Content Materials1


  • 8/13/2019 Content Materials1


    CHAPTER 1

    INTRODUCTION

1.1 CLOUD COMPUTING

Cloud computing provides its users with many capabilities, such as access to a large number of applications without the need to license, purchase, install or download any of them. It also reduces both the running and installation costs of computers and software, since no local infrastructure is needed. Users can access information anywhere; all they need is a connection to a network (usually the Internet). Cloud computing offers companies more storage than traditional storage systems.

    1.1.1 Cloud Deployment Models

Deploying cloud computing can differ depending on requirements, and the following four deployment models have been identified, each with specific characteristics that support the needs of the services and users of the clouds in particular ways:

Private Cloud: The cloud infrastructure has been deployed, and is maintained and operated, only for a specific organization. The cloud may be hosted within the organization or externally and is managed internally or by a third party. This model does not benefit from the less hands-on management, nor from the economic advantages, that make cloud computing such an intriguing concept.

Public Cloud: The cloud infrastructure is made available to the public on a commercial basis by a cloud service provider. This enables a consumer to develop and deploy a service in the cloud with very little financial commitment compared to the capital expenditure normally associated with other deployment options.

Community Cloud: The cloud infrastructure is shared among a number of organizations with similar interests and requirements. It can be managed internally or by a third party and hosted within the organization or externally. The costs are shared among fewer users than in a public cloud, so a community cloud benefits from medium costs as a result of the sharing policy. By comparison, with the private cloud the costs increase alongside the level of expertise needed.

Hybrid Cloud: A combination of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. By utilizing a "hybrid cloud" architecture, companies and individuals are able to obtain a degree of fault tolerance combined with locally immediate usability without being entirely dependent on third-party services. A hybrid cloud architecture requires both on-premises resources and off-site (remote) server-based cloud infrastructure. Hybrid clouds lack the flexibility, security and certainty of in-house applications; however, they combine the flexibility of in-house applications with the fault tolerance and scalability of cloud-based services.

    1.1.2 Cloud Computing Service Delivery Models

Cloud computing providers offer three fundamental service models:

Infrastructure as a Service (IaaS): Cloud computing providers offer physical and virtual computers, extra storage, networking devices, etc. The virtual machines are run by hypervisors that are organized into pools and controlled by operational support systems. It is the cloud user's responsibility to install operating system images on the virtual machines as well as their application software.

Fig1.1. Service Models of Cloud Computing.

Platform as a Service (PaaS): This refers to computing platforms such as web servers, databases, operating systems and programming environments, where the cloud user uses software or platforms offered by the CSP.

Software as a Service (SaaS): Cloud users can use software that is already installed and running on the cloud infrastructure, eliminating the need to install and run the software on their own computers. Additionally, the need for software maintenance and support is eliminated.

    1.1.3 Cloud Security Attacks

Cloud computing involves three parties: the cloud customer or user, the Cloud Service Provider (CSP) and the cloud network (usually the Internet, which can be considered the transmission medium of the cloud), as illustrated in figure 1.2.

    Fig1.2 The three parties of cloud computing

There are many security threats at different levels, such as threats at the Cloud Service Provider (CSP) level, the network level and the user/host level. These threats must be dealt with, since it is necessary to keep the cloud up and running continuously. In this section we study different types of attacks at different levels and the ways to reduce the damage they cause.

    1.2 INTRUDER

An intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. The term "intruders" comprises more than just human attackers who manage to gain access to computer resources that were not meant to be used by them in the first place. Apart from these human attackers, who are popularly called "hackers", intruders can be computer programs that seem to be useful but contain secret functionality to invade a system or a resource. Programs containing viruses can act as intruders too. Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security.

    1.2.1 Types of Intruders

One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker. Anderson [ANDE80] identified three classes of intruders:

Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

Examples of Intrusion:

• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

    1.3 INTRUSION DETECTION

Inevitably, the best intrusion prevention system will fail. A system's second line of defense is intrusion detection, and this has been the focus of much research in recent years. This interest is motivated by a number of considerations, including the following:

• If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner the intrusion is detected, the less the amount of damage and the more quickly recovery can be achieved.
• An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. Of course, we cannot expect that there will be a crisp, exact distinction between an attack by an intruder and the normal use of resources by an authorized user. Rather, we must expect that there will be some overlap.

    Fig 1.3 Profiles of Behavior of Intruders and Authorized Users

Figure 1.3 suggests, in very abstract terms, the nature of the task confronting the designer of an intrusion detection system. Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap in these behaviors. Thus, a loose interpretation of intruder behavior, which will catch more intruders, will also lead to a number of "false positives," or authorized users identified as intruders. On the other hand, an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false negatives, or intruders not identified as intruders. Thus, there is an element of compromise and art in the practice of intrusion detection.
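The trade-off described above, as an added example that is not part of the report: a small Python script that assigns each session an anomaly score and counts false positives and false negatives at several detection thresholds. The session scores in CONSTRUCTED_SESSIONS and the helper names classify and sweep are constructed for this illustration and are not from the report; the overlap between the two groups of scores is deliberate, so that no threshold separates them perfectly.

```python
# Added example (not from the report): how a detection threshold trades false
# positives against false negatives when legitimate and intruder behaviour
# overlap, as Figure 1.3 describes. Scores and labels are constructed sample
# data (assumption), e.g. an anomaly score assigned to each session.

CONSTRUCTED_SESSIONS = [
    # (anomaly_score, is_intruder)
    (0.05, False), (0.12, False), (0.20, False), (0.31, False), (0.38, False),
    (0.44, False), (0.52, False), (0.61, False),            # legitimate users
    (0.47, True), (0.58, True), (0.66, True), (0.73, True),
    (0.81, True), (0.90, True),                             # intruders
]


def classify(sessions, threshold):
    """Flag a session as intrusive when its score reaches the threshold.
    Returns (false_positives, false_negatives, true_positives)."""
    fp = fn = tp = 0
    for score, is_intruder in sessions:
        flagged = score >= threshold
        if flagged and not is_intruder:
            fp += 1            # authorized user identified as an intruder
        elif not flagged and is_intruder:
            fn += 1            # intruder not identified as an intruder
        elif flagged and is_intruder:
            tp += 1
    return fp, fn, tp


def sweep(sessions, thresholds):
    """Evaluate several thresholds: a loose (low) threshold catches more
    intruders at the price of more false positives, a tight (high) one
    does the reverse."""
    return {t: classify(sessions, t) for t in thresholds}


if __name__ == "__main__":
    for t, (fp, fn, tp) in sweep(CONSTRUCTED_SESSIONS, (0.40, 0.55, 0.70)).items():
        print(f"threshold={t:.2f}  false_pos={fp}  false_neg={fn}  true_pos={tp}")
```

Running the script shows the compromise the text refers to: at 0.40 every intruder is caught but three legitimate sessions are flagged, at 0.70 no legitimate session is flagged but half of the intruders are missed.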


    CHAPTER 2

    LITERATURE SURVEY 

1. The paper entitled: "A Scalable Approach to Attack Graph Generation"

    Year: 2006

    Authors: Xinming Ou, Wayne F. Boyer, Miles A. McQueen

Attack graphs are important tools for analyzing security vulnerabilities in enterprise networks. Previous work on attack graphs has not provided an account of the scalability of the graph generating process, and there is often a lack of logical formalism in the representation of attack graphs, which results in the attack graph being difficult to use and understand by human beings. This paper presents a new approach to represent and generate attack graphs. We propose logical attack graphs, which directly illustrate logical dependencies among attack goals and configuration information.

Advantages:

• It clearly specifies the causality relations between system configuration information and an attacker's potential privileges.
• Improved scalability

2. The paper entitled: "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic"

    Year: 2008

    Authors: Guofei Gu, Junjie Zhang, and Wenke Lee

Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., HTTP. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C.

Advantages:

• It has very promising detection accuracy
• Very low false positive rate.

3. The paper entitled: "A New Alert Correlation Algorithm Based on Attack Graph"

    Year: 2011

Authors: Sebastian Roschke, Feng Cheng, and Christoph Meinel

Intrusion Detection Systems (IDS) have been proposed for years as an efficient security measure. The problem of false positive alerts is a well known problem for many IDS. The number of false positive alerts increases as a single event may be detected and reported multiple times by different involved sensors. In this paper, an AG based correlation algorithm is proposed. The algorithm consists of a mapping of alerts to AG nodes, the alert aggregation function, a function for building an alert dependency graph, and a function for finding suspicious subsets using the Floyd-Warshall algorithm and the diameter value. The algorithm is implemented and tested based on real data.

Advantages:

• This can improve the filtering without getting inaccurate in the results.

4. The paper entitled: "Securing Cloud Servers against Flooding Based DDoS Attacks"

    Year: 2012

    Authors: Niraj Suresh Katkamwar, Atharva Girish Puranik and Purva Deshpande

Distributed denial-of-service (DDoS) attacks pose a serious threat to network security. There have been a lot of methodologies and tools devised to detect DDoS attacks and reduce the damage they cause. Still, most of the methods cannot simultaneously achieve:

• Efficient detection with a small number of false alarms
• Real-time transfer of packets.

The DDoS attacks can be classified into the following three main categories:

• Bandwidth Attacks
• Protocol Attacks
• Software Vulnerability

In this paper, we have used a distance-based DDoS technique which uses a simple but effective exponential smoothing technique to predict the mean value of distance in the next time period. The proposed technique relies on MMSE to support efficient traffic arrival rate prediction for separated traffic. We tested the technique in the Internet-like network implemented on NS2 with over 100 nodes.

Advantages:

• The technique is effective.
• It can detect DDoS attacks with a high detection rate.
• Low false positive rate.

5. The paper entitled: "Detecting Spam Zombies by Monitoring Outgoing Messages"

Year: 2012

Authors: Zhenhai Duan, Peng Chen, Fernando Sanchez,

In this paper, we developed an effective spam zombie detection system named SPOT by monitoring outgoing messages in a network. SPOT was designed based on a simple and powerful statistical tool named Sequential Probability Ratio Test to detect the compromised machines that are involved in the spamming activities. SPOT has bounded false positive and false negative error rates. We will develop three spam zombie detection algorithms. The first one is SPOT, which utilizes the Sequential Probability Ratio Test. The other two spam zombie detection algorithms are developed based on the number of spam messages and the percentage of spam messages sent from an internal machine.

Advantages:

• It minimizes the number of required observations to detect a spam zombie.


    CHAPTER 3

    SYSTEM ANALYSIS

    3.1 EXISTING SYSTEM

In the existing cloud system, attacks occur at the cloud server, and the hacking process cannot be traced. All the systems under the server lose their data, and transactions are delayed. Such attacks are more effective in the cloud environment because cloud users usually share computing resources, e.g., being connected through the same switch and sharing the same data storage and file systems, even with potential attackers.

Disadvantages

• Inaccurate detection of attacks from attackers.
• No detection and prevention in the virtual network environment.

    3.2 PROPOSED SYSTEM

In this project we propose Network Intrusion detection and Countermeasure sElection in virtual network systems (NICE) to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; rather, NICE employs a reconfigurable virtual networking approach to detect and counter attempts to compromise VMs, thus preventing zombie VMs.

Advantages

• The alert attack graph approach is used to detect and prevent attacks by correlating attack behavior, and it also suggests effective countermeasures.
• We devise NICE, a new multiphase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects the hackers' details and stores them in VM profiles.


    CHAPTER 4

    SYSTEM SPECIFICATION

    4.1 HARDWARE REQUIREMENTS

Processor - Pentium IV
Speed - 3.0 GHz
RAM - 512 MB
Hard Disk - 80 GB
Keyboard - Windows Standard Keyboard
Mouse - Two or Three Button Mouse
Monitor - SVGA

    4.2 SOFTWARE REQUIREMENTS

    Operating System - Windows 7 or Windows XP

    Software tool - Cygwin


    CHAPTER 5

    SOFTWARE DESCRIPTION

    5.1 About NS-2

NS-2 is an open-source simulation tool running on Unix-like operating systems. It is a discrete event simulator targeted at networking research and provides substantial support for simulation of routing, multicast protocols and IP protocols, such as UDP, TCP, RTP and SRM, over wired, wireless and satellite networks. It has many advantages that make it a useful tool, such as support for multiple protocols and the capability of graphically detailing network traffic. Additionally, NS-2 supports several routing and queuing algorithms. LAN routing and broadcasts are part of the routing algorithms; the queuing algorithms include fair queuing, deficit round robin and FIFO.

    5.2 NS 2 Architecture

    Fig.5.1 NS-2 Architecture


    5.3 Features Of NS-2

Some of the features of NS-2 are as follows:

• Multiple interface support added
• Static routing implemented for wireless nodes
• Co-channel interference added
• Adaptive data rate support for 802.11
• BPSK modulation scheme added
• Directional antenna support added (more radiation patterns added in TENS1.2)
• Channel number made configurable
• Addition of ARP entries through script
• 2-p protocol for point to point link added
• Several MAC parameters like RTS threshold and capture threshold made configurable


    CHAPTER 6

    PROJECT DESCRIPTION

    6.1 ARCHITECTURE

    Fig 6.1 NICE architecture within one cloud server cluster.

    6.1.1 NICE-A

NICE-A is a software agent implemented in each cloud server and connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets using OpenFlow tunneling or VLAN approaches. It is a Network-based Intrusion Detection System (NIDS) agent installed in either Dom0 or DomU in each cloud server. It scans the traffic going through the Linux bridges that control all the traffic among VMs and in/out of the physical cloud servers.


    6.1.2 VM Profiling

Virtual machines in the cloud can be profiled to get precise information about their state, services running, open ports, and so on. One major factor that counts toward a VM profile is its connectivity with other VMs. An attacker can use a port-scanning program to perform an intense examination of the network to look for open ports on any VM. So information about any open ports on a VM and the history of opened ports plays a significant role in determining how vulnerable the VM is. All these factors combined form the VM profile. The profiles are maintained in a database and contain comprehensive information about vulnerabilities, alerts, and traffic. The data comes from:

• Attack graph generator: While generating the attack graph, every detected vulnerability is added to its corresponding VM entry in the database.
• NICE-A: Any alert involving the VM is recorded in the VM profile database.
• Network controller: The traffic patterns involving the VM are based on five tuples (source MAC address, destination MAC address, source IP address, destination IP address, protocol). We can have a traffic pattern where packets emanate from a single IP and are delivered to multiple destination IP addresses, and vice versa.

    6.1.3 Attack Analyzer

The major functions of the NICE system are performed by the attack analyzer, which includes procedures such as attack graph construction and update, alert correlation, and countermeasure selection. The process of constructing and utilizing the SAG consists of three phases: information gathering, attack graph construction, and potential exploit path analysis. With this information, attack paths can be modeled using the SAG. Each node in the attack graph represents an exploit by the attacker. Each path from an initial node to a goal node represents a successful attack. The NICE attack graph is constructed based on the following information:

• Cloud system information
• Virtual network topology and configuration information
• Vulnerability information

The attack analyzer also handles alert correlation and analysis operations. This component has two major functions:

• constructs the ACG
• provides threat information

    6.1.4 Workflow of attack Analyzer

    Fig 6.2 Workflow of attack analyzer

1. After receiving an alert from NICE-A, the alert analyzer matches the alert in the ACG.

2. If the alert already exists in the graph and it is a known attack (i.e., matching the attack signature), the attack analyzer performs the countermeasure selection procedure and then notifies the network controller immediately to deploy countermeasure or mitigation actions.

3. If the alert is new, the attack analyzer performs alert correlation and analysis and updates the ACG and SAG. This algorithm correlates each new alert to a matching alert correlation set (i.e., in the same attack scenario).

4. A selected countermeasure is applied by the network controller based on the severity of the evaluation results.

5. If the alert is a new vulnerability and is not present in the NICE attack graph, the attack analyzer adds it to the attack graph and then reconstructs it.

    6.1.5 Network Controller

The network controller is a key component supporting the programmable networking capability that realizes the virtual network reconfiguration feature based on the OpenFlow protocol. In NICE, within each cloud server there is a software switch, which is used as the edge switch for VMs to handle traffic in and out of the VMs. The network controller is responsible for collecting network information about the current OpenFlow network and provides input to the attack analyzer to construct attack graphs. The network controller is able to discover the network connectivity information from OVS and OFS. This information includes the current data paths on each switch and detailed flow information associated with these paths, such as TCP/IP and MAC headers. The network flow and topology change information is automatically sent to the controller and then delivered to the attack analyzer to reconstruct attack graphs.

Another important function of the network controller is to assist the attack analyzer module. The network controller is also responsible for applying the countermeasure chosen by the attack analyzer. If a severe alert is triggered and identifies some known attack, or a VM is detected as a zombie, the network controller will block the VM immediately.


Open the trace file and activate it:

    set tracefd [open wireless.tr w]
    $ns_ trace-all $tracefd

Create the topography and channel:

    set topo [new Topography]
    $topo load_flatgrid 500 500
    set chan [new $val(chan)]

Create the GOD object (General Operations Director):

    create-god $val(nn)

Creating the nodes

After setting the configuration options, the nodes are created. The opening brace of the loop body must stay on the same line as the for command; on its own line Tcl would parse it as a separate command:

    for {set i 0} {$i < $val(nn)} {incr i} {
        set node_($i) [$ns_ node]
        $node_($i) random-motion 0
    }

Example (this snippet uses the simulator handle $ns, as declared in the sample coding of Appendix I, whereas the loop above uses $ns_; the handle must match whichever name the script declared with set):

    set node_(0) [$ns node]
    $node_(0) set X_ 1155
    $node_(0) set Y_ 794
    $node_(0) set Z_ 0.0
    $ns initial_node_pos $node_(0) 75


    Fig 7.1 Network Formation

7.1.2 Data Routing

A router is a device that forwards data packets between computer networks, creating an overlay internetwork. Routing is the process of selecting the best paths in a network along which to send network traffic.

In this module the source node sends data packets to the destination through the shortest channel. The wireless channel acts as the medium for transferring the data.

The shortest path problem is the problem of finding a path between two vertices (or nodes) in a graph such that the sum of the weights of its constituent edges is minimized.

A routing protocol specifies how routers communicate with each other, disseminating information that enables them to select routes between any two nodes on a computer network. Routing algorithms determine the specific choice of route. Each router has a priori knowledge only of the networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network.

    7.1.3 Network Controller

The traffic patterns involving a VM are based on five tuples (source MAC address, destination MAC address, source IP address, destination IP address, protocol). We can have a traffic pattern where packets emanate from a single IP and are delivered to multiple destination IP addresses, and vice versa. The network controller is a key component supporting the programmable networking capability that realizes the virtual network reconfiguration feature based on the OpenFlow protocol. The communication between cloud servers is handled by a physical OpenFlow-capable switch. The network controller is responsible for collecting network information about the current OpenFlow network and provides input to the attack analyzer to construct attack graphs.
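The five-tuple traffic patterns named in section 6.1.2 (VM profiling) and again in section 7.1.3, as an added example that is not the NICE project's code: a Python snippet that aggregates flow records by the five-tuple, keeps the distinct peers per VM, and reports the one-to-many and many-to-one patterns the text mentions. The flow records in CONSTRUCTED_FLOWS, the function names build_profiles and find_patterns, and the fan_threshold tuning value are all constructed for this illustration.

```python
# Added example (not from the report or the NICE project): summarising VM
# traffic by the five-tuple (src MAC, dst MAC, src IP, dst IP, protocol) and
# flagging one-to-many / many-to-one patterns. Flow records are constructed
# sample data (assumption); the MAC and IP addresses are made up.
from collections import defaultdict

CONSTRUCTED_FLOWS = [
    # (src_mac, dst_mac, src_ip, dst_ip, protocol)
    ("aa:00:00:00:00:01", "aa:00:00:00:00:02", "10.0.0.1", "10.0.0.2", "tcp"),
    ("aa:00:00:00:00:01", "aa:00:00:00:00:03", "10.0.0.1", "10.0.0.3", "tcp"),
    ("aa:00:00:00:00:01", "aa:00:00:00:00:04", "10.0.0.1", "10.0.0.4", "tcp"),
    ("aa:00:00:00:00:01", "aa:00:00:00:00:05", "10.0.0.1", "10.0.0.5", "udp"),
    ("aa:00:00:00:00:02", "aa:00:00:00:00:01", "10.0.0.2", "10.0.0.1", "tcp"),
    ("aa:00:00:00:00:03", "aa:00:00:00:00:09", "10.0.0.3", "10.0.0.9", "tcp"),
    ("aa:00:00:00:00:04", "aa:00:00:00:00:09", "10.0.0.4", "10.0.0.9", "tcp"),
    ("aa:00:00:00:00:05", "aa:00:00:00:00:09", "10.0.0.5", "10.0.0.9", "tcp"),
    ("aa:00:00:00:00:02", "aa:00:00:00:00:01", "10.0.0.2", "10.0.0.1", "tcp"),  # repeat of an earlier flow
]


def build_profiles(flows):
    """Per VM (keyed by IP), collect the distinct destinations it sends to and
    the distinct sources it receives from, plus a count per full five-tuple
    (the part of the VM profile that comes from the network controller)."""
    fan_out = defaultdict(set)
    fan_in = defaultdict(set)
    counts = defaultdict(int)
    for src_mac, dst_mac, src_ip, dst_ip, proto in flows:
        counts[(src_mac, dst_mac, src_ip, dst_ip, proto)] += 1
        fan_out[src_ip].add(dst_ip)
        fan_in[dst_ip].add(src_ip)
    return fan_out, fan_in, counts


def find_patterns(flows, fan_threshold=3):
    """Return the VMs whose distinct-destination count (one IP to many, the
    shape a port or host scan leaves) or distinct-source count (many to one)
    reaches fan_threshold. The threshold is an assumed tuning parameter."""
    fan_out, fan_in, _ = build_profiles(flows)
    one_to_many = sorted(ip for ip, peers in fan_out.items() if len(peers) >= fan_threshold)
    many_to_one = sorted(ip for ip, peers in fan_in.items() if len(peers) >= fan_threshold)
    return {"one_to_many": one_to_many, "many_to_one": many_to_one}


if __name__ == "__main__":
    print(find_patterns(CONSTRUCTED_FLOWS))
```

On the constructed records 10.0.0.1 is reported as a one-to-many source (four distinct destinations) and 10.0.0.9 as a many-to-one destination (three distinct sources); the repeated flow only raises the count of its five-tuple and does not add a peer, which is why the profile keeps distinct peers separately from per-tuple counts.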

    7.1.4 Control Center

The control center is connected to the software switches on each cloud server. NICE-A is a software agent implemented in each cloud server and connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets using OpenFlow tunneling or VLAN approaches. The network controller is responsible for deploying attack countermeasures based on decisions made by the attack analyzer.

    7.1.5 Graph Design Based Result

A graph is an essential part of displaying a result, so we plot a graph to compare the various results: packets, throughput, energy efficiency and malicious node detection analysis.

    exec ./xgraph ENERGY.tr TRAFFIC.tr BANDWIDTH.tr -geometry 800x400 \
        -t "PERFORMANCE ANALYSIS ON QOS PARAMETERS" -x "NETWORK AREA" \
        -y "PACKET DELIVERY RATIO" -bg white &


7.2 ALGORITHM USED

7.2.1 Alert Correlation Algorithm

The alert correlation algorithm is run for every alert detected and returns one or more paths Si. Every alert ac received from the IDS is added to the ACG if it does not already exist there. For this new alert ac, the corresponding vertex in the SAG is found using the function map(ac). For this vertex in the SAG, the alerts related to its parent vertices of type NC are then correlated with the current alert ac. This creates a new set of alerts that belong to a path Si in the ACG, or splits out a new path Si+1 from Si with the subset of Si before the alert a and appends ac to Si+1. At the end of this algorithm, the ID of ac is added to the alert attribute of the vertex in the SAG. It returns a set of attack paths S in the ACG.

Alert Correlation Algorithm

Require: alert ac, SAG, ACG
1: if (ac is a new alert) then
2:   create node ac in ACG
3:   n1 ← vc ∈ map(ac)
4:   for all n2 ∈ parent(n1) do
5:     create edge (n2.alert, ac)
6:     for all Si containing a do
7:       if a is the last element in Si then
8:         append ac to Si
9:       else
10:        create path Si+1 = {subset(Si, a), ac}
11:      end if
12:    end for
13:    add ac to n1.alert
14:  end for
15: end if
16: return S
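The alert correlation listing above, and step 3 of the attack analyzer workflow in section 6.1.4 that it implements, rendered in Python as an added example that is not the NICE project's code. The SAGNode and AlertCorrelator classes, the map(ac) lookup as a dictionary from alert signature to SAG vertex, and the scenario built in demo_paths are all constructed here; so is the rule that an alert with no correlated parent alert starts a fresh path, which the listing does not spell out.

```python
# Added example (not from the report or the NICE project): the alert
# correlation algorithm as Python. Vertices, alerts and the map(ac) lookup
# are constructed (assumption); starting a new path when no parent vertex
# carries an alert yet is also an assumption, the listing is silent on it.


class SAGNode:
    """A vertex of the scenario attack graph (SAG)."""

    def __init__(self, name, parents=()):
        self.name = name
        self.parents = list(parents)   # parent vertices in the SAG
        self.alert = []                # IDs of alerts mapped onto this vertex (n.alert)


class AlertCorrelator:
    def __init__(self, sag_map):
        self.sag_map = sag_map   # map(ac): alert signature -> SAG vertex
        self.acg_nodes = set()   # alert IDs already present in the ACG
        self.acg_edges = []      # ACG edges (earlier alert id, later alert id)
        self.paths = []          # the attack paths S, each a list of alert ids

    def correlate(self, ac_id, signature):
        """Lines 1-16 of the listing for one alert ac; returns the paths S."""
        if ac_id in self.acg_nodes:          # line 1: only new alerts are processed
            return self.paths
        self.acg_nodes.add(ac_id)            # line 2: create node ac in ACG
        n1 = self.sag_map[signature]         # line 3: n1 <- vc in map(ac)
        correlated = False
        for n2 in n1.parents:                # line 4
            for a in n2.alert:               # n2.alert may hold several alerts
                self.acg_edges.append((a, ac_id))    # line 5
                correlated = True
                for path in list(self.paths):        # line 6: every Si containing a
                    if a not in path:
                        continue
                    if path[-1] == a:                # lines 7-8
                        path.append(ac_id)
                    else:                            # line 10: subset(Si, a) + ac
                        prefix = path[: path.index(a) + 1]
                        self.paths.append(prefix + [ac_id])
        if not correlated:                   # assumption: first alert of a scenario
            self.paths.append([ac_id])
        n1.alert.append(ac_id)               # line 13
        return self.paths                    # line 16


def demo_paths():
    """Constructed scenario: SAG chain v1 -> v2 -> v3 with a branch v2 -> v4,
    and one alert arriving per vertex in that order."""
    v1 = SAGNode("v1")
    v2 = SAGNode("v2", parents=[v1])
    v3 = SAGNode("v3", parents=[v2])
    v4 = SAGNode("v4", parents=[v2])
    corr = AlertCorrelator({"sig1": v1, "sig2": v2, "sig3": v3, "sig4": v4})
    for alert_id, sig in [("a1", "sig1"), ("a2", "sig2"), ("a3", "sig3"), ("a4", "sig4")]:
        corr.correlate(alert_id, sig)
    corr.correlate("a2", "sig2")   # a repeated alert changes nothing
    return corr.paths, corr.acg_edges


if __name__ == "__main__":
    paths, edges = demo_paths()
    print("paths:", paths)
    print("ACG edges:", edges)
```

In the constructed scenario the alerts a1, a2, a3 extend one path in place, while a4, whose parent alert a2 is not the last element of that path, splits off a second path {a1, a2, a4}, which is the behaviour of line 10.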


    7.2.2 Countermeasure Selection Algorithm

Input to the algorithm is an alert, the attack graph G, and a pool of countermeasures CM. The algorithm starts by selecting the node vAlert that corresponds to the alert generated by a NICE-A. Before selecting the countermeasure, we count the distance from vAlert to the target node. If the distance is greater than a threshold value, we do not perform countermeasure selection but update the ACG to keep track of alerts in the system. For the source node vAlert, all the reachable nodes (including the source node) are collected into a set T. Because the alert is generated only after the attacker has performed the action, we set the probability of vAlert to 1 and calculate the new probabilities for all of its child (downstream) nodes in the set T. Now, for all t ∈ T the applicable countermeasures in CM are selected and new probabilities are calculated according to the effectiveness of the selected countermeasures. The change in probability of the target node gives the benefit of the applied countermeasure. In the next double for-loop, we compute the Return on Investment (ROI) for each benefit of the applied countermeasure. The countermeasure which, when applied on a node, gives the least value of ROI is regarded as the optimal countermeasure. Finally, the SAG and ACG are also updated before terminating the algorithm. The complexity of Algorithm 2 is O(|V| × |CM|), where |V| is the number of vulnerabilities and |CM| represents the number of countermeasures.

Countermeasure Selection Algorithm

Require: Alert, G(E, V), CM
1: Let vAlert = Source node of the Alert
2: if Distance_to_Target(vAlert) > threshold then
3:   Update ACG
4:   return
5: end if
6: Let T = Descendant(vAlert) ∪ vAlert
7: Set Pr(vAlert) = 1
8: Calculate_Risk_Prob(T)
9: Let benefit[|T|, |CM|] = ∅
10: for each t ∈ T do
11:   for each cm ∈ CM do
12:     if cm.condition(t) then
13:       Pr(t) = Pr(t) × (1 − cm.effectiveness)
14:       Calculate_Risk_Prob(Descendant(t))
15:       benefit[t, cm] = ΔPr(target node)   (7)
16:     end if
17:   end for
18: end for
19: Let ROI[|T|, |CM|] = ∅
20: for each t ∈ T do
21:   for each cm ∈ CM do
22:     ROI[t, cm] = benefit[t, cm] / (cost.cm + intrusiveness.cm)   (8)
23:   end for
24: end for
25: Update SAG and Update ACG
26: return Select_Optimal_CM(ROI)
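The countermeasure selection listing above in Python, as an added example that is not the NICE project's code. The listing does not define the attack graph structure, the probability rule inside Calculate_Risk_Prob, the countermeasure pool or the threshold, so all of these are constructed here: the AttackGraph class, the rule Pr(v) = p_exploit(v) × (1 − ∏(1 − Pr(parent))), the three countermeasures in demo, and a hop-count distance. benefit[t, cm] is taken as Pr(target) after minus before, which is zero or negative, so the "least value of ROI" the text asks for is the largest risk reduction per unit of cost plus intrusiveness; that reading is an assumption too.

```python
# Added example (not from the report or the NICE project): countermeasure
# selection as Python. Graph, probability rule, countermeasures, distance
# metric and threshold are constructed assumptions; the listing defines none
# of them. Only "Update ACG" is modelled (as a list of handled alerts).
from itertools import product


class AttackGraph:
    """Minimal SAG: nodes are exploits, an edge runs from an exploit to the
    exploits it enables (assumed structure)."""

    def __init__(self):
        self.parents, self.children, self.p_exploit = {}, {}, {}
        self.acg = []   # stands in for the ACG; "Update ACG" appends the alert node

    def add_node(self, node, p_exploit, parents=()):
        self.parents[node] = list(parents)
        self.children[node] = []
        self.p_exploit[node] = p_exploit   # success probability once reachable
        for p in parents:
            self.children[p].append(node)

    def descendants(self, node):
        """Descendant(v): nodes reachable from v, ordered parents before children."""
        order, seen = [], set()

        def visit(n):
            for c in self.children[n]:
                if c not in seen:
                    seen.add(c)
                    visit(c)
                    order.append(c)

        visit(node)
        return order[::-1]   # reversed post-order of a DAG is a topological order

    def distance_to_target(self, node, target):
        """Distance_to_Target: shortest hop count, or None if unreachable."""
        dist, queue = {node: 0}, [node]
        while queue:
            n = queue.pop(0)
            if n == target:
                return dist[n]
            for c in self.children[n]:
                if c not in dist:
                    dist[c] = dist[n] + 1
                    queue.append(c)
        return None


def calculate_risk_prob(graph, nodes, pr):
    """Calculate_Risk_Prob over nodes given parents-first. Assumed rule:
    Pr(v) = p_exploit(v) * (1 - prod(1 - Pr(parent))); a parent whose
    probability is unknown (not reachable from vAlert) counts as 0."""
    for v in nodes:
        not_reached = 1.0
        for p in graph.parents[v]:
            not_reached *= 1.0 - pr.get(p, 0.0)
        pr[v] = graph.p_exploit[v] * (1.0 - not_reached)
    return pr


def select_countermeasure(graph, v_alert, target, cms, threshold=3):
    """Lines 1-26 of the listing. benefit[t, cm] = Pr(target) after - before
    (<= 0), so the least ROI is the largest reduction per unit of cost +
    intrusiveness, matching the text's 'least value of ROI'."""
    d = graph.distance_to_target(v_alert, target)
    if d is None or d > threshold:                  # lines 2-5
        graph.acg.append(v_alert)
        return None
    T = [v_alert] + graph.descendants(v_alert)      # line 6
    pr = calculate_risk_prob(graph, T[1:], {v_alert: 1.0})   # lines 7-8
    base = pr[target]
    benefit = {}
    for t, cm in product(T, cms):                   # lines 10-18
        if not cm["condition"](t):
            continue
        trial = dict(pr)                            # evaluate each (t, cm) on its own
        trial[t] = trial[t] * (1.0 - cm["effectiveness"])          # line 13
        calculate_risk_prob(graph, graph.descendants(t), trial)    # line 14
        benefit[(t, cm["name"])] = trial[target] - base            # eq. (7)
    by_name = {cm["name"]: cm for cm in cms}
    roi = {key: b / (by_name[key[1]]["cost"] + by_name[key[1]]["intrusiveness"])
           for key, b in benefit.items()}          # lines 20-24, eq. (8)
    graph.acg.append(v_alert)                       # line 25 (SAG untouched in this toy)
    optimal = min(roi, key=roi.get) if roi else None   # line 26: Select_Optimal_CM
    return {"optimal": optimal, "roi": roi, "base_risk": base}


def demo(threshold=3):
    """Constructed scenario: the alert fires on e1, which enables e2 and e3,
    both of which lead to the target exploit; three assumed countermeasures."""
    g = AttackGraph()
    g.add_node("e1", 0.9)
    g.add_node("e2", 0.8, parents=["e1"])
    g.add_node("e3", 0.5, parents=["e1"])
    g.add_node("target", 0.6, parents=["e2", "e3"])
    cms = [
        {"name": "block_vm", "effectiveness": 1.0, "cost": 6, "intrusiveness": 4,
         "condition": lambda t: True},
        {"name": "rate_limit", "effectiveness": 0.5, "cost": 1, "intrusiveness": 1,
         "condition": lambda t: True},
        {"name": "patch", "effectiveness": 0.9, "cost": 3, "intrusiveness": 0,
         "condition": lambda t: t != "e1"},   # the node already exploited cannot be patched in time
    ]
    return select_countermeasure(g, "e1", "target", cms, threshold)


if __name__ == "__main__":
    print(demo())
```

With these constructed numbers the target is reachable with probability 0.54 once e1 has been exploited; the pair (target, patch) gives ROI −0.162 and is selected, ahead of rate limiting the target (−0.135) and blocking the VM at e1 (−0.054). With threshold=1 the alert is two hops from the target, so only the ACG is updated and no countermeasure is chosen.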


    CHAPTER 8

    RESULTS

     NETWORK FORMATION


    START THE NICE PROCESS

    SERVER PROCESS UTILIZATION


    VIRSUS ENTER INTO THE CLOUD SERVER2

    VIRUS INFECTS THE CLOUD SERVER2

  • 8/13/2019 Content Materials1

    28/40

  • 8/13/2019 Content Materials1

    29/40

    29

    VIRUS REMOVED FROM THE CLOUD SERVER2

    PERFORMANCE ANALYSIS OF QOS PARAMETERS

  • 8/13/2019 Content Materials1

    30/40

  • 8/13/2019 Content Materials1

    31/40

    31

    APPENDIX I

    SAMPLE CODING

set val(chan)   Channel/WirelessChannel   ;# channel type
set val(prop)   Propagation/TwoRayGround  ;# radio-propagation model
set val(netif)  Phy/WirelessPhy           ;# network interface type
set val(mac)    Mac/802_11                ;# MAC type
set val(ifq)    Queue/DropTail/PriQueue   ;# interface queue type
set val(ll)     LL                        ;# link layer type
set val(ant)    Antenna/OmniAntenna       ;# antenna model
set val(ifqlen) 50                        ;# max packet in ifq
set val(nn)     33                        ;# number of mobilenodes
set val(rp)     NICE                      ;# routing protocol
set val(rp)     AMRIS                     ;# Link repairing protocol
set val(x)      1500                      ;# X dimension of topography
set val(y)      1500                      ;# Y dimension of topography
set val(stop)   10.0                      ;# time of simulation end
set ns [new Simulator]
set topo [new Topography]
$topo load_flatgrid $val(x) $val(y)
create-god $val(nn)
set tracefile [open out.tr w]
$ns trace-all $tracefile
set namfile [open out.nam w]
$ns namtrace-all $namfile
$ns namtrace-all-wireless $namfile $val(x) $val(y)
set chan [new $val(chan)] ;# Create wireless channel
$ns node-config -llType $val(ll) \
                -macType $val(mac) \
                -ifqType $val(ifq) \
                -ifqLen $val(ifqlen) \
                -antType $val(ant) \
                -propType $val(prop) \
                -phyType $val(netif) \
                -channel $chan \
                -adhocRouting

$node_(4) set Y_ 617
$node_(4) set Z_ 0.0
$ns initial_node_pos $node_(4) 35
set node_(5) [$ns node]
$node_(5) set X_ 358
$node_(5) set Y_ 524
$node_(5) set Z_ 0.0
$ns initial_node_pos $node_(5) 35
set node_(6) [$ns node]
$node_(6) set X_ 192
$node_(6) set Y_ 524
$node_(6) set Z_ 0.0
$ns initial_node_pos $node_(6) 35
set node_(7) [$ns node]
$node_(7) set X_ 1275
$node_(7) set Y_ 676
$node_(7) set Z_ 0.0
$ns initial_node_pos $node_(7) 35
set node_(8) [$ns node]
$node_(8) set X_ 877
$node_(8) set Y_ 515
$node_(8) set Z_ 0.0
$ns initial_node_pos $node_(8) 35
set node_(9) [$ns node]
$node_(9) set X_ 511
$node_(9) set Y_ 524
$node_(9) set Z_ 0.0
$ns initial_node_pos $node_(9) 35
set node_(10) [$ns node]
$node_(10) set X_ 1126
$node_(10) set Y_ 723
$node_(10) set Z_ 0.0
$ns initial_node_pos $node_(10) 35
set node_(11) [$ns node]
$node_(11) set X_ 630
$node_(11) set Y_ 515
$node_(11) set Z_ 0.0
$ns initial_node_pos $node_(11) 35
$ns at 0.0 "$ns trace-annotate \" NICE Process started.....\""
$ns at 1.0 "$ns trace-annotate \" SERVER PROCESS UTILIZATION.....\""
$ns at 3.7 "$ns trace-annotate \" VIRUS INFECTS THE SERVER2 SO THE PROCESS IS VERY SLOW.....\""
$ns at 5.0 "$ns trace-annotate \" NICE AGENT REPORTS TO CONTROL CENTER.....\""
$ns at 7.2 "$ns trace-annotate \" ATTACK ANALYZER COUNTERMEASURES THE PROBLEM.....\""

proc NICE {malicious_node} {
    global node_
    # Report pseudocode: when node 31 has flagged a routing-table update,
    # refresh the table and re-select the route for the data message.
    # rt_upd, update_routing_table and select_route are placeholders that
    # are not defined in this sample.
    if {[$node_(31) set rt_upd] == "true"} {
        update_routing_table
        select_route msg data
    } else {
        update_routing_table ""
    }
}

proc controlmeasure {input skey} {
    upvar $skey key
    # key(n), key(e), key(d), key(p), key(q), key(u) hold the RSA parameters
    # (e is the public exponent; u is the CRT coefficient p^-1 mod q).
    # Uses the GMP bignum commands bitsize, powm, fdiv_r, sub_ui, cmp_si,
    # add, sub and mul.
    if {[bitsize $key(n)] < [bitsize $input]} {
        puts "keysize [bitsize $key(n)] must be greater than text [bitsize $input]/$input"
        # select risk_probability (report pseudocode)
    }
    if {![info exists key(p)]} {
        # no CRT parameters available: plain modular exponentiation
        return [rsa_slow_decrypt $input key]
    } else {
        # m1 = c ^ (d mod (p-1)) mod p
        set m1 [powm $input [fdiv_r $key(d) [sub_ui $key(p) 1]] $key(p)]
        # m2 = c ^ (d mod (q-1)) mod q
        set m2 [powm $input [fdiv_r $key(d) [sub_ui $key(q) 1]] $key(q)]
        # h = u * ( m2 - m1 ) mod q
        set h [sub $m2 $m1]
        if {[cmp_si $h 0] < 0} {
            set h [add $h $key(q)]
        }
        set h [fdiv_r [mul $key(u) $h] $key(q)]
        # m = m1 + h * p
        set m [add $m1 [mul $h $key(p)]]
        # key = m1*m2/m (report pseudocode)
        return $m
    }
}

proc encrypt_packet {ptext pkey} {
    upvar $pkey key
    # encrypt a packet
    # packet format: [md5][length][payload][padding]
    set plen [binary format I [string length $ptext]]
    # assumes ::md5::md5 returns a hex digest (tcllib md5 1.x; pass -hex with 2.x)
    set md5 [binary format H32 [::md5::md5 $ptext]]
    set ptext ${md5}${plen}$ptext
    return [encrypt $ptext key]
    # encrypt m*h (report pseudocode)
}

set udp8 [$ns create-connection UDP $node_(27) LossMonitor $node_(26) 0]
$udp8 set fid_ 1
$udp8 set class_ 1
set cbr7 [$udp8 attach-app Traffic/CBR]
$cbr7 set packetSize_ 512
$cbr7 set interval_ .05
$ns at 1.0 "$cbr7 start"
#$ns at 4.1 "$cbr7 stop"
set udp9 [$ns create-connection UDP $node_(12) LossMonitor $node_(26) 0]
$udp9 set fid_ 1
$udp9 set class_ 1
set cbr8 [$udp9 attach-app Traffic/CBR]
$cbr8 set packetSize_ 512
$cbr10 set interval_ .5
$ns at 3.8 "$cbr10 start"
$ns at 7.5 "$cbr10 stop"
set udp11 [$ns create-connection UDP $node_(14) LossMonitor $node_(25) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 5.0 "$cbr10 start"
$ns at 7.0 "$cbr10 stop"
set udp11 [$ns create-connection UDP $node_(25) LossMonitor $node_(8) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 5.05 "$cbr10 start"
$ns at 7.0 "$cbr10 stop"
set udp11 [$ns create-connection UDP $node_(8) LossMonitor $node_(16) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 5.1 "$cbr10 start"
$ns at 7.0 "$cbr10 stop"
set udp10 [$ns create-connection UDP $node_(13) LossMonitor $node_(10) 0]
$udp10 set fid_ 1
$udp10 set class_ 1
set cbr9 [$udp10 attach-app Traffic/CBR]
$cbr9 set packetSize_ 512
$cbr9 set interval_ .05
$ns at 7.6 "$cbr9 start"
set udp11 [$ns create-connection UDP $node_(10) LossMonitor $node_(0) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 7.6 "$cbr10 start"

proc finish {} {
    global ns tracefile namfile
    $ns flush-trace
    close $tracefile
    close $namfile
    exec ./xgraph ENERGY.tr TRAFFIC.tr BANDWIDTH.tr -geometry 800x400 \
        -t "PERFORMANCE ANALYSIS ON QOS PARAMETERS" -x "NETWORKAREA" \
        -y "PACKETDELIVERY RATIO" -bg white &
    exec ./nam out.nam &
    exit 0
}
for {set i 0} {$i < $val(nn)} {incr i} {
    $ns at $val(stop) "\$node_($i) reset"
    source z.tcl
}
$ns at $val(stop) "$ns nam-end-wireless $val(stop)"
$ns at $val(stop) "finish"
$ns at $val(stop) "puts \"done\" ; $ns halt"
$ns run

REFERENCES

[1] X. Ou, W.F. Boyer, and M.A. McQueen, “A Scalable Approach to Attack Graph Generation,” Proc. 13th ACM Conf. Computer and Comm. Security (CCS ’06), pp. 336-345, 2006.

[2] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” Proc. 15th Ann. Network and Distributed System Security Symp. (NDSS ’08), Feb. 2008.

[3] S. Roschke, F. Cheng, and C. Meinel, “A New Alert Correlation Algorithm Based on Attack Graph,” Proc. Fourth Int’l Conf. Computational Intelligence in Security for Information Systems, pp. 58-67, 2011.

[4] N.S. Katkamwar, A.G. Puranik, and P. Deshpande, “Securing Cloud Servers against Flooding Based DDoS Attacks,” International Journal of Application or Innovation in Engineering & Management (IJAIEM), Nov. 2012.

[5] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, “Detecting Spam Zombies by Monitoring Outgoing Messages,” IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 198-210, Apr. 2012.

[6] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A View of Cloud Computing,” Comm. ACM, vol. 53, no. 4, pp. 50-58, Apr. 2010.

[7] N.M. Turab, A. Abu Taleb, and S.R. Masadeh, “Cloud Computing Challenges and Solutions,” International Journal of Computer Networks