Professional Documents
Culture Documents
1. Introduction
Providing access to network services and to the Internet, an
organization offers many benefits to itself and its staff. However,
the more access that is provided, the greater is the danger of
increased vulnerability for hackers to exploit.
Computer intrusions are occurring almost routinely, and
have become a major issue of our networked society. How to
detect intrusions presents a big challenge to every organization,
which includes selecting the IDS software, assessing the
tradeoffs between the risks and cost factors, etc.
Our research is focused on the studies of network intrusions
and their effects on the network in a simulated environment. In
this paper we report our experimental results of network
performance measures and simulation efficiency of networks
under the DOS attacks, all simulated using OPNET.
urg flag set. We used the data of the TCPDUMP outside file
(1999/week5/Monday data set) from MIT/Lincoln Lab which
contains Dosnuke attack packets [2].
4.2 Customizing Data Packet Format
We defined our own packet format in the OPNET simulation.
The packet corresponds to the IP header, which includes the IP
addresses, port numbers, the flags, and a few other fields.
4.3 Pre-processing Source Traffic File
Before we could build the simulated network model using
OPNET, we need to first pre-process the TCPDUMP file (or
Ethereal file) to extract pertinent information, including:
The packet inter-arrival times, which are saved as a list
of double-type values.
The time duration, which is the time difference between
the first packet and the last packet of the traffic source.
A list of the distinct IP addresses in the traffic source.
for packets sent to port 139 (NetBIOS) of the victim PC with the
urg flag set in the packet header.
The pre-processing tools we developed can be reused for
simulating other types of intrusion attacks. To demonstrate, we
also simulated the ProcessTable DOS attack using the
MIT/Lincoln Lab TCPDUMP files. We needed to set up a
network in OPNET using 20 PC nodes because there are 20
distinct IP addresses involved in the traffic source. We also
modified the intrusion detection logic of the firewall node using
the new attacks signature, and added the corresponding
statistical measures to the OPNET simulation. The results of the
simulations are described in the following section.
5 Analysis of Simulation Results
5.1 The Dosnuke Attack
The source traffic data for the Dosnuke attack comes from the
MIT/Lincoln Lab TCPDUMP outside file, 1999/week5/Monday
data set. This data set includes the initial 5 minutes of data, and
only one type of the attack. In our experiment, we pre-processed
the source file, and extracted less than 3 minutes of data
containing a total of 367 TCP packets. There were 10 packets
captured by the firewall node due to the Dosnuke attack, 9 of
which were sent from the attacker node to the victim and one
sent from the victim back to the attacker.
We set up several statistical measures in OPNET to study
the performance of the intrusion simulation. For example, Figure
5 depicts the IP address distributions of the data packets during
the entire simulation, where the IP addresses correspond to the
PC node numbers 0 9 of the y-axis. The figure clearly
demonstrates patterns of consecutive accesses to the same IP
addresses during several short intervals of the simulation
although these accesses are irrelevant to the Dosnuke attack.
References
0
30
60
90
120
131
12
10
8
6
4
2
0
30
60
70
80
90
100
114