Java-Based Intrusion Detection System in a Wired Network

Published by: ijcsis on Feb 19, 2012
Copyright: Attribution Non-commercial

Java-Based Intrusion Detection System in a Wired Network

Eugène C. Ezin (1), Hervé Akakpo Djihountry (2)
Institut de Mathématiques et de Sciences Physiques, Unité de Recherche en Informatique et Sciences Appliquées, University of Abomey-Calavi, BP 613 Porto-Novo, Republic of Benin
(1) eugene.ezin@imsp-uac.org
(2) herve.akakpo@imsp-uac.org
Abstract—Intrusion detection has become an integral part of the information security process. The cost involved in protecting network resources is often neglected when compared with the actual cost of a successful intrusion, which strengthens the need to develop more powerful intrusion detection systems. Many existing systems for intrusion detection are developed in the C, Objective-C, Tcl and C++ programming languages. In this paper, we design and develop a network intrusion detection system using the Java programming language. We simulate the land attack, the flooding attack and the ping of death attack to show the effectiveness of the proposed system, in which packets in the network are captured online as they arrive on the network interface.

Keywords: Intrusion Detection System (IDS), Jpcap library, Network Security.
I. INTRODUCTION

With the proliferation of networked computers and the Internet, their security has become a primary concern. This rapid advancement in network technologies includes higher bandwidths and ease of connectivity of wireless and mobile devices. In 1980, Anderson proposed that audit trails should be used to monitor threats [1]. The importance of such data was not understood at that time, and all the available system security procedures were focused on denying access to sensitive data from an unauthorized source. Later, Dorothy Denning [2] proposed the concept of intrusion detection as a solution to the problem of providing a sense of security in computer systems. This intrusion detection model is independent of system, type of intrusion and application environment.

Intrusion detection according to Bace is the process of intelligently monitoring the events occurring in a computer system or network, analyzing them for signs of violations of the security policy [3]. In short, intrusion detection is the process of monitoring computers or networks for unauthorized entrance, activity, or file modification. Intrusion detection systems refer to those systems which are designed to monitor an agent's activity to determine if the agent is exhibiting unexpected behavior. The intrusion detection model was proposed by Denning [2]. A more precise definition is found in [4], in which an intrusion detection system is a system that attempts to identify intrusions, which we define to be unauthorized uses, misuses, or abuses of computer systems by either authorized users or external perpetrators. Some intrusion detection systems monitor a single computer, while others monitor several computers connected by a network.

Intrusion detection systems detect intrusions by analyzing information about user activities from sources such as audit records, system tables, and network traffic summaries. In short, intrusion detection systems can also be used to monitor network traffic, thereby detecting if a system is being targeted by a network attack such as a denial of service attack. The primary aim of an intrusion detection system is to protect the availability, confidentiality and integrity of critical networked information systems. Intrusion detection systems are defined by both the method used to detect attacks and the placement of the intrusion detection system on the network. The objective of an intrusion detection system is to provide data security and ensure continuity of the services provided by a network [5].

Two major approaches are used by intrusion detection systems: misuse detection and anomaly detection. An intrusion detection system may perform either misuse detection or anomaly detection and may be deployed as either a network-based system or a host-based system. This description of intrusion detection systems leads to four general groups: misuse-host, misuse-network, anomaly-host, and anomaly-network. Some intrusion detection systems combine qualities from all these categories by implementing both misuse and anomaly detection, and are known in the literature as hybrid systems [6]. Even though Gupta in [7] gives an overview of robust and efficient intrusion detection systems, the intrusion detection problem is a hard one, since no security is absolutely guaranteed forever.

The goal of this paper is to propose a model for intrusion detection with three different positions for the intrusion detection system, using the Java programming language. The Jpcap library is used in the implementation. In so doing, the overall system has more chance to detect an attack. To show the effectiveness of the overall system, three different attacks are simulated. The paper is organized as follows: section II presents the different phases of an attack. Section III gives an overview of the two approaches to intrusion detection. Section IV presents
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011, p. 33, http://sites.google.com/site/ijcsis/, ISSN 1947-5500
some intrusion detection systems. Section V presents the design of the intrusion detection system we propose: subsection V-A describes the functional components of the authentication process, subsection V-B gives the functional description of the proposed system, and architectures and possible locations of the proposed network intrusion detection system are given in subsection V-D. A description of the platform is given in section V-E, while section V-F describes the open source tools involved in realizing the network intrusion detection system. Section VI presents the global architecture.

II. TYPES OF ATTACK

Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks, exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system must be able to limit damage and recover rapidly when attacks occur. There are eleven types of attack, namely: passive attack, active attack, distributed attack, insider attack, close-in attack, phishing attack, password attack, buffer overflow attack, hijack attack, spoofing attack, and exploit attack.
A. Passive Attack

A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly-encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.
B. Active Attack

In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, denial of service, or modification of data.
C. Distributed Attack

A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, to a trusted component or software that will later be distributed to many other companies and users. Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door into a product to gain unauthorized access to information or to a system function at a later date.
D. Insider Attack

An insider attack involves someone from inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or not. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task.
E. Close-In Attack

A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of regular individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.

One popular form of close-in attack is social engineering. In a social engineering attack, the attacker compromises the network or system through social interaction with a person, through an electronic mail or phone call. Various tricks can be used by the individual to reveal information about the security of the company. The information that the victim reveals to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a system or network.
F. Phishing Attack

In a phishing attack, the hacker creates a fake web site that looks exactly like a popular site. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the username and password and then tries that information on the real site.
G. Password Attack

In a password attack, an attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters.
H. Buffer Overflow Attack

A buffer overflow attack is produced when the attacker sends more data to an application than is expected. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell.
I. Hijack Attack

In a hijack attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker by accident.
J. Spoofing Attack

In a spoofing attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass firewall rules.
K. Exploit Attack

In this type of attack, the attacker knows a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

III. DIFFERENT APPROACHES TO INTRUSION DETECTION

Many classifications exist in the literature about intrusion detection [7], [8]. The basic types of intrusion detection are host-based and network-based. Host-based systems were the first type of intrusion detection systems to be developed and implemented. These systems collect and analyze data that originate in a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. Instead of monitoring the activities that take place on a particular computer, network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. Because they are responsible for monitoring a network, rather than a single host, network-based intrusion detection systems tend to be more distributed than host-based intrusion detection systems. The two types of intrusion detection systems differ significantly from each other, but complement one another well. The network architecture of host-based systems is agent-based, which means that a software agent resides on each of the hosts that will be governed by the system. In addition, more efficient host-based intrusion detection systems are capable of monitoring and collecting system audit trails in real time as well as on a scheduled basis, thus distributing both CPU utilization and network overhead and providing for a flexible means of security administration.

Two other approaches encountered in the literature concerning intrusion detection systems for detecting intrusive behavior are misuse detection and anomaly detection.
A. Misuse Detection

Misuse detection relies on matching known patterns of hostile activity against databases of past attacks. Such systems are highly effective at identifying known attacks and vulnerabilities, but rather poor at identifying new security threats. Misuse-detection based intrusion detection systems can only detect known attacks. In [9], the following advantages and disadvantages of misuse detectors can be found.
1) Advantages of misuse detectors: misuse detectors are very efficient at detecting attacks without signaling false alarms. They can quickly detect specially-designed intrusion tools and techniques and provide systems' administrators an easy tool to monitor their systems even if they are not security experts.
2) Disadvantages of misuse detectors: misuse detectors can only detect attacks known beforehand. For this reason the systems must be updated with newly discovered attack signatures. Misuse detectors are designed to detect only attacks whose signatures have been introduced to the system. When a well-known attack is changed slightly and a variant of that attack is obtained, the detector is unable to detect this variant of the same attack.
B. Anomaly Detection

Anomaly detection searches for something rare or unusual by applying statistical measures or artificial intelligence to compare current activity against historical knowledge. Common problems with anomaly-based systems are that they often require extensive training data for artificial learning algorithms, and they tend to be more computationally expensive, because several metrics are often maintained, and these need to be updated against every system activity. Several approaches applying artificial neural networks in intrusion detection systems have been proposed [10]. Anomaly detection based intrusion detection systems can detect known attacks and new attacks by using heuristic methods.

Anomaly detection-based intrusion detection systems are separated into many sub-categories in the literature, including statistical methodologies [11], data mining [12], artificial neural networks [13], genetic algorithms [14] and immune systems [15]. Among these sub-categories, statistical methods are the most commonly used ones to detect intrusions by analyzing abnormal activities occurring in the network. In [9], advantages and disadvantages of anomaly detectors can be found.
1) Advantages of anomaly detection: anomaly-based intrusion detection systems, superior to signature-based ones in this respect, are able to detect attacks even when detailed information about the attack does not exist. Anomaly-based detectors can be used to obtain signature information used by misuse-based intrusion detection systems.
2) Disadvantages of anomaly detection: anomaly-based intrusion detection systems generally flag many false alarms, simply because user and network behavior are not always known beforehand. The anomaly-based approach requires a large set of training data consisting of system event logs in order to construct a normal behavior profile.

Anthony Utin added this note:
I need your assistance. I'm a final year student writing on "DEVELOPING A SECURITY MODEL FOR UNIVERSITY INTRANET" and I have chosen to write on HOST INTRUSION DETECTION SYSTEM (HIDS). Give me assistance on how to go about the programming contents. My mail address is: anthonyutin@yahoo.com