
Host Intrusion Detection System

Submitted by:
Muhammad Ahsan (12-CS-033)

Noman Ul Ehsan (12-CS-43)

Submitted to:

Supervisor: Dr. Khalid Hussain


Co-supervisor: Ms. Veena Dilshad

Department of Computer Science and Engineering

HITEC University, Taxila


Dedication

“Dedicated to ALLAH ALMIGHTY, Prophet (P-B-U-H) and my teachers and parents, who helped and
encouraged me and prayed for my success”.

July 2016
2
There are no secrets to success. It is the result of preparation,
hard work, and learning from failure.

THESIS APPROVAL
Thesis/Project Title: Host based Intrusion Detection System
Project Supervisor: Dr Khalid Hussain
Particulars of the students:
S. No.  Reg. No.    Full Name        CGPA   Signatures
1.      12-CS-033   Muhammad Ahsan   2.45
2.      12-CS-043   Noman-Ul-Ehsan   2.96
3.

Advisor’s Consent
I Prof./Dr./Mr./Ms. ________________________________________________ am willing to
guide these students in all phases of the above-mentioned project/thesis as advisor. I have
carefully read the title and description of the project/thesis and believe that it is of an
appropriate difficulty level for the number of students named above.
_______________ ___________________________
Date Signature
External Examiner
I have carefully read the project proposal and feel that the proposed project is a useful
one and of a sufficient difficulty level to justify a one-year workload for the above-
mentioned students.
Recommended Signatures and Date
Yes No

ABSTRACT
Cyber threats have become one of the core concerns of today’s world. Cyber-attacks are
viewed as a threat to a nation’s sovereignty, regardless of whether the attacks originate
inside or outside the national border. These threats put a question mark over the sovereignty
of many sectors, such as telecom, oil and gas, health care, finance, education, the military,
government sectors and security agencies, and they are increasing day by day. There are many
kinds of cyber-attack, such as TCP sequence prediction, DoS, DDoS, malware, phishing, password
attacks, social engineering and unpatched software. Most intrusion detection systems, such as
Snort, Nessus, Tripwire and OSSEC, are built to detect these types of attack. Rushing and
wormhole attacks are comparatively new in nature, and there is room for improvement with the
latest techniques to mitigate them. This research proposes a host-based intrusion detection
system built on signature-based detection that monitors a host decoy serving several purposes:
it can distract adversaries from a valuable host, provide early warning about new network-layer
attacks, and allow in-depth examination of adversaries during and after the exploitation of an
attack.

ACKNOWLEDGEMENTS
In the name of Allah, the Most Gracious and the Most Merciful. Allah Almighty helped us
with His blessings and gave us the strength to complete this project. Special appreciation
goes to our project supervisor Dr Khalid Hussain for his support and supervision, and we
would also like to thank our project co-supervisor Veena Dillshad for her support and
knowledge regarding the project. We would like to express our gratitude towards our parents
for their kind co-operation and encouragement, which helped us in the completion of this
project. We would also like to thank our teachers and our colleagues for their help and
guidance in the development of this project.

Muhammad Ahsan (12-CS-033)

Nouman ul Ehsan (12-CS-043)

Table of Contents
Chapter 1 ..................................................................................................................12
Introduction ..............................................................................................................12
Overview: .............................................................................................................12
1.1: Introduction: ..................................................................................12
1.2: Background: ..................................................................................12
1.3: What is intrusion detection system? ...............................................................13
1.4: Why Intrusion Detection system? .................................................................13
1.5: Architecture of Host Based Intrusion Detection system. ..............................14
1.6: Types of Intrusion detection system: ............................................................14
1.7: Host Based Intrusion detection system: ........................................................15
1.8: Network Based Intrusion Detection System. ................................................15
1.9: Scope of the project: ......................................................................................15
1.10: Problem Statement: .....................................................................................16
1.11: Proposed Methodology: ...............................................................................16
1.12: Objective: ....................................................................................................16
1.13: Scope: ..........................................................................................................16
1.14: Applications of Host Based Intrusion Detection system: ...........................16
1.15: Summary: ....................................................................................................17
Chapter 2 ..................................................................................................................18
Literature Review .....................................................................................................18
Overview: .............................................................................................................18
2.1: Attack prediction Models for Cloud Intrusion Detection Systems. .............18
2.2: A review on Intrusion Detection Techniques for cloud computing and
Security challenges. ..............................................................................................19
2.3: Architecture for Intrusion detection using Autonomous Agents. .................20
2.4: An intrusion detection and prevention system in cloud computing. .............20
2.5: Rushing Attack and its Preventions Techniques ..........................................21
2.6: Swarm Intelligence in Intrusion Detection...................................................21
2.7: Summary........................................................................................................22
Chapter 3 ..................................................................................................................23

Proposed Methodology ............................................................................................23
Overview: .............................................................................................................23
3.1: Architecture of Host based Intrusion detection system: ...............................23
General Use Case: ................................................................................................23
3.3.1: Use Case of Intrusion detection system: .................................................23
3.3.2: Use Case of Packet Sniffing: ..................................................................24
3.3.3: Use Case of Anomaly Detection:............................................................25
3.3.4: Use Case of Alerts Management and Log maintaining in Host Based
Intrusion Detection System. ..............................................................................26
3.3.5: Class Diagram of Host Based Intrusion Detection System. ...................27
3.3.6: Data flow diagram of Intrusion detection system. ..................................28
3.3.7: Flow chart of Intrusion detection system. ...............................................29
3.2: Framework that is used in the development of Host based Intrusion
detection system. ..................................................................................................30
3.2.1: Microsoft .Net framework: .....................................................................30
3.2.2: Language used for attack generation. .....................................................30
3.2.3: C# internal Database. ..............................................................................30
3.3: Attacks. ..........................................................................................................30
3.3.1: Rushing Attack........................................................................................30
3.3.2: Wormhole Attack. ...................................................................................31
3.4: Tools and Software. .......................................................................................32
3.4.1: Snort. .......................................................................................................32
3.4.2: Tripwire. ..................................................................................................33
3.4.3: OSSEC ....................................................................................................34
3.4.4: Wireshark ................................................................................................35
3.4.5: Winpcap ..................................................................................................35
3.4.6: TCP Packet. .............................................................................................35
3.4.7: DNS Port. ................................................................................................35
3.4.8: UDP Port. ................................................................................................35
3.4.9: SQL Server Compact. .............................................................................36
3.4.10: Priority Queue. ......................................................................................36
3.4.11: Log Maintaining....................................................................................36
3.5: Summary: ......................................................................................................36

Chapter 4 ..................................................................................................................37
EXPERIMENTAL RESULTS.................................................................................37
Overview: .............................................................................................................37
4.1 Host Based Intrusion Detection Interface: .....................................................37
4.2: Interface to select the device: ........................................................................38
4.3: Data in IP Header: .........................................................................................38
4.4: Summary: .......................................................................................39
CHAPTER 5 ............................................................................................................40
CONCLUSION ........................................................................................................40
Chapter 6 ..................................................................................................................41
Future Work .............................................................................................................41
Overview: .............................................................................................................41
5.1: Intrusion detection and prevention systems. .................................................41
5.2: Cloud Computing. .........................................................................................41
5.3: Privacy in Cloud Computing. ........................................................................42
5.4: Enhancement. ................................................................................................42
5.5: Expected Results. ..........................................................................................42
5.6: Summary.........................................................................................42
Chapter 7 ..................................................................................................................42
References ................................................................................................................43
Appendix ..................................................................................................................45

LIST OF FIGURES

Figure 1.1: Host Based Intrusion Detection System……………………………………. 14

Figure 3.1: Use Case of Intrusion Detection system ………………………………….... 23

Figure 3.2: Use Case of Packet Sniffing……………………………………………….. 24

Figure 3.3: Use Case of Anomaly detection……………………………………………. 25

Figure 3.4: Use Case of Alert and Log Management……………………………………26

Figure 3.5: Class diagram of Host Based Intrusion Detection System……………….....27

Figure 3.6: Use Case of Intrusion Detection System……………………………………28

Figure 3.7: General Flow chart of Host based Intrusion Detection system……………..29

Figure 3.8: Rushing Attack…………………………………………………………….. 31

Figure 3.9: Wormhole Attack…………………………………………………………...31

Figure 3.10: Snort Architecture…………………………………………………………32

Figure 3.11: Flow Diagram of Tripwire Intrusion Detection System…………………..33

Figure 3.12: Architecture Diagram of OSSEC…………………………………………34

Figure 4.1: Interface of Host Based Intrusion Detection application………………….. 37

Figure 4.2: Interface to select device……………………………………………………38

Figure 4.3: Data in IP Header…………………………………………………………...38

Figure 4.4: Log File of Host based Intrusion Detection system………………………...39

ANNEXURE TABLE:

Rushing Attack Generation ............ See Annexure I
Rushing Server Generation ............ See Annexure II
Wormhole Attack Generation ........... See Annexure III
Wormhole Server Generation ........... See Annexure IV
Main Application Code ................ See Annexure V

Chapter 1
Introduction

Overview:
Chapter one gives an overview of intrusion detection systems and their types: the background
of intrusion detection, what intrusion detection systems are and why they are used. An
intrusion detection system monitors network traffic and is used to protect systems from
intrusions and malicious attacks; it is used to maintain data integrity. Host-based intrusion
detection systems monitor the network traffic of a host and protect it from malicious attacks.
The host-based intrusion detection system presented here covers the latest network-layer
attacks, namely the rushing attack and the wormhole attack. The main objective of the intrusion
detection system is to reduce the probability of network-layer attacks so that data integrity
can be maintained and the efficiency of the system increases.

1.1: Introduction
An intrusion detection system is a system that monitors network and host activities for
intrusions and malicious attacks. Its main purpose is to find anomalies. An intrusion detection
system is basically used to detect unauthorized activity by an unauthorized user. It works by
checking the number of data packets that carry large amounts of data. As the number of networks
increases, shortcomings appear in every type of technology. Intrusion represents a serious
threat to network security, as an attacker or intruder always looks to disrupt the services of
the network. To protect data integrity and information, there must be some mechanism that, from
a security point of view, prevents everyone from being able to access the information, so
different kinds of systems are developed to protect the data and its integrity. The main
purpose of an intrusion detection system is to detect attacks and to provide proper
notification that an attack has been launched. Intrusion detection is the process of monitoring
and detecting the events that occur on networks or computer systems and analyzing the possible
threats that may violate the security policies. The intrusion detection system first captures
the data packets in the form of IP packets, then decodes the captured packets and transforms
them into a unique pattern, and then analyzes and classifies the data according to whether it
is in the proper format or not. To handle a large amount of traffic over the network and to
maintain the integrity of data, a new method has been adopted, which is called an intrusion
detection system.

1.2: Background
The goal of an intrusion detection system is to monitor network and host assets to detect
intrusions and anomalous behavior. The idea of an intrusion detection system was first given by
James Anderson in his paper in 1980. Anderson’s paper, written for a government organization,
introduced the notion that audit trails contain important information that could be valuable
in tracking intrusion and misuse and in understanding user behavior. From this the concept of
detecting misuse, intrusion and specific user events emerged. In 1983 Dr Dorothy Denning began
work on a government project called intrusion detection development. Its main goal was to
analyze audit trails from government mainframe computers and create profiles of users based
upon their activities. One year later Dr Denning developed the first model of intrusion
detection. Later on, significant advances were made at the University of California. The
Haystack project released another intrusion detection project for the US Air Force; this system
worked by analyzing audit data and comparing it with defined patterns. In 1990 Davis Todd
introduced the idea of network intrusion detection, and network intrusion detection was
deployed at many government offices, where network traffic analysis provided a massive amount
of information. This created more awareness of and interest in the field of intrusion
detection, and investment in the intrusion detection market increased significantly. The
intrusion detection market gained popularity and began generating revenue in 1997. The main
purpose of an intrusion detection system is to maintain data integrity and protect systems
from different network-layer attacks. Current market statistics show that intrusion detection
systems are among the top-selling security technologies and that their demand is increasing
day by day.

1.3: What is intrusion detection system?


An intrusion detection system is a type of security system for networks and computers. It
gathers and analyzes information from the networks and computers to identify the possible
threats and intrusions that can affect data integrity and become potential threats to the
systems. It also monitors and analyzes both system and user activities, and it analyzes system
configurations and vulnerabilities. Intrusion detection has the ability to recognize the
patterns of different kinds of attack. With the increase in network-layer attacks, the main
purpose of an intrusion detection system is to detect unauthorized activity by an unauthorized
user. Its main function is to detect attacks and to provide proper notification that an attack
has been launched.

1.4: Why Intrusion Detection system?


An intrusion detection system is a security system used to monitor unauthorized activity and
intrusions in the network and in the system. It monitors network traffic at different points,
generates reports and maintains logs. If an intrusion occurs in the system or in the network,
it raises an alarm and notifies the user or network administrator that an attack has been
launched. An intrusion detection system is easy to develop, and it has the ability to look
deep into networks and systems and see what is happening there from a security point of view.
It has the ability to detect true intrusions. Intrusion detection systems are basically used
to protect data and its integrity.

1.5: Architecture of Host Based Intrusion Detection system

Figure 1.1: Host Based Intrusion Detection System

Figure 1.1 presents the general architecture diagram of the host-based intrusion detection
system. The host-based intrusion detection system is installed on a specific machine and works
on the basis of signature-based detection; the signatures are already defined in the system.
Workstations, laptops and personal computers are connected to the network. There is also a
firewall in the network, which is considered a network security system: it controls both
incoming and outgoing network traffic on the basis of a predefined set of rules, acts as a
barrier between trusted and untrusted networks, and filters the network traffic between two or
more networks. The host-based intrusion detection system is installed on a single host. It
performs signature-based detection by comparing all the data packets with the database of
signatures. If an incoming data packet matches a predefined signature, the host-based intrusion
detection system treats it as an anomaly, raises an alarm to notify the user that an intrusion
has occurred, and maintains a log of that intrusion. The system monitors every type of traffic
coming to the host and checks every data packet for whether it contains some kind of intrusion
or not. The main function of the intrusion detection system is to maintain data integrity and
information.

1.6: Types of Intrusion detection system


There are two types of Intrusion detection systems.
1. Host based Intrusion detection system.
2. Network based Intrusion detection system.

1.7: Host Based Intrusion detection system
A host-based intrusion detection system monitors every system that serves as a host. It
collects the data and analyzes it; the data can also be analyzed by a separate machine. It is
basically used to check for unauthorized modification of files. Host-based intrusion detection
is considered agent-based software that resides on a computer and is governed by the system. It
monitors each type of traffic coming into the system and has the ability to monitor system data
on a scheduled basis. An intrusion detection system monitors network and host activities for
intrusions and malicious attacks. It works by checking the number of data packets carrying
large amounts of data. It analyzes the data packets, generates reports and performs analysis to
detect intrusions. IDS come in many versions, but the approach of all of them is to detect
malicious activities and traffic over the network and host. It basically generates and
maintains a log of all the activities done by the system. It detects malicious activities and
malicious files coming from any source and maintains a log of those activities and files.

HIDS are divided into the following four types.

(a) File system monitors: check the integrity of files and directories in a system.
(b) Log analysis: monitors the log files for patterns that indicate malicious activity.
(c) Connection analysis: monitors connection attempts to and from the host.
(d) Kernel-based IDS: monitors malicious activity at the kernel level.

Most HIDS have the ability to monitor and prevent malicious activities. These systems are
generally deployed at a central location and also managed from there, with agents configured
on the local hosts. There can be a single policy or multiple policies for all machines,
depending on operating system, machine type, physical location and user type. Once a policy is
configured, it is distributed to a group of hosts.

1.8: Network Based Intrusion Detection System


A network intrusion detection system monitors traffic over the network and detects malicious
and unauthorized activity on the network. It monitors all traffic of servers, switches and
gateways, both incoming and outgoing. It scans all the system files, looks for unauthorized
activity and maintains data integrity.

1.9: Scope of the project


As this is a time of technology and everyone is familiar with it, people use technology
through mobile phones and computers, and when they interact there is an exchange of data. The
project’s main goal is to protect user data from the latest network-layer attacks. By reducing
the probability of network-layer attacks, data integrity can be maintained and the performance
and efficiency of the system also increase. The main goal of the host-based intrusion
detection system is to detect the latest network-layer attacks, which include the rushing and
wormhole attacks. The main goal of this project is to secure user data from network-layer
attacks so that user information cannot be stolen and data integrity can be maintained.

1.10: Problem Statement


When two or more nodes in a network become compromised simultaneously, the quality of service
of the network is hampered. There is a need to detect and mitigate those compromised nodes at
the control level.

1.11: Proposed Methodology


The methodology proposed for the host-based intrusion detection system is signature-based
detection. Signature-based detection is performed by comparing the data packets with a database
of signatures. A signature is a predefined set of rules or patterns related to known attacks.
Using signature-based detection, the system is configured to look for these specific patterns:
it compares the incoming packets against the set of predefined rules to find intrusions, which
is done by comparing the data packets with the database.
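As an added illustration of the signature-matching pipeline described in sections 1.5 and 1.11 (decode the IP header, compare each packet with the signature database, raise an alarm and write a log entry), the following Python example is not part of the thesis or its C# application; its rule ids, rule names, addresses and packets are constructed placeholders, and it also shows the inherent limit of the approach: a packet that matches no signature passes unnoticed.

```python
import re
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Decoded view of one captured packet (the IP header fields plus ports/payload).
Packet = namedtuple("Packet", "src dst proto ttl sport dport payload")


def decode_ipv4(raw: bytes) -> Packet:
    """Decode the IPv4 header (RFC 791); for TCP also extract ports and payload."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad version or header length")
    body = raw[ihl:total_len]
    sport = dport = None
    payload = body
    if proto == 6 and len(body) >= 20:  # TCP: ports first, data offset in byte 12
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[(body[12] >> 4) * 4:]
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)),
                  proto, ttl, sport, dport, payload)


@dataclass
class Signature:
    """One entry of the signature database; every field that is set must match."""
    sid: int
    name: str
    priority: int                    # 1 = most urgent; alerts are ordered by it
    proto: Optional[int] = None
    dport: Optional[int] = None
    pattern: Optional[bytes] = None  # regular expression applied to the payload

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.pattern is not None and re.search(self.pattern, p.payload) is None:
            return False
        return True


def inspect(raw_packets: List[bytes], signatures: List[Signature],
            log: List[str]) -> List[Tuple]:
    """Compare each packet with every signature; log alerts, most urgent first.
    A packet matching no signature passes silently, which is the blind spot of
    pure signature-based detection: attacks with no signature go unnoticed."""
    alerts = []
    for raw in raw_packets:
        try:
            p = decode_ipv4(raw)
        except ValueError as err:
            log.append(f"DROP malformed packet: {err}")
            continue
        for sig in signatures:
            if sig.matches(p):
                alerts.append((sig.priority, sig.sid, sig.name, p.src, p.dst, p.dport))
    alerts.sort()  # priority-queue behaviour: lowest number (most urgent) first
    for prio, sid, name, src, dst, dport in alerts:
        log.append(f"ALERT prio={prio} sid={sid} {name} {src} -> {dst}:{dport}")
    return alerts


def build_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a raw IPv4/TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed signature database with hypothetical rule ids and names.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", 1, proto=6, dport=80, pattern=rb"\.\./"),
    Signature(1002, "Telnet connection attempt", 2, proto=6, dport=23),
]

# Constructed traffic: a benign request, two packets that hit signatures, the
# traversal pattern on a port the rule does not cover (missed), and garbage.
TRAFFIC = [
    build_tcp("10.0.0.5", "10.0.0.1", 40000, 80, b"GET /index.html HTTP/1.0\r\n"),
    build_tcp("10.0.0.7", "10.0.0.1", 40001, 80, b"GET /../../secret HTTP/1.0\r\n"),
    build_tcp("10.0.0.9", "10.0.0.1", 40002, 23, b""),
    build_tcp("10.0.0.7", "10.0.0.1", 40003, 8080, b"GET /../../secret HTTP/1.0\r\n"),
    b"\x45\x00\x00",
]


def run_demo() -> Tuple[List[Tuple], List[str]]:
    log: List[str] = []
    alerts = inspect(TRAFFIC, SIGNATURES, log)
    return alerts, log


if __name__ == "__main__":
    print("\n".join(run_demo()[1]))
```

The fourth packet carries the same traversal pattern as the second but on port 8080, so the port-bound rule misses it: a signature database only detects what its rules already describe.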

1.12: Objective
• The main objective of the host-based intrusion detection system is to reduce the
probability of the most common network-layer attacks. By reducing the probability of
network-layer attacks, the efficiency of the system increases.
• The host-based intrusion detection software product is able to detect the rushing and
wormhole attacks: when these attacks are performed on a specific network, the host-based
intrusion detection system detects them and raises an alarm to notify the system
administrator that an attack has been launched on the system.
• To secure the user’s data from these dangerous attacks so that the user’s personal
information cannot be stolen.

1.13: Scope
As this is a time of technology and everyone is familiar with it, people use technology
through mobile phones and computers, and when they interact there is an exchange of data. The
project’s main goal is to protect user data from the latest network-layer attacks. By reducing
the probability of network-layer attacks, data integrity can be maintained and the performance
and efficiency of the system also increase. The main goal of the host-based intrusion
detection system is to detect the latest network-layer attacks, which include the rushing and
wormhole attacks, and to secure user data from these attacks so that user information cannot
be stolen and data integrity can be maintained.

1.14: Applications of Host Based Intrusion Detection system


The host-based intrusion detection system is a security system used to protect the system
from different kinds of network-layer attacks. Intrusion detection systems have a very vast
domain in information security and are used to protect data integrity and information.

The following are the applications of host based Intrusion detection system.

a) Government offices
b) Banking organization
c) Intelligence agencies
d) Armed forces communication centers
e) Educational organizations
f) Strategic organizations

1.15: Summary
Chapter one covers the introduction to intrusion detection systems. An intrusion detection
system is a security system used to monitor the network traffic and hosts for intruders and
attackers. Its main purpose is to find anomalies and intrusions in the network, and it is used
to protect user data and information. The host-based intrusion detection system works on the
basis of signature-based detection and monitors every kind of traffic coming to the system.
Its main objective is to detect the rushing attack and the wormhole attack, and its main goal
is to protect user information from these attacks.

Chapter 2
Literature Review
Overview:
Chapter two provides the literature review. In this chapter we review the literature on
intrusion detection systems, including the latest network-layer attacks, the rushing attack and
the wormhole attack. Hisham A. Kholidy provides an overview of early warning of attacks and
describes three prediction models: the Finite State Hidden Markov Prediction Model, the Finite
Context Prediction Model and the Holt-Winters Prediction Model. Snehal G. Kene highlights the
privacy problems of cloud computing; he also applies different intrusion detection techniques
to detect intrusions and describes intrusion and its impact on data integrity and
confidentiality. Ahmed Patel highlights the various techniques used to detect intrusions and
describes the latest intrusion detection system and alarm management techniques. Prof. A. K.
Gulve describes the techniques of intrusion detection and the four basic approaches that can
be used in an intrusion detection system: the statistics-based approach, the data mining
approach, the SOM-based approach, and the supervised and unsupervised learning approach.

2.1: Attack prediction Models for Cloud Intrusion Detection Systems
Hisham A. Kholidy et al. (2014) highlight the current security technologies used in cloud
computing [1]. Cloud computing is now an emerging field with many benefits, but several kinds
of attack occur on cloud computing systems, and securing data, information and services in the
cloud is becoming more challenging than on traditional platforms. Most cloud computing
technologies do not provide information and early warning about attacks; such early warnings
would help the administrator take pre-emptive measures. A simple intrusion detection system is
not able to meet these challenges, and its capabilities can be increased further, for example
through risk assessment and by using prediction models. The paper discusses three prediction
models that are integrated into the cloud computing environment: the Finite State Hidden Markov
Prediction Model, the Finite Context Prediction Model and the Holt-Winters Prediction Model.
The Finite State Hidden Markov Prediction Model is based upon the Hidden Markov Model and
represents the sequence of events by matching attack signatures as a series of state
transitions with certain probabilities. The model uses a training algorithm and forward
back-propagation to reduce the probability and the prediction parameters of an attack. On
receiving alerts, the prediction model predicts the attack before it can compromise the
system.

The Finite Context Prediction Model is based on learning a VMM over a finite context and also
uses a training algorithm. The FCPM is flexible to implement and understand, and it does not
require knowledge of the network topology or of the system configuration. FCPM can predict
attacks; the models are evaluated and compared using the LLDOS 1.0 attack. The Holt Winter
Prediction Model captures unusual behaviour of the network traffic, that is, when the amount of
traffic is too high or too low compared with the normal traffic. It does not require attack
signatures, since it compares the unusual behaviour of the network with its normal behaviour;
however, its error rate is too high for it to be used for intrusion detection in cloud computing
systems. The authors implemented the three prediction models, the Finite State Hidden Markov
Prediction Model (FSHMPM), the Finite Context Prediction Model (FCPM) and the Holt Winter
Prediction Model (HWPM). With FSHMPM they obtained successful early warnings 39.6 minutes before
the launch of the LLDOS 1.0 attack, and FCPM fired early warnings 58.98 minutes before the
launch. With HWPM they measured an error rate of 42.07% for HTTP and 44.02% for FTP.
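The idea behind the Holt Winter model, forecasting the expected traffic level from its recent history and seasonality and alarming on large deviations, can be shown in a few lines. The following is an added Python example written for this review, not code from the thesis or from Kholidy et al.; the smoothing constants, the alarm threshold and the packets-per-interval series are constructed for illustration:

```python
"""Additive Holt-Winters one-step-ahead forecaster with a deviation alarm.
Added example; alpha/beta/gamma, the alarm rule and the traffic series are
constructed and are not the parameters used in the thesis or the cited paper."""

from typing import List, Optional


def holt_winters_forecasts(series: List[float], period: int,
                           alpha: float = 0.3, beta: float = 0.1,
                           gamma: float = 0.2) -> List[Optional[float]]:
    """Return one-step-ahead forecasts; the first `period` entries are None
    because they are consumed to initialise level, trend and seasonal terms."""
    if len(series) < 2 * period:
        raise ValueError("need at least two full seasons of history")
    level = sum(series[:period]) / period
    # average per-step change between the first two seasons
    trend = sum(series[i + period] - series[i] for i in range(period)) / (period * period)
    seasonal = [series[i] - level for i in range(period)]
    forecasts: List[Optional[float]] = [None] * len(series)
    for t in range(period, len(series)):
        s = t % period
        forecasts[t] = level + trend + seasonal[s]
        x = series[t]
        new_level = alpha * (x - seasonal[s]) + (1 - alpha) * (level + trend)
        new_trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[s] = gamma * (x - new_level) + (1 - gamma) * seasonal[s]
        level, trend = new_level, new_trend
    return forecasts


def detect_traffic_anomalies(series: List[float], period: int,
                             k: float = 3.0, floor: float = 5.0) -> List[int]:
    """Flag indices whose absolute forecast error exceeds k times the mean
    absolute error seen so far, but never less than `floor`, so a perfectly
    regular history does not turn floating-point noise into alarms."""
    forecasts = holt_winters_forecasts(series, period)
    flagged, errors = [], []
    for t, f in enumerate(forecasts):
        if f is None:
            continue
        err = abs(series[t] - f)
        mae = sum(errors) / len(errors) if errors else 0.0
        if err > max(k * mae, floor):
            flagged.append(t)
        errors.append(err)
    return flagged


# Constructed: packets per interval with a repeating pattern of period 4,
# then a burst at index 20 of the kind a flood would produce.
SAMPLE_TRAFFIC: List[float] = [10, 20, 30, 20] * 6
SAMPLE_TRAFFIC[20] = 200

if __name__ == "__main__":
    print("anomalous intervals:", detect_traffic_anomalies(SAMPLE_TRAFFIC, period=4))
```

The alarm fires on the first interval of the burst; the intervals after it are also flagged until the smoothed level catches up, which is the behaviour behind the high error rates the paper reports for HWPM once traffic deviates from its seasonal shape.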

2.2: A review on Intrusion Detection Techniques for cloud computing and Security challenges
Snehal G. Kene et al. (2015) highlight the privacy and security problems of cloud computing
[2], a growing field in information technology. Cloud computing is defined as internet based
computing in which virtually shared servers in a data centre provide software, platform and
infrastructure. It is divided into three main service categories, IaaS, PaaS and SaaS. SaaS
offers complete online applications that the user accesses directly; IaaS gives the user access
to a whole virtual machine; PaaS offers development tools and is used to build and run
applications, such as Google apps. Cloud computing consists of four deployment models: public,
private, community and hybrid clouds. The public cloud is used by the general public and is
managed by a business organization; the private cloud is used by a particular organization; the
community cloud is used by a group of organizations with the same goals and may be managed by one
of them or by a third party. The main objective of cloud computing is that the customer uses the
services and pays for them. Cloud computing is now used in most organizations, so its security is
very important, and it has become an easy target for attackers. The most common network layer
attacks in cloud computing are Address Resolution Protocol (ARP) attacks, man in the middle
attacks, Denial of Service and Distributed Denial of Service attacks. The intrusion detection
system plays an important role in the security of cloud computing: it detects known as well as
unknown attacks and is used to maintain the integrity and confidentiality of the data. The
authors introduce new ideas for the development of intrusion detection systems for cloud
computing, including involuntary computing, fuzzy theory, ontology and risk management; these are
probabilistic approaches used to reach a conclusion. The authors highlight the security and
privacy problems of cloud computing and identify its distributed architecture as open to
intruders. They consider the various intrusion detection techniques, signature based, anomaly
based and hybrid, analyze the existing techniques, and state the limitations of each technique
and whether it fulfils the security needs or not.

2.3: Architecture for Intrusion detection using Autonomous Agents
Jai Sundar Balasubramaniyan et al. highlight the problems that existing intrusion detection
systems have because of their limited configurability, scalability and efficiency [3]. Most of the
existing architectures have shortcomings: they are built as a single monolithic entity that does
both the data collection and the processing. In this paper the authors review an architecture for
distributed intrusion detection systems that is based on multiple independent entities working
collectively, and they propose an architecture based on multiple entities called autonomous
agents. An intrusion detection system is used to identify such problems, where an intrusion is
defined as an action or an attempt that compromises the integrity or confidentiality of the data.

There are two types of model used in intrusion detection systems.

a) Misuse detection model
In this model the intrusion detection is performed by looking for the known weak points in
the system.
b) Anomaly detection model
In the anomaly detection model the detection is performed by analyzing the system behavior. A
set of rules is defined, and anything that differs from the rules is considered an intrusion
in the system.

The intrusion detection system works in a distributed environment by using autonomous agents. An
autonomous agent is defined as a software agent that is installed on a particular computer and
performs a security monitoring function on that machine. Autonomous agents are independently
running entities whose execution depends only on the operating system. They can be added to and
removed from the system without altering the other entities, so the intrusion detection system
works well in a distributed environment and can work in real time by using these techniques.

2.4: An intrusion detection and prevention system in cloud computing
Ahmed Patel et al. (2013) highlight the various techniques that are used to detect intrusions in
cloud computing [4]. The distributed and open architecture of cloud computing makes it a potential
target for intruders. The paper gives an overview of the latest developments in intrusion
detection and prevention systems for cloud computing. Traditional intrusion detection systems are
too inefficient to be deployed as they are in a cloud environment. The main objective of an
intrusion detection and prevention system is to detect malicious activity and protect the system
from further attacks: it detects the intrusion, raises an alarm, notifies the administrator about
the attack, and blocks the intrusion so that it cannot succeed. In cloud computing, intrusion
detection and prevention systems work by collecting the audit data, analyzing the data and, after
detecting an intrusion, generating an alarm and proceeding with a proper response.

The authors further divide intrusion detection and prevention systems into three main
categories.

a) NIDPS: a Network Intrusion Detection and Prevention System monitors and analyzes the
network traffic and the application protocol activity to identify intrusions.
b) HIDPS: a Host Based Intrusion Detection and Prevention System monitors all the states of
the system as well as the incoming and outgoing network traffic on the host. An HIDPS can
also maintain logs of all the network traffic.
c) AIDPS: an Application Based Intrusion Detection and Prevention System is specific to one
application and monitors the performance and behavior of that application. Its input is the
data produced by the running application.

In this paper the authors survey the latest developments in intrusion detection and prevention
systems for cloud computing and provide a comprehensive taxonomy and possible solutions for the
detection of intrusions in cloud computing.

2.5: Rushing Attack and its Prevention Techniques

Satyam Shrivastava defines a Mobile Ad Hoc Network as a network of different types of nodes that
are connected with each other through wireless links [5]. The nodes communicate over the wireless
links, and every node also acts as a router to forward packets to the other nodes in a multi-hop
fashion. The mobile ad hoc network is wireless and has no fixed access point. In a rushing attack
the attacker forwards route requests faster than the legitimate nodes. The rushing attack is
considered one of the latest network layer attacks, and it affects network capabilities and
functions such as control and message delivery. When a sender node sends a route request packet
to the other nodes in the network, an attacker that is present accepts the route request packet
and forwards it to the destination node in less time than the other nodes in the network. Because
the packet reaches the destination node first, the destination accepts this route request packet
and discards all the other route request packets that arrive through the other nodes. The
destination node considers this a valid route and uses it for further communication, and in this
way the attacker gains access to all the communication on that route.

2.6: Swarm Intelligence in Intrusion Detection

Kolias describes the use of swarm intelligence in intrusion detection systems and how it
increases their efficiency [6]. Intrusion detection is becoming an important component for
protecting confidential data and information, and since intrusion detection systems are used in
many information security infrastructures, their efficiency needs to be increased so that they
perform better. Swarm intelligence belongs to the family of bio-inspired methods that take their
inspiration from the behaviour of swarms of animals and insects. Researchers apply swarm
intelligence during the development of intrusion detection systems, and several different swarm
intelligence methods are used for this purpose. Its major role is to increase the efficiency of
the intrusion detection system.

2.7: Summary
Chapter two covers the literature review. The researchers describe intrusion detection systems
and the various techniques that are used to detect intrusions. Hisham A. Kholidy discusses the
cloud technologies that do not give early warning about attacks and describes the prediction
models that are used to predict attacks. Snehal G. Kene highlights the privacy problems of cloud
computing and describes intrusion and its impact on data integrity. Ahmed Patel highlights the
intrusion detection techniques and alarm management techniques that are used to detect
intrusions. Satyam Shrivastava defines the Mobile Ad Hoc Network as containing different types of
nodes connected with each other through wireless links, and explains how an attacker gains access
to the communication by using the rushing attack. C. Kolias describes the use of swarm
intelligence in intrusion detection systems and how it increases their efficiency.

Chapter 3
Proposed Methodology

Overview:
Chapter three gives an overview of the architecture of the Host Based Intrusion Detection System
and of the methodology it uses to detect intrusions. It also gives an overview of the latest
network attacks, describes the tools used to develop the Host Based Intrusion Detection System,
covers the rushing and wormhole attacks together with the proposed solution for detecting them,
describes the interface of the host based intrusion detection system, and briefly reviews the
libraries used for packet sniffing in the host based intrusion detection system application.

3.1: Architecture of Host based Intrusion detection system

General Use Case:
3.3.1: Use Case of Intrusion detection system

[Figure 3.1 (use case diagram): actors Intrusion Detection System, Alert based agent component
and Network administrator; use cases Capture the network data packets, Analyze the data packets,
Intrusion detection based upon signature based detection, Generate alerts and maintain log.]

Figure 3.1: Use Case of Intrusion Detection System

Figure 3.1 presents the use case for the intrusion detection system. The intrusion detection
system is installed on a specific machine. First it monitors the data traffic between different
machines and between different components of the network, capturing the data packets in packet
sniffing mode. After sniffing the data packets it analyzes them using predefined rules, which can
be modified according to the requirements of an individual or an organization. If any anomaly or
intrusion is detected during the analysis, it generates an alert. Alerts are of four types, and
traditional IDSs mostly produce false negative alerts. After generating the alerts it maintains a
log of the captured data packets, which the administrator can review. The alert based agent
relies on the generated logs and on the signatures provided beforehand to detect the intrusion.

Step-By-Step Description:

a) The user enters a website in the address bar of his machine's browser.
b) The user searches through the search engine.
c) The browser of that system sends the search request to the web server.
d) The Host Based Intrusion Detection System captures the data packets.
e) The Host Based Intrusion Detection System analyzes the captured data packets.
f) The signatures of anomalies are provided to the detection system.
g) The Host Based Intrusion Detection System detects the intrusion by comparing the data
packets with the signatures stored in the database of the system.
h) The Intrusion Detection System detects the intrusion and generates a log of those data
packets.

3.3.2: Use Case of Packet Sniffing:

[Figure 3.2 (use case diagram): actors Intrusion Detection System, Network administrator and Web
Server; use cases Enter IP, Request to the Web Server, Tools Started, Packet Sniffing.]

Figure 3.2: Use Case of Packet Sniffing

Figure 3.2 presents the packet sniffing use case of the Intrusion Detection System. When the user
enters an IP address or website in the address bar of the browser and requests access to it, the
Intrusion Detection System starts capturing all the data packets with the help of WinPcap. The
Host Based Intrusion Detection System then analyzes the data packets and compares them with the
predefined set of signatures to detect an anomaly or intrusion in the system.

3.3.3: Use Case of Anomaly Detection

[Figure 3.3 (use case diagram): actor Intrusion Detection System; use cases Packet Decode,
Preprocessor Rules, Analyze Data Packets, Rule Matching Engine, Detection Engine, Intrusion
Detection and Output Stage, linked by <<include>> relations.]

Figure 3.3: Use Case Anomaly Detection

Figure 3.3 presents the anomaly detection use case of the Host Based Intrusion Detection System.
First the system captures the data packets and then decodes them by applying decoding functions
to the raw packets. Next, preprocessor rules examine and analyze the packets before they are
handed over to the detection engine, which performs simple tests to detect an intrusion using a
set of predefined rules and the signature database. If a predefined signature matches the
signature found in a data packet, the packet is considered an intrusion. Finally, the output stage
compiles the results.

3.3.4: Use Case of Alerts Management and Log maintaining in Host Based Intrusion Detection System

[Figure 3.4 (use case diagram): actors Intrusion Detection System and System administrator; use
cases Packet, Rule Matching Engine, Detection Engine, Intrusion Detection, Raise Alarm, Log
Maintain.]

Figure 3.4: Use Case of Alert and Log management

Figure 3.4 presents the use case for managing the alerts generated by the Host Based Intrusion
Detection System and for maintaining the logs. When a packet is received, the system decodes it
and sends it to the detection engine, which checks for an intrusion by matching the packet
against the predefined signatures. If an intrusion is found it raises an alarm, which in effect
states that there is a threat to the data. After this it maintains a log of the captured data
packets.

3.3.5: Class Diagram of Host Based Intrusion Detection System

[Figure 3.5 (class diagram): classes Data packet (Packet number; Packet checking(), Detect Error,
Error Type()), Intrusion Rules (Defined Rules; Anomaly Checking), Alert generate Agent (Alerts
Types; check Alerts(), check Audits(), checks logs()), Data (Data Info; getData(), analyze
Data(), review data()) and Verify Intrusion (generate alarm, action take against intrusion, block
intrusion()).]

Figure 3.5: Class Diagram of Host based Intrusion detection system

Figure 3.5 presents the class diagram of the Intrusion Detection System. The first function checks
the data packets, that is, the packets that carry data between different components over the
specific network. It then detects errors in those packets and matches them against the predefined
rules to check whether the packets contain an anomaly or not. After this it maintains the log or
audit and checks the alert type, then gets the data and analyzes it. After analyzing the data it
generates the alarm; if an intrusion is found it blocks that intrusion, and the data can then be
reviewed.

3.3.6: Data flow diagram of Intrusion detection system

[Figure 3.6 (data flow diagram): Client and Server exchange traffic; Attacks enter the flow; the
Intrusion Detection System observes it and produces Alerts and Logs Maintain.]

Figure 3.6: Data Flow diagram of Intrusion Detection System

Figure 3.6 presents the general data flow diagram of the Intrusion Detection System. When two
machines (client and server) communicate with each other in a session, an attack may occur on the
data and information, either on the data held on the machines or on the data in transit between
them. When such an attack occurs, the intrusion detection system (HIDS or NIDS) detects it and
generates alerts by raising an alarm, then notifies the machines that the anomaly has been
detected and maintains a log of those activities.

3.3.7: Flow chart of Intrusion detection system

[Figure 3.7 (flow chart): Start -> Select Interface to Sniff Packets -> Start Packet Sniffing ->
Packet Sniffing -> Parse Data to Meaningful Information -> Comparison With Signature Rules ->
Matched With Signature Rules? Yes: Display Malicious Traffic -> Store Malicious Traffic in
Database -> Intrusion Detection -> Log Maintain; No: Normal Traffic -> Log Maintain.]

Figure 3.7: General Flow chart of Host based Intrusion Detection system

Figure 3.7 presents the general flow chart of the Host Based Intrusion Detection System
application. First the user starts the system and selects the interface on which to sniff data
packets from the live network traffic. The application then starts sniffing the data packets,
decodes them and transforms them into a meaningful form. Having parsed the data into meaningful
information, the application compares the data packets with the set of signatures that are
defined and stored in the database. If a data packet matches a signature it is considered
malicious traffic: the system stores this malicious traffic in the database, an intrusion is
detected, and the system logs the malicious traffic. If the incoming data packet does not match
any signature it is considered normal traffic. The system maintains a log of every kind of
traffic.
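The capture, decode, compare and log sequence of Figures 3.1 to 3.7 (and the decoder, preprocessor and detection engine stages that Snort's architecture in 3.4.1 shares) is sketched below as an added Python example. It is not the thesis's C# application and does not read from WinPcap: the frames are constructed in memory with IP and TCP checksums left at zero, and the two signatures are illustrative stand-ins for the project's signature database, not rules taken from it.

```python
"""Signature-based inspection pipeline: decode -> match rules -> log record.
Added example; frames and signatures are constructed, not the thesis's own."""

import socket
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes


def decode_ipv4_tcp(raw: bytes) -> Packet:
    """Decode an IPv4 datagram (no link-layer header) and the TCP segment inside it."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (raw[0] & 0x0F) * 4                  # header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    if proto != 6:                             # only TCP is decoded further here
        return Packet(src, dst, proto, 0, 0, raw[ihl:total_len])
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return Packet(src, dst, proto, sport, dport, tcp[data_off:])


@dataclass
class Signature:
    sid: int
    msg: str
    dport: Optional[int] = None      # None = any destination port
    content: Optional[bytes] = None  # None = no payload test

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != 6:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.content is None or self.content in pkt.payload


# Illustrative rules (constructed; not the thesis's signature database)
SIGNATURES = [
    Signature(1000001, "Cleartext telnet session to monitored host", dport=23),
    Signature(1000002, "HTTP request with directory traversal pattern",
              dport=80, content=b"../.."),
]


def inspect_frame(raw: bytes, signatures=SIGNATURES) -> dict:
    """Run one frame through the pipeline and return its log record.
    Every packet is logged, malicious or normal, as Figure 3.7 requires."""
    pkt = decode_ipv4_tcp(raw)
    hit = next((s for s in signatures if s.matches(pkt)), None)
    return {
        "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
        "verdict": "malicious" if hit else "normal",
        "sid": hit.sid if hit else None,
        "msg": hit.msg if hit else "",
    }


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame; checksums are zero because nothing here verifies them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


SAMPLE_FRAMES = [  # constructed traffic on documentation addresses
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 80, b"GET /index.html HTTP/1.1\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40001, 80, b"GET /../../secret HTTP/1.1\r\n"),
    build_ipv4_tcp("10.0.0.7", "10.0.0.1", 40002, 23, b"\xff\xfd\x18"),
]


def run(frames: List[bytes]) -> List[dict]:
    """The log that Figure 3.7 says is kept for normal and malicious traffic alike."""
    return [inspect_frame(f) for f in frames]


if __name__ == "__main__":
    for entry in run(SAMPLE_FRAMES):
        print(entry)
```

The first rule matches on the destination port alone, the second requires a payload substring as well; the decoder trusts the IHL and data-offset fields, so a hardened version would also bound-check them against the captured length before slicing.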

3.2: Framework that is used in the development of Host based Intrusion detection system
3.2.1: Microsoft .Net framework

The Microsoft .Net framework is used for the development of the Host Based Intrusion Detection
application. The .Net framework provides all the necessary libraries together with the compile
time and run time support for any of the languages used in developing an application. Its two
main components are the common language runtime and the framework class library. The common
language runtime is the runtime environment of the .Net framework; it executes and manages all
running code like a virtual machine. The C# language is used for the development of the host
based intrusion detection application, including packet capturing and sniffing, and the socket
programming for the Host Based Intrusion Detection System is fully developed in the .Net
framework.

3.2.2: Language used for attack generation

The C# language is used for the generation of the rushing and wormhole attacks, which are
generated on the Windows platform. In the rushing attack the attacker forwards the data packet in
less time than the other nodes, while in the wormhole attack the attacker creates a separate
tunnel for further communication.

3.2.3: C# internal Database

C# provides its own internal database facility, which is used to store the incoming data packets
from the network. Visual Studio 2013 also installs a local database automatically; this local
database is used in place of SQL Server and is suitable for light projects.

3.3: Attacks
The Host Based Intrusion Detection System detects the latest network layer attacks, including
the rushing and wormhole attacks. These attacks are new and differ in nature from the other
network layer attacks. The Host Based Intrusion Detection System application detects them using
the signature based methodology and maintains a log of both malicious and normal traffic.

3.3.1: Rushing Attack

The rushing attack is considered one of the latest network layer attacks. It causes system
resources to become scarce for legitimate users and has a significant effect on network
capabilities and functions such as control and message delivery. In a rushing attack, when the
sender node sends a route request packet to the other nodes in the network, an attacker that is
present accepts the route request packet and forwards it to the destination node in less time
than the other nodes in the network. Because the packet reaches the destination node first, the
destination accepts this route request packet and discards all the other route request packets
that arrive through the other nodes. The destination node accepts this as a valid route and uses
it for further communication, and in this way the attacker gains access to the communication
between the sender node and the destination node.

Figure 3.8: Rushing Attack

Figure 3.8 presents the rushing attack. In this diagram a sender node sends a route request
packet to the other nodes in the network, and the packet is received by both node D and node A.
If the attacker is at node A, it forwards the route request packet in less time than node D, so
the packet sent by node A reaches the receiver node first. The receiver accepts that route request
packet and discards all the other route request packets that reach it. Communication is then
established between the sender node and the receiver node over this route, so the attacker gains
access to the communication between the sender and the receiver.
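Since the symptom of the rushing attack is a neighbour that forwards route requests implausibly fast and therefore wins every route, one defender-side check is to profile the forwarding delay of each neighbour over several route discoveries. The following added Python example is not from the thesis, which does not spell out its rushing signature; the 2 ms plausibility threshold, the node names and the RREQ observations are constructed assumptions:

```python
"""Forwarding-delay heuristic for spotting a rushing node. Added example; the
threshold, node names and RREQ observations are constructed, not thesis data."""

from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# (rreq_id, forwarding neighbour, milliseconds between our broadcast and its copy)
RreqObs = Tuple[int, str, float]

# Constructed: nodes B, C, D take 9-14 ms (queueing plus MAC backoff); node A
# relays every request in well under a millisecond, i.e. without those delays.
SAMPLE_OBSERVATIONS: List[RreqObs] = [
    (1, "A", 0.4), (1, "B", 11.2), (1, "C", 9.8), (1, "D", 13.5),
    (2, "A", 0.3), (2, "B", 12.0), (2, "C", 10.7), (2, "D", 9.1),
    (3, "A", 0.5), (3, "B", 10.4), (3, "C", 13.1), (3, "D", 11.9),
    (4, "A", 0.2), (4, "B", 9.6), (4, "C", 12.3), (4, "D", 10.0),
]


def suspected_rushers(obs: List[RreqObs], min_plausible_ms: float = 2.0,
                      min_requests: int = 3) -> List[str]:
    """Neighbours whose median forwarding delay is below the minimum plausible
    processing delay, judged over at least `min_requests` route requests so a
    single lucky fast relay does not trigger the rule."""
    per_node: Dict[str, List[float]] = defaultdict(list)
    for _, node, ms in obs:
        per_node[node].append(ms)
    return sorted(n for n, v in per_node.items()
                  if len(v) >= min_requests and median(v) < min_plausible_ms)


def first_arrival_share(obs: List[RreqObs]) -> Dict[str, float]:
    """Fraction of route requests for which each node's copy arrived first.
    A rushing node wins nearly every race, which is the symptom described above."""
    first: Dict[int, Tuple[str, float]] = {}
    for rid, node, ms in obs:
        if rid not in first or ms < first[rid][1]:
            first[rid] = (node, ms)
    wins: Dict[str, int] = defaultdict(int)
    for node, _ in first.values():
        wins[node] += 1
    total = len(first)
    return {n: wins[n] / total for n in wins}


if __name__ == "__main__":
    print("suspected rushers:", suspected_rushers(SAMPLE_OBSERVATIONS))
    print("first-arrival share:", first_arrival_share(SAMPLE_OBSERVATIONS))
```

The two views complement each other: the median-delay rule needs a calibrated floor for the radio and MAC in use, while the first-arrival share needs no calibration but only becomes convincing after many route discoveries.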

3.3.2: Wormhole Attack

The wormhole attack is a latest network layer attack. When a node sends a route request for a
data packet, the packet is received by the neighboring nodes. If a wormhole node is present in the
network, it creates a fake tunnel that is shorter than the original route within the network. A
wormhole attack involves more than one malicious node and a tunnel between them. The attacker can
easily launch the wormhole attack without having knowledge of the network.

Figure 3.9: Wormhole Attack

Figure 3.9 presents the wormhole attack. A node sends a route request packet, which passes through
various nodes. When the packet reaches the origin point of the wormhole, where an attacker is
present, the attacker creates a wormhole tunnel and sends the route request packet directly to the
destination point, so the destination accepts the route request from the origin point and discards
all the other route request packets that reach it. In this way a wormhole attack is originated
within the network.

3.4: Tools and Software

3.4.1: Snort
Snort is a free, open source network intrusion detection and prevention system. Snort can perform
packet logging and real time analysis of IP traffic, and it performs content searching, protocol
analysis and matching; it is used to detect attacks. Snort can be configured in three modes:
sniffer, packet logger and network intrusion detection. In sniffer mode Snort only reads the data
packets and displays them on the console. In packet logger mode the program logs the packets to
disk. In network intrusion detection mode the program monitors the network traffic and analyzes it
against the rules defined by the user.

[Figure 3.10 (architecture diagram): Packet Stream -> Packet Decoder -> Preprocessor (Plugins) ->
Detection Engine -> Output Stage (Plugins) -> Alerts and Logs.]

Figure 3.10: Snort Architecture

Figure 3.10 presents the general architecture of Snort. For packet sniffing Snort uses an external
packet capture library, libpcap, to capture the data packets. The captured packets are first
decoded and then passed through a set of preprocessors, which compare the data packets against
their predefined rules to check whether a packet matches them or not. The packets are then sent to
the detection engine, which checks each data packet against the set of defined rules and
signatures to decide whether it contains an intrusion. If a packet contains an intrusion, Snort
generates an alert and maintains the log.

3.4.2: Tripwire

Tripwire is a security and data integrity tool used for monitoring and alerting on specific
files. Tripwire detects changes to file systems and their objects. When Tripwire is first
initialized it scans the file system as directed by the system administrator and stores
information about each file in a database. Later the system files are scanned again and the
results are compared against the values stored in the database; any changes are reported to the
user. Cryptographic hashes are used to detect the changes in the files.

Figure 3.11: Flow Diagram of Tripwire Intrusion Detection System

Figure 3.11 presents the general flow diagram of the Tripwire intrusion detection system. Tripwire
is first installed on the computer, and the user can customize its rules and policies according to
their needs. After installation the Tripwire database is initialized; the database holds all the
rules and the results for the system. After initializing the database, Tripwire is run: it scans
the whole system and then examines the report. If changes are observed, Tripwire examines the
report file; if the changes are not permitted it takes appropriate measures to increase security,
and if they are permitted it checks whether the Tripwire policy file is working properly and
updates the policy if it is not. Tripwire rescans the system after some time, and if any changes
are found it considers them an intrusion and notifies the user about that intrusion.
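The baseline-then-rescan logic that Tripwire performs is shown below as an added Python example; it is not Tripwire's own code or database format. A scratch directory stands in for the monitored file system, SHA-256 is the assumed hash, and the three file changes are constructed so that each branch of the report is exercised:

```python
"""Tripwire-style integrity check: hash a tree into a baseline, rescan, diff.
Added example; the directory contents and the change scenario are constructed."""

import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 digest of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """'Initialize the database': map every file under root to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """'Run Tripwire and examine the report': classify every difference."""
    before, now = set(baseline), set(current)
    return {
        "added": sorted(now - before),
        "removed": sorted(before - now),
        "changed": sorted(p for p in before & now if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a scratch directory: baseline two files, then
    modify one, delete one and add one before the rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        # The baseline is serialised like a stored database and kept out of the tree
        db = json.dumps(build_baseline(root))
        _write(root, "etc/hosts", "127.0.0.1 localhost\n203.0.113.9 update.example\n")
        os.remove(os.path.join(root, "etc", "passwd"))
        _write(root, "etc/cron.allow", "root\n")
        return compare(json.loads(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline must live somewhere the monitored host cannot silently rewrite (read-only media or a remote store), otherwise an intruder who changes a file can update its stored digest too.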

3.4.3: OSSEC
OSSEC is a free, open source host based intrusion detection system. It performs rootkit
detection, log analysis, integrity checking and time based alerting along with active response.
It detects intrusions on most operating systems, including Windows, Linux, Solaris and OS X. OSSEC
has a centralized, cross platform architecture that allows multiple systems to be monitored
easily, a powerful correlation and analysis engine, file integrity checking and Windows registry
monitoring. OSSEC can also be installed on servers to monitor other servers, which are called
OSSEC agents. The OSSEC agents are monitored by another type of OSSEC installation called the
OSSEC server. Once the OSSEC server is installed to monitor the agents, additional agents may be
added or removed at any time.

[Figure 3.12 (architecture diagram): Devices send Sys Log to the Log Rules Engines, to Raw Log
Storage and to the Log Translator, which emits JSON into Structured Log Storage.]

Figure 3.12: Architecture Diagram of OSSEC

Figure 3.12 presents the architecture diagram of OSSEC. Devices such as switches, routers and
appliances can only send syslog messages to the server, from where the messages go to the rules
engine for further processing. Hosts are servers that run the rules engine client and send
messages in syslog format to the central server. The log rules engine is an automated log reader:
it reads the logs and generates an alert if it sees any kind of intrusion. The raw log storage
receives the raw logs from the hosts and the devices as well as the alerts. The log translator is
the component that parses the raw logs and converts them into structured JSON; different logs
produce different JSON structures. The structured log storage holds the structured logs, and
structuring the logs makes them easy to monitor, search and process.
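The log translator and rules engine boxes of Figure 3.12 can be illustrated together: raw syslog lines are parsed into structured records that serialise as JSON, and a rule counts authentication failures per source address within a time window. This is an added Python example, not OSSEC's decoder or rule syntax; the log lines, hostnames, addresses and the three-failures threshold are constructed:

```python
"""Syslog-to-JSON translator plus a small rules engine, after Figure 3.12.
Added example; the log lines and the brute-force threshold are constructed."""

import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
AUTH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Constructed syslog lines in the classic BSD format; addresses are documentation ranges.
SAMPLE_LOG = [
    "Jul 14 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Jul 14 10:00:07 host1 sshd[2203]: Failed password for root from 203.0.113.9 port 51236 ssh2",
    "Jul 14 10:00:15 host1 sshd[2205]: Failed password for root from 203.0.113.9 port 51238 ssh2",
    "Jul 14 10:00:22 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 51240 ssh2",
    "Jul 14 10:01:30 host1 sshd[2210]: Failed password for alice from 198.51.100.4 port 40022 ssh2",
    "Jul 14 10:02:00 host1 sshd[2212]: Accepted publickey for alice from 198.51.100.4 port 40024 ssh2",
    "Jul 14 10:02:05 host1 CRON[2215]: (root) CMD (run-parts /etc/cron.hourly)",
]


def translate(line: str) -> Optional[Dict]:
    """The 'log translator' box: raw line -> structured record, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    fail = AUTH_FAIL_RE.search(rec["message"])
    if fail:
        rec["event"] = "auth_failure"
        rec.update(fail.groupdict())        # adds user and src fields
    else:
        rec["event"] = "other"
    return rec


def to_json(line: str) -> Optional[str]:
    """What would be written to the structured log storage."""
    rec = translate(line)
    return json.dumps(rec, sort_keys=True) if rec else None


def brute_force_alerts(records: List[Dict], threshold: int = 3,
                       window_s: int = 120) -> List[Dict]:
    """The 'rules engine' box: alert when `threshold` auth failures arrive from
    one source within `window_s` seconds; one alert per burst."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    for rec in records:
        if rec.get("event") != "auth_failure":
            continue
        t = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less, like syslog
        window = recent[rec["src"]]
        window.append(t)
        window[:] = [w for w in window if (t - w).total_seconds() <= window_s]
        if len(window) >= threshold:
            alerts.append({"rule": "ssh_bruteforce", "host": rec["host"],
                           "src": rec["src"], "count": len(window), "last_seen": rec["ts"]})
            window.clear()
    return alerts


def analyze(lines: List[str]) -> List[Dict]:
    """Full path of Figure 3.12 for a batch of raw lines: translate, then apply rules."""
    records = [r for r in map(translate, lines) if r is not None]
    return brute_force_alerts(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

Because syslog timestamps carry no year, a production rule must take the year from the collector's clock and handle the wrap at New Year; the example sidesteps that by comparing only differences between timestamps.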

3.4.4: Wireshark
Wireshark, earlier known as Ethereal, is a powerful network analysis tool. Wireshark captures the
data packets and displays them in a human readable format. It includes color coding and other
features that help the user inspect each individual network packet. As soon as Wireshark is
started it begins capturing the data packets in real time. Wireshark uses three colors, red,
green and black, to help the user identify the type of traffic: green is used for TCP traffic,
blue for DNS traffic and light blue to highlight UDP traffic. Wireshark is an extremely powerful
tool for network analysis.

3.4.5: Winpcap
WinPcap is an open source library for packet capture and network analysis on the Win32
platform. WinPcap includes a kernel-level packet filter, a low-level dynamic link library and a
high-level, system-independent library. Its main purpose is to capture data packets and to
filter them according to user-specified rules before dispatching them to the application.
WinPcap can also transmit raw packets to the network and gather statistical information
about the network traffic.

3.4.6: TCP Packet

The Transmission Control Protocol (TCP) is a standard that defines how to establish and
maintain a network conversation through which applications can exchange data. TCP works
together with the Internet Protocol (IP), which defines how computers send data packets to
each other. TCP is considered a connection-oriented protocol: it knows how to break the
application data into packets that the network can send, how to deliver those packets, and
how to accept packets from the network layer. It is also considered to provide error-free data
transmission.

3.4.7: DNS Port

DNS is used to look up names and IP addresses. It normally uses port 53 on the server.
When two DNS servers send data to each other they use port 53. UDP is used for individual
queries and TCP for zone transfers. A connection between the DNS server and the DNS
database must be maintained, and this can only be achieved using TCP. A client computer
normally sends a DNS query using UDP over port 53. If the client computer does not get a
response from the DNS server, it must retransmit the DNS query using TCP after an interval
of at least 5 seconds.

3.4.8: UDP Port

The User Datagram Protocol (UDP) is an unreliable, connectionless protocol that uses the IP
address of the destination host and a port number to identify the destination application. A
UDP port is only a 16-bit number that exists to deliver certain types of datagram to the right
place on the host. A UDP port can receive more than one message at a time, and services
are identified by well-known port numbers.

3.4.9: SQL Server Compact

SQL Server Compact is a free embedded SQL Server database used by standalone and
connected applications on computers, mobile phones, desktops and web clients.

3.4.10: Priority Queue

A priority queue is like a normal queue but behaves differently: instead of elements coming
out in first-in, first-out order, they come out in the order of the priority assigned to them. In
this project a priority is set for the generation of raw packets, so that the packets are
generated in priority order using the priority queue.

3.4.11: Log Maintaining

A log is maintained that keeps a record of all incoming and outgoing network traffic. The
log is used to check whether the network traffic contains any kind of error. Log maintaining
is used in the host based intrusion detection application because it keeps a record of all the
network traffic.

3.5: Summary
Chapter three covers the proposed methodology used in the development of the Host Based
Intrusion Detection System. The HIDS works on the basis of signature based detection. In
signature based detection a typical threshold value is set, and if the data packets match a
signature they are considered an intrusion. If the incoming data packets match the signature
database, the system generates an alarm to notify the user about the attack. This chapter also
covers the tools used for testing during the development of the Host Based Intrusion
Detection application. Different types of intrusion detection systems have been tested, and
each system has its own requirements, specifications and restrictions. Wireshark is used for
network analysis and the WinPcap library is used for packet sniffing. The Host Based
Intrusion Detection System maintains a log of every type of incoming and outgoing traffic.

Chapter 4
EXPERIMENTAL RESULTS

Overview:
Chapter four provides an overview of the experimental results of the Host Based Intrusion
Detection System. It gives a brief overview of the whole interface of the Host Based
Intrusion Detection System application and describes how the application works on the
system. Chapter four also describes how the interface is selected, what kind of information it
contains, and what information is present in the IP header.

4.1 Host Based Intrusion Detection Interface

Figure 4.1: Interface of Host Based Intrusion Detection application

Figure 4.1 presents the interface of the Host Based Intrusion Detection application. First the
user selects an interface available on the network interface card to start capturing the data
packets. When the user clicks the start button, the application starts capturing the data packets.

4.2: Interface to select the device

Figure 4.2: Interface to select device

Figure 4.2 presents the interface of the Host Based Intrusion Detection System in which two
IP addresses are shown: the first is the source IP address and the other is the destination IP
address. This shows the data packets captured from the selected interface.

4.3: Data in IP Header

Figure 4.3: Data in IP Header

Figure 4.3 shows the data in the IP header of the datagram. It contains the following fields.

a) Header Length
b) Total Length
c) Differentiated Services
d) Identification
e) Flags
f) Fragmentation offset
g) Time to live
h) Protocol
i) Checksum
j) Source IP address
k) Destination IP address
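The IP header fields listed above, together with the TCP, UDP and DNS port descriptions of sections 3.4.6 to 3.4.8, as an added Python example (not code from the thesis): it decodes a raw IPv4 packet into exactly those fields, verifies the header checksum, and for TCP and UDP pulls out the source and destination ports so that DNS traffic on port 53 can be recognised. The packet builder exists only to construct sample input; the 192.0.2.0/24 addresses and the port numbers are constructed values, and the protocol names mirror the Protocol enum used in the appendix code.

```python
import struct
import ipaddress

# Protocol numbers, matching the Protocol enum in the appendix code (TCP = 6, UDP = 17).
PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                            # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_header(pkt: bytes) -> dict:
    """Decode the IPv4 header fields of Figure 4.3; ports are added for TCP and UDP."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes (20..60)
    if ihl < 20 or ihl > len(pkt) or total_len > len(pkt):
        raise ValueError("inconsistent header/total length")
    zeroed = bytearray(pkt[:ihl])
    zeroed[10:12] = b"\x00\x00"                   # checksum field is zero while computing
    fields = {
        "header_length": ihl,
        "total_length": total_len,
        "differentiated_services": tos >> 2,      # DSCP = upper six bits of the old TOS byte
        "identification": ident,
        "flags": {"DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000)},
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, "Unknown"),
        "checksum": csum,
        "checksum_ok": ip_checksum(bytes(zeroed)) == csum,
        "source_ip": str(ipaddress.IPv4Address(src)),
        "destination_ip": str(ipaddress.IPv4Address(dst)),
    }
    payload = pkt[ihl:total_len]
    # Ports occupy the first four bytes of both the TCP and the UDP header, but only the
    # first fragment carries a transport header, so later fragments yield no ports.
    if (fields["protocol"] in ("TCP", "UDP") and fields["fragment_offset"] == 0
            and len(payload) >= 4):
        sport, dport = struct.unpack("!HH", payload[:4])
        fields["source_port"], fields["destination_port"] = sport, dport
        fields["dns"] = 53 in (sport, dport)      # section 3.4.7: DNS uses port 53
    return fields


def build_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64,
                 ident: int = 0x1234, df: bool = True) -> bytes:
    """Construct a sample IPv4 packet (test input only, not a captured packet)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                0x4000 if df else 0, ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def udp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP header (checksum left at 0, which UDP over IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


if __name__ == "__main__":
    # Constructed DNS query 192.0.2.10:40000 -> 192.0.2.1:53 carried over UDP.
    sample = build_packet("192.0.2.10", "192.0.2.1", 17,
                          udp_segment(40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"))
    for name, value in parse_ip_header(sample).items():
        print(f"{name:>24}: {value}")
```

Two checks matter for a detector rather than a viewer: the header length and total length are validated against the buffer before any slicing, so a malformed packet raises instead of producing garbage fields, and a checksum mismatch is reported as a field rather than silently ignored, which is how tampered or corrupted headers show up in the log.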

4.4: Log File of HIDS


This is the log file of the Host Based Intrusion Detection System. It contains the following
fields.

a) Date and Time
b) Source port
c) Destination port
d) Source IP and Destination IP address

The date and time record when each packet came in or went out. The source IP address is
the address from which a packet is sent and the destination IP address is the address of the
machine on which the packet arrives. The source port is the port from which the packet is
sent and the destination port is the port on which the incoming packet is received.

Figure 4.4: Log File of Host based Intrusion Detection system

4.4: Summary
Chapter four covers the experimental results obtained by using the Host Based Intrusion
Detection System application. The HIDS is used to protect data integrity. This chapter
describes the whole interface of the Host Based Intrusion Detection System: how the system
is used and how to select the interface to start capturing the data packets coming into the
system. This chapter also describes the information contained in the IP header.

CHAPTER 5
CONCLUSION

In this project, the Host Based Intrusion Detection System successfully detects the network
layer attacks that include the rushing attack and the wormhole attack. The signature based
methodology is used to detect intrusions in the system. First the system starts capturing the
live network traffic coming into the system. Then it decodes the data packets and transforms
them into a unique pattern. The system then analyzes the data packets and matches this
meaningful information against the signature rules. If a packet matches a signature, it is
considered malicious traffic. All malicious traffic is stored in the database, and a log of both
malicious and normal traffic is maintained. In the attack generation phase both attacks are
generated using the C and C# languages. In the wormhole attack the first machine generates
data packets and sends them to the specified MAC address of the second machine. The
destination machine captures these data packets and stores them in a file. It then loads the
packets into a queue and forwards them to the specified target machine. In the rushing attack
the first machine generates data packets and sends them to the specified MAC address of the
destination machine. The destination machine captures these packets and stores them in a
file, then loads them into a priority queue and sends them to the specified MAC address of
the target machine.
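The detection side of the pipeline just described (decode, match against signatures with a threshold, store malicious traffic in a database, keep a log of both normal and malicious traffic with the date and time, IP addresses and ports of section 4.4), as an added Python example rather than the project's own C# code. The packets are constructed records that are already decoded; sqlite3 stands in for the SQL Server Compact database; and the two signatures, including the 5050 port that the Appendix D listener binds to, are constructed rules for illustration, not the thesis's signature database.

```python
import sqlite3
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed signature rules (not the thesis's signature database). A rule matches when every
# listed field equals the packet's value; the alarm fires once "threshold" matching packets from
# the same source IP arrive inside "window_s" seconds.
SIGNATURES = [
    {"name": "dns_query_burst", "fields": {"protocol": "UDP", "dst_port": 53},
     "threshold": 5, "window_s": 2},
    {"name": "relay_listener_port", "fields": {"dst_port": 5050},   # port used by the Appendix D listener
     "threshold": 1, "window_s": 0},
]


class SignatureHIDS:
    def __init__(self, signatures, db_path=":memory:"):
        self.signatures = signatures
        self.log = []                              # every packet, normal or malicious (section 4.4)
        self.history = defaultdict(deque)          # (signature, src_ip) -> recent match times
        self.db = sqlite3.connect(db_path)         # sqlite stands in for SQL Server Compact
        self.db.execute("CREATE TABLE IF NOT EXISTS malicious ("
                        "ts TEXT, signature TEXT, src_ip TEXT, src_port INTEGER, "
                        "dst_ip TEXT, dst_port INTEGER)")

    @staticmethod
    def _matches(pkt, sig):
        return all(pkt.get(k) == v for k, v in sig["fields"].items())

    def inspect(self, pkt):
        """Return 'normal' or 'alarm:<signature>' and append the packet to the log."""
        verdict = "normal"
        for sig in self.signatures:
            if not self._matches(pkt, sig):
                continue
            recent = self.history[(sig["name"], pkt["src_ip"])]
            recent.append(pkt["ts"])
            while recent and (pkt["ts"] - recent[0]).total_seconds() > sig["window_s"]:
                recent.popleft()                   # drop matches that fell out of the window
            if len(recent) >= sig["threshold"]:
                verdict = "alarm:" + sig["name"]
                self.db.execute("INSERT INTO malicious VALUES (?, ?, ?, ?, ?, ?)",
                                (pkt["ts"].isoformat(sep=" "), sig["name"], pkt["src_ip"],
                                 pkt["src_port"], pkt["dst_ip"], pkt["dst_port"]))
                recent.clear()                     # one burst produces one alarm
        # Log line with the fields of section 4.4: date/time, source, destination, ports.
        self.log.append("{} {}:{} -> {}:{} {} {}".format(
            pkt["ts"].isoformat(sep=" "), pkt["src_ip"], pkt["src_port"],
            pkt["dst_ip"], pkt["dst_port"], pkt["protocol"], verdict))
        return verdict

    def malicious_count(self):
        return self.db.execute("SELECT COUNT(*) FROM malicious").fetchone()[0]


def constructed_traffic():
    """Sample decoded packets: a DNS burst, one normal HTTP packet, one packet to port 5050."""
    t0 = datetime(2016, 7, 14, 10, 0, 0)

    def pkt(offset_s, src, sport, dst, dport, proto):
        return {"ts": t0 + timedelta(seconds=offset_s), "src_ip": src, "src_port": sport,
                "dst_ip": dst, "dst_port": dport, "protocol": proto}

    burst = [pkt(0.1 * i, "192.0.2.10", 40000 + i, "192.0.2.1", 53, "UDP") for i in range(6)]
    return burst + [pkt(1.0, "192.0.2.10", 50000, "198.51.100.7", 80, "TCP"),
                    pkt(1.5, "192.0.2.20", 50001, "192.0.2.30", 5050, "UDP")]


def run_demo():
    hids = SignatureHIDS(SIGNATURES)
    verdicts = [hids.inspect(p) for p in constructed_traffic()]
    return verdicts, hids


if __name__ == "__main__":
    verdicts, hids = run_demo()
    print("\n".join(hids.log))
    print("malicious rows stored:", hids.malicious_count())
```

The threshold is applied per source address inside a sliding window, so the fifth DNS query in a two-second burst raises the alarm while a single query stays normal; the counter is cleared after the alarm so that a long burst does not produce an alarm for every further packet, and every packet, whatever its verdict, still reaches the log.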

Chapter 6
Future Work

Overview:
Chapter six provides an overview of how the features of the Host Based Intrusion Detection
System application could be enhanced in the future. It describes the planned enhancements
of the Host Based Intrusion Detection application and their possible outcomes for the
security of data. It also describes the advantages of deploying this system in a distributed
environment, and the functions and advancements intended to detect the latest network layer
attacks and prevent them from affecting the system.

5.1: Intrusion detection and prevention systems


The developed Host Based Intrusion Detection System (HIDS) works on the basis of
signature based detection. In future, to enhance the features of the Host Based Intrusion
Detection System, a prevention component will also be developed so that the system not only
detects attacks but also protects the system from them. By developing an Intrusion Detection
and Prevention System, the system will detect the known attacks and also block them.
Nowadays an Intrusion Detection and Prevention System is considered a cost-effective way
to detect and block malicious traffic that contains worms and virus threats. The Intrusion
Detection and Prevention System will serve as a network monitoring point: it will identify all
possible threats, stop them, and generate an alarm to notify the system administrator about
the attack.

5.2: Cloud Computing


Cloud computing is an emerging field in information technology and has become the core
for many IT organizations. More and more organizations are now shifting towards cloud
computing. Due to its open architecture and distributed environment, cloud computing is
becoming a potential and most valuable target for attackers. The security of cloud computing
is an emerging concern, and improving the security of clouds is one of the most difficult
tasks. Previously developed intrusion detection systems did not have good efficiency. In
future the Host Based Intrusion Detection and Prevention System will be deployed in cloud
computing. By deploying it in cloud computing, it will maintain a log of every kind of traffic
and increase the security of the cloud. The proposed Host Based Intrusion Detection and
Prevention application will work on the basis of signature based detection: it will compare
the incoming data packets with the signature database, and if a data packet matches a
signature it will generate an alarm to notify the administrator about the attack and protect the
system by blocking the attack. In this way, deploying the HIDPS in cloud computing will
enhance its security and prevent further loss.

5.3: Privacy in Cloud Computing
Privacy and security are considered among the major problems in cloud computing. If an
attack occurs it not only affects security and privacy but also damages user data and
information. By applying the Host Based Intrusion Detection and Prevention System
application, security in cloud computing is increased, and it will provide a good
authentication process that keeps the user's confidential data and information safe. The Host
Based Intrusion Detection and Prevention System detects and prevents attacks, which makes
the cloud services more secure.

5.4: Enhancement
In future the Host Based Intrusion Detection application will be deployed in a cloud
computing infrastructure. The application will consist of both detection and prevention
features and will work on the basis of signature based detection. Once the signature of an
attack is added to the database of the Host Based Intrusion Detection and Prevention
application, it will compare the incoming data packets with the provided signatures. If a data
packet matches the signature of an attack, it will generate an alarm and block that attack. By
using the Host Based Intrusion Detection and Prevention System, security and privacy in
cloud computing become better. The HIDPS will monitor every kind of network traffic and
maintain a log of it.

5.5: Expected Results


The end goal of the Host Based Intrusion Detection and Prevention System is to make cloud
computing more secure against the latest network layer attacks. By deploying the Host Based
Intrusion Detection and Prevention System in cloud computing, the overall security risk
becomes less, and a strong authentication process will help users store and access their
confidential information safely. The application will detect and block the known attacks and
maintain a log of all the network traffic.

5.6: Summary
This chapter provides a brief description of the future work on the Host Based Intrusion
Detection and Prevention application. The HIDPS is to be used in cloud computing to
increase privacy and security, and to improve the authentication process in cloud computing.
The system will detect the latest network layer attacks in cloud computing and provide better
security and a better authentication process for the clients. HIDPS will detect network layer
attacks, protect the cloud computing system from them, and maintain the logs of network
traffic.

APPENDIX

APPENDIX A
Rushing Attack Generation:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Net.Sockets;
using System.Net;
using System.Collections;
using C5;

namespace Rushing_Generation
{
    public enum Protocol
    {
        TCP = 6,
        UDP = 17,
        Unknown = -1
    };

    public partial class RushingForm : Form
    {
        private Socket mainSocket;                  //The socket which captures all incoming packets
        private byte[] byteData = new byte[4096];
        private bool bContinueCapturing = false;    //A flag to check if packets are to be captured or not
        private byte[] send;
        private Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
            ProtocolType.IP);
        IPEndPoint endpoint = new IPEndPoint(IPAddress.Loopback, 3233);

        public RushingForm()
        {
            InitializeComponent();
        }

        private void btnStart_Click(object sender, EventArgs e)
        {
            if (textBox1.Text == "" || textBox1.Text.Equals(string.Empty))
            {
                MessageBox.Show("Enter Destination IP Address. ", "WormHole", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
                return;
            }
            string input = textBox1.Text.Trim();
            endpoint.Address = IPAddress.Parse(input);
            if (cmbInterfaces.Text == "")
            {
                MessageBox.Show("Select an Interface to capture the packets.", "Rushing",
                    MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }
            try
            {
                if (!bContinueCapturing)
                {
                    //Start capturing the packets...
                    btnStart.Text = "&Stop";
                    bContinueCapturing = true;

                    //For sniffing the socket to capture the packets has to be a raw socket, with the
                    //address family being of type internetwork, and protocol being IP
                    mainSocket = new Socket(AddressFamily.InterNetwork,
                        SocketType.Raw, ProtocolType.IP);

                    //Bind the socket to the selected IP address
                    mainSocket.Bind(new IPEndPoint(IPAddress.Parse(cmbInterfaces.Text), 0));

                    //Set the socket options
                    mainSocket.SetSocketOption(SocketOptionLevel.IP,    //Applies only to IP packets
                        SocketOptionName.HeaderIncluded,                //Set the include the header
                        true);                                          //option to true

                    byte[] byTrue = new byte[4] { 1, 0, 0, 0 };
                    byte[] byOut = new byte[4] { 1, 0, 0, 0 };          //Capture outgoing packets

                    //Socket.IOControl is analogous to the WSAIoctl method of Winsock 2
                    mainSocket.IOControl(IOControlCode.ReceiveAll,      //Equivalent to SIO_RCVALL constant
                                                                        //of Winsock 2
                        byTrue,
                        byOut);

                    //Start receiving the packets asynchronously
                    mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        new AsyncCallback(OnReceive), null);
                }
                else
                {
                    btnStart.Text = "&Start";
                    bContinueCapturing = false;
                    //To stop capturing the packets close the socket
                    mainSocket.Close();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "Rushing", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }

        private void OnReceive(IAsyncResult ar)
        {
            try
            {
                // Queue queue = new Queue();
                int nReceived = mainSocket.EndReceive(ar);

                //Analyze the bytes received...
                // ParseData (byteData, nReceived);

                if (bContinueCapturing)
                {
                    byteData = new byte[4096];
                    string s;
                    //Another call to BeginReceive so that we continue to receive the incoming
                    //packets
                    s = Convert.ToString(mainSocket.BeginReceive(byteData, 0, byteData.Length,
                        SocketFlags.None,
                        new AsyncCallback(OnReceive), null));

                    IPriorityQueue<string> pqueue = new C5.IntervalHeap<string>();
                    C5.IPriorityQueueHandle<string> h = null;
                    pqueue.Add(ref h, s);
                    foreach (string value in pqueue.ToArray())
                    {
                        while (pqueue.Count != 0)
                        {
                            string minimum = pqueue.FindMin(out h);
                            socket.Bind(endpoint);
                            socket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, false);
                            // string text = value;
                            send = Encoding.ASCII.GetBytes(minimum);
                            socket.SendTo(send, send.Length, SocketFlags.None, endpoint);
                            pqueue.DeleteMin(out h);
                        }
                    }

                    socket.Close();
                }
            }
            catch (ObjectDisposedException)
            {
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "Rushing", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }

        private void RushingForm_Load(object sender, EventArgs e)
        {
            label1.Text = "This application is designed to generate\n Rushing attack using c#.";
            label1.BorderStyle = BorderStyle.Fixed3D;
            textBox1.BorderStyle = BorderStyle.Fixed3D;
            textBox1.Font = new Font("Times New Roman", 11);
            label1.Font = new Font("Times New Roman", 10);
            label1.TextAlign = ContentAlignment.MiddleCenter;
            textBox1.TextAlign = HorizontalAlignment.Center;
            string strIP = null;

            IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));
            if (HosyEntry.AddressList.Length > 0)
            {
                foreach (IPAddress ip in HosyEntry.AddressList)
                {
                    strIP = ip.ToString();
                    cmbInterfaces.Items.Add(strIP);
                }
            }
            Controls.Add(label1);
        }

        private void RushingForm_FormClosing(object sender, FormClosingEventArgs e)
        {
            if (bContinueCapturing)
            {
                mainSocket.Close();
            }
        }

        private void label1_Click(object sender, EventArgs e)
        {
            Label label1 = new Label();
        }
    }
}

APPENDIX B
Rushing Server Generation:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Collections;

namespace Rushing_Client_Generation
{
    class Program
    {
        List<Data> storage = new List<Data>();
        private bool IsRunning = false;

        public void Client()
        {
            byte[] data = new byte[4096];
            int recieve;
            Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
                ProtocolType.IP);
            IPEndPoint clientEndPoint = new IPEndPoint(IPAddress.Any, 3233);
            socket.Bind(clientEndPoint);
            IPEndPoint sender = new IPEndPoint(IPAddress.Any, 0);
            EndPoint remote = (EndPoint)(sender);
            IsRunning = true;
            while (IsRunning)
            {
                data = new byte[4096];
                recieve = socket.ReceiveFrom(data, ref remote);
                Console.WriteLine("Packet Recieved From {0}:", remote.ToString());
                Console.WriteLine(Encoding.ASCII.GetString(data, 0, recieve));
                storage.Add(new Data(recieve, data));
            }

            socket.Close();
        }

        struct Data
        {
            int recieve;
            byte[] data;

            public Data(int recieve, byte[] data)
            {
                this.recieve = recieve;
                this.data = data;
            }
        }

        static void Main(string[] args)
        {
            Console.WriteLine("Destination Machine is Listening For Incoming Packets\n");

            Program client = new Program();
            client.Client();
        }
    }
}

APPENDIX C
Wormhole Attack Generation:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Net.Sockets;
using System.Net;
using System.Collections;

namespace Wormhole_Generation
{
    public enum Protocol
    {
        TCP = 6,
        UDP = 17,
        Unknown = -1
    };

    public partial class WormHoleForm : Form
    {
        private Socket mainSocket;                  //The socket which captures all incoming packets
        private byte[] byteData = new byte[4096];
        private bool bContinueCapturing = false;    //A flag to check if packets are to be captured or not
        private byte[] send;
        private Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
            ProtocolType.IP);
        IPEndPoint endpoint = new IPEndPoint(IPAddress.Any, 5050);

        public WormHoleForm()
        {
            InitializeComponent();
        }

        private void btnStart_Click(object sender, EventArgs e)
        {
            if (textBox1.Text == "" || textBox1.Text.Equals(string.Empty))
            {
                MessageBox.Show("Enter Destination IP Address. ", "WormHole",
                    MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }
            string input = textBox1.Text.Trim();
            endpoint.Address = IPAddress.Parse(input);
            if (cmbInterfaces.Text == "")
            {
                MessageBox.Show("Select an Interface to capture the packets.", "WormHole",
                    MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }
            try
            {
                if (!bContinueCapturing)
                {
                    //Start capturing the packets...
                    btnStart.Text = "&Stop";
                    bContinueCapturing = true;

                    //For sniffing the socket to capture the packets has to be a raw socket, with the
                    //address family being of type internetwork, and protocol being IP
                    mainSocket = new Socket(AddressFamily.InterNetwork,
                        SocketType.Raw, ProtocolType.IP);

                    //Bind the socket to the selected IP address
                    mainSocket.Bind(new IPEndPoint(IPAddress.Parse(cmbInterfaces.Text), 0));

                    //Set the socket options
                    mainSocket.SetSocketOption(SocketOptionLevel.IP,    //Applies only to IP packets
                        SocketOptionName.HeaderIncluded,                //Set the include the header
                        true);                                          //option to true

                    byte[] byTrue = new byte[4] { 1, 0, 0, 0 };
                    byte[] byOut = new byte[4] { 1, 0, 0, 0 };          //Capture outgoing packets

                    //Socket.IOControl is analogous to the WSAIoctl method of Winsock 2
                    mainSocket.IOControl(IOControlCode.ReceiveAll,      //Equivalent to SIO_RCVALL constant
                                                                        //of Winsock 2
                        byTrue,
                        byOut);

                    //Start receiving the packets asynchronously
                    mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        new AsyncCallback(OnReceive), null);
                }
                else
                {
                    btnStart.Text = "&Start";
                    bContinueCapturing = false;
                    //To stop capturing the packets close the socket
                    mainSocket.Close();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "WormHole", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }

        private void OnReceive(IAsyncResult ar)
        {
            try
            {
                Queue queue = new Queue();
                int nReceived = mainSocket.EndReceive(ar);

                //Analyze the bytes received...
                // ParseData (byteData, nReceived);

                if (bContinueCapturing)
                {
                    byteData = new byte[4096];
                    string s;
                    //Another call to BeginReceive so that we continue to receive the incoming
                    //packets
                    s = Convert.ToString(mainSocket.BeginReceive(byteData, 0, byteData.Length,
                        SocketFlags.None,
                        new AsyncCallback(OnReceive), null));

                    queue.Enqueue(s);
                    //Console.WriteLine("Item in queue" + queue.Count);

                    foreach (string value in queue.ToArray())
                    {
                        while (queue.Count != 0)
                        {
                            socket.Bind(endpoint);
                            socket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, false);
                            // string text = value;
                            send = Encoding.ASCII.GetBytes(value);
                            socket.SendTo(send, send.Length, SocketFlags.None, endpoint);
                            s = (string)queue.Dequeue();
                        }
                    }

                    socket.Close();
                }
            }
            catch (ObjectDisposedException)
            {
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "WormHole", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }

        private void WormholeForm_Load(object sender, EventArgs e)
        {
            label1.Text = "This application is designed to generate\n Worm Hole attack using c#.\n Enter Destination IPAddress Below in Text Box";
            label1.BorderStyle = BorderStyle.Fixed3D;
            textBox1.BorderStyle = BorderStyle.Fixed3D;
            textBox1.Font = new Font("Times New Roman", 11);
            label1.Font = new Font("Times New Roman", 10);
            label1.TextAlign = ContentAlignment.MiddleCenter;
            textBox1.TextAlign = HorizontalAlignment.Center;

            string strIP = null;

            IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));
            if (HosyEntry.AddressList.Length > 0)
            {
                foreach (IPAddress ip in HosyEntry.AddressList)
                {
                    strIP = ip.ToString();
                    cmbInterfaces.Items.Add(strIP);
                }
            }
            Controls.Add(label1);
        }

        private void WormholeForm_FormClosing(object sender, FormClosingEventArgs e)
        {
            if (bContinueCapturing)
            {
                mainSocket.Close();
            }
        }

        private void label1_Click(object sender, EventArgs e)
        {
            Label label1 = new Label();
        }
    }
}

Wormhole Attack Interface:

APPENDIX D
Wormhole Server Generation:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Collections;

namespace WormHole_Client_Generation
{
    class Program
    {
        List<Data> storage = new List<Data>();
        private bool IsRunning = false;

        public void Client()
        {
            byte[] data = new byte[4096];
            int recieve;
            Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
                ProtocolType.IP);
            IPEndPoint clientEndPoint = new IPEndPoint(IPAddress.Any, 5050);
            socket.Bind(clientEndPoint);
            IPEndPoint sender = new IPEndPoint(IPAddress.Any, 0);
            EndPoint remote = (EndPoint)(sender);
            IsRunning = true;

            while (IsRunning)
            {
                data = new byte[4096];
                recieve = socket.ReceiveFrom(data, ref remote);
                Console.WriteLine("Packet Recieved From {0}:", remote.ToString());
                Console.WriteLine(Encoding.ASCII.GetString(data, 0, recieve));
                storage.Add(new Data(recieve, data));
            }

            socket.Close();
        }

        struct Data
        {
            int recieve;
            byte[] data;

            public Data(int recieve, byte[] data)
            {
                this.recieve = recieve;
                this.data = data;
            }
        }

        static void Main(string[] args)
        {
            Console.WriteLine("Destination Machine is Listening For Incoming WormHole Packets\n");

            Program client = new Program();
            client.Client();
        }
    }
}

APPENDIX E
Main Form Code:
using System;
usingSystem.Collections.Generic;
usingSystem.ComponentModel;
usingSystem.Data;
usingSystem.Drawing;
usingSystem.Text;
usingSystem.Windows.Forms;
usingSystem.Net.Sockets;
using System.Net;
usingSystem.Collections;

namespace IDS
{
publicenumProtocol
{
TCP = 6,
UDP = 17,
Unknown = -1
};

publicpartialclassHIDSForm : Form
{
privateSocketmainSocket; //The socket which captures all incoming packets
privatebyte[] byteData = newbyte[4096];
privateboolbContinueCapturing = false; //A flag to check if packets are to be captured
or not
privatedelegatevoidAddTreeNode(TreeNode node);
Loglog = newLog();
PacketToStorePacketToStore = newPacketToStore();
Signaturesignature = newSignature();
publicHIDSForm()
{

InitializeComponent();
log.openFile();
}

        private void btnStart_Click(object sender, EventArgs e)
        {
            if (cmbInterfaces.Text == "")
            {
                MessageBox.Show("Select an Interface to capture the packets.", "MJsniffer",
                    MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            try
            {
                if (!bContinueCapturing)
                {
                    //Start capturing the packets...

                    btnStart.Text = "&Stop";

                    bContinueCapturing = true;

                    //For sniffing the socket to capture the packets has to be a raw socket, with the
                    //address family being of type internetwork, and protocol being IP
                    mainSocket = new Socket(AddressFamily.InterNetwork,
                        SocketType.Raw, ProtocolType.IP);

                    //Bind the socket to the selected IP address
                    mainSocket.Bind(new IPEndPoint(IPAddress.Parse(cmbInterfaces.Text), 0));

                    //Set the socket options
                    mainSocket.SetSocketOption(SocketOptionLevel.IP,    //Applies only to IP packets
                        SocketOptionName.HeaderIncluded,                 //Set the include-header
                        true);                                           //option to true

                    byte[] byTrue = new byte[4] { 1, 0, 0, 0 };

                    byte[] byOut = new byte[4] { 1, 0, 0, 0 }; //Capture outgoing packets

                    //Socket.IOControl is analogous to the WSAIoctl method of Winsock 2
                    mainSocket.IOControl(IOControlCode.ReceiveAll,  //Equivalent to SIO_RCVALL constant
                                                                    //of Winsock 2
                        byTrue,
                        byOut);

                    //Start receiving the packets asynchronously
                    mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        new AsyncCallback(OnReceive), null);
                }
                else
                {
                    btnStart.Text = "&Start";
                    bContinueCapturing = false;
                    //To stop capturing the packets close the socket
                    mainSocket.Close();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "MJsniffer", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }

        private void OnReceive(IAsyncResult ar)
        {
            try
            {
                int nReceived = mainSocket.EndReceive(ar);

                //Analyze the bytes received...
                ParseData(byteData, nReceived);

                if (bContinueCapturing)
                {
                    byteData = new byte[4096];

                    //Another call to BeginReceive so that we continue to receive the incoming
                    //packets
                    mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        new AsyncCallback(OnReceive), null);
                }
            }
            catch (ObjectDisposedException)
            {
                //The socket was closed by the Stop button or on form close; nothing left to do
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "MJsniffer", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }

        private void ParseData(byte[] byteData, int nReceived)
        {
            TreeNode rootNode = new TreeNode();

            //Since all protocol packets are encapsulated in the IP datagram
            //we start by parsing the IP header and see what protocol data
            //is being carried by it
            IPHeader ipHeader = new IPHeader(byteData, nReceived);

            TreeNode ipNode = MakeIPTreeNode(ipHeader);
            rootNode.Nodes.Add(ipNode);

            //Now according to the protocol being carried by the IP datagram we parse
            //the data field of the datagram
            switch (ipHeader.ProtocolType)
            {
                case Protocol.TCP:
                    TCPHeader tcpHeader = new TCPHeader(ipHeader.Data,  //IPHeader.Data stores the data being
                                                                        //carried by the IP datagram
                        ipHeader.MessageLength);                        //Length of the data field

                    TreeNode tcpNode = MakeTCPTreeNode(tcpHeader);
                    rootNode.Nodes.Add(tcpNode);

                    //If the port is equal to 53 then the underlying protocol is DNS
                    //Note: DNS can use either TCP or UDP, that's why the check is done twice
                    if (tcpHeader.DestinationPort == "53" || tcpHeader.SourcePort == "53")
                    {
                        TreeNode dnsNode = MakeDNSTreeNode(tcpHeader.Data, (int)tcpHeader.MessageLength);
                        rootNode.Nodes.Add(dnsNode);
                    }
                    break;

                case Protocol.UDP:
                    UDPHeader udpHeader = new UDPHeader(ipHeader.Data,  //IPHeader.Data stores the data being
                                                                        //carried by the IP datagram
                        (int)ipHeader.MessageLength);                   //Length of the data field

                    TreeNode udpNode = MakeUDPTreeNode(udpHeader);
                    rootNode.Nodes.Add(udpNode);

                    //If the port is equal to 53 then the underlying protocol is DNS
                    //Note: DNS can use either TCP or UDP, that's why the check is done twice
                    if (udpHeader.DestinationPort == "53" || udpHeader.SourcePort == "53")
                    {
                        TreeNode dnsNode = MakeDNSTreeNode(udpHeader.Data,
                            //Length of UDP header is always eight bytes so we subtract that out of the total
                            //length to find the length of the data
                            Convert.ToInt32(udpHeader.Length) - 8);
                        rootNode.Nodes.Add(dnsNode);
                    }
                    break;

                case Protocol.Unknown:
                    break;
            }

            AddTreeNode addTreeNode = new AddTreeNode(OnAddTreeNode);

            rootNode.Text = ipHeader.SourceAddress.ToString() + "-" +
                ipHeader.DestinationAddress.ToString();

            //Thread safe adding of the nodes (this callback runs off the UI thread)
            treeView.Invoke(addTreeNode, new object[] { rootNode });
        }

        //Helper function which returns the information contained in the IP header as a
        //tree node
        public TreeNode MakeIPTreeNode(IPHeader ipHeader)
        {
            //Fail early on a missing header: every statement below dereferences ipHeader
            if (ipHeader == null)
                throw new ArgumentNullException("ipHeader");

            PacketToStore.setSourceIp(ipHeader.SourceAddress.ToString());
            PacketToStore.setDestinationIp(ipHeader.DestinationAddress.ToString());
            PacketToStore.setTimeToLive(ipHeader.TTL);
            log.setSourceIp(ipHeader.SourceAddress.ToString());
            log.setDestinationIp(ipHeader.DestinationAddress.ToString());
            signature.setSourceIp(ipHeader.SourceAddress.ToString());
            signature.setDestinationIp(ipHeader.DestinationAddress.ToString());
            signature.setTimeToLive(ipHeader.TTL);
            log.WriteToLogFile("Hello", "Word");
            TreeNode ipNode = new TreeNode();

            ipNode.Text = "IP";
            ipNode.Nodes.Add("Ver: " + ipHeader.Version);
            ipNode.Nodes.Add("Header Length: " + ipHeader.HeaderLength);
            ipNode.Nodes.Add("Differentiated Services: " + ipHeader.DifferentiatedServices);
            ipNode.Nodes.Add("Total Length: " + ipHeader.TotalLength);
            ipNode.Nodes.Add("Identification: " + ipHeader.Identification);
            ipNode.Nodes.Add("Flags: " + ipHeader.Flags);
            ipNode.Nodes.Add("Fragmentation Offset: " + ipHeader.FragmentationOffset);
            ipNode.Nodes.Add("Time to live: " + ipHeader.TTL);
            switch (ipHeader.ProtocolType)
            {
                case Protocol.TCP:
                    ipNode.Nodes.Add("Protocol: " + "TCP");
                    break;
                case Protocol.UDP:
                    ipNode.Nodes.Add("Protocol: " + "UDP");
                    break;
                case Protocol.Unknown:
                    ipNode.Nodes.Add("Protocol: " + "Unknown");
                    break;
            }
            ipNode.Nodes.Add("Checksum: " + ipHeader.Checksum);
            ipNode.Nodes.Add("Source: " + ipHeader.SourceAddress.ToString());
            ipNode.Nodes.Add("Destination: " + ipHeader.DestinationAddress.ToString());
            //The store and log getters are called for their side effects only; their
            //return values are discarded. Only the signature values feed the attack string.
            PacketToStore.getSourceIp();
            PacketToStore.getDestinationIp();
            PacketToStore.getTimeToLive();
            log.getSourceIp();
            log.getDestinationIp();
            string getSourceIp = signature.getSourceIp();
            string getDestinationIp = signature.getDestinationIp();
            string getTimeToLive = signature.getTimeToLive();

            //TTL, destination and source are concatenated into the string the signature check works on
            string[] attack = new string[1];
            for (int i = 0; i < attack.Length; i++)
            {
                attack[i] = getTimeToLive + getDestinationIp + getSourceIp;
                Console.WriteLine("At " + i + " index value is " + attack[i]);
            }

            return ipNode;
        }
        // public void checkAttack(string[] attack)
        //{

        // }
        //Helper function which returns the information contained in the TCP header as a
        //tree node
        public TreeNode MakeTCPTreeNode(TCPHeader tcpHeader)
        {
            TreeNode tcpNode = new TreeNode();
            PacketToStore.setSourcePort(tcpHeader.SourcePort);
            PacketToStore.setDestinationPort(tcpHeader.DestinationPort);
            log.setSourcePort(tcpHeader.SourcePort);
            log.setDestinationPort(tcpHeader.DestinationPort);
            signature.setSourcePort(tcpHeader.SourcePort);
            signature.setDestinationPort(tcpHeader.DestinationPort);
            tcpNode.Text = "TCP";

            tcpNode.Nodes.Add("Source Port: " + tcpHeader.SourcePort);
            tcpNode.Nodes.Add("Destination Port: " + tcpHeader.DestinationPort);
            tcpNode.Nodes.Add("Sequence Number: " + tcpHeader.SequenceNumber);

            if (tcpHeader.AcknowledgementNumber != "")
                tcpNode.Nodes.Add("Acknowledgement Number: " +
                    tcpHeader.AcknowledgementNumber);

            tcpNode.Nodes.Add("Header Length: " + tcpHeader.HeaderLength);
            tcpNode.Nodes.Add("Flags: " + tcpHeader.Flags);
            tcpNode.Nodes.Add("Window Size: " + tcpHeader.WindowSize);
            tcpNode.Nodes.Add("Checksum: " + tcpHeader.Checksum);

            if (tcpHeader.UrgentPointer != "")
                tcpNode.Nodes.Add("Urgent Pointer: " + tcpHeader.UrgentPointer);
            //getDestinationProt is spelled as declared in the PacketToStore, Log and Signature classes
            PacketToStore.getSourcePort();
            PacketToStore.getDestinationProt();
            log.getSourcePort();
            log.getDestinationProt();
            signature.getSourcePort();
            signature.getDestinationProt();
            return tcpNode;
        }

        //Helper function which returns the information contained in the UDP header as a
        //tree node
        public TreeNode MakeUDPTreeNode(UDPHeader udpHeader)
        {
            TreeNode udpNode = new TreeNode();
            PacketToStore.setSourcePort(udpHeader.SourcePort);
            PacketToStore.setDestinationPort(udpHeader.DestinationPort);
            log.setSourcePort(udpHeader.SourcePort);
            log.setDestinationPort(udpHeader.DestinationPort);
            signature.setSourcePort(udpHeader.SourcePort);
            signature.setDestinationPort(udpHeader.DestinationPort);
            udpNode.Text = "UDP";
            udpNode.Nodes.Add("Source Port: " + udpHeader.SourcePort);
            udpNode.Nodes.Add("Destination Port: " + udpHeader.DestinationPort);
            udpNode.Nodes.Add("Length: " + udpHeader.Length);
            udpNode.Nodes.Add("Checksum: " + udpHeader.Checksum);
            PacketToStore.getSourcePort();
            PacketToStore.getDestinationProt();
            log.getSourcePort();
            log.getDestinationProt();
            signature.getSourcePort();
            signature.getDestinationProt();
            return udpNode;
        }

        //Helper function which returns the information contained in the DNS header as a
        //tree node
        private TreeNode MakeDNSTreeNode(byte[] byteData, int nLength)
        {
            DNSHeader dnsHeader = new DNSHeader(byteData, nLength);

            TreeNode dnsNode = new TreeNode();

            dnsNode.Text = "DNS";
            dnsNode.Nodes.Add("Identification: " + dnsHeader.Identification);
            dnsNode.Nodes.Add("Flags: " + dnsHeader.Flags);
            dnsNode.Nodes.Add("Questions: " + dnsHeader.TotalQuestions);
            dnsNode.Nodes.Add("Answer RRs: " + dnsHeader.TotalAnswerRRs);
            dnsNode.Nodes.Add("Authority RRs: " + dnsHeader.TotalAuthorityRRs);
            dnsNode.Nodes.Add("Additional RRs: " + dnsHeader.TotalAdditionalRRs);

            return dnsNode;
        }

        private void OnAddTreeNode(TreeNode node)
        {
            treeView.Nodes.Add(node);
        }

        private void SnifferForm_Load(object sender, EventArgs e)
        {
            string strIP = null;

            //List every address of the local host so the user can choose the interface to bind
            IPHostEntry hostEntry = Dns.GetHostEntry(Dns.GetHostName());
            if (hostEntry.AddressList.Length > 0)
            {
                foreach (IPAddress ip in hostEntry.AddressList)
                {
                    strIP = ip.ToString();
                    cmbInterfaces.Items.Add(strIP);
                }
            }
        }

        private void SnifferForm_FormClosing(object sender, FormClosingEventArgs e)
        {
            if (bContinueCapturing)
            {
                mainSocket.Close();
            }
        }
    }
}
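ParseData above walks the IPv4 header, dispatches on the Protocol field to TCP or UDP, and treats port 53 on either side as DNS. The same dispatch in Python, as an added example that is not part of the thesis code, goes one step further than the appendix: it verifies the IPv4 header checksum and rejects truncated or inconsistent length fields before any payload is read. The sample packet, addresses and port numbers are constructed for the example.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_packet(data: bytes) -> dict:
    """IPv4 -> TCP/UDP -> DNS (port 53 on either side), like HIDSForm.ParseData."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(data) or total_len > len(data):
        raise ValueError("bad IPv4 version or length field")
    pkt = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
           "protocol": {6: "TCP", 17: "UDP"}.get(proto, "Unknown"),
           "checksum_ok": ipv4_checksum(data[:ihl]) == 0}
    payload = data[ihl:total_len]
    if proto == 6 and len(payload) >= 20:          # TCP: data offset is the upper nibble of byte 12
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", payload[:14])
        app = payload[(off_flags >> 12) * 4:]
    elif proto == 17 and len(payload) >= 8:        # UDP: header is always 8 bytes
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        app = payload[8:ulen]
    else:
        return pkt
    pkt.update(sport=sport, dport=dport)
    if 53 in (sport, dport) and len(app) >= 12:    # DNS header: ID, flags, four RR counts
        dns_id, _, qd, an, _, _ = struct.unpack("!6H", app[:12])
        pkt["dns"] = {"id": dns_id, "questions": qd, "answers": an}
    return pkt

def build_sample_dns_query() -> bytes:
    """Constructed sample: UDP/DNS query for example.com, 192.168.1.10 -> 192.168.1.1."""
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum field
    return ip + udp

if __name__ == "__main__":
    print(parse_packet(build_sample_dns_query()))
```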
