Submitted by:
Muhammad Ahsan (12-CS-033)
Submitted to:
July 2016
There are no secrets to success. It is the result of preparation,
hard work, and learning from failure.
THESIS APPROVAL
Thesis/Project Title: Host based Intrusion Detection System
Project Supervisor:
DR Khalid Hussain.
Particulars of the students:
S. No.  Reg. No.    Full Name         CGPA   Signatures
1.      12-CS-033   Muhammad Ahsan    2.45
2.      12-CS-043   Noman-Ul-Ehsan    2.96
3.
Advisor’s Consent
I Prof./Dr./Mr./Ms. ________________________________________________ am willing to
guide these students in all phases of above-mentioned project/thesis as advisor. I have
carefully seen the Title and description of the project/thesis and believe that it is of an
appropriate difficulty level for the number of students named above.
_______________ ___________________________
Date Signature
External Examiner
I have carefully read the project proposal and feel that the proposed project is a useful
one and of a sufficient difficulty level to justify a one-year work load of above
mentioned students.
Recommended Signatures and Date
Yes No
ABSTRACT
Cyber threats have become one of the core concerns in today's world. Cyber-attacks are
viewed as a threat to a nation's sovereignty, regardless of whether they are generated from
inside or outside the national border. These threats call into question the security of many
sectors such as telecom, oil and gas, health care, finance, education, the military, government
and security agencies, and they are increasing day by day. There are many kinds of
cyber-attack, such as TCP sequence prediction, DoS, DDoS, malware, phishing, password
attacks, social engineering and unpatched software. Most intrusion detection systems, such as
Snort, Nessus, Tripwire and OSSEC, are built to detect these types of attack. Rushing and
wormhole attacks are comparatively new, and there is room to improve on the latest
techniques to mitigate them. This research proposes a host based intrusion detection system
using signature based detection that monitors a host decoy serving several purposes: it can
distract adversaries from a valuable host, provides early warning about new network layer
attacks and allows in-depth examination of adversaries during and after exploitation of an
attack.
ACKNOWLEDGEMENTS
In the name of Allah, The Most Gracious and the Most Merciful. Allah Almighty helped
us with His blessings and gave us the strength to complete this project. A special appreciation
goes to our Project Supervisor Dr Khalid Hussain for his support and supervision, and we
would also like to thank our project co-supervisor Veena Dillshad for their support and
knowledge regarding the project. We would like to express our gratitude to our parents for
their kind co-operation and encouragement, which helped us complete this project. We would
like to thank our teachers and our colleagues for their help and guidance in the development
of this project.
Table of Contents
Chapter 1  12
Introduction  12
  Overview  12
  1.1: Introduction  12
  1.2: Background  12
  1.3: What is an intrusion detection system?  13
  1.4: Why intrusion detection systems?  13
  1.5: Architecture of Host Based Intrusion Detection system  14
  1.6: Types of intrusion detection system  14
  1.7: Host Based Intrusion detection system  15
  1.8: Network Based Intrusion Detection System  15
  1.9: Scope of the project  15
  1.10: Problem Statement  16
  1.11: Proposed Methodology  16
  1.12: Objective  16
  1.13: Scope  16
  1.14: Applications of Host Based Intrusion Detection system  16
  1.15: Summary  17
Chapter 2  18
Literature Review  18
  Overview  18
  2.1: Attack prediction Models for Cloud Intrusion Detection Systems  18
  2.2: A review on Intrusion Detection Techniques for cloud computing and Security challenges  19
  2.3: Architecture for Intrusion detection using Autonomous Agents  20
  2.4: An intrusion detection and prevention system in cloud computing  20
  2.5: Rushing Attack and its Prevention Techniques  21
  2.6: Swarm Intelligence in Intrusion Detection  21
  2.7: Summary  22
Chapter 3  23
Proposed Methodology  23
  Overview  23
  3.1: Architecture of Host based Intrusion detection system  23
  General Use Case  23
    3.3.1: Use Case of Intrusion detection system  23
    3.3.2: Use Case of Packet Sniffing  24
    3.3.3: Use Case of Anomaly Detection  25
    3.3.4: Use Case of Alerts Management and Log maintaining in Host Based Intrusion Detection System  26
    3.3.5: Class Diagram of Host Based Intrusion Detection System  27
    3.3.6: Data flow diagram of Intrusion detection system  28
    3.3.7: Flow chart of Intrusion detection system  29
  3.2: Framework that is used in the development of Host based Intrusion detection system  30
    3.2.1: Microsoft .Net framework  30
    3.2.2: Language used for attack generation  30
    3.2.3: C# internal Database  30
  3.3: Attacks  30
    3.3.1: Rushing Attack  30
    3.3.2: Wormhole Attack  31
  3.4: Tools and Software  32
    3.4.1: Snort  32
    3.4.2: Tripwire  33
    3.4.3: OSSEC  34
    3.4.4: Wireshark  35
    3.4.5: Winpcap  35
    3.4.6: TCP Packet  35
    3.4.7: DNS Port  35
    3.4.8: UDP Port  35
    3.4.9: SQL Server Compact  36
    3.4.10: Priority Queue  36
    3.4.11: Log Maintaining  36
  3.5: Summary  36
Chapter 4  37
Experimental Results  37
  Overview  37
  4.1: Host Based Intrusion Detection Interface  37
  4.2: Interface to select the device  38
  4.3: Data in IP Header  38
  4.4: Summary  39
Chapter 5  40
Conclusion  40
Chapter 6  41
Future Work  41
  Overview  41
  5.1: Intrusion detection and prevention systems  41
  5.2: Cloud Computing  41
  5.3: Privacy in Cloud Computing  42
  5.4: Enhancement  42
  5.5: Expected Results  42
  5.6: Summary  42
Chapter 7  42
References  43
Appendix  45
LIST OF FIGURES
Figure 3.7: General Flow chart of Host based Intrusion Detection system  29
ANNEXURE TABLE:
Chapter 1
Introduction
Overview:
Chapter one gives an overview of intrusion detection systems and their types: the background
of intrusion detection systems, what they are and why they are used. An intrusion detection
system is used to monitor the network traffic and to protect systems from intrusion and
malicious attacks. Intrusion detection systems are used to maintain data integrity. Host based
intrusion detection systems are used to monitor the network traffic and protect the host from
malicious attacks. The host based intrusion detection system will cover the latest network
layer attacks, which include the rushing attack and the wormhole attack. The main objective
of the intrusion detection system is to reduce the probability of network layer attacks so that
data integrity can be maintained and the efficiency of the system increases.
1.1: Introduction
An intrusion detection system is a system that monitors the network and host activities for
intrusion and malicious attacks. Its main purpose is to find anomalies. An intrusion detection
system is basically used to detect the unauthorized activity of an unauthorized user. It works
by checking the number of data packets carrying a large amount of data. As the number of
networks increases, shortcomings appear in every type of technology. Intrusion represents a
serious threat to network security, as an attacker or intruder always looks to disrupt the
services of the network. To protect data integrity and information there must be some
mechanism so that, from a security point of view, not everyone is able to access the
information; different kinds of systems are developed to protect the data and its integrity.
The main purpose of an intrusion detection system is to detect attacks and to give proper
notification that an attack has been launched. Intrusion detection is the process of monitoring
and detecting the events that occur on networks or computer systems and analyzing the
possible threats that may violate the security policies. The intrusion detection system first
captures the data packets, which are in the form of IP packets, then decodes the captured
packets and transforms them into a unique pattern, then analyzes and classifies the data as to
whether it is in a proper format or not. To handle a large amount of traffic over the network
and to maintain the integrity of data, a new method called the intrusion detection system is
adopted.
1.2: Background
The goal of an intrusion detection system is to monitor network and host assets to detect
intrusion and anomalous behavior. The idea of the intrusion detection system was first given
by James Anderson in his paper in 1980. The paper, written for a government organization,
introduced the idea that audit trails contain important information that could be valuable in
tracking intrusion and misuse and in understanding user behavior. From this the concept of
detecting misuse, intrusion and specific user events emerged. In 1983 Dr Dorothy Denning
began work on a government project called intrusion detection development. The main goal
was to analyze audit trails from government mainframe computers and create profiles of
users based upon their activities. One year later Dr Denning developed the first model of
intrusion detection. Later, significant advances were made at the University of California.
The Haystack project released another intrusion detection project for the US Air Force; it
worked by analyzing the audit data and comparing it with defined patterns. In 1990 Davis
Todd introduced the idea of the network intrusion detection system, and network intrusion
detection was deployed at many government offices, where network traffic analysis provided
a massive amount of information. This created more awareness of and interest in the field of
intrusion detection systems, and investment in the intrusion detection market increased
significantly. The intrusion detection market gained popularity and generated revenue in
1997. The main purpose of an intrusion detection system is to maintain data integrity and
protect systems from different network layer attacks. Current market statistics show that
intrusion detection systems are among the top selling security technologies and their demand
is increasing day by day.
1.5: Architecture of Host Based Intrusion Detection system
Figure 1.1 presents the general architecture diagram of the host based intrusion detection
system. The host based intrusion detection system is installed on a specific machine and
works on the basis of signature based detection; the signatures are already defined in it.
Workstations, laptops and personal computers are connected to the network. There is also a
firewall in the network, which is considered a network security system: it controls both
incoming and outgoing network traffic on the basis of a predefined set of rules, acts as a
barrier between trusted and untrusted networks, and its main function is to filter the network
traffic between two or more networks. The host based intrusion detection system is installed
on a single host. It works on the basis of signature based detection by comparing all the data
packets with the database of signatures. If an incoming data packet matches a predefined
signature then the host based intrusion detection system considers it an anomaly and raises
an alarm to notify the user that an intrusion has occurred; it also maintains a log of that
intrusion. The host based intrusion detection system monitors every type of traffic coming to
the system and checks every data packet for whether it contains some kind of intrusion or
not. The main function of the intrusion detection system is to maintain data integrity and
information.
1.7: Host Based Intrusion detection system
A host based intrusion detection system monitors every system that serves as a host. It
collects the data and analyzes it; the data can also be analyzed by a separate machine. It is
basically used to check for unauthorized modification of a file. Host based intrusion detection
is considered agent based software that resides on a computer and is governed by the system.
A host based intrusion detection system monitors each type of traffic coming into the system
and has the ability to monitor the system data on a scheduled basis. An intrusion detection
system monitors the network and host activities for intrusion and malicious attacks. It works
by checking the number of data packets carrying a large amount of data. It analyzes the data
packets, generates reports and performs analysis to detect intrusion. IDS have many versions,
but the approach of all of them is to detect malicious activities and traffic over the network
and host. It generates and maintains a log of all the activities done by the system. It detects
malicious activities and malicious files coming from any source and maintains a log of those
activities and files.
(a) File system monitors: check the integrity of files and directories in a system.
(b) Log analysis: scans the log file for patterns which indicate malicious activity.
(c) Connection analysis: monitors connection attempts to and from the host.
(d) Kernel based IDS: monitors malicious activities at the kernel level.
Most HIDS have the ability to monitor and prevent malicious activities. These systems are
generally deployed at a central location and also managed from there, with agents configured
on the local hosts. There can be a single policy or multiple policies for all machines,
depending on operating system, machine type, physical location and user type. Once a policy
is configured, it is then distributed to the group of hosts.
and wormhole attack. The main goal of this project is to secure user data from network layer
attacks so that user information cannot be stolen and data integrity can be maintained.
1.12: Objective
The main objective of the host based intrusion detection system is to reduce the probability
of the most common network layer attacks. By reducing the probability of network layer
attacks, the efficiency of the system increases.
The host based intrusion detection system software product has been able to detect the
rushing and wormhole attacks: when these attacks are performed on a specific network, the
host based intrusion detection system detects them and raises an alarm to notify the system
administrator that an attack has been launched on the system.
To secure the user's data from some dangerous attacks so that the user's personal
information cannot be stolen.
1.13: Scope
This is an age of technology and everyone is familiar with it. People use technology via
mobile phones and computers, and when they interact there is an exchange of data. The
project's main goal is to protect the user data from the latest network layer attacks. By
reducing the probability of network layer attacks, data integrity can be maintained and the
performance and efficiency of the system also increase. The main goal of the host based
intrusion detection system is to detect the latest network layer attacks, which include the
rushing attack and the wormhole attack, and to secure user data from these network layer
attacks so that user information cannot be stolen and data integrity can be maintained.
have a very vast domain in information security. Intrusion detection systems are used to
protect data integrity and information.
The following are the applications of host based Intrusion detection system.
a) Government offices
b) Banking organization
c) Intelligence agencies
d) Armed forces communication centers
e) Educational organizations
f) Strategic organizations
1.15: Summary
Chapter one covers the introduction to intrusion detection systems. An intrusion detection
system is a security system that is used to monitor the network traffic and hosts for intruders
and attackers. The main purpose of this system is to find anomalies and intrusion in the
network, and it is used to protect user data and information. The host based intrusion
detection system works on the basis of signature based detection and monitors every kind of
traffic coming to the system. The main objective of the host based intrusion detection system
is to detect the rushing attack and the wormhole attack, and its main goal is to protect the
user information from those attacks.
Chapter 2
Literature Review
Overview:
Chapter two provides the literature review. In this chapter we review the literature on
intrusion detection systems and on the latest network layer attacks, which include the rushing
attack and the wormhole attack. Hisham A. Kholidy provides an overview of early warning of
attacks. He describes three prediction models: the Finite State Hidden Markov prediction
model, the Finite Context Prediction model and the Holt Winter Prediction Model. Snehal G.
Kene highlights the privacy problems of cloud computing. He also uses different intrusion
detection techniques to detect intrusions and describes intrusion and its impact on data
integrity and confidentiality. Ahmed Patel highlights the various techniques that are used to
detect intrusions. He also describes the latest intrusion detection systems and alarm
management techniques used to detect intrusions. Prof. A.K. Gulve describes the techniques
of intrusion detection systems and the four basic approaches that can be used in them: the
statistics based approach, the data mining approach, the SOM based approach, and the
supervised and unsupervised learning approach.
The finite context prediction model is based on learning a VMM over a finite context. It
uses a training algorithm. The FCPM model is very flexible to implement and understand,
and it does not require knowledge of the network topology or the system configuration.
FCPM can predict attacks, and the models are evaluated and compared using the LLDOS 1.0
attack. The Holt Winter Prediction model understands unusual behavior of the network
traffic, that is, when the amount of network traffic is either too high or too low compared to
the normal network traffic. The Holt Winter prediction model does not require attack
signatures, as it compares the unusual behavior of the network with its normal behavior. The
error rate of the Holt Winter prediction model is so high that it cannot be used for intrusion
detection in cloud computing systems. The three prediction models implemented are the
Finite State Hidden Markov Prediction Model (FSHMPM), the Finite Context Prediction
Model (FCPM) and the Holt Winter Prediction Model (HWPM). By implementing FSHMPM
the author obtained successful early warnings 39.6 minutes before the launch of the
LLDOS 1.0 attack. FCPM successfully fired early warnings 58.98 minutes before the launch
of the LLDOS 1.0 attack. Using HWPM he observed an error rate of 42.07% for HTTP and
44.02% for FTP.
2.3: Architecture for Intrusion detection using Autonomous Agents
Jai Sundar Balasubramaniyan et al. highlight the problems in existing systems due to their
limited configurability, scalability and efficiency [3]. Most architectures share these
shortcomings: the existing architecture is built as a single monolithic entity that does both
the data collection and the processing. In this paper the authors review an architecture for
distributed intrusion detection systems that is based on multiple independent entities working
collectively. They propose an architecture based on multiple entities called autonomous
agents. The intrusion detection system is used to identify the problems, where an intrusion is
defined as an action or attempt to compromise the integrity or confidentiality of the data.
The intrusion detection system works in a distributed environment by using autonomous
agents. An autonomous agent is defined as a software agent that is installed on a particular
computer and performs a security monitoring function on that machine. Autonomous agents
are independent working entities and their execution depends entirely upon the operating
system. They can be removed from and added to the system without alerting the other
entities. The intrusion detection system works well in the distributed environment by using
autonomous agents, and it will work in a real time environment by using these techniques.
data and after detecting the intrusion it generates an alarm and proceeds with a proper
response.
The author further divides intrusion detection and prevention systems into three main
categories.
a) NIDPS: A Network Intrusion Detection and Prevention System monitors and
analyzes the network traffic and the application protocol activity to identify the
intrusion.
b) HIDPS: A Host Based Intrusion Detection and Prevention System monitors all the
states of the system and both the incoming and outgoing network traffic on the
system. HIDPS can also maintain logs of all the network traffic.
c) AIDPS: An Application Based Intrusion Detection and Prevention System is a
specific application that monitors the performance and behavior of the system. Its
input is the data sources of the running applications.
In this paper the author highlights the latest developments in intrusion detection and
prevention systems for detecting intrusion in cloud computing, and provides a comprehensive
taxonomy and possible solutions for the detection of intrusion in cloud computing.
better with good performance. Swarm intelligence belongs to the family of bio-inspired
methods that take their inspiration from the behavior of swarms of animals and insects.
Swarm intelligence is used in intrusion detection systems, and researchers apply it during
the development of an intrusion detection system. There are different swarm intelligence
methods used in the development of intrusion detection systems. The major role of swarm
intelligence is to increase the efficiency of the intrusion detection system.
2.7: Summary
Chapter two covers the literature review. The researchers describe intrusion detection
systems and the various techniques used to detect intrusion. Hisham A. Kholidy discusses
and highlights the various cloud technologies that do not give early warning about attacks,
and describes the various prediction models used to predict attacks. Snehal G. Kene
highlights the privacy problem of cloud computing and describes intrusion and its impact on
data integrity. Ahmed Patel highlights intrusion detection techniques and alarm management
techniques used to detect intrusions. Satyam Shrivastava defines the Mobile Ad Hoc network
as containing different types of nodes connected with each other through wireless links, and
explains the rushing attack phenomenon, that is, how the attacker gains access to the
communication by using the rushing attack. C. Kolias defines the use of swarm intelligence
in intrusion detection systems and how the efficiency of an intrusion detection system is
increased by using swarm intelligence.
Chapter 3
Proposed Methodology
Overview:
Chapter three provides an overview of the architecture of the host based intrusion detection
system and of the proposed methodology used in it for the detection of intrusion. This
chapter also provides an overview of the latest network attacks and describes the tools used
for the development of the host based intrusion detection system. It covers the phenomena of
the rushing and wormhole attacks and the proposed solution used to detect them. It also
describes the interface that the host based intrusion detection system contains, and gives a
brief overview of the libraries used in packet sniffing and in the host based intrusion
detection system application.
Figure 3.1: Use case of the intrusion detection system. Actor: Network administrator. Use
cases: Intrusion Detection based upon signature based detection; Generate Alerts and
Maintains log.
Figure 3.1 presents the use case for the intrusion detection system. Here the intrusion
detection system is installed on a specific machine. First it monitors the data traffic between
different machines and between different components of the network. It captures the data
packets in packet sniffing mode. After sniffing the data packets it analyzes them using
predefined rules; these rules can be modified to the requirements of an individual or an
organization. If, after analyzing the data packets, any anomaly or intrusion is detected, it
generates an alert. These alerts are of four types, and traditional IDS mostly produce false
negative alerts. After generating alerts it maintains a log of the data packets it captured,
which can be reviewed by the administrator. The alert agent works from the logs that are
generated and from the signatures provided beforehand to detect the intrusion.
[Figure 3.2: Use case of packet sniffing. Elements: Enter IP; Request to the Web Server; Tools Started; Packet Sniffing; actors: Intrusion Detection system, Network administrator]
Figure 3.2 presents the use case of packet sniffing in the Intrusion Detection System, in
which the Intrusion Detection System sniffs the data packets. When an IP address or website
is entered by the user in the address bar of the browser and a request is made to access that
IP address or website, the Intrusion Detection System starts capturing all the data packets
with the help of winpcap. Then the Host Based Intrusion Detection System starts analyzing
the data packets and comparing them with the predefined set of signatures to detect an
anomaly or intrusion in the system.
[Figure 3.3: Use case of anomaly detection. Elements: Packet Decode; Rule Detection (<<include>>); Matching Engine; Intrusion Detection (<<include>>); Output Stage; actor: Intrusion Detection system]
Figure 3.3 presents the use case of anomaly detection in the Host Based Intrusion Detection
System. First the Host Based Intrusion Detection System captures the data packets, then it
decodes those data packets. This is done by applying some functions to the data packets.
After that there are some preprocessor rules by which the packets are examined and analyzed
before they are handed over to the detection engine. In the detection engine it performs
simple tests to detect intrusion. Here some rules are predefined and a signature database is
present. If the predefined signatures and the signature in the data packet match then it is
considered an intrusion. Then in the output stage it compiles the results.
3.3.4: Use Case of Alerts Management and Log maintaining in Host Based Intrusion Detection System
[Figure 3.4: Use case of alerts management and log maintaining. Elements: Packet; Raise Alarm; Log Maintain; actors: Intrusion Detection system, System administrator]
Figure 3.4 presents the use case for the management of alerts and the maintenance of logs
generated by the Host Based Intrusion Detection system. As a packet is received by the
system it decodes that data packet and sends it to the detection engine. Here it checks for
intrusion by matching the signature of the packet with the predefined signatures. If any
intrusion is found then it raises an alarm, which in effect indicates that there is a threat to
the data. After this it maintains a log of the captured data packets.
3.3.5: Class Diagram of Host Based Intrusion Detection System
[Figure 3.5: Class diagram. Classes: Data packet (Packet number, Packet checking()); Intrusion (Rules, Defined Rules, Error Type()); Detect Error; Anomaly Checking]
Figure 3.5 presents the class diagram for the Intrusion Detection System. The first function
is used to check the data packet. Here those packets are checked which contain data and
move between different components over the specific network. After that it detects the
errors in those packets. Then it matches those errors with the predefined rules. This is done
to check whether there is any anomaly in the packets or not. After this it maintains the log
or audit and checks the alert type. After this it gets the data and analyzes it. After
performing the analysis on the data it generates the alarm. If any intrusion is found then it
blocks that intrusion, and then the data can be reviewed.
3.3.6: Data flow diagram of Intrusion detection system.
[Figure 3.6: Data flow diagram. Elements: Client; Server; Attacks; Intrusion Detection System; Alerts; Logs Maintain]
Figure 3.6 presents the general data flow diagram of the Intrusion Detection System. When
two machines (client and server) are communicating with each other in a specific session,
there is a possibility that an attack on data and information can occur (either on data
present on the machines or on data in transit between them). When an attack on data occurs
the intrusion detection system (HIDS or NIDS) detects the attack and generates alerts by
raising an alarm. Then it notifies the machines that the following anomaly has been
detected. After that it maintains the log of those activities.
3.3.7: Flow chart of Intrusion detection system
[Figure 3.7 flow chart: Start; Packet Sniffing; Comparison With Signature Rules; No match: Normal Traffic, Log Maintain; match: Store Malicious Traffic in Database, Intrusion Detection, Log Maintain]
Figure 3.7: General Flow chart of Host based Intrusion Detection system
Figure 3.7 presents the general flow chart of the Host Based Intrusion Detection System
application. First the user starts the system and selects the interface from which to sniff
the data packets from the live network traffic. After selecting the interface the application
starts sniffing the data packets. After sniffing the data packets it decodes them and
transforms them into a useful, meaningful form. Having converted the parsed data into
meaningful information, the application compares these data packets with the set of
signatures that are defined and stored in the database. If the data packets match the
signatures then they are considered malicious traffic. The system stores this malicious
traffic in the database, an intrusion is detected, and the system also maintains a log of the
malicious traffic. If the incoming data packet does not match the signatures then it is
considered normal traffic, and the system maintains a log of every kind of traffic.
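The comparison and logging stages of the flow chart above, as an added example in Python that is not part of the thesis or its C# application: each decoded packet is checked against a set of signature rules, matches are stored as malicious, and every packet, normal or not, is logged. The packet records, the two rules and the ports they name are constructed for the demonstration, not real attack signatures.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    """A decoded packet as the packet decoder stage would hand it over (constructed)."""
    src: str
    dst: str
    protocol: str      # "TCP" or "UDP"
    dst_port: int
    payload: bytes


@dataclass
class Signature:
    """One signature rule; a None field means 'match any value'."""
    sid: int
    name: str
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    content: Optional[bytes] = None   # byte pattern that must occur in the payload

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


@dataclass
class Detector:
    signatures: List[Signature]
    log: List[dict] = field(default_factory=list)           # every packet, normal or malicious
    malicious_db: List[dict] = field(default_factory=list)  # only the packets that matched

    def inspect(self, pkt: Packet) -> Optional[Signature]:
        """Compare one packet with the signature rules; the first matching rule wins."""
        hit = next((s for s in self.signatures if s.matches(pkt)), None)
        entry = {
            "verdict": "malicious" if hit else "normal",
            "src": pkt.src, "dst": pkt.dst,
            "protocol": pkt.protocol, "dst_port": pkt.dst_port,
            "sid": hit.sid if hit else None,
        }
        self.log.append(entry)                 # log maintained for all traffic
        if hit:
            self.malicious_db.append(entry)    # malicious traffic stored separately
        return hit


# Constructed rules for the demonstration (not real attack signatures).
SIGNATURES = [
    Signature(1001, "test marker in HTTP request", protocol="TCP", dst_port=80,
              content=b"TEST-MARKER"),
    Signature(1002, "any datagram to the monitored UDP port", protocol="UDP", dst_port=9999),
]


def run_demo() -> Detector:
    det = Detector(SIGNATURES)
    packets = [  # constructed sample traffic
        Packet("10.0.0.5", "10.0.0.9", "TCP", 80, b"GET / HTTP/1.1\r\n"),
        Packet("10.0.0.5", "10.0.0.9", "TCP", 80, b"GET /?q=TEST-MARKER HTTP/1.1\r\n"),
        Packet("10.0.0.7", "10.0.0.9", "UDP", 9999, b"route request"),
        Packet("10.0.0.7", "10.0.0.9", "UDP", 53, b"TEST-MARKER"),  # right content, wrong proto/port
    ]
    for pkt in packets:
        det.inspect(pkt)
    return det
```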
The Microsoft .NET Framework is used for the development of the Host Based Intrusion
Detection application. The .NET Framework provides all the necessary libraries and the
compile time and run time support needed to run any language used in the development of
the application. The two main components of the .NET Framework are the common language
runtime and the framework class library. The common language runtime is the runtime
environment of the .NET Framework that executes and manages all running code, like a
virtual machine. The C# language is used for the development of the host based intrusion
detection application, including packet capturing and sniffing. The socket programming for
the Host based intrusion detection system is fully developed in the .NET Framework.
3.3: Attacks
The Host Based Intrusion detection system detects the latest network layer attacks, which
include the rushing and wormhole attacks. These attacks are new and their nature differs
from that of the other network layer attacks. The Host based Intrusion detection system
application detects these attacks by using the signature based methodology and maintains the
log of both malicious and normal traffic.
The rushing attack is considered one of the latest attacks in the network layer. A rushing
attack causes the system resources to become scarce for legitimate users. The rushing attack
has a significant effect on network capabilities and functions that include control and
message delivery. In a rushing attack, when the sender node sends a route request packet to
another node in the network and an attacker is present, the attacker accepts the route request
packet and forwards it to the destination node in less time than the other nodes that are
present in the network. As the packet reaches the destination node in the minimum time, the
destination accepts this route request packet and discards all other route request packets
that arrive through the other nodes. The destination node accepts this as a valid route and
uses it for further communication. In this way the attacker gains access to the
communication between the sender node and the destination node.
Figure 3.8 presents the phenomenon of the rushing attack. In this diagram a sender node
sends a route request packet to the other nodes in the network. The packet is received by
both node D and node A. If an attacker is present at node A, it forwards the route request
packet in less time than node D, so the packet sent by node A reaches the receiver node first.
The receiver accepts that route request packet and discards all other route request packets
that reach it. Communication is thus established between the sender node and the receiver
node through node A, and in this way the attacker gains access to the communication
between the sender and the receiver.
The wormhole attack is a recent network layer attack. When a node sends a route request for
a data packet, the packet is received by the neighbouring node. If a wormhole node is present
in the network it creates a fake tunnel that is shorter than the original route within the
network. In a wormhole attack there is more than one malicious node and a tunnel between
them. The attacker can launch the wormhole attack easily without having knowledge of the
network.
Figure 3.9: Wormhole Attack
Figure 3.9 represents the phenomenon of the wormhole attack. In a wormhole attack a node
sends a route request packet. The packet passes through various nodes; when it reaches the
origin point of the tunnel, where an attacker is present, the attacker forwards the route
request packet through the wormhole tunnel directly to the destination point. The destination
point accepts the route request that came from the origin point and discards all the other
route request packets that reach it. In this way a wormhole attack is originated within the
network.
[Figure 3.10: Architecture of Snort. Stages: Packet Stream; Packet Decoder; Preprocessor (Plugins); Detection Engine; Output Stage (Plugins)]
Figure 3.10 presents the general architecture diagram of Snort. For packet sniffing Snort
uses an external packet sniffing library: the libpcap library is used to capture the data
packets. Snort first captures the data packets through libpcap. Then these packets are
decoded and passed through a set of preprocessors. The preprocessors contain a set of
predefined rules, and the data packets are compared with these rules to check whether a
packet matches them or not. The packets are then sent to the detection engine. The
detection engine checks each data packet against the set of defined rules and signatures
and determines whether the packet contains an intrusion or not. If a packet contains an
intrusion then Snort generates the alert and maintains the log.
3.4.2: Tripwire
Tripwire is a security and data integrity tool useful for monitoring and alerting on changes
to specific files. Tripwire detects changes to file systems and objects. When Tripwire is
first initialized it scans the file system as directed by the system administrator and stores
information about each file in a database. After some time the system files are scanned
again and the results are compared against the stored values in the database. If there are
changes of any type they are reported to the user. Cryptographic hashes are used to detect
the changes in the files.
Figure 3.11 presents the general flow diagram of the Tripwire intrusion detection system.
Tripwire is first installed on the computer. The user can customize its rules and policies
according to the user's needs. After installing Tripwire, the Tripwire database is
initialized. The database holds all the rules and the results of the system. After
initializing the Tripwire database, Tripwire is run. Tripwire scans the whole system and
after scanning it examines the report. If any kind of change is observed, Tripwire examines
the report file, and if no changes are permitted then it takes appropriate measures to
increase the security. If changes are permitted then it checks whether the policy file of
Tripwire is working properly. If the policy file is not working properly it updates the
policy. Tripwire basically scans the system after some time, and if any changes are found
then it considers them an intrusion and notifies the user about that intrusion.
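An added example, not Tripwire's own code, of the baseline-then-rescan scheme described above using SHA-256 digests: a first scan stores one digest per file, a later scan is compared against it, and added, removed and modified files are reported. The monitored files are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 digest of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str) -> dict:
    """Walk the monitored tree and record one digest per file (relative path -> digest).
    This is the 'database' the initial scan stores and later scans are compared against."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = hash_file(full)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline: new files, missing files,
    and files whose digest no longer matches the stored value."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def run_demo() -> dict:
    """Initialise a baseline over constructed files, change the tree, rescan and diff."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("config.ini", "debug=0\n"), ("hosts", "127.0.0.1 localhost\n")):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        baseline = scan(root)                      # first scan: store digests

        # Changes made between the two scans (constructed for the demonstration).
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("debug=1\n")                   # edited file -> digest differs
        os.remove(os.path.join(root, "hosts"))     # deleted file
        with open(os.path.join(root, "extra.conf"), "w") as f:
            f.write("new\n")                       # new file

        return compare(baseline, scan(root))       # second scan: compare against stored values
```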
3.4.3: OSSEC
OSSEC is a free, open source host based intrusion detection system. It performs rootkit
detection, log analysis, integrity checking and time based alerting along with active
response. It detects intrusions on most operating systems, such as Windows, Linux, Solaris
and OS X. OSSEC has a centralized, cross platform architecture that allows multiple systems
to be monitored easily. OSSEC has a powerful correlation and analysis engine, file integrity
checking and Windows registry monitoring. OSSEC can also be installed on servers, and it is
used to monitor other servers, which are called OSSEC agents. The OSSEC agents are
monitored by another type of OSSEC installation called the OSSEC server. Once the OSSEC
server is installed to monitor the agents, additional agents may be added or removed at any
time.
[Figure 3.12 diagram: Devices; Sys Log; Log Translator; JSON; Structured Log Storage]
Figure 3.12: Architecture Diagram of OSSEC
Figure 3.12 presents the architecture diagram of OSSEC. It contains devices, such as
switches, routers and appliances, that can only send syslog messages to the server, from
where the messages go to the rule engine for further processing. Hosts are servers that run
the rule engine client, which sends messages in syslog format to the central server. The log
rule engine is an automated log reader: it reads the logs and, if it sees any kind of
intrusion, it generates an alert. OSSEC provides the rule engine to generate the alerts. It
also contains the raw log storage, which receives the raw logs from the hosts and the devices
as well as the alerts. The log translator is a component that parses the raw logs and
converts them into structured JSON; different logs produce different JSON structures. The
structured log storage holds the structured logs. Structuring the logs makes them easy to
monitor, search and process.
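An added example, not OSSEC's own code, of the log translator and rule engine roles described above: raw syslog lines are parsed into structured JSON records, unparsable lines are kept and flagged rather than dropped, and one constructed rule raises an alert when a single source address repeatedly fails to log in. The log lines, host names and addresses are constructed.

```python
import json
import re
from collections import Counter
from typing import List, Tuple

# BSD-style syslog line: "Mon dd hh:mm:ss host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# Constructed rule: the message pattern of a failed SSH login attempt.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def translate(line: str) -> dict:
    """Log translator: turn one raw syslog line into a structured record.
    Unparsable lines are kept and flagged rather than silently dropped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"raw": line, "parse_error": True}
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def analyse(lines: List[str], threshold: int = 3) -> Tuple[List[str], List[dict]]:
    """Rule engine: structure every line as JSON and alert when one source
    address produces 'threshold' or more failed logins."""
    records = [translate(line) for line in lines]
    failures = Counter()
    for rec in records:
        m = FAILED_LOGIN_RE.search(rec.get("message", ""))
        if m:
            failures[m.group("src")] += 1
    alerts = [{"rule": "repeated failed logins", "src": src, "count": n}
              for src, n in failures.items() if n >= threshold]
    return [json.dumps(r) for r in records], alerts


SAMPLE_LOGS = [  # constructed; addresses are taken from documentation ranges
    "Mar  3 10:15:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:04 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar  3 10:15:05 web01 cron[811]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:15:09 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:16:12 web01 sshd[2220]: Failed password for alice from 198.51.100.4 port 40100 ssh2",
    "Mar  3 10:16:20 web01 sshd[2221]: Accepted password for alice from 198.51.100.4 port 40102 ssh2",
    "this line is not syslog at all",
]
```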
3.4.4: Wireshark
Wireshark is a powerful network analysis tool, commonly known as Ethereal. Wireshark
captures the data packets and displays them in a human readable format. Wireshark includes
color coding and other features that help the user to inspect each individual network packet.
As soon as Wireshark is started it provides the interface and starts capturing the data
packets in real time. Wireshark uses three colors, red, green and black. These colors help
the user to identify the type of traffic. Green is used for TCP traffic, blue is used for DNS
traffic and light blue is used to highlight UDP traffic. Wireshark is an extremely powerful
tool for network analysis.
3.4.5: Winpcap
WinPcap is an open source library used for packet capture and network analysis on the
Win32 platform. WinPcap includes a kernel level packet filter, a low level dynamic link
library and a high level system independent library. The main purpose of WinPcap is to
capture the data packets and to filter them according to user specified rules before
dispatching them to the application. WinPcap can also transmit raw packets to the network
and gather statistical information on the network traffic.
datagram information to the current location. A UDP port can receive more than one
message at a time, and ports are identified by well known port numbers.
3.5: Summary
Chapter three covers the proposed methodology that is used in the development of the Host
Based intrusion detection system. The HIDS works on the basis of signature based detection.
In signature based detection a typical threshold value is set, and if the data packets match
the signature then they are considered an intrusion. If the incoming data packets match the
signature database then it generates an alarm to notify the user about the attack. This
chapter also covers the tools that are used for testing during the development of the Host
Based Intrusion Detection application. Different types of Intrusion Detection Systems have
been tested, and each system has its own requirements, specifications and restrictions.
Wireshark is used for network analysis and the WinPcap library is used for packet sniffing.
The Host Based Intrusion Detection System maintains the log of every type of incoming and
outgoing traffic.
Chapter 4
EXPERIMENTAL RESULTS
Overview:
Chapter four provides an overview of the experimental results of the Host Based Intrusion
Detection System. This chapter also gives a brief overview of the whole interface of the
Host Based Intrusion Detection System application and describes how this application works
on the system. Chapter four also describes how the interface is selected, what kind of
information it contains and what data is present in the IP header.
Figure 4.1 presents the interface of the Host based Intrusion Detection application. First the
user selects an interface available on the network interface card to start capturing the data
packets. When the user clicks on the start button the application starts capturing the data
packets.
4.2: Interface to select the device
Figure 4.2 presents the interface of the Host based intrusion detection system in which there
are two IP addresses: the first is the source IP address and the other is the destination IP
address. This shows the data packets captured from the selected interface.
This shows the data in the IP header of the datagram. It contains the following fields:
a) Header Length
b) Total Length
c) Differentiated Services
d) Identification
e) Flags
f) Fragmentation offset
g) Time to live
h) Protocol
i) Checksum
j) Source IP address
k) Destination IP address
The time at which a packet is incoming or outgoing is given by the date and time. Source
gives the IP address from which a packet is sent and destination IP address gives the IP
address of the machine to which the packet is going. The source port defines the port from
which the packet is sent and the destination port specifies the port on which the incoming
packet is received.
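An added example, not the thesis application's own code, that decodes the IP header fields listed above from the raw bytes of a packet and verifies the header checksum, so a corrupted or truncated header is reported instead of being trusted. The sample packet, its addresses and the header-building helper are constructed for the demonstration.

```python
import ipaddress
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of
    all 16-bit words. The caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(data: bytes) -> dict:
    """Extract the header fields listed above and report whether the checksum verifies."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(data):
        raise ValueError("not a valid IPv4 header")
    header = data[:ihl]
    computed = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "header_length": ihl,
        "total_length": total_len,
        "differentiated_services": dscp_ecn >> 2,
        "identification": ident,
        "flags": flags_frag >> 13,              # reserved / DF / MF bits
        "fragment_offset": flags_frag & 0x1FFF,
        "time_to_live": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, "Unknown"),
        "checksum": csum,
        "checksum_ok": computed == csum,
        "source_ip": str(ipaddress.IPv4Address(src)),
        "destination_ip": str(ipaddress.IPv4Address(dst)),
    }


def is_valid_ipv4(data: bytes) -> bool:
    """True only for a well-formed header whose checksum verifies."""
    try:
        return decode_ipv4(data)["checksum_ok"]
    except ValueError:
        return False


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234, flags: int = 2) -> bytes:
    """Constructed helper that builds a 20-byte header with a correct checksum
    so the demonstration has a packet to decode (flags=2 sets Don't Fragment)."""
    base = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags << 13,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return base[:10] + struct.pack("!H", ipv4_checksum(base)) + base[12:]


# Constructed sample: a UDP datagram with 8 bytes of payload.
SAMPLE_PACKET = build_ipv4_header("192.168.1.10", "192.168.1.20", 17, 8) + b"\x00" * 8
```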
4.4: Summary
Chapter four covers the experimental results that are obtained by using the Host Based
Intrusion Detection System application. The HIDS is used to protect data integrity. This
chapter describes the whole interface of the Host Based Intrusion Detection System, how the
system is used and how to select the interface to start capturing the data packets that are
coming into the system. This chapter also describes the information that is contained in the
IP header.
CHAPTER 5
CONCLUSION
In this project, Host Based Intrusion Detection System, the network layer attacks that
include the rushing and wormhole attacks are detected successfully. In this project the
signature based methodology is used to detect intrusion in the system. First the system starts
capturing the live network traffic that is coming into the system. Then it decodes these data
packets and transforms them into a unique pattern. After doing this the system analyzes the
data packets and matches this meaningful information with the signature rules. If it matches
the signatures then it is considered malicious traffic. All the malicious traffic is stored
in the database. The log of both malicious and normal traffic is maintained. In the attack
generation phase both attacks are generated by using the C and C# languages. In the
wormhole attack the first machine generates the data packets and sends them to the
specified MAC address of the second machine. The second machine captures these data
packets and stores them in a file. Then it loads these data packets into a queue and sends
them on to the specified target machine. In the rushing attack the first machine generates
the data packets and sends them to the specified MAC address of the destination machine.
The destination machine captures these data packets and stores them in a file, then loads
them into a priority queue and sends them to the specified MAC address of the target
machine.
Chapter 6
Future Work
Overview:
Chapter six provides an overview of how the features of the Host Based Intrusion Detection
System application can be enhanced in the future. This chapter also describes the
enhancement of the Host Based Intrusion Detection application and its possible outcomes for
the security of data. Chapter six also describes the future work, the advantages of deploying
this system in a distributed environment, and the functions and advancements that have been
made to detect the latest network layer attacks and to protect the system from them.
5.3: Privacy in Cloud Computing
Privacy and security are considered among the major problems in cloud computing. If an
attack occurs it not only affects security and privacy but also damages the user's data and
information. By applying the Host Based Intrusion Detection and Prevention System
application, security in cloud computing is increased, and it provides a good authentication
process that keeps the user's confidential data and information safe. The Host Based
Intrusion Detection and Prevention System detects and prevents the attack, and this makes
the cloud services more secure.
5.4: Enhancement
In the future the Host based Intrusion detection application will be deployed in a cloud
computing infrastructure. The application will consist of both detection and prevention
features and will work on the basis of signature based detection. Once the signature of an
attack is added to the database of the Host Based Intrusion Detection and Prevention
application, it compares the incoming data packets with the provided signatures. If a data
packet matches the signature of the attack it generates the alarm and blocks that attack. By
using the Host Based Intrusion Detection and Prevention System, security and privacy in
cloud computing become better. The HIDPS will monitor every kind of network traffic and
maintain the log of the network traffic.
5.6: Summary
Chapter five provides a brief description of the future work on the Host Based Intrusion
Detection and Prevention application. The HIDPS is used in cloud computing to increase
privacy and security. The application is used to improve the authentication process in cloud
computing. This system will detect the latest network layer attacks in cloud computing and
provide better security and a better authentication process for the clients. The HIDPS will
detect the network layer attacks, protect the cloud computing system from them, and
maintain the logs of the network traffic.
References
1. Kholidy, H.A., A. Erradi, and S. Abdelwahed. Attack prediction models for cloud intrusion
detection systems. In: 2014 2nd International Conference on Artificial Intelligence,
Modelling and Simulation (AIMS). IEEE, 2014.
2. Kene, S.G. and D.P. Theng. A review on intrusion detection techniques for cloud computing
and security challenges. In: 2015 2nd International Conference on Electronics and
Communication Systems (ICECS). IEEE, 2015.
4. Patel, A., et al. An intrusion detection and prevention system in cloud computing: A
systematic review. Journal of Network and Computer Applications, 2013. 36(1): p. 25-41.
5. Shrivastava, S. Rushing attack and its prevention techniques. International Journal of
Application or Innovation in Engineering & Management, 2013. 2(4): p. 453-456.
7. Frank, J. Artificial intelligence and intrusion detection: Current and future directions.
In: Proceedings of the 17th National Computer Security Conference. Baltimore, USA, 1994.
9. Wang, W., et al. Defending against wormhole attacks in mobile ad hoc networks. Wireless
Communications and Mobile Computing, 2006. 6(4): p. 483-503.
10. Scarfone, K. and P. Mell. Guide to intrusion detection and prevention systems (IDPS).
NIST Special Publication 800-94, 2007.
11. Yi, S. and R. Kravets. MOCA: Mobile certificate authority for wireless ad hoc networks.
200.
12. Hu, Y.-C., A. Perrig, and D.B. Johnson. Rushing attacks and defense in wireless ad hoc
network routing protocols. In: Proceedings of the 2nd ACM Workshop on Wireless Security.
ACM, 2003.
13. Lazos, L., et al. Preventing wormhole attacks on wireless ad hoc networks: a graph
theoretic approach. In: IEEE Wireless Communications and Networking Conference, 2005.
IEEE, 2005.
14. Srinivasan, T., V. Vijaykumar, and R. Chandrasekar. A self-organized agent-based
architecture for power-aware intrusion detection in wireless ad-hoc networks. In: 2006
International Conference on Computing & Informatics. IEEE, 2006.
15. Al Shahrani, A.S. Rushing attack in mobile ad hoc networks. In: 2011 Third International
Conference on Intelligent Networking and Collaborative Systems (INCoS). IEEE, 2011.
16. Subashini, S. and V. Kavitha. A survey on security issues in service delivery models of
cloud computing. Journal of Network and Computer Applications, 2011. 34(1): p. 1-11.
17. Dhage, S.N. and B. Meshram. Intrusion detection system in cloud computing environment.
International Journal of Cloud Computing, 2012. 1(2-3): p. 261-282.
18. Patel, A., et al. An intrusion detection and prevention system in cloud computing: A
systematic review. Journal of Network and Computer Applications, 2013. 36(1): p. 25-41.
19. Burroughs, D.J., L.F. Wilson, and G.V. Cybenko. Analysis of distributed intrusion
detection systems using Bayesian methods. In: 21st IEEE International Performance,
Computing, and Communications Conference, 2002. IEEE, 2002.
20. Axelsson, S. Intrusion detection systems: A survey and taxonomy. Technical report, 2000.
APPENDIX
APPENDIX A
Rushing Attack Generation:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Net.Sockets;
using System.Net;
using System.Collections;
using C5;

namespace Rushing_Generation
{
    public enum Protocol
    {
        TCP = 6,
        UDP = 17,
        Unknown = -1
    };

    public partial class RushingForm : Form
    {
        private Socket mainSocket;                        //The socket which captures all incoming packets
        private byte[] byteData = new byte[4096];
        private bool bContinueCapturing = false;          //A flag to check if packets are to be captured or not
        private byte[] send;
        private Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
        IPEndPoint endpoint = new IPEndPoint(IPAddress.Loopback, 3233);

        public RushingForm()
        {
            InitializeComponent();
        }

        btnStart.Text = "&Stop";
        bContinueCapturing = true;
        //For sniffing the socket to capture the packets has to be a raw socket, with the
        //address family being of type internetwork, and protocol being IP
        mainSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);

        //Socket.IOControl is analogous to the WSAIoctl method of Winsock 2
        mainSocket.IOControl(IOControlCode.ReceiveAll,    //Equivalent to SIO_RCVALL constant of Winsock 2
                             byTrue,
                             byOut);

        private void OnReceive(IAsyncResult ar)
        {
            try
            {
                if (bContinueCapturing)
                {
                    byteData = new byte[4096];
                    string s;
                    //Another call to BeginReceive so that we continue to receive the incoming packets
                    s = Convert.ToString(mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                                                                  new AsyncCallback(OnReceive), null));
                    IPriorityQueue<string> pqueue = new C5.IntervalHeap<string>();
                    C5.IPriorityQueueHandle<string> h = null;
                    pqueue.Add(ref h, s);
                    foreach (string value in pqueue.ToArray())
                    {
                        while (pqueue.Count != 0)
                        {
                            string minimum = pqueue.FindMin(out h);
                            socket.Bind(endpoint);
                            socket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, false);
                            // string text = value;
                            send = Encoding.ASCII.GetBytes(minimum);
                            socket.SendTo(send, send.Length, SocketFlags.None, endpoint);
                            pqueue.DeleteMin(out h);
                        }
                    }
                    socket.Close();
                }
            }
            catch (ObjectDisposedException)
            {
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "Rushing", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }

        IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));
        if (HosyEntry.AddressList.Length > 0)
        {
            foreach (IPAddress ip in HosyEntry.AddressList)
            {
                strIP = ip.ToString();
                cmbInterfaces.Items.Add(strIP);
            }
        }
        Controls.Add(label1);
    }

    private void RushingForm_FormClosing(object sender, FormClosingEventArgs e)
    {
        if (bContinueCapturing)
        {
            mainSocket.Close();
        }
    }
APPENDIX B
Rushing Server Generation:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Collections;

namespace Rushing_Client_Generation
{
    class Program
    {
        List<Data> storage = new List<Data>();
        private bool IsRunning = false;

        public void Client()
        {
            byte[] data = new byte[4096];
            int recieve;
            Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
            IPEndPoint clientEndPoint = new IPEndPoint(IPAddress.Any, 3233);
            socket.Bind(clientEndPoint);
            IPEndPoint sender = new IPEndPoint(IPAddress.Any, 0);
            EndPoint remote = (EndPoint)(sender);
            IsRunning = true;
            while (IsRunning)
            {
                data = new byte[4096];
                recieve = socket.ReceiveFrom(data, ref remote);
                Console.WriteLine("Packet Recieved From {0}:", remote.ToString());
                Console.WriteLine(Encoding.ASCII.GetString(data, 0, recieve));
                storage.Add(new Data(recieve, data));
            }
            socket.Close();
        }

        struct Data
        {
            int recieve;
            byte[] data;
        }}
    }
}
}
APPENDIX C
Wormhole Attack Generation:
using System;
usingSystem.Collections.Generic;
usingSystem.ComponentModel;
usingSystem.Data;
usingSystem.Drawing;
usingSystem.Text;
usingSystem.Windows.Forms;
usingSystem.Net.Sockets;
using System.Net;
usingSystem.Collections;
namespaceWormhole_Generation
{
publicenumProtocol
{
TCP = 6,
UDP = 17,
Unknown = -1
};
publicpartialclassWormHoleForm : Form
{
privateSocketmainSocket; //The socket which captures all incoming packets
privatebyte[] byteData = newbyte[4096];
privateboolbContinueCapturing = false; //A flag to check if packets are to be captured
or not
privatebyte[] send;
privateSocketsocket = newSocket(AddressFamily.InterNetwork, SocketType.Raw,
ProtocolType.IP);
IPEndPoint endpoint = newIPEndPoint(IPAddress.Any, 5050);
publicWormHoleForm()
{
InitializeComponent();
}
July 2016
53
string input =textBox1.Text.Trim();
endpoint.Address = IPAddress.Parse(input);
if (cmbInterfaces.Text == "")
{
MessageBox.Show("Select an Interface to capture the packets.", "WormHole",
MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
try
{
if (!bContinueCapturing)
{
//Start capturing the packets...
btnStart.Text = "&Stop";
bContinueCapturing = true;
//For sniffing the socket to capture the packets has to be a raw socket, with the
//address family being of type internetwork, and protocol being IP
mainSocket = newSocket(AddressFamily.InterNetwork,
SocketType.Raw, ProtocolType.IP);
}
else
{
btnStart.Text = "&Start";
bContinueCapturing = false;
July 2016
54
//To stop capturing the packets close the socket
mainSocket.Close();
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "WormHole", MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
}
        private void OnReceive(IAsyncResult ar)
        {
            try
            {
                Queue queue = new Queue();
                int nReceived = mainSocket.EndReceive(ar);
                if (bContinueCapturing)
                {
                    // The captured bytes are discarded: the buffer is replaced before it is read
                    byteData = new byte[4096];
                    string s;
                    // Another call to BeginReceive so that we continue to receive the incoming
                    // packets; only the string form of the IAsyncResult is queued
                    s = Convert.ToString(mainSocket.BeginReceive(byteData, 0, byteData.Length,
                        SocketFlags.None,
                        new AsyncCallback(OnReceive), null));
                    queue.Enqueue(s);
                    //Console.WriteLine("Item in queue" + queue.Count);
                }
                // Closes the wormhole endpoint socket (the 'socket' field), not mainSocket,
                // so capturing continues after the first packet
                socket.Close();
            }
            catch (ObjectDisposedException)
            {
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "WormHole", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
            }
        }
        // Form load: populate the interface list with the host's IPv4 addresses.
        // (The method header is missing from the extracted page; the signature is assumed.)
        private void WormHoleForm_Load(object sender, EventArgs e)
        {
            string strIP = null;
            IPHostEntry hostEntry = Dns.GetHostEntry(Dns.GetHostName());
            if (hostEntry.AddressList.Length > 0)
            {
                foreach (IPAddress ip in hostEntry.AddressList)
                {
                    // Only IPv4 entries can be bound by the InterNetwork raw socket
                    if (ip.AddressFamily != AddressFamily.InterNetwork)
                        continue;
                    strIP = ip.ToString();
                    cmbInterfaces.Items.Add(strIP);
                }
            }
            Controls.Add(label1);
        }
        private void WormholeForm_FormClosing(object sender, FormClosingEventArgs e)
        {
            if (bContinueCapturing)
            {
                mainSocket.Close();
            }
        }
    }
}
APPENDIX D
Wormhole Server Generation:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Collections;

namespace WormHole_Client_Generation
{
    class Program
    {
        // Run flag and packet store: both are used below but were not declared on the
        // extracted page
        bool IsRunning;
        List<Data> storage = new List<Data>();

        public void Client()
        {
            byte[] data = new byte[4096];
            int recieve;
            // Raw IP socket: receives whole IP datagrams (header included) for every
            // transport protocol. Port numbers belong to TCP/UDP, so the 5050 below does
            // not filter what is received. Opening it needs administrator/root rights.
            Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
                ProtocolType.IP);
            IPEndPoint clientEndPoint = new IPEndPoint(IPAddress.Any, 5050);
            socket.Bind(clientEndPoint);
            IPEndPoint sender = new IPEndPoint(IPAddress.Any, 0);
            EndPoint remote = (EndPoint)(sender);
            IsRunning = true;
            while (IsRunning)
            {
                data = new byte[4096];
                recieve = socket.ReceiveFrom(data, ref remote);
                Console.WriteLine("Packet received from {0}:", remote.ToString());
                // Dumps the raw datagram as ASCII; IP and transport headers are included,
                // so binary noise precedes any readable payload
                Console.WriteLine(Encoding.ASCII.GetString(data, 0, recieve));
                storage.Add(new Data(recieve, data));
            }
            socket.Close();
        }

        // One captured datagram: the byte count returned by ReceiveFrom and the buffer
        struct Data
        {
            int recieve;
            byte[] data;

            // Constructor header restored; it was lost at a page break in the extracted page
            public Data(int recieve, byte[] data)
            {
                this.recieve = recieve;
                this.data = data;
            }
        }
    }
}
APPENDIX E
Main Form Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Net.Sockets;
using System.Net;
using System.Collections;

namespace IDS
{
    public enum Protocol
    {
        TCP = 6,
        UDP = 17,
        Unknown = -1
    };

    public partial class HIDSForm : Form
    {
        private Socket mainSocket; // The socket which captures all incoming packets
        private byte[] byteData = new byte[4096];
        private bool bContinueCapturing = false; // A flag to check if packets are to be captured or not
        private delegate void AddTreeNode(TreeNode node); // Adds a node to the tree view from the capture thread
        Log log = new Log();                               // Writes the packet fields to the log file
        PacketToStore PacketToStore = new PacketToStore();  // Holds the fields of the packet being processed
        Signature signature = new Signature();             // Holds the fields used to build the attack signature

        public HIDSForm()
        {
            InitializeComponent();
            log.openFile();
        }
        // Start/Stop button handler. Only the start branch survives on the extracted page;
        // the interface check, the bind/receive set-up and the stop branch are restored
        // here from the identical wormhole form in Appendix C.
        private void btnStart_Click(object sender, EventArgs e)
        {
            if (cmbInterfaces.Text == "")
            {
                MessageBox.Show("Select an Interface to capture the packets.", "HIDS",
                    MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }
            try
            {
                if (!bContinueCapturing)
                {
                    // Start capturing the packets...
                    btnStart.Text = "&Stop";
                    bContinueCapturing = true;
                    // For sniffing, the socket that captures the packets has to be a raw socket, with the
                    // address family being of type internetwork, and protocol being IP
                    mainSocket = new Socket(AddressFamily.InterNetwork,
                        SocketType.Raw, ProtocolType.IP);
                    // Bind to the selected interface; port 0 because raw IP sockets carry no port
                    mainSocket.Bind(new IPEndPoint(IPAddress.Parse(cmbInterfaces.Text), 0));
                    mainSocket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
                    // Windows: enable SIO_RCVALL so the socket sees all traffic on the interface
                    // (administrator rights required)
                    byte[] byTrue = new byte[4] { 1, 0, 0, 0 };
                    byte[] byOut = new byte[4] { 1, 0, 0, 0 };
                    mainSocket.IOControl(IOControlCode.ReceiveAll, byTrue, byOut);
                    mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        new AsyncCallback(OnReceive), null);
                }
                else
                {
                    btnStart.Text = "&Start";
                    bContinueCapturing = false;
                    // To stop capturing the packets close the socket
                    mainSocket.Close();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "HIDS", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }

        private void OnReceive(IAsyncResult ar)
        {
            try
            {
                int nReceived = mainSocket.EndReceive(ar);
                // Dissect the datagram and add it to the tree view before the buffer is reused
                ParseData(byteData, nReceived);
                if (bContinueCapturing)
                {
                    byteData = new byte[4096];
                    // Another call to BeginReceive so that we continue to receive the incoming packets
                    mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        new AsyncCallback(OnReceive), null);
                }
            }
            catch (ObjectDisposedException)
            {
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "HIDS", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }

        // Parses one captured IP datagram into a tree node: IP first, then TCP or UDP,
        // then DNS for UDP traffic on port 53. The opening of this method was lost at a
        // page break; the IPHeader/UDPHeader construction, the port-53 test and the
        // Invoke onto the UI thread are restored from the surrounding code.
        private void ParseData(byte[] byteData, int nReceived)
        {
            TreeNode rootNode = new TreeNode();
            // All protocol packets are encapsulated in the IP datagram, so parse the IP
            // header first and see what protocol it carries
            IPHeader ipHeader = new IPHeader(byteData, nReceived);
            TreeNode ipNode = MakeIPTreeNode(ipHeader);
            rootNode.Nodes.Add(ipNode);
            switch (ipHeader.ProtocolType)
            {
                case Protocol.TCP:
                    TCPHeader tcpHeader = new TCPHeader(ipHeader.Data, // IPHeader.Data stores the data being
                                                                       // carried by the IP datagram
                        ipHeader.MessageLength);                       // Length of the data field
                    TreeNode tcpNode = MakeTCPTreeNode(tcpHeader);
                    rootNode.Nodes.Add(tcpNode);
                    break;
                case Protocol.UDP:
                    UDPHeader udpHeader = new UDPHeader(ipHeader.Data, ipHeader.MessageLength);
                    TreeNode udpNode = MakeUDPTreeNode(udpHeader);
                    rootNode.Nodes.Add(udpNode);
                    // DNS is only decoded for UDP datagrams to or from port 53
                    if (udpHeader.DestinationPort == "53" || udpHeader.SourcePort == "53")
                    {
                        TreeNode dnsNode = MakeDNSTreeNode(udpHeader.Data,
                            // Length of UDP header is always eight bytes so we subtract that out of the total
                            // length to find the length of the data
                            Convert.ToInt32(udpHeader.Length) - 8);
                        rootNode.Nodes.Add(dnsNode);
                    }
                    break;
                case Protocol.Unknown:
                    break;
            }
            rootNode.Text = ipHeader.SourceAddress.ToString() + "-" +
                ipHeader.DestinationAddress.ToString();
            // The tree view belongs to the UI thread, so the add is marshalled through the delegate
            AddTreeNode addTreeNode = new AddTreeNode(OnAddTreeNode);
            treeView.Invoke(addTreeNode, new object[] { rootNode });
        }

        // Helper function which returns the information contained in the IP header as a
        // tree node and builds the per-packet signature key. (The method header is missing
        // from the extracted page and is restored here.)
        public TreeNode MakeIPTreeNode(IPHeader ipHeader)
        {
            TreeNode ipNode = new TreeNode();
            ipNode.Text = "IP";
            ipNode.Nodes.Add("Ver: " + ipHeader.Version);
            ipNode.Nodes.Add("Header Length: " + ipHeader.HeaderLength);
            ipNode.Nodes.Add("Differentiated Services: " + ipHeader.DifferentiatedServices);
            ipNode.Nodes.Add("Total Length: " + ipHeader.TotalLength);
            ipNode.Nodes.Add("Identification: " + ipHeader.Identification);
            ipNode.Nodes.Add("Flags: " + ipHeader.Flags);
            ipNode.Nodes.Add("Fragmentation Offset: " + ipHeader.FragmentationOffset);
            ipNode.Nodes.Add("Time to live: " + ipHeader.TTL);
            switch (ipHeader.ProtocolType)
            {
                case Protocol.TCP:
                    ipNode.Nodes.Add("Protocol: " + "TCP");
                    break;
                case Protocol.UDP:
                    ipNode.Nodes.Add("Protocol: " + "UDP");
                    break;
                case Protocol.Unknown:
                    ipNode.Nodes.Add("Protocol: " + "Unknown");
                    break;
            }
            ipNode.Nodes.Add("Checksum: " + ipHeader.Checksum);
            ipNode.Nodes.Add("Source: " + ipHeader.SourceAddress.ToString());
            ipNode.Nodes.Add("Destination: " + ipHeader.DestinationAddress.ToString());
            PacketToStore.getSourceIp();
            PacketToStore.getDestinationIp();
            PacketToStore.getTimeToLive();
            log.getSourceIp();
            log.getDestinationIp();
            // Signature key for this packet: TTL, then destination address, then source address
            string getSourceIp = signature.getSourceIp();
            string getDestinationIp = signature.getDestinationIp();
            string getTimeToLive = signature.getTimeToLive();
            string[] attack = new string[1];
            for (int i = 0; i < attack.Length; i++)
            {
                attack[i] = getTimeToLive + getDestinationIp + getSourceIp;
                Console.WriteLine("At " + i + " index value is " + attack[i]);
            }
            return ipNode;
        }
        // public void checkAttack(string[] attack)
        //{
        // }

        // Helper function which returns the information contained in the TCP header as a
        // tree node and records the ports in the packet store, the log and the signature
        public TreeNode MakeTCPTreeNode(TCPHeader tcpHeader)
        {
            TreeNode tcpNode = new TreeNode();
            PacketToStore.setSourcePort(tcpHeader.SourcePort);
            PacketToStore.setDestinationPort(tcpHeader.DestinationPort);
            log.setSourcePort(tcpHeader.SourcePort);
            log.setDestinationPort(tcpHeader.DestinationPort);
            signature.setSourcePort(tcpHeader.SourcePort);
            signature.setDestinationPort(tcpHeader.DestinationPort);
            tcpNode.Text = "TCP";
            if (tcpHeader.AcknowledgementNumber != "")
                tcpNode.Nodes.Add("Acknowledgement Number: " +
                    tcpHeader.AcknowledgementNumber);
            if (tcpHeader.UrgentPointer != "")
                tcpNode.Nodes.Add("Urgent Pointer: " + tcpHeader.UrgentPointer);
            PacketToStore.getSourcePort();
            PacketToStore.getDestinationProt();
            log.getSourcePort();
            log.getDestinationProt();
            signature.getSourcePort();
            signature.getDestinationProt();
            return tcpNode;
        }
        // Helper function which returns the information contained in the UDP header as a
        // tree node and records the ports in the packet store, the log and the signature
        public TreeNode MakeUDPTreeNode(UDPHeader udpHeader)
        {
            TreeNode udpNode = new TreeNode();
            PacketToStore.setSourcePort(udpHeader.SourcePort);
            PacketToStore.setDestinationPort(udpHeader.DestinationPort);
            log.setSourcePort(udpHeader.SourcePort);
            log.setDestinationPort(udpHeader.DestinationPort);
            signature.setSourcePort(udpHeader.SourcePort);
            signature.setDestinationPort(udpHeader.DestinationPort);
            udpNode.Text = "UDP";
            udpNode.Nodes.Add("Source Port: " + udpHeader.SourcePort);
            udpNode.Nodes.Add("Destination Port: " + udpHeader.DestinationPort);
            udpNode.Nodes.Add("Length: " + udpHeader.Length);
            udpNode.Nodes.Add("Checksum: " + udpHeader.Checksum);
            PacketToStore.getSourcePort();
            PacketToStore.getDestinationProt();
            log.getSourcePort();
            log.getDestinationProt();
            signature.getSourcePort();
            signature.getDestinationProt();
            return udpNode;
        }
        // Helper function which returns the information contained in the DNS header as a
        // tree node
        private TreeNode MakeDNSTreeNode(byte[] byteData, int nLength)
        {
            DNSHeader dnsHeader = new DNSHeader(byteData, nLength);
            TreeNode dnsNode = new TreeNode();
            dnsNode.Text = "DNS";
            dnsNode.Nodes.Add("Identification: " + dnsHeader.Identification);
            dnsNode.Nodes.Add("Flags: " + dnsHeader.Flags);
            dnsNode.Nodes.Add("Questions: " + dnsHeader.TotalQuestions);
            dnsNode.Nodes.Add("Answer RRs: " + dnsHeader.TotalAnswerRRs);
            dnsNode.Nodes.Add("Authority RRs: " + dnsHeader.TotalAuthorityRRs);
            dnsNode.Nodes.Add("Additional RRs: " + dnsHeader.TotalAdditionalRRs);
            return dnsNode;
        }
        private void OnAddTreeNode(TreeNode node)
        {
            treeView.Nodes.Add(node);
        }

        // Form load: populate the interface list with the host's IPv4 addresses.
        // (The method header and the strIP declaration are missing from the extracted
        // page and are restored here.)
        private void HIDSForm_Load(object sender, EventArgs e)
        {
            string strIP = null;
            IPHostEntry hostEntry = Dns.GetHostEntry(Dns.GetHostName());
            if (hostEntry.AddressList.Length > 0)
            {
                foreach (IPAddress ip in hostEntry.AddressList)
                {
                    // Only IPv4 entries can be bound by the InterNetwork raw socket
                    if (ip.AddressFamily != AddressFamily.InterNetwork)
                        continue;
                    strIP = ip.ToString();
                    cmbInterfaces.Items.Add(strIP);
                }
            }
        }
    }
}
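The dissection that ParseData, MakeIPTreeNode, MakeUDPTreeNode and MakeDNSTreeNode perform on the captured bytes, written out as an added Python example. This is not the thesis's C# code and the IPHeader/UDPHeader/DNSHeader classes it relies on are not reproduced; the field names, the constructed IPv4/UDP/DNS query packet and the `signature_key` helper are this example's own. It goes one step beyond the form, which only displays the IP checksum: it recomputes the checksum, rejects inconsistent IHL and UDP length fields, and builds the TTL + destination + source key in the same order MakeIPTreeNode concatenates it.

```python
"""IPv4 / UDP / DNS header parsing with a checksum check, plus the
(TTL, destination, source) key that the HIDS form concatenates into its
signature string. Added example; not the thesis's C# code."""
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    The caller zeroes the checksum field before calling."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Fixed 20-byte IPv4 header fields, as shown under the form's 'IP' node."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or IHL")
    hdr = bytearray(pkt[:ihl])
    hdr[10:12] = b"\x00\x00"          # recompute with the checksum field zeroed
    return {
        "version": version, "header_length": ihl, "dscp": dscp_ecn >> 2,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": {6: "TCP", 17: "UDP"}.get(proto, "Unknown"),
        "checksum_ok": ip_checksum(bytes(hdr)) == csum,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "payload": pkt[ihl:total_len],
    }


def parse_udp(seg: bytes) -> dict:
    """UDP header is always 8 bytes, so data length is the length field minus 8."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length field inconsistent with the segment")
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "data": seg[8:length]}


def parse_dns(data: bytes) -> dict:
    """The six 16-bit fields of the DNS header shown under the form's 'DNS' node."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"identification": ident, "flags": flags, "questions": qd,
            "answer_rrs": an, "authority_rrs": ns, "additional_rrs": ar}


def signature_key(ip: dict) -> str:
    """Same concatenation order as MakeIPTreeNode: TTL + destination + source."""
    return "%d%s%s" % (ip["ttl"], ip["dst"], ip["src"])


def dissect(pkt: bytes) -> dict:
    """IP, then UDP, then DNS only when a UDP port is 53 (as in ParseData)."""
    ip = parse_ipv4(pkt)
    result = {"ip": ip, "signature": signature_key(ip)}
    if ip["protocol"] == "UDP":
        udp = parse_udp(ip["payload"])
        result["udp"] = udp
        if 53 in (udp["sport"], udp["dport"]):
            result["dns"] = parse_dns(udp["data"])
    return result


def build_sample_packet() -> bytes:
    """Constructed IPv4/UDP/DNS query for example.com (not a real capture)."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xBEEF, 0x4000,
                      64, 17, 0, socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("192.0.2.53"))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


if __name__ == "__main__":
    for name, value in dissect(build_sample_packet()).items():
        print(name, value)
```

Feeding the bytes that `socket.ReceiveFrom` returns in the wormhole receiver into `dissect` gives the same fields the form shows, with the difference that a packet whose checksum does not match, or whose IHL or UDP length field points past the buffer, is flagged or rejected instead of being displayed as-is.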