0 evaluări0% au considerat acest document util (0 voturi)
9 vizualizări4 pagini
To prevent network infrastructure from malicious
traffic, such as DDoS attack and scanning, source filtering is
widely used in the network. There are different ways to store
the filters, e.g., a blacklist of source addresses. Among them,
TCAM-based is used as the de facto, because of its wire speed
performance. Unfortunately, TCAM is a scarce resource
because it’s limited by small capacity, high power
consumption and high cost. There are chances like a data
distributor had given his sensitive data to a set of trusted
agents. These agents can be called as third parties. There are
chances that some of the data is leaked and found in an
unauthorized place. This situation is called IDS. In existing
case, the method called watermarking is using to identify the
leakage. Or also uses the technique like injecting fake data
that appears to be realistic in the data. I propose data
allocation strategies that improve the probability of
identifying leakages. In enhancement work I include the
investigation of agent guilt models that capture leakage
scenarios.
Titlu original
Protection of Different Agent with Improved Ids Detection
To prevent network infrastructure from malicious
traffic, such as DDoS attack and scanning, source filtering is
widely used in the network. There are different ways to store
the filters, e.g., a blacklist of source addresses. Among them,
TCAM-based is used as the de facto, because of its wire speed
performance. Unfortunately, TCAM is a scarce resource
because it’s limited by small capacity, high power
consumption and high cost. There are chances like a data
distributor had given his sensitive data to a set of trusted
agents. These agents can be called as third parties. There are
chances that some of the data is leaked and found in an
unauthorized place. This situation is called IDS. In existing
case, the method called watermarking is using to identify the
leakage. Or also uses the technique like injecting fake data
that appears to be realistic in the data. I propose data
allocation strategies that improve the probability of
identifying leakages. In enhancement work I include the
investigation of agent guilt models that capture leakage
scenarios.
To prevent network infrastructure from malicious
traffic, such as DDoS attack and scanning, source filtering is
widely used in the network. There are different ways to store
the filters, e.g., a blacklist of source addresses. Among them,
TCAM-based is used as the de facto, because of its wire speed
performance. Unfortunately, TCAM is a scarce resource
because it’s limited by small capacity, high power
consumption and high cost. There are chances like a data
distributor had given his sensitive data to a set of trusted
agents. These agents can be called as third parties. There are
chances that some of the data is leaked and found in an
unauthorized place. This situation is called IDS. In existing
case, the method called watermarking is using to identify the
leakage. Or also uses the technique like injecting fake data
that appears to be realistic in the data. I propose data
allocation strategies that improve the probability of
identifying leakages. In enhancement work I include the
investigation of agent guilt models that capture leakage
scenarios.
Protection of Different Agent with Improved Ids Detection L.Gomathi Associate Professor Muthayammal College of Arts&science K.Priya Muthayammal College of Arts&science
Abstract To prevent network infrastructure from malicious traffic, such as DDoS attack and scanning, source filtering is widely used in the network. There are different ways to store the filters, e.g., a blacklist of source addresses. Among them, TCAM-based is used as the de facto, because of its wire speed performance. Unfortunately, TCAM is a scarce resource because its limited by small capacity, high power consumption and high cost. There are chances like a data distributor had given his sensitive data to a set of trusted agents. These agents can be called as third parties. There are chances that some of the data is leaked and found in an unauthorized place. This situation is called IDS. In existing case, the method called watermarking is using to identify the leakage. Or also uses the technique like injecting fake data that appears to be realistic in the data. I propose data allocation strategies that improve the probability of identifying leakages. In enhancement work I include the investigation of agent guilt models that capture leakage scenarios. KEYWORDS: DDoS, Filtering, IP, Traffic Analysis, Clustering, Classification, Internet Security 1.Introduction As the Internet grows, malicious users continue to find intelligent and insidious ways to attack it. Many types of attacks happen every day, but one particular kind denial-of- service (DoS) attacks remain the most common, accounting for more than a third of all malicious behavior on the Internet in 2011 [1]. The main goal of these attacks is literally to deny some or all legitimate users access to a particular Internet service, harming the service as a whole. In the extreme case, when the attack is aimed at the core Internet infrastructure (e.g., attacks on the root DNS servers [2]), the whole Internet could be jeopardized. There is a clear need for comprehensive, cheap, and easily deployable DoS protection mechanisms. Attackers may have different motivations (extortion, vengeance, or simple malice) and the goal of a DoS attack could be achieved in many ways. Thus, there is a wide variety of attack methods available [3] and a growing number of proposed defense mechanisms to stop or mitigate them. Many of the proposed DoS defenses are both clever and potentially effective [4]. However, the most common question with DoS defenses is how to deploy them. Some defenses require deployment in core routers [5], but the tier 1 ASes that own these routers have little incentive to do so. The economic model of all transit providers, including tier 1 providers, consists of charging for the amounts of forwarded traffic. Thus, such providers are extremely cautious with any kind of filtering, as they risk the loss of money or even customers. In addition, unless fully deployed by every major ISP, core defenses generally provide very limited protection. A major threat to the reliability of Internet services is the growth in stealthy and coordinated attacks, such as scans, worms and distributed denial-of-service (DDoS) attacks. While intrusion detection systems (IDSs) provide the ability to detect a wide variety of attacks, traditional IDSs focus on International Journal of Engineering Trends and Technology (IJETT) Volume 4 Issue 8- August 2013 ISSN: 2231-5381 http://www.ijettjournal.org Page 3532
monitoring a single subnetwork. This limits their ability to detect coordinated attacks in a scalable and accurate manner, since they lack the ability to correlate evidence from multiple subnetworks. An important challenge for intrusion detection research is how to efficiently correlate evidence from multiple subnetworks. Collaborative intrusion detection systems (CIDSs) aim to address this research challenge. A CIDS consists of a set of individual IDSs coming fromdifferent network administrative domains or organizations, which cooperate to detect coordinated attacks. Each IDS reports any alerts of suspicious behaviour that it has collected fromits local monitored network, then the CIDS correlates these alerts to identify coordinated attacks that affect multiple subnetworks. A key component of a CIDS is the alert correlation algorithm, which clusters similar incidents observed by different IDSs, prioritises these incidents, and identifies false alerts generated by individual IDSs. The problem of alert correlation (also known as event correlation) is an active area of research. A key issue is how to improve the scalability of alert correlation while still maintaining the expressiveness of the patterns that can be found. Singledimensional correlation schemes have been widely studied due to their simplicity, but they lack the expressiveness to characterize many types of attack behaviors. For example, such schemes can correlate alerts pertaining to the same source addresses, but cannot discriminate between different types of behaviour. More sophisticated schemes use multi-dimensional correlation to identify patterns in events. 2. RELATED WORK The new DOS attack, called Ad Hoc Flooding Attack(AHFA), can result in denial of service when used against on-demand routing protocols for mobile ad hoc networks, such as AODV & DSR. Wei-Shen Lai et al [3] have proposed a scheme to monitor the traffic pattern in order to alleviate distributed denial of service attacks. Shabana Mehfuz1 et al [4] have proposed a new secure power-aware ant routing algorithm(SPA-ARA) for mobile ad hoc networks that is inspired from ant colony optimization (ACO) algorithms such as swarm intelligent technique. Giriraj Chauhan and Sukumar Nandi [5] proposed a QoS aware on demand routing protocol that uses signal stability as the routing criteria along with other QoS metrics. Xiapu Luo et al [6] have presented the important problem of detecting pulsing denial of service (PDoS) attacks which send a sequence of attack pulses to reduce TCP throughput. Xiaoxin Wu et al [7] proposed a DoS mitigation technique that uses digital signatures to verify legitimate packets, and drop packets that do not pass the verification Ping. S.A.Arunmozhi and Y.Venkataramani [8] proposed a defense scheme for DDoS attack in which they use MAC layer information like frequency of RTD/CTS packet, sensing a busy channel and number of RTS/DATA retransmission. J ae-Hyun Jun, Hyunju Oh, and Sung-Ho Kiminvestigation scheme in which they use entropy-based detection mechanismagainst DDoS attacks in order to guarantee the transmission of normal traffic and prevent the flood of abnormal traffic. Qi Chen, Wenmin Lin, Wanchun Dou, Shui Yu [10] proposed a Confidence-Based Filtering method (CBF) to detect DDoS attack in cloud computing environment. In which anomaly detection is used and normal profile of network is formed at non attack period and CBF is used to detect the attacker at attack period. 3. Methods To train and evaluate our detection system, overall we used about 10 months of data collected through the ISC Security Information Exchange4 from June 2010 to March 2011. We used about four months of data (fromJune 2010 to September 2010) to build a labeled dataset, which we will refer to as LDS. We used LDS for two purposes: (1) for estimating the accuracy of the Classifier module through 10- fold cross validation; and (2) to train FluxBusters Classifier module before deployment. After training, we used approximately one additional month of data for a preliminary validation of the systemand parameter tuning, and finally we deployed and evaluated. International Journal of Engineering Trends and Technology (IJETT) Volume 4 Issue 8- August 2013 ISSN: 2231-5381 http://www.ijettjournal.org Page 3533
A practical deployment scenario is that of a single network under the same administrative authority, such as an ISP or a campus network. The operator can use our algorithms to install filters at a single edge router or at several routers, in order to optimize the use of its resources and to defend against an attack in a cost-efficient way. Our distributed algorithm may also be useful, not only for a routers within the same ISP, but also, in the future, when different ISPs start cooperating against common enemies. ACLs vs. firewall rules. Our algorithms may also be applicable in a different context: to configure firewall rules to protect public-access networks, such as university campus networks or web-hosting networks. Unlike routers where TCAM puts a hard limit on the number of ACLs, there is no hard limit on the number of firewall rules, in software; however, there is still an incentive to minimize their number and thus 13 any associated performance penalty [22]. There is a body of work on firewall rule management and (mis)configuration [23], which aims at detecting anomalies such as the existence of multiple firewall rules that match the same packet, or the existence of a rule that will never match packets flowing through a specific firewall. In contrast, we focus on resource allocation: given a blacklist and a whitelist as input to the problem, our goal is to optimally select which prefixes to filter so as to optimize an appropriate objective subject to the constraints. 4. Result and Analysis The proposed two-stage alert correlation scheme equipped with the probabilistic threshold estimation achieves significant advantage in detection rate over a naive threshold selection scheme for stealthy attack scenarios. The 98% confidence interval scheme gains a high Detection Rate without significant increase in the number of messages exchanged. Our results demonstrate that by using this probabilistic confidence limit to estimate the local support threshold in our two-stage architecture, we are able to capture most of the variation between different sub networks during a stealthy scan.
Fig:3. Cids percentage of load subscriptions. 5. Conclusion In a perfect world, there would be no need to hand over sensitive data to agents that may unknowingly or maliciously leak it. And even if, hand over sensitive data, in a perfect world, distributor could watermark each object so that distributor could trace its origins with absolute certainty. However, in many cases, Distributor must indeed work with agents that may not be 100 percent trusted, and may not be certain if a leaked object came froman agent or from some other source, since certain data cannot admit watermarks. In spite of these difficulties, i have shown that it is possible to assess the likelihood that an agent is responsible for a leak, based on the overlap of his data with the leaked data and the data of other agents, and based on the probability that objects can be guessed by other means. This model is relatively simple, but I believe that it captures the essential trade-offs. The algorithms I have presented implement a variety of data distribution strategies that can improve the distributors chances of identifying a leaker. I have shown that distributing objects judiciously can make a significant difference in identifying guilty agents, especially in cases where there is large overlap in the data that agents must receive. REFERENCES International Journal of Engineering Trends and Technology (IJETT) Volume 4 Issue 8- August 2013 ISSN: 2231-5381 http://www.ijettjournal.org Page 3534
[1] Trustwave SpiderLabs, The Web hacking incident database. Semiannual report. J uly to December 2010, 2011. [2] R. Naraine, Massive DDoS attack hit DNS root servers, InternetNews.com, October 2002, http: //www.esecurityplanet.com/trends/article.php/1486981/ Massive-DDoS-Attack-Hit-DNS-Root-Servers.htm. [3] J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, vol. 34, no. 2, pp. 3953, 2004. [4] T. Peng, C. Leckie, and K. Ramamohanarao, Survey of networkbased defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys (CSUR), vol. 39, no. 1, 2007. [5] E. Kline, M. Beaumont-Gay, J. Mirkovic, and P. Reiher, RAD: Reflector attack defense using message authentication codes, in Proceedings of Annual Computer Security Applications Conference (ASAC), 2009, pp. 269278. [6] P. Ferguson and D. Senie, Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, RFC 2827, May 2000. [7] R. Beverly and S. Bauer, The spoofer project: Inferring the extent of source address filtering on the internet, in Proceedings of USENIX SRUTI, 2005, pp. 5359. [8] Y. Rekhter, T. Li, and S. Hares, A Border Gateway Protocol 4 (BGP-4), RFC 4271, January 2006. [9] C. Partridge, T. Mendez, and W. Milliken, Host Anycasting Service, RFC 1546, November 1993. [10] H. Ballani and P. Francis, Towards a global IP anycast service, in Proceedings of SIGCOMM, vol. 35, no. 4, August 2005, pp. 301312. [11] D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina, Generic Routing Encapsulation (GRE), RFC 2784, March 2000. [12] J. Mirkovic and E. Kissel, Comparative evaluation of spoofing defenses, IEEE Transactions on Dependable and Secure Computing, pp. 218232, 2009. [13] J. Postel, Internet Protocol, RFC 791, September 1981. [14] R. Govindan and H. Tangmunarunkit, Heuristics for Internet map discovery, in Proceedings of INFOCOM, vol. 3, 2000, pp. 13711380. L.Gomathi received her BCA degree from university of Amman Arts & Science College and MCA degree fromBharathidasan University. She has completed her M.Phil at Periyar University. She is having 7 Yrs of experience in collegiate teaching and She is a Head of the department of computer applications in Muthayammal college of Arts and Science affiliated by Periyar University. K.Priya, received her UG & PG-Trinity college for women. Her Area of interest is Data Mining.