 7.31 "$node_(18) label \"SENDER7\""

$ns_ at 7.40 "$node_(6) add-mark m1 blue circle"

$ns_ at 7.41 "$node_(6) label \"RECEIVER7\""

$ns_ at 7.50 "$node_(7) add-mark m1 green circle"

$ns_ at 7.51 "$node_(7) label \"SENDER8\""

$ns_ at 7.60 "$node_(3) add-mark m1 blue circle"

$ns_ at 7.61 "$node_(3) label \"RECEIVER8\""

$ns_ at 7.65 "$node_(12) add-mark m1 purple square"

$ns_ at 7.67 "$node_(12) label \" IDS\""

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

47

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(5) $tcp

$ns_ attach-agent $node_(2) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 7.70 "$ftp start"

$ns_ at 8.00 "$ftp stop"

\" "

$ns_ at 8.01 "$ns_ trace-annotate \"SENDER7 COMMUNICATE WITH RECEIVER7

$ns_ at 8.02 "$node_(2) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(18) $tcp

$ns_ attach-agent $node_(6) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 8.10 "$ftp start"

$ns_ at 8.40 "$ftp stop"

\" "

$ns_ at 8.41 "$ns_ trace-annotate \"SENDER8 COMMUNICATE WITH RECEIVER8

48

$ns_ at 8.42 "$node_(6) add-mark m3 blue circle"

set tcp [new Agent/TCP]

$tcp set class_ 1

Agent/TCP set packetSize_ 512

Agent/TCP set interval_ 0.05

set sink [new Agent/TCPSink]

$ns_ attach-agent $node_(7) $tcp

$ns_ attach-agent $node_(3) $sink

$ns_ connect $tcp $sink

set ftp [new Application/FTP]

$ftp attach-agent $tcp

$ns_ at 8.50 "$ftp start"

$ns_ at 8.80 "$ftp stop"

\" "

$ns_ at 8.81 "$ns_ trace-annotate \"SENDER9 COMMUNICATE WITH RECEIVER9

$ns_ at 8.82 "$node_(3) add-mark m3 blue circle"

$ns_ at 8.90 "$ns_ trace-annotate \"SNIFFER WATCHING THE TRANMISSION \"

"

$ns_ at 8.95 "$ns_ trace-annotate \"THERE IS NO HACKER \" "

$ns_ at 9.00 "$ns_ trace-annotate \"INTRUSION DETECTION EVALUATED \" "

#---------------------------------Read over all file------------------------

49

proc readoverall { } {

global s d node ns sink

set ii 0

set p1_ii 0

set p2_ii 0

set p3_ii 0

#open overall and store in array

set ov [open overall r]

set x($ii) $s

incr ii

while { [gets $ov data] >= 0 } {

set x($ii) $data

incr ii }

close $ov

set x($ii) $d

incr ii

#open path-1 and store in array

set p1 [open path1 r]

50

while { [gets $p1 data] >= 0 } {

set p1_x($p1_ii) $data

incr p1_ii }

close $p1

#open path-2 and store in array

set p2 [open path2 r]

while { [gets $p2 data] >= 0 } {

set p2_x($p2_ii) $data

set p2_ii [expr $p2_ii +1] }

close $p2

#open path-3 and store in array

set p3 [open path3 r]

while { [gets $p3 data] >= 0 } {

set p3_x($p3_ii) $data

set p3_ii [expr $p3_ii +1] }

close $p3

set rr 0

#move Intruder(Black_hole) between receiver1 and sender1 (if sender and receiver are same

path)

51

if {$rr == 0 } {

for { set dd 0 } { $dd < $p1_ii } {incr dd } {

if { $p1_x($dd) == $ne_nd } {

for {set k 0 } {$k <$p1_ii } {incr k} {

if { $p1_x($k) == $sne_nd } {

set rr 1

set p 1

}

}

}

}

for { set dd 0 } {$dd<$p2_ii } {incr dd } {

if { $p2_x($dd) == $ne_nd } {

for {set k 0 } {$k <$p2_ii } {incr k} {

if { $p2_x($k) == $sne_nd } {

set rr 1

set p 2

}

}

}

52

}

for { set dd 0 } {$dd<$p3_ii } {incr dd } {

if { $p3_x($dd) == $ne_nd } {

for {set k 0 } {$k <$p3_ii } {incr k} {

if { $p3_x($k) == $sne_nd } {

set rr 1

set p 3

}

}

}

}

if { $rr == 1 } {

set xx [expr int([$node($ne_nd) set X_])]

set yy [expr int([$node($ne_nd) set Y_])]

set nx [expr int([$node($sne_nd) set X_])]

set ny [expr int([$node($sne_nd) set Y_])]

set xz [expr int(($nx + $xx)/2)]

set yz [expr int(($ny + $yy)/2)]

set de [expr int(sqrt(pow(($xx-$nx),2)+pow(($yy-$ny),2)))]

if { $de <= 250 } {

53

$ns at 11.9 "$node(21) setdest $xz $yz [expr 5*$min]"

if { $sne_nd == $s || $ne_nd== $s} {

set jcbr [attach-CBR-traffic $node($sne_nd) $sink($ne_nd) 8 0.001]

$ns at 12.15 "$jcbr start"

$ns at 12.16 "$jcbr stop"

} elseif { $sne_nd == $d || $ne_nd== $d} {

set jcbr [attach-CBR-traffic $node($sne_nd) $sink($ne_nd) 8 0.001]

$ns at 12.17 "$jcbr start"

$ns at 12.18 "$jcbr stop"

} else {

set jcbr [attach-CBR-traffic $node($sne_nd) $sink($ne_nd) 8 0.001]

$ns at 12.16 "$jcbr start"

$ns at 12.17 "$jcbr stop"

}

return $p

} else { set rr 0 }

}

}

54

if { $rr==0 } {

#move Intruder(worm_hole) between receiver2 and sender2 (if sender and receiver are same

path )

for { set dd 0 } {$dd<$p1_ii } {incr dd } {

if { $p1_x($dd) == $ne_nd } {

for {set k 0 } {$k <$p1_ii } {incr k} {

if { $p1_x($k) == $tne_nd } {

set rr 1

set p 1

}

}

}

}

for { set dd 0 } {$dd<$p2_ii } {incr dd } {

if { $p2_x($dd) == $ne_nd } {

for {set k 0 } {$k <$p2_ii } {incr k} {

if { $p2_x($k) == $tne_nd } {

set rr 1

set p 2

}

55

}

}

}

for { set dd 0 } {$dd<$p3_ii } {incr dd } {

if { $p3_x($dd) == $ne_nd } {

for {set k 0 } {$k <$p3_ii } {incr k} {

if { $p3_x($k) == $tne_nd } {

set rr 1

set p 3

}

}

}

}

if { $rr == 1 } {

set xx [expr int([$node($ne_nd) set X_])]

set yy [expr int([$node($ne_nd) set Y_])]

set nx [expr int([$node($tne_nd) set X_])]

set ny [expr int([$node($tne_nd) set Y_])]

56

set xz [expr int(($nx + $xx)/2)]

set yz [expr int(($ny + $yy)/2)]

set de [expr int(sqrt(pow(($xx-$nx),2)+pow(($yy-$ny),2)))]

if { $de <= 250 } {

$ns at 11.9 "$node(24) setdest $xz $yz [expr 5*$min]"

if { $ne_nd == $s || $tne_nd== $s} {

set jcbr [attach-CBR-traffic $node($ne_nd) $sink($tne_nd) 8 0.001]

$ns at 12.15 "$jcbr start"

$ns at 12.16 "$jcbr stop"

} elseif { $ne_nd == $d || $tne_nd== $d} {

set jcbr [attach-CBR-traffic $node($ne_nd) $sink($tne_nd) 8 0.001]

$ns at 12.17 "$jcbr start"

$ns at 12.18 "$jcbr stop"

} else {

set jcbr [attach-CBR-traffic $node($ne_nd) $sink($tne_nd) 8 0.001]

$ns at 12.16 "$jcbr start"

$ns at 12.17 "$jcbr stop"

}

57

return $p

} else { set rr 0 }

}

}

#move Intruder(man in_middle) between receiver4 and sender4 (if sender and receiver are

same path )

if { $rr == 0 } {

for { set dd 0 } {$dd<$p1_ii } {incr dd } {

if { $p1_x($dd) == $sne_nd } {

for {set k 0 } {$k <$p1_ii } {incr k} {

if { $p1_x($k) == $tne_nd } {

set rr 1

set p 1

}

}

}

}

58

for { set dd 0 } {$dd<$p2_ii } {incr dd } {

if { $p2_x($dd) == $sne_nd } {

for {set k 0 } {$k <$p2_ii } {incr k} {

if { $p2_x($k) == $tne_nd } {

set rr 1

set p 2

}

}

}

}

for { set dd 0 } {$dd<$p3_ii } {incr dd } {

if { $p3_x($dd) == $sne_nd } {

for {set k 0 } {$k <$p3_ii } {incr k} {

if { $p3_x($k) == $tne_nd } {

set rr 1

set p 3

}

}

}

}

59

if { $rr == 1 } {

set xx [expr int([$node($sne_nd) set X_])]

set yy [expr int([$node($sne_nd) set Y_])]

set nx [expr int([$node($tne_nd) set X_])]

set ny [expr int([$node($tne_nd) set Y_])]

set xz [expr int(($nx + $xx)/2)]

set yz [expr int(($ny + $yy)/2)]

set de [expr int(sqrt(pow(($xx-$nx),2)+pow(($yy-$ny),2)))]

if { $de <= 250 } {

$ns at 11.9 "$node(1) setdest $xz $yz [expr 5*$min]"

if { $sne_nd == $s || $tne_nd== $s} {

set jcbr [attach-CBR-traffic $node($sne_nd) $sink($tne_nd) 8 0.001]

$ns at 12.15 "$jcbr start"

$ns at 12.16 "$jcbr stop"

} elseif { $sne_nd == $d || $tne_nd== $d} {

set jcbr [attach-CBR-traffic $node($sne_nd) $sink($tne_nd) 8 0.001]

60

$ns at 12.17 "$jcbr start"

$ns at 12.18 "$jcbr stop"

} else {

set jcbr [attach-CBR-traffic $node($sne_nd) $sink($tne_nd) 8 0.001]

$ns at 12.16 "$jcbr start"

$ns at 12.17 "$jcbr stop"

}

return $p

} else { set rr 0 }

}

}

}

#node move code $ns_ at 3.1 "$node_(3) setdest 390.0 230.0 50.0"

#

61

# Define node movement model

#

#puts "Loading connection pattern..."

#source $val(cp)

#

# Define traffic model

#

#puts "Loading scenario file..."

#source $val(sc)

# Define node initial position in nam

for {set i 0} {$i < $val(nn)} {incr i} {

# 20 defines the node size in nam, must adjust it according to your scenario

# The function must be called after mobility model is define

$ns_ initial_node_pos $node_($i) 30

}

#$ns_ at 1.1 "$node_(15) add-mark m1 brown circle"

#nam window comments

#

# Tell nodes when the simulation ends

62

#

#~~~~~~~~~~~~~~~~~~~~~~~~~` Finish Procedure to exec NAM

Window~~~~~~~~~~~~~~~~~~~~~~~~~~~

#log-energy

#finishing process

proc finish {} {

global ns_ tracefd namtrace

close $tracefd

close $namtrace

#exec awk -f graph.awk wireless-out.tr > efficiency

exec xgraph -P throughput.xg &

exec xgraph -P pdr.xg &

exec xgraph -P datarate.xg &

exec xgraph -p end-enddelay.Exist end-enddelay.prop &

exec xgraph -p packetoverhead.Exist packetoverhead.prop &

exec nam wireless-out.nam &

}

$ns_ at $val(stop).0001 "finish"

63

$ns_ at $val(stop).0002 "puts \"NS EXITING...\" ; $ns_ halt"

puts "Starting Simulation..."

$ns_ run

4.3 SCREENSHOTS

Figure 4.3.1:Creating Adhoc Network

64

4.4 EXPERIMENTAL ANALYSIS

Figure 4.4.1:Comparison of packet overhead of the proposed with the existing system

Figure 4.4.2:Comparison of end delay of the proposed with the existing system

65

Figure 4.4.3: Comparison of throughput of the proposed with the existing system.

Figure 4.4.4:Comparison of PDR of the proposed with the existing sytem

66

5.CONCLUSION AND FUTURE WORK

To the best of the authors’ knowledge, this paper demonstrates, for the first time, that it

is possible to create simple and effective Gaussian based models of the shortest path

distribution in scale-free network topologies by accounting for the number of nodes only. The

accuracy of the proposed models has been further investigated by considering real Internet

network topologies, learned from reference data sets. This work represents a strong

advancement of the state of the art because currently available approaches require a case-by-

case fitting to catch the properties of the network scenario of interest. For future works, we

plan to apply this approach to other distributions, such as Weibull, in order to achieve even

better accuracy.

67

REFERENCES:

[1] J.P Anderson, “Computer Security Threat Monitoring andSurveillance”, Technical report,

James P Anderson Co., FortWashington, Pennsylvania, April 1980.

[2] Dorothy Denning, “An Intrusion Detection Model”, IEEETransactions on Software

Engineering, February 1987, pp.2- 222.

[3] G. Vigna and C. Kruegel, “Host-based Intrusion Detection Systems,”in The Handbook of

Information Security, Volume III, John Wiley &Sons, December 2005.

[4] Sandeep Kumar, Eugene H. Spaffor, “An application of PatternMatching in Intrusion

Detection”, Technical report 94-013,PurdueUniversity, Department of computer sciences,

March 1994.

[5] Daniel B. Cid, OSSEC[OL] , 2008, http://www.ossec.net.

[6] Andrew Hay,Daniel Cid, Rory Bray, Log Analysis using OSSEC[M],Syngress, 2007.

[7] Russell, S. and P. Norvig, 2003, Artificial Intelligence: A ModernApproach[M], 2nd Edn,

Prentice Hall, Inc.

[8] Yen, J.C. and J.I. Guo, 2002, “The design and realization of a chaotic neural signal

security system”, Pattern Recognition and ImageAnalysis (Advances in Mathematical Theory

and Applications), 12,pp.70-79.

[9] Lian, S., G. Chen, A. Cheung and Z. Wang, 2004. A chaotic-neural network-based

encryption algorithm for JPEG2000 encoder images.Advances in Neural Networks, Intl.

Symp. Neural NetworksProc., Part II, Lecture Notes in Computer Science, 3174,pp.627-632.

APPENDIX:

Later we implemented our project in the OSSEC tool.

68

69