Security provision by applying verification of meta information in wireless sensor network.
Networks grow larger every day, and their security is affected accordingly. IP fragmentation, SMTP mass mailing, DoS attacks, flood attacks and spoofing are some of the attacks detected in networks. One of the main threats to a network is intrusion. An intrusion is an act of intruding, an unwelcome visit, or a set of actions intended to compromise the integrity, confidentiality or availability of a computing or networking resource. To detect intrusions, intrusion detection, prevention and response systems are required. Incident handling techniques fall into three main classes. The first is intrusion prevention, which takes actions to stop attacks from happening. The second is intrusion detection systems (IDSes), such as Snort, which try to detect improper, incorrect or anomalous network activity. The third is intrusion response techniques, which take reactive actions based on received IDS alerts to stop attacks before they cause significant damage and to keep the computing environment safe. Among the many techniques for improving network security, the IDS plays a major role. Intrusion detection algorithms are based on identifying an attack signature or on detecting anomalous behaviour of the system. An IDS is a system or software that detects malicious or improper system and network activity and alerts a system administrator to it. The IDS improves the security of the network by finding suspicious activity; whether the network is local or global, security must be provided to a high standard. A local network is small, so detection can be done successfully on the incoming and outgoing data packets. A global network is much larger, so the IDS has to perform deeper analysis.
Intrusion detection has been fully automated: the network can determine whether a user is legitimate or an intruder from predefined characteristics and facts. As networks grow larger, intrusion response also needs to be automated so that a response is given as quickly as possible. The idea of the Response and Recovery Engine (RRE) was introduced to bring this automation to the response. The RRE uses attack response trees, in which the optimal response for an attack detected by the IDS is chosen by weighting the nodes. A Markov decision process is used to make the optimal decision about the intruders; it selects the best possible action. This decision method deals with true-or-false outcomes and is suitable for small-scale networks. In large-scale networks the Markov decision process cannot be used, so a fuzzy rule set is used to produce values ranging from 0 to 1, and it gives the best response based on the intermediate results of the intrusion detection system.
An intrusion is almost any kind of unlawful activity carried out by attackers to harm network resources or sensor nodes. An IDS is a mechanism for identifying such unlawful or malicious activities. The primary functions of an IDS are to monitor users' activities and network behaviour at particular layers. There are two important classes of IDS. The first is the signature-based IDS, in which the signatures of different security attacks are maintained in a database. This kind of IDS is effective against known security attacks; however, new attacks are difficult to detect because their signatures are not yet present in the database. The second type is the anomaly-based IDS. This kind is effective at detecting new attacks, but it sometimes fails to detect well-known security attacks. The reason is that anomaly-based IDSs do not maintain a signature database; instead they constantly watch traffic patterns or system activities.
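The two IDS classes described above, as an added example that is not part of the original paper: a toy signature-based detector and a toy anomaly-based detector run over the same constructed event stream. The event fields, the signature strings and the benign baseline rates are all constructed for this illustration; the point is that the signature detector only fires on patterns already in its database, while the anomaly detector fires on the unseen flood but says nothing about the known mass-mailing pattern arriving at a normal rate.

```python
"""Added example (not from the paper): signature-based versus anomaly-based
detection over one constructed event stream."""
import statistics
from dataclasses import dataclass


@dataclass
class Event:
    src: str
    payload: str        # constructed application-layer content
    pkts_per_sec: int   # constructed packet rate observed from src


# Constructed signature database: substrings a signature IDS would match on.
SIGNATURES = {
    "SMTP-MASS-MAIL": "RCPT TO:<bulk-",
    "IP-FRAG-OVERLAP": "FRAG-OVERLAP",
}


def signature_detect(events):
    """Return (event index, signature name) for every event matching a known signature."""
    hits = []
    for i, ev in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern in ev.payload:
                hits.append((i, name))
    return hits


def anomaly_detect(events, baseline, k=3.0):
    """Flag events whose packet rate lies more than k standard deviations above
    the mean of a benign baseline. No signature database is consulted."""
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline)
    return [i for i, ev in enumerate(events) if ev.pkts_per_sec > mu + k * sigma]


BASELINE_RATES = [10, 12, 9, 11, 10, 13, 10, 11]   # constructed benign sample (pkts/s)

EVENTS = [  # constructed stream
    Event("10.0.0.5", "EHLO mail", 11),
    Event("10.0.0.7", "RCPT TO:<bulk-0001@example.invalid>", 12),  # known signature, normal rate
    Event("10.0.0.9", "GET /index.html", 400),                     # unknown attack: a flood
]

if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))      # [(1, 'SMTP-MASS-MAIL')]
    print("anomalies:", anomaly_detect(EVENTS, BASELINE_RATES))  # [2]
```

The baseline mean is 10.75 with a population standard deviation of about 1.2, so the anomaly threshold sits near 14.4 packets per second: event 2 (400 pkts/s) is flagged and event 1 is not, which is exactly the blind spot the text attributes to anomaly-based IDSs.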
Host-based Intrusion Detection System:
A host-based IDS can be used to verify the data integrity of files and executables. It checks a folder of sensitive files, plus any files added by the administrator, and creates a checksum of each file with a message digest such as the 128-bit md5sum algorithm or the 160-bit sha1sum algorithm. The host-based IDS stores the sums in a plain-text file and frequently compares the files' checksums against the values in that file. If any file does not match, the IDS alerts the administrator by email or cellular pager.
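The checksum procedure just described, as an added example that is not the paper's code: a baseline of digests is written to a plain-text file, and a later pass reports files that were modified, removed or added. The directory contents are constructed inside temporary directories so the script runs offline; the baseline file is deliberately kept outside the watched tree. The digest algorithm defaults to sha1 as named in the text, and any name `hashlib` accepts can be substituted.

```python
"""Added example (not from the paper): file-integrity check in the style of a
host-based IDS, using a plain-text checksum baseline."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha1"):
    """Hex digest of one file, read in chunks so large files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory, baseline_path, algo="sha1"):
    """Write '<digest>  <relative path>' lines for every file under directory."""
    with open(baseline_path, "w") as out:
        for root, _dirs, files in os.walk(directory):
            for name in sorted(files):
                full = os.path.join(root, name)
                out.write(f"{file_digest(full, algo)}  {os.path.relpath(full, directory)}\n")


def verify_baseline(directory, baseline_path, algo="sha1"):
    """Compare the tree against the baseline; return sorted lists of findings."""
    expected = {}
    with open(baseline_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    findings = {"modified": [], "missing": [], "added": []}
    seen = set()
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            seen.add(rel)
            if rel not in expected:
                findings["added"].append(rel)
            elif file_digest(full, algo) != expected[rel]:
                findings["modified"].append(rel)
    findings["missing"] = sorted(set(expected) - seen)
    findings["modified"].sort()
    findings["added"].sort()
    return findings


def demo():
    """Constructed scenario: baseline two files, then modify one, delete one, add one."""
    with tempfile.TemporaryDirectory() as watched, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(watched, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = os.path.join(store, "hids_baseline.txt")  # kept outside the watched tree
        build_baseline(watched, baseline)

        # Changes made after the baseline was taken (constructed).
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:0:0:99999:7:::\n")

        findings = verify_baseline(watched, baseline)
        for kind, paths in findings.items():
            for p in paths:
                print(f"ALERT {kind}: {p}")   # the text's IDS would email or page the admin here
        return findings


if __name__ == "__main__":
    demo()
```

Because the baseline is plain text, its own integrity matters as much as the files it describes; keeping it on a separate, read-only location (as the temporary `store` directory stands in for here) is the usual mitigation.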
Network Intrusion Detection System:
A network intrusion detection system (NIDS) monitors traffic on a network for suspicious activity, which could be an attack or illegal activity. A large NIDS server can be set up on a backbone network to monitor all traffic, or smaller systems can be set up to monitor traffic for a particular server, switch, gateway or router. In addition to monitoring incoming and outgoing network traffic, a NIDS server can also scan system files looking for illegal activity and to maintain data and file integrity. The NIDS server can also notice changes in the server's core components.
Objective of the Proposed system:
Improve the system performance
Node verification using RRE
Heterogeneous network connectivity
Automatic response to the attacker
Increase the throughput and energy and reduce the delay
II Related Work:
Thanks to the proposed system, the intrusion detection system can be used in various applications. An Extreme Learning Machine (OS-ELM) is presented for intrusion detection. This technique uses alpha profiling to reduce the time complexity, while irrelevant features are discarded using an ensemble of filter-, correlation- and consistency-based feature selection techniques. Beta profiling is used for sampling to reduce the size of the training dataset. The space and time complexity are also discussed, and the NSL-KDD 2009 dataset is used for performance evaluation. This method is efficient for a network intrusion detection system. An IDS with memory and time constraints finds it difficult to process the whole dataset; IDSs also suffer from low accuracy and a high detection rate. OS-ELM is a fast and accurate single-hidden-layer feedforward neural network, designed to overcome the slow learning of feedforward neural networks. It provides good generalization performance with fast learning speed. Fuzzy OS-ELM solves the approximation and classification problem.
Improving performance in an intrusion detection system (IDS) using Quality of Service (QoS) and parallel technologies in Cisco Catalyst switches increases the analytical performance of a network intrusion detection system (NIDS) deployed in high-speed networks, improves NIDS performance and reduces the number of dropped packets. Network intrusion detection and prevention systems (NIDPSs) prevent attacks that occur over high-speed network connectivity. The work describes the weaknesses of NIDPSs and improves them in terms of performance, efficiency and effectiveness. There are two major areas of concern in computer security: the speed and volume of attacks, and the complexity of multi-stage attacks. The QoS technique permits control of traffic and guarantees the throughput of the traffic over a given time scale. QoS concerns the performance of network traffic over several technologies, including Asynchronous Transfer Mode (ATM), 802.1 networks, IP-routed networks, Frame Relay and Synchronous Optical Network (SONET), as seen from the user's perspective. The performance metrics are evaluated by packet generation, timing statistics, packet I/O totals, protocol statistics and Snort NIDS throughput. The advantage of this system is that it improves NIDS performance and reduces the number of packets dropped under high network traffic: the QoS configuration improves NIDPS analysis performance and the parallel technology reduces NIDPS processing time. The disadvantage discussed is the weakness of NIDPSs in scanning and analysing traffic over high-speed network connectivity.
Intrusion detection systems of this kind achieve a high attack detection rate together with a small number of false alarms and a higher interpretability of the rule set. The approach improves the precision for rare attack events and measures the average accuracy across the attack classes. The advantages of using this approach are twofold: first, the use of fuzzy sets, and especially linguistic labels, enables a smoother borderline between the concepts and allows a higher interpretability of the rule set. Second, the divide-and-conquer learning scheme, in which all possible pairs of classes are contrasted, improves the precision for the rare attack events, as it obtains a better separability between "normal activity" and the different attack types. The divide-and-conquer strategy improves the individual accuracy for the different classes of the problem, which is reflected in a high value of the average accuracy metric. The algorithms used for comparison were selected from the state of the art in GFS for IDS: specifically, a multi-objective fuzzy model (MOGFIDS), three different GFS schemes developed by Abadeh et al., and a genetic approach for boosting fuzzy association rules.
Deep packet inspection (DPI) is used to identify payload traffic for network security, privacy and QoS. The functions of DPI are protocol detection, anti-virus, anti-malware and intrusion detection. The detection engine may be supported by signatures or heuristics. Most of the algorithms perform training and testing, which takes approximately double the time. The performance of the intrusion detection system is improved by using in/out-based attributes of the records, which helps to correctly classify true normal and true abnormal traffic; false negative classification is reduced to less than 1%. The advantage of this system is that it is also useful for security, compliance, application recognition and billing. Shallow packet inspection (stateful packet inspection) in an IDS is based on a signature database. The disadvantage of this system is that it has to perform multi-threaded programming.
Machine learning approaches have been widely used to increase the effectiveness of intrusion detection platforms. While some machine learning techniques are effective at detecting certain types of attacks, there are no known methods that can be applied universally and achieve consistent results for multiple attack types. One of the most widely used and best performing machine learning platforms is the Multiple Adaptive Reduced Kernel Extreme Learning Machine (MARK-ELM), which combines multiple kernel boosting with the multiple-classification reduced kernel ELM. Other approaches show good detection performance but with a high rate of false positives, which is a huge challenge for network operators, and they require extensive scaling, pre-processing and pre-filtering of the input data. Many well-performing machine learning approaches are not scalable to larger datasets such as those encountered in network intrusion detection. On the network intrusion detection dataset, MARK-ELM achieves nearly 100% detection rates on the majority classes and excellent detection rates on the minority classes, with extremely low false positive rates and low misclassification rates across all classes. The disadvantage of this method is that many well-performing machine learning approaches are not scalable to handle larger datasets such as those encountered in network intrusion detection.
The Snort intrusion detection system (Snort-IDS) is a network security tool that has been widely used to protect organizations' networks. Snort-IDS uses rules to match data packet traffic; if a packet matches a rule, Snort-IDS generates an alert message. Snort-IDS has many rules and also generates a lot of false alerts. For performance evaluation, the MIT-DARPA 1999 dataset is used, which includes normal and abnormal traffic. Wireshark was used to analyse the data packets of the attacks in the dataset. The attacks can be divided into several groups based on the nature of the network probe attack. Detected attacks are compared against the Detection Scoring Truth. Some attacks occur several times but the Detection Scoring Truth identifies them as a single occurrence. The advantage of this method is that it detects 100% of the network probe attacks in the MIT-DARPA 1999 dataset and achieves higher accuracy; it increases the correctness of the detection rules and decreases false alerts. The disadvantage is that an attack can occur several times while the Detection Scoring Truth identifies it only once.
The PageRank algorithm is widely used in search engines, medical analysis, data mining and many other fields. PageRank is Google's web page ranking algorithm based on web link analysis and has been widely used in search engines. A short sequence pattern library is created by splitting the target program's system call sequences; the pattern library is used to build a system call graph, and the PageRank algorithm computes the weights between adjacent nodes. PageRank-based anomaly detection is more stable than the classical STIDE detection method. A novel weighted Hamming distance based on the PageRank algorithm is used for anomaly intrusion detection. The advantage of this method is that it calculates each node's PageRank value, although this increases the time complexity. The disadvantages are that the network topology and weights are difficult to determine, the accuracy of the modelling method needs to be improved, and the method is sensitive to the initial parameters.
Kargus is a highly scalable software-based IDS that exploits the full potential of commodity computing hardware. First, Kargus processes incoming packets at the network cards and achieves up to 40 Gbps input rate even for minimum-sized packets. Second, it exploits high processing parallelism by balancing the pattern matching workload across multicore CPUs and heterogeneous GPUs, and benefits from extensive batch processing of multiple packets per IDS function call. Third, it adapts its resource usage to the input rate, significantly saving power under normal conditions. It dramatically improves performance by realizing two key principles: batching and parallelism. Batched packet receiving allows a high input rate by reducing the per-packet CPU cycle and memory bandwidth cost. The advantage of this system is the high input rate and the reduced per-packet CPU cycle and memory bandwidth cost, at the price of increased hardware cost and reduced functional flexibility. The disadvantage found is that blind offloading often produces poor performance if the offloading cost exceeds the CPU cycles required for the workload, which frequently occurs for small packets. Even when the offloading cost is small for large packets, it is beneficial to use the CPU for power saving and latency reduction when the CPU capacity satisfies the workload level.
A firewall cannot monitor network attacks; it is used to keep out unauthorized users. Another network security tool, the IDS, performs monitoring of network activities. In a high-speed network, large volumes of data must be analysed and processed on high-speed infrastructure. In this system, parallelism is used to improve the performance of a signature-based NIDS: Snort runs in parallel, each instance with a portion of the packets and a subset of the rules, so the processing time is reduced and the system performance improves. Other approaches are an efficient string matching algorithm (a passive system drops many packets and misses many attacks in a high-speed network), hardware acceleration, and finally parallelism. Hence the whole system can achieve a higher throughput. The advantage of this system is that it improves performance and reduces the processing time of the traffic, so the whole system achieves higher throughput. One of the most important weaknesses of network intrusion detection systems is that processing the whole traffic is very time-consuming; as network speeds continue to increase, it is crucial that efficient approaches are developed so that intrusion detection systems can process more traffic in less time.
III Module Description:
[FIGURE 3.1 OMITTED]
Figure 3.2 shows the overall module description of the proposed system. In our system the network is divided into heterogeneous networks. The nodes are placed randomly and verified using a local engine and a global engine.
3.1 Network Construction:
A random number is generated and assigned as the private and public key. The IP address and MAC address of each node are encrypted using the AES algorithm; the key length is reduced from 128 to 64 bits (since it is used in the simulation tool), and this provides security.
It is assumed that this key generation and key assignment is done by the base station (BS), and the assigned key is stored in a trace file for each node separately. A network G is constructed from N nodes, where each node is random and deployed dynamically. Every node enters the network by sending a REQ message to the BS, receives a key from the BS, and is placed randomly in the network. Once all the nodes are placed in the network.
3.2 Request Response Engine:
In RRE, which requires some time to complete, the final purpose is to save or reduce intrusion response costs and the system damage due to attacks compared to existing intrusion response solutions. Using a game-theoretic approach, RRE adaptively adjusts its behaviour according to the attacker's possible future reactions, thus preventing the attacker from causing significant damage to the system by taking an intelligently chosen sequence of actions. To deal with security issues of different granularities, RRE's two-layer architecture consists of local engines, which run on individual host computers, and the global engine, which runs on the response and recovery server and decides on global response actions once the system is not recoverable by the local engines. Moreover, the hierarchical design improves the scalability, ease of design and performance of RRE, so that it can guard computing resources against attackers in large-scale computer networks. To retain network-level intrusion response where the global security level is often a function of different properties and business objectives, RRE employs a fuzzy control-based method that can take several objective functions into account simultaneously. In particular, reports from the local engines are fed into the global response engine's fuzzy system as inputs. Then RRE calculates a quantitative score for each possible network-level response action using its predefined fuzzy rule set. The fuzzy rule set uses fuzzy numbers, and the various input parameters can take qualitative values such as high or low; therefore, the real-world challenge that exact crisp values of the involved parameters are not always known is addressed completely.
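The fuzzy scoring step of the global engine, as an added example that is not the RRE authors' implementation: two inputs reported by local engines, the attack severity and the fraction of damage the local engine could not recover, are mapped to "low"/"high" memberships on a 0 to 1 scale, a small rule set fires with the usual min operator, and a weighted average yields the score for one candidate network-level response. The membership shapes, the four rules, their consequent values and the decision threshold are all constructed for this illustration.

```python
"""Added example (not from the paper or from RRE): fuzzy rule scoring of a
network-level response from local-engine reports."""


def low(x):
    """Membership in 'low' on a 0..1 input: 1 at 0, fading linearly to 0 at 1."""
    return max(0.0, min(1.0, 1.0 - x))


def high(x):
    """Membership in 'high': the mirror image of low()."""
    return max(0.0, min(1.0, x))


# Constructed rule set for the response "isolate the affected network segment":
# (severity term, unrecovered-damage term) -> crisp consequent in 0..1.
RULES = [
    (low,  low,  0.10),
    (low,  high, 0.40),
    (high, low,  0.60),
    (high, high, 0.95),
]


def response_score(severity, unrecovered):
    """Mamdani-style min for rule firing strength, weighted-average defuzzification."""
    firing = [(min(s(severity), u(unrecovered)), out) for s, u, out in RULES]
    total = sum(w for w, _ in firing)
    if total == 0:
        return 0.0
    return sum(w * out for w, out in firing) / total


def choose_response(reports, threshold=0.5):
    """reports: host -> (severity, unrecovered), both in 0..1 as a local engine
    would report them. Returns the hosts whose score crosses the threshold,
    i.e. where the global engine should take the network-level action."""
    chosen = {}
    for host, (sev, unrec) in reports.items():
        score = response_score(sev, unrec)
        if score >= threshold:
            chosen[host] = round(score, 3)
    return chosen


if __name__ == "__main__":
    # Constructed local-engine reports.
    reports = {"host-a": (0.9, 0.8), "host-b": (0.2, 0.1), "host-c": (0.6, 0.5)}
    print(choose_response(reports))
```

For `host-a` the rules fire with strengths 0.1, 0.1, 0.2 and 0.8, giving a score of 0.93 / 1.2 = 0.775; `host-b` scores about 0.28 and is left to its local engine. The qualitative "high"/"low" inputs are what let the engine act when only coarse estimates of severity are available, which is the property the text highlights.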
3.3 Centralized Detect Eliminate and Control Algorithm:
A wireless sensor network N with M nodes n1, n2, ..., nM is connected in a mesh-like formation. Random nodes S and D are taken as the source node and the destination node respectively, and the intermediate nodes pass the data from source to destination. A node MD (Monitor and Detector) monitors the network flow while data is transmitted between S and D. Intermediate nodes can be attacked while data is transmitted. When a data transmission happens, the MD checks the time and bandwidth capacity and acquires the data amount of the intermediate nodes.
3.4 Time interval calculation:
The time interval and transmission rate are calculated by

$$t = \text{packet sent time at } i - \text{packet received time at } i+1 \qquad (3.1)$$

$$\mathrm{Avg}_t = m^{t-1} \qquad (3.2)$$
If the time interval between a pair of nodes is not equal to $\mathrm{Avg}_t$, the pair of nodes where the interval changed is located, and that node's neighbour nodes are assumed to be DoS attack nodes.
3.5 ErrorRate calculation:
If the error rate is high, the bandwidth at that point is being changed by receiving data from the neighbour nodes. This helps to identify the neighbour nodes that are DoS attack nodes so that they can be eliminated.
$$\mathrm{ErrorRate} = \frac{\mathrm{EstimatedBandwidth} - \mathrm{RealBandwidth}}{\mathrm{RealBandwidth}} \qquad (3.3)$$
The congestion in the intermediate node $i$ is calculated by

$$\xi = \frac{\text{packets received at } i}{\text{packets received at } i\text{'s successor node from } i} \qquad (3.4)$$
[FIGURE 3.2 OMITTED]
Figure 3.2 represents the data flow of the node transmission. Each node is verified by its key value, id and IP address. If the node is fully verified, the data is sent towards the destination, where the node information and the source node information are verified again. If it is valid, the data can be passed through the node; if not, the base station is informed that the node is a malicious node, the data transmission continues, and the process is repeated for all data.
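The CDEC checks of Sections 3.3 to 3.5 and the verification flow of Figure 3.2, as an added example that is not the paper's NS-2 code: a monitor node applies the meta-information check (key, id and IP against the base-station registry of Section 3.1, here a dict standing in for the trace file), then the time interval of (3.1), the bandwidth ErrorRate of (3.3) and the congestion ratio of (3.4), and flags a node whose receive rate exceeds the 4 kbps budget mentioned in Section IV. The route, the per-hop observations, the registry entries and the tolerance values are all constructed; the tolerance on $\mathrm{Avg}_t$ and the ErrorRate limit are assumptions, since the paper gives no numbers for them.

```python
"""Added example (not from the paper): a monitor node applying the CDEC
checks to constructed per-hop observations on one source-to-destination route."""
from dataclasses import dataclass

# Constructed BS registry: node id -> (assigned key, ip), standing in for the
# per-node trace file of Section 3.1.
BS_REGISTRY = {
    28: ("k-28-a1", "10.1.0.28"),
    16: ("k-16-b2", "10.1.0.16"),
    26: ("k-26-c3", "10.1.0.26"),
    19: ("k-19-e5", "10.1.0.19"),
}


@dataclass
class HopRecord:
    node: int
    key: str
    ip: str
    sent_at: float          # packet sent time at i (s)
    recv_at_next: float     # packet received time at i+1 (s)
    est_bandwidth: float    # expected link bandwidth (kbps)
    real_bandwidth: float   # measured bandwidth (kbps)
    pkts_in: int            # packets received at i
    pkts_fwd: int           # packets received at i's successor from i
    recv_rate_kbps: float   # total receive rate, neighbour traffic included


def verify_node(rec, registry=BS_REGISTRY):
    """Meta-information check from Figure 3.2: id registered, key and IP matching."""
    return registry.get(rec.node) == (rec.key, rec.ip)


def time_interval(rec):
    """Eq. (3.1) as written: sent time at i minus received time at i+1."""
    return rec.sent_at - rec.recv_at_next


def error_rate(rec):
    """Eq. (3.3)."""
    return (rec.est_bandwidth - rec.real_bandwidth) / rec.real_bandwidth


def congestion(rec):
    """Eq. (3.4): packets absorbed at i relative to packets it passed on."""
    return rec.pkts_in / rec.pkts_fwd if rec.pkts_fwd else float("inf")


def cdec_monitor(route, rate_budget_kbps=4.0, err_limit=0.25, interval_tol=0.5):
    """Return, per node, 'ok', 'unverified', or the list of reasons it is treated
    as a DoS node. interval_tol is an assumed fraction of Avg_t; err_limit is an
    assumed ErrorRate ceiling; 4 kbps is the per-node budget from Section IV."""
    intervals = [abs(time_interval(r)) for r in route]
    avg_t = sum(intervals) / len(intervals)
    report = {}
    for rec, t in zip(route, intervals):
        if not verify_node(rec):
            report[rec.node] = "unverified"      # Figure 3.2: inform the base station
            continue
        reasons = []
        if abs(t - avg_t) > interval_tol * avg_t:
            reasons.append("interval deviates from Avg_t")
        if error_rate(rec) > err_limit:
            reasons.append("ErrorRate high")
        if congestion(rec) > 1.0:
            reasons.append("congestion: absorbing packets")
        if rec.recv_rate_kbps > rate_budget_kbps:
            reasons.append("exceeds 4 kbps budget")
        report[rec.node] = reasons or "ok"
    return report


# Constructed observations for the path 28 -> 16 -> 26 -> 19 -> 20.
ROUTE = [
    HopRecord(28, "k-28-a1", "10.1.0.28", 0.00, 0.10, 4.0, 3.9, 100, 100, 3.2),
    HopRecord(16, "k-16-b2", "10.1.0.16", 0.10, 0.21, 4.0, 3.8, 100, 100, 3.4),
    HopRecord(26, "k-26-c3", "10.1.0.26", 0.21, 0.52, 4.0, 2.0, 340, 60, 9.7),  # absorbing neighbours' traffic
    HopRecord(19, "k-19-xx", "10.1.0.19", 0.52, 0.62, 4.0, 3.9, 100, 100, 3.3),  # key does not match the BS record
]

if __name__ == "__main__":
    for node, verdict in cdec_monitor(ROUTE).items():
        print(node, verdict)
```

Node 26 trips all four checks: its hop interval is twice $\mathrm{Avg}_t$, its ErrorRate is 1.0, it receives 340 packets while only 60 reach its successor, and its receive rate is far above 4 kbps. Node 19 never reaches the traffic checks because its key disagrees with the base-station record, which is the branch of Figure 3.2 that reports the node to the BS.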
IV Experimental Results:
In a DoS attack only one node attacks, whereas in a DDoS attack the attack on the victim node is performed by a number of nodes sending huge numbers of packets to the victim node and corrupting the communication between the good nodes in the network. In this scenario, our proposed approach CDEC assigns a separate node, like a tower, which monitors all the nodes in the network based on time, on acknowledgements, and on data bandwidth.
Whenever a communication or data transmission occurs between the source and destination nodes, the intermediate nodes should be carefully watched. The neighbour nodes of an intermediate node frequently send data packets to it and confuse the node. This makes it lose the original data and leaves it unable to pass the data to the next hop in the route. This is clearly depicted in Figure 4.1.
[FIGURE 4.1 OMITTED]
The simulation is done using Network Simulator 2, with 30 nodes initially. In this simulation, node 28 is taken as the source node and node 20 as the destination node; the data is sent from node 28 to node 20. Another node, node 1, in the centre of the network is assigned as the monitoring node MD. It monitors the error rate, time of response and bandwidth overhead of every node currently on the simulated route. Nodes are placed randomly in the network; the green node signifies the source node and the blue node signifies the destination node. While the data packets are being transmitted, node 26 becomes a malicious node and interrupts its nearest neighbour nodes by simply receiving data packets from node 16, node 19, node 18 and node 23. This is monitored, identified and reported as a DoS attack by the MD node.
[FIGURE 4.2 OMITTED]
Once node 26 gets packets from the nearest nodes, it communicates with those nodes instead of concentrating on the data transmitted between nodes 28 and 20, which contains the packets with the original data. This behaviour is depicted in Figure 4.3. The DoS attack node is identified by checking the packets received by the intermediate nodes and the sending ratio. Normally 4 kbps is assigned to each node; when a node exceeds 4 kbps, that node and its neighbour nodes are monitored, and if extra packets are being received from a neighbour node, it is considered a DoS attack.
Once a DoS attack happens it can recur repeatedly in the network. The next malicious node appears on the next path between the source node and the destination node. DoS attack nodes spoil the network nodes by simply sending data continuously to other nodes. The next occurrence of a malicious node due to a DoS attack is shown in Figure 4.4. At simulation time 15, node 3 becomes the malicious node. While it receives and sends data from node 28 to node 20, it dynamically acquires data from neighbour nodes 0, 36, 10 and 33. Since it receives data packets from the neighbour nodes, the bandwidth of node 3 changes and there is congestion in the traffic.
[FIGURE 4.3 OMITTED]
Due to the congestion and the bandwidth change, the MD node identifies and reports node 3 as the malicious node, as depicted in Figure 4.4. The data transmission of the nodes in the network is not uniform when there is a DoS attack in the network, because the nodes that send and receive data packets are not in order and the DoS attack is launched on any intermediate node from various locations in the network. Hence the throughput does not follow any particular pattern and is not uniform, as shown in Figure 4.5.
[FIGURE 4.4 OMITTED]
There are many ups and downs in the data packet transmission before deploying the CDEC method. After deploying CDEC, the MD node closely monitors the intermediate nodes along the route from the source node to the destination node, and the packet transmission is measured. As CDEC is applied before the route from the source node to the destination node is constructed, the creation of DoS-based malicious nodes is controlled overall and the throughput of the network becomes clean. After deployment of CDEC the throughput of the network is uniform, as shown in Figure 4.5.
[FIGURE 4.5 OMITTED]
The packet size and the packet transmission interval are uniform because the malicious node is controlled by CDEC, which is applied before route creation. The network performance is calculated and evaluated by checking the performance metric values of throughput, end-to-end delay and energy before and after deploying CDEC in the network.
[FIGURE 4.6 OMITTED]
Figure 4.6 shows the performance evaluation of CDEC versus the existing approaches in terms of throughput. The throughput is increased by this method.
[FIGURE 4.7 OMITTED]
In the performance evaluation of CDEC versus the existing approaches, the energy is increased, as shown in Figure 4.7.
[FIGURE 4.8 OMITTED]
Figure 4.8 shows that the delay is reduced when the CDEC algorithm is evaluated against the existing approaches.
The performance of the CDEC approach is compared with the existing system using the metrics throughput, energy and delay. The existing system obtained values of 5674 for throughput, 95 for energy and 19 for delay, whereas the CDEC approach obtained 6345 for throughput, 99 for energy and 12 for delay. The simulation results show that CDEC is more efficient in controlling malicious nodes and gives the network much higher quality than the existing approaches.
The proposed mechanism does not require a centralized trusted authority, which is not a feature of WSNs because of their self-structuring nature. This paper gives more accuracy than the existing DDoS algorithms and provides an approximately complete solution to DDoS in WSNs. The mechanism can also be used to safeguard the network from other routing attacks, by altering the security parameters in tune with the nature of the attacks. CDEC is more powerful and efficient than the existing system.
(1) Balaambikha R and (2) Thomas Paul Roy A
(1) Computer Science And Engineering PSNA College of Engineering and Technology Dindigul, India.
(2) Computer Science and Engineering PSNA College of Engineering and Technology Dindigul, India.
Received 25 January 2016; Accepted 28 April 2016; Available 5 May 2016
Address For Correspondence:
Balaambikha R, Computer Science And Engineering PSNA College of Engineering and Technology Dindigul, India.
Author: Balaambikha, R.; Thomas, Paul Roy A.
Publication: Advances in Natural and Applied Sciences
Date: May 15, 2016