BACK
TO MAIN
©1996-2011 All
Rights Reserved.
Online Journal of Bioinformatics. You may not store
these pages in any form except for your own personal use. All other usage or
distribution is illegal under international copyright treaties. Permission to
use any of these pages in any other way besides the
before mentioned must be gained in writing from the publisher. This
article is exclusively copyrighted in its entirety to OJB publications. This
article may be copied once but may not be, reproduced or
re-transmitted without the express permission of the editors. Linking:
To link to this page or any pages linking to this page you must link directly
to this page only here rather than put up your own page.
Online
Journal of Bioinformatics
REFEREE FORM
Please complete and remit to Editorial office, Online Journal of Bioinformatics
Title: Intrusion Detection System to
Detect DDOS Attacks in Gnutella Hybrid P2P Networks Using Artificial Immune
Systems
Author(s):Mueen Uddin1, Azizah Abdul Rahman2
ID Number: QA232
The
Editorial board must ensure that the OJB publishes only papers which are
scientifically sound. To achieve this objective, the referees are requested to
assist the Editors by making an assessment of a paper submitted for publication
by:
(a)
Writing a report as described in GENERAL STATEMENTS (Below),
(b} Check the boxes shown below under 1. and 2.
( YES or NO) [N.B.A "NO" assessment must be
supported by specific comment in the report.
(c) Make a recommendation under 3.
The
Editor-in-Chief would appreciate hearing from any referee who feels that he/she
will be unable to review a manuscript within four weeks.
1.
CRITERIA FOR JUDGEMENT (Mark "Yes" or "No").
General statements
What is this work about? Describes/reviews Gnutella program and Human
immune system and then
proposes anomaly and signature-based
intrusion
detection. An simulated immune system is proposed to minimize IDS attack. The work purports to present an
algorithm to improve detection of DDoS by
somehow
arbitrarily mapping of human immune system with Gnutella peer to peer
network according to author’s perception
Does it add any value to current
knowledge? May be of some use to prevent DDos, of main
interest here is proposed mapping to immune system and why.
Is it innovative? NC
Yes/No
answers.
Is
the work scientifically sound? NC
Is
the work an original contribution? Y
Are the conclusions justified on the evidence presented? NO
Is the work free of major errors in fact, logic or technique? Y
Is the paper clearly and concisely written?NO
Do you consider that the data provided on the care and use of animals (See
Instructions to Contributors) is sufficient to establish that the animals used
in the experiments were well looked after, that care was taken to avoid
distress, and that there was no unethical use of animals? NA
2. PRESENTATION (Mark "Yes" or "No").
Does
the title clearly indicate the content of the paper? NO (see below)
Does the abstract convey the essence of the article? (NO see below)
Are all the tables essential? Y
Are the figures and drawings of good quality? NO
Are the illustrations necessary for an understanding of the text? Y
Is the labelling adequate? Y
3. RECOMMENDATIONS(Mark one with an X)
Not
suitable for publication in the OJB
Reassess after major changes
Reassess after suggested changes X
Accept for publication with minor changes
Accept for publication without changes
4. REPORT This is quite a novel subject for this journal which
deals mainly with an IT problem, not Bioinformatics. However the idea of
mapping a secure network to an artificial immune system is within the scope of
consideration for this journal. The work purports to present an algorithm to
improve detection of DDoS by mapping of human immune system with Gnutella peer to peer network
according to author’s/literature’s perception. Gnutella and immune system are reviewed in detail, and
that readers of OJB are NOT FAMILIAR with the subject and is thus appropriate
(INTRODUCTION). The authors need to CLEARLY answer the following. What is the
purpose of this work?, Why have you mapped the immune
system in the way you did (ref), and what advantage has this mapping had over
conventional methods (you could use the simulation as an example)? The grammar
is poor throughout and far too many and long for corrections by staff at this
journal. Some of the graphics (figs 1,2 and 3) are not
of good quality and will have to be re-submitted. The crux of this work is in
the IDS detection, the ensuing method, genetic algorithm and simulation and authors
should concentrate on this part of the work in their discussion. The title is
not appropriate (see suggestions). The ABSTRACT is not precise, in this section, please describe reason, method and result only (see
suggestions). Again, authors need to justify mapping system used with
appropriate references. There is no discussion section which is replaced with
the method, simulation and results. The conclusion section is mostly redundant
(see suggested) and suggest only “The proposed system used anomaly and
signature-based detection. Each time an attack was identified, a new generation
was added to the detectors dataset. As false positives decreased, attack
detection increased.” Reassess after suggested changes X WB
Original submission
ABSTRACT
Distributed Denial of service (DDoS) attacks are an increasing
threat to the Internet
community. Intrusion detection systems have become a key component
in ensuring
the safety of systems and networks. As networks grow in size and
speed continues to
increase, it is crucial that efficient scalable techniques should
be developed for IDS
systems. This paper presents an analysis of the Gnutella
protocol, a type of the peerto-
peer networking model that currently provides decentralized
file-sharing
capabilities to its users and the distinction between server and
client is pale. Due to
dependence on a central unit, creates many vulnerabilities and
security breaches
and makes it hard to create security. In this paper a collaborative intrusion detection
system is proposed to detect DDoS
attacks by the inspiration of artificial immune
system. Since intrusion detection system is located on all leaf
peers in Gnutella
network, this system is a fully distributed system. It is clear
that the function of
artificial immune system is distributional, collaborative, robust,
complex adaptive
system. It increases the precision of attack discovery and
decreases false positive
rate. Therefore in this paper, after detecting attack with
adopting some alternatives,
the effect of attack is minimized and function of the system
is optimized. The
simulation of Gnutellasim is used to
simulate a sample network and the scenario of
attack. To analyze and achieve the function of suggested network
in training phase,
tcpdump
and gtk-gnutella tools are used to create the packets
of the Gnutella in a
new dataset.
Keywords: Gnutella hybrid peer to
peer network, artificial immune system, DDoS
attack, signature based IDS, anomaly based IDS.
Suggested
. Distributed Denial of Service (DDoS) attacks are an increasing threat to the Internet
community. Intrusion detection systems have become a key component in ensuring
the safety of systems and networks. As networks grow in size and speed,
efficient scalable techniques should be available for IDS systems. Gnutella is
a peer to-peer networking model that currently provides decentralized
file-sharing capabilities to its users but the distinction between server and
client is pale. Due to Gnutella’s dependence on a central unit, the program is
vulnerable to security breaches. An intrusion detection system to detect DDoS attacks by simulating artificial immune system is
herein described. The proposed system used anomaly and signature-based
detection. Each time an attack is identified, a new generation is added to the
detectors dataset. As false positives decrease, attack detection increases.
Keywords: Gnutella hybrid peer to
peer network, artificial immune system, DDoS attack,
signature based IDS, anomaly based IDS.
Original
INTRODUCTION
Traditional network file systems
provide reliable way for users on a LAN to pool and
share data. Internet-wide file sharing is still in its infancy.
Software developers and
researchers are struggling to find new ways to reliably, efficiently
and securely share
data across wide area networks that are plagued by high
latency, bottlenecks, and
unreliable or malicious nodes.Computer
networks are changing and developing very
quickly either in architecture context or software context of the
network and these
changes affect the network traffic. The assessment of the network
traffic has always
been discussed by researchers [38].
P2P computing is the sharing of
computer resources and services by direct exchange
between systems. These networks are mostly used for sharing and
finding the
contents of any type of data. These networks
takes advantage of existing computing
power, computer storage and networking connectivity, allowing
users to leverage
Some of the major applications of P2P
networks are File Sharing, Distributed computation Ad Hoc network
and
collaborative applications [39].
Gnutella is a decentralized P2P
file-sharing model developed in the early 2000 by
eated the WinAMP
MP3
player). This protocol is used to share and
download any type of files. It
provides decentralized architecture to store and retrieve files
from the network [39,
40]. The Gnutella protocol defines
the way in which servants communicate over the
network. It consists of a set of descriptors used for
communicating data between
servants and a set of rules governing the inter-servant exchange
of descriptors. Due
to its distributed nature, a network of servants that
implements the Gnutella
protocol is highly fault-tolerant, as operation of the network
will not be interrupted
if a subset of servants goes offline [4].
All Gnutella communication happens on
top of the TCP/IP protocol. Once a TCP/IP
connection is established between two servants, the Gnutella
connection string
\n\
servant
responding to this
\n\ by establishing a
valid Gnutella connection between these two servants. Any other
response to the
original connection string will be taken as a communication-rejection
by the initiator
servant.
After a connection is established,
two servants communicate with each other by
exchanging Gnutella protocol descriptors. Gnutella protocol also
defines the rules for
how these descriptors are exchanged between nodes.
Table 1: Gnutella Descriptors
Overview
Descriptor Description
Ping Used to actively
discover hosts on
network. A servant
receiving Ping
descriptor is
expected to
respond with one or
more Pong
descriptors.
Pong The response to a
Ping. Includes the
address of
connected Gnutella
servant &
information
regarding data it is
making available to
the network.
Query The primary
mechanism for
searching the
distributed
network. A servant
receiving a Query
descriptor will
respond with a
Query Hit if
a match
is found against its
local data set.
Query Hit The response to a
Query. This
descriptor provides
recipient with
enough information
to acquire data
matching the
corresponding
Query.
Push A mechanism that
allows firewalled
servant to add file
based data to
network.
Traffic in Gnutella hybrid peer to
peer network can be examined from different
aspects such as, the distribution of packet entrance in time
unit, the interval
between packet entrance and the distribution of packet size. If
the number of
packets exceeds the threshold value, network resources will be
saturated, because
the nodes (servants) in Gnutella hybrid peer to peer network
, leave the network or
join in anytime [18,20,4]. As a result these nodes will be
exposed to DDoS attacks
and such behaviors should be detected and prevented. In order
to prevent, detect,
encounter and stop these attacks, security should be recognized and
created over
the network [19].
Figure 1 Gnutella P2P Decentralized Model
Some of the noticeable factors in vulnerability
of Gnutella hybrid P2P network are
the flooding created when multiple messages (Packets) are
sent at the same time
over the network without knowing the exact destinations; and
the decentralized
nature of gnutella network [24].
The main strategy to resolve security
vulnerabilities problem in peer to peer network
is to use intrusion detection system. By employing IDS at
different layers in the
network, it is possible to detect suspicious ways and potential
attacks in Gnutella
hybrid P2P networks. These security breaches can be trounce by
firstly preventing
apply and implement intrusion detection systems in the network
to detect
intrusions. As these networks are continuously changing with
different topologies
inside the network, the strategies to detect intrusions are also
changing gradually, it
is therefore becomes essential that IDS system be dynamic in
nature to meet the
ever changing demands of the security constraints over time
[32].
The possibilities of attacks are
enormous in P2P networks. Some of most common
attacks are: [4]
1. Rational attacks
2. File Poisoning
3. Sybil Attacks
4. Eclipse Attacks
5. DDoS
This paper will focus on DDoS attacks. A Denial-Of-Service attack is an attack on a
computer or a network that causes the loss of a service [4]. There
exist many forms
or methods to perpetrate a DOS attack. In the case of P2P
networks, the most
common form of a DOS attack is an attempt to flood the network
with bogus
packets, thereby preventing legitimate network traffic. Another
method is to drown
the victim in fastidious computation so that it is too busy
to do answer any other
queries. DOS attacks are far more efficient if multiple hosts are
involved in the
attack, we then speak of a DDOS attack (distributed
denial-of-service) [14, 41].
In a DDOS attack, the attacking
computers are often personal computers with
broadband connections that have been compromised by a virus or
Trojan. The
perpetrator can then remotely control these machines (qualified as
zombies or
slaves) and direct an attack at any host or network. Finally, a
DDOS attack can be
even further amplified by using uncompromised hosts as
amplifiers. The zombies
answering packets to the victim. This is known as a reflection
attack [41]. These
types of attacks can be managed in Gnutella networks. As DDoS attack contains a
large number of distributed machines, the development of
defensive nodes would
be effective in discovering DDoS
attack [19,25].
DDoS attacks take advantage of the hosts on the Internet with
poor security. The
perpetrators breaks into such hosts, install slave programs, and at
the right time
instruct thousands of these slave programs to attack a particular
target. Since this
attack does not exploit a security problem at the target, no
mechanism currently
exists to defend against such an attack. Collaborative discovery
requires that
heterogeneous nodes be adhered and it guarantees high scalability and
security
against attacks.
Figure 2 Structure of DDoS Attack
Considering the features of
distributed systems and examining the different
mechanisms of human immune system, we can reveal some similarities
between
these two seemingly different contexts. The similarities are
inspired by human
immune system to identify effective intrusion in distributed
systems [7,10,16]. The
proposed IDS system uses artificial immune system to define
different algorithms.
The proposed model defines its
operations in several levels with heterogeneous
function of peers.
This paper addresses some of the
human properties more concretely and
emphasizes the innate and adaptive systems framework in proposed
networks. The
rest of this paper is organized as follows. Section 2
describes intrusion detection
system in detail related to the context of the paper. Section 3
briefly introduces
human immune system. Section 4 explores the process of
suggested IDS and debates
around artificial immune algorithms. Section 5 discusses and
describes brief analysis
of the results and details of datasets used for performing
analysis. Finally in section
6, the paper is concluded with a
discussion of proposed intrusion detection system
and artificial immune system.
RELATED WORK
Distributed Denial of service (DDoS) attacks are large and increasing threat to the
Internet
community. The need to protect against and
mitigate the effects of DDoS
attacks have been recognized by both the commercial and research
world for some
years. There has been much work done on detecting attackers and
isolating attack
streams. The majority of researches examining attacks just focus
on one system but
A recent study [42] observed 12,805
attacks on more than 5,000 distinct Internet
hosts in more than 2,000 distinct DNS domains over a three week
period. Most
attacks are short with 90% lasting less than an hour. A DDoS attack response must be
quick; much quicker than picking up the phone and calling
system administrators
autonomous systems. DD-police protects Gnutella peer to peer network
against DoS
model. In peer to peer network with its high dynamic nature,
nodes leave & join a
15].
In the context of exploiting the
features of human immune system for the security of
computer networks, Forrest performed the first researches to
discriminate between
self and nonself in network artificial
immune system. Then Hofmeyr designed an
artificial immune system called ARTIS. This system is not very
efficient because
collaboration and information exchange among nodes is not considered
and
intrusion detection is done separately in each computer.
LISYS is one of the first structures
for artificial immune systems that is designed for a
simple local network and can learn network traffic and
identified anomaly traffic.
This system detects seven common
network attacks with less than 100 detectors and
the length of detector is 49 bits [30,36].
The purpose of Cfengine
system is to automatically configure large number of
systems on heterogeneous nodes. Furthermore, as long as a new
discordance does
not happen, the intrusion detection system is passive. In
order to increase scalability,
Cfengine intrusion detection system updates the average of system
efficiency, the
number of each service input and output connection and packet
characteristic
[5,6,13].
Results of Cfengine show that danger signal potentially
affects false positive
rate and also memory detectors improve detection rate.
IMMUNE SYSTEM
The immune system is a network of
cells, tissues, and organs that work together to
(germs)
tiny infection causing organisms such as bacteria, viruses, parasites, and
fungi. Because the human body provides an ideal environment
for many microbes,
they t
to seek out and destroy them. The immune system is
amazingly complex. It can
recognize and remember millions of different enemies, and it can
produce secretions
and cells to match up with and wipe out each one of them
[37].
The cells and molecules that are
responsible for immunity forms immune system and
their comprehensive and coordinated reply against foreign
materials is called
immune response.
There are two major branches of
immune system.
1. Innate Immune Systems
2. Adaptive immune Systems.
Innate Immune Systems:
The innate immune system is an
unchanging mechanism that detects and destroys
certain invading organisms [11]. These systems form the first
line of defense against
microbes and it consists of cellular and biochemical defensive
mechanisms that exist
even before infection and are ready to response to infections
quickly. This
mechanism has an almost equal response against continual
infections. Innate
immunity mechanisms are unique for the structures that are common
among related
microbes and they may not distinguish the small differences of non
self.
Adaptive immune Systems
The adaptive immune system responds
to previously unknown foreign cells and
builds a response to them that can remain in the body over a
long period of time.
This remarkable information
processing biological system has caught the attention of
computer science in recent years [11]. These systems are
stimulated after exposure
to a microorganism. Their defensive power increases after
each encounter with a
special microbe. These systems evolve in response and also
proportionate to
infections. Apparent features of adaptable immunity systems are:
enormous
response to definite molecules, the ability to remember and
stronger response to
continual collision to a special kind of microbe [1,24].
Adaptive immune system identifies and
responses with a large number of microbe
and non microbe substances. In addition, it has a great
capacity in distinguishing
between different microbes and macromolecules even with very
close structures.
Foreign substances that induce
exclusive immune responses are the target for such
responses and are called antigen. Adaptive immunity systems are
further subdivided
into humoral immunity and cellular
immunity also known as cell mediated immunity.
ARTIFICIAL IMMUNE SYSTEM
that immune system maintains a network of interconnected
B-Cells. De Castro and
Timmis define artificial immune systems (AIS) to be adaptive systems,
inspired by
theoretical immunology and observed immune functions, principles and
models,
which are applied to problem solving. They are systems
developed using the human
immune system as inspiration, rather than creating a
comprehensive model, in an
attempt to capture some or all of the features it provides. In
most instances
however, only a few principles from immunology are used.
Table1. Mapping of human immune system with Gnutella peer to peer
network
Gnutella peer to
peer network
Human immune
system
Intrusion detection
system
Bone marrow &
thymus
Leaf peer primary lymphoid
organs
Ultra Peer Secondary
lymphoid organs
Detector Antibody
Intrusion Antigen
Normal traffic Self
Abnormal traffic Non self
APPARENT FEATURES OF ADAPTIVE
IMMUNITY RESPONSES
There are many features of the immune
system, including variety, adaptation,
immunological memory and protection against auto-immune attacks. The
following
section will explain these features in detail and show how they
can be modeled in
e systems and
then used to solve real-world problems. Some of the
typical problems amenable to being solved by Artificial Immune
Systems are security
vulnerability issues in P2P networks suing IDS systems and Data Mining
issues using
collaborative filtering and clustering [11]. All humoral
and cellular immunity systems
responses against foreign antigens that have some basic features
that characterize
the lymphocytes which create this response [1,8,28].
Generally the features of human
immune system that are applied in the proposed
system are as follows:
Variety:
The total number of lymphocytes
antigenic features in a person called lymphocyte
repertoire are in great number. This feature of lymphocyte
repertoire is called
variety which is the outcome of diversity in the structures of
connection areas to the
antigen in lymphocyte antigenic receptors. In other words various
lymphocyte clones
are different from each other in terms of the antigenic
receptors structure and
consequently antigenic features. So the produced repertoire has a lot
of varieties.
In the proposed system when an attack
template is detected, it is forwarded to all
connected Ultra Peers in the network. Then the proposed genetic
algorithm will be
applied for optimizing the attack template. The proposed
algorithm then will be
applied to all detected templates and are collectively known as
attack dataset and
the whole process is called variety.
Immunological Memory:
The collision of an immunity system
to a foreign antigen increases its ability to
respond to the same antigen again. The responses that are created
against the
second or next collisions to a kind of antigen are called
secondary immunity
responses and usually are faster and stronger than the first
immunity response
against the same kind of antigen. These memory cells have
specific features that
cause them to operate more effectively, in response to an
omission of antigen, than
naive lymphocytes that had previous collision to them.
Contraction and Homeostasis:
After the simulation of antigen, all
natural immune responses decrease as the time
progresses. Therefore the immune system returns to repose state and
this trend is
called constancy or homeostasis. The omission of stimulus causes
the death of
lymphocytes by means of apoptosis. If the same mechanism is applied
in P2P
networks, then after detecting the attack, Leaf peers go to the
suspended mode until
the network becomes stable called repose state.
Major Histocompatibility
Cells (MHC)
Major activities of T lymphocytes
consists defense against in-cell microbes and
activation of other cells such as macrophage and B lymphocytes.
Therefore the
recognition of transplant as self or nonself
is a genetic feature. Those genes that are
in charge of receiving the transplanted tissues as self or nonself are called
histocompatibility between people. All MHC molecules have some specific and
common features that are of great importance in presentation of
antigen and its
recognition by T lymphocytes. In the proposed system negative
selection algorithm
for training phase running on all Leaf Peers also uses the
same MHC properties of the
human immune system.
PROPOSED INTRUSION DETECTION SYSTEM
The proposed IDS system consists of
combination of different algorithms used to
investigate security breaches in Gnutella hybrid P2P networks. It
uses both anomaly
and signature based intrusion detection techniques with
combination of artificial
immune system to detect different attacks templates.
INTRUSION DETECTION SYSTEM
Amongst worms defensive mechanisms,
Intrusion Detection systems (IDS) are the
most widely deployed techniques that utilize the
self-duplicating repetitive nature of
computer worms to detect the patterns and signatures of theses
malicious codes in
the network traffic. Some of the IDS functionalities are:
1. Monitoring and analyzing both user
and system activity
2. Analyzing system configurations
and vulnerabilities
3. Assessing system and file
integrity
4. Ability to recognize patterns
typical of attacks
5. Analysis of abnormal activity
patterns
6. Tracking user policy violations
These systems based on the parameters
used for detection, can be broadly divided
to signature based and anomaly based systems [32].
Signature-based IDS
Signature-based detection is normally
used for detecting known attacks. No
knowledge of normal traffic is required but a signature database is
needed for this
type of detection systems. For worm detection, this type of
system does not care
how a worm finds the target, how it propagates itself or what
transmission scheme it
uses. The system takes a look at the payload and identify
whether or not it contain a
worm.
One big challenge of signature-based
IDS is that every signature requires an entry in
the database, and so a complete database might contain
hundreds or even
thousands of entries. Each packet is to be compared with all the
entries in the
database. This can be very resource- consuming and doing so will
slow down the
throughput and making the IDS vulnerable to DoS
attacks. Some of the IDS evasion
tools use this vulnerability and flood the signature based IDS
systems with too many
packets to the point that the IDS cannot keep up with the
traffic, thus making the IDS
time out and drop packets and as a result, possibly miss
attacks [23]. Further, this
type of IDS is still vulnerable against unknown attacks as it
relies on the signatures
currently in the database to detect attacks.
Anomaly-based IDS
Anomaly based systems detect abnormal
behaviors and generate alarms based on
the abnormal patterns in network traffic or application
behaviors. Typical
anomalous behaviors that may be captured include 1) misuse of
network
protocols such as overlapped IP fragments and running a standard
protocol on a
stealthy port; 2) uncharacteristic traffic patterns, such as more
UDP packets
compared to TCP ones, and 3) suspicious patterns in application
payload.
The biggest challenges of anomaly
based detection systems is defining what a
normal network behavior is, deciding the threshold to trigger
the alarm, and
preventing false alarms. The users of the network are normally
human, and
people are hard to predict. If the normal model is not defined
carefully, there will
be lots of false alarms and the detection system will suffer
from degraded
performance.
Proposed IDS System
The proposed IDS will be located in
all Leaf Peers in Gnutella hybrid P2P network; the
system detects and announces the existence of attack or presence
of intrusions to
other Ultra Peers by means of distributive Ultra Peer warning.
Consequently the
stated system discovers the network intrusions by cooperation
between Leaf Peer
and Ultra Peer. To explain the working of proposed system it
will be explored from
four different aspects these are:
1. IDS Detection Method
2. IDS Detection Activities
3. IDS Detection Network
4. IDS Detection frequency
IDS Detection Method
Intrusion detection system
distinguishes between behaviors based detection also
known as anomaly based and knowledge based often known
signature-based
detections. To detect the intrusion, algorithms of artificial immune
system like
negative selection and clonal selection
will be used to achieve the desired objectives.
In fact, new and unknown attacks are
detected. Anomaly traffic and normal traffic
are distinguished using danger theory.
The proposed system is designed by
combining the two techniques. In the training
phase anomaly based intrusion detection systems will be used to
detect abnormal
behaviors while in the testing phase signature based intrusion
detection will be used
to actually detect the intrusions.
IDS Detection Activities
With the saturation of network
resources in a short time and prediction of attack
possibility, the node (Leaf Peer or Ultra Peer) in the suggested
intrusion detection
system warns its Ultra Peers to confront attacks. Therefore, on
surrounding Ultra
Peer
become aware of possible attack. Invaded
peers would be suspended since they
are not resistant against attack and they are protected to
some extent. This system
has an active attitude by detecting and announcing Leaf Peer
and Ultra Peer new
behaviors.
IDS Detection Network
Intrusion detection system can be
divided into multiple groups depending on the
type of network to be used for performing the detection. In
Gnutella hybrid P2P
networks IDS are categorized into two main categories i.e. network
intrusion
detection system (NIDS) and host intrusion detection system (HIDS).
NIDS is installed
nd examines the traffic of the network from which it
passes. Since Ultra Peer in Gnutella hybrid peer to peer network
plays the role of
gateway and distinguishes anomaly traffic from normal traffic.
The Ultra Peer sends
attack strategy to other Ultra Peers after identifying and
proving attack.
HIDS performs on different nodes
based on collecting network traffic information.
These pieces of information are
separately analyzed in each node and the results are
used to immune the activities of the aforementioned node.
Obviously the proposed
intrusion detection system is located on all Leaf Peer so this
system performs
distributively. The results generated, informs other nodes in Gnutella hybrid
peer to
peer network of the existence of attacker nodes.
Detection Frequency
Leaf Peers perform intrusion
detection continuously while Ultra Peers would be
Stress
Figure 3 Taxonomy of proposed intrusion detection system
METHODOLOGY OF PROPOSED INTRUSION
DETECTION SYSTEM
The proposed system uses different
functions to detect intrusion especially DDoS
attack which is the main focus of this paper. Each peer does
more than one function,
like creating alarm in the proposed system, a process should
be followed that
requires several functions mentioned below:
Creation of Template:
Leaf Peer records the templates of
messages it receives in a short time span but if
the volume of received messages is more than the threshold
value specified in that
particular time span then, a new template will be formed containing
information
related to source IP address, the destination IP address (local)
and the time interval
between Gnutella packets and will be sent as the template of
possible attack;
otherwise the produced template be out aside.
Sending & Receiving of
Attack Template
After possible attack template is
formed by Leaf Peer, other peers in the network are
informed about the possible occurrence of this attack. If Ultra
Peer returns Stress
Reply message, Leaf Peer will inform
about possible attack occurrence by sending
Stress message to all peers. The
possible attack template is sent to Ultra Peer by
Template
message.
Identification of Attack
Based on Received Template
After receiving the possible attack
template using Template message, Ultra Peer
starts the activity of conforming received template to the
template of available
attacks in dataset. 30 percent conformity shows that an attack
has happened.
Sending Attack Template to
Other Ultra Peers
When an attack is diagnosed and
confirmed the Ultra Peer sends the attack template
to other Ultra Peers, so that they would be informed of the
occurrence of the attack
and they should increase their detection rate.
Classification of Attack Type
After an attack has been confirmed the
next step is to classify it between anomaly
traffic and normal traffic, an attitude should be chosen that by
receiving numerous
Gnutella messages in definite time
intervals and saturating bandwidth, considers the
peer sent traffic as attack traffic or anomaly traffic. The
classification of an attack is a
two step process, in first step Leaf Peers distinguish
between normal traffic and
possible abnormal traffic. This process is called discrimination
self/nonself [17].
While in the 2nd step, Ultra Peers distinguish between
possible normal traffic and
abnormal traffic, this process is done by applying danger theory
[13,21].
Threshold Value Limit
If the number of message sent are more than bandwidth occupied threshold value
and attack occurrence is announced as well then, sending and
receiving message to
the Ultra Peer can be prevented and the rate of sent messages
can be reduced by
adopting some measures. In fact invaded peers would be suspended
since they are
not resistant against attack and they are protected to some
extent, in a way that
they just accept high priority packets that are sent by
surrounding Ultra Peers.
Development of new generation
of detector (Genetic algorithm)
The templates with most conformity of
attacks are most likely to happen again in
near future and such templates are used in the selection phase
of genetic algorithm.
In fact ranking method is used, in a
way that detectors are ranked based on number
of conformity and then template selection would be done
according to rank based
fitness.
It is important to use a competitive
method to select best attack templates for
selection. This method works in a way that a small subcategory of
attack templates is
randomly chosen and then competes together. Finally in this
competition, one of
them is chosen based on affinity level [22]. After selecting
best templates (with more
conformity) by crossover operator and with the purpose of producing
better
templates, new templates would be created. After the function of
attack templates
crossover, mutation includes the change of zero to one. On the
other hand, the
function is applied in a lymphocyte repertoire to protect the
different forms of the
distinctness of attack templates.
ARTIFICIAL IMMUNE ALGORITHM
As human immune system performs
actively and distributively, artificial immune
system algorithms are extremely used in proposed system to
develop the purpose
specified. The major features of human immune system are inspected
to detect
intrusion and how it reacts against intrusions [14,28]. It will be
used in Gnutella
hybrid P2P network to confront DDoS
attacks. In the proposed IDS system negative
selection algorithm is used in training phase and it function as
follows:
Negative Selection Algorithm
Gnutella network packets are captured
by tcpdump monitoring tool [3] and gtkgnutella
file sharing software [2]. These packets are considered as
self dataset. After
that some detectors (immature detectors) are produced by
random Gaussian
function and by comparing these two datasets, any detector that do
not correspond
detector(mature detectors). In this stage, the number of detectors
is investigated. If
this number increases, the accuracy of detection goes up and computational
overload increases too [9,12].
Figure 4 Negative Selection Algorithm
After receiving each Gnutella packet,
the source IP address, the local destination IP
address and average time interval between two consecutive sent
packets will be
added to the template. Then the size of bandwidth occupied will
be examined. If it
does not reach the default threshold, the template will be
faded out of existence and
a new template will be made.
Otherwise, the possibility of attack
occurrence will be announced to connect Ultra
Peers. Leaf Peer after making sure of the existence of each
Ultra Peer sends the
template of possible attack to each Ultra Peer. In this stage,
Leaf Peer announces the
possibility of attack occurrence and distinguishes between abnormal traffic
and
normal traffic. Leaf Peer will be suspended for a definite time
span to prevent the
reception of any packet or message. When this time span ends, Leaf
Peer will return
to its initial state.
Ultra Peer announces its existence to
Leaf Peer by receiving the possibility of attack
occurrence and after receiving the template of possible attack, will
compare with
nonself
dataset. If the template conforms to each detector, Ultra Peer broadcasts it
to other Ultra Peers as a detector. Then Ultra Peer creates
conformed detectors
once again, increases their affinity and if detectors aren't
conformed, Ultra Peer will
Use gtk-gnutella
file sharing to
produce Gnutella normal traffic
Use tcpdump
monitoring tools to
capture packets
Gnd
Gad et
detector dataset)
Dth
1: while number of d less than Dth
with uniform Gaussian random
function
3: if Gnd contains d then
4: drop d
5: else
6: d insert into Gad
7: end if
8: end while
change its main structure.
According to the number of
conformities, detector state changes from mature stage
type and beneficial life time are inspected. As each kind of
detector has a definite life
time, those detectors whose life time is ended are deleted
from detectors dataset.
Genetic algorithm is used to improve
detectors in the proposed system. Genetic
algorithm also causes variety in nonself
templates in active stage, in a way based on
clonal
selection algorithm, those cells that identify detector grow and those cells
that
are not able to identify detector die.
As Leaf Peer and Ultra Peer operate
in a collaborative and parallel manner and
on
are separately inspected.
Figure 5 Leaf Peer Functions (Test Phase)
Gp: Gnutella Packet
BWd: percentage of Leaf Peer
Bandwidth depletion
BWth: Threshold of Leaf Peer
Bandwidth depletion
01: While peer is in active mode
02:
Gp
03: if BWd th then
04: forwards msg-stress
along connected Ultra Peers
05: else
06: Drop T
07: end if
08: if received msg-sressreply
then
09: forwards T to certain
Ultra Peers
10: stand in suspend
mode for time span
11: end if
12: end while
Figure 6 Ultra Peer Function (Test Phase)
DDOS ATTACK ANALYSIS
Distributed DoS
(DDoS) attacks are a flooding attack of many
attacking hosts (agents)
with distributed and coordinated control. Figure 2 shows the
structure of a DDoS
attack; one or more attackers control handlers and each handler
controls multiple
agents. Handlers and agents are extra layers introduced to
increase the rate of
packet traffic as well as to hide the attackers from view. Each
agent can choose the
size and type of packets as well as the duration of flooding.
While the victim may be
able to identify some agents and have them taken off-line, the
attacker can monitor
the effects of the attack and create new agents accordingly
[35].
To simulate the results a discrete
event simulator will be used to simulate the results
of Gnutella peer to peer file sharing. Gnutellasim
is suitable for Gnutella network and
is installed on PDNS and ns2.27. In order to evaluate the
suggested system, gtkgnutella-
0.96.8-2 file sharing client [2] and
tcpdump-4.1.1 monitoring software [3] is
used to generate and record Gnutella traffic.
Simulation Preliminaries
One challenge in intrusion detection
is finding good data sets for experiments and
testing. Our objective was to control the data set, so we chose
to collect data from
an internal restricted Gnutella peer to peer network. In
this environment, we can
Ta: Template of attack
Tc: number of conformity with Ta
Tttl: time to live for every detector
01: while Ultra Peer is in active mode
02: p
03: if Gp.Type is msg_stress
then
04: forwards
msg_stressreply along Leaf Peer
05: end if
06: Ta
07: if Gad contains Ta then
08: increment Tc
09: set Tttl to zero
10: update Gad with Ta
11: forward Ta along
every Ultra Peers in network
12: Run GA .Algorithm
on Gad
13: end if
14: end while
understand all of the connections, and we can limit DDoS attacks. We install firewall
of ISA server in the entrance of our network. Then external
connections must pass
through a firewall. The Dataset used for performing the
experiments and analysis is
related to Gnutella peer to peer network traffic. The proposed
scenario includes 23
peers that are divided into 5 Ultra Peers and 18 Leaf Peers.
Simulation Results Analysis
Gnutella Protocol v. 0.6 will be used
for performing the simulations. In IDS systems,
self is defined as the set of normal pair wise TCP/IP
connections between Leaf Peer
and Ultra Peer and nonself is the
set of connections. When enormous numbers of
Gnutella packets are transmitted over
the network they are not observed normally
on the network.
The efficiency of proposed system is
analyzed based on the following criteria:
Negative Selection Time
Some immature detectors are produced
by random Gaussian function and this
dataset compares with Gnutella normal dataset. If any detectors
do not match with
normal traffic template, it will be added to the mature
detectors' list. Output of
training file is a mature detectors' dataset. Figure 7 shows the
time of negative
selection in proportion to the number of detectors. By increasing
the number of
mature detectors, negative selection time will be increase too
but, detection
precision is optimized. Because of using genetic algorithm, the
time of negative
selection is more beneficial than LISYS algorithm.
0
5
10
15
20
0 25 35 45 55 75 Negative selection
time
Number of detector
Evaluation producing
mature detector time
Figure 7 Production Time of Mature Detector
Detection Precision
In order to increase the detection
precision, false positive should be reduced. This
research will identify parameters that appear most important for
minimizing false
positives, as well as how to maximize the percentage of detecting
intrusions.
The percentage of attack detection
will be measured by proportion of discovered
attack occurrences to all attack occurrences. dt R denotes the corresponding false
positives rate. d T
is the number of attacks that be discovered and a T
is the total
number of attacks.
100
a
d
dt T
T
R
In fact false positive is the sending
of alarm message by intrusion detection system in
the time that attack has not happened. p T is the total number false positive alarms
and a T is the total number of attacks.
100
a
p
fp T
T
R
The proposed system is adopted to
describe the tradeoff between the detection rate
and false positive rate. Therefore, we evaluate the best
attitude coherent to these
factors for yielding optimum resolves.
Number of Detectors
To study the effect of mature
detectors on the percentage of attack discovery and
false positive, the parameter of activation discovery is
considered 6, crossover
operator 0.4 and mutation operator 0.005. These two factors are
evaluated by the
change in the number of detectors in number of different
conformity bits. With
increase in number of detectors, the percentage of attack
discovery goes up on the
one side and the false positive increases on the other side.
In a way that in all the
forms of conformity bits, 75 detectors show the most efficient
response for
detecting attack. But due to computation over load, the number
detectors are
commonly not very high. In LISYS algorithm, the number of
detectors is 100. Figure 8
proves this.
0.000
0.200
0.400
0.600
0.800
1.000
8 10 12 14 16 18
percentage of detection
number of bits matching
Evaluation Detection(number of detector)
25 detector 35 detector 45
detector 55 detector 75 detector
Fig.8 Detection with
Different Number of Detector
Bit Matching Algorithm
Some detectors in this IDS system are
usually implemented as strings, whose
function is to classify new strings as normal or abnormal by
matching them in some
forms. The perfect matching is rare in the immune system. So,
we use a partial
matching rule known as r-contiguous bits matching. Under this
rule, two strings
Our observations in figure 9 show
that immune system as inspiration for detecting
intrusion is the best approaches. To study the effect of mature
detectors on the
percentage of attack discovery and false positive, the parameter of
activation
discovery is considered 6, crossover operator 0.6 and mutation
operator 0.005.
These two factors are evaluated by
the change in the number of detectors in the
number of different conformity bits. The number of strings a
detector matches
increases exponentially as the value of r decreases. For example, 8
conformity bits is
the best resolve for attack detection rate but is the worst
result for false positive
rate. After checking these factors, we use 12 conformity bits
and LISYS algorithm to
elect the number.
0.000
0.200
0.400
0.600
0.800
1.000
8 10 12 14 16 18
percenatge of detection
number of bits matching
Evaluation
Detection(r-bits contiguous
matching)
Figure 9 (A)
Evaluation Detection
0%
5%
10%
15%
20%
8 10 12 14 16 18
percentage of false positive
number of bits matching
Evaluation False
Positive(r-contiguous bits
matching)
Fig. 9 (b) Evaluation False
Positive
Activation Threshold Values
Activation threshold shows detector's
condition in mature, active and memory state.
Activation thresholds are a mechanism
designed to reduce false positives. To test
our expectations, we studied the effect of changing the
activation threshold on the
proper amount of activation threshold is evaluated with 75
detectors, crossover
operator 0.6 and mutation operator 0.005.
In fact the less this amount, the
sooner the detector goes to the activation stage,
therefore generation production will be more and the better
discovery will occur.
Also this parameter decreases the
false positive. 6 and 8 activation threshold has the
same attack discovery percentage with small differences. For
the number of
conformity bits 16, 14 and 18, the activation threshold of 8 is
better but LISYS
algorithm suggests 10 activation thresholds. Figure 10 illustrates
how the number of
false positives lessens as the activation threshold increases.
0.0000
0.2000
0.4000
0.6000
0.8000
1.0000
8 10 12 14 16 18
percentage of detection
number of bits matching
Evaluation Detection(Activation Threshold)
6 activation 8 activaiton
10 activation
Figure 10 (A)
Evaluation Detection
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
8 10 12 14 16 18
percentage of false positive
number of bits matching
Evaluation False positive(Activation Threshold)
6 activation 8 activaiton
10 activation
Figure 10 (B) Evaluation False Positive
As Gnutella peer to peer network has
two versions: Gnutella 0.4 and Gnutella 0.6. In
Gnutella 0.6 network,
peers with high processing strength are used which are called
Ultra Peers. So in this system, both
versions of Gnutella peer to peer network with
one-point crossover operator and two-point crossover operator are
examined for
intrusion detection [18,20,27,31]. Simulation results indicate the
superiority of
intrusion detection in Gnutella 0.6 hybrid peer to peer network by
two-point
crossover operator in comparison to other forms. As the number of
detectors
increases, more attacks will be discovered. Figure 6 denote
comparison of two
version Gnutella network by different crossover operator.
Figure 11 (A) Comparison of attack detection percentage to the number of
detectors for Gnutella 0.4
0%
20%
40%
60%
80%
0 25 35 45 55 75
percentage of detection Number of detector
Evaluation
Detection(Gnutella 0.4)
two-point crossover operator
one-point crossover operator
without crossover operator
Figure 11 (B) Comparison of attack detection percentage to the number of
detectors for Gnutella 0.6
Delay
The time of attack occurrence in
proportion to the time that intrusion detection
system reacts against attack. In the proposed system, the
average identification time
of each attack is 15 seconds.
CONCLUSION
Since creating security in
distributed networks is complicated, to obtain the
maximum of security and possible attacks discovery, it is
required to use the
advantages of various techniques of intrusion detection. The
proposed system used
the two approaches of intrusion detection, anomaly-based and
signature-based.
Each time that an attack is
identified by Genetic algorithm, a new generation is
created that will be added to detectors dataset. In fact the
template of new attacks
is discovered and this approach increases the ability and
power of the system. As
false positive decreases, attack detection precision increases.
The proposed IDS uses
artificial immune system to minimize the influence of attack by
identifying the attack
which ultimately increases functional efficiency to an accepted
level. In addition, the
proposed system inspects nodes cooperation and provides an
efficient way of
properly using the algorithms of artificial immune system. The
simulation results
0%
50%
100%
150%
200%
250%
0 25 35 45 55 75
percentage of detection
Number of detector
Evaluation
Detection(Gnutella 0.6)
two-point crossover operator
one-point crossover operator
without crossover operator
clearly show that the used method for this purpose not only has
adaptability,
scalability, flexibility and variety but also has high accuracy and
correctness.
REFERENCES
1. Artificial immune system(AIS): http://www.artificial-immune-system.org
2. gtk-gnutella:
http://www.gtk-gnutella.com
3. Swiss Federal
Institute of Technology (ETH) Zurich,
2005
4.
Architecture Group (SWAG) Department
of Computer Science University of Waterloo Ontario N2L 3G1
Canada.
5. U. Aickelin,
P. Bentley, S. Cayzer, J. Kim and J. McLeod.
"Danger Theory: The Link between
Artificial
Immune Systems and Intrusion Detection Systems." Proceedings 2nd
International
Conference on Artificial
Immune Systems, 2003: 147-155.
6. U. Aickelin
and J.Greensmith. "The
deterministic dendritic cell algorithm." In Proceeding of the 7th
International Conference on Artificial Immune Systems (ICARIS). , 2008: 291 302.
7. U. Aickelin,
J. Greensmith and J. Twycross.
"Immune system approaches to intrusion detection - a
review." in Proceeding of the Third International Conference on Artificial
Immune Systems. Number
3239 in Lecture Notes in Computer Science, 2004: 316 329.
8. A. Okine, D. Dasgupta and Nii.
"Immunity-based systems: A survey." In proceedings of the IEEE
International Conference on
Systems, Man, and Cybernetics,
1997: 369-374.
9. P.J Bentley
and J. Kim. "Evaluating negative selection
in an artificial immune system for network
intrusion detection." Proceedings of GECCO,
2001: 1330 1337.
10. P.J
Bentley and J. Kim. "Towards an artificial immune
system for network intrusion detection: An
investigation of dynamic clonal
selection." In the Congress on
Evolutionary Computation (CEC-2001),
Seoul, Korea, 2001: 1244 1252.
11. U. Aickelin#
and D. Dasgupta
University of Nottingham,
Nottingham, 2004
12. L.J. Cannady and J. Gonzalez. "A self-adaptive negative
selection approach for anomaly detection."
In Proceedings of the 2004
Congress of Evolutionary Computation,
2004: 1561-1568.
13. S. Cayzer and U. Aickelin. "Danger theory and its
applications to AIS." In Proceeding of the Second
Internation Conference on Artificial Immune Systems (ICARIS-02), 2002: 141-148.
14. R. Chang. "Defending
Against Flooding-Based Distributed Denial-of-Service Attacks." IEEE
Communications Magazine, 2001: 42-51.
15. E. Athanasopoulos, K.G. Anagnostakis,
and E. Markatos. "Misusing unstructured p2p systems to
perform dos attacks: The network that never forgets." in Proceedings of the 4th International
, 2006.
16. F. S. de
Paula, L. N. de Castro, and P. L. de Geus. "An intrusion detection system using ideas from
the immune system." In Proceeding of IEEE Congress on Evolutionary Computation
(CEC-2004), 2004:
1059-1066.
17. S. Forrest, A. Perelson, S. Allen, L.R. Cherukuri.
"Self-Nonself Discrimination in a
Computer." in
Proceeding IEEE Symposium
on Research in Security and Privacy, IEEE Computer Society Press, 1994:
202 212.
18. M. Foster, I. Ripeanu.
"Mapping the Gnutella network." in Proc. 1st International Workshop on
Peer-to-Peer Systems,
Cambridge, MA, 2002: 85-93.
19. G.Oikonomou,
P. Reiher, M. Robinson, and J. Mirkovic.
"A framework for collaborative DDOS
defense." in Proceedings of the 2006 annual computer security applications
conference, 2006: 33-42.
20. M. Garcia,
Y.Beverly and Hector. "Designing a super-peer
network." In Proceeding of 19th
International Conference on
Data Engineering, 2003: 49-61.
21. J. Greensmith, J. Twycross, and U. Aickelin.
"Dendritic cells for anomaly detection." In Proceeding
of the
Congress on Evolutionary Computation (CEC), 2006: 664 671.
22. J. Guan,
D.X. Liu, and B.G. Cui. "An
induction learning approach for building intrusion detection
models using genetic algorithms." in Proceedings of Fifth World Congress on Intelligent Control and
Automation WCICA, vol. 5, 2004: 4339-4342.
23. J. B. Raven Alder, Adam Doxtater, James Foster, Toby Kohlenberg,
& Michael Rash, "Snort 2.1
Intrusion Detection," 2nd ed.
Rockland, MA: Syngress (Distributed by O'Reilly and
Associates), 2004.
24. L. Xiao,
Y. Liu, and L.M. Ni.
"Improving Unstructured Peer-to-Peer Systems by Adaptive Connection
Establishment." IEEE Transactions on Computers, 2005.
25. J. Mirkovic, G. Prier and P. Reihe. "Alliance formation for DDoS defense."
, 2003: 11-18.
26. Q. Lv,
S. Ratnasamy, and S. Shenker.
"Can heterogeneity make gnutella scalable?"
in Proceedings
of the 1st
International Workshop on Peerto-Peer Systems
(IPTPS), Cambridge, MA, USA, 2002.
27. S. Stepney, R. Smith, J. Timmis, and
A. Tyrrell. "Towards a conceptual framework
for artificial
immune systems." In Proceeding of the 3rd International Conference on Artificial
Immune Systems
(ICARIS), LNCS 3239, 2004: 53-64.
28. teur), 125C,
pp373-389, 1974
29. S. Singh. "Anomaly detection
using negative selection based on the r-contiguous matching rule." in
Proceedings of the 1st
International Conference on Artificial Immune Systems (ICARIS'-02), 2002: 99-
106.
30. S. Spinellis and D. Androutsellis. "A Survey of Peer-to-Peer Content Distribution
Technologies." in
ACM Computing Surveys, vol.
36, 2004: 335-371.
31. Stolfo,
W. Lee and J. Salvatore. "A framework for constructing features and models
for intrusion
detection systems." ACM Transactions on Information and System Security (TISSEC), vol.
3, 2000: 227-
261.
32. U. Mueen,
K. Khowaja, A.R. Azizah.
"Dynamic Multi Layer signature based IDS using Mobile
Agents", International Journal
of Network Security and its Applications Vol 2. No.4.
2010, 129-141.
33. Z. Ge,
D. Figueiredo, S. Jaiswal,
J. Kurose, and D. Towsley. "Modeling peer-peer file sharing
systems." ,
2003: 2188-2198.
34. F. Forrest
and S. Esponda. "Detector coverage under the r-contiguous
bits matching rule." 2002
35. Dietrich, S., Long, N., and Dittrich, D. Analyzing distributed denial of service tools:
the shaft case. In
Proceedings of USENIX (Dec 2000).
36. E. Meshkova, J. Riihijärvi, M. Petrova and P. Mähönen. "A survey on resource discovery
mechanisms, peer-to-peer and service discovery frameworks." computer networks,Department of
Wireless Networks, RWTH
Aachen University, Kackertstrasse 9, D-52072 Aachen,
Germany, 2008:
2097 2128.
37. tment of Health and Human
Services National Institutes of
Health, 2003.
38. -to-
39.
40. Gomes. "Gnutella keeps
growing and growing" Online. WSJ Interactive Edition,
http://www.zdnet.com/zdnn/stories/news/0,4586,2766234,00.html.
May 2001
41. Thomas D¨ubendorfer,
Arno Wagner: Past and Future Internet Disasters: DDoS
attacks.
42. Moore, D., Voelker,
G. M., and Savage, S. Inferring internet denial of service activity. In
Proceedings of Usenix Security Symposium (August 2001).
INTRODUCTION
Traditional network file systems
provide a reliable way for users on a LAN to pool and share data. Internet-wide
file sharing is still in its infancy. Software developers and researchers are
struggling to find new ways to reliably, efficiently and securely share data
across wide area networks that are plagued by high latency, bottlenecks, and
unreliable or malicious nodes. Computer networks are changing and developing
very quickly either in architecture context or software context of the network
and these changes affect the network traffic [38].
P2P computing is the sharing of
computer resources and services by direct exchange between systems. These
networks are mostly used for sharing and finding the contents of any type of
data. These networks takes advantage of existing computing power, computer
storage and networking connectivity, allowing users to leverage Some of the
major applications of P2P networks are File Sharing, Distributed computation Ad
Hoc network and collaborative applications [39].
Gnutella is a decentralized P2P
file-sharing model developed in 2000AD. This protocol is used to share and
download any type of files. It provides decentralized architecture to store and
retrieve files from the network [39, 40]. The Gnutella protocol defines the way
in which servants communicate over the network. It consists of a set of
descriptors used for communicating data between servants and a set of rules
governing the inter-servant exchange of descriptors. Due to its distributed
nature, a network of servants that implements the Gnutella protocol is highly
fault-tolerant, as operation of the network will not be interrupted if a subset
of servants goes offline [4].
All Gnutella communication happens on
top of the TCP/IP protocol. Once a TCP/IP connection is established between two
servants, the Gnutella connection string “GNUTELLA CONNECT/<protocol version
string>\n\n” may be sent by one of the clients (the current protocol version
string is “0.4”). The servant responding to this connection
may respond with GNUTELLA OK\n\n” message thereby establishing a valid Gnutella
connection between these two servants. Any other response to the
original connection string will be taken as a communication-rejection by the
initiator servant.
After a connection is established,
two servants communicate with each other by exchanging gnutella
protocol descriptors. Gnutella protocol also defines the rules for how these
descriptors are exchanged between nodes
Traffic in Gnutella hybrid peer to
peer network can be examined from different aspects such as, the distribution
of packet entrance in time unit, the interval between packet entrance and the
distribution of packet size. If the number of packets exceeds the threshold
value, network resources will be saturated, because the nodes (servants) in
Gnutella hybrid peer to peer network , leave the network or join in anytime
[18,20,4]. As a result these nodes will be exposed to DDoS
attacks and such behaviors should be detected and prevented. In order to
prevent, detect, encounter and stop these attacks, security should be
recognized and created over the network [19].
Figure
1. Gnutella P2P Decentralized Model
Some of the noticeable factors in
vulnerability of Gnutella hybrid P2P network are the flooding created when
multiple messages (Packets) are sent at the same time over the network without
knowing the exact destinations; and the decentralized nature of gnutella network [24]. The plain strategy to resolve
security vulnerabilities problem in peer to peer network is to use intrusion
detection system. By employing IDS at different layers in the network, it is
possible to detect suspicious ways and potential attacks in Gnutella hybrid P2P
networks. These security breaches can be trounce by firstly preventing apply
and implement intrusion detection systems in the network to detect intrusions.
As these networks are continuously changing with different topologies inside
the network, the strategies to detect intrusions are also changing gradually,
it is therefore becomes essential that IDS system be dynamic in nature to meet
the ever changing demands of the security constraints over time [32].
The possibilities of attacks are
enormous in P2P networks. Some of most common attacks are: [4]
1. Rational attacks
2. File Poisoning
3. Sybil Attacks
4. Eclipse Attacks
5. DDoS
A Denial-Of-Service attack is an
attack on a computer or a network that causes the loss of a service [4]. There
exist many forms or methods to perpetrate a DOS attack. In the case of P2P
networks, the most common form of a DOS attack is an attempt to flood the
network with bogus packets, thereby preventing legitimate network traffic.
Another method is to drown the victim in fastidious computation so that it is
too busy to do answer any other queries. DOS attacks are far more efficient if
multiple hosts are involved in the attack, we then speak of a DDOS attack
(distributed denial-of-service) [14, 41].
In a DDOS attack, the attacking
computers are often personal computers with broadband connections that have
been compromised by a virus or Trojan. The perpetrator can then remotely
control these machines (qualified as zombies or slaves) and direct an attack at
any host or network. Finally, a DDOS attack can be even further amplified by
using uncompromised hosts as amplifiers. The zombies
answering packets to the victim. This is known as a reflection attack
[41]. These types of attacks can be managed in Gnutella networks. As DDoS attack contains a large number of distributed
machines, the development of defensive nodes would be effective in discovering DDoS attack [19,25].
DDoS attacks take advantage of the hosts on the Internet with
poor security. The perpetrators breaks into such hosts, install slave programs,
and at the right time instruct thousands of these slave programs to attack a
particular target. Since this attack does not exploit a security problem at the
target, no mechanism currently exists to defend against such an attack.
Collaborative discovery requires that heterogeneous nodes be adhered and it
guarantees high scalability and security against attacks.
Figure 2 Structure of DDoS
Attack
Considering the features of distributed
systems and examining the different mechanisms of human immune system, we can
reveal some similarities between these two seemingly different contexts. The
similarities are inspired by human immune system to identify effective
intrusion in distributed systems [7,10,16]. The
proposed IDS system uses artificial immune system to define different
algorithms. The proposed model defines its operations in several levels with
heterogeneous function of peers.
This paper addresses some of the
human properties more concretely and emphasizes the innate and adaptive systems
framework in proposed networks. The rest of this paper is organized as follows.
Section 2 describes intrusion detection system in detail related to the context
of the paper. Section 3 briefly introduces human immune system. Section 4
explores the process of suggested IDS and debates around artificial immune
algorithms. Section 5 discusses and describes brief analysis of the results and
details of datasets used for performing analysis. Finally in section 6, the
paper is concluded with a discussion of proposed intrusion detection system and
artificial immune system.
Distributed Denial of service (DDoS) attacks are large and
increasing threat to the Internet community. The need to protect against and
mitigate the effects of DDoS attacks have been
recognized by both the commercial and research world for some years. There has
been much work done on detecting attackers and isolating attack streams. The
majority of researches examining attacks just focus on one system but a recent
study [42] observed 12,805 attacks on more than 5,000 distinct Internet hosts
in more than 2,000 distinct DNS domains over a three week period. Most attacks
are short with 90% lasting less than an hour. A DDoS
attack response must be quick; much quicker than picking up the phone and
calling system administrators autonomous systems. DD-police protects Gnutella
peer to peer network against DoS model. In peer to
peer network with its high dynamic nature, nodes leave & join a 15].
In the context of exploiting the
features of human immune system for the security of computer networks, Forrest
performed the first research to discriminate between self and non-self in
network artificial immune system. Hofmeyr designed an
artificial immune system called ARTIS. This system is not very efficient
because collaboration and information exchange among nodes is not considered
and intrusion detection is done separately in each computer. LISYS is one of
the first structures for artificial immune systems that is designed for a
simple local network and can learn network traffic and identified anomaly
traffic. This system detects seven common network attacks with less than 100
detectors and the length of detector is 49 bits [30,36].
The purpose of Cfengine
system is to automatically configure large number of systems on heterogeneous
nodes. Furthermore, as long as a new discordance does not happen, the intrusion
detection system is passive. In order to increase scalability, Cfengine intrusion detection system updates the average of
system efficiency, the number of each service input and output connection and
packet characteristic [5,6,13]. Results of Cfengine show that danger signal potentially affects false
positive rate and also memory detectors improve detection rate.
Immune system
The immune system is a network of
cells, tissues, and organs that work together to (germs) tiny infection causing
organisms such as bacteria, viruses, parasites, and fungi. Because
the human body provides an ideal environment for many microbes, they to seek
out and destroy them. The immune system is amazingly complex. It can
recognize and remember millions of different enemies, and it can produce
secretions and cells to match up with and wipe out each one of them [37]. The
cells and molecules that are responsible for immunity forms immune system and
their comprehensive and coordinated reply against foreign materials is called
immune response. There are two major branches of immune system, the innate and
adaptive.
Innate Immune Systems:
The innate immune system is an
unchanging mechanism that detects and destroys certain invading organisms [11].
These systems form the first line of defense against microbes and it consists
of cellular and biochemical defensive mechanisms that exist even before
infection and are ready to response to infections quickly. This mechanism has
an almost equal response against continual infections. Innate immunity
mechanisms are unique for the structures that are common among related microbes
and they may not distinguish the small differences of non self.
Adaptive immune Systems
The adaptive immune system responds
to previously unknown foreign cells and builds a response to them that can
remain in the body over a long period of time. This remarkable information
processing biological system has caught the attention of computer science in
recent years [11]. These systems are stimulated after exposure to a
microorganism. Their defensive power increases after each encounter with a
special microbe. These systems evolve in response and also proportionate to
infections. Apparent features of adaptable immunity systems are: enormous
response to definite molecules, the ability to remember and stronger response
to continual collision to a special kind of microbe [1,24].
Adaptive immune system identifies and
responses with a large number of microbe and non microbe substances. In
addition, it has a great capacity in distinguishing between different microbes
and macromolecules even with very close structures. Foreign substances that
induce exclusive immune responses are the target for such responses and are
called antigen. Adaptive immunity systems are further subdivided into humoral immunity and cellular immunity also known as cell
mediated immunity.
Artificial immune system
De Castro and Timmis
define artificial immune systems (AIS) to be adaptive systems, inspired by
theoretical immunology and observed immune functions, principles and models,
which are applied to problem solving. They are systems developed using the
human immune system as inspiration, rather than creating a comprehensive model,
in an attempt to capture some or all of the features it provides. In most
instances however, only a few principles from immunology are used.
Table
2. Mapping of human immune system with
Gnutella peer to peer network
Apparent features of adaptative immune responses
There are many features of the immune
system, including variety, adaptation, immunological memory and protection
against auto-immune attacks. The following section will explain these features
in detail and show how they can be modeled in e systems and then used to solve
real-world problems. Some of the typical problems amenable to being solved by
Artificial Immune Systems are security vulnerability issues in P2P networks
suing IDS systems and Data Mining issues using collaborative filtering and
clustering [11]. All humoral and cellular immunity
systems responses against foreign antigens that have some basic features that
characterize the lymphocytes which create this response [1,8,28].
Generally the features of human immune system that are applied in the proposed
system are as follows:
Variety:
The total number of lymphocytes
antigenic features in a person called lymphocyte repertoire are in great
number. This feature of lymphocyte repertoire is called variety which is the
outcome of diversity in the structures of connection areas to the antigen in
lymphocyte antigenic receptors. In other words various lymphocyte clones are
different from each other in terms of the antigenic receptors structure and
consequently antigenic features. So the produced repertoire has a lot of
varieties.
In the proposed system when an attack
template is detected, it is forwarded to all connected Ultra Peers in the network.
Then the proposed genetic algorithm will be applied for optimizing the attack
template. The proposed algorithm then will be applied to all detected templates
and are collectively known as attack dataset and the whole process is called
variety.
Immunological Memory:
The collision of an immunity system
to a foreign antigen increases its ability to respond to the same antigen
again. The responses that are created against the second or next collisions to
a kind of antigen are called secondary immunity responses and usually are
faster and stronger than the first immunity response against the same kind of
antigen. These memory cells have specific features that cause them to operate
more effectively, in response to an omission of antigen, than naive lymphocytes
that had previous collision to them.
Contraction and Homeostasis:
After the simulation of antigen, all
natural immune responses decrease as the time progresses. Therefore the immune
system returns to repose state and this trend is called constancy or
homeostasis. The omission of stimulus causes the death of lymphocytes by means
of apoptosis. If the same mechanism is applied in P2P networks, then after
detecting the attack, Leaf peers go to the suspended mode until the network
becomes stable called repose state.
Major Histocompatibility
Cells (MHC)
Major activities of T lymphocytes
consists defense against in-cell microbes and activation of other cells such as
macrophage and B lymphocytes. Therefore the recognition of transplant as self
or nonself is a genetic feature. Those genes that are
in charge of receiving the transplanted tissues as self or nonself
are called histocompatibility between people. All MHC
molecules have some specific and common features that are of great importance
in presentation of antigen and its recognition by T lymphocytes. In the
proposed system negative selection algorithm for training phase running on all
Leaf Peers also uses the same MHC properties of the human immune system.
Intrusion detection system
The proposed IDS system consists of
combination of different algorithms used to investigate security breaches in
Gnutella hybrid P2P networks. It uses both anomaly and signature based
intrusion detection techniques with combination of artificial immune system to
detect different attacks templates. Amongst worms defensive mechanisms,
Intrusion Detection systems (IDS) are the most widely deployed techniques that
utilize the self-duplicating repetitive nature of computer worms to detect the
patterns and signatures of theses malicious codes in the network traffic. Some
of the IDS functionalities are:
1. Monitoring and analyzing both user
and system activity
2. Analyzing system configurations
and vulnerabilities
3. Assessing system and file
integrity
4. Ability to recognize patterns
typical of attacks
5. Analysis of abnormal activity
patterns
6. Tracking user policy violations
These systems based on the parameters
used for detection, can be broadly divided to signature based and anomaly based
systems [32].
Signature-based IDS
Signature-based detection is normally
used for detecting known attacks. No knowledge of normal traffic is required
but a signature database is needed for this type of detection systems. For worm
detection, this type of system does not care how a worm finds the target, how
it propagates itself or what transmission scheme it uses. The system takes a
look at the payload and identify whether or not it contain a worm.
One big challenge of signature-based
IDS is that every signature requires an entry in the database, and so a
complete database might contain hundreds or even thousands of entries. Each
packet is to be compared with all the entries in the database. This can be very
resource- consuming and doing so will slow down the throughput and making the
IDS vulnerable to DoS attacks. Some of the IDS
evasion tools use this vulnerability and flood the signature based IDS systems
with too many packets to the point that the IDS cannot keep up with the
traffic, thus making the IDS time out and drop packets and as a result,
possibly miss attacks [23]. Further, this type of IDS is still vulnerable
against unknown attacks as it relies on the signatures currently in the
database to detect attacks.
Anomaly-based IDS
Anomaly based systems detect abnormal
behaviors and generate alarms based on the abnormal patterns in network traffic
or application behaviors. Typical anomalous behaviors that may be captured
include 1) misuse of network protocols such as overlapped IP fragments and
running a standard protocol on a stealthy port; 2) uncharacteristic traffic
patterns, such as more UDP packets compared to TCP ones, and 3) suspicious
patterns in application payload. The biggest challenges of anomaly based
detection systems is defining what a normal network behavior is, deciding the
threshold to trigger the alarm, and preventing false alarms. The users of the
network are normally human, and people are hard to predict. If the normal model
is not defined carefully, there will be lots of false alarms and the detection
system will suffer from degraded performance.
Proposed IDS System
The proposed IDS will be located in
all Leaf Peers in Gnutella hybrid P2P network; the system detects and announces
the existence of attack or presence of intrusions to other Ultra Peers by means
of distributive Ultra Peer warning. Consequently the stated system discovers
the network intrusions by cooperation between Leaf Peer and Ultra Peer. To
explain the working of proposed system it will be explored from four different
aspects these are:
1. IDS Detection Method
2. IDS Detection Activities
3. IDS Detection Network
4. IDS Detection frequency
IDS Detection Method
Intrusion detection system
distinguishes between behaviors based detection also known as anomaly based and
knowledge based often known signature-based detections. To detect the
intrusion, algorithms of artificial immune system like negative selection and clonal selection will be used to achieve the desired
objectives. In fact, new and unknown attacks are detected. Anomaly traffic and
normal traffic are distinguished using danger theory. The proposed system is
designed by combining the two techniques. In the training phase anomaly based
intrusion detection systems will be used to detect abnormal behaviors while in
the testing phase signature based intrusion detection will be used to actually
detect the intrusions.
IDS Detection Activities
With the saturation of network
resources in a short time and prediction of attack possibility, the node (Leaf
Peer or Ultra Peer) in the suggested intrusion detection system warns its Ultra
Peers to confront attacks. Therefore, on surrounding Ultra Peer become aware of
possible attack. Invaded peers would be suspended since they are not resistant
against attack and they are protected to some extent. This system has an active
attitude by detecting and announcing Leaf Peer and Ultra Peer new behaviors.
IDS Detection Network
Intrusion detection system can be
divided into multiple groups depending on the type of network to be used for performing
the detection. In Gnutella hybrid P2P networks IDS are categorized into two
main categories i.e. network intrusion detection system (NIDS) and host
intrusion detection system (HIDS). NIDS is installed and examines the traffic
of the network from which it passes. Since Ultra Peer in Gnutella hybrid peer
to peer network plays the role of
gateway and distinguishes anomaly traffic from normal traffic.
The Ultra Peer sends attack strategy to other Ultra Peers after identifying and
proving attack.
HIDS performs on different nodes
based on collecting network traffic information. These pieces of information
are separately analyzed in each node and the results are used to immune the
activities of the aforementioned node. Obviously the proposed intrusion detection
system is located on all Leaf Peer so this system performs distributively.
The results generated, informs other nodes in Gnutella hybrid peer to peer
network of the existence of attacker nodes.
Detection Frequency
Leaf Peers perform intrusion detection
continuously while Ultra Peers would be The proposed
system uses different functions to detect intrusion especially DDoS attack which is the main focus of this paper. Each
peer does more than one function, like creating alarm in the proposed system, a
process should be followed that requires several functions mentioned below:
METHOD
Creation of Template:
Leaf Peer records the templates of
messages it receives in a short time span but if the volume of received
messages is more than the threshold value specified in that particular time
span then, a new template will be formed containing information related to
source IP address, the destination IP address (local) and the time interval
between Gnutella packets and will be sent as the template of possible attack;
otherwise the produced template will be out aside.
Figure 3 Taxonomy of proposed
intrusion detection system
Sending & Receiving of Attack
Template
After an attack, a template is formed
by Leaf Peer, other peers in the network are informed
about the possible occurrence of this attack. If Ultra Peer returns Stress
Reply message, Leaf Peer will inform about possible attack occurrence by
sending Stress message to all peers. The possible attack template is sent to
Ultra Peer by Template message.
Identification of Attack Based on
Received Template
After receiving the possible attack
template using Template message, Ultra Peer starts the activity of conforming
received template to the template of available attacks in dataset. 30 percent
conformity shows that an attack has happened.
Sending Attack Template to Other
Ultra Peers
When an attack is diagnosed and
confirmed the Ultra Peer sends the attack template to other Ultra Peers, so that
they would be informed of the occurrence of the attack and they should increase
their detection rate.
Classification of Attack Type
After an attack has been confirmed
the next step is to classify it between anomaly traffic and normal traffic, an
attitude should be chosen that by receiving numerous Gnutella messages in
definite time intervals and saturating bandwidth, considers the peer sent
traffic as attack traffic or anomaly traffic. The classification of an attack
is a two step process, in first step Leaf Peers distinguish between normal
traffic and possible abnormal traffic. This process is called discrimination
self/nonself [17]. While in the 2nd step, Ultra Peers
distinguish between possible normal traffic and abnormal traffic, this process
is done by applying danger theory [13,21].
Threshold Value Limit
If the number of message sent are
more than bandwidth occupied threshold value and attack occurrence is announced
as well then, sending and receiving message to the Ultra Peer can be prevented
and the rate of sent messages can be reduced by adopting some measures. In fact
invaded peers would be suspended since they are not resistant against attack
and they are protected to some extent, in a way that they just accept high
priority packets that are sent by surrounding Ultra Peers.
Development of new generation of
detector (Genetic algorithm)
The templates with most conformity of
attacks are most likely to happen again in near future and such templates are
used in the selection phase of genetic algorithm. In fact ranking method is
used, in a way that detectors are ranked based on number of conformity and then
template selection would be done according to rank based fitness.
It is important to use a competitive
method to select best attack templates for selection. This method works in a
way that a small subcategory of attack templates is randomly chosen and then
competes together. Finally in this competition, one of them is chosen based on
affinity level [22]. After selecting best templates (with more conformity) by
crossover operator and with the purpose of producing better templates, new
templates would be created. After the function of attack templates crossover,
mutation includes the change of zero to one. On the other hand, the function is
applied in a lymphocyte repertoire to protect the different forms of the
distinctness of attack templates.
Artificial immune algorithm
As human immune system performs
actively and distributively, artificial immune system
algorithms are extremely used in proposed system to develop the purpose
specified. The major features of human immune system are inspected to detect
intrusion and how it reacts against intrusions [14,28].
It will be used in Gnutella hybrid P2P network to confront DDoS
attacks. In the proposed IDS system negative selection algorithm is used in
training phase and it function as follows:
Negative Selection Algorithm
Gnutella network packets are captured
by tcpdump monitoring tool [3] and gtkgnutella
file sharing software [2]. These packets are considered as
self dataset. After that some detectors (immature detectors) are produced by
random Gaussian function and by comparing these two datasets, any detector that
do not correspond
detector(mature detectors). In this stage, the number of
detectors is investigated. If this number increases, the accuracy of detection
goes up and computational overload increases too [9,12].
After receiving each Gnutella packet,
the source IP address, the local destination IP address and average time
interval between two consecutive sent packets will be added to the template.
Then the size of bandwidth occupied will be examined. If it does not reach the
default threshold, the template will be faded out of existence and a new
template will be made. Otherwise, the possibility of attack occurrence will be
announced to connect Ultra Peers. Leaf Peer after making sure of the existence
of each Ultra Peer sends the template of possible attack to each Ultra Peer. In
this stage, Leaf Peer announces the possibility of attack occurrence and
distinguishes between abnormal traffic and normal traffic. Leaf Peer will be
suspended for a definite time span to prevent the reception of any packet or
message. When this time span ends, Leaf Peer will return to its initial state.
Ultra Peer announces its existence to
Leaf Peer by receiving the possibility of attack occurrence and after receiving
the template of possible attack, will compare with nonself
dataset. If the template conforms to each detector, Ultra Peer broadcasts it to
other Ultra Peers as a detector. Then Ultra Peer creates conformed detectors
once again, increases their affinity and if detectors aren't conformed, Ultra Peer
will change its main structure. According to the number of conformities,
detector state changes from mature stage type and beneficial life time are
inspected. As each kind of detector has a definite life time, those detectors
whose life time is ended are deleted from detectors dataset.
Figure
4. Negative selection algorithm
Genetic algorithm is used to improve
detectors in the proposed system. Genetic algorithm also causes variety in nonself templates in active stage, in a way based on clonal selection algorithm, those cells that identify
detector grow and those cells that are not able to identify detector die.
As Leaf Peer and Ultra Peer operate
in a collaborative and parallel manner and on are separately inspected.
Figure 5 Leaf Peer Functions (Test
Phase)
Figure 6 Ultra Peer Function (Test
Phase)
Ddos attack analysis
Distributed DoS
(DDoS) attacks are a flooding attack of many
attacking hosts (agents) with distributed and coordinated control. Figure 2
above showed the structure of a DDoS attack; one or
more attackers control handlers and each handler controls multiple agents.
Handlers and agents are extra layers introduced to increase the rate of packet
traffic as well as to hide the attackers from view. Each agent can choose the
size and type of packets as well as the duration of flooding. While the victim
may be able to identify some agents and have them taken off-line, the attacker
can monitor the effects of the attack and create new agents accordingly [35].
To simulate the results a discrete event simulator will be used to simulate the
results of Gnutella peer to peer file sharing. Gnutellasim
is suitable for Gnutella network and is installed on PDNS and ns2.27. In order
to evaluate the suggested system, gtkgnutella-
0.96.8-2 file sharing client [2] and tcpdump-4.1.1 monitoring software [3] is
used to generate and record Gnutella traffic.
Simulation Preliminaries
One challenge in intrusion detection
is finding good data sets for experiments and testing. Our objective was to
control the data set, so we chose to collect data from an internal restricted
Gnutella peer to peer network. In this environment, we can Ta: Template of
attack understand all of the connections, and we can
limit DDoS attacks. We install firewall of ISA server
in the entrance of our network. Then external connections must pass through a
firewall. The Dataset used for performing the experiments and analysis is
related to Gnutella peer to peer network traffic. The proposed scenario
includes 23 peers that are divided into 5 Ultra Peers and 18 Leaf Peers.
Simulation Results Analysis
Gnutella Protocol v. 0.6 will be used
for performing the simulations. In IDS systems, self is defined as the set of
normal pair wise TCP/IP connections between Leaf Peer and Ultra Peer and nonself is the set of connections. When enormous numbers of
Gnutella packets are transmitted over the network they are not observed
normally on the network. The efficiency of proposed system is analyzed based on
the following criteria:
Negative Selection Time
Some immature detectors are produced
by random Gaussian function and this dataset compares with Gnutella normal
dataset. If any detectors do not match with normal traffic template, it will be
added to the mature detectors' list. Output of training file is a mature
detectors' dataset. Figure 7 shows the time of negative selection in proportion
to the number of detectors. By increasing the number of mature detectors,
negative selection time will be increase too but, detection precision is
optimized. Because of using genetic algorithm, the time of negative selection
is more beneficial than LISYS algorithm.
Figure 7 Production Time of Mature
Detector
Detection Precision
In order to increase the detection
precision, false positive should be reduced. This research will identify
parameters that appear most important for minimizing false positives, as well
as how to maximize the percentage of detecting intrusions. The percentage of
attack detection will be measured by proportion of discovered attack occurrences
to all attack occurrences. Rdt denotes the
corresponding false positives rate. Td is the number of attacks that be
discovered and Ta is the total number of attacks.
In fact false positive is the sending
of alarm message by intrusion detection system in the time that attack has not
happened. Tp is the total number false positive
alarms and Ta is the total number of attacks.
The proposed system is adopted to
describe the tradeoff between the detection rate and false positive rate. Therefore,
we evaluate the best attitude coherent to these factors for yielding optimum
resolves.
Number of Detectors
To study the effect of mature
detectors on the percentage of attack discovery and false positive, the
parameter of activation discovery is considered 6, crossover operator 0.4 and
mutation operator 0.005. These two factors are evaluated by the change in the
number of detectors in number of different conformity bits. With increase in
number of detectors, the percentage of attack discovery goes up on the one side
and the false positive increases on the other side. In a way that in all the
forms of conformity bits, 75 detectors show the most efficient response for
detecting attack. But due to computation over load, the number detectors are commonly
not very high. In LISYS algorithm, the number of detectors is 100. Figure 8
illustrates this.
Fig.8 Detection with Different Number
of Detector
Bit Matching Algorithm
Some detectors in this IDS system are
usually implemented as strings, whose function is to classify new strings as
normal or abnormal by matching them in some forms. The perfect matching is rare
in the immune system. So, we use a partial matching rule known as r-contiguous
bits matching. Under this rule, two strings match only if they are identical in
at least ‘r’ contiguous locations.
Our observations in figure 9 show
that immune system as inspiration for detecting intrusion is the best
approaches. To study the effect of mature detectors on the percentage of attack
discovery and false positive, the parameter of activation discovery is
considered 6, crossover operator 0.6 and mutation operator 0.005. These two
factors are evaluated by the change in the number of detectors in the number of
different conformity bits. The number of strings a detector matches increases
exponentially as the value of r decreases. For example, 8 conformity bits is
the best resolve for attack detection rate but is the worst result for false
positive rate. After checking these factors, we use 12 conformity bits and
LISYS algorithm to
elect the number.
Figure 9 (A)
Evaluation Detection
Fig. 9 (b) Evaluation False Positive
Activation Threshold Values
Activation threshold shows detector's
condition in mature, active and memory state. Activation thresholds are a
mechanism designed to reduce false positives. To test our expectations, we
studied the effect of changing the activation threshold on the proper amount of
activation threshold is evaluated with 75 detectors, crossover operator 0.6 and
mutation operator 0.005.
In fact the less this amount, the
sooner the detector goes to the activation stage, therefore generation
production will be more and the better discovery will occur.
Also this parameter decreases the
false positive. 6 and 8 activation threshold has the same attack discovery
percentage with small differences. For the number of conformity bits 16, 14 and
18, the activation threshold of 8 is better but LISYS algorithm suggests 10
activation thresholds. Figure 10 illustrates how the number of false positives
lessens as the activation threshold increases.
Figure 10 (A)
Evaluation Detection
Figure 10 (B) Evaluation
False Positive
As Gnutella peer to peer network has
two versions: Gnutella 0.4 and Gnutella 0.6. In Gnutella 0.6 network, peers with
high processing strength are used which are called Ultra Peers. So in this
system, both versions of Gnutella peer to peer network with one-point crossover
operator and two-point crossover operator are examined for intrusion detection
[18,20,27,31]. Simulation results indicate the
superiority of intrusion detection in Gnutella 0.6 hybrid peer to peer network
by two-point crossover operator in comparison to other forms. As the number of
detectors increases, more attacks will be discovered. Figure 6 denote
comparison of two
version Gnutella network by different crossover operator.
Figure 11 (A) Comparison of attack
detection percentage to the number of detectors for nutella
Figure 11 (B) Comparison of attack
detection percentage to the number of detectors for
Gnutella
0.6.
Delay
The time of attack occurrence in
proportion to the time that intrusion detection system reacts against attack.
In the proposed system, the average identification time of each attack is 15
seconds.
CONCLUSION
The proposed system used anomaly and
signature-based detection. Each time an attack is identified, a new generation
is added to the detectors dataset. As false positives decrease, attack
detection increases.
REFERENCES
1. Artificial immune system(AIS): http://www.artificial-immune-system.org
2. gtk-gnutella:
http://www.gtk-gnutella.com
3. Swiss Federal Institute of
Technology (ETH) Zurich, 2005
4. Architecture Group (SWAG)
Department of Computer Science University of Waterloo Ontario
N2L 3G1 Canada.
5. U. Aickelin,
P. Bentley, S. Cayzer, J. Kim and J. McLeod.
"Danger Theory: The Link between
Artificial Immune Systems and Intrusion Detection
Systems." Proceedings 2nd International
Conference on Artificial Immune Systems, 2003: 147-155.
6. U. Aickelin
and J.Greensmith. "The
deterministic dendritic cell algorithm."
In Proceeding of
the 7th International Conference on Artificial
Immune Systems (ICARIS). , 2008: 291 302.
7. U. Aickelin,
J. Greensmith and J. Twycross.
"Immune system approaches to intrusion
detection – a review." in Proceeding of
the Third International Conference on Artificial
Immune Systems. Number 3239
in Lecture Notes in Computer Science, 2004: 316 329.
8.
A. Okine, D. Dasgupta and Nii.
"Immunity-based systems: A survey." In proceedings of the
IEEE International Conference on Systems, Man, and Cybernetics, 1997:
369-374.
9.
P.J Bentley and J. Kim.
"Evaluating negative selection in an artificial immune system for
network intrusion detection." Proceedings of GECCO, 2001: 1330
1337.
10. P.J Bentley and J. Kim. "Towards an artificial immune system for network
intrusion
detection: An
investigation of dynamic clonal selection." In
the Congress on Evolutionary
Computation (CEC-2001), Seoul, Korea,
2001: 1244 1252.
11.
U. Aickelin# and D. Dasgupta, University of
Nottingham, Nottingham, 2004
12. L.J. Cannady and J.
Gonzalez. "A self-adaptive negative
selection approach for anomaly
detection."
In Proceedings of the 2004 Congress of Evolutionary Computation, 2004: 1561-
1568.
13. S. Cayzer and U. Aickelin. "Danger theory and its applications to AIS." In
Proceeding of the
Second Internation
Conference on Artificial Immune Systems (ICARIS-02), 2002: 141-148.
14.
R. Chang. "Defending Against Flooding-Based
Distributed Denial-of-Service Attacks." IEEE
Communications Magazine, 2001: 42-51.
15. E. Athanasopoulos,
K.G. Anagnostakis, and E. Markatos. "Misusing unstructured p2p systems
to perform dos
attacks: The network that never forgets." in Proceedings of the 4th
International, 2006.
16. F. S. de Paula, L. N. de Castro, and P. L. de
Geus.
"An intrusion detection system using ideas
from the
immune system." In Proceeding of IEEE Congress on Evolutionary Computation
(CEC-2004), 2004:
1059-1066.
17.
S. Forrest, A. Perelson, S. Allen, L.R. Cherukuri. "Self-Nonself
Discrimination in a Computer."
In Proceeding IEEE Symposium on
Research in Security and Privacy, IEEE Computer Society
Press, 1994: 202 212.
18.
M. Foster, I. Ripeanu. "Mapping the
Gnutella network." in Proc. 1st International Workshop
On Peer-to-Peer Systems, Cambridge, MA,
2002: 85-93.
19.
G.Oikonomou, P. Reiher,
M. Robinson, and J. Mirkovic. "A framework for
collaborative DDOS
defense." in Proceedings of the
2006 annual computer security applications conference,
2006: 33-42.
20. M. Garcia, Y.Beverly
and Hector. "Designi ng a super-peer network."
In Proceeding of 19th
International Conference on Data
Engineering, 2003: 49-61.
21. J. Greensmith, J. Twycross, and U. Aickelin. "Dendritic cells for
anomaly detection." In
Proceeding of the Congress on Evolutionary Computation
(CEC), 2006: 664 671.
22. J. Guan, D.X. Liu, and B.G. Cui. "An induction learning approach for building
intrusion
detection
models using genetic algorithms." in Proceedings of Fifth World Congress
on
Intelligent Control and Automation
WCICA, vol. 5, 2004: 4339-4342.
23.
J. B. Raven Alder, Adam Doxtater, James
Foster, Toby Kohlenberg, & Michael Rash,
"Snort 2.1 Intrusion
Detection," 2nd ed. Rockland, MA: Syngress
(Distributed by O'Reilly and
Associates), 2004.
24. L. Xiao, Y. Liu, and L.M. Ni. "Improving Unstructured Peer-to-Peer Systems by
Adaptive
Connection
Establishment." IEEE Transactions on Computers,
2005.
25. J. Mirkovic, G.
Prier and P. Reihe. "Alliance formation for DDoS
defense, 2003: 11-18.
26.
Q. Lv, S. Ratnasamy,
and S. Shenker. "Can heterogeneity make gnutella scalable?" in
Proceedings of the 1st International
Workshop on Peerto-Peer Systems (IPTPS), Cambridge,
MA, USA, 2002.
27. S. Stepney, R.
Smith, J. Timmis, and A. Tyrrell. "Towards a conceptual framework for
artificial
immune systems." In Proceeding of the 3rd International Conference on
Artificial
Immune Systems (ICARIS), LNCS 3239,
2004: 53-64. 28. teur),
125C, pp373-389, 1974
29.
S. Singh. "Anomaly detection using negative selection based on the
r-contiguous matching
rule." In
Proceedings of the 1st International Conference on Artificial Immune Systems
(ICARIS'-02), 2002:
99-106.
30. S. Spinellis and D.
Androutsellis. "A Survey of Peer-to-Peer Content Distribution
technologies."
In ACM Computing Surveys, vol. 36, 2004: 335-371.
31.
Stolfo, W. Lee and J. Salvatore. "A
framework for constructing features and models for
intrusion
detection systems." ACM Transactions on Information and System Security
(TISSEC), vol. 3, 2000: 227-261.
32.
U. Mueen, K. Khowaja,
A.R. Azizah. "Dynamic Multi Layer signature
based IDS using Mobile
Agents", International Journal of
Network Security and its Applications Vol 2. No.4.
2010,
129-141.
33.
Z. Ge, D. Figueiredo,
S. Jaiswal, J. Kurose, and D. Towsley.
"Modeling peer-peer file sharing
systems.",
2003: 2188-2198.
34. F. Forrest and S. Esponda. "Detector coverage under the
r-contiguous bits matching rule."
2002
35.
Dietrich, S., Long, N., and Dittrich, D.
Analyzing distributed denial of service tools: the shaft
case. In
Proceedings of USENIX (Dec 2000).
36. E. Meshkova, J. Riihijärvi, M. Petrova and P. Mähönen.
"A survey on resource discovery
mechanisms,
peer-to-peer and service discovery frameworks." computer
networks,Department
of Wireless Networks, RWTH Aachen University, Kackertstrasse
9, D-
52072 Aachen, Germany, 2008: 2097
2128.
37.
Department of Health and Human Services National Institutes of Health,
2003.
40.
Gomes. "Gnutella keeps growing and growing" Online. WSJ
Interactive Edition,
http://www.zdnet.com/zdnn/stories/news/0,4586,2766234,00.html. May 2001
41.
Thomas D¨ubendorfer, Arno Wagner: Past and
Future Internet Disasters: DDoS attacks.
42.
Moore, D., Voelker, G. M., and Savage, S.
Inferring internet denial of service activity. In
Proceedings of Usenix
Security Symposium (August 2001).