a detailed study on anomaly based intrusion detection
TRANSCRIPT
A DETAILED STUDY ON ANOMALY BASED INTRUSION DETECTION
SYSTEM
A Project report submitted in partial fulfillment of the requirements for
the award of the degree of
BACHELOR OF TECHNOLOGY
IN
COMPUTER SCIENCE ENGINEERING
submitted by
K.SHARMILA 316126510145
M.J.SARIKA 316126510153
M.MOUNIKA 316126510175
G.PRUDHVI 316126510194
UNDER THE GUIDANCE OF
DR. V.USHABALA
ASSISTANT PROFESSOR
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
ANIL NEERUKONDA INSTITUTE OF TECHNOLOGY AND SCIENCES
(UGC AUTONOMOUS)
(Affiliated to AU, Approved by AICTE and Accredited by NBA & NAAC with ‘A’ Grade)
Sangivalasa, Bheemili mandal, Visakhapatnam dist.(A.P)
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
ANIL NEERUKONDA INSTITUTE OF TECHNOLOGY AND SCIENCES
1
(UGC AUTONOMOUS)
(Affiliated to AU, Approved by AICTE and Accredited by NBA & NAAC with ‘A’ Grade)
Sangivalasa, Bheemili mandal, Visakhapatnam dist.(A.P)
BONAFIDE CERTIFICATE
This is to certify that the project report entitled “A DETAILED STUDY ON ANOMALY
BASED INTRUSION DETECTION SYSTEM” submitted by K.SHARMILA
(316126510145), M.J.SARIKA (316126510153), M.SRI MOUNIKA(316126510175),
G.PRUDHVI (316126510194) in partial fulfillment of the requirements for the award of the
degree of Bachelor of Technology in Computer Science Engineering of Anil Neerukonda
Institute of technology and sciences (A), Visakhapatnam is a record of bonafide work carried
out under my guidance and supervision.
Dr. R. SIVARANJANI Dr. V. USHABALA
HEAD OF THE DEPARTMENT SUPERVISOR
COMPUTER SCIENCE AND COMPUTER SCIENCE AND
ENGG. ENGG.
ANITS ANITS
2
DECLARATION
We, K.SHARMILA, M.J.SARIKA, M.SRI MOUNIKA ,G.PRUDHVI, of
final semester B.Tech., in the department of Computer Science and Engineering from
ANITS, Visakhapatnam, hereby declare that the project work entitled A DETAILED
STUDY ON ANOMALY BASED INTRUSION DETECTION SYSTEM is
carried out by us and submitted in partial fulfillment of the requirements for the award
of Bachelor of Technology in Computer Science Engineering , under Anil
Neerukonda Institute of Technology & Sciences(A) during the academic year 2016-
2020 and has not been submitted to any other university for the award of any kind of
degree.
K.SHARMILA 316126510145
M.J.SARIKA 316126510153
M. SRI MOUNIKA 316126510175
G.PRUDHVI 316126510194
3
ACKNOWLEDGEMENT
We would like to express our deep gratitude to our project guide DR.V.USHA BALA
Assistant Professor, Department of Computer Science and Engineering, ANITS, for his/her
guidance with unsurpassed knowledge and immense encouragement. We are grateful to
DR.R.SIVARANJANI, Head of the Department, Computer Science and Engineering, for
providing us with the required facilities for the completion of the project work.We also thank
our project coordinator Mr.B.MAHESH,, Assistant Professor,Department of Computer
Science and Engineering,ANITS.
We are very much thankful to the Principal and Management, ANITS, Sangivalasa, for
their encouragement and cooperation to carry out this work.
We express our thanks to all teaching faculty of the Department of CSE, whose suggestions
during reviews helped us in accomplishment of our project. We would like to thank all non-
teaching staff(programmer name) of the Department of CSE, ANITS for providing great
assistance in accomplishment of our project.
We would like to thank our parents, friends, and classmates for their encouragement
throughout our project period. At last but not the least, we thank everyone for supporting us
directly or indirectly in completing this project successfully.
K.SHARMILA 316126510145
M.J.SARIKA 316126510153
M. SRI MOUNIKA 316126510175
G.PRUDHVI 316126510194
4
ABSTRACT
Attacks on the internet keep on increasing and it causes harm to our security system. In order
to minimize these threats, It is necessary to have a security system that has the ability to
detect these attacks and analyze them. This is where an intrusion detection system comes into
the picture. Intrusion detection system (IDS) monitors and collects data from a target system
that should be protected, processes and correlates the gathered initiates responses when
evidence of an intrusion is detected We need to suggest a proactive technique that helps to
monitor and take necessary action depending upon the behavior of the network. Our main
goal is to detect a method to protect our data from malicious activity.
Keywords: Intrusion, Intrusion Detection System, Attack, Wormhole Attack, Blackhole
Attack.
5
TABLE OF CONTENTS
ABSTRACT 5
KEYWORDS 5
LIST OF FIGURES 8
LIST OF ABBREVIATIONS 9
1.INTRODUCTION 10-12
1.1Introduction 10-12
1.2 Problem Statement 12
2.LITERATURE SURVEY 13-25
2.1Introduction 13-22
2.1.1 A distributed algorithm for scheduling the activation of 22
links in a self-organizing,mobile,radio networks
2.1.2 A performance comparison of multi-hop wireless adhoc 22-23
network routing protocols
2.1.3 A survey of mobility models for adhoc network research 23
2.1.4 Continuous all KNN queerying in smartphone networks 24
2.1.5 Parallelizing itinerary-based KNN query processing in 24-25
wireless sensor networks
2.2 Existing System 25
3.METHODOLOGY 26-27
3.1Proposed System 26
3.1.1Architecture 27
6
4.EXPERIMENTAL ANALYSIS AND RESULTS 28-69
4.1System Configuration 28
4.1.1Software Requirements 28
4.1.2Hardware Requirements 28
4.2Sample Code 29-66
4.3Screenshots 67
4.4Experimental Analysis 68-69
5.CONCLUSION AND FUTURE WORK 70
REFERENCES 71
APPENDIX 71
7
LIST OF FIGURES
Figure Number
Figure Name
Page NO
3.1 System Architecture 27
4.3.1 CreatingAdhoc network 67
4.4.1 Comparison of packet
overhead
68
4.4.2 Comparison of end delay 68
4.4.3 Comparison of
throughput
69
4.4.4 Comparison of PDR 69
8
LIST OF ABBREVIATIONS
IDS Intrusion Detection
System
HIDS Host based Intrusion
Detection System
TCL Tool Command
Language
NS2 Network Simulator
OTCL Object Oriented Tool
Command Language
MANET Mobile Adhoc-
Networks
9
1.INTRODUCTION
1.1 INTRODUCTION
An Intrusion Detection System (IDS) monitors and collects data from a target
system that should be protected, processes and correlates the gathered information, and
initiates responses when evidence of an intrusion is detected. Depending on their source of
input, IDSs can be classified into Host-based Intrusion Detection System (HIDS), Network-
based Intrusion Detection System (NIDS) and Hybrid Intrusion Detection System. Network-
based intrusion detection system collects input data by monitoring network traffic. Host-
based intrusion detection system collects input data from the host it monitors. Hybrid
Intrusion detection system collects input data from both of network traffic and hosts its
monitors. “Anomaly” detection and “Misuse” detection are two main techniques that HIDS
use. Anomaly detection refers to intrusions that can be detected based on anomalous
behaviour and use of computer resources. Anomaly detection usually uses methods of
statistical analysis methodology, artificial neural network technology, data mining
technology, an artificial immune technology. Misuse intrusion detection refers to the
detection of intrusions by precisely defining them ahead of time and watching for their
occurrences. Misuse intrusion detection usually use methods of expert system, TCP/IP
protocol analysis, and pattern matching. In this paper, we designed and implemented a host-
based intrusion detection system, which uses pattern matching and BP neural network as its
detection methods. Firstly, the HIDS uses log files as its primary sources of information, and
through three steps of pre-decoding log file, decoding log file, and analysis log file, it can
effectively identify various intrusions. Secondly, based on BP neural network analysis
technology and through establishment of system behaviour characteristics profile in advance,
the HIDS can identify intrusions by comparison with threshold. Experiment results show that
the HIDS can effectively improve the efficiency and accuracy of intrusion detection.
In an increasingly interconnected environment, information is exposed to a wide
variety of risks. So we have to provide security to the information. Information security is not
all about securing information from unauthorized access, it is basically the practice of
preventing unauthorized access, use, disclosure, modification. Implementing, maintaining
and updating information security in an organization becomes a challenge. We need
10
information security to reduce the risk to a level that is acceptable to the business. The
proposed system mainly protects the information from unauthorized access. It protects the
information from modification and destruction. The objectives of Information Security are
CIA (confidentiality, integrity, availability). Information that is provided can be in any form.
Information from social media, data on your laptops or computers, etc. are examples of
information security.
Any malicious activity present in a system or in a network can be detected by an
Intrusion Detection System. Set of rules are defined to prevent the intrusion with the help of
IDS.
This set of rules generates alert messages or signals while detecting the intrusion in a system
or a network. IDS is mainly classified into Host-Based Intrusion Detection System (HIDS),
Network Intrusion Detection System (NIDS) based on the type of the systems the IDS
protects. Signature Based Intrusion Detection System, Anomaly Based Intrusion Detection
System are classified based on the method of working. HIDS analyses the incoming and
outgoing packets from a system. This also monitors the operating system of the computer.
NIDS monitors traffic on an individual network by continuously performing traffic analysis
and then comparing it with detected or known attacks in the library. However IDS monitors
mischievous activities, they might also generate False Alarms. Therefore the rate of False
Alarms should be less when an IDS is implemented.
Detection of an intrusion starts where the firewall ends. Preventing unauthorized access is not
in our hands. An intruder never leaves an opportunity to intrude into the network and cause
damage to others information which leads to no privacy. These attacks are being increased
every day.
Thus an intrusion detection system is needed to avoid such attacks. Many types of attacks can
be detected with this intrusion detection system hence an intrusion detection system that has
been designed or implemented needs to work efficiently to detect the attacks.
Log files record the behaviour of the computer system and aim at recording the
action of the operating system, applications, and use behaviours. Log file is widely used for
system debugging, monitoring, and security detection. Log system is particularly important in
intrusion detection and log file analysis tools have become an indispensable tool for daily
inspection and maintenance of the system running. In general, log analysis-based HIDS
11
includes the following several parts: collection of log file data, pre recording of log file,
decoding of log file, analysis of log file and report events.
The HIDS combines two approaches of misuse detection and anomaly detection.
Monitoring the log file, once the log changes, log monitor will send events to the log analyser
immediately. Generally, we need to monitor three kinds of event logs: application log,
security log and system log. We can add three XML nodes in the following configuration file.
The node “local file” represents the local file when system initialization. The node “location”
represents the file pathing the disk. The node “log format” represents what type of the log.
Log type includes event log, firewall log, SQL log and so on. In this way, when initializing
the HIDS, it will automatically load the above log files that need to be monitored. When
finished the initialization work, the HIDS will open a demon, and the demon will check every
log file to find whether there are changes in the log file. If there really exists change, then the
demon will report to the log.
1.2: PROBLEM STATEMENT
There is enormous need for an efficient system that successfully detects and suggests a
method to prevent the intrusions that occur across the network with a cost effective
implementation, so as to ensure security to our data.
To accomplish this we need to implement an IDS - Intrusion Detection System
12
2.LITERATURE SURVEY
2.1 INTRODUCTION
The system that has been proposed is implemented on NS2 Tool.
NS2 Tool:
NS2 is a distinct event simulator focused on networking research. NS2 imparts
considerable
support for simulation of routing protocols over wired and wireless networks. Insures
perspective, NS2 is an OTcl interpreter that takes an OTcl script as input and produces a trace
file as output. There are two sets of languages in NS2 (C++ and OTcl) [10]. C++ is utilized
for creation of objects to maintain speed and efficiency. OTcl is utilized as a front-end to
setup the simulator and to configure the objects. The common procedure for generating a
simulation can be classified into various steps.
They are
•Topology definition
•Node and link configuration
•Execution
•Performance analysis
•Graphical Visualization (X graphs)
1. Transreceiver
It consists of a Transmitter as well as receiver configuration, which act as a manet node.
2. TCP
Transmission control protocol is the responsibility for communication. The Transmission
Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It
originated in the initial network implementation in which it complemented the Internet
Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP.
13
3. CBR (Constant bit rate)
Constant bitrate (CBR) is a term used in telecommunications, relating to the quality of
service. Compare with variable bitrate. When referring to codecs, constant bit rate encoding
means that the rate at which a codec's output data should be consumed is constant.
4. Trust value generation
It gives the data trust, node trust, functional trust and recommendation trust for each
communication.
5. Trust based credit value assigner
It receives all trust values and assigns a credit value for a particular node and communication.
6. Data and traffic analyser
It analyses the size and content of the data and traffic in the network.
Network simulator 2.28 (NS2)
Ns-2 is a packet-level simulator and essentially a centric discrete event scheduler to schedule
the events such as packet and timer expiration. Centric event schedulers cannot accurately
emulate “events handled at the same time” in the real world, that is, events are handled one
by one. This is not a serious problem in most network simulations, because the events here
are often transitory. Beyond the event scheduler, ns-2 implements a variety of network
components and protocols. Notably, the wireless extension, derived from CMU Monarch
Project, has 2 assumptions simplifying the physical world: Nodes do not move significantly
over the length of time they transmit or receive a packet. This assumption holds only for
mobile nodes of high-rate and low-speed. Consider a node with the sending rate of 10Kbps
and moving speed of 10m/s, during its receiving a packet of 1500B, the node moves 12m.
Thus, the surrounding can change significantly and cause reception failure. Node velocity is
insignificant compared to the speed of light. In particular, none of the provided propagation
models include Doppler effects, although they could.
Structure of NS-2:Create the event scheduler
14
• Turn on tracing
• Create network
• Setup routing
• Insert errors
• Create transport connection
• Create traffic
Functionalities NS-ALLINONE
C++/OTcl Linkage
Root of ns-2 object hierarchy
bind (): link variable values between
Tcl Object- C++ and OTcl
Command (): link OTcl methods to C++ implementations
TclClass
Create an OTcl object, and create a linkage between the OTcl object and C++ Object
TclC++ - methods to access Tcl interpreter
Tcl Command - Standalone global commands
Embedded Tcl -ns script initialization
Mobile networking in NS-ALLINONE2.28
A mobile ad-hoc network (MANET) is a kind of wireless ad-hoc network, and is a self-
configuring network of mobile routers (and associated hosts) connected by wireless links –
the union of which form an arbitrary topology. The routers are free to move randomly and
organize themselves arbitrarily; thus, the network’s wireless topology may change rapidly
15
and unpredictably. Such a network may operate in a standalone fashion, or may be connected
to the larger Internet.
Mobile ad-hoc networks became a popular subject for research as laptops and 802.11/Wi-Fi
wireless networking became widespread in the mid- to late 1990s. Many of the academic
papers evaluate protocols and abilities assuming varying degrees of mobility within a
bounded space, usually with all nodes within a few hops of each other, and usually with
nodes sending data at a constant rate. Different protocols are then evaluated based on the
packet drop rate, the overhead introduced by the routing protocol, and other measures.
In the next generation of wireless communication systems, there will be a need for the
rapid deployment of independent mobile users. Significant examples include establishing
survivable, efficient, dynamic communication for emergency/rescue operations, disaster
relief efforts, and military networks. Such network scenarios cannot rely on centralized and
organized connectivity, and can be conceived as applications of Mobile Ad Hoc Networks. A
MANET is an autonomous collection of mobile users that communicate over relatively
bandwidth constrained wireless links. Since the nodes are mobile, the network topology may
change rapidly and unpredictably over time. The network is decentralized; where all network
activity including discovering the topology and delivering messages must be executed by the
nodes.
The set of applications for MANETs is diverse, ranging from small, static networks
that are constrained by power sources, to large-scale, mobile, highly dynamic networks. The
design of network protocols for these networks is a complex issue. Regardless of the
application, MANETs need efficient distributed algorithms to determine network
organization, link scheduling, and routing. However, determining viable routing paths and
delivering messages in a decentralized environment where network topology fluctuates is not
a well-defined problem.
How to start TCL scripts?
We can write Tcl scripts in any text editor like joe or emacs. First of all, we need to create a
simulator object. This is done with the command set ns [new Simulator] Now we open a file
16
for writing that is going to be used for the nam trace data. Set nf [open out.nam w] $ns
namtrace-all $nf the first line opens the file 'out.nam' for writing and gives it the file handle
'nf'. In the second line we tell the simulator object that we created above to write all
simulation data that is going to be relevant for nam into this file. The next step is to add a
'finish' procedure that closes the trace file and starts nam.
Network components
The root of the hierarchy is the Tcl Object class that is the super class of all OTcl library
objects (scheduler, network components, timers and the other objects including NAM related
ones).
As an ancestor class of Tcl Object, NsObject class is the super class of all basic network
component objects that handle packets, which may compose compound network objects such
as nodes and links. The basic network components are further divided into two subclasses,
Connector and Classifier, based on the number of the possible output data paths.
The basic network objects that have only one output data path are under the Connector class,
and switching objects that have possible multiple output data paths are under the Classifier
class.
Packet
A NS packet is composed of a stack of headers, and an optional data space. A packet header
format is initialized when a Simulator object is created, where a stack of all registered (or
possibly useable) headers, such as the common header that is commonly used by any objects
as needed, IP header, TCP header, RTP header (UDP uses RTP header) and trace header, is
defined, and the offset of each header in the stack is recorded.
What this means is that whether or not a specific header is used, a stack composed of
all registered headers is created when a packet is allocated by an agent, and a network object
can access any header in the stack of a packet it processes using the corresponding offset
value.
17
The advantages of networking
Networks allow computers, and hence their users, to be connected together. They also
allow for the easy sharing of information and resources, and cooperation between the devices
in other ways. Some of the major benefits.
1.Connectivity and Communication
Networks connect computers and the users of those computers. Individuals within a
building or work group can be connected into LAN.
2.Data Sharing
One of the most important uses of networking is to allow the sharing of data. True
networking allows thousands of employees to share data much more easily and quickly.
3.Hardware Sharing
Networks facilitate the sharing of hardware devices. For example, instead of giving each
of 10 employees in a department an expensive color printer, one printer can be placed on the
network for everyone to share.
4.Internet Access
The Internet is itself an enormous network. The significance of the Internet on modern
society is hard to exaggerate, especially for technical fields.
5.Internet Access Sharing
Small computer networks allow multiple users to share a single Internet connection.
Special hardware devices allow the bandwidth of the connection to be easily allocated to
various individuals as they need it.
6.Data Security and Management
In a business environment, a network allows the administrators to much better
manage the company's critical data. Instead of having this data spread over dozens or even
hundreds of small computers in a haphazard fashion as their users create it.
Link
A link is another major compound object in NS. When a user creates a link using a duplex-
link member function of a Simulator object, two simplex links in both directions are created.
One thing to note is that an output queue of a node is actually implemented as a part of
18
simplex link object. Packets dropped from a queue are passed to the Delay object that
simulates the link delay, and packets dropped at a queue are sent to a Null Agent and are
freed there. Finally, the TTL object calculates Time to live parameters for each packet
received and updates the TTL field of the packet.
Starting NS
NS starts with the command ns (assuming that we are in the directory with the ns executable,
or that were path points to that directory), where is the name of a Tcl script file which defines
the simulation scenario (i.e. the topology and the events). We could also just start ns without
any arguments and enter the Tcl commands in the Tcl shell, but that is definitely less
comfortable. Everything else depends on the Tcl script. The script might create some output,
it might write a trace file or it might start nam to visualize the simulation.
Starting NAM
We can either start nam with the command 'nam<nam-file>' where '<nam-file>' is the name
of a nam trace file that was generated by ns, or we can execute it directly out of the Tcl
simulation script for the simulation which we want to visualize. Below we can see a
screenshot of a nam window where the most important functions are being explained.
TOOLS
Existing tools for intrusion detection system:
NS2,OSSEC,SNORT
NS2: The intrusion detection is evaluated by simulation in presence of nodes that can take
different attacks. It is capable of detecting a false information attack using statistical
techniques and can also detect other types of attacks. Many intrusion detection systems have
been proposed and most of them are routing protocols like route guard etc. It resides in each
node and is based on overhearing. Through overhearing each node can detect the malicious
action of its report and other nodes. If the node is overhearing itself then it is malicious and
then it causes a serious impact on network performance. Its ability to discover the malicious
nodes which can partition the network by falsely reporting the nodes and proceed to protect
the network.
19
OSSEC: It is one among the simplest open source applications. It's an incredibly efficient
processor, but it doesn't have a user interface when it involves log data. It organizes your log
files and uses anomaly based intrusion detection and it offers log file detection methods and
scan for unauthorized changes could specifically cause issues.
SNORT: It is an open source NIDS application. It is also used in packet sniffing and logging
functionality. It allows predefined rules for snort are available on the website. The rule set
includes both anomaly and signature based detection systems .
BLACK HOLE ATTACK
In computer networking, a packet drop attack or blackhole attack is a
type of denial-of-service attack in which a router that is supposed to relay packets instead
discards them. This usually occurs from a router becoming compromised from a number of
different causes. One cause mentioned in research is through a denial-of-service attack on the
router using a known DDoS tool. Because packets are routinely dropped from a lossy
network, the packet drop attack is very hard to detect and prevent.
The malicious router can also accomplish this attack selectively, e.g. by dropping packets for
a particular network destination, at a certain time of the day, a packet every n packets or
every t seconds, or a randomly selected portion of the packets. This is rather called a
greyhound attack. If the malicious router attempts to drop all packets that come in, the attack
can actually be discovered fairly quickly through common networking tools such as
traceroute. Also, when other routers notice that the compromised router is dropping all traffic,
they will generally begin to remove that router from their forwarding tables and eventually no
traffic will flow to the attack. However, if the malicious router begins dropping packets on a
specific time period or over every n packets, it is often harder to detect because some traffic
still flows across the network.
The packet drop attack can be frequently deployed to attack wireless ad hoc networks.
Because wireless networks have a much different architecture than that of a typical wired
network, a host can broadcast that it has the shortest path towards a destination. By doing
this, all traffic will be directed to the host that has been compromised, and the host is able to
drop packets at will. Also over mobile ad hoc networks, hosts are specifically vulnerable to
20
collaborative attacks where multiple hosts will become compromised and deceive the other
hosts on the network.
WORMHOLE ATTACK
This is a type of network layer attack which is carried out using more than one malicious
node. The nodes used to carry out this attack are superior to normal nodes and are able to
establish better communication channels over long ranges. The idea behind this attack is to
forward the data from one compromised node to another malicious node at the other end of
the network through a tunnel. As a result the other nodes in the WSN can be tricked into
believing that they are closer to other nodes than they really are which can cause problems in
the routing algorithm.Also the compromised nodes may temper with the data packets.
Wormhole attack can also be combined with sinkhole attack to make it more effective.
Wormhole attack can be classified under 3 main categories:
Open Wormhole:
In this case the data packets are first sent from the source to a wormhole which
tunnels them to the other wormhole that transmits them to the destination.The other
nodes in the network are ignored and not used for data transfer.
Half-open Wormhole:
In this case the data packets are sent from the source to a wormhole which directly
transmits them to the destination.
Closed Wormhole:
In this case the data packets are directly transferred from the source to the destination
in a single hop making them fictitious neighbours.
21
2.1.1 D. J. Baker and J.Wieselthier, ``A distributed algorithm for
scheduling the activation of links in a self-organizing, mobile, radio
network,'' in Proc.ICC, 1982, pp. 2F6.1_2
ABSTRACT:In our previous work, we proposed few updated data dissemination methods to
refresh old replicas efficiently in mobile ad hoc networks. These methods disseminate
updated data items every time when owners of original data items update the items or every
time two mobile hosts are newly connected with each other and this causes heavy traffic in
the entire network. In this paper, we assume applications that periodically execute read
operations with strict dead-lines to data items and propose few alternative updated data
dissemination methods. These methods reduce the trafficfor data dissemination while keeping
a high success ratio for read operation.
2,1.2 J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva, ``A
performance comparison of multi-hop wireless ad hoc network routing
protocols,''.
ABSTRACT:The Efficient routing protocols can provide significant benefits to mobile ad
hoc networks, in terms of both performance and reliability. Many routing protocols for such
networks have been proposed so far. Amongst the most popular ones are Ad hoc On-demand
Distance Vector (AODV), Destination-Sequenced Distance-Vector Routing protocol
(DSDV), Dynamic Source Routing Protocol (DSR), and Optimum Link State Routing
(OLSR). Despite the popularity of those protocols, research efforts have not focused much on
evaluating their performance when applied to variable bit rate (VBR). In this paper we
present our observations regarding the performance comparison of the above protocols for
VBR in mobile ad hoc networks (MANETs). We perform extensive simulations, using an
NS-2 simulator. Our studies have shown that reactive protocols perform better than proactive
protocols. Further DSR has performed well for the performance parameters namely delivery
ratio and routing overload while AODV performed better in terms of average delay.
22
2.1.3 T. Camp, J. Boleng, and V. Davies, ``A survey of mobility models for
ad hoc network research,''Wireless Commun. Mobile Comput., vol. 2,no. 5,
pp. 483_502, 2002.
ABSTRACT:In the performance evaluation of a protocol for an ad hoc network, the protocol
should be tested under realistic conditions including, but not limited to, a sensible
transmission range, limited buffer space for the storage of messages, representative data
traffic models, and realistic movements of the mobile users (i.e., a mobility model). This
paper is a survey of mobility models that are used in the simulations of ad hoc networks. We
describe several mobility models that represent mobile nodes whose movements are
independent of each other (i.e., entity mobility models) and several mobility models that
represent mobile nodes whose movements are dependent on each other (i.e., group mobility
models). The goal of this paper is to present a number of mobility models in order to offer
researchers more informed choices when they are deciding upon a mobility model to use in
their performance evaluations. Lastly, we present simulation results that illustrate the
importance of choosing a mobility model in the simulation of an ad hoc network protocol.
Specifically, we illustrate how the performance results of an ad hoc network protocol
drastically change as a result of changing the mobility model simulated.
2.1.4 Chatzimilioudis, D. Zeinalipour-Yazti,W.-C. Lee, and M. D.
Dikaiakos,``Continuous all k-nearest-neighbour querying in smartphone
networks,'' inProc. IEEE MDM, Jul. 2012, pp. 79_88.
ABSTRACT:Continuous nearest neighbour (CNN) search, which retrieves the nearest
neighbours corresponding to every point in a given query line segment, is important for
location-based services such as vehicular navigation and tourist guides. It is infeasible to
answer aCNN search by issuing a traditional nearest neighbour query at every point of the
line segment due to the large number of queries generated and the overhead on bandwidth.
Algorithms have been proposed recently to support CNN search in the traditional client-
server systems but not in the environment of wireless data broadcast, where uplink
communication channels from mobile devices to the server are not available. In this paper,
we develop a generalized search algorithm for continuous k-nearest neighbours based
23
onHilbert Curve Index In wireless data broadcast systems. A performance evaluation is
conducted to compare the proposed search algorithms with an algorithm based on R-tree Air
Index. The result shows that the Hilbert Curve Index-based algorithm is more energy efficient
than the R-tree-based algorithm.
2.1.5 T.-Y. Fu, W.-C. Peng, and W.-C. Lee, ``Parallelizing itinerary-based
KNNquery processing in wireless sensor networks,''IEEE Trans. Knowl.
DataEng., vol. 22, no. 5, pp. 711_729, May 2010.
ABSTRACT:Wireless sensor networks (WSN) is a key enabling technique for achieving the
vision of the Internet of Things. In many applications of WSN such as environmental
monitoring and vehicle tracking, they may be required to launch spatial queries for collecting
and gathering sensory data for achieving certain goals. One such query is the $$K$$ K
nearest neighbour (KNN) query, which aims to collect sensory data from k sensor nodes
nearest to a certain query location. Techniques, namely the itinerary-based KNN query
algorithms, are recently developed for facilitating KNN queries. Generally, these techniques
propagate queries and collect data along a predetermined itinerary. However, query accuracy
and boundary expansion are two challenges that are not well addressed. To mitigate these
issues, in this paper, we propose a novel KNN query algorithm based on grid division routing
in the setting of skewness distribution, where the itinerary is formed based on the
connectivity of adjacent grid cells centers. This technique can achieve better query accuracy
and cause less energy consumption by executing the query concurrently in subregions.
Besides, the void region problem is well addressed based on the proximity of neighbour grid
cells. Experiment result shows that our technique performs better in several aspects including
query accuracy, data redundancy, and energy efficiency.
2.2 EXISTING SYSTEM
Log files record the behaviour of the computer system and aim at recording the action of
the operating system, applications, and use behaviours. Log file is widely used for system
debugging, monitoring, and security detection. Log system is particularly important in
intrusion detection and log file analysis tools have become an indispensable tool for daily
inspection and maintenance of the system running.In general, log analysis-based HIDS
includes the following several parts: collection of log file data, pre recording of log file,
decoding of log file, analysis of log file and report events
24
3.METHODOLOGY
3.1 PROPOSED SYSTEM
The HIDS combines two approaches of misuse detection and anomaly detection. Monitoring
the log file, once the log changes, log monitor will send events to the log analyzer
immediately. Generally, we need to monitor three kinds of event logs: application log,
security log and system log. We can add three XML nodes in the following configuration file.
The node “local file” represents the local file when system initialization. The node “location”
represents the file path in the disk. The node “log_ format” represents what type of the log.
Log type includes event log, firewall log, SQL log and so on. In this way, when initialize the
HIDS, it willautomatically load the above log files that need to be monitored. When finished
the initialization work, the HIDS will open a demon, and the demon will check every log file
to find whether there are changes in the log file. If there really exits change, then the demon
will report to the log analyzer. Monitoring the use of system resources, and sends the status of
the system resources utilization to get system resources analyser at regular time. The
connector is responsible for receiving messages from log monitor and system resources
monitor, and sending these messages to log analyser and system resources analyser.
Receiving events from the log monitor, match with the rule base to determine whether there
is invasion, if there is invasion occurrence, report to the active response unit. Receiving
events from the system resources monitor, to calculate whether the abnormal state of current
resources use and thus to determine whether the status is invaded, if it finds there is invasion,
report to the active response unit. Receiving events from the log analyser and system
resources analyser, decided to perform what kind of operation. Usually, the normal
operations include notifying users, auditing, disconnecting from network and so
on.Recording the entire process of intrusion detection, andthe attack situation, prepare for use
when necessary.
25
3.1.1 ARCHITECTURE
Log Monitor:
It maps and visualizes devices dependency to optimize the bandwidth and traffic.
Connector: Networks connect computers and therefore the users of these computers.
Individuals within a building or work group are often connected into LAN. Trace file that
was generated by ns, or we will execute it directly out of the Tcl simulation script for the
simulation which we would like to see . Below we will see a screenshot of a nam window
where the foremost important functions are being explained.
Log analyser: It is the process of monitoring the events occurring in a computer or network
and analysing them for signs and violations or imminent threats of the security.
Audit Database: It is a database of information that can be with a web interface. Data about
the network is inserted with a script and it can be configured to scan your network and device
immediately.
Active response unit: The intrusion detection monitors for attacks and provides information
services and IDS actively stops the threat. It can be configured to scan your network and
devices automatically.
Figure 3.1: System Architecture
26
4.EXPERIMENTAL ANALYSIS AND RESULTS
4.1 SYSTEM CONFIGURATION
4.1.1 SOFTWARE REQUIREMENTS
Operating System : Linux
Simulation Tool : NS2
Documentation : Ms-Office
4.1.2 HARDWARE REQUIREMENTS
CPU type : Intel Pentium 4
Clock speed : 3.0 GHz
Ram size : 512 MB
Hard disk capacity : 80 GB
Monitor type : 15 Inch color monitor
KeyBoard type : Internet keyboard
CD -drive type : 52xmax
27
4.2 SAMPLE CODE
set val(chan) Channel/WirelessChannel
set val(prop) Propagation/TwoRayGround
set val(netif) Phy/WirelessPhy
set val(mac) Mac/802_11
set val(ifq) Queue/DropTail/PriQueue
set val(ll) LL
set val(ant) Antenna/OmniAntenna
set val(x) 400 ;# X dimension of the topography
set val(y) 400 ;# Y dimension of the topography
set val(ifqlen) 50 ;# max packet in ifq
set val(seed) 0.0
set val(adhocRouting) AODV
set val(nn) 25 ;# how many nodes are simulated
set val(cp) cbr
set val(sc) scen
set val(stop) 10.0 ;# simulation time
set val(traffic) tcp
set val(rxPower) 0.60175 ;#Potencia recepción en W
set val(txPower) 0.50175 ;#Potencia transmisión en W
set val(energymodel) EnergyModel ;
set val(initialenergy) 50 ;# Initial energy in Joules
set val(sleeppower) 0.00005 ;#sleep power W 15 uA =I*I*R=11.25*10E-9
W
28
#
==================================================================
===
# Main Program
#
==================================================================
===
Mac/802_15_4 wpanCmd verbose
Mac/802_15_4 wpanNam namStatus on
#
# Initialize Global Variables
#
# create simulator instance
set ns_ [new Simulator]
# setup topography object
set topo [new Topography]
# create trace object for ns and nam
set tracefd [open wireless-out.tr w]
set namtrace [open wireless-out.nam w]
$ns_ trace-all $tracefd
29
$ns_ namtrace-all-wireless $namtrace $val(x) $val(y)
# define topology
$topo load_flatgrid $val(x) $val(y)
#
# Create God
#
set god_ [create-god $val(nn)]
#
# define how node should be created
#
#global node setting
$ns_ node-config -adhocRouting $val(adhocRouting) \
-llType $val(ll) \
-macType $val(mac) \
-ifqType $val(ifq) \
-ifqLen $val(ifqlen)\
-antType $val(ant) \
-propType $val(prop) \
-phyType $val(netif) \
-channelType $val(chan) \
30
-topoInstance $topo \
-agentTrace ON \
-routerTrace ON \
-macTrace ON
# Energy Config to all nodes
#$ns_ node-config -energyModel EnergyModel \
#-initialEnergy $val(initialenergy) \
# -txPower $val(txPower) \
#-rxPower $val(rxPower) \
#-idlePower 0.5 \
#-sensePower 0.0175\
#-sleeppower
#
# Create the specified number of nodes [$val(nn)] and "attach" them
# to the channel.
for {set i 0} {$i < $val(nn) } {incr i} {
set node_($i) [$ns_ node]
$node_($i) random-motion 0 ;# disable random motion
$node_($i) set n_type_ 3
}
$node_(0) set X_ 162.891987155549
31
$node_(0) set Y_ 330.062653124573
$node_(0) set Z_ 0.000000000000
$node_(1) set X_ 490.141445840108
$node_(1) set Y_ 303.390205978687
$node_(1) set Z_ 0.000000000000
$node_(2) set X_ 366.597345388552
$node_(2) set Y_ 285.045804378001
$node_(2) set Z_ 0.000000000000
$node_(3) set X_ 375.434557942298
$node_(3) set Y_ 65.037490023253
$node_(3) set Z_ 0.000000000000
$node_(4) set X_ 100.651888471933
$node_(4) set Y_ 200.999064507849
$node_(4) set Z_ 0.000000000000
$node_(5) set X_ 250.447602254595
$node_(5) set Y_ 300.572449388697
$node_(5) set Z_ 0.000000000000
$node_(6) set X_ 108.255880864622
$node_(6) set Y_ 84.360259002758
32
$node_(6) set Z_ 0.000000000000
$node_(7) set X_ 520.022513386952
$node_(7) set Y_ 79.601955031326
$node_(7) set Z_ 0.000000000000
$node_(8) set X_ 400.505636882310
$node_(8) set Y_ 366.164946663731
$node_(8) set Z_ 0.000000000000
$node_(9) set X_ 650.602720883062
$node_(9) set Y_ 175.285815188533
$node_(9) set Z_ 0.000000000000
$node_(10) set X_ 550.769209352321
$node_(10) set Y_ 175.469788838578
$node_(10) set Z_ 0.000000000000
$node_(11) set X_ 440.554012762204
$node_(11) set Y_ 141.229856334582
$node_(11) set Z_ 0.000000000000
$node_(12) set X_ 610.714803612949
$node_(12) set Y_ 301.185534602634
33
$node_(12) set Z_ 0.000000000000
$node_(13) set X_ 622.875451109860
$node_(13) set Y_ 63.556895758918
$node_(13) set Z_ 0.000000000000
$node_(14) set X_ 0.573192188336
$node_(14) set Y_ 130.371975801273
$node_(14) set Z_ 0.000000000000
$node_(15) set X_ 330.423309654009
$node_(15) set Y_ 200.077977391011
$node_(15) set Z_ 0.000000000000
$node_(16) set X_ 50.094578660017
$node_(16) set Y_ 308.896767907433
$node_(16) set Z_ 0.000000000000
$node_(17) set X_ 550.729619959314
$node_(17) set Y_ 362.975147203270
$node_(17) set Z_ 0.000000000000
$node_(18) set X_ 195.324546016638
$node_(18) set Y_ 200.532816382783
34
$node_(18) set Z_ 0.000000000000
$node_(19) set X_ 225.407694870792
$node_(19) set Y_ 100.976161733047
$node_(19) set Z_ 0.000000000000
$node_(20) set X_ 108.805461586345
$node_(20) set Y_ 0.403581363136
$node_(20) set Z_ 0.000000000000
$node_(21) set X_ 75.192849108044
$node_(21) set Y_ 394.599718193696
$node_(21) set Z_ 0.000000000000
$node_(22) set X_ 440.603011809622
$node_(22) set Y_ 235.134542858225
$node_(22) set Z_ 0.000000000000
$node_(23) set X_ 250.021643078072
$node_(23) set Y_ 376.842426981596
$node_(23) set Z_ 0.000000000000
$node_(24) set X_ 451.563393009171
$node_(24) set Y_ 3.322296117208
$node_(24) set Z_ 0.000000000000
35
$ns_ at 1.0 "$node_(0) setdest 20.0 18.0 4.717402816103"
$ns_ at 2.0 "$node_(1) setdest 20.0 18.0 3.384378246020"
$ns_ at 3.0 "$node_(2) setdest 20.0 18.0 1.541978544726"
$ns_ at 2.0 "$node_(4) setdest 20.0 18.0 1.592003003493"
$ns_ at 1.0 "$node_(5) setdest 20.0 18.0 1.592003003493"
$ns_ at 2.0 "$node_(6) setdest 20.0 18.0 1.0"
$ns_ at 3.0 "$node_(7) setdest 20.0 18.0 1.0"
$ns_ at 4.0 "$node_(8) setdest 20.0 18.0 1.541978544726"
$ns_ at 2.0 "$node_(9) setdest 20.0 18.0 1.0"
$ns_ at 1.0 "$node_(10) setdest 20.0 18.0 3.384378246020"
$ns_ at 3.0 "$node_(11) setdest 20.0 18.0 1.0"
$ns_ at 1.0 "$node_(12) setdest 20.0 18.0 4.039409901061"
$ns_ at 2.0 "$node_(13) setdest 20.0 18.0 1.0"
$ns_ at 4.0 "$node_(14) setdest 20.0 18.0 3.384378246020"
$ns_ at 3.0 "$node_(15) setdest 20.0 18.0 1.541978544726"
$ns_ at 2.0 "$node_(16) setdest 20.0 18.0 7.0"
$ns_ at 3.0 "$node_(17) setdest 20.0 18.0 1.0"
$ns_ at 4.0 "$node_(18) setdest 20.0 18.0 1.592003003493"
$ns_ at 3.0 "$node_(19) setdest 20.0 18.0 1.0"
$ns_ at 2.0 "$node_(20) setdest 20.0 18.0 3.384378246020"
$ns_ at 1.0 "$node_(21) setdest 20.0 18.0 1.0"
36
$ns_ at 1.0 "$node_(22) setdest 20.0 18.0 1.0"
$ns_ at 2.0 "$node_(23) setdest 20.0 18.0 1.0"
$ns_ at 3.0 "$node_(24) setdest 25.0 20.0 3.384378246020"
$ns_ at 0.20 "$ns_ trace-annotate \"Intrusion Detection with Data Fusion \" "
$ns_ at 0.30 "$ns_ trace-annotate \"Using SYMMETRIC CRYPTOGRAPHY TECHNIQUE
\" "
$ns_ at 1.00 "$node_(0) add-mark m1 green circle"
$ns_ at 1.01 "$node_(0) label \"SENDER1\""
$ns_ at 1.10 "$node_(23) add-mark m1 blue circle"
$ns_ at 1.11 "$node_(23) label \"RECEIVER1\""
$ns_ at 1.20 "$node_(19) add-mark m1 green circle"
$ns_ at 1.21 "$node_(19) label \"SENDER2\""
$ns_ at 1.30 "$node_(20) add-mark m1 blue circle"
$ns_ at 1.36 "$node_(20) label \"RECEIVER2\""
$ns_ at 1.40 "$node_(15) add-mark m1 green circle"
$ns_ at 1.41 "$node_(15) label \"SENDER3\""
$ns_ at 1.50 "$node_(11) add-mark m1 blue circle"
$ns_ at 1.51 "$node_(11) label \"RECEIVER3\""
$ns_ at 1.60 "$node_(13) add-mark m1 green circle"
37
$ns_ at 1.61 "$node_(13) label \"SENDER4\""
$ns_ at 1.70 "$node_(9) add-mark m1 blue circle"
$ns_ at 1.71 "$node_(9) label \"RECEIVER4\""
$ns_ at 1.80 "$node_(4) add-mark m1 green circle"
$ns_ at 1.81 "$node_(4) label \"SENDER5\""
$ns_ at 1.80 "$node_(8) add-mark m1 blue circle"
$ns_ at 1.81 "$node_(8) label \"RECEIVER5\""
$ns_ at 2.20 "$node_(21) add-mark m1 red square"
$ns_ at 2.21 "$node_(21) label \"wormhole attack\""
$ns_ at 2.30 "$node_(24) add-mark m1 red square"
$ns_ at 2.31 "$node_(24) label \"blackhole attack\""
$ns_ at 2.33 "$node_(1) add-mark m1 red square"
$ns_ at 2.34 "$node_(1) label \"man in the middle\""
#$ns_ at 2.31 $node_(24) label-color [red] ;
$ns_ at 2.40 "$ns_ trace-annotate \"Create Mobile Adhoc Network \" "
$ns_ at 2.40 "$ns_ trace-annotate \"Starting Data Fusion \" "
set tcp [new Agent/TCP]
$tcp set class_ 1
38
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(0) $tcp
$ns_ attach-agent $node_(23) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 2.50 "$ftp start"
$ns_ at 3.00 "$ftp stop"
\" "
$ns_ at 3.01 "$ns_ trace-annotate \"SENDER1 COMMUNICATE WITH RECEIVER1
$ns_ at 3.02 "$node_(23) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.03
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(0) $tcp
$ns_ attach-agent $node_(16) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 2.50 "$ftp start"
39
$ns_ at 3.00 "$ftp stop"
$ns_ at 3.01 "$ns_ trace-annotate \"DEVICE 16 HACKING THE MESSAGE OF
SENDER1 \" "
$ns_ at 3.02 "$node_(16) add-mark m3 YELLOW circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(19) $tcp
$ns_ attach-agent $node_(20) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 3.10 "$ftp start"
$ns_ at 3.60 "$ftp stop"
\" "
$ns_ at 3.61 "$ns_ trace-annotate \"SENDER2 COMMUNICATE WITH RECEIVER2
$ns_ at 3.62 "$node_(20) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.03
40
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(19) $tcp
$ns_ attach-agent $node_(14) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 3.10 "$ftp start"
$ns_ at 3.60 "$ftp stop"
$ns_ at 3.61 "$ns_ trace-annotate \"DEVICE 14 HACKING THE MESSAGE OF
SENDER2 \" "
$ns_ at 3.62 "$node_(14) add-mark m3 YELLOW circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(15) $tcp
$ns_ attach-agent $node_(11) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 3.70 "$ftp start"
$ns_ at 4.20 "$ftp stop"
\" "
$ns_ at 4.21 "$ns_ trace-annotate \"SENDER3 COMMUNICATE WITH RECEIVER3
41
$ns_ at 4.22 "$node_(11) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.03
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(15) $tcp
$ns_ attach-agent $node_(22) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 3.70 "$ftp start"
$ns_ at 4.20 "$ftp stop"
$ns_ at 4.21 "$ns_ trace-annotate \"DEVICE 22 HACKING THE MESSAGE OF
SENDER3 \" "
$ns_ at 4.22 "$node_(22) add-mark m3 YELLOW circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(13) $tcp
42
$ns_ attach-agent $node_(9) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 4.30 "$ftp start"
$ns_ at 4.80 "$ftp stop"
\" "
$ns_ at 4.81 "$ns_ trace-annotate \"SENDER4 COMMUNICATE WITH RECEIVER4
$ns_ at 4.82 "$node_(9) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.03
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(13) $tcp
$ns_ attach-agent $node_(10) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 4.30 "$ftp start"
$ns_ at 4.80 "$ftp stop"
$ns_ at 4.81 "$ns_ trace-annotate \"DEVICE 10 HACKING THE MESSAGE OF
SENDER4 \" "
$ns_ at 4.82 "$node_(10) add-mark m3 YELLOW circle"
43
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(4) $tcp
$ns_ attach-agent $node_(8) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 5.10 "$ftp start"
$ns_ at 5.50 "$ftp stop"
\" "
$ns_ at 5.51 "$ns_ trace-annotate \"SENDER5 COMMUNICATE WITH RECEIVER5
$ns_ at 5.52 "$node_(8) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.03
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(4) $tcp
$ns_ attach-agent $node_(14) $sink
44
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 5.10 "$ftp start"
$ns_ at 5.50 "$ftp stop"
$ns_ at 5.51 "$ns_ trace-annotate \"DEVICE 14 HACKING THE MESSAGE OF
SENDER5 \" "
$ns_ at 5.52 "$node_(14) add-mark m3 YELLOW circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.03
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(15) $tcp
$ns_ attach-agent $node_(17) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 5.53 "$ftp start"
$ns_ at 5.54 "$ftp stop"
$ns_ at 5.55 "$ns_ trace-annotate \"DEVICE 17 HACKING THE MESSAGE OF
SENDER6 \" "
$ns_ at 5.58 "$node_(17) add-mark m3 YELLOW circle"
$ns_ at 5.60 "$ns_ trace-annotate \"IDS watches all the Transmission\" "
45
$ns_ at 5.60 "$ns_ trace-annotate \"To Identify the Attackers in the network \" "
$ns_ at 6.10 "$ns_ trace-annotate \"wormhole attack start identify the hackers \" "
$ns_ at 6.12 "$node_(16) add-mark m4 red square"
$ns_ at 6.12 "$node_(16) label \"intruder1\""
$ns_ at 6.14 "$node_(14) add-mark m4 red square"
$ns_ at 6.14 "$node_(14) label \"intruder2\""
$ns_ at 6.20 "$ns_ trace-annotate \"blackhole attack start identify the hackers \" "
$ns_ at 6.22 "$node_(10) add-mark m4 red square"
$ns_ at 6.22 "$node_(10) label \"intruder4\""
$ns_ at 6.24 "$node_(22) add-mark m4 red square"
$ns_ at 6.24 "$node_(22) label \"intruder5\""
$ns_ at 6.26 "$node_(17) add-mark m4 red square"
$ns_ at 6.26 "$node_(17) label \"intruder6\""
$ns_ at 6.40 "$ns_ trace-annotate \"IDS-1 start deleting the hackers \" "
$ns_ at 6.45 "$node_(16) label-at up"
$ns_ at 6.50 "$node_(14) label-at up"
$ns_ at 6.70 "$ns_ trace-annotate \"IDS-2 start deleting the hackers \" "
$ns_ at 6.75 "$node_(10) label-at up"
46
$ns_ at 6.80 "$node_(22) label-at up"
$ns_ at 6.85 "$node_(17) label-at up"
$ns_ at 7.0 "$ns_ trace-annotate \"ALL THE HACKERS ARE IDENTIFIED AND
DELETING BY THE IDS \" "
$ns_ at 7.5 "$ns_ trace-annotate \"Data Fusion START WITH OUT HACKERS..... \" "
$ns_ at 7.10 "$node_(5) add-mark m1 green circle"
$ns_ at 7.11 "$node_(5) label \"SENDER6\""
$ns_ at 7.20 "$node_(2) add-mark m1 blue circle"
$ns_ at 7.21 "$node_(2) label \"RECEIVER6\""
$ns_ at 7.30 "$node_(18) add-mark m1 green circle"
$ns_ at 7.31 "$node_(18) label \"SENDER7\""
$ns_ at 7.40 "$node_(6) add-mark m1 blue circle"
$ns_ at 7.41 "$node_(6) label \"RECEIVER7\""
$ns_ at 7.50 "$node_(7) add-mark m1 green circle"
$ns_ at 7.51 "$node_(7) label \"SENDER8\""
$ns_ at 7.60 "$node_(3) add-mark m1 blue circle"
$ns_ at 7.61 "$node_(3) label \"RECEIVER8\""
$ns_ at 7.65 "$node_(12) add-mark m1 purple square"
$ns_ at 7.67 "$node_(12) label \" IDS\""
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
47
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(5) $tcp
$ns_ attach-agent $node_(2) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 7.70 "$ftp start"
$ns_ at 8.00 "$ftp stop"
\" "
$ns_ at 8.01 "$ns_ trace-annotate \"SENDER7 COMMUNICATE WITH RECEIVER7
$ns_ at 8.02 "$node_(2) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(18) $tcp
$ns_ attach-agent $node_(6) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 8.10 "$ftp start"
$ns_ at 8.40 "$ftp stop"
\" "
$ns_ at 8.41 "$ns_ trace-annotate \"SENDER8 COMMUNICATE WITH RECEIVER8
48
$ns_ at 8.42 "$node_(6) add-mark m3 blue circle"
set tcp [new Agent/TCP]
$tcp set class_ 1
Agent/TCP set packetSize_ 512
Agent/TCP set interval_ 0.05
set sink [new Agent/TCPSink]
$ns_ attach-agent $node_(7) $tcp
$ns_ attach-agent $node_(3) $sink
$ns_ connect $tcp $sink
set ftp [new Application/FTP]
$ftp attach-agent $tcp
$ns_ at 8.50 "$ftp start"
$ns_ at 8.80 "$ftp stop"
\" "
$ns_ at 8.81 "$ns_ trace-annotate \"SENDER9 COMMUNICATE WITH RECEIVER9
$ns_ at 8.82 "$node_(3) add-mark m3 blue circle"
$ns_ at 8.90 "$ns_ trace-annotate \"SNIFFER WATCHING THE TRANMISSION \"
"
$ns_ at 8.95 "$ns_ trace-annotate \"THERE IS NO HACKER \" "
$ns_ at 9.00 "$ns_ trace-annotate \"INTRUSION DETECTION EVALUATED \" "
#---------------------------------Read over all file------------------------
49
proc readoverall { } {
global s d node ns sink
set ii 0
set p1_ii 0
set p2_ii 0
set p3_ii 0
#open overall and store in array
set ov [open overall r]
set x($ii) $s
incr ii
while { [gets $ov data] >= 0 } {
set x($ii) $data
incr ii }
close $ov
set x($ii) $d
incr ii
#open path-1 and store in array
set p1 [open path1 r]
50
while { [gets $p1 data] >= 0 } {
set p1_x($p1_ii) $data
incr p1_ii }
close $p1
#open path-2 and store in array
set p2 [open path2 r]
while { [gets $p2 data] >= 0 } {
set p2_x($p2_ii) $data
set p2_ii [expr $p2_ii +1] }
close $p2
#open path-3 and store in array
set p3 [open path3 r]
while { [gets $p3 data] >= 0 } {
set p3_x($p3_ii) $data
set p3_ii [expr $p3_ii +1] }
close $p3
set rr 0
#move Intruder(Black_hole) between receiver1 and sender1 (if sender and receiver are same
path)
51
if {$rr == 0 } {
for { set dd 0 } { $dd < $p1_ii } {incr dd } {
if { $p1_x($dd) == $ne_nd } {
for {set k 0 } {$k <$p1_ii } {incr k} {
if { $p1_x($k) == $sne_nd } {
set rr 1
set p 1
}
}
}
}
for { set dd 0 } {$dd<$p2_ii } {incr dd } {
if { $p2_x($dd) == $ne_nd } {
for {set k 0 } {$k <$p2_ii } {incr k} {
if { $p2_x($k) == $sne_nd } {
set rr 1
set p 2
}
}
}
52
}
for { set dd 0 } {$dd<$p3_ii } {incr dd } {
if { $p3_x($dd) == $ne_nd } {
for {set k 0 } {$k <$p3_ii } {incr k} {
if { $p3_x($k) == $sne_nd } {
set rr 1
set p 3
}
}
}
}
if { $rr == 1 } {
set xx [expr int([$node($ne_nd) set X_])]
set yy [expr int([$node($ne_nd) set Y_])]
set nx [expr int([$node($sne_nd) set X_])]
set ny [expr int([$node($sne_nd) set Y_])]
set xz [expr int(($nx + $xx)/2)]
set yz [expr int(($ny + $yy)/2)]
set de [expr int(sqrt(pow(($xx-$nx),2)+pow(($yy-$ny),2)))]
if { $de <= 250 } {
53
$ns at 11.9 "$node(21) setdest $xz $yz [expr 5*$min]"
if { $sne_nd == $s || $ne_nd== $s} {
set jcbr [attach-CBR-traffic $node($sne_nd) $sink($ne_nd) 8 0.001]
$ns at 12.15 "$jcbr start"
$ns at 12.16 "$jcbr stop"
} elseif { $sne_nd == $d || $ne_nd== $d} {
set jcbr [attach-CBR-traffic $node($sne_nd) $sink($ne_nd) 8 0.001]
$ns at 12.17 "$jcbr start"
$ns at 12.18 "$jcbr stop"
} else {
set jcbr [attach-CBR-traffic $node($sne_nd) $sink($ne_nd) 8 0.001]
$ns at 12.16 "$jcbr start"
$ns at 12.17 "$jcbr stop"
}
return $p
} else { set rr 0 }
}
}
54
if { $rr==0 } {
#move Intruder(worm_hole) between receiver2 and sender2 (if sender and receiver are same
path )
for { set dd 0 } {$dd<$p1_ii } {incr dd } {
if { $p1_x($dd) == $ne_nd } {
for {set k 0 } {$k <$p1_ii } {incr k} {
if { $p1_x($k) == $tne_nd } {
set rr 1
set p 1
}
}
}
}
for { set dd 0 } {$dd<$p2_ii } {incr dd } {
if { $p2_x($dd) == $ne_nd } {
for {set k 0 } {$k <$p2_ii } {incr k} {
if { $p2_x($k) == $tne_nd } {
set rr 1
set p 2
}
55
}
}
}
for { set dd 0 } {$dd<$p3_ii } {incr dd } {
if { $p3_x($dd) == $ne_nd } {
for {set k 0 } {$k <$p3_ii } {incr k} {
if { $p3_x($k) == $tne_nd } {
set rr 1
set p 3
}
}
}
}
if { $rr == 1 } {
set xx [expr int([$node($ne_nd) set X_])]
set yy [expr int([$node($ne_nd) set Y_])]
set nx [expr int([$node($tne_nd) set X_])]
set ny [expr int([$node($tne_nd) set Y_])]
56
set xz [expr int(($nx + $xx)/2)]
set yz [expr int(($ny + $yy)/2)]
set de [expr int(sqrt(pow(($xx-$nx),2)+pow(($yy-$ny),2)))]
if { $de <= 250 } {
$ns at 11.9 "$node(24) setdest $xz $yz [expr 5*$min]"
if { $ne_nd == $s || $tne_nd== $s} {
set jcbr [attach-CBR-traffic $node($ne_nd) $sink($tne_nd) 8 0.001]
$ns at 12.15 "$jcbr start"
$ns at 12.16 "$jcbr stop"
} elseif { $ne_nd == $d || $tne_nd== $d} {
set jcbr [attach-CBR-traffic $node($ne_nd) $sink($tne_nd) 8 0.001]
$ns at 12.17 "$jcbr start"
$ns at 12.18 "$jcbr stop"
} else {
set jcbr [attach-CBR-traffic $node($ne_nd) $sink($tne_nd) 8 0.001]
$ns at 12.16 "$jcbr start"
$ns at 12.17 "$jcbr stop"
}
57
return $p
} else { set rr 0 }
}
}
#move Intruder(man in_middle) between receiver4 and sender4 (if sender and receiver are
same path )
if { $rr == 0 } {
for { set dd 0 } {$dd<$p1_ii } {incr dd } {
if { $p1_x($dd) == $sne_nd } {
for {set k 0 } {$k <$p1_ii } {incr k} {
if { $p1_x($k) == $tne_nd } {
set rr 1
set p 1
}
}
}
}
58
for { set dd 0 } {$dd<$p2_ii } {incr dd } {
if { $p2_x($dd) == $sne_nd } {
for {set k 0 } {$k <$p2_ii } {incr k} {
if { $p2_x($k) == $tne_nd } {
set rr 1
set p 2
}
}
}
}
for { set dd 0 } {$dd<$p3_ii } {incr dd } {
if { $p3_x($dd) == $sne_nd } {
for {set k 0 } {$k <$p3_ii } {incr k} {
if { $p3_x($k) == $tne_nd } {
set rr 1
set p 3
}
}
}
}
59
if { $rr == 1 } {
set xx [expr int([$node($sne_nd) set X_])]
set yy [expr int([$node($sne_nd) set Y_])]
set nx [expr int([$node($tne_nd) set X_])]
set ny [expr int([$node($tne_nd) set Y_])]
set xz [expr int(($nx + $xx)/2)]
set yz [expr int(($ny + $yy)/2)]
set de [expr int(sqrt(pow(($xx-$nx),2)+pow(($yy-$ny),2)))]
if { $de <= 250 } {
$ns at 11.9 "$node(1) setdest $xz $yz [expr 5*$min]"
if { $sne_nd == $s || $tne_nd== $s} {
set jcbr [attach-CBR-traffic $node($sne_nd) $sink($tne_nd) 8 0.001]
$ns at 12.15 "$jcbr start"
$ns at 12.16 "$jcbr stop"
} elseif { $sne_nd == $d || $tne_nd== $d} {
set jcbr [attach-CBR-traffic $node($sne_nd) $sink($tne_nd) 8 0.001]
60
$ns at 12.17 "$jcbr start"
$ns at 12.18 "$jcbr stop"
} else {
set jcbr [attach-CBR-traffic $node($sne_nd) $sink($tne_nd) 8 0.001]
$ns at 12.16 "$jcbr start"
$ns at 12.17 "$jcbr stop"
}
return $p
} else { set rr 0 }
}
}
}
#node move code $ns_ at 3.1 "$node_(3) setdest 390.0 230.0 50.0"
#
61
# Define node movement model
#
#puts "Loading connection pattern..."
#source $val(cp)
#
# Define traffic model
#
#puts "Loading scenario file..."
#source $val(sc)
# Define node initial position in nam
for {set i 0} {$i < $val(nn)} {incr i} {
# 20 defines the node size in nam, must adjust it according to your scenario
# The function must be called after mobility model is define
$ns_ initial_node_pos $node_($i) 30
}
#$ns_ at 1.1 "$node_(15) add-mark m1 brown circle"
#nam window comments
#
# Tell nodes when the simulation ends
62
#
#~~~~~~~~~~~~~~~~~~~~~~~~~` Finish Procedure to exec NAM
Window~~~~~~~~~~~~~~~~~~~~~~~~~~~
#log-energy
#finishing process
proc finish {} {
global ns_ tracefd namtrace
close $tracefd
close $namtrace
#exec awk -f graph.awk wireless-out.tr > efficiency
exec xgraph -P throughput.xg &
exec xgraph -P pdr.xg &
exec xgraph -P datarate.xg &
exec xgraph -p end-enddelay.Exist end-enddelay.prop &
exec xgraph -p packetoverhead.Exist packetoverhead.prop &
exec nam wireless-out.nam &
}
$ns_ at $val(stop).0001 "finish"
63
$ns_ at $val(stop).0002 "puts \"NS EXITING...\" ; $ns_ halt"
puts "Starting Simulation..."
$ns_ run
4.3 SCREENSHOTS
Figure 4.3.1:Creating Adhoc Network
64
4.4 EXPERIMENTAL ANALYSIS
Figure 4.4.1:Comparison of packet overhead of the proposed with the existing system
Figure 4.4.2:Comparison of end delay of the proposed with the existing system
65
Figure 4.4.3: Comparison of throughput of the proposed with the existing system.
Figure 4.4.4:Comparison of PDR of the proposed with the existing sytem
66
5.CONCLUSION AND FUTURE WORK
To the best of the authors’ knowledge, this paper demonstrates, for the first time, that it
is possible to create simple and effective Gaussian based models of the shortest path
distribution in scale-free network topologies by accounting for the number of nodes only. The
accuracy of the proposed models has been further investigated by considering real Internet
network topologies, learned from reference data sets. This work represents a strong
advancement of the state of the art because currently available approaches require a case-by-
case fitting to catch the properties of the network scenario of interest. For future works, we
plan to apply this approach to other distributions, such as Weibull, in order to achieve even
better accuracy.
67
REFERENCES:
[1] J.P Anderson, “Computer Security Threat Monitoring andSurveillance”, Technical report,
James P Anderson Co., FortWashington, Pennsylvania, April 1980.
[2] Dorothy Denning, “An Intrusion Detection Model”, IEEETransactions on Software
Engineering, February 1987, pp.2- 222.
[3] G. Vigna and C. Kruegel, “Host-based Intrusion Detection Systems,”in The Handbook of
Information Security, Volume III, John Wiley &Sons, December 2005.
[4] Sandeep Kumar, Eugene H. Spaffor, “An application of PatternMatching in Intrusion
Detection”, Technical report 94-013,PurdueUniversity, Department of computer sciences,
March 1994.
[5] Daniel B. Cid, OSSEC[OL] , 2008, http://www.ossec.net.
[6] Andrew Hay,Daniel Cid, Rory Bray, Log Analysis using OSSEC[M],Syngress, 2007.
[7] Russell, S. and P. Norvig, 2003, Artificial Intelligence: A ModernApproach[M], 2nd Edn,
Prentice Hall, Inc.
[8] Yen, J.C. and J.I. Guo, 2002, “The design and realization of a chaotic neural signal
security system”, Pattern Recognition and ImageAnalysis (Advances in Mathematical Theory
and Applications), 12,pp.70-79.
[9] Lian, S., G. Chen, A. Cheung and Z. Wang, 2004. A chaotic-neural network-based
encryption algorithm for JPEG2000 encoder images.Advances in Neural Networks, Intl.
Symp. Neural NetworksProc., Part II, Lecture Notes in Computer Science, 3174,pp.627-632.
APPENDIX:
Later we implemented our project in the OSSEC tool.
68