
A Project Report

on
Network Security Situation Awareness based on Network Simulation
Submitted in partial fulfillment of the requirements
for the award of the degree of
Bachelor of Technology
in
Computer Science and Engineering
by
Himanshu Rai
1209710908
Utkarsh Sagar
1109710119
Vikas Gupta
1109710121
(Semester-VII)
Under the Supervision of
Mr. Manish Kumar Sharma

Galgotias College of Engineering & Technology


Greater Noida 201306
Affiliated to

Uttar Pradesh Technical University


Lucknow

GALGOTIAS COLLEGE OF ENGINEERING & TECHNOLOGY


GREATER NOIDA - 201306, UTTAR PRADESH, INDIA.

CERTIFICATE

This is to certify that the project report entitled Network Security Situation Awareness
Based on Network Simulation submitted by Himanshu Rai, Utkarsh Sagar and Vikas
Gupta to the UPTU, Uttar Pradesh in partial fulfillment for the award of the Degree of
Bachelor of Technology in Computer Science & Engineering is a bona fide record of the
project work carried out by them under my supervision during the year 2014-2015.

Dr. Bhawna Mallick, Professor and Head, Dept. of CSE

Mrs. Sarita Bharti, Assistant Professor, Dept. of CSE

CONTENTS
Title  Page

ACKNOWLEDGEMENTS
ABSTRACT  ii
LIST OF TABLES  iii
LIST OF FIGURES  iv
ABBREVIATIONS
NOMENCLATURE  vi

CHAPTER 1 INTRODUCTION
1.1 Introductory Chapter
1.2 Background
1.3 Steps in Network Security
1.3.1 Situation Awareness
1.3.2 Situation Evaluation
1.3.3 Situation Forecast

CHAPTER 2 LITERATURE SURVEY
2.1 Introduction
2.2 Basics of simulation  11
2.3 Dimensions of simulation performance  12
2.3.1 Execution speed  12
2.3.2 Scalability  12
2.3.3 Fidelity  13
2.3.4 Cost  13
2.4 Types of simulation  14
2.4.1 Time driven Simulation  14
2.4.2 Event driven simulation  15
2.5 Network Simulation tools  16
2.5.1 NS2 (Network Simulator version 2)  17
2.5.2 OPNET (Optimized Network Engineering Tools)  18
2.5.3 NETSIM  19
2.5.4 OMNET++  19
2.5.5 QualNet  20
2.6 Framework for network security situation awareness  22
2.7 Old Experimental Setup and Results  23

CHAPTER 3 PROPOSED WORK  26
3.1 Important element construction  27
3.1.1 Firewall and IDS  27
3.1.2 Node Performance  30
3.2 Abstract Packet Forwarding  31
3.2.1 Computing Queue  32
3.2.2 Continuous Multi-hop Processing  34
3.3 Network Security Situation Awareness  35
3.3.1 Event Extraction  35
3.3.2 Performance Correction Method  36
3.3.3 Network Security Situation Value  37
3.4 Overall Description  39
3.4.1 Product Perspective  39
3.4.2 Product Functions  39
3.4.3 Requirements  39
3.4.4 Design and implementation constraint  39
3.4.5 User Characteristics  40
3.4.6 Assumptions and Dependencies  40
3.5 External Interface Requirements  40
3.5.1 User Interfaces  40
3.5.2 Hardware Interfaces  40
3.5.3 Software Interface  40
3.5.4 Performance Requirements  40
3.6 Other Non-Functional Requirements  41
3.6.1 Safety Requirements  41
3.6.2 Security  41
3.6.3 Maintenance  41
3.7 Milestone Chart  41
3.7.1 Problem Statement  41
3.7.2 Outline  41
3.7.3 Survey  41
3.7.4 Design  42
3.7.5 Coding  42
3.7.6 Testing  42
3.8 Data Flow Diagram  43
3.8.1 0-level DFD  43
3.8.2 1-level DFD  44
3.8.3 Flow Diagram of Project  45

CHAPTER 4 CONCLUSION AND FUTURE SCOPE  46
REFERENCE  47

ACKNOWLEDGEMENT

We would like to express our deepest appreciation to all those who provided us the
possibility to complete this report. A special gratitude we give to our project guide, Mrs.
Sarita Bharti, and our project coordinator, whose contribution in stimulating suggestions and
encouragement helped us to coordinate our project.
We would like to express our deep sense of gratitude to Prof. Bhawna Mallick (H.O.D),
Computer Science & Engineering Department, and all our faculty members for their support
whenever required. We have to appreciate the guidance given by other supervisors as well as
the panels, especially in our project presentation, which has improved our presentation skills,
thanks to their comments and advice. A special thanks to all our teammates and last but not
least our parents for their encouragement and every possible support.

ABSTRACT
KEYWORDS: network security situation, network simulation, abstract packet-forwarding, situation awareness.
Network Security Situation Awareness is a comprehensive technology which can obtain
and process security information, and it plays an important role in the field of
network security. Since the traditional network security situation awareness methods
mainly forecast the situation value based on mathematical models, which ignores
the dynamic changes of the network security situation elements, this paper
presents a method of network security situation awareness based on network simulation.
This method first constructs models of the various simulation elements; second, it constructs
a network security situation awareness simulation scenario from these constructed
models; third, it uses the abstract packet-forwarding method to quickly infer network
security behaviours in the simulation scenario while recording important log
information; finally, it evaluates the value of the network security situation from the
log information and forecasts the network security situation. Experiments show that
this method can reduce the network security simulation time effectively and evaluate the
network security situation value accurately.


List of Tables
Table  Title  Page
2.1  Languages Used By Simulator  21
2.2  Simulation Experiment Data and Calculation Result  25


LIST OF FIGURES
Figure  Title  Page
1.1  Traditional method of situation awareness
1.2  Steps in situation awareness
2.1  The information gap  11
2.2  Simple simulator block diagram  12
2.3  Typical discontinuities in Time versus State trajectories of continuous  16
2.4  Architecture of NS2  17
2.5  Architecture of OPNET  18
2.6  Architecture of NETSIM  19
2.7  Architecture of OMNET++  20
2.8  Architecture of QualNet  21
2.9  Framework of Network Security Situation Awareness  22
2.10  Experimental Setup  23
3.1  Experimental Setup  22
3.1  Firewall and IDS  28
3.2  Structure of Node Performance  31
3.3  Traditional Packet Transmit Simulation Process  32
3.4  Computing Queue  32
3.5  Network Security Situation Assessment Based on log files  35
3.6  Milestone Chart  42
3.7  0-level DFD  43
3.8  1-level DFD  44
3.9  Flow Diagram  45


ABBREVIATIONS
IDS  Intrusion Detection System
AIMS  Active Intrusion Monitoring System
NSSA  Network Security Situation Awareness
NSS  Network Simulation Software
TTL  Time to Live
API  Application Program Interface
VoT  Value of Threat
SYN  Synchronization
UDP  User Datagram Protocol
SQL  Structured Query Language
SA  Security Awareness
FTP  File Transfer Protocol

NOMENCLATURE
English Symbols
l  Length
Time taken by packet getting to Queue
C(t)  Number of packets in queue at time t
L(t)  Length of Packets in queue at time t
t+  Moment after packet reached the queue
Link  Bandwidth of link L
dq  Queuing Delay
dt  Send Delay
Propagation Delay
idh  Host ID
timep  Time from beginning to present
Number of packets processed
Amount of memory used
Number of connections
Sum of lengths of packets which are processed
Number of packets dropped
Correction Parameter
Weight of Service
Node's weight
Performance Variation


CHAPTER 1
INTRODUCTION
1.1 INTRODUCTORY CHAPTER

Traditional network security devices such as Intrusion Detection Systems (IDS),
firewalls, and security scanners operate independently of one another, with virtually no
knowledge of the network assets they are defending. This lack of information results in
numerous ambiguities when interpreting alerts and deciding on adequate
responses. Network systems suffer from various security threats, including network
worms and large-scale network attacks, and network security situation awareness is an
effective way to address these problems. The general process is to perceive the network
security events that occurred in a given time period and cyberspace environment,
synthetically process the security data, analyze the attack behaviours the systems suffered,
provide a global view of network security, assess the overall security situation and
predict the future security trends of the network.
With the development of computer and communication technology, the growing number
of web users and the wider range of web services required have made computer networks
larger in scale and applications more complex. At the same time, network security incidents occur
much more frequently, and computer network information security faces a severe
situation. Traditional single-point defence and detection equipment is no longer able to
meet the demands of network security.
In 1988, Endsley defined situation awareness as "the perception of the elements in the
environment within a volume of time and space, the comprehension of their meaning, and
the projection of their status in the near future". Network Security Situation Awareness
can integrate all the factors affecting security, reflect the overall network security situation
dynamically, predict the development of the security situation early, minimise security
risk and loss, and provide a reliable basis for enhancing network
security. Therefore, network security situation awareness has become a hot topic in the
field of network security.
Threats against computer networks have never been greater, nor have they had a greater
impact on the use of computer and network resources. The sophistication of network
attacks has also been steadily increasing. First-generation attacks propagated uniquely
named executables that could easily be stopped once discovered. Newer attacks use
random names and execution patterns to throw off signature-based Intrusion Detection
Systems (IDS). Similarly, Denial of Service (DoS) attacks have increased in
sophistication from single-computer attacks to distributed mobile attacks.
With the size and complexity of networks continuously increasing, network security
analysts face mounting challenges in securing their network infrastructure and
monitoring it for attacks. This task is generally aided by various network security
products, such as NetFlow, firewalls and host security systems. As the number of security
incidents continues to increase, this task will become ever more insurmountable, and
perhaps the main reason that the task of network security monitoring is so difficult is the
lack of tools that provide a sense of network security situational awareness, defined by
the Department of Homeland Security as the ability to effectively determine an overall
computer network status based on relationships between security events in multiple
dimensions.
The fields of statistics, pattern recognition, machine learning, and data mining have all been
applied to network security situational awareness, and new systems,
protocols and algorithms have been developed and adopted to prevent and detect network
intruders automatically. Even with these advancements, the central feature of Stoll's story
has not changed: humans are still crucial in the computer security process. Administrators
must be willing to patiently observe and collect data on potential intruders, and they need to
think quickly and creatively.
Unlike the traditional method of analysing textual network security log data, the information
visualization approach has been proven to increase the efficiency and
effectiveness of network intrusion detection significantly by reducing the human
cognitive effort involved. Information visualization not only helps analysts deal with the
large volume of analytical data by taking advantage of computer graphics, but also
helps network administrators detect anomalies through visual pattern recognition. It can
even be used for discovering new types of attacks and forecasting the trend of unexpected
events. Current research in cyber security visualization has been growing and many
visual design methods have been explored; some of the developed systems are ID
Graphs, IP Matrix, Visual Firewall and many others. Even with the aid of information
visualization, network security situational awareness remains difficult to describe,
because security events are hard to quantify, the terminology and
concepts become too obscure to understand, and the large number and scope of the available
multi-source security data are a great challenge to security analysts.
In our project, a novel visualization system, NetSecRadar, is proposed which can monitor
the network in real time, perceive the overall security situation and find the
correlation of dangerous events in the logs generated by multi-source network security
products, using a radial graph that is aesthetically pleasing and has a compact layout for
user interaction. The system uses multi-source data to analyse irregular behavioural
patterns, identifies and monitors the situation, and combines interaction,
filtering and drill-down to uncover latent information.
1.2 BACKGROUND

Network security situation awareness is a comprehensive technology which can obtain
and process security information, and it plays an important role in the field of
network security. The traditional network security situation awareness methods mainly
forecast the situation value based on mathematical models, which ignores the
dynamic changes of the network security situation elements. The process of
traditional situation awareness can be visually represented by the three-level model in Fig.
1.1. The contents of network security situation awareness can be summarised in three aspects:
1. network security situation element extraction; 2. network security situation
assessment; and 3. network security situation awareness. In network security situation
element extraction, Jajodia collected network vulnerability information to assess the
network vulnerability situation, and Ning collected network alert information to assess the
network threat situation [19]. Information collected from one single aspect cannot
capture the network security situation accurately, so obtaining comprehensive
information, and the relevance of that information, is particularly important. In our project, we
obtain comprehensive information and its relevance from node performance
and log files to evaluate the network security situation. In network security situation
assessment, Xiu-zhen Chen proposed a quantitative hierarchical network security threat
evaluation method which has become the mainstream of network security situation
assessment [25]; Yong Wei and Yifeng Lian proposed a network security situation
assessment model based on log audit and a performance correction algorithm, built on
the hierarchical network security situation assessment method [26].
In network security situation awareness, the traditional algorithms are based on
statistical Bayesian techniques and the Grey Relational Model. They only
give network managers the past and current state of the network security situation, but cannot
forecast it. The abstract packet-forwarding method can process
network behaviours in network simulation quickly; it not only reduces the
simulation time but also ensures the accuracy of the result.

Fig. 1.1 Traditional method of situation awareness [21]

To deal with the increased information security threats, many kinds of security
equipment have been deployed in large-scale networks. This equipment produces a large number of
security events, and it is very difficult to obtain the security state of the whole network
precisely when faced with so much warning information. To address this problem, much
research has introduced the concept of situation awareness into internet security
systems. Bass was the first to introduce this concept into networking, proposing
a network security perception framework based on multi-sensor data fusion; it helps network
administrators identify, track and measure network attack activities. With reference
to Endsley's situation awareness framework, Jibao and others developed a network
security situation awareness model. On the other hand, following Bass's concept, Liu
and others put forward a model of network security perception based on information
fusion. In order to know the overall network security trend, we have to collect, fuse and
analyse a great deal of information, and decrease the false positive rate and false negative
rate. Yu and others reported a warning message fusion method based on weighted D-S
evidence theory, which fuses information from all sensors with different reliability and weight to
increase the reliability of warning messages and decrease the false alarm rate effectively.
The important question, however, is how to set the reliability and weight of each sensor accurately.
Wang and others suggested using a neural network for heterogeneous multi-sensor
data fusion and considering the time and severity of the attack when analysing the security
situation. Stefanos et al. find latent correlations with the help of automatic knowledge
discovery and perform correlation analysis among warning information. The advantage is
the mechanism of automatic knowledge discovery; the disadvantage is that it does not always
give satisfactory results without human interaction, and sometimes it finds a great deal of
useless messages.
Using network simulation software we can effectively build a variety of network
environments and obtain various kinds of network information.
There are large amounts of data whose meaning can only be determined in the context of
the specifics of the monitored network. There are a large number of known intrusion
patterns, but there is also a larger number of unknown or yet-to-be-discovered intrusion
patterns that must be made detectable. Finally, the intrusions themselves vary in
criticality with respect to the context in which they appear. The visualization
systems discussed in this paper each attempt to use visual presentation as a means of
mitigating these issues. While the visual display and user interaction techniques differ
for each class of visualization system discussed, it is useful to understand how
the methodological approach of the class determines the context in which the system will
be effective. While no one approach has been shown to be superior to all others, lessons
can be learned from each methodological approach, allowing promising new areas of
investigation to be identified.

The Direct Approach: One methodology is to show what is happening as it is happening,
in a direct one-to-one relationship between the physical networking components and
computers and the visualized elements. This approach yields systems that are intuitive to
use and understand and that operate in real time or near real time. They generally take low-level
data directly from packet or IDS logs and display it without abstracting either the
visualized elements or the input data.
1.3 STEPS IN NETWORK SECURITY
The process of traditional situation awareness can be visually represented by a three-level
model: situation awareness, situation evaluation and situation forecast.
1.3.1 Situation Awareness
Situation awareness is the perception of environmental elements with respect to time
and/or space, the comprehension of their meaning, and the projection of their status after
some variable has changed, such as time or a predetermined event. Situation awareness (SA)
involves being aware of what is happening in the vicinity in order to understand how
information, events, and one's own actions will affect goals and objectives, both
immediately and in the near future. Someone with an adept sense of situation awareness
generally has a high degree of knowledge of the inputs and outputs of a system, i.e. an
innate "feel" for situations, people, and events that play out due to variables the subject
can control.
In network security situation awareness we have to collect network vulnerability
information to assess the network vulnerability situation. Information collected from
one single aspect cannot capture the network security situation accurately, so obtaining
comprehensive information, and the relevance of that information, is particularly important.
1.3.2 Situation Evaluation
With the rapid development of global information and people's increasing dependence on
networks, network security problems are becoming more and more serious.
Xiu-zhen Chen proposed a quantitative hierarchical network security threat evaluation
method which has become the mainstream of network security situation assessment.
Yong Wei and Yifeng Lian proposed a network security situation assessment model
based on log audit and a performance correction algorithm, built on the hierarchical
network security situation assessment method.
In situation evaluation we use suitable algorithms to fetch the situation of the network and
obtain its forecast. Different parameter values are formed to check the situation, and the
data fetching is done at this stage.
1.3.3 Situation Forecast
In network security situation awareness, the traditional algorithms are based on
statistical Bayesian techniques and the Grey Relational Model. They only
give network managers the past and current state of the network security situation, but cannot
forecast it. The abstract packet-forwarding method can process
network behaviours in network simulation quickly; it not only reduces the
simulation time but also ensures the accuracy of the result. A different approach is the
dynamic network security situation forecasting method UGM_HM (Unbiased Grey Markov
Forecasting Method), which is based on Unbiased Grey system theory and Markov
forecasting theory and combines the advantages of both. UGM_HM takes the complex
network environment as a Grey system and the dynamic risk value of the network as a Grey
value. The long-term network security situation is reflected by the Unbiased GM(1, 1) model
and the state transition probabilities are identified by Markov chain theory. The dynamic
risk value of the network mentioned above, which is based on artificial immunity, can
reflect the real-time state of the network. Fig. 1.2 summarises these steps.

Fig. 1.2 Steps in situation awareness
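As an added example (not code from the report), a Python implementation of the forecasting step just described: an unbiased GM(1,1) fitted to a sequence of situation values, with a Markov correction estimated from the residual states. The situation values, the residual bands, and the choice to correct by the midpoint of the most probable next band are assumptions made here.

```python
import math


def ugm11_fit(series):
    """Fit an unbiased GM(1,1) to situation values x(1..n).

    The standard GM(1,1) least squares gives (a, b); the unbiased model then
    uses alpha = ln((2-a)/(2+a)) and beta = 2b/(2+a), so the fitted original
    sequence is x_hat(k) = beta * exp(alpha*(k-1)) for k >= 2, x_hat(1) = x(1).
    """
    n = len(series)
    if n < 4:
        raise ValueError("grey models need at least 4 observations")
    # 1-AGO: accumulated generating operation
    x1, acc = [], 0.0
    for v in series:
        acc += v
        x1.append(acc)
    # background values z(k) = 0.5*(x1(k) + x1(k-1)) for k = 2..n, paired with x(k)
    z = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, n)]
    y = series[1:]
    m = n - 1
    sz = sum(z)
    szz = sum(v * v for v in z)
    sy = sum(y)
    szy = sum(zi * yi for zi, yi in zip(z, y))
    # least squares for the grey differential equation x(k) + a*z(k) = b,
    # normal equations solved by hand (2x2 system)
    det = m * szz - sz * sz
    a = (sz * sy - m * szy) / det
    b = (szz * sy - sz * szy) / det
    alpha = math.log((2.0 - a) / (2.0 + a))
    beta = 2.0 * b / (2.0 + a)
    return alpha, beta


def ugm11_predict(series, steps=1):
    """Return (fitted values for k=1..n, forecasts for k=n+1..n+steps)."""
    alpha, beta = ugm11_fit(series)
    n = len(series)
    fitted = [series[0]] + [beta * math.exp(alpha * (k - 1)) for k in range(2, n + 1)]
    forecast = [beta * math.exp(alpha * (k - 1)) for k in range(n + 1, n + steps + 1)]
    return fitted, forecast


def residual_states(actual, fitted, bands):
    """Map each relative residual (x - x_hat)/x_hat to the index of its band."""
    states = []
    for x, xh in zip(actual, fitted):
        eps = (x - xh) / xh
        idx = len(bands) - 1            # default: above the top band
        if eps < bands[0][0]:
            idx = 0                     # below the bottom band
        else:
            for i, (lo, hi) in enumerate(bands):
                if lo <= eps < hi:
                    idx = i
                    break
        states.append(idx)
    return states


def transition_matrix(states, n_states):
    """One-step Markov transition probabilities estimated from a state sequence."""
    counts = [[0] * n_states for _ in range(n_states)]
    for s, t in zip(states, states[1:]):
        counts[s][t] += 1
    probs = []
    for row in counts:
        total = sum(row)
        probs.append([c / total for c in row] if total else [0.0] * n_states)
    return probs


def ugm_markov_forecast(series, bands):
    """UGM(1,1) one-step forecast corrected by the most probable next residual state.

    Assumption made here: the correction is the midpoint of that band, and a
    state with no observed transitions is assumed to persist.
    """
    fitted, forecast = ugm11_predict(series, 1)
    states = residual_states(series, fitted, bands)
    P = transition_matrix(states, len(bands))
    last = states[-1]
    row = P[last]
    nxt = row.index(max(row)) if any(row) else last
    lo, hi = bands[nxt]
    return forecast[0] * (1.0 + (lo + hi) / 2.0)


if __name__ == "__main__":
    # constructed situation values (not measured data): geometric growth, ratio 1.2
    values = [10.0, 12.0, 14.4, 17.28, 20.736]
    bands = [(-0.5, -0.1), (-0.1, 0.1), (0.1, 0.5)]
    print(ugm11_predict(values, 2))
    print(ugm_markov_forecast(values, bands))
```

Because the constructed series is exactly geometric, the unbiased model reproduces it without bias; on real situation values the residual states carry the correction.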

CHAPTER 2
LITERATURE SURVEY
With the rapid development of computer network technology, the growing openness,
sharing and interconnection of computer networks have brought more and more
convenience. At the same time, the rapid expansion of network size increases complexity and
uncertainty, and networks face serious challenges from attacks and the threat of
unexpected events; availability and security issues have become
increasingly prominent. Traditional network security technology operates as separate
functional units and lacks effective information extraction and information fusion
mechanisms, so it is unable to establish links between network resources, provides poor
global information about performance, and cannot effectively manage the mass of network security
information. Network security situation awareness techniques, proposed in this
context, have become a hot spot and development direction of the new generation of network
security technology.
2.1 INTRODUCTION
We are living in what has been termed the "information age". In many domains, this has
meant a huge increase in systems, displays and technologies. From voice control to
sophisticated line-of-sight head-mounted displays, almost anything is possible in today's
world, but too much is proving to be as big a challenge as too little once was. The
problem is no longer lack of information, but finding what is needed when it is needed.
Network security has become more important to personal computer users, organizations,
and the military. With the advent of the internet, security became a major concern, and the
history of security allows a better understanding of the emergence of security technology.
The internet structure itself allowed many security threats to occur. The architecture
of the internet, when modified, can reduce the possible attacks that can be sent across the
network. Knowing the attack methods allows the appropriate security to emerge.
Many businesses secure themselves from the internet by means of firewalls and
encryption mechanisms. The businesses create an intranet to remain connected to the
internet but secured from possible threats. The entire field of network security is vast and
in an evolutionary stage. The range of study encompasses a brief history dating back to
the internet's beginnings and current developments in network security. In order to
understand the research being performed today, background knowledge of the internet, its
vulnerabilities, attack methods through the internet, and security technology is important,
and therefore they are reviewed.
The design and development of security solutions such as Intrusion Detection Systems
(IDS) is a challenging and complex task. In this process, the evolving system needs to be
evaluated continuously. There are several ways to study a system or technology. The
most accurate is the analysis of the deployed production system. However, in the case of
IDS evaluation, real experiments incorporating attack scenarios cannot be done in an
operational environment because the induced risk of failures such as service loss is too
high. For this very reason, evaluation is often carried out in small testbeds. Virtual
machines are a solution for modeling mid-scale networks, but the representation of very
large networks with thousands or millions of devices and links is out of scope. There
exist scientific initiatives such as PlanetLab providing computational resources to a
larger extent. This is an important opportunity for researchers to evaluate network or
security functionality, but although they provide detailed results, experiments are time
consuming and remain complex to set up and maintain. Another approach is to represent
the system with the aid of mathematical models and find analytical answers, i.e. logical
and quantitative relationships between the entities. Typically, such models also become
very complex, in particular for a concurrent system such as an IDS. Therefore, simulations
are useful for the evaluation of distributed systems and protocols. Depending on the
evaluation metrics, simulations allow abstraction from irrelevant properties. In
addition, hazard scenarios, called what-if scenarios, can be constructed which may not
be possible in real-world test environments.
NeSSi2, the Network Security Simulator, is a simulation environment based on the service-centric
agent platform JIAC. It focuses on network security-related scenarios such as
attack analysis and evaluation of countermeasures. We introduce the main NeSSi2
concepts and discuss the motivation for realising them with agent technology. Then we
present the individual components and examples where NeSSi2 has been successfully
applied.

Fig. 2.1 The information gap [16]

2.2 BASICS OF SIMULATION
Most commercial simulators are GUI driven, while some network simulators are
CLI driven. The network model / configuration describes the state of the network (nodes,
routers, switches, and links) and the events (data transmissions, packet errors etc.). An
important output of a simulation is its trace files. Trace files log every packet and every event
that occurred in the simulation and are used for analysis. Network simulators can also
provide other tools to facilitate visual analysis of trends and potential trouble spots.


The block diagram of a simple simulator is shown in Fig. 2.2. The
controller and controller element work simultaneously, and then the process is carried out to
produce the output.

Fig 2.2 Simple simulator block diagram

2.3 DIMENSIONS OF SIMULATION PERFORMANCE
2.3.1 Execution Speed
Simulation uses a large amount of data to produce its result, so the main aim of the
programmer is to reduce the volume of data that has to travel in order to get results as soon as
possible. All simulation software has a problem with execution speed: the more data there is to
process, the lower the execution speed becomes. One thing we can do to reduce this problem is
to remove the buffer queue, which also removes the in and out buffer queues. The
execution speed should be as fast as possible so that the threat is determined soon and the network
administrator is told about the network situation as quickly as possible, which helps to forecast
the network situation. That is the reason execution speed is the most important dimension for
any network simulator software.
2.3.2 Scalability
Scalability is the ability of a system, network, or process to handle a growing amount of
work in a capable manner, or its ability to be enlarged to accommodate that growth. A
network simulator duplicates the behaviour of a real network, but cannot interact with real
networks. A simulator uses a lower-quality reproduction or abstraction of the real system
and focuses on simply replicating the real network's behaviour. Network simulation is a
cost-effective method for developing the early stages of network-centric systems. Users
can evaluate the basic behaviour of a network and test combinations of network features
that are likely to work. That is why it is important for any network simulator to be
scalable, so that future improvements are easy to accommodate. A scalable network is
always useful for an organisation. The main requirements for network scalability are:
1. per-packet processing must be fast;
2. control and packet handling must be separated.
2.3.3 Fidelity
Fidelity is the degree of exactness with which something is copied or reproduced. That
means the network simulator should produce the correct graph for the situation. Correctness and
exactness are important in any network simulation software; the software must not
deviate from its original graph. In a real-time system exactness is a must; without it, it is
difficult to cope with the situation.
2.3.4 Cost
For any software, cost is a very important dimension on which to judge it. In production, research,
retail, and accounting, a cost is the value of money that has been used up to produce
something, and hence is not available for use anymore. In business, the cost may be one of acquisition, in
which case the amount of money expended to acquire it is counted as cost. In this case,
money is the input that is given up in order to acquire the thing. This acquisition cost may be
the sum of the cost of production as incurred by the original producer and further costs
of transaction incurred by the acquirer over and above the price paid to the producer.
Usually, the price also includes a mark-up for profit over the cost of production. New
technologies such as firewalls and IDS are used in network simulation software, and
fetching data from them increases the overall cost of the software. So cost is an important
feature by which we can judge the performance of network simulation software.
2.4 TYPES OF SIMULATION
We have seen that in continuous systems the state variables change continuously with
respect to time, whereas in discrete systems the state variables change instantaneously at
separate points in time. Unfortunately for computational experimentation, there are but
a few systems that are either completely discrete or completely continuous in state, although
often one type dominates the other in such hybrid systems. The challenge here is to find a
computational model that mimics closely the behaviour of the system; specifically, the
simulation time-advance approach is critical. If we take a closer look into the dynamic
nature of simulation models, keeping track of the simulation time as the simulation
proceeds, we can distinguish between two time-advance approaches: time-driven and
event-driven.
2.4.1 Time-Driven Simulation
In a time-driven simulation we have a variable recording the current time, which is
incremented in fixed steps. After each increment we check to see which events may
happen at the current time point, and handle those that do. For example, suppose we want
to simulate the trajectory of a projectile. At time zero we assign it an initial position and
velocity. At each time step we calculate a new position and velocity using the forces
acting on the projectile. Time-driven simulation is suitable here because there is an event
(movement) that happens at each time step. How do we know when to stop the simulation?
We can use either the criterion of time reaching a certain point, or the model reaching a
certain state, or some combination of the two.
For continuous systems, time-driven simulations advance time with a fixed increment.
With this approach the simulation clock is advanced in increments of exactly Δt time
units. Then, after each update of the clock, the state variables are updated for the time
interval [t, t+Δt]. This is the most widely known approach in the simulation of natural
systems. Less widely used is the time-driven paradigm applied to discrete systems. In this
case we specifically have to consider whether the time step Δt is small enough to
capture every event in the discrete system.
Here is a general algorithm for time-driven simulation:
1. Initialize the system state and simulation time
2. While (simulation is not finished):
   1. Collect statistics about the current state
   2. Handle events that occurred between the last step and now
   3. Increment simulation time
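The following Python program is an added illustration (it is not part of the report's own work) of the time-driven loop above, applied to the projectile case described earlier. The initial velocity, time step and time limit are constructed values, and the state update uses an explicit Euler step, which is an assumption since the text does not prescribe an integration method.

```python
"""Time-driven simulation of a projectile (added example, not from the report).

Constructed inputs: initial velocity (10, 10) m/s, time step 0.01 s, time
limit 10 s. The state update is an explicit Euler step (an assumption; the
text does not prescribe an integration method).
"""
from dataclasses import dataclass, field

G = 9.81  # gravitational acceleration in m/s^2 (assumed constant)


@dataclass
class Projectile:
    x: float
    y: float
    vx: float
    vy: float


@dataclass
class Stats:
    steps: int = 0
    max_height: float = 0.0
    trajectory: list = field(default_factory=list)  # (t, x, y) samples


def advance(p: Projectile, dt: float) -> None:
    """Handle the one event of this model, movement, for one step of dt."""
    p.x += p.vx * dt
    p.y += p.vy * dt
    p.vy -= G * dt


def simulate(p: Projectile, dt: float, t_max: float):
    """The general time-driven loop from the text.

    1. initialise the state (given) and the clock
    2. while the simulation is not finished:
       collect statistics, handle events since the last step, advance time
    The stop test combines both criteria mentioned in the text: the clock
    reaching t_max, or the model reaching the 'hit the ground' state (y < 0).
    Returns (final clock value, Stats).
    """
    t = 0.0
    stats = Stats()
    while t < t_max and p.y >= 0.0:
        stats.steps += 1
        stats.max_height = max(stats.max_height, p.y)
        stats.trajectory.append((round(t, 6), round(p.x, 6), round(p.y, 6)))
        advance(p, dt)
        t += dt
    return t, stats


if __name__ == "__main__":
    t_end, s = simulate(Projectile(0.0, 0.0, 10.0, 10.0), dt=0.01, t_max=10.0)
    print(f"stopped at t={t_end:.2f} s after {s.steps} steps; "
          f"max height {s.max_height:.2f} m, range {s.trajectory[-1][1]:.2f} m")
```

With a 0.01 s step the projectile is found to hit the ground just after 2.04 s (the analytic value is 2·10/9.81 s); shrinking Δt moves the simulated landing time closer to it, which is the fidelity trade-off the fixed-increment approach carries.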
The difficulty of an efficient time-driven simulation of such a system lies in the integration
method applied. Specifically, multi-step integration methods for solving the underlying
differential equations might prove not to work in this case. The reason is that these
methods use extrapolation to estimate the next time step; this means that they will
try to adapt to the sudden change in the state of the system, thus reducing the time step to
infinitely small sizes.
2.4.2 Event Driven Simulation
In event-driven simulation the next-event time advance approach is used. For the case of
discrete systems this method consists of the following phases:
Step 1: The simulation clock is initialised to zero and then the times of occurrence of all
future events are determined.
Step 2: The simulation clock is advanced to the time of the occurrence of the most
imminent (i.e. first) of the future events.
Step 3: The state of the system is updated to account for the fact that an event has
occurred.
Step 4: Knowledge of the times of occurrence of future events is updated and the first
step is repeated.
The advantage of this approach is that periods of inactivity can be skipped over by
jumping the clock from event time to the next event time. This is perfectly safe since by
definition all state changes only occur at event times. Therefore causality is guaranteed.
The event-driven approach to discrete systems is usually exploited in queuing and
optimization problems. However, as we will see next, it is often also a very interesting
paradigm for the simulation of continuous systems.
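As an added example, not taken from the report, the following Python program implements the four-step next-event time advance for a single-server queue (packets arriving at a link and being sent one at a time). The arrival times and service time are constructed; the program records every value the clock takes, so the jump over idle periods described above is visible in the trace.

```python
"""Event-driven (next-event time advance) simulation of a single-server queue.

Added example, not from the report. Packets arrive at a link at constructed
times and are sent one at a time, each taking `service_time` seconds.
"""
import heapq
from collections import deque
from dataclasses import dataclass, field


@dataclass(order=True)
class Event:
    time: float                       # when the event occurs (heap key)
    seq: int                          # tie-breaker keeps FIFO order at equal times
    kind: str = field(compare=False)  # "arrival" or "departure"
    pkt: int = field(compare=False)   # packet id


class EventDrivenSim:
    def __init__(self, service_time: float):
        self.clock = 0.0              # Step 1: clock initialised to zero
        self.future_events = []       # min-heap of future events
        self.seq = 0
        self.service_time = service_time
        self.busy = False
        self.waiting = deque()
        self.departures = {}          # pkt id -> departure time
        self.clock_trace = []         # every value the clock takes

    def schedule(self, time: float, kind: str, pkt: int) -> None:
        heapq.heappush(self.future_events, Event(time, self.seq, kind, pkt))
        self.seq += 1

    def handle(self, ev: Event) -> None:
        """Step 3: update the state; Step 4: schedule the future events it implies."""
        if ev.kind == "arrival":
            if self.busy:
                self.waiting.append(ev.pkt)
            else:
                self.busy = True
                self.schedule(self.clock + self.service_time, "departure", ev.pkt)
        else:  # departure
            self.departures[ev.pkt] = self.clock
            if self.waiting:
                self.schedule(self.clock + self.service_time, "departure",
                              self.waiting.popleft())
            else:
                self.busy = False

    def run(self) -> dict:
        while self.future_events:
            ev = heapq.heappop(self.future_events)
            self.clock = ev.time      # Step 2: jump straight to the most imminent event
            self.clock_trace.append(self.clock)
            self.handle(ev)
        return self.departures


def simulate_arrivals(arrival_times, service_time):
    """Step 1 continued: the initial future events are all arrivals; then run."""
    sim = EventDrivenSim(service_time)
    for pkt, t in enumerate(arrival_times):
        sim.schedule(t, "arrival", pkt)
    departures = sim.run()
    return departures, sim.clock_trace


if __name__ == "__main__":
    deps, trace = simulate_arrivals([0.0, 0.5, 10.0], service_time=1.0)
    print("departures:", deps)
    print("clock values visited:", trace)  # the idle gap 2.0 -> 10.0 is skipped
```

Because the state changes only at event times, the clock moves directly from the second departure at 2.0 s to the third arrival at 10.0 s without any intermediate steps, which is the causality argument made above.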
Consider a continuous system where every now and then (possibly at irregular or
probabilistic time steps) discontinuities occur, for instance in the temperature of a room
where the heating is regulated in some feed-back loop:

Fig 2.3 Typical discontinuities in time versus state trajectories of continuous systems or
its higher order derivative with respect to time [29]

2.5 NETWORK SIMULATION TOOLS


In the network research area, establishing a network in a real-time scenario is very
difficult. A single test bed takes a large amount of time and cost, so implementing a
whole network in the real world is not easily possible and is very costly too. The simulator
helps the network developer to check whether the network is able to work in real time. Thus
both the time and cost of testing the functionality of a network are reduced and
implementations are made easy. The Network Simulator provides an integrated,
versatile, easy-to-use GUI-based network designer tool to design and simulate a
network with SNMP, TL1, TFTP, FTP, Telnet and Cisco IOS devices.
A network simulator allows researchers to test scenarios that are difficult or
expensive to reproduce in the real world. It is particularly useful for testing new networking
protocols or changes to existing protocols in a controlled and reproducible
environment. One can design different network topologies using various types of nodes
(hosts, hubs, bridges, routers, mobile units etc.). Network simulators are of
different types, which can be compared on the basis of: range (from the very simple to the
very complex); how the nodes, the links between those nodes and the traffic
between the nodes are specified; whether everything about the protocols used to handle
traffic in a network can be specified; graphical applications (which allow users to easily
visualize the workings of their simulated environment); text-based applications (which
permit more advanced forms of customization); and programming-oriented tools (which
provide a programming framework that can be customized to create an application
simulating the networking environment to be tested).
2.5.1 NS2 (Network Simulator Version2)
NS2 is a discrete event simulator targeted at networking research. It provides substantial
support for simulation of TCP, routing, and multicast protocols over all networks (wired and
wireless). Network Simulator 2 was developed under the VINT (Virtual Inter
Network Testbed) project begun in 1995; it is a joint effort by people from the University of
California at Berkeley, the University of Southern California's Information Sciences Institute,
Lawrence Berkeley National Laboratory and Xerox Palo Alto Research Center. The main
sponsors are the Defense Advanced Research Projects Agency and the National Science
Foundation. NS2 is split into a C++ part and an OTcl part: OTcl runs much slower than the
C++ core but can be changed very quickly (and interactively), making it ideal for simulation
configuration.

Fig 2.4 Architecture of NS2 [26]

2.5.2 OPNET (Optimized Network Engineering Tools)


It is extensive and powerful simulation software with a wide variety of possibilities to
simulate entire heterogeneous networks with various protocols. This simulator is
developed by OPNET Technologies, Inc. OPNET was originally developed at the
Massachusetts Institute of Technology (MIT) and since 1987 has been commercial
software. It provides a comprehensive development environment supporting the modeling
of communication networks and distributed systems. Both the behavior and the performance
of modeled systems can be analyzed by performing discrete event simulations. The main
programming language in OPNET is C (recent releases support C++ development). The
initial configuration (topology setup, parameter setting) is usually achieved using a
Graphical User Interface (GUI), a set of XML files or C library calls. Simulation
scenarios (e.g., parameter change after some time, topology update, etc.) usually require
writing C or C++ code, although in simpler cases one can use special scenario
parameters (e.g., link fail/restore time) [13]. The component diagram of OPNET is given
below.

Fig.2.5 Architecture of OPNET [26]

2.5.3 NetSim
NetSim is a discrete event simulator developed by Tetcos in 1997, in association with the
Indian Institute of Science. NetSim has also been featured with Computer Networks and
Internets, 5th edition, by Dr. Douglas Comer, published by Prentice Hall. It has an
object-oriented system modeling and simulation (M&S) environment to support the analysis of
voice and data communication scenarios for High Frequency Global Communication
Systems (HFGCS). It creates fast, platform-independent software that could be used in
simple consumer electronic products. Java was designed as a simple, efficient,
platform-independent language for creating WWW-based programs. Using Java one can create
small programs called applets that are embedded into an HTML document and viewable
on any Java-compatible browser. Java applets are compiled into a set of byte-codes, or
machine-independent processing instructions. The component diagram of NetSim is
given in Fig. 2.6.

Fig 2.6 Architecture of NETSIM [26]

2.5.4 OMNET++
It is a component-based, modular and open-architecture discrete event simulator
framework. The most common use of OMNET++ is for the simulation of computer
networks, but it is also used for queuing network simulations and other areas as well. It is
licensed under its own Academic Public License, which allows GNU Public License-like
freedom but only in noncommercial settings. It provides a component architecture for
models: a C++ class library which consists of the simulation kernel and utility classes
(for random number generation, statistics collection, topology discovery etc.), which you
use to create simulation components (simple modules and channels);
infrastructure to assemble simulations from these components and configure them (NED
language, ini files); runtime user interfaces or environments for simulations (Tkenv,
Cmdenv); an Eclipse-based simulation IDE for designing, running and evaluating
simulations; and extension interfaces for real-time simulation, emulation, MRIP, parallel
distributed simulation, database connectivity and so on. The component diagram of
OMNET++ is given in Fig. 2.7.

Fig 2.7 Architecture of OMNET++ [26]

2.5.5 QualNet
It is a commercial network simulator from Scalable Network Technologies, Inc., dating from
2000-2001. It is ultra high-fidelity network simulation software that predicts wireless, wired and
mixed-platform network and networking device performance. A simulator for large and
heterogeneous networks and the distributed applications that execute on such networks,
used for implementing new protocols, QualNet uses C/C++ and follows a procedural paradigm.
It uses the parallel simulation environment for complex systems (PARSEC) for basic
operations, hence it can run on distributed machines. It is a commercial version of
GloMoSim used by Scalable Network Technologies for their defense projects.
The component diagram of QualNet is given in Fig. 2.8.

Fig. 2.8 Architecture of QualNet

TABLE 2.1 Languages used by simulators [26]

2.6 A FRAMEWORK FOR NETWORK SECURITY SITUATION AWARENESS

The framework for network security situation awareness proposed in this paper is based
upon knowledge discovery and consists of two parts, the modeling of the network security
situation and the generation of the network security situation, as shown in Fig. 2.9. The
modeling of the network security situation constructs the formal model adapted for
measuring the network security situation based upon D-S Evidence Theory [4], and
supports the general process of fusion and correlation analysis of various types of alert
events from security situation sensors. The generation of the network security situation
primarily consists of three steps: firstly, acquiring attack patterns through interactive
knowledge discovery by introducing the FP-Tree algorithm and the WINEPI algorithm;
secondly, transforming the discovered frequent patterns and sequential patterns into
correlation rules for alert events; finally, implementing the dynamic generation of the
network security situation graph based upon the network security situation generation
algorithm.

Fig. 2.9 A Framework For Network Security Situation Awareness [4]

2.7 OLD EXPERIMENTAL SETUP AND RESULTS


In order to complete the proposed work, the required experimental setup must be
arranged as shown in Fig. 3.1. It will require a client/server environment
equipped with routers, firewalls, IDS and switches. The user may be an employee who
has proper authority to use the network, and the attacker is somebody unknown who is
trying to break the network security through the Internet. The router is used to decide the
path of the data packets to be transferred. Two separate firewalls have been used: the first
protects the organizational network from the outside network (Internet) and the other
protects transactions inside the organizational network. The IDS is used to record logs,
process them and create rules for further detection and protection against previously
occurred attacks.

Fig. 2.10 Experimental Setup [18]

In order to verify the effectiveness of the method, the following experiment model is
constructed as shown in Fig. 2.10. Server nodes provide the corresponding network
services; the user and the attacker can access the server nodes through the network. Server
nodes, IDS and firewall will produce the corresponding log information and performance
information of the server nodes. The service information S (ids, idh, name, ωs) of the server
nodes is expressed as follows:
(Server1, Web Server, Web, 0.4)
(Server2, Ftp Server, Ftp, 0.3)
(Server3, DataBase, Database, 0.3)
We build the simulation scenario using GTNetS. Server1 can be attacked by SYN flood
attack, UDP flood attack and Unicode decoding vulnerability attack; Server2 can be
attacked by the MSBLAST worm; Server3 can be attacked by SQL injection attack. All of the
server nodes may be attacked by an unknown attack. All attacks come from the attacker.
The theoretic security threat values of the various attacks are determined as
follows:
SYN flood: 0.2
UDP flood: 0.4
Unicode decoding vulnerability: 0.1
MSBLAST worm: 0.4
SQL injection: 0.2
The simulation scenario is operated as follows:
1) The user visits Server1, Server2 and Server3 normally during the experiment.
2) The attacker launches attacks every two seconds (attack one second, sleep one second).
From the calculation of the simulation results, we obtain the network security
situational graph shown in Fig. 10. The horizontal axis is time and the vertical axis is the
network security situation value. At the first point, no server node is detected as being
attacked, but there are significant changes in the performance of Server2. At the sixth
point, Server1 is detected as being attacked by SYN flood and UDP flood; Server2 is detected
as being attacked by the MSBLAST worm. Meanwhile these two servers both have changes in
performance.

Table 2.2 Simulation Experimental Data And Calculation Result [18]

CHAPTER 3
PROPOSED WORK
The process of traditional situation awareness can be visually represented by a three-level
model. The contents of network security situation awareness can be summarized in three
aspects: 1. network security situation element extraction; 2. network security situation
assessment; and 3. network security situation awareness. This project is concerned with
situation awareness, network health visualization and then preventive actions against
intrusions. For network security situation element extraction, Jajodia collected network
vulnerability information to assess the network vulnerability situation, and Ning collected
network alerting information to assess the network threat situation. Information
collected from one single aspect cannot capture the network security situation accurately;
thus obtaining comprehensive information, and the relevance between pieces of information,
is particularly important. In this paper, we obtain the comprehensive information and its
relevance from node performance and log files to evaluate the network security situation. For
network security situation assessment, Xiu-zhen Chen proposed a quantitative hierarchical
network security threat evaluation method which has become the mainstream of network
security situation assessment. Yong Wei and Yi-feng Lian proposed a network security
situation assessment model based on log audit and a performance correction algorithm
on the basis of the hierarchical network security situation assessment method. For network
security situation awareness, the traditional network security situation awareness algorithms
are based on statistical Bayesian techniques and the Gray Relational Model. They only give
network managers the past and current state of the network security situation, but cannot
forecast the network security situation. The abstract packet-forwarding method can process
network behaviors in network simulation quickly. This method not only reduces the simulation
time, but also ensures the accuracy of the result.

3.1 Important Elements Construction

The essence of network simulation is to simulate network packet forwarding. In this
project we will design and implement a firewall, an intrusion detection system (IDS) and node
performance based on this principle.
3.1.1 Firewall and IDS

Firewall and IDS both inspect network packets according to certain rules to determine
whether to transmit them or not, in order to protect the network security; therefore the firewall
and the IDS use the same design model. As shown in Fig. 3.1, the firewall and IDS model
includes 5 modules: command recognition, command processing, packet filter, processing
result and log entry. Command recognition recognizes the rules; command processing supports
command recognition through some API; packet filter filters packets by rules; processing result
decides whether to transmit the packet or not; and log entry records important information for
users to check.
Firewall rules include operation, source/destination address, source/destination packet
survival information (TTL), protocol and port. IDS rules are divided into two parts: rule
header and rule option. The rule header contains operation, protocol, source/destination
address and source/destination port information. The rule option includes alarm information
and the rules used to determine whether to trigger a response action. The rule option is an
important part of the core of the IDS detection engine, and it is flexible and powerful. Its
flexibility means that you can add appropriate options based on the different behaviors to
detect. A semicolon separates the IDS rule options; within a rule option, the keyword and its
parameters are separated by a colon ':'.
Snort is an open source IDS based on passive signature matching. All attack patterns are
formulated into detection rules. Each rule has two parts: a rule header and rule options. The
rule header contains the rule action, protocol, source/destination IP addresses and
netmasks, and the source and destination ports information. The rule option section
contains alert messages and information denoting on which parts of the packet should be
compared to determine if the rule action should be taken. Snort acquires network packets
via libpcap library.
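The rule structure just described (a header of action, protocol, addresses, direction and ports; options separated by semicolons; keyword and parameter separated by a colon) can be parsed and matched against packet records as follows. This Python code is an added example written for this section; it is not code from Snort, AIMS or the project. The rule text, variable values, sid number and packet records are constructed, and only a single-host $HOME_NET and a plain substring `content` check are handled (no CIDR, negation or Snort content modifiers).

```python
"""Parsing and matching Snort-style rules (added example; not Snort, AIMS or
the project's code). Rule text, variables, sid values and packets are constructed.
"""
import re
from dataclasses import dataclass, field

# header: action protocol src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)  # keyword -> parameter
    flags: list = field(default_factory=list)    # options without a parameter


def split_options(body: str) -> list:
    """Split the option section on ';' characters that are outside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = Rule(action, proto, src, sport, direction, dst, dport)
    for opt in split_options(body):
        if ":" in opt:                       # keyword ':' parameter
            key, value = opt.split(":", 1)
            rule.options[key.strip()] = value.strip().strip('"')
        else:                                # bare modifier such as nocase
            rule.flags.append(opt)
    return rule


def field_matches(pattern: str, value: str, variables: dict) -> bool:
    """Resolve $VARIABLES; 'any' matches everything, otherwise exact match
    (single hosts only; CIDR ranges and negation are not handled here)."""
    pattern = variables.get(pattern, pattern)
    return pattern == "any" or pattern == value


def packet_matches(rule: Rule, pkt: dict, variables: dict) -> bool:
    """Rule header match plus a plain substring check of the content option."""
    if rule.protocol != pkt["proto"]:
        return False
    header_ok = (field_matches(rule.src, pkt["src"], variables)
                 and field_matches(rule.sport, str(pkt["sport"]), variables)
                 and field_matches(rule.dst, pkt["dst"], variables)
                 and field_matches(rule.dport, str(pkt["dport"]), variables))
    if not header_ok:
        return False
    content = rule.options.get("content")
    if content is None:
        return True
    if "nocase" in rule.flags:
        return content.lower() in pkt["payload"].lower()
    return content in pkt["payload"]


# constructed rule and variables (sid in the local-rule range, not a real Snort sid)
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB unicode traversal (constructed)"; content:"%c0%af"; '
               'nocase; sid:1000001; rev:1;)')
VARIABLES = {"$EXTERNAL_NET": "any", "$HOME_NET": "10.0.0.5"}

# constructed packet records
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.5",
     "dport": 80, "payload": "GET /..%C0%AF../ HTTP/1.0"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "10.0.0.5",
     "dport": 443, "payload": "GET /..%c0%af../ HTTP/1.0"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "10.0.0.5",
     "dport": 80, "payload": "GET /index.html HTTP/1.0"},
]


def alerts_for(rule_text: str, packets: list, variables: dict) -> list:
    """Return (sid, msg, source port) for each packet that triggers the rule."""
    rule = parse_rule(rule_text)
    return [(rule.options["sid"], rule.options["msg"], p["sport"])
            for p in packets if packet_matches(rule, p, variables)]


if __name__ == "__main__":
    for hit in alerts_for(SAMPLE_RULE, PACKETS, VARIABLES):
        print("alert:", hit)
```

Only the first packet raises the alert: the second fails the header (port 443 instead of 80) and the third fails the option (no matching content), which shows why both parts of a rule have to agree before the action is taken.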

Fig. 3.1 Firewall and IDS

Then Snort decodes the captured packets and sends them to the detection engine for
intrusion identification. Similar to Snort, AIMS defines a set of attack pattern rules to
describe attack behaviors. However, AIMS additionally defines alarm rules and threshold
rules for anomaly detection. In AIMS, there are a total of three different kinds of rules. The
alarm rules are used to detect anomalous network conditions. The pattern rules are the
normal signature matching rules. The threshold rules are used to decide whether some
network statistic is anomalous. A shortcoming of Snort is that its maintenance
needs manual operations and is inflexible. The administrator must manually add new
rules in Snort. If Snort is deployed in a widely distributed environment, it will be complicated
to manage these nodes. Also, there is no way to dynamically upgrade modules or engines
in Snort. However, AIMS is natively designed to provide a flexible mechanism for dynamic
reconfiguration.
The Cooperative Intrusion Traceback and Response Architecture (CITRA) is an architecture
integrating intrusion detection systems, routers, firewalls, security management systems, and
other components to trace intrusions, avoid or decrease subsequent damage from intrusions,
combine and report intrusion activities, or coordinate intrusion responses on a system-wide
basis. CITRA automates the intrusion analysis and intrusion response that were done manually
by the administrator before. The primary shortcoming of CITRA is that its system modules
cannot be reconfigured or customized when new types of intrusions occur; only its policies can
be modified. Therefore, the administrator needs to modify the policies for new intrusion types.
However, as intrusion techniques are rapidly evolving, manual modification is not enough to
counteract all kinds of attacks. In addition, CITRA is not flexible because a specific
intrusion description language called the Common Intrusion Specification Language (CISL) is
needed to describe attacks and responses. Furthermore, because CISL is of a stateless
design, CITRA cannot detect attacks hidden in multiple packet flows.
The Intrusion Detection Agent System (IDA) is a network intrusion detection system employing
the mobile agent technique. IDA works by watching events that may relate to intrusions instead
of analyzing all of the user activities. If an MLSI (Marks Left by Suspected Intruder) is found,
the IDA manager will dispatch agents to gather information related to the MLSI, analyze the
information, and decide whether an intrusion has occurred. In IDA, mobile agents autonomously
migrate to target systems to collect only information related to intrusions. This avoids the
need to transfer system logs to the server. There are message boards to keep information
gathered from the target systems by the information gathering agents; this helps exchange
information between the agents and the bulletin board. Compared to the active packet
approach, mobile agents are more active: they can suspend detection processing, migrate
to another node, and then resume the suspended execution. However, the mobile agent
mechanism is more complicated than the active network approach.
Trend Micro released InterScan AppletTrap in August 2001. AppletTrap is designed to detect
malicious mobile code or active content in Java, ActiveX, JavaScript, or VBScript. From the
architecture viewpoint, AppletTrap is in fact an HTTP proxy server. If some ActiveX and Java
Applet code segments have unrecognized certificates, AppletTrap will block the code segments.
The blocking lists in AppletTrap are updateable to stop unknown malicious Java Applets
and JavaScripts. Compared with AppletTrap, AIMS adopts different approaches. For
example, AIMS uses active packets to update rules, but AppletTrap uses a web interface
to update its rules. In addition, system management is complicated when many AppletTrap
nodes are working online in the network. Furthermore, AppletTrap is designed only for HTTP
access, but AIMS is designed to monitor all network packets passing through AIMS
nodes.
FLAME is a performance-enhanced version of the Lightweight Active Management
Environment (LAME). It provides programmers a flexible and secure programming
environment. To achieve its security requirements, FLAME uses Cyclone as the secure
programming language in its active packet design. Third parties may write their own modules
in Cyclone and deploy them on FLAME nodes; for example, programmers can write a worm
detection module and install it on FLAME nodes. Compared with FLAME, AIMS is not designed
as a general-purpose active network system. Instead, AIMS is natively an intrusion detection
system employing active network technology. Therefore, AIMS provides a dynamically
programmable platform on which new intrusion detection modules or customized detection
rules can be flexibly applied. For efficiency, AIMS is also developed in Cyclone as in FLAME.
However, for security and efficiency reasons, AIMS does not allow the on-line compilation
adopted in FLAME.
IBAN (Intrusion Blocker based on Active Networks) is a distributed intrusion prevention system
based on active networks. IBAN performs vulnerability scanning and inline intrusion detection
and blocking. It consists of a management station, a mobile vulnerability scanner and mobile
intrusion blockers. However, because IBAN relies heavily on active networks, it incurs the
limitations inherent in active networks. To deploy IBAN, the active network environments
ANTS and SANTS need to be deployed first.
3.1.2 Node Performance

Nodes in network simulation software do not have real performance as in the real
world, so we need to add appropriate parameters to the node model to represent the
performance of nodes. Performance parameters will be updated while processing packets
in order to indicate the changes in node performance. The structure of node performance
is shown in Fig. 3.2.

Fig. 3.2 Structure of Node Performance

3.2 ABSTRACT PACKET-FORWARDING

Most of the time of a network simulation is spent on packet forwarding simulation. Therefore,
the most effective way to reduce the time of network simulation is to abstract and simplify
the packet forwarding simulation model. Fig. 3.3 depicts the packet forwarding simulation
process in traditional discrete-event network simulation. Packets go through the
buffer queue and the discrete-event queue respectively. Because of the existence of these
two queues, network simulation needs to do more work: on the one hand, packets need to
enter and leave the buffer queue constantly; on the other hand, the discontinuous processing
increases the number of discrete events that need to be processed. The abstract
packet-forwarding method can solve these two problems and make the network simulation more
effective. The abstract packet-forwarding method consists of the computing queue and
continuous multi-hop processing.

Fig. 3.3 Traditional Packet Transmit Simulation Process


3.2.1 Computing Queue
As shown in Fig. 3.4, when the "buffer queue" in traditional network simulation is replaced by
a "computing queue", packets transmitted from one node to the next node only need to
enter and leave the discrete-event queue. Delay and packet loss can be calculated by the
following algorithm.
1)

For one packet p, whose length in bytes is lp, transmitted from the node S to the next node
N through link L. What lies between the node S and link L is the corresponding
computing queue F. The time from packet p arriving at queue F to its transmission onto link L
is t. The moment just before packet p reaches F is t−; the number of packets in F at that
moment is C(t−); the length in bytes of all packets in F is L(t−); the moment just after packet
p reaches F is t+; the number of packets in F is C(t+); the length in bytes of all packets in F
is L(t+). The bandwidth of L is B; the propagation delay is D; the maximum length in bytes
of F is max. In this case, whether to drop p or not is determined by the following formula:

Fig. 3.4 Computing Queue

If p is not dropped, the total delay time of p transmitting from S to N is dp (including the
queuing delay dq, the send delay dt and the propagation delay D), represented by the
following formula:

If p is not dropped, after p reaches F, C(t+) and L(t+) can be obtained by the following
formulas:

2)

For two packets p1, p2: these two packets are transmitted from the node S to the next hop
node N through link L. What lies between the node S and link L is the corresponding
computing queue F. The time from packets p1, p2 arriving at F to their transmission onto
link L is t1, t2 respectively. The moment just before packet p1 reaches F is t1−; the number of
packets in F is C(t1−); the length in bytes of all packets in F is L(t1−); the moment just
after packet p1 reaches F is t1+; the number of packets in F is C(t1+); the length in
bytes of all packets in F is L(t1+). Assume the moment just before packet p2 reaches
F is t2−; the number of packets in F is C(t2−); the length in bytes of all packets in F is
L(t2−); the moment just after packet p2 reaches F is t2+; the number of packets in F
is C(t2+); the length in bytes of all packets in F is L(t2+). The bandwidth of L is B. If p1,
p2 are both not dropped, t1<t2 and there is no packet reaching F between p1 and p2, we
can use the following recursive formula:

The function pos(x) is defined so that when x<0, pos(x)=0 and when x≥0, pos(x)=x.

Assuming li is the length in bytes of the ith packet in the queue F by the time t2−, C(t2−)
must satisfy the following formula:

Equations (1)-(6) are the computational realization of packet forwarding: (1)-(2) determine
whether to drop the packet or not and its delay time; (3)-(4) determine the changes of the
computing queue when a packet arrives; (5)-(6) determine the changes of the computing queue
when two consecutive packets reach F; (3)-(6) determine the changes of the computing queue
while a network simulation scenario is running.
3.2.2 Continuous Multi-hop Processing

As shown in Fig. 3.4, events do not need to enter and leave the discrete-event queue when
continuous multi-hop processing replaces the traditional single-hop processing in
network simulation. The realization of continuous multi-hop processing is based on the
computing queue. As the delay time and packet loss over continuous multiple hops can be
accumulated, we can obtain them in one pass. Continuous multi-hop processing may lead to
packets not reaching the next node in chronological order, which is called "out of order", so
that the computing queue's parameters, transmission delay and packet loss, may be wrong. In
order to solve "out of order", we decide whether to use continuous multi-hop processing
on the basis of the link condition: when a link reaches its bottleneck, packets should be
transmitted through the computing queue and discrete-event queue normally and this hop
should be processed together with the previous hops; if not, packets do not need to enter and
leave the computing queue and discrete-event queue and this hop should be processed together
with the following hops. By using the abstract packet-forwarding method, the traditional
network simulation processing model changes from Fig. 3.3 to Fig. 3.5.
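The following Python code is an added worked example for Sections 3.2.1 and 3.2.2; it is not the project's implementation. Since equations (1)-(6) do not appear on this page, the formulas it uses are assumed from the text's description: drop p when L(t−)+lp exceeds the maximum queue length (1); dp = dq + dt + D with dq = L(t−)/B and dt = lp/B (2); C(t+) = C(t−)+1 and L(t+) = L(t−)+lp (3)-(4); L(t2−) = pos(L(t1+) − B·(t2−t1)) (5); and C(t2−) as the number of packets whose bytes are still in F (6). Bandwidth, delay, queue limit and packet sizes are constructed values. The multi-hop function accumulates delay and loss across the hops in one pass, which is the continuous multi-hop idea without the out-of-order handling.

```python
"""Computing queue and continuous multi-hop forwarding (added example; not the
project's code). Equations (1)-(6) are not on this page, so the formulas used
here are assumed from the text's description; all numbers are constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ComputingQueue:
    bandwidth: float            # B, bytes per second
    prop_delay: float           # D, seconds
    max_bytes: float            # max, capacity of F in bytes
    last_time: float = 0.0      # clock value at the last update of F
    length: float = 0.0         # L(t), bytes of all packets in F
    queue: deque = field(default_factory=deque)  # byte lengths l_i, arrival order

    @property
    def count(self) -> int:
        """C(t), number of packets (partly) still in F."""
        return len(self.queue)

    def drain(self, now: float) -> None:
        """Move F from the state just after the previous packet, (t1+), to the
        state just before the next one, (t2-), assuming nothing arrived between:
        (5) L(t2-) = pos(L(t1+) - B*(t2 - t1)); (6) C(t2-) is the number of
        trailing packets whose bytes still make up L(t2-)."""
        sent = self.bandwidth * (now - self.last_time)
        self.last_time = now
        self.length = max(self.length - sent, 0.0)        # pos()
        # packets at the head that have been fully transmitted leave F
        while self.queue and sum(self.queue) - self.queue[0] >= self.length:
            self.queue.popleft()

    def offer(self, now: float, pkt_len: float):
        """Packet p of pkt_len bytes reaches F at time `now`.
        Returns the delay d_p to the next node, or None if p is dropped."""
        self.drain(now)
        if self.length + pkt_len > self.max_bytes:         # (1) drop decision
            return None
        d_q = self.length / self.bandwidth                 # queuing delay dq
        d_t = pkt_len / self.bandwidth                     # send delay dt
        self.queue.append(pkt_len)                         # (3) C(t+) = C(t-) + 1
        self.length += pkt_len                             # (4) L(t+) = L(t-) + l_p
        return d_q + d_t + self.prop_delay                 # (2) d_p


def forward_multi_hop(path, t0: float, pkt_len: float):
    """Continuous multi-hop processing: push p through every hop in one pass,
    accumulating delay and stopping at the first drop, instead of re-entering
    the discrete-event queue at each hop. Returns (delivered, hops_done, delay)."""
    t, total = t0, 0.0
    for hop, q in enumerate(path):
        d = q.offer(t, pkt_len)
        if d is None:
            return False, hop, total
        total += d
        t += d
    return True, len(path), total


if __name__ == "__main__":
    link = ComputingQueue(bandwidth=1000.0, prop_delay=0.01, max_bytes=1000.0)
    for t, size in [(0.0, 500), (0.25, 500), (0.25, 300), (1.0, 500)]:
        d = link.offer(t, size)
        verdict = "dropped" if d is None else f"delay={d:.3f}s"
        print(f"t={t:.2f} len={size}: {verdict} C={link.count} L={link.length:.0f}")
    path = [ComputingQueue(1000.0, 0.01, 1000.0), ComputingQueue(1000.0, 0.01, 400.0)]
    print(forward_multi_hop(path, 0.0, 500))
```

In the single-link run the third packet is dropped because 750 bytes are still queued when it arrives, and by t = 1.0 s the link has drained completely, so the fourth packet sees only its own send delay plus propagation delay; no per-packet dequeue events were needed to reach either result.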


Fig. 3.5 Network Security Situation Assessment Based on Network Simulation Log Files

3.3 NETWORK SECURITY SITUATION ASSESSMENT

As shown in Fig. 3.5, we will extract network security incidents and calculate the value
of the network security situation by using the network simulation log files.
3.3.1 Event Extraction

Event extraction uses a rule-based log audit method. Firstly, we obtain preliminary security
incidents by matching the rule base against the log information. Secondly, we remove
duplicate security incidents by merging security incidents. Finally we obtain the node
theoretic security threat. The node theoretic security threat is the security situation of a
service node when it is attacked. The node theoretic security threat value, namely VoT, is the
cumulative sum of attack threats. Attack severity is defined according to the Snort User
Manual.

3.3.2 Performance Correction Method

The value of a node's security situation reflects the status of the server node more
accurately than the node's theoretic security threat. In this paper the value of a node's
security situation is calculated using the performance correction algorithm. Performance
information P is denoted by (idh, timep, , , , , ), where idh is the node's ID and timep is
the time elapsed from the beginning to the present; the node's performance parameters are
( , , , , ): the number of packets processed, the amount of memory used, the number of
connections, the total length of the packets processed, and the number of packets dropped.
The minimum value of each performance parameter is 0 and the maxima are (0, 0, 0, 0, 1),
where 0 is the maximum number of packets the server node can process per unit time,
0 is the maximum size of memory, 0 is the maximum allowable number of connections,
0 is the maximum flow rate, and 1 represents that all packets are dropped, i.e. = . Node
performance P is measured by the following formula:

At the beginning of a period of time the node performance parameters are (1, 1, 1, 1, 1);
at the end of this period they are (2, 2, 2, 2, 2). According to (7), we obtain:


Correcting the node's theoretic security threat with the performance variation (the change
in P over the period), the value of the node's security situation SAh is obtained from the
following formula.

The correction parameter takes a value in [0,1] and represents the weight of node
performance in the value of the node's security situation. When the parameter is 0, SAh
equals the node's theoretic security threat; when it is 1, SAh equals the node performance
change.
3.3.3 Network Security Situation Value

After obtaining the value of each node's security situation, the value of the network
security situation is calculated using the weight of each service in the network. Service
information S is denoted by (ids, idh, name, CDs), where ids is the server's ID, idh is the
server node's ID, name is the service name and CDs is the weight of the service. The
service node's weight CDh is obtained with the following formula.


m is the number of services provided by the service node. The weights of all network
services sum to 1. Finally, the value of the network security situation SA is calculated
from the server nodes' SAh and CDh.

where n is the number of service nodes in the network.
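The three steps of section 3.3 (rule-based event extraction with merging of duplicates, performance correction of VoT, and service-weighted aggregation into SA) as one added example in Python; this is not the report's code. Because the formulas are not legible on the page, the priority-to-threat mapping, the definition of P as mean utilisation, the linear blend of VoT and the performance change by the correction parameter, and the sums for the node weight and SA are all assumptions, and the Snort-style alert lines are constructed sample input.

```python
import re
from statistics import mean

# Constructed Snort-style alert lines (sample input, not taken from the report).
ALERTS = """\
[**] [1:2003:8] WEB-MISC directory traversal [**] [Priority: 2] 10.0.0.5 -> 10.0.1.10
[**] [1:2003:8] WEB-MISC directory traversal [**] [Priority: 2] 10.0.0.5 -> 10.0.1.10
[**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] 10.0.0.5 -> 10.0.1.10
[**] [1:1228:7] SCAN nmap XMAS [**] [Priority: 3] 10.0.0.9 -> 10.0.1.20""".splitlines()

# Rule base: Snort priority -> attack threat value (assumed mapping; the report only
# states that severity follows the Snort User Manual, priority 1 being the highest).
THREAT = {1: 3.0, 2: 2.0, 3: 1.0}
RULE = re.compile(r"\[\d+:(\d+):\d+\] (.+?) \[\*\*\] \[Priority: (\d)\] (\S+) -> (\S+)")

def extract_events(lines):
    """Step 1: match the rule base against each log line -> preliminary incidents."""
    events = []
    for line in lines:
        m = RULE.search(line)
        if m:
            sid, name, prio, src, dst = m.groups()
            events.append((int(sid), name, int(prio), src, dst))
    return events

def merge_events(events):
    """Step 2: drop duplicate incidents (same signature, source and target node)."""
    return list({(e[0], e[3], e[4]): e for e in events}.values())

def theoretic_threat(events):
    """Step 3: VoT per target node = cumulative sum of the attack threat values."""
    vot = {}
    for _, _, prio, _, dst in events:
        vot[dst] = vot.get(dst, 0.0) + THREAT[prio]
    return vot

def performance(params, maxima):
    """P = mean utilisation of (packets, memory, connections, bytes, dropped)
    against the node's maxima for the first four (assumed definition of P)."""
    pkts, mem, conns, flow, dropped = params
    drop_ratio = dropped / (pkts + dropped) if pkts + dropped else 0.0
    return mean([pkts / maxima[0], mem / maxima[1], conns / maxima[2],
                 flow / maxima[3], drop_ratio])

def node_situation(vot, p_begin, p_end, mu):
    """SAh: mu=0 gives the theoretic threat, mu=1 the performance change;
    the linear blend in between is an assumption (formula not legible)."""
    assert 0.0 <= mu <= 1.0, "correction parameter must lie in [0,1]"
    return (1.0 - mu) * vot + mu * (p_end - p_begin)

def network_situation(nodes):
    """SA = sum over service nodes of (sum of its service weights) * SAh;
    nodes = [(service_weights, SAh), ...] and all service weights sum to 1."""
    return sum(sum(weights) * sah for weights, sah in nodes)
```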


Network security visualization has been a growing community of network security research in
recent years. More and more visualization tools are designed to help analysts cope with the
huge amount of network security data, so the demand for visualization techniques has
spread into each step of situation awareness research: situation perception, situation
comprehension and even situation prediction. NVisionIP and VisFlowConnect took the
lead in introducing visualization technology into NSSA: NVisionIP uses multi-level matrix
graphs for status analysis of a class-B network from NetFlow logs, and VisFlowConnect
is a visualization design based on parallel-axis technology that enhances an
administrator's ability to detect and investigate anomalous traffic between a local network and
external domains. The Intrusion Detection System (IDS) is the most popular application
reporting the variety of network events taken as the important input data of NSSA; IDS
RainStorm, SnortView and Avisa are typical visual analysis tools that help administrators
recognize false positives, detect real abnormal events such as worm propagation and
botnet activity, and make a better situation assessment. However, visual systems
based on a single kind of log, such as NetFlow logs or IDS logs, are obviously insufficient.
To achieve situational awareness, BANKSAFE, a scalable web-based visualization
system, analyzes health monitoring logs, firewall logs and IDS logs at the same time, and
Horn uses visual analytics to support the modeling of computer network defense from all
kinds of raw data sources up to decision goals.


3.4 OVERALL DESCRIPTION


3.4.1 Product Perspective
Considering the liability and scope of the project, its requirements and specification must
be clear well before it begins. Whether the product is a piece of software, an architecture
or a system, its role will be vital. Network security situation awareness is a comprehensive
technology that can obtain and process information, detect intrusions and also forecast
security risk.
3.4.2 Product Functions
This project mainly uses the log files of the user's firewall and IDS along with the different
node situation parameters, which help in determining the risk level of each node as well as
of the complete network. This method reduces the network security simulation time
effectively and evaluates the network security situation value accurately. After evaluation
of the situation value, a graphical representation is shown.
3.4.3 Requirements:
Hardware elements: a current 1.8 GHz CPU, display device, keyboard, mouse, and a fully
equipped LAN (bridges, switches, firewall, routers, etc.).
Software requirements: Snort AIMS, network simulator, firewall.
3.4.4 Design and implementation constraint
This method first constructs the various simulation element models.
Second, it constructs a network security situation awareness simulation scenario based on
these models.
Third, it uses the abstract packet-forwarding method to quickly infer network security
behaviours in the simulation scenario while recording important log information.
Finally, it evaluates the value of the network security situation based on the log
information and forecasts the network security situation.
3.4.5 User Characteristics

The user can be anyone who has knowledge of networking.
The user is expected to be readily willing to interact with the software.
3.4.6 Assumptions and Dependencies
The network simulator always takes some unnecessary time, so the abstract packet-forwarding
mechanism is used to reduce it.
From the log files of the network simulation, we extract the network security events and
node performance information, which are used to calculate the network security situation.
3.5 External Interface Requirements
3.5.1 User Interfaces
The user interface is available only with network admin privilege.
3.5.2 Hardware Interface
A proper working tool is required to accomplish any job, and the same holds for completing
a project. The tools and hardware required are a working laptop and an internet connection,
to begin with.
3.5.3 Software Interface
Platform: C, Python, Snort AIMS

3.5.4 Performance Requirements


Packet processing should be fast, as a large number of packets have to be processed.
The node performance level should be perfect.
The log files in Snort AIMS should be selected according to the latest rules.
The graphical representation should be perfect and appear quickly as soon as an attack appears.


3.6 Other Non-functional Requirements


3.6.1 Safety Requirements
No specific safety requirements, as the software is designed for a network admin; a database
is maintained for each user and all logs are kept.
3.6.2 Security
Security is essential: only the admin has the privilege to access this software.
3.6.3 Maintenance
The training database is an important factor that determines the accuracy of the results.
Hence the database should be updated with as much diversity as possible.

3.7 MILESTONE CHART


3.7.1 Problem Statement
Using network simulator software we will show a graphical representation of the security
level of an organizational network. We have our own firewall and IDS built into that software.
3.7.2 Outline
The outline of the project includes selection of the domain, deciding the topic for the project,
study of research papers, and studying the existing algorithms and modifying them. The
outline of the project was completed and submitted in the month of September.
3.7.3 Survey
It includes the study of various research papers related to the topic, preparing the S.R.S.
for the project and selecting the algorithms to implement for our project. The completion
of the documentation of our project is expected in the month of October.
3.7.4 Design
The design phase includes the initial implementation of the project and gives the project its
basic and initial shape. This phase includes high-level design, which provides an
overview of the entire system, identifying all its elements at some level of abstraction, and
low-level design, which exposes the detailed design of each of these elements. This work
is expected to be completed in the months of October-November.
3.7.5 Coding
This phase is the core of the project. It contains the various codes required to make the
modified algorithm work. With the help of coding, the comparison between the original
algorithm and the modified algorithm will be made. This coding phase is a very crucial part
of the project, as it requires the modification of the algorithm to obtain optimum results.
Coding is expected to continue up to the month of January.
3.7.6 Testing
This is the final phase of the project and the most important one. This phase will perform
rigorous testing on the codes written, the simulator and the modified algorithm, and will
decide the success of the project. Testing is done to check for bugs and then remove them,
which further includes checking the proper working of the codes, i.e. whether they are giving
the expected results or not. Testing is the final step and will be completed (tentatively)
in the month of March.

Fig 3.6 Milestone Chart (rows: Outline, Survey, Design with 1st draft and draft + architecture,
Coding, Testing; columns: August, September, October, November, January, February, March, April)


3.8 Data flow Diagram


3.8.1 0-level DFD

Fig 3.7 0 level DFD


3.8.2 1-level DFD

Fig 3.8 1-level DFD


3.8.3 Flow Diagram

Fig. 3.9 flow chart of project


CHAPTER 4
CONCLUSION AND FUTURE SCOPE
Network security situation awareness is a challenging problem in the field of networking.
It helps in assessing and forecasting the security of an organisation's network and also
reduces the work of the network administrator. The main aim of the simulation software is
to fetch the required data easily and produce the result as soon as possible.
Network security situation awareness is a new research domain, and it has great
importance in improving the ability to respond to emergencies, reducing the losses caused
by network attacks, revealing abnormal intrusions, and enhancing a system's ability to
fight back. On the basis of our evaluation, our main work is to improve the network
security situation assessment model and its quantitative evaluation method and to find a
better way to accelerate network simulation. We analyzed the existing problems of network
security situation awareness and proposed a framework based on that analysis. The
framework consists of the modeling of the network security situation and the whole process
of generating the network security situation.
The running time of the network simulation task will increase effectively. The essence of
the abstract packet-forwarding method is to enhance the packet processing speed, but it may
be ineffective if too many packets need to be processed per second, as in large-scale
network worm simulation. On the basis of our studies, the next jobs are:
(1) Improve the evaluation method and the network security assessment model.
(2) Find a better way to accelerate network simulation.

REFERENCES
[1] B. Potter, "Software & network security," J Network Security, vol.; T. Bass,
"Intrusion Detection Systems and Multisensor Data Fusion: Creating Cyberspace
Situational Awareness," Communications of the ACM, vol. 43, April 2000, pp. 99-105.
[2] D. Schnackenberg, H. Holliday, R. Smith, K. Djahandari, and D. Sterne,
"Cooperative Intrusion Traceback and Response Architecture (CITRA)," Proc.
of DARPA Information Survivability Conference and Exposition (DISCEX-II),
Jun. 2001.
[3] D. Wetherall, J. Guttag, and D. Tennenhouse, "ANTS: Network Services without
the Red Tape," IEEE Computer, vol. 32, no. 4, Apr. 1999.
[4] Fang Lan, Wang Chunlei, Ma Guoqing, A Framework for Network Security
Situation Awareness Based on Knowledge Discovery 978-1-4244-6349-7/10,
IEEE, 2010.
[5] Hideki K., Kazuhiro O. SnortView: visualization system of snort logs. The 2004
ACM.
[6] IETF81 Internet Engineering Task Force. Internet protocol: DARPA Internet
program protocol specification, 1981.
[7] I-Hsuan Huang and Cheng-Zen Yang, Design of an Active Intrusion Monitor
System Department of Computer Science and Engineering, Yuan Ze University,
Chungli, Taiwan, R.O.C. E-mail: {ihhuang,czyang}@syslab.cse.yzu.edu.tw
[8] K. G. Anagnostakis, M. Greenwald, S. Ioannidis, and S. Miltchev, "Open Packet
Monitoring on FLAME: Safety, Performance and Applications," Proc. of the 4th
International Working Conference on Active Networks (IWAN), Dec. 2002.
[9] M. Asaka, S. Okazawa, A. Taguchi, and S. Goto, "A Method of Tracing Intruders
by Use of Mobile Agents," Proc. of INET99, Jun. 1999.
[10] M. R. Endsley, "Design and evaluation for situation awareness enhancement,"
Proceedings of the Human Factors and Ergonomics Society Annual Meeting,
Northrop Aircraft, Hawthorne, CA, vol. 32, pp. 97-101, October 1988.
[11] M. Roesch and C. Green, "Snort users manual," J Snort Release, 2003.
[12] M. Roesch and C. Green, "Snort Users Manual," http://www.snort.org/docs/writing_rules/,
Apr. 2003.
[13] Mica R. Endsley, "Designing for Situation Awareness in Complex Systems,"
Workshop on Symbiosis of Humans, Tokyo, Japan, 2001.
[14] P. Ning, Y. Cui, D. S. Reeves, et al., "Techniques and tools for analyzing
intrusion alerts," ACM TISSEC, New York, vol. 7, pp. 274-318, May 2004.
[15] R. Feiertag, C. Kahn, P. Porras, D. Schnackenberg, S. S. Chen, and B. Tung, S.
Jajodia, S Noble, and B. O'Berry, 'Topological analysis of network attack
vulnerability," in Managing Cyber Threats. Springer US, 2005, pp. 247-266.
[16] S. Jajodia, S Noble, and B. O'Berry, 'Topological analysis of network attack
vulnerability," in Managing Cyber Threats. Springer US, 2005, pp. 247-266.
[17] S. Murphy, E. Lewis, R. Watson, and R. Yee, "Strong Security for Active
Networks," Proc. of the IEEE OPENARCH Conference, Apr. 2001.
[18] Song-song Lu, Xiao-feng Wang, Li Mao, Network Security Situation Awareness
Based On Network Simulation, IEEE Workshop on Electronics, Computer and
Applications 2014
[19] T. Issariyakul and E. Hossain, Introduction to Network Simulator NS2 , Springer
2008.
[20] Workshop on Visualization and Data Mining for Computer Security (Washington,
DC, USA, October 25-29, 2004). VizSEC/DMSEC '04. IEEE Computer Society, 2004, 143-147.
[21] W. L. Cholter, P. Narasimhan, D. Sterne, R. Balupari, K. Djahandari, A. Mani,
and S. Murphy, "IBAN: intrusion blocker based on active networks," Proc. of
the DARPA Active Networks Conference and Exposition (DANCE), Jun. 2002.
[22] Xiangdong Cai, Yang Jingyi and Huanyu Zhang, Network Security Threats
Situation Assessment and Analysis, Technology Study International Journal of
Security and Its Applications, Vol.7, No.5 (2013),
[23] Xiao-Feng Wang, Hong-Li Zhang, Feng-Yu Wang, and Zhao-Xin Zhang,
"Dynamic continuous computing in network simulation," J Journal of System
Simulation, vol 21, pp. 7439-7444, December 2009.

[24] Xiu-Zhen Chen, Qing-Hua Zheng, and Xiao-Hong Guan, "Quantitative hierarchical
threat evaluation model for network security," J Journal of Software, vol. 17,
pp. 885-897, April 2006.


[25] Yong Wei and Yi-Feng Lian, "A network security situational awareness model
based on log audit and performance correction," J Chinese Journal of Computers,
vol 32, pp. 763-772, April 2009.
[26] Saba Siraj, Ajay Kumar Gupta, and Rinku Badgujar, "Network Simulation Tools
Survey," IJARCCE, vol. 1, issue 4, June 2012.
[27] http://www.ietf.org/rfc/rfc0791.txt?number=791
[28] http://artemis.wszib.edu.pl/~sloot/1_4.html
