Content Materials1
-
Upload
sasikumar-petchiappan -
Category
Documents
-
view
227 -
download
0
Transcript of Content Materials1
-
8/13/2019 Content Materials1
1/40
1
CHAPTER 1
INTRODUCTION
1. 1 CLOUD COMPUTING
Cloud computing provides its user with many capabilities like accessing a
large number of applications without the need for having a license, purchasing,
installing or downloading any of these applications. It also reduces both running and
installation costs of computers and software as there is no need to have any
infrastructure. Users can access information anywhere; all they need is to connect to
a network (usually the Internet). Cloud computing offers company an increased
storage than traditional storage systems.
1.1.1 Cloud Deployment Models
Deploying cloud computing can differ depending on requirements, and the
following four deployment models have been identifi ed, each with specific
characteristics that support the needs of the services and users of the clouds in
particular ways:
Private Cloud: The cloud infrastructure has been deployed, and is maintained and
operated only for a specific organization. The cloud may be hosted within the
organization or externally and is managed internally or by a third-party. This model
does not benefit from the less hands-on management, nor from the economic
advantages that make cloud computing such an intriguing concept.
Public Cloud: The cloud infrastructure is made available to the public on a
commercial basis by a cloud service provider. This enables a consumer to develop
and deploy a service in the cloud with very little financial implications compared to
the capital expenditure requirements normally associated with other deployment
options.
Community Cloud: The cloud infrastructure is shared among a number of
organizations with similar interests and requirements. It can be managed internally or
by a third party and hosted within the organization or externally. The costs are shared
among fewer users than a public cloud. Hence a community cloud benefits from
-
8/13/2019 Content Materials1
2/40
2
medium costs as a result of a sharing policy. By means of comparison, with the
private cloud the costs increase alongside the level of expertise needed.
Hybrid cloud: It is a combination of two or more clouds (private, community or
public) that remain unique entities but are bound together, offering the benefits of
multiple deployment models. By utilizing “hybrid cloud” architecture, companies
and individuals are able to obtain degrees of fault tolerance combined with locally
immediate usability without being entirely dependent on third party services. Hybrid
Cloud architecture requires both on-premises resources and off-site (remote) server
based cloud infrastructure. Hybrid clouds lack the flexibility, security and certainty
of in-house applications. However, they provide the flexibility of in-houseapplications with the fault tolerance and scalability of cloud based services.
1.1.2 Cloud Computing Service Delivery Models
Cloud computing providers offer three fundamental service models:
Infrastructure as a Service (Iaas) : Cloud computing providers offer physical and
virtual computers, extra storage networking devices etc. The virtual machines are run
by hypervisors that is organized into pools and controlled by operational support
systems. It is cloud users responsibilities to install operating system images on the
virtual machines as well as their application software.
Fig1.1. Service Models of Cloud Computing.
-
8/13/2019 Content Materials1
3/40
3
Platform as a Service (Paas) : It refers to computing platforms such as web
servers, databases operating systems and programming environments, where the
cloud user uses a software or platforms offers by CSP.
Software as a Service (SaaS) : Cloud users can use software that is already
installed and running on the cloud infrastructure. Thus, eliminating the need of
installing and running the software on their own computers. Additionally, the need
for software maintenance and support is eliminated.
1.1.3 Cloud Security Attacks
Cloud computing involves three parties: Cloud Customer or user, Cloud
Service Provider CSP and Cloud network (usually the Internet that can be consideredas the transmission media of the cloud) as illustrated in figure 1.2.
Fig1.2 The three parties of cloud computing
There are many security threats at different levels, such as threats at Cloud
Service Provider CSP level, network Level and user/host level. These threats must be
dealt with since it is necessary to keep the cloud up and running continuously. In this
section we will study different types of attacks at different levels and the ways to
reduce their damage of effect.
1.2 INTRUDER
An Intruder is a person who attempts to gain unauthorized access to a system,
to damage that system, or to disturb data on that system. The term "intruders"
compromises more than just human attackers who manage to gain access to
computer resources although the resource was not meant to be used by them in the
first place. Apart from these human attackers who are popularly called "hackers",
intruders can be computer programs that seem to be useful, but contain secret
functionality to invade a system or a resource. . Programs containing viruses can act
-
8/13/2019 Content Materials1
4/40
4
as intruders too. Unauthorized intrusion into a computer system or network is one of
the most serious threats to computer security.
1.2.1 Types of Intruders
One of the two most publicized threats to security is the intruder (the other is
viruses), often referred to as a hacker or cracker Anderson [ANDE80] identified
three classes of intruders:
Masquerader : An individual who is not authorized to use the computer and
who penetrates a system’s access controls to exploit a legitimate user’s account
Misfeasor : A legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such access but misuseshis or her privileges
Examples of Intrusion:
Performing a remote root compromise of an e-mail server Defacing a Web server Guessing and cracking passwords Copying a database containing credit card numbers Viewing sensitive data, including payroll records and medical information without authorization Running a packet sniffer on a workstation to capture usernames and passwords Using a permission error on an anonymous FTP server to distribute pirated software and music files Dialing into an unsecured modem and gaining internal network access Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password Using an unattended, logged-in workstation without permission
1.3 INTRUSION DETECTION
Inevitably, the best intrusion prevention system will fail. A system’s second
line of defense is intrusion detection, and this has been the focus of much research in
recent years. This interest is motivated by a number of considerations, including the
following:
-
8/13/2019 Content Materials1
5/40
5
If an intrusion is detected quickly enough, the intruder can be identified andrejected from the system before any damage is done or any data are
compromised. Even if the detection is not sufficiently timely to preempt the
intruder, the sooner that the intrusion is detected, the less the amount of
damage and the more quickly that recovery can be achieved.
An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
Intrusion detection enables the collection of information about intrusiontechniques that can be used to strengthen the intrusion prevention facility.
Intrusion detection is based on the assumption that the behavior of the intruderdiffers from that of a legitimate user in ways that can be quantified. Ofcourse, we
cannot expect that there will be a crisp, exact distinction between an attack by an
intruder and the normal use of resources by an authorized user. Rather, we must
expect that there will be some overlap.
Fig 1.3 Profiles of Behavior of Intruders and Authorized Users
Figure1.3 suggests, in very abstract terms, the nature of the task confronting
the designer of an intrusion detection system. Although the typical behavior of an
-
8/13/2019 Content Materials1
6/40
6
intruder differs from the typical behavior of an authorized user, there is an overlap in
these behaviors.Thus, a loose interpretation of intruder behavior, which will catch
more intruders, will also lead to a number of “false positives,” or authorized users
identified as intruders. On the other hand, an attempt to limit false positives by a tight
interpretation of intruder behavior will lead to an increase in false negatives, or
intruders not identified as intruders. Thus, there is an element of compromise and art
in the practice of intrusion detection.
-
8/13/2019 Content Materials1
7/40
7
CHAPTER 2
LITERATURE SURVEY
1. The paper entitled:” A Scalable Approach to Attack Graph Generation “
Year: 2006
Authors: Xinming Ou, Wayne F. Boyer, Miles A. McQueen
Attack graphs are important tools for analyzing security vulnerabilities in
enterprise networks. Previous work on attack graphs has not provided an account of
the scalability of the graph generating process, and there is often a lack of logical
formalism in the representation of attack graphs, which results in the attack graph
being difficult to use and understand by human beings. This paper presents a new
approach to represent and generate attack graphs. We propose logical attack graphs,
which directly illustrate logical dependencies among attack goals and configuration
information.
Advantages:
It clearly specifies the causality relations between system configurationinformation and an attacker’s potential privileges.
Improved scalability
2. The paper entitled:” BotSniffer: Detecting Botnet Command and Control
Channels in Network Traffic “
Year: 2008
Authors: Guofei Gu, Junjie Zhang, and Wenke Lee
Botnets are now recognized as one of the most serious security threats. In
contrast to previous malware, botnets have the characteristic of a command and
control (C&C) channel. Botnets also often use existing common protocols, e.g.,
HTTP. This makes the detection of botnet C&C a challenging problem. In this paper,
we propose an approach that uses network-based anomaly detection to identify
botnet C&C channels in a local area network without any prior knowledge of
signatures or C&C server addresses. This detection approach can identify both the
-
8/13/2019 Content Materials1
8/40
8
C&C servers and infected hosts in the network. Our approach is based on the
observation that, because of the pre-programmed activities related to C&C.
Advantages:
It has very promising detection accuracy Very low false positive rate.
3. The paper entitled:” A New Alert Correlation Algorithm Based on Attack
Graph “
Year: 2011
Authors: Sebastian Roschke, Feng Cheng, and Christoph MeinelIntrusion Detection Systems (IDS) have been proposed for years as an
efficient security Measure. The problem of false positive alerts is a well known
problem for many IDS. The number of false positive alerts increases as a single event
may be detected and reported multiple times by different involved sensors. In this
paper, an AG based correlation algorithm is proposed. The algorithm consists of a
mapping of alerts to AG nodes, the alert aggregation function, a function for building
an alert dependency graph, and a function for finding suspicious subsets using the
Floyd-Warshall algorithm and the diameter value. The algorithm is implemented and
tested based on real data.
Advantages:
This can improve the filtering without getting inaccurate in the results.
4. The paper entitled:” Securing Cloud Servers against Flooding Based DDoZ
Attacks “
Year: 2012
Authors: Niraj Suresh Katkamwar, Atharva Girish Puranik and Purva Deshpande
Distributed denial-of-service (DDoS) attacks pose a serious threat to network
security. There have been a lot of methodologies and tools devised to detect DDoS
attacks and reduce the damage they cause. Still, most of the methods cannot
simultaneously achieve
Efficient detection with a small number of false alarms Real-time transfer of packets.
-
8/13/2019 Content Materials1
9/40
9
The DDoS attacks can be classified into following three main categories:
Bandwidth Attacks Protocol Attacks Software VulnerabilityIn this paper, we have used a distance-based DDoS technique which uses a
simple but effective exponential smoothing technique to predict the mean value of
distance in the next time period. The proposed technique relies on MMSE to support
efficient traffic arrival rate prediction for separated traffic. We tested the technique in
the Internet-like network implemented on NS2 with over 100 nodes.
Advantages: The technique is effective. It can detect DDoS attacks with high detection rate. Low false positive rate.
5. The paper entitled:” Detecting Spam Zombies by Monitoring Outgoing
Messages “
Year: 2012Authors: Zhenhai Duan, Peng Chen, Fernando Sanchez,
In this paper, we developed an effective spam zombie detection system
named SPOT by monitoring outgoing messages in a network. SPOT was designed
based on a simple and powerful statistical tool named Sequential Probability Ratio
Test to detect the compromised machines that are involved in the spamming
activities. SPOT has bounded false positive and false negative error rates. we will
develop three spam zombie detection algorithms. The first one is SPOT, which
utilizes the Sequential Probability Ratio Test. The other two spam zombie detection
algorithms are developed based on the number of spam messages and the percentage
of spam messages sent from an internal machine.
Advantages:
It minimizes the number of required observations to detect a spam zombie.
-
8/13/2019 Content Materials1
10/40
10
CHAPTER 3
SYSTEM ANALYSIS
3.1 EXISTING SYSTEM
In a cloud system, the attack is occurred in the cloud server. So, we can’t find
out the hacking process. All the systems are lost the data's under the server. The
transaction will be delay. Such attacks are more effective in the cloud environment
because cloud users usually share computing resources. e.g., being connected
through the same switch, sharing with the same data storage and file systems, even
with potential attackers.
Disadvantage
Not accuracy in the attack detection from attackers. No detection and prevention in virtual network environment.
3.2 PROPOSED SYSTEM
In this project we proposed Network Intrusion detection and Countermeasure
sElection in virtual network systems (NICE) to establish a defense-in-depth intrusion
detection framework. For better attack detection, NICE incorporates attack graph
analytical procedures into the intrusion detection processes. We must note that the
design of NICE does not intend to improve any of the existing intrusion detection
algorithms, indeed NICE employs a reconfigurable virtual networking approach to
detect and counter the attempts to compromise VMs, thus preventing zombie VMs.
Advantage
The alert attack graph approach using to detect and prevent the attack bycorrelating attack behavior and also suggests effective countermeasures.
We devise NICE, a new multiphase distributed network intrusion detectionand prevention framework in a virtual networking
environment that captures and inspects the hackers details and it is stored inVM profiling.
-
8/13/2019 Content Materials1
11/40
11
CHAPTER 4
SYSTEM SPECIFICATION
4.1 HARDWARE REQUIREMENTS
Processor - Pentium – IV
Speed - 3.0 GHz
RAM - 512 MB
Hard Disk - 80 GB
Keyboard - Windows Standard Keyboard
Mouse - Two or Three Button Mouse
Monitor - SVGA
4.2 SOFTWARE REQUIREMENTS
Operating System - Windows 7 or Windows XP
Software tool - Cygwin
-
8/13/2019 Content Materials1
12/40
12
CHAPTER 5
SOFTWARE DESCRIPTION
5.1 About NS-2
NS-2 is an open-source simulation tool running on Unix-like operating
systems . It is a discreet event simulator targeted at networking research and provides
substantial support for simulation of routing, multicast protocols and IP protocols,
such as UDP, TCP, RTP and SRM over wired, wireless and satellite networks. It has
many advantages that make it a useful tool, such as support for multiple protocols
and the capability of graphically detailing network traffic. Additionally, NS-2
supports several algorithms in routing and queuing. LAN routing and broadcasts are
part of routing algorithms. Queuing algorithm includes fair queuing, deficit round
robin and FIFO.
5.2 NS 2 Architecture
Fig.5.1 NS-2 Architecture
-
8/13/2019 Content Materials1
13/40
13
5.3 Features Of NS-2
Some of the features of NS-2 are as follows:
Multiple interface support added
Static Routing implemented for wireless nodes
Co Channel interference added
Adaptive data rate support for 802.11
BPSK Modulation Scheme Added
Directional Antenna support added (More radiation pattern added in
TENS1.2)
Channel Number made configurable
Addition of ARP entries through script
2-p protocol for point to point link added
Several MAC parameters like RTS Threshold, Capture threshold made
configurable
-
8/13/2019 Content Materials1
14/40
14
CHAPTER 6
PROJECT DESCRIPTION
6.1 ARCHITECTURE
Fig 6.1 NICE architecture within one cloud server cluster.
6.1.1 NICE-A
NICE-A is a software agent implemented in each cloud server connected to
the control center through a dedicated and isolated secure channel, which is separated
from the normal data packets using Open Flow tunneling or VLAN approaches. It is
a Network-based Intrusion Detection System (NIDS) agent installed in either Dom0
or DomU in each cloud server. It scans the traffic going through Linux bridges that
control all the traffic among VMs and in/out from the physical cloud servers.
-
8/13/2019 Content Materials1
15/40
15
6.1.2 VM Profiling
Virtual machines in the cloud can be profiled to get precise information about
their state, services running, open ports, and so on. One major factor that counts
toward a VM profile is its connectivity with other VMs. An attacker can use port-
scanning program to perform an intense examination of the network to look for open
ports on any VM. So information about any open ports on a VM and the history of
opened ports plays a significant role in determining how vulnerable the VM is. All
these factors combined will form the VM profile. They are maintained in a database
and contain comprehensive information about vulnerabilities, alert, and traffic.
The data comes from: Attack graph generator : While generating the attack graph, every
detected vulnerability is added to its corresponding VM entry in the
database.
NICE-A : The alert involving the VM will be recorded in the VM profile database.
Network controller : The traffic patterns involving the VM are based onfive tuples (source MAC address, destination MAC address, source IP
address, destination IP address, protocol) We can have traffic pattern,
where packets emanate from a single IP and are delivered to multiple
destination IP addresses, and vice versa.
6.1.3 Attack Analyzer
The major functions of NICE system are performed by attack analyzer, which
includes procedures such as attack graph construction and update, alert correlation,
and countermeasure selection. The process of constructing and utilizing the SAG
consists of three phases: Information gathering, attack graph construction, and
potential exploit path analysis. With this information, attack paths can be modeled
using SAG. Each node in the attack graph represents an exploit by the attacker. Each
path from an initial node to a goal node represents a successful attack. NICE attack
graph is constructed based on
the following information:
Cloud system information Virtual network topology and configuration information
-
8/13/2019 Content Materials1
16/40
16
Vulnerability informationThe attack analyzer also handles alert correlation and analysis operations. This
component has two major functions:
constructs ACG provides threat information
6.1.4 Workflow of attack Analyzer
Fig 6.2 Workflow of attack analyzer
1. After receiving an alert from NICE-A, alert analyzer matches the alert in theACG.
2. If the alert already exists in the graph and it is a known attack (i.e., matchingthe attack signature), the attack analyzer performs countermeasure selection
procedure and then notifies network controller immediately to deploy
countermeasure or mitigation actions.
-
8/13/2019 Content Materials1
17/40
17
3. If the alert is new, attack analyzer will perform alert correlation and analysisand updates ACG and SAG. This algorithm correlates each new alert to a
matching alert correlation set (i.e., in the same attack scenario).
4. A selected countermeasure is applied by the network controller based on theseverity of evaluation results.
5. If the alert is a new vulnerability and is not present in the NICE attack graph,the attack analyzer adds it to attack graph and then reconstructs it.
6.1.5 Network Controller
The network controller is a key component to support the programmable
networking capability to realize the virtual network reconfiguration feature based onOpenFlow protocol. In NICE, within each cloud server there is a software switch,
which is used as the edge switch for VMs to handle traffic in and out from VMs. The
network controller is responsible for collecting network information of current
OpenFlow network and provides input to the attack analyzer to construct attack
graphs network controller is able to discover the network connectivity information
from OVS and OFS. This information includes current data paths on each switch and
detailed flow information associated with these paths, such as TCP/IP and MAC
header. The network flow and topology change information will be automatically
sent to the controller and then delivered to attack analyzer to reconstruct attack
graphs.
Another important function of the network controller is to assist the attack
analyzer module. Network controller is also responsible for applying the
countermeasure from attack analyzer. If a severe alert is triggered and identifies
some known attacks, or a VM is detected as a zombie, the network controller will
block the VM immediately.
-
8/13/2019 Content Materials1
18/40
-
8/13/2019 Content Materials1
19/40
19
Open trace file and activate it:
set tracefd [open wireless.tr w]
$ns_ trace-all $tracefd
Create topography and channel:
set topo [new Topography]
$topo load_flatgrid 500 500
set chan [new $val(chan)]
Create the GOD object (General Operations Director):
create-god $val(nn)
Creating the nodes
After setting the configuration options, the nodes are created:
for {set i 0} {$i < $val(nn) } {incr i}
{
set node_($i) [$ns_ node ]
$node_($i) random-motion 0
}
Example:
set node_(0) [$ns node]
$node_(0) set X_ 1155
$node_(0) set Y_ 794
$node_(0) set Z_ 0.0
$ns initial_node_pos $node_(0) 75
-
8/13/2019 Content Materials1
20/40
20
Fig 7.1 Network Formation
7.1.2 Data RoutingA router is a device that forwards data packets between computer networks,
creating an overlay internetwork.
Routing is the process of selecting best paths in a network along which to
send network traffic.
In this module source node sends a data packets to destination, through the
shortest channel. The wireless channel is act as medium for transferring the data
information.
The shortest path problem is the problem of finding a path between two
vertices (or nodes) in a graph such that the sum of the weights of its constituent
edges is minimized.
A routing protocol specifies how routers communicate with each other,
disseminating information that enables them to select routes between any
two nodes on a computer network. Routing algorithms determine the specific choice
-
8/13/2019 Content Materials1
21/40
21
of route. Each router has a priori knowledge only of networks attached to it directly.
A routing protocol shares this information first among immediate neighbors, and
then throughout the network.
7.1.3 Network Controller
The traffic patterns involving the VM are based on five tuples (source MAC
address, destination MAC address, source IP address, destination IP address,
protocol). We can have traffic pattern, where packets emanate from a single IP and
are delivered to multiple destination IP addresses, and vice versa. The network
controller is a key component to support the programmable networking capability to
realize the virtual network reconfiguration feature based on Open Flow protocol. The
communication between cloud servers is handled by physical Open Flow-capable
Switch. The network controller is responsible for collecting network information of
current Open Flow network and provides input to the attack analyzer to construct
attack graphs.
7.1.4 Control Center
Control center connected to software switches on each cloud server. NICE-A
is a software agent implemented in each cloud server connected to the control center
through a dedicated and isolated secure channel, which is separated from the normal
data packets using Open Flow tunneling or VLAN approaches. The network
controller is responsible for deploying attack countermeasures based on decisions
made by the attack analyzer.
7.1.5 Graph Design Based Result
Graph is an essential part of display a result, so we plot a graph to show a
various result comparison with packets, throughput, energy efficient, malicious node
detection analysis.
exec ./xgraph ENERGY.tr TRAFFIC.tr BANDWIDTH.tr -geometry 800x400
-t "PERFORMACE ANALYSIS ON QOS PARAMETERS" -x "NETWORKAREA"
-y "PACKETDELIVERY RATIO" -bg white &
-
8/13/2019 Content Materials1
22/40
22
7.2 ALGORITHM USED7.2.1 Alert Correlation Algorithm
Alert Correlation algorithm is followed for every alert detected and returns
one or more paths Si. For every alert ac that is received from the IDS, it is added to
ACG if it does not exist. For this new alert ac, the corresponding vertex in the SAG
is found by using function mapðacÞ. For this vertex in SAG, alert related to its parent
vertex of type NC is then correlated with the current alert ac. This creates a new set
of alerts that belong to a path Si in ACG or splits out a new path Siþ1 from Si with
subset of Si before the alert a and appends ac to Siþ1. In the end of this algorithm,
the ID of ac will be added to alert attribute of the vertex in SAG. It returns a set of
attack paths S in ACG.
Alert Correlation Algorithm
Require: alert ac, SAG, ACG
1: if (ac is a new alert) then
2: create node ac in ACG
3: n1 vc 2 mapðacÞ
4: for all n2 2 parentðn1Þ do
5: create edge (n2:alert; ac)
6: for all Si containing a do
7: if a is the last element in Si then
8: append ac to Si
9: else
10: create path Siþ1 ¼ fsubsetðSi; aÞ; acg
11: end if
12: end for
13: add ac to n1:alert
14: end for
15: end if
16: return S
-
8/13/2019 Content Materials1
23/40
23
7.2.2 Countermeasure Selection Algorithm
Input to the algorithm is an alert, attack graph G, and a pool of
countermeasures CM. The algorithm starts by selecting the node valet that
Corresponds to the alert generated by a NICE-A. Before selecting the
countermeasure, we count the distance of valet to the target node. If the distance is
greater than a threshold value, we do not perform countermeasure selection but
update the ACG to keep track of alerts in the system. For the source node valet, all
the reachable nodes (includingthe source node) are collected into a set T . Because
the alert is generated only after the attacker has performed the action, we set the
probability of vAlert to 1 and calculate the new probabilities for all of its child
(downstream) nodes in the set T. Now, for all t 2 T the applicable countermeasures in
CM are selected and new probabilities are calculated according to the effectiveness
of the selected countermeasures. The change in probability of target node gives the
benefit for the applied countermeasure. In the next double for-loop, we compute the
Return of Investment (ROI) for each benefit of the applied countermeasure. The
countermeasure which when applied on a node gives the least value of ROI, is
regarded as the optimal countermeasure. Finally, SAG and ACG are also updated
before terminating the algorithm. The complexity of Algorithm 2 is OðjV j _ jCMjÞ,
where jV j is the number of vulnerabilities and jCMj represents the number of
countermeasures.
Countermeasure Selection Algorithm
Require: Alert;GðE; V Þ; CM
1: Let vAlert ¼ Source node of the Alert2: if Distance to TargetðvAlertÞ > threshold then
3: Update ACG
4: return
5: end if
6: Let T ¼ DescendantðvAlertÞ [ vAlert
7: Set PrðvAlertÞ ¼ 1
8: Calculate_Risk_Prob(T)
-
8/13/2019 Content Materials1
24/40
24
9: Let benefit½jTj; jCMj_ ¼ ;
10: for each t 2 T do
11: for each cm 2 CM do
12: if cm: conditionðtÞ then
13: PrðtÞ ¼ PrðtÞ _ ð1 _ cm: effectivenessÞ
14: Calculate_Risk_Prob(DescendantðtÞ)
15: benefit½t; cm_ ¼ _Prðtarget nodeÞ. (7)
16: end if
17: end for
18: end for19: Let ROI½jTj; jCMj_ ¼ ;
20: for each t 2 T do
21: for each cm 2 CM do
22: ROI½t; cm_ ¼ benefit½t;cm_
cost: cmþintrusiveness:cm . (8)
23: end for
24: end for
25: Update SAG and Update ACG
26: return Select Optimal CMðROIÞ
-
8/13/2019 Content Materials1
25/40
25
CHAPTER 8
RESULTS
NETWORK FORMATION
-
8/13/2019 Content Materials1
26/40
26
START THE NICE PROCESS
SERVER PROCESS UTILIZATION
-
8/13/2019 Content Materials1
27/40
27
VIRSUS ENTER INTO THE CLOUD SERVER2
VIRUS INFECTS THE CLOUD SERVER2
-
8/13/2019 Content Materials1
28/40
-
8/13/2019 Content Materials1
29/40
29
VIRUS REMOVED FROM THE CLOUD SERVER2
PERFORMANCE ANALYSIS OF QOS PARAMETERS
-
8/13/2019 Content Materials1
30/40
-
8/13/2019 Content Materials1
31/40
31
APPENDIX I
SAMPLE CODING
set val(chan) Channel/WirelessChannel ;# channel type
set val(prop) Propagation/TwoRayGround ;# radio-propagation model
set val(netif) Phy/WirelessPhy ;# network interface type
set val(mac) Mac/802_11 ;# MAC type
set val(ifq) Queue/DropTail/PriQueue ;# interface queue type
set val(ll) LL ;# link layer type
set val(ant) Antenna/OmniAntenna ;# antenna model
set val(ifqlen) 50 ;# max packet in ifq
set val(nn) 33 ;# number of mobilenodes
set val(rp) NICE ;# routing protocol
set val(rp) AMRIS ;# Link repairing protocol
set val(x) 1500 ;# X dimension of topography
set val(y) 1500 ;# Y dimension of topographyset val(stop) 10.0 ;# time of simulation end
set ns [new Simulator]
set topo [new Topography]
$topo load_flatgrid $val(x) $val(y)
create-god $val(nn)
set tracefile [open out.tr w]
$ns trace-all $tracefile
set namfile [open out.nam w]
$ns namtrace-all $namfile
$ns namtrace-all-wireless $namfile $val(x) $val(y)
set chan [new $val(chan)];#Create wireless channel$ns node-config -llType $val(ll)
\-macType $val(mac) \ -ifqType $val(ifq) \-ifqLen $val(ifqlen) \ -antType $val(ant)
\ -propType $val(prop) \-phyType $val(netif) \ -channel $chan \ -adhocRouting
-
8/13/2019 Content Materials1
32/40
-
8/13/2019 Content Materials1
33/40
33
$node_(4) set Y_ 617
$node_(4) set Z_ 0.0
$ns initial_node_pos $node_(4) 35
set node_(5) [$ns node]
$node_(5) set X_ 358
$node_(5) set Y_ 524
$node_(5) set Z_ 0.0
$ns initial_node_pos $node_(5) 35
set node_(6) [$ns node]
$node_(6) set X_ 192$node_(6) set Y_ 524
$node_(6) set Z_ 0.0
$ns initial_node_pos $node_(6) 35
set node_(7) [$ns node]
$node_(7) set X_ 1275
$node_(7) set Y_ 676
$node_(7) set Z_ 0.0
$ns initial_node_pos $node_(7) 35
set node_(8) [$ns node]
$node_(8) set X_ 877
$node_(8) set Y_ 515
$node_(8) set Z_ 0.0
$ns initial_node_pos $node_(8) 35
set node_(9) [$ns node]
$node_(9) set X_ 511
$node_(9) set Y_ 524
$node_(9) set Z_ 0.0
$ns initial_node_pos $node_(9) 35
set node_(10) [$ns node]
$node_(10) set X_ 1126
$node_(10) set Y_ 723
$node_(10) set Z_ 0.0
-
8/13/2019 Content Materials1
34/40
34
$ns initial_node_pos $node_(10) 35
set node_(11) [$ns node]
$node_(11) set X_ 630
$node_(11) set Y_ 515
$node_(11) set Z_ 0.0
$ns initial_node_pos $node_(11) 35
$ns at 0.0 "$ns trace-annotate \" NICE Process started.....\""
$ns at 1.0 "$ns trace-annotate \" SERVER PROCESS UTILIZATION.....\""
$ns at 3.7 "$ns trace-annotate \" VIRUS INFECTS THE SERVER2 SO THE
PROCESS IS VERY SLOW.....\""$ns at 5.0 "$ns trace-annotate \" NICE AGENT REPORTS TO CONTROL
CENTER.....\""
$ns at 7.2 "$ns trace-annotate \" ATTACK ANALYZER COUNTERMEASURES
THE PROBLEM.....\""
proc NICE {malicious_node}
{
if(node_(31).rt_upd=true)
{
update_routing_table
-
8/13/2019 Content Materials1
35/40
35
select route (msg*data)
}
else
{
update routing_table "";
}
}
proc controlmeasure {input skey}
{
upvar $skey keyint n,e,d,p,q,u,m1,m2,h,m;
if
{
[bitsize $key(n)] < [bitsize $input]
}
{
puts "keysize [bitsize $key(n)] must be greater than text [bitsize
nput]/$input" select risk_probality
# e - public exponent
}
if {![info exists key(p)]}
{
return [rsa_slow_decrypt $input key]
}
else
{
# m1 = c ^ (d mod (p-1)) mod p
set m1 [powm $input [fdiv_r $key(d) [sub_ui $key(p) 1]] $key(p)]
# m2 = c ^ (d mod (q-1)) mod q
set m2 [powm $input [fdiv_r $key(d) [sub_ui $key(q) 1]] $key(q)]
# h = u * ( m2 - m1 ) mod q
set h [sub $m2 $m1]
-
8/13/2019 Content Materials1
36/40
36
if {[cmp_si $h 0] < 0}
set h [add $h $key(q)]
}
set h [fdiv_r [mul $key(u) $h] $key(q)]
# m = m2 + h * p
set m [add $m1 [mul $h $key(p)]]
key =m1*m2/m
return $m
}
proc encrypt_packet {ptext pkey} {upvar $pkey key
set plen [binary format I [string length $ptext]]
set md5 [binary format H32 [::md5::md5 $ptext]] # encrypt a packet
# packet format: [md5][length][payload][padding]
set ptext ${md5}${plen}$ptext
return [encrypt $ptext key]
encrypt m*h;
}
}
set udp8 [$ns create-connection UDP $node_(27) LossMonitor $node_(26) 0]
$udp8 set fid_ 1
$udp8 set class_ 1
set cbr7 [$udp8 attach-app Traffic/CBR]
$cbr7 set packetSize_ 512
$cbr7 set interval_ .05
$ns at 1.0 "$cbr7 start"
#$ns at 4.1 "$cbr7 stop"
set udp9 [$ns create-connection UDP $node_(12) LossMonitor $node_(26) 0]
$udp9 set fid_ 1
$udp9 set class_ 1
set cbr8 [$udp9 attach-app Traffic/CBR]
$cbr8 set packetSize_ 512
-
8/13/2019 Content Materials1
37/40
-
8/13/2019 Content Materials1
38/40
38
$cbr10 set interval_ .5
$ns at 3.8 "$cbr10 start"
$ns at 7.5 "$cbr10 stop"
set udp11 [$ns create-connection UDP $node_(14) LossMonitor $node_(25) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 5.0 "$cbr10 start"$ns at 7.0 "$cbr10 stop"
set udp11 [$ns create-connection UDP $node_(25) LossMonitor $node_(8) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 5.05 "$cbr10 start"
$ns at 7.0 "$cbr10 stop"
set udp11 [$ns create-connection UDP $node_(8) LossMonitor $node_(16) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 5.1 "$cbr10 start"
$ns at 7.0 "$cbr10 stop"
set udp10 [$ns create-connection UDP $node_(13) LossMonitor $node_(10) 0]
$udp10 set fid_ 1
$udp10 set class_ 1
set cbr9 [$udp10 attach-app Traffic/CBR]
$cbr9 set packetSize_ 512
-
8/13/2019 Content Materials1
39/40
39
$cbr9 set interval_ .05
$ns at 7.6 "$cbr9 start"
set udp11 [$ns create-connection UDP $node_(10) LossMonitor $node_(0) 0]
$udp11 set fid_ 1
$udp11 set class_ 1
set cbr10 [$udp11 attach-app Traffic/CBR]
$cbr10 set packetSize_ 512
$cbr10 set interval_ .05
$ns at 7.6 "$cbr10 start"
proc finish {}{
global ns tracefile namfile
$ns flush-trace
close $tracefile
close $namfile
exec ./xgraph ENERGY.tr TRAFFIC.tr BANDWIDTH.tr -geometry 800x400
-t "PERFORMACE ANALYSIS ON QOS PARAMETERS" -x
"NETWORKAREA" -y "PACKETDELIVERY RATIO" -bg white &
exec ./nam out.nam &
exit 0
}
for {set i 0} {$i < $val(nn) } { incr i }
{
$ns at $val(stop) "\$node_($i) reset"
source z.tcl
}
$ns at $val(stop) "$ns nam-end-wireless $val(stop)"
$ns at $val(stop) "finish"
$ns at $val(stop) "puts \"done\" ; $ns halt"
$ns run
-
8/13/2019 Content Materials1
40/40
REFERENCES
[1] X. Ou, W.F. Boyer, and M.A. McQueen, “A Scalable Approach to Attack Graph
Generation,” Proc. 13th ACM Conf. Computer and Comm. Security (CCS ’06), pp.
336-345, 2006.
[2] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting Botnet Command and
Control Channels in Network Traffic,” Proc. 15th Ann. Network and Distributed
Sytem Security Symp. (NDSS ’08), Feb. 2008.
[3] S. Roschke, F. Cheng, and C. Meinel, “A New Alert Correlation Algorithm
Based on Attack Graph,” Proc. Fourth Int’l Conf. Computational Intelligence in
Security for Information Systems, pp. 58-67, 2011
[4] Niraj Suresh Katkamwar, Atharva Girish Puranik and Purva Deshpande,
“Securing Cloud Servers against Flooding Based DDoZ Attacks,”International
Journal of Application or Innovation in Engineering & Management (IJAIEM),Nov.
2012.
[5] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker,
“Detecting Spam Zombies by Monitoring Outgoing Messages,” IEEE Trans.
Dependable and Secure Computing, vol. 9, no. 2, pp. 198-210, Apr. 2012.
[6] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee,
D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A View of Cloud Computing,”
ACM Comm., vol. 53, no. 4, pp. 50-58, Apr. 2010.
[7] Nidal M. Turab, Anas Abu Taleb Shadi R. Masadeh, “CLOUD COMPUTING
CHALLENGES AND SOLUTIONS,” International Journal of Computer Networks