on
Network Security Situation Awareness based on Network Simulation
Submitted in partial fulfillment of the requirements
for the award of the degree of
Bachelor of Technology
in
Computer Science and Engineering
by
Himanshu Rai
1209710908
Utkarsh Sagar
1109710119
Vikas Gupta
1109710121
(Semester-VII)
Under the Supervision of
Mr. Manish Kumar Sharma
CERTIFICATE
This is to certify that the project report entitled Network Security Situation Awareness Based on Network Simulation submitted by Himanshu Rai, Utkarsh Sagar and Vikas Gupta to the UPTU, Uttar Pradesh in partial fulfillment for the award of the Degree of Bachelor of Technology in Computer Science & Engineering is a bona fide record of the project work carried out by them under my supervision during the year 2014-2015.
Assistant Professor
Dept. of CSE
Dept. of CSE
CONTENTS
Title    Page
ACKNOWLEDGEMENTS
ABSTRACT    ii
LIST OF TABLES    iii
LIST OF FIGURES    iv
ABBREVIATIONS
NOMENCLATURE    vi
CHAPTER 1 INTRODUCTION
1.2 Background
2.1 Introduction    11
2.3.2 Scalability    12
2.3.3 Fidelity    13
2.3.4 Cost    13
2.5.3 NETSIM    19
2.5.4 OMNET++    19
2.5.5 QualNet    20
3.4.3 Requirements    39
3.6.2 Security    41
3.6.3 Maintenance    41
3.7.2 Outline    41
3.7.3 Survey    41
3.7.4 Design    42
3.7.5 Coding    42
3.7.6 Testing    42
REFERENCE    46
ACKNOWLEDGEMENT
We would like to express our deepest appreciation to all those who provided us the possibility to complete this report. Special gratitude goes to our project guide, Mrs. Sarita Bharti, and our project coordinator, whose stimulating suggestions and encouragement helped us to coordinate our project.
We would like to express our deep sense of gratitude to Prof. Bhawna Mallick (H.O.D.), Computer Science & Engineering Department, and all our faculty members for their support whenever required. We also appreciate the guidance given by other supervisors as well as the panels, especially in our project presentation, whose comments and advice improved our presentation skills. Special thanks to all our teammates and, last but not least, our parents for their encouragement and every possible support.
ABSTRACT
KEYWORDS: network security situation, network simulation, abstract packet-forwarding, situation awareness.
Network Security Situation Awareness is a comprehensive technology which can obtain and process security information, and it plays an important role in the field of network security. Since the traditional network security situation awareness methods mainly forecast the situation value based on mathematical models, which ignore the dynamic changes of network security situation elements, this paper presents a method of network security situation awareness based on network simulation. The method first constructs models of the various simulation elements; second, it constructs a network security situation awareness simulation scenario based on these models; third, it uses the abstract packet-forwarding method to quickly infer network security behaviors in the simulation scenario while recording important log information; finally, it evaluates the network security situation value based on the log information and forecasts the network security situation. Experiments show that this method can reduce the network security simulation time effectively and evaluate the network security situation value accurately.
List of Tables
Table    Title    Page
2.1    21
2.2    25
LIST OF FIGURES
Figure    Title    Page
1.1
1.2
2.1    11
2.2    12
2.3    16
2.4    Architecture of NS2    17
2.5    Architecture of OPNET    18
2.6    Architecture of NETSIM    19
2.7    Architecture of OMNET++    20
2.8    Architecture of QualNet    21
2.9    22
2.10    Experimental Setup    23
3.1    Experimental Setup    22
3.1    28
3.2    31
3.3    32
3.4    Computing Queue    32
3.5    35
3.6    Milestone Chart    42
3.7    0-level DFD    43
3.8    1-level DFD    44
3.9    Flow Diagram    45
ABBREVIATIONS
IDS    Intrusion Detection System
AIMS
NSSA    Network Security Situation Awareness
NSS
TTL    Time to Live
API    Application Programming Interface
VoT    Value of Threat
SYN    Synchronization
UDP    User Datagram Protocol
SQL    Structured Query Language
SA    Security Awareness
FTP    File Transfer Protocol
NOMENCLATURE
English Symbols
l    Length
C(t)    Number of packets in the computing queue at moment t
L(t)    Total byte length of the packets in the computing queue at moment t
t+    Moment just after a packet reaches the computing queue
L    Link
    Bandwidth of link L
dq    Queuing Delay
dt    Send Delay
    Propagation Delay
idh    Host ID
    Number of connections
    Correction Parameter
    Weight of Service
    Nodes weight
    Performance Variation
CHAPTER 1
INTRODUCTION
1.1 INTRODUCTORY CHAPTER
impact on the use of computer and network resources. The sophistication of network attacks has also been steadily increasing. First-generation attacks propagated uniquely named executables that could easily be stopped once discovered. Newer attacks use random names and execution patterns to evade signature-based Intrusion Detection Systems (IDS). Similarly, Denial of Service (DoS) attacks have grown in sophistication from single-computer attacks to distributed, mobile attacks.
With the size and complexity of networks continuously increasing, network security analysts face mounting challenges in securing their network infrastructure and monitoring it for attacks. This task is generally aided by various network security products, such as NetFlow, firewalls and host security systems. As the number of security incidents continues to increase, the task will become ever more insurmountable, and perhaps the main reason that network security monitoring is so difficult is the lack of tools that provide a sense of network security situational awareness, defined by the Department of Homeland Security as the ability to effectively determine an overall computer network status based on relationships between security events in multiple dimensions.
The fields of statistics, pattern recognition, machine learning, and data mining have been applied to network security situational awareness, and new systems, protocols and algorithms have been developed and adopted to prevent and detect network intruders automatically. Even with these advancements, the central feature of Stoll's story has not changed: humans are still crucial in the computer security process. Administrators must be willing to patiently observe and collect data on potential intruders, and they need to think quickly and creatively.
Unlike the traditional methods of analyzing textual network security log data, the information visualization approach has been shown to increase the efficiency and effectiveness of network intrusion detection significantly by reducing the human cognitive load. Information visualization can not only help analysts deal with the large volume of analytical data by taking advantage of computer graphics, but also help network administrators detect anomalies through visual pattern recognition. It can even be used to discover new types of attacks and to forecast the trend of unexpected events. Research in cyber security visualization has been growing and many visual design methods have been explored; some of the developed systems are IDGraphs, IP Matrix, Visual Firewall and many others. Even with the aid of information visualization, network security situational awareness remains difficult to describe, because security events are hard to quantify, the terminology and concepts become too obscure to understand, and the large number and scope of the available multi-source security data pose a great challenge to security analysts.
In our project, a novel visualization system, NetSecRadar, is proposed which can monitor the network in real time, present an overall view of the security situation and find the correlation of dangerous events in logs generated by multi-source network security products, using a radial graph that is aesthetically pleasing and has a compact layout for user interaction. The system utilizes multi-source data to analyze irregular behavioral patterns in order to identify and monitor the situation, and combines interaction, filtering and drill-down to uncover potentially relevant information.
1.2 BACKGROUND
and log files to evaluate the network security situation. In network security situation assessment, Xiu-zhen Chen proposed a quantitative hierarchical network security threat evaluation method which has become the mainstream of network security situation assessment [25]; Yong Wei and Yi-feng Lian proposed a network security situation assessment model based on log audit and a performance correction algorithm, building on the hierarchical network security situation assessment method [26].
In network security situation awareness, the traditional algorithms are based on statistical Bayesian techniques and the Gray Relational Model. They only give network managers the past and current state of the network security situation, but cannot forecast it. The abstract packet-forwarding method can process network behaviors in a network simulation quickly. This method not only reduces the simulation time, but also preserves the accuracy of the result.
To deal with the increased information security threats, many kinds of security equipment have been deployed in large-scale networks. This equipment produces a large number of security events, and it is very difficult to obtain the security state of the whole network precisely when facing so much warning information. To address this problem, many researchers have introduced the concept of situation awareness into Internet security systems. Bass was the first to introduce this concept into networking, putting forward a network security perception framework based on multi-sensor data fusion; it helps network administrators to identify, track and measure network attack activities. With reference to Endsley's situation awareness framework, Jibao and others developed a network security situation awareness model. On the other hand, following Bass's concept, Liu and others put forward a model of network security perception based on information fusion. In order to know the whole network security trend, we have to collect, fuse and analyze a great deal of information while decreasing the false positive and false negative rates. Yu and others reported a warning message fusion method based on weighted D-S evidence theory, which fuses information from sensors with different reliability and weight to increase the reliability of warning messages and decrease the false alarm rate effectively; the difficulty is how to set the reliability and weight of each sensor accurately. Wang and others suggested using a neural network for heterogeneous multi-sensor data fusion and considering the time and severity of the attack when analyzing the security situation. Stefanos et al. find latent correlations with the help of automatic knowledge discovery and realize correlation analysis among warning information. The advantage is the mechanism of automatic knowledge discovery; the disadvantage is that it does not always give satisfactory results without human interaction, and sometimes it may produce a great deal of useless messages.
Using network simulation software we can effectively build a variety of network environments and obtain various kinds of information about the network.
There are large amounts of data whose meaning can only be determined in the context of
the specifics of the monitored network. There are a large number of known patterns of
intrusions, but there are also a larger number of unknown or yet to be discovered patterns
of intrusions that must be made detectable. Finally, the intrusions themselves vary in
criticality with respect to the context in which the intrusion appears. The visualization
systems discussed in this paper each attempt to use visual presentation as a means of
mitigating these issues. While the visual display and user interaction techniques are
different for each class of visualization systems discussed, it is useful to understand how
the methodological approach of the class determines the context in which the system will
be effective. While no one approach has been shown to be superior to all others, lessons
can be learned from each methodological approach, allowing promising new areas of
investigation to be identified.
value of the network, which, based on artificial immune theory, can reflect the real-time state of the network. Fig. 1.2 illustrates the computation.
CHAPTER 2
LITERATURE SURVEY
With the rapid development of computer network technology, the growing openness, sharing and interconnection of computer networks have brought more and more convenience. At the same time, the rapid expansion of network size has increased complexity and uncertainty, and networks face serious challenges from attacks, unexpected events and threats to availability and security, so network security issues have become increasingly prominent. Traditional network security technologies operate as separate functional units, lacking effective information extraction and information fusion mechanisms; they are unable to establish links between network resources, perform poorly at providing global information, and cannot effectively manage massive amounts of network security information. Network security situation awareness techniques, proposed in this context, have become a hot spot and a development direction of the new generation of network security technology.
2.1 INTRODUCTION
We are living in what has been termed the "information age". In many domains, this has meant a huge increase in systems, displays and technologies. From voice control to sophisticated line-of-sight head-mounted displays, almost anything is possible in today's world, but too much is proving to be as big a challenge as too little once was. The problem is no longer lack of information, but finding what is needed when it is needed.
Network security has become more important to personal computer users, organizations, and the military. With the advent of the Internet, security became a major concern, and the history of security allows a better understanding of the emergence of security technology. The structure of the Internet itself allowed many security threats to occur. The architecture of the Internet, when modified, can reduce the possible attacks that can be sent across the network. Knowing the attack methods allows the appropriate security to emerge. Many businesses secure themselves from the Internet by means of firewalls and encryption mechanisms; they create an intranet to remain connected to the Internet while secured from possible threats. The entire field of network security is vast and in an evolutionary stage. The range of study encompasses a brief history dating back to
The block diagram of a simple simulator is shown in the figure. The controller and the controller element work simultaneously, and the process is then carried out to produce output.
can evaluate the basic behavior of a network and test combinations of network features that are likely to work. That is why it is important for any network simulator to be scalable, so that future improvements are easy to accommodate. A scalable network is always useful for an organization. The main requirements for network scalability are:
1. per-packet processing must be fast;
2. control and packet handling must be separated.
2.3.3 Fidelity
Fidelity is the degree of exactness with which something is copied or reproduced. In this context it means that the network simulator should produce a correct graph for the situation. Correctness and exactness are important in any network simulation software, which must not deviate from the original graph. In a real-time system, exactness is a must; without it, it is difficult to cope with the situation.
2.3.4 Cost
For any software, cost is a very important dimension to judge by. In production, research, retail, and accounting, a cost is the value of money that has been used up to produce something, and hence is no longer available for use. In business, the cost may be one of acquisition, in which case the amount of money expended to acquire the item is counted as cost; here money is the input that is given up in order to acquire the thing. This acquisition cost may be the sum of the cost of production as incurred by the original producer and further transaction costs incurred by the acquirer over and above the price paid to the producer. Usually, the price also includes a mark-up for profit over the cost of production. New technologies such as firewalls and IDS are used in network simulation software, and fetching data from them increases the overall cost of the software. Cost is therefore an important feature by which the performance of network simulation software can be judged.
2.4 TYPES OF SIMULATION
We have seen that in continuous systems the state variables change continuously with
respect to time, whereas in discrete systems the state variables change instantaneously at
separate points in time. Unfortunately for the computational experimentation there are but
a few systems that are either completely discrete or completely continuous state, although
often one type dominates the other in such hybrid systems. The challenge here is to find a
computational model that mimics closely the behaviour of the system, specifically the
simulation time-advance approach is critical. If we take a closer look into the dynamic
nature of simulation models, keeping track of the simulation time as the simulation
proceeds, we can distinguish between two time-advance approaches: time-driven and
event-driven.
2.4.1 Time-Driven Simulation
In a time-driven simulation we have a variable recording the current time, which is incremented in fixed steps. After each increment we check to see which events may happen at the current time point, and handle those that do. For example, suppose we want to simulate the trajectory of a projectile. At time zero we assign it an initial position and velocity. At each time step we calculate a new position and velocity using the forces acting on the projectile. Time-driven simulation is suitable here because there is an event (movement) that happens at each time step. How do we know when to stop the simulation? We can use either the criterion of time reaching a certain point, or the model reaching a certain state, or some combination of the two.
For continuous systems, time-driven simulations advance time with a fixed increment. With this approach the simulation clock is advanced in increments of exactly Δt time units. After each update of the clock, the state variables are updated for the time interval [t, t+Δt]. This is the most widely known approach in the simulation of natural systems. Less widely used is the time-driven paradigm applied to discrete systems. In this case we specifically have to consider whether the time step Δt is small enough to capture every event in the discrete system.
Here's a general algorithm for time-driven simulation:
1. Initialize the system state and simulation time.
2. While the simulation is not finished:
   a. collect statistics about the current state;
   b. handle events that occurred between the last step and now;
   c. increment the simulation time.
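The loop above, worked through for the projectile case the text uses, as an added example that is not part of the original report. It assumes gravity is the only force and uses a semi-implicit Euler update; both stop criteria (time limit, model reaching a state) are implemented. The `step_is_fine` function is the check the previous paragraph asks for when the paradigm is applied to a discrete system, namely whether Δt is small enough that no two events fall into one step; the event instants fed to it are constructed.

```python
"""Time-driven simulation of a projectile (added example, not from the report).

Follows the three-step loop: collect statistics, handle the events that happened
since the last step, advance the clock by a fixed dt. The stop criterion combines
"time reached a limit" with "model reached a state" (the projectile landed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

G = 9.81  # gravitational acceleration in m/s^2 (assumed constant; the only force modelled)


@dataclass
class State:
    t: float = 0.0    # simulation clock, seconds
    x: float = 0.0    # horizontal position, metres
    y: float = 0.0    # height above ground, metres
    vx: float = 0.0   # horizontal velocity, m/s
    vy: float = 0.0   # vertical velocity, m/s


@dataclass
class Stats:
    samples: List[Tuple[float, float, float]] = field(default_factory=list)  # (t, x, y)
    max_height: float = 0.0


def collect(s: State, st: Stats) -> None:
    """Step a of the loop: record statistics about the current state."""
    st.samples.append((s.t, s.x, s.y))
    st.max_height = max(st.max_height, s.y)


def handle_movement(s: State, dt: float) -> None:
    """Step b: the one event that happens every step, integrating the forces over [t, t+dt].
    Velocity is updated before position (semi-implicit Euler), which is stable here."""
    s.vy -= G * dt
    s.x += s.vx * dt
    s.y += s.vy * dt


def simulate(vx0: float, vy0: float, dt: float, t_max: float) -> Stats:
    """Run the time-driven loop from launch until landing (y <= 0) or until t_max."""
    s = State(vx=vx0, vy=vy0)
    st = Stats()
    while s.t < t_max:                 # criterion 1: time reached a certain point
        collect(s, st)
        handle_movement(s, dt)
        s.t += dt                      # step c: advance the clock by exactly dt
        if s.y <= 0.0:                 # criterion 2: model reached a certain state
            collect(s, st)
            break
    return st


def events_per_step(event_times: List[float], dt: float) -> Dict[int, List[float]]:
    """Group the instants at which discrete events occur by the clock step that observes them."""
    bins: Dict[int, List[float]] = {}
    for e in sorted(event_times):
        bins.setdefault(int(e // dt), []).append(e)
    return bins


def step_is_fine(event_times: List[float], dt: float) -> bool:
    """The check for the discrete-system caveat: dt is small enough only if no two events
    fall into the same step, otherwise their order (and any causal link) is lost."""
    return all(len(v) <= 1 for v in events_per_step(event_times, dt).values())


if __name__ == "__main__":
    result = simulate(vx0=10.0, vy0=10.0, dt=0.01, t_max=10.0)
    t_land, x_land, _ = result.samples[-1]
    print(f"landed at t={t_land:.2f}s, x={x_land:.2f}m, apex={result.max_height:.2f}m")
    # Constructed event instants for the discrete-system check.
    print("dt=0.5 fine?", step_is_fine([0.3, 0.4, 1.2], 0.5))    # two events share one step
    print("dt=0.05 fine?", step_is_fine([0.3, 0.4, 1.2], 0.05))
```

With `dt=0.01` the projectile lands just after t = 2.0 s with an apex near 5 m, close to the analytic values; shrinking `dt` moves both closer, which is the fidelity-versus-cost trade-off the earlier sections describe.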
Fig 2.3 Typical discontinuities in time versus state trajectories of continuous systems or
its higher order derivative with respect to time[29]
developed by OPNET Technologies, Inc. OPNET was originally developed at the Massachusetts Institute of Technology (MIT) and has been commercial software since 1987. It provides a comprehensive development environment supporting the modeling of communication networks and distributed systems. Both the behavior and the performance of modeled systems can be analyzed by performing discrete event simulations. The main programming language in OPNET is C (recent releases support C++ development). The initial configuration (topology setup, parameter setting) is usually achieved using the Graphical User Interface (GUI), a set of XML files or C library calls. Simulation scenarios (e.g., parameter change after some time, topology update, etc.) usually require writing C or C++ code, although in simpler cases one can use special scenario parameters (e.g., link fail/restore time) [13]. The component diagram of OPNET is given below.
2.5.3 NetSim
NetSim is a discrete event simulator developed by Tetcos in 1997, in association with the Indian Institute of Science. NetSim has also been featured in Computer Networks and Internets, fifth edition, by Dr. Douglas Comer, published by Prentice Hall. It has an object-oriented system modeling and simulation (M&S) environment to support the analysis of voice and data communication scenarios for High Frequency Global Communication Systems (HFGCS). It creates fast, platform-independent software that could be used in simple consumer electronic products. Java is designed for simple, efficient, platform-independent programs for creating WWW-based applications. Using Java one can create small programs called applets that are embedded into an HTML document and viewable on any Java-compatible browser. Java applets are compiled into a set of byte-codes, or machine-independent processing instructions. The component diagram of NETSIM is given in the figure.
2.5.4 OMNET++
It is a component-based, modular and open-architecture discrete event simulator framework. The most common use of OMNET++ is for the simulation of computer networks, but it is also used for queuing network simulations and other areas as well. It is licensed under its own Academic Public License, which allows GNU Public License-like
2.5.5 QualNet
It is a commercial network simulator from Scalable Network Technologies, Inc., released in 2000-2001. It is ultra high-fidelity network simulation software that predicts wireless, wired and mixed-platform network and networking device performance, and a simulator for large, heterogeneous networks and the distributed applications that execute on such networks. For implementing new protocols, QualNet uses C/C++ and follows a procedural paradigm. It uses the Parallel Simulation Environment for Complex Systems (PARSEC) for basic operations, and hence can run on distributed machines. It is a commercial version of GloMoSim used by Scalable Network Technologies for their defense projects. The component diagram of QualNet is given in Fig. 2.8.
Fig. 2.8 Architecture of QualNet
TABLE 2.1
The framework for network security situation awareness proposed in this paper is based upon knowledge discovery and consists of two parts, the modeling of the network security situation and the generation of the network security situation, as shown in Fig. 2.9. The modeling of the network security situation constructs the formal model adapted for measuring the network security situation based upon D-S Evidence Theory [4], and supports the general process of fusion and correlation analysis of the various types of alert events from security situation sensors. The generation of the network security situation primarily consists of three steps: first, acquiring attack patterns through interactive knowledge discovery by introducing the FP-Tree and WINEPI algorithms; second, transforming the discovered frequent patterns and sequential patterns into correlation rules for alert events; finally, implementing the dynamic generation of the network security situation graph based upon the network security situation generation algorithm.
In order to verify the effectiveness of the method, the following experiment model is constructed, as shown in Fig. 2.10. Server nodes provide the corresponding network services; the user and the attacker can access the server nodes through the network. The server nodes, IDS and firewall produce the corresponding log information and performance information of the server nodes. The service information S(id, idh, name, CDs) of the server nodes is expressed as follows:
(Server1, Web Server, Web, 0.4)
(Server2, Ftp Server, Ftp, 0.3)
(Server3, DataBase, Database, 0.3)
We build the simulation scenario using GTNetS. Server1 can be attacked by a SYN flood attack, a UDP flood attack and a Unicode decoding vulnerability attack; Server2 can be attacked by the MSBLAST worm; Server3 can be attacked by an SQL injection attack. All of the server nodes may be attacked by an unknown attack. All attacks come from the attacker. The academic security threat values of the various attacks are determined as follows.
SYN flood: 0.2
UDP flood: 0.4
Unicode decoding vulnerability: 0.1
MSBLAST worm: 0.4
SQL injection: 0.2
The simulation scenario is operated as follows:
1) The user visits Server1, Server2 and Server3 normally during the experiment.
2) The attacker launches attacks every two seconds (attack one second, sleep one second).
From the calculation of the simulation results, we obtain the network security situation graph shown in Fig. 10. The horizontal axis is time and the vertical axis is the network security situation value. At the first point, no server node is detected as being attacked, but there are significant changes in the performance of Server2. At the sixth point, Server1 is detected being attacked by SYN flood and UDP flood and Server2 is detected being attacked by the MSBLAST worm; meanwhile both servers show changes in performance.
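As an added example that is not part of the report or of the referenced experiment, the following Python code turns a constructed log of the scenario above into a situation series of the kind plotted on the graph's vertical axis. The text gives the service weights and the threat values but not how they are combined, so the aggregation used here (service weight times the threat value of each attack detected on that server, summed per tick), the value assigned to an "unknown attack", and the key=value log format are all assumptions.

```python
"""Scoring an experiment log into a network security situation series (added example).

The report lists the service weights S(id, idh, name, CDs) and the academic threat values
of the attacks, but not the aggregation formula. The one used here is an ASSUMPTION:
situation(t) = sum over servers of weight(server) * sum of threat(attack) for every attack
the IDS detected on that server at tick t. The log format and its entries are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Service weights (the CDs column of the service table in the text).
SERVICE_WEIGHT: Dict[str, float] = {"Server1": 0.4, "Server2": 0.3, "Server3": 0.3}

# Academic security threat values listed in the text.
THREAT_VALUE: Dict[str, float] = {
    "SYN flood": 0.2,
    "UDP flood": 0.4,
    "Unicode decoding vulnerability": 0.1,
    "MSBLAST worm": 0.4,
    "SQL injection": 0.2,
}
UNKNOWN_ATTACK_THREAT = 0.5  # ASSUMED placeholder: the text gives no value for "unknown attack"

# Constructed IDS/performance log in a made-up key=value format (not the report's log format).
SAMPLE_LOG = """\
t=1 server=Server2 event=performance_change
t=6 server=Server1 event=alert attack=SYN flood
t=6 server=Server1 event=alert attack=UDP flood
t=6 server=Server2 event=alert attack=MSBLAST worm
t=6 server=Server2 event=performance_change
t=8 server=Server3 event=alert attack=SQL injection
t=8 server=Server3 event=alert attack=unknown
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^t=(\d+) server=(\S+) event=(\w+)(?: attack=(.+))?$")

Entry = Tuple[int, str, str, Optional[str]]  # (tick, server, event, attack or None)


def parse_log(text: str) -> List[Entry]:
    """Parse the log, silently skipping lines that do not have the expected shape."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, server, event, attack = m.groups()
            entries.append((int(t), server, event, attack))
    return entries


def threat_of(attack: str) -> float:
    """Threat value of a detected attack; unrecognised names get the assumed placeholder."""
    return THREAT_VALUE.get(attack, UNKNOWN_ATTACK_THREAT)


def situation_series(entries: List[Entry]) -> Dict[int, float]:
    """Weighted situation value per tick, for ticks that carry at least one alert."""
    series: Dict[int, float] = defaultdict(float)
    for t, server, event, attack in entries:
        if event != "alert" or attack is None:
            continue  # performance changes are observed but not scored in this aggregation
        # Servers absent from the service table carry no weight and contribute nothing.
        series[t] += SERVICE_WEIGHT.get(server, 0.0) * threat_of(attack)
    return dict(series)


def server_contributions(entries: List[Entry], tick: int) -> Dict[str, float]:
    """Break one tick's value down by server, so an analyst can see where the threat sits."""
    out: Dict[str, float] = defaultdict(float)
    for t, server, event, attack in entries:
        if t == tick and event == "alert" and attack is not None:
            out[server] += SERVICE_WEIGHT.get(server, 0.0) * threat_of(attack)
    return dict(out)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for t, v in sorted(situation_series(log).items()):
        print(f"t={t:>2}  situation={v:.2f}  by server={server_contributions(log, t)}")
```

Run stand-alone, the script reports the sixth tick as the peak of the constructed series, because both Server1 (two attacks) and Server2 (one high-value attack) raise alerts there, mirroring the sixth point described in the text.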
CHAPTER 3
PROPOSED WORK
The process of traditional situation awareness can be visually represented by a three-level model. The contents of network security situation awareness can be summarized in three aspects: 1. network security situation element extraction; 2. network security situation assessment; and 3. network security situation awareness. This project is concerned with situation awareness, network health visualization and, subsequently, preventive actions against intrusions. In network security situation element extraction, Jajodia collected network vulnerability information to assess the network vulnerability situation, and Ning collected network alert information to assess the network threat situation. Information collected from a single aspect cannot capture the network security situation accurately, so obtaining comprehensive information, and the relevance of that information, is particularly important. In this paper, we obtain comprehensive information and its relevance from node performance and log files to evaluate the network security situation. In network security situation assessment, Xiu-zhen Chen proposed a quantitative hierarchical network security threat evaluation method which has become the mainstream of network security situation assessment. Yong Wei and Yi-feng Lian proposed a network security situation assessment model based on log audit and a performance correction algorithm, building on the hierarchical network security situation assessment method. In network security situation awareness, the traditional algorithms are based on statistical Bayesian techniques and the Gray Relational Model. They only give network managers the past and current state of the network security situation, but cannot forecast it. The abstract packet-forwarding method can process network behaviors in a network simulation quickly. This method not only reduces the simulation time, but also preserves the accuracy of the result.
3.1
Firewalls and IDS both inspect network packets according to certain rules to determine whether to forward them, in order to protect the network; therefore the firewall and the IDS use the same design model. As shown in Fig. 3.1, the Firewall and IDS model includes five modules: command recognition, command processing, packet filter, processing result and log entry. Command recognition recognizes the rules; command processing supports command recognition through some APIs; the packet filter filters packets by the rules; processing result decides whether to forward the packet; and log entry records important information for users to check.
Firewall rules include the operation, source/destination address, packet survival information (TTL), protocol and port. IDS rules are divided into two parts: the rule header and the rule options. The rule header contains the operation, protocol, source/destination address and source/destination port information. The rule options include alarm information and the rules used to determine whether to trigger a response action. The rule options are an important part of the core of the IDS detection engine, and they are flexible and powerful. Their flexibility means that you can add appropriate options for the detection of different behaviors. Rule options are separated from one another by semicolons, and within an option the keyword and its parameters are separated by a colon (:).
Snort is an open source IDS based on passive signature matching. All attack patterns are formulated as detection rules. Each rule has two parts: a rule header and rule options. The rule header contains the rule action, protocol, source/destination IP addresses and netmasks, and the source and destination port information. The rule option section contains alert messages and information denoting which parts of the packet should be compared to determine whether the rule action should be taken. Snort acquires network packets via the libpcap library.
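The rule structure described in the two preceding paragraphs (a header, then semicolon-separated keyword:parameter options) can be exercised with a small parser and matcher. The following Python is an added example, not Snort's or AIMS's code: it implements a simplified form of the Snort rule grammar (only the msg, content and sid options are interpreted, only the -> direction is handled, negation with ! and lo:hi port ranges are supported) and applies the parsed rules to constructed packets, producing the lines the model's log entry module would record. The rules, addresses and sids are illustrative.

```python
"""Parsing and applying Snort-style rules (added example, not Snort's own code).

Rule grammar as described above: a header (action, protocol, source address and port,
direction, destination address and port) followed by options in parentheses, separated
by semicolons, each written keyword:parameters. Only msg, content and sid are interpreted;
the direction handled is '->'. Rules and packets below are constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    options: Dict[str, str] = field(default_factory=dict)

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

def split_options(text: str) -> List[str]:
    """Split on ';' except inside double quotes, so a quoted msg may itself contain ';'."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_rule(text: str) -> Rule:
    """Rule header via the regex, then each option as keyword:parameters (quotes stripped)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options: Dict[str, str] = {}
    for opt in split_options(opts):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto.lower(), src, sport, dst, dport, options)

def addr_matches(spec: str, ip: str) -> bool:
    """'any', a host, a CIDR block, or any of those negated with a leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def port_matches(spec: str, port: int) -> bool:
    """'any', one port, or a 'lo:hi' range with either bound optional."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first; the payload-dependent 'content' option last."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.src_port, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dst_port, pkt.dport)):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.payload

def inspect(rules: List[Rule], pkt: Packet) -> List[str]:
    """The 'log entry' module: one line per rule the packet triggers."""
    return [f"[{r.action}] sid={r.options.get('sid', '?')} {pkt.proto} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} msg={r.options.get('msg', '')!r}"
            for r in rules if rule_matches(r, pkt)]

# Constructed rules; addresses, messages and sids are illustrative.
SAMPLE_RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"Path traversal in request; review"; content:"../"; sid:1000001;)',
    'alert udp any any -> 192.168.1.10 53 (msg:"DNS query to protected resolver"; sid:1000002;)',
    'log tcp !192.168.1.0/24 any -> 192.168.1.0/24 1:1024 (msg:"External host to privileged port"; sid:1000003;)',
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.0.5", 40000, "192.168.1.20", 80, b"GET /static/../../config HTTP/1.0"),
                Packet("tcp", "192.168.1.5", 40001, "192.168.1.20", 80, b"GET /index.html HTTP/1.0"),
                Packet("udp", "10.0.0.5", 5000, "192.168.1.10", 53, b"\x12\x34\x01\x00")):
        for line in inspect(SAMPLE_RULES, pkt) or ["(no rule fired)"]:
            print(line)
```

The header fields are checked before the payload so that the expensive content search only runs on packets that already match address, port and protocol, which is also why a rule's header is the part an engine indexes on.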
Snort then decodes the captured packets and sends them to the detection engine for intrusion identification. Similar to Snort, AIMS defines a set of attack pattern rules to describe attack behaviors. However, AIMS additionally defines alarm rules and threshold rules for anomaly detection. In AIMS, there are three different kinds of rules in total. The alarm rules are used to detect anomalous network conditions. The pattern rules are the normal signature matching rules. The threshold rules are used to decide whether some network statistic is anomalous. A shortcoming of Snort is that its maintenance requires manual operation and is inflexible. The administrator must manually add new
viewpoint, AppletTrap is indeed an HTTP proxy server. If some ActiveX and Java Applet code segments have unrecognized certificates, AppletTrap blocks the code segments. The blocking lists in AppletTrap are updateable to stop unknown malicious Java Applets and JavaScripts. Compared with AppletTrap, AIMS adopts different approaches. For example, AIMS uses active packets to update rules, whereas AppletTrap uses a web interface to update its rules. In addition, system management is complicated when many AppletTrap nodes are online in the network. Furthermore, AppletTrap is designed only for HTTP access, whereas AIMS is designed to monitor all network packets passing through AIMS nodes. FLAME is a performance-enhanced version of the Lightweight Active Management Environment (LAME). It provides programmers a flexible and secure programming environment. To meet its security requirements, FLAME uses Cyclone as the secure programming language in its active packet design. Third parties may write their own modules in Cyclone and deploy them on FLAME nodes; for example, programmers can write a worm detection module and install it on FLAME nodes. Compared with FLAME, AIMS is not designed as a general-purpose active network system. Instead, AIMS is natively an intrusion detection system employing active network technology. Therefore, AIMS provides a dynamically programmable platform on which new intrusion detection modules or customized detection rules can be applied flexibly. For efficiency, AIMS is also developed in Cyclone, as FLAME is. However, for security and efficiency reasons, AIMS does not allow on-line compilation as adopted in FLAME. IBAN (Intrusion Blocker based on Active Networks) is a distributed intrusion prevention system based on active networks. IBAN performs vulnerability scanning and inline intrusion detection and blocking. It consists of a management station, a mobile vulnerability scanner and mobile intrusion blockers. However, because IBAN relies heavily on active networks, it inherits the limitations native to active networks: to deploy IBAN, the active network environments ANTS and SANTS need to be deployed first.
3.1.2 Node Performance
Nodes in network simulation software do not have real performance characteristics as
nodes in the real world do, so appropriate parameters must be added to the node model to
represent node performance. These performance parameters are updated while packets are
processed, in order to reflect changes in node performance. The structure of node
performance is shown in Fig 3.2.
3.2 ABSTRACT PACKET-FORWARDING
Most of the time of a network simulation is spent simulating packet forwarding. Therefore,
the most effective way to reduce simulation time is to abstract and simplify the packet
forwarding simulation model. Fig. 3.3 depicts the packet forwarding simulation process in
traditional discrete-event network simulation. Packets go through the buffer queue and the
discrete-event queue in turn. Because of these two queues, the simulation has to do more
work: on the one hand, packets constantly enter and leave the buffer queue; on the other
hand, the discontinuous processing increases the number of discrete events that have to be
processed. The abstract packet-forwarding method solves both problems and makes the
network simulation more efficient.
For one packet p, whose length in bytes is l_p, transmitted from the node S to the next node
N through link L: between the node S and link L lies the corresponding computing queue
F. The time from packet p reaching queue F to its transmission onto link L is t. The moment
just before packet p reaches F is t−; the number of packets in F at that moment is C(t−) and
the total length in bytes of all packets in F is L(t−). The moment just after packet p reaches
F is t+; the number of packets in F is then C(t+) and the total length in bytes of all packets
in F is L(t+). The bandwidth of L is B; the propagation delay is 0; the maximum length in
bytes of F is max. In this case, whether to drop p or not is determined by the following
formula:
If p is not dropped, then after p reaches F, C(t+) and L(t+) are obtained by the following
formulas:
For two packets p1, p2 transmitted from the node S to the next hop node N through link L:
between the node S and link L lies the corresponding computing queue F. The times from
packets p1, p2 reaching F to their transmission onto link L are t1, t2 respectively. The
moment just before packet p1 reaches F is t1−; the number of packets in F is C(t1−); the
total length in bytes of all packets in F is L(t1−); the moment just after packet p1 reaches F
is t1+; the number of packets in F is C(t1+); the total length in bytes of all packets in F is
L(t1+). Assume the moment just before packet p2 reaches F is t2−; the number of packets
in F is C(t2−); the total length in bytes of all packets in F is L(t2−); the moment just after
packet p2 reaches F is t2+; the number of packets in F is C(t2+); the total length in bytes of
all packets in F is L(t2+). The bandwidth of L is B. If p1 and p2 are both not dropped,
t1 < t2 and no packet reaches F between p1 and p2, we can use the following recursive
formula:
The function pos(x) is defined so that pos(x) = 0 when x < 0 and pos(x) = x when x ≥ 0.
Assuming l_i is the length in bytes of the i-th packet in queue F at time t2−, C(t2−)
must satisfy the following formula:
Equations (1)-(6) are the computational realization of packet forwarding: (1)-(2) determine
whether to drop the packet and its delay time; (3)-(4) give the changes of the computing
queue when a packet reaches F; (5)-(6) give the changes of the computing queue when two
consecutive packets reach F; (3)-(6) together give the changes of the computing queue
while a network simulation scenario is running.
3.2.1
As shown in Fig. 3.4, discrete events no longer need to enter and leave the discrete-event
queue when continuous multi-hop processing replaces the traditional single-hop processing
in network simulation. Continuous multi-hop processing is realized on top of the computing
queue. Since delay time and packet loss over consecutive hops can be accumulated, both
can be obtained in one step. Continuous multi-hop processing may, however, cause packets
to reach the next node out of chronological order, which is called "out of order", so that the
computing queue's parameters, transmission delay and packet loss, may be wrong. To
resolve "out of order", we decide whether to use continuous multi-hop processing according
to the link condition: when a link reaches its bottleneck, packets should pass through the
computing queue and the discrete-event queue normally and this hop should be processed
together with the previous hops; otherwise, packets do not need to enter and leave the
computing queue and discrete-event queue, and this hop should be processed together with
the following hops. By using the abstract packet-forwarding method, the traditional network
simulation processing model changes from Fig. 3.3 to Fig 3.5.
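The computing-queue model of Sections 3.2 and 3.2.1 worked through in code, as an added example that is not part of the original report. Because equations (1)-(6) are not reproduced on this page, the concrete formulas used here are this example's own assumptions: tail drop when the queued bytes plus l_p would exceed max, a queueing delay of L(t−)/B, draining between arrivals via pos(L(t1+) − B·(t2 − t1)) with C(t2−) counted from the tail of the queue, and a utilization threshold that decides whether a hop is at its bottleneck. The packet burst is constructed.

```python
"""Computing-queue model of abstract packet forwarding (added example).

Assumed formulas (the report's equations (1)-(6) are not on the page):
  drop p   : L(t-) + l_p > max            -> tail drop
  delay    : L(t-) / B                    -> bytes ahead of p must leave first
  arrival  : C(t+) = C(t-) + 1, L(t+) = L(t-) + l_p
  drain    : L(t2-) = pos(L(t1+) - B * (t2 - t1)); C(t2-) = number of queued
             packets whose lengths, counted from the tail, cover L(t2-)
"""
from collections import deque
from dataclasses import dataclass, field


def pos(x: float) -> float:
    """pos(x) from the text: 0 when x < 0, x otherwise."""
    return x if x > 0 else 0.0


@dataclass
class ComputingQueue:
    bandwidth: float            # B, bytes per second
    max_bytes: int              # maximum length in bytes of F
    last_time: float = 0.0      # moment of the last update
    queued_bytes: float = 0.0   # L(t): bytes waiting in F
    packets: deque = field(default_factory=deque)  # lengths of queued packets, head first

    def drain_to(self, now: float) -> None:
        """Advance F from last_time to now using the recursive formula."""
        self.queued_bytes = pos(self.queued_bytes - self.bandwidth * (now - self.last_time))
        self.last_time = now
        # C(t2-): keep the youngest packets whose lengths (from the tail) cover L(t2-);
        # a partially transmitted head packet still counts as queued.
        kept, total = [], 0.0
        for length in reversed(self.packets):
            if total >= self.queued_bytes - 1e-9:
                break
            kept.append(length)
            total += length
        self.packets = deque(reversed(kept))

    @property
    def count(self) -> int:
        """C(t): number of packets in F."""
        return len(self.packets)

    def arrive(self, now: float, length: int):
        """Packet p of `length` bytes reaches F at `now`.
        Returns (dropped, delay); delay is the time from reaching F to entering link L."""
        self.drain_to(now)                                  # state just before p: C(t-), L(t-)
        if self.queued_bytes + length > self.max_bytes:     # assumed drop rule (tail drop)
            return True, None
        delay = self.queued_bytes / self.bandwidth          # L(t-) / B
        self.queued_bytes += length                         # L(t+) = L(t-) + l_p
        self.packets.append(length)                         # C(t+) = C(t-) + 1
        return False, delay


def run_burst(queue: ComputingQueue, arrivals):
    """Feed (time, length) arrivals through one computing queue."""
    return [(t, l, *queue.arrive(t, l)) for t, l in arrivals]


def forward_multi_hop(hops, now: float, length: int, busy_fraction: float = 0.5):
    """Continuous multi-hop processing (Section 3.2.1) in this example's assumed form:
    a hop whose queue holds less than `busy_fraction` of its limit is not a bottleneck,
    so the packet is charged only the serialization time l_p / B without entering and
    leaving that computing queue; a hop at or above the fraction goes through the queue.
    Returns (dropped, accumulated delay over the path)."""
    total, t = 0.0, now
    for q in hops:
        q.drain_to(t)
        if q.queued_bytes / q.max_bytes < busy_fraction:
            delay = length / q.bandwidth
        else:
            dropped, delay = q.arrive(t, length)
            if dropped:
                return True, total
            delay += length / q.bandwidth
        total += delay
        t += delay
    return False, total


# Constructed burst: three 1000-byte packets at t=0, then an 800-byte packet at t=1.5 s
SAMPLE_BURST = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.5, 800)]


def demo():
    """Run the constructed burst through a 1000 B/s link with a 2500-byte queue."""
    q = ComputingQueue(bandwidth=1000.0, max_bytes=2500)
    results = run_burst(q, SAMPLE_BURST)
    return results, q.count, q.queued_bytes


if __name__ == "__main__":
    for t, l, dropped, delay in demo()[0]:
        print(f"t={t:.1f}s len={l:4d} " + ("DROPPED" if dropped else f"delay={delay:.2f}s"))
```

With the constructed burst the third packet is dropped because 2000 + 1000 bytes exceed the 2500-byte queue, and the packet arriving at 1.5 s finds only 500 bytes ahead of it, since the queue has drained 1500 bytes in the meantime: this is the accumulation the text describes, obtained without any per-packet discrete event.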
Fig 3.5 Network Security Situation Assessment Based on Network Simulation Log Files
3.3
As shown in Fig. 3.5, we extract network security incidents and calculate the value of the
network security situation from the network simulation log files.
3.3.1 Event Extraction
Event extraction uses a rule-based log audit method. First, we obtain preliminary security
incidents by matching the rule base against the log information. Second, we remove
duplicate security incidents by merging security incidents. Finally, we obtain the node's
theoretic security threat. The node's theoretic security threat is the security situation of a
service node when it is attacked. Its value, namely VoT, is the cumulative sum of the attack
threats. Attack severity is defined according to the Snort User Manual.
3.3.2
The value of a node's security situation reflects the status of the server node more
accurately than the node's theoretic security threat does. In this paper we calculate the
value of a node's security situation using a performance correction algorithm. Performance information P
is denoted by (idh, timep, , , , , ), idh represents node's ID, timep represents the time
from the beginning to the present; the performance parameters of node is ( , , , , ).
represents the number of packets processed; is the amount of memory used; is the
number of connections; is the sum of packets length which is processed; is the number
of packets dropped. The minimum values of performance parameters are 0 and the
maximum are (0, 0, 0, 0, 1). 0 is the maximum number of packets which can be
processed by server node per unit time; 0 is the maximum size of memory; 0 is the
maximum allowable number of connections; 0 is the maximum flow rate; 1 represents
that all the packets are dropped and = . Node performance P can be measured by using
the following formula:
At the beginning of a period of time, node performance parameters are (1, 1, 1, 1, 1), at
the end of this period, node performance parameters are (2, 2, 2, 2, 2). According to
(7), we can know:
Correcting the node's theoretic security threat with the performance variation ΔP, we get
the value of the node's security situation SAh according to the following formula.
The correction parameter takes a value in [0,1] and represents the weight of node
performance in the value of the node's security situation. When it is 0, SAh represents the
node's theoretic security threat; when it is 1, SAh represents the node performance change.
3.3.3
After getting the value of each node's security situation, we can calculate the value of the
network security situation using the weight of each service in the network. Service
information S is denoted by (ids, idh, name, CDs): ids represents the server's ID; idh
represents the server node's ID; name represents the service name; CDs represents the
weight of the service. We obtain the service node's weight CDh with the following formula.
m is the number of services provided by the service node. The cumulative sum of the
weights of all network services is 1. Finally, we calculate the value of the network security
situation SA from each server node's SAh and CDh.
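The log-audit and situation-assessment steps of Sections 3.3.1 to 3.3.3 as one added Python example, not the report's own code. The rule base, log lines, severities, service weights and performance samples are constructed; because the report's formulas from (7) onward are absent from this page, the normalization of P as the mean of each parameter over its maximum, the linear correction SAh = (1 − μ)·VoT + μ·ΔP (chosen because it meets the two endpoints the text states), and the five-second duplicate-merge window are this example's own assumptions.

```python
"""Rule-based log audit and situation assessment (added example, not the report's code).

Assumptions (the report's formulas are absent from the page):
  P     = mean over the five parameters of value / maximum (drop ratio already in [0,1])
  dP    = P at the end of the period - P at the beginning
  SAh   = (1 - mu) * VoT + mu * dP   for the correction parameter mu in [0, 1]
  CDh   = sum of CDs over the services hosted on node h
  SA    = sum over nodes of CDh * SAh
"""
import re
from collections import defaultdict

# Constructed rule base: (name, signature pattern, attack severity); the severity values
# are made up for this example, the report takes them from the Snort User Manual
RULES = [
    ("sql_injection", re.compile(r"SQL injection", re.I), 3.0),
    ("port_scan", re.compile(r"port ?scan", re.I), 1.0),
    ("buffer_overflow", re.compile(r"buffer overflow", re.I), 4.0),
]

# Constructed simulation log lines: time in seconds, node id, free-text message
SAMPLE_LOG = """\
t=10 node=web1 msg=SQL injection attempt in query string
t=11 node=web1 msg=SQL injection attempt in query string
t=12 node=db1 msg=portscan from simulated host
t=40 node=web1 msg=SQL injection attempt in query string
t=41 node=mail1 msg=message delivered
""".splitlines()

LINE_RE = re.compile(r"t=(\d+) node=(\S+) msg=(.*)")


def extract_events(lines):
    """Step 1: match each log line against the rule base -> (time, node, signature, severity)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t, node, msg = int(m.group(1)), m.group(2), m.group(3)
        for name, pattern, severity in RULES:
            if pattern.search(msg):
                events.append((t, node, name, severity))
                break
    return events


def merge_events(events, window=5):
    """Step 2: merge duplicates, i.e. the same signature on the same node within `window`
    seconds of the last kept occurrence (the window is an assumption of this example)."""
    kept, last_seen = [], {}
    for t, node, sig, sev in sorted(events):
        if (node, sig) in last_seen and t - last_seen[(node, sig)] <= window:
            continue
        last_seen[(node, sig)] = t
        kept.append((t, node, sig, sev))
    return kept


def theoretic_threat(events):
    """Step 3: VoT per node = cumulative sum of the attack severities."""
    vot = defaultdict(float)
    for _, node, _, sev in events:
        vot[node] += sev
    return dict(vot)


def performance_value(params, limits):
    """Node performance P from (packets, memory, connections, bytes, drop ratio)."""
    return sum(v / m for v, m in zip(params, limits)) / len(params)


def node_situation(vot, delta_p, mu):
    """SAh: mu=0 gives the theoretic threat, mu=1 gives the performance change."""
    if not 0.0 <= mu <= 1.0:
        raise ValueError("correction parameter must lie in [0,1]")
    return (1.0 - mu) * vot + mu * delta_p


def node_weights(services):
    """CDh: sum of the weights CDs of the services a node provides; all CDs sum to 1."""
    weights = defaultdict(float)
    for _sid, node, _name, cds in services:
        weights[node] += cds
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("service weights must sum to 1")
    return dict(weights)


# Constructed service table (ids, idh, name, CDs), parameter maxima, and per-node
# performance samples at the start and end of the observation period
SERVICES = [(1, "web1", "http", 0.5), (2, "db1", "mysql", 0.3), (3, "mail1", "smtp", 0.2)]
LIMITS = (1000, 1000, 100, 10000, 1)          # maxima per unit time; last one is a ratio
PERF = {
    "web1": ((100, 200, 10, 5000, 0.0), (600, 500, 60, 9000, 0.2)),
    "db1": ((50, 100, 5, 1000, 0.0), (50, 100, 5, 1000, 0.0)),
    "mail1": ((10, 50, 2, 500, 0.0), (10, 50, 2, 500, 0.0)),
}


def assess(lines=SAMPLE_LOG, mu=0.5):
    """Whole pipeline: log lines -> VoT -> SAh per node -> network SA."""
    vot = theoretic_threat(merge_events(extract_events(lines)))
    sah = {}
    for node, (p_start, p_end) in PERF.items():
        delta_p = performance_value(p_end, LIMITS) - performance_value(p_start, LIMITS)
        sah[node] = node_situation(vot.get(node, 0.0), delta_p, mu)
    weights = node_weights(SERVICES)
    sa = sum(weights[node] * sah[node] for node in sah)
    return vot, sah, sa
```

On the constructed log the two web1 alerts one second apart merge into one incident while the one thirty seconds later is kept, so web1 ends with VoT = 6 and db1 with VoT = 1; with μ = 0.5 the degraded web1 node is corrected upward by its performance change and the network value follows the service weights. Note that VoT (a sum of severities) and ΔP (a ratio) are on different scales, so a practitioner would normalize VoT before mixing them; the page does not say how, and this example leaves that step out.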
overview of an entire system, identifying all its elements at some level of abstraction, and
low-level design, which exposes the detailed design of each of these elements. This work
is expected to be completed in the months of October-November.
3.7.5 Coding
This phase is the core of the project. It contains the various pieces of code required to make
the modified algorithm work. With the help of this code, the comparison between the
original algorithm and the modified algorithm will be made. The coding phase is a crucial
part of the project, as it requires modifying the algorithm to obtain optimum results. Coding
is expected to continue up to the month of January.
3.7.6 Testing
This is the final phase of the project and the most important one. It performs rigorous
testing of the code written, the simulator and the modified algorithm, and decides the
success of the project. Testing is done to check for bugs and then remove them, which
further includes checking the proper working of the code, i.e. whether or not it gives the
expected results. Testing is the final step and will be completed (tentatively) in the month
of March.
[Project schedule chart: phases Outline, Survey, Design (1st draft; draft + architecture), Coding, Testing]
CHAPTER 4
CONCLUSION AND FUTURE SCOPE
Network security situation awareness is a challenging problem in the field of networking.
It is helpful in the assessment and forecasting of an organisation's network, and it also
reduces the work of the network administrator. The main aim of the simulation software is
to fetch the required data easily and produce the result as soon as possible.
Network security situation awareness is a new research domain, and it is of great
importance in improving the ability to respond to emergencies, reducing the losses caused
by network attacks, revealing abnormal intrusions, and enhancing a system's ability to
fight back. On the basis of our evaluation, our main work is to improve the network
security situation assessment model and its quantitative evaluation method, and to find a
better way to accelerate network simulation. We analyzed the existing problems of network
security situation awareness and proposed a framework based on that analysis. The
framework consists of the modeling of the network security situation and the whole process
of generating the network security situation.
The running time of a network simulation task will increase effectively. The essence of the
abstract packet forwarding method is to enhance the packet processing speed, but it may be
ineffective if too many packets need to be processed per second, as in large-scale network
worm simulation. On the basis of our studies, the next jobs are:
(1) Improve the evaluation method and the network security assessment model.
(2) Find a better way to accelerate network simulation.
REFERENCES
[1] B. Potter, "Software & network security," Network Security; T. Bass, "Intrusion
Detection Systems and Multisensor Data Fusion: Creating Cyberspace Situation
Awareness," Communications of the ACM, vol. 43, Apr. 2000, pp. 99-105.
[2] D. Schnackenberg, H. Holliday, R. Smith, K. Djahandari, and D. Sterne, "Cooperative
Intrusion Traceback and Response Architecture (CITRA)," Proc. of DARPA Information
Survivability Conference and Exposition (DISCEX-II), Jun. 2001.
[3] D. Wetherall, J. Guttag, and D. Tennenhouse, "ANTS: Network Services without the
Red Tape," IEEE Computer, vol. 32, no. 4, Apr. 1999.
[4] Fang Lan, Wang Chunlei, Ma Guoqing, "A Framework for Network Security Situation
Awareness Based on Knowledge Discovery," 978-1-4244-6349-7/10, IEEE, 2010.
[5] Hideki K., Kazuhiro O., "SnortView: visualization system of snort logs," ACM, 2004.
[6] Internet Engineering Task Force, "Internet protocol: DARPA Internet program protocol
specification," 1981.
[7] I-Hsuan Huang and Cheng-Zen Yang, "Design of an Active Intrusion Monitor System,"
Department of Computer Science and Engineering, Yuan Ze University, Chungli, Taiwan,
R.O.C. E-mail: {ihhuang,czyang}@syslab.cse.yzu.edu.tw
[8] K. G. Anagnostakis, M. Greenwald, S. Ioannidis, and S. Miltchev, "Open Packet
Monitoring on FLAME: Safety, Performance and Applications," Proc. of the 4th
International Working Conference on Active Networks (IWAN), Dec. 2002.
[9] M. Asaka, S. Okazawa, A. Taguchi, and S. Goto, "A Method of Tracing Intruders by
Use of Mobile Agents," Proc. of INET99, Jun. 1999.
[10] M. R. Endsley, "Design and evaluation for situation awareness enhancement,"
Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Northrop
Aircraft, Hawthorne, CA, vol. 32, pp. 97-101, October 1988.
[11] M. Roesch and C. Green, "Snort users manual," Snort Release, 2003.