J. of Commun. & Comput. Eng. Copyright © Modern Science Publishers
ISSN 2090-6234 www.m-sciences.com
Volume 3, Issue 1, 2013, Pages 15-29
Controlling Attacks of Rogue Dynamic Host Configuration Protocol (DHCP)
to Improve Pedagogical Activities in Mobile Collaborative Learning (MCL)
Environment
Abdul Razaque · Khaled Elleithy
Received: 15 May, 2012/ Accepted: 21 August, 2012
Abstract Mobile collaborative learning (MCL) is widely recognized as an emerging paradigm in educational institutions. It brings together the intellectual synergy of many individual minds and addresses several problems in order to motivate social activity and mutual communication. To advance and promote a baseline for MCL, several supporting frameworks and architectures, including a number of mobile applications, have been introduced, but none has focused mainly on strengthening the security of those architectures. This paper addresses the problem of the rogue DHCP server, which severely affects network resources during MCL. A rogue DHCP server is an unauthorized server that issues fake IP addresses to users in order to sniff legitimate traffic. This contribution specifically targets the malicious attacks that weaken the security of the mobile supported collaborative framework (MSCF). The paper introduces a multi-frame signature-cum-anomaly-based intrusion detection system (MSAIDS) that blocks the unlawful behavior of a rogue DHCP server. This security method strengthens the confidence of users and also secures the network from illegitimate interference by a rogue DHCP server. Finally, the paper confirms the scheme through simulations, which comprise a testbed, ns2 and a discrete-event simulation.
Keywords: Client · DHCP server · rogue DHCP server · mobile learning environment · algorithms · signature-cum-anomaly based intrusion detection · inclusion of IDS rules · sniffer · Nikto · Stick.
Introduction
The rapid developments in information technology (IT) have increased the use of mobile devices in open, large-scale and heterogeneous environments.
________________________________________________
Abdul Razaque · Khaled Elleithy
Wireless & Mobile Communication Laboratory
Computer Science and Engineering Department
University of Bridgeport, CT, USA
E-mail: arazaque@bridgeport.edu, elleithy@bridgeport.edu
Mobile devices provide a bridge that connects learners directly with their institutions. This fast-emerging platform has laid the concrete foundation of MCL for supporting pedagogical activities. The deployment of mobile devices has not only underpinned MCL but has also created many opportunities for malicious attackers to break the integrity and privacy of users. Mobile users depend heavily on the DHCP server for the issuance of IP addresses.
The DHCP server provides a highly organized and useful administrative service to mobile devices. However, an unauthorized or misconfigured DHCP server (a rogue DHCP server) introduced into a network creates problems for users and breaks the security of the network. It allows intruders and attackers to redirect and intercept the network traffic of any device that uses DHCP; the attacker (the man in the middle) can then modify the original contents of the communication. Malware and Trojan horses install rogue DHCP servers automatically on the network and undermine the legitimate servers.
If a rogue DHCP server answers with an incorrect IP address faster than the legitimate DHCP server, it potentially creates a black hole for users. To control malicious attacks and avoid network blockage, network administrators work to verify the components of the server using various tools. A graphical user interface (GUI) tool is used to detect and prevent rogue DHCP attacks [5]. Multilayer switches may also be configured to control the attacks of a rogue DHCP server, but this approach is somewhat complex and is not efficient at detecting a rogue DHCP server and its malicious consequences. According to Subhash Badri, a representative of the DHCP Server team, the GUI tool cannot distinguish between malicious DHCP servers and erroneously configured rogue servers [7].
DHCP spoofing detection is another solution for detecting a rogue DHCP server. However, if a single segment is spoofed, the whole network can be damaged, and the spoofing method takes so long that the attacker has enough time to capture the traffic and assign wrong IP addresses [8]. Time-tested tools such as Roadkil.net's DHCP Find, DHCP Sentry, Dhcploc.exe and dhcp_probe provide means to detect and defend against rogue DHCP server malware [6]. None of these tools, however, can detect new malicious attacks.
Intrusion detection systems (IDS) have also been introduced to protect systems and networks. However, an IDS may fail to detect intrusions as the size of the network increases: signature-based detection does not have the capacity to compare each packet with each signature in the database [2].
The distributed intrusion detection system (DIDS) is another technique that supports mobile agents. It helps the system sense intrusions in incoming and outgoing traffic in order to detect known attacks [1]. An ant colony optimization (ACO) based distributed intrusion detection system has been introduced to detect intrusions in distributed environments; it detects the visible activities of attackers and identifies attacks while controlling the false alarm rate [3].
Anomaly-based intrusion detection has been introduced to detect those attacks for which no signatures exist [4], [6], [10].
This paper introduces the MSAIDS approach, supported by novel algorithms, the inclusion of new rules in the IDS and a mathematical model, to detect malicious attacks. It increases the privacy and confidentiality of users in the MCL environment.
Architectural Design for Mobile Supported Collaborative Framework (MSCF)
The architecture for the MSCF, envisioned as a promising platform, is shown in Figure 1. It supports the latest technologies and mobile applications to meet pedagogical requirements and other collaborative activities within educational institutions and beyond. It integrates various functional components to cover all necessary features for MCL, from sending SMS to delivering large videos.
It supports content generation, fragmentation, buffering, retrieval, integration, diagnosis, modification, visualization and refinement, and ultimately the dissemination of results. The mobile supported content server (MSCS) at the core of the framework consists of four layers: the base layer, the coordination layer, the modification layer and the application layer.
All of the layers collectively support asynchronous and synchronous collaboration, multimodal interaction, archive updating, middleware, virtual support, application sharing, joining a session in progress, recording the activities of participants, an interactive shared whiteboard, connectivity management, session management, the ability of the head of an organization to check the activities of participants, notification of participants' availability, and the right of participants to contact and invite other participants at any time.
The architecture provides bindings to all of the theories of mobile learning explained in [34]. It also synthesizes a real environment for several successful ongoing projects so as to cover all features of mobile learning. The base layer plays the central role in the MSCS: it creates the content for users. Users interact with the MSCS from inside or outside the organization to obtain learning and other information.
Fig. 1: Mobile supported content server for synchronous and asynchronous collaboration
The MSCS serves all the queries and information needs of governmental and non-governmental organizations, but particularly those of educational institutions. The most important feature of the MSCS is that it can replace classroom study: users who do not want to attend class register with the MSCS, which automatically gives them access to listen to and watch the online lecture and other information from anywhere. This is a promising feature of the MSCS for attracting students and organizations. Users are also provided with Really Simple Syndication (RSS) feeds to store information for collaboration. The RSS feeds give students opportunities to apply the knowledge they gain in the classroom, and many students enjoy and feel comfortable working as a collaborative group using them. Building a knowledge-based approach that transforms teacher-focused learning into student-focused learning, and task-assigned learning into understanding-based learning, must have a central position [28], [29].
The objectives of the MSCS are achieved with the support of an enterprise data warehouse (EDW). The EDW provides fast access to data from multiple sources and gives accurate, consistent, detailed, integrated, secure and timely information [30], [31]. Users inside and outside the organization are able to assess their requirements, carry out research activities, set priorities and feel the impact of change. The EDW provides a heterogeneous environment that meets the analytical and decision-support requirements of the organization. The architecture of the MSCS is an innovative idea that attracts users to seek admission again, which will increase the literacy rate and motivate organizations to deploy it for collaborative purposes.
The MSCS also comprises a content server engine (CSE) that efficiently handles requests coming from users. It either searches for the requested information in the EDW or gives users access to listen to and watch lectures or other live activities. The CSE identifies mobile users on the basis of the mobile information device profile (MIDP), the status of the previous network condition and the requested URL. Another promising feature of the MSCS is its authorization and authentication process, which provides access to legitimate users only. The CSE verifies the status of users; if an illegitimate user requests content, the request is declined.
The CSE is implemented on an Internet Information Server (web server) that also provides access to users of health, bioinformatics, educational, defense, security, business and banking applications. The MSCS deals with three types of service: normal, low priority and high priority. Requests for the normal service are handled by the file system manager, which supports text, graphs and small videos. Requests for large videos are handled by the database manager, which is considered the low-priority service provider. The high-priority service covers all types of data, including text, graphs, images and voice.
This task is performed by integrating a cache server, which sets up its own hypertext transfer protocol (HTTP) connection. The cache server receives the request from the mobile device and delivers the learning material immediately; if the requested material is not cached, it is obtained from the EDW. The advantage of the cache server is its direct access to the EDW, which provides faster delivery of learning material.
With the introduction of the cache server, time is saved on backups and log monitoring, on which substantial time is spent every day. The MSCS is effective for several forms of collaborative learning, including blogs, beaming and sharing information, web forums and wikis. The use of a shared repository in the MSCS captures and preserves the communication process, which serves as a tangible indicator for improving the quality of mobile learning [32], [33].
Possible attacks of a rogue DHCP server (SCENARIO-I)
With the deployment of the latest technologies, the need for automated tools to protect information, whether stored on computers or flowing over networks, has increased. The generic term for protecting data and thwarting malicious attackers is computer security. The introduction of distributed systems has greatly affected security [11]. There are many forms of vulnerability and vigorous threats that expose the security of systems. Organizations implement several mechanisms to take security measures and meet their security needs, but those mechanisms also invite attackers to play with the privacy and confidentiality of users. One of the major threats to the privacy of data is the intervention of a rogue DHCP server.
The first sign of a problem associated with a rogue DHCP server is the discontinuation of network service: static and portable devices start experiencing network issues. The issues begin when wrong IP addresses are assigned to requesting clients as they initiate a session. Malicious attackers take advantage of the rogue DHCP server and sniff the traffic sent by legitimate users.
The rogue DHCP server spreads wrong network parameters that create a bridge for attackers to expose confidentiality and privacy. DNS-changing Trojans install the rogue DHCP server and pollute the network, giving attackers the chance to use compromised resources on the network. The rogue DHCP server creates several problems that expose the privacy of legitimate users. Three important attacks are shown in Figure 2; the paper focuses on the two most important of them.
Fig. 2: Behavior of the rogue DHCP server during the attack
1. Sniffing the network traffic
It is a brutal irony of information security that the features used to protect static and portable devices and keep them functioning efficiently and smoothly are the same features that maximize the chances for attackers to compromise and exploit those tools and networks. Packet sniffing is used to monitor network traffic in order to prevent bottlenecks and make data transmission efficient; attackers exercise the same resources to collect information for illegal use. A rogue DHCP server supports such attackers in exposing the privacy of users: when a network falls victim to a rogue DHCP server, that server hands the attackers very important information about the IP address, the domain name system and the default gateway.
All of this information helps intruders sniff the traffic of legitimate users. Suppose a rogue DHCP server is introduced into a secure environment to collect confidential information; that server wreaks all sorts of havoc on the secure network. In the best case, it simply issues a wrong IP address to each user, so that all traffic on the network starts to be monitored on the basis of the wrongly issued IP addresses. In the worst case, the rogue DHCP server sets the default gateway to the IP address of the malicious attacker's proxy. In this case the attacker can sniff the traffic and wreck the privacy of users, as shown in Figure 3.
Fig. 3: Sniffing the traffic and masquerading attack
The rogue DHCP server also helps intruders capture the MAC addresses of legitimate users, which enables sniffing of traffic through the switch. In this case, attackers spoof the IP addresses of both sender and receiver and act as a man in the middle to sniff the traffic and extract important contents of the communication. This is a serious attack on the privacy of users.
2. Denial of service attack (DoS)
Intruders supported by a rogue DHCP server also launch DoS attacks after sniffing the confidential contents of traffic. Due to a DoS attack, access to important services is blocked for legitimate users. Intruders often crash routers, hosts, servers and other computing entities by sending an overwhelming amount of traffic onto the network. The rogue DHCP server creates a friendly environment for intruders to launch DoS attacks, because such attacks require little effort from the intruder, are difficult to detect and are difficult to trace back to the intruder. In addition, it is easy to create floods on the Internet because its resources, including processing power, bandwidth and storage, are limited. A rogue DHCP server can mount a flooding attack on the domain name system (DNS), because the intruders' goal is to prevent legitimate users from resolving resources in the zone under attack [12], [13], [16].
These attacks on DNS have had varying success in disrupting the resolution of names in the targeted zone. A rogue DHCP server can also take advantage of the inevitable human errors made during installation, configuration and software development. It creates several types of DoS attack documented in the literature [20], [22], [24]. With the support of a rogue DHCP server, intruders mount smurf, SYN flood, ping of death and DNS attacks. These attacks are dangerous from a security point of view, as shown in Figure 4.
Fig. 4: Denial of service (DoS) attack
Proposed solution (multi-frame signature-cum-anomaly based intrusion detection system)
Networks are converging rapidly and thousands of heterogeneous devices are connected. The devices integrated into large networks communicate through several types of protocol and technology. This large-scale heterogeneous environment invites intruders to expose the security of users. Hence IDSs are introduced to recognize the patterns of attacks, but if they are not placed strategically, many attackers bypass the IDS by traversing an alternate route through the network.
Many signature-based IDSs are available to detect attacks, but some new attacks cannot be identified and controlled by them. An anomaly-based IDS is another option, but it can only detect new patterns of attack. The MSAIDS resolves the issues of the rogue DHCP server. The proposed framework consists of a detecting server that controls the IDS and its three related units: (i) the DHCP verifier unit, (ii) the signature database and (iii) the anomaly database.
During each detection process, intrusion detection starts matching at the DHCP verifier; if malicious activity is detected there, the process stops, otherwise the other two units are checked until it is confirmed whether the activity is malicious or not. Figure 5 shows the MSAIDS.
Fig. 5: Multi-frame signature-cum-anomaly based IDS
The detecting server (DS) is responsible for checking inbound and outbound traffic related to the issuance of IP addresses. The DS receives IP requests (inbound traffic) from the routers and forwards them to the DHCP server after a satisfactory check. When an IP address is released for a requesting node, the DS applies the DHCP detecting algorithm to validate the DHCP server and detect the type of attack, as shown in Algorithm 1.
Algorithm 1: Verify the DHCP server and detect the attack
1. Input: MF = (FD, FS, FA, I)
2. Output: for every strategy I ∈ FA, I ∈ FS, D ∈ FD
3. D = each valid DHCP server
4. IP = Internet protocol address
5. N = number of mobile devices
6. FD = frame of DHCP servers
7. if D ∈ FD then
8.     IP → N   (issue addresses to the N devices)
9. endif
10. S = number of available signatures in the signature-based intrusion detection system (SIDS)
11. FS = frame of signatures
12. FS ← SIDS
13. I = number and types of attacks
14. for (I = S; I ∈ FS; I++)
15.     if I ∈ FS then
16.         SIDS raises attack alert
17.     endif
18. endfor
19. A = number of signatures available in the anomaly-based intrusion detection system (AIDS)
20. FA = frame of AIDS
21. FA ← AIDS
22. for (I = A; I ∈ FA; I++)
23.     if I ∈ FA then
24.         AIDS raises alert
25.     if (I ∉ FS and I ∉ FA) then
26.         no alert (no attack)
27.     endif
28.     endif
29. endfor
1. The monitoring process of the detecting server (DS)
i. Pre-selected rules refer to those patterns already stored in the DS that help to identify inbound traffic.
ii. Post-selected rules refer to those patterns stored for the detection of a legitimate DHCP server that help to identify outbound traffic.
iii. Parameterized rules refer to the many ingredients that help to set the selected rules with unique values, presented in the following:
a. Validity ingredient:
It helps to detect the attack if an intruder modifies the contents of a message.
b. Time interval ingredient:
It helps to detect two types of attack, the exhaustion attack and the negligence attack. In an exhaustion attack, the attacker increases the message-sending rate; in a negligence attack, the attacker does not send messages. In addition, it detects when the time interval between two consecutive messages is longer or shorter than the allowed amount of time.
c. Flooding ingredient:
It helps to identify the attack on the basis of the noise and disturbance created in the communication channel.
d. Retransmission ingredient:
It helps to determine the attack if retransmission does not occur before the specified timeout period.
e. High transmission radio range ingredient:
It helps to determine SYN flood and wormhole attacks, when an intruder uses a powerful radio to send a message to a distant node.
f. Pattern replication ingredient:
It helps to detect the attack when the same patterns are repeated several times; it blocks DoS attacks.
All of these ingredients collectively help the DS to detect attacks, and Figure 6 shows the process of determining a valid IP address and an attack.
Fig. 6: Detecting attack and issuance of safe IP
The DS also controls the multi-frame structure, which comprises a central IDS integrated with three layers that control misuse detection.
2. Central IDS
The aim of the central IDS is to control and store the messages received from the DS. It works as middleware between the DS and the other layers, sending verification requests and receiving alerts. The main function of the central IDS is to update and manage the policy according to the attack; any change needed in attack detection is applied on all layers. The updated policy implemented by the central IDS is shown in Figure 7.
Fig. 7: Policy of the central IDS for the network
3. DHCP verifier
The DHCP verifier is the top layer, which distinguishes between a rogue DHCP server and the original DHCP server. The signatures of the original DHCP servers are stored at the DHCP verifier, which checks the validity of the DHCP server that issues an IP address to a client. On the basis of the stored signatures, the DHCP server is identified as either rogue or original. The top layer produces a unique alert sign for both the rogue and the original DHCP server. It gets the parameters for verification from the central IDS, and the DHCP verifier running on the top layer is also responsible for returning an alert to the central IDS.
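The check the DHCP verifier performs, and the worst-case rogue offer described in the sniffing scenario above (a server that points the default gateway and the resolver at the attacker's machine), can be made concrete. The following Python program is an added example written for this edit, not code from the paper or from the MSAIDS implementation. It parses the BOOTP/DHCP option field of a reply and, in the role of the verifier's pre-selected rules, compares the server identifier (option 54), the router (option 3) and the DNS server (option 6) against an allow-list of legitimate values. The two packets and the 10.0.0.x allow-list addresses are constructed for illustration, and a malformed option field is rejected rather than partially trusted.

```python
"""Rogue DHCP offer detector: parse the BOOTP/DHCP option field and check
the offering server, and the gateway/resolver it pushes, against an
allow-list. Added example; packets and addresses below are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCPOFFER, DHCPACK = 2, 5

# Hypothetical pre-selected rules held by the detecting server: the
# legitimate DHCP server identifier and the gateway/resolver it may hand out.
LEGIT_SERVERS = {"10.0.0.2"}
LEGIT_ROUTERS = {"10.0.0.1"}
LEGIT_DNS = {"10.0.0.53"}


def build_dhcp(msg_type, server_id, router, dns, yiaddr="10.0.0.77"):
    """Build a minimal BOOTP reply carrying DHCP options (constructed test data)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY, xid
    hdr += IPv4Address("0.0.0.0").packed                          # ciaddr
    hdr += IPv4Address(yiaddr).packed                             # yiaddr (offered lease)
    hdr += IPv4Address(server_id).packed                          # siaddr
    hdr += IPv4Address("0.0.0.0").packed                          # giaddr
    hdr += b"\xaa\xbb\xcc\x00\x11\x22" + b"\x00" * 10              # chaddr (16 bytes)
    hdr += b"\x00" * 192                                          # sname (64) + file (128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4]) + IPv4Address(dns).packed
    opts += b"\xff"                                               # end option
    return hdr + MAGIC_COOKIE + opts


def parse_options(pkt):
    """Return {option_code: raw bytes}; raise ValueError on a malformed field."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                      # end
            return opts
        if code == 0:                        # pad
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = data
        i += 2 + length
    raise ValueError("missing end option")


def ip_list(data):
    """Decode an option value holding one or more IPv4 addresses."""
    return [str(IPv4Address(data[j:j + 4])) for j in range(0, len(data) - len(data) % 4, 4)]


def verify_offer(pkt):
    """DHCP verifier step: ('legitimate' | 'rogue' | 'ignore', reasons)."""
    opts = parse_options(pkt)
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (DHCPOFFER, DHCPACK):
        return "ignore", []                  # only server replies are judged here
    reasons = []
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in LEGIT_SERVERS:
        reasons.append("unknown server identifier %s" % (server[0] if server else "(absent)"))
    for r in ip_list(opts.get(OPT_ROUTER, b"")):
        if r not in LEGIT_ROUTERS:
            reasons.append("gateway %s not in allow-list (possible MITM proxy)" % r)
    for d in ip_list(opts.get(OPT_DNS, b"")):
        if d not in LEGIT_DNS:
            reasons.append("resolver %s not in allow-list (DNS-changer pattern)" % d)
    return ("rogue" if reasons else "legitimate"), reasons


# Constructed sample traffic: one OFFER from the real server, one from a rogue
# at 10.0.0.66 that names itself as gateway and resolver (worst case above).
GOOD_OFFER = build_dhcp(DHCPOFFER, "10.0.0.2", "10.0.0.1", "10.0.0.53")
ROGUE_OFFER = build_dhcp(DHCPOFFER, "10.0.0.66", "10.0.0.66", "10.0.0.66")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        verdict, why = verify_offer(pkt)
        print(name, verdict, why)
```

In a deployment the packets would come from a capture on the client VLAN rather than from build_dhcp; the verifier's verdict is what Algorithm 1 consumes before the signature and anomaly units are consulted.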
4. Signature-based detection layer
Signature-based detection is the middle layer, which detects known threats. It compares signatures with observed events to determine possible attacks. Some known attacks are identified on the basis of the implemented security policy: for example, a telnet login attempt with the username "root" violates the security policy of the organization and is considered a known attack; an operating system status code value of 645 indicates that the host's auditing has been disabled and is also treated as an attack; an attachment with the file name "freepics.exe" is an alert for malware. The middle layer is effective for detecting known threats using well-defined signature patterns of attack. The stored patterns are encoded in advance and matched against network traffic to detect attacks. This layer compares each log entry with the list of signatures using string comparison operations. If the signature-based layer does not detect anything, the anomaly-based detection layer initiates its process. For example, if a web page is requested and a message with status code 403 is received, the request has been declined, and such processing cannot be handled by the signature-based layer. Figure 8 shows the combination of IDS rules applied to determine various types of attack with the support of the MSAIDS.
Fig. 8: IDS rules for detecting the attacks
The base of the IDS comprises five fundamental rules that support the IDS in determining an attack: the detection paradigm, the location of the audit source, the frequency of usage, the method of detection and the behavior of the detection method.
All of these rules help to detect the types of attack created by a rogue DHCP server.
5. Anomaly-based detection layer
The lower layer is anomaly-based detection, which identifies unknown attacks and DoS attacks. It works on the pick-detect method, which monitors the inbound and outbound traffic received through the central IDS. Packets are evaluated, adaptive thresholds and mean values are set, and the method calculates metrics and compares them with the thresholds [26], [27].
On the basis of these comparisons, it classifies the outcomes as false positive, false negative, true positive and true negative. If the pick-detect method determines a true positive or a false negative, it sends an alert to the central IDS. The process of determining these outcomes is given in Algorithm 2.
Algorithm 2: Detecting the types of alerts with AIDS
1. FS = frame of signatures
2. FS = SIDS
3. S_i = false negative
4. S_j = true negative
5. S_k = true positive
6. S_l = false positive
7. 0 = do not match and 1 = match
8. $S_{ijkl} = \frac{1}{d}\sum_{m=1}^{d} S_{ijkl}$
9. S_ij = 0, if i and j do not match
10.    no false negative and no true positive
11. S_ij = 1, if i and j match
12.    false negative and true positive
13.    alert of attack
14. S_kl = 0, if k and l do not match; 1, if k and l match
15.    alert of true negative and false positive
16.    no sign of attack
17. endif
18. endif
19. endif
20. endif
In addition, the following derivation helps to determine and calculate the true positive, true negative, false positive and false negative.
Here true positive = TP, false negative = FN, false positive = FP, true negative = TN, precision = P and overall probability = OP.
We know that

$P = \frac{TP}{TP + FP}$  (1)

$OP = \frac{TP + TN}{TP + FP + FN + TN}$  (2)

$TP = P\,(TP + FN)$  (3)

Substituting the value of precision from (1) into (3):

$TP = \frac{TP}{TP + FP}\,(TP + FN)$  (4)

or

$TP = \frac{TP^{2} + TP \cdot FN}{TP + FP}$  (5)

Equation (5) gives the true positive (TP), meaning that a sign of attack is present and an alarm is raised.

Next, the false negative is found by applying the overall-probability formula. Rearranging (2),

$TP = \frac{OP\,(TP + FP + FN + TN)}{TP + TN}$  (6)

Substituting the value of OP from (2) into (6):

$TP = \frac{TP + TN}{TP + FP + FN + TN} \cdot \frac{TP + FP + FN + TN}{TP + TN}$  (7)

Distributing $(TP + TN)$ over the sum:

$TP = \frac{(TP + TN)\,TP + (TP + TN)\,FP + (TP + TN)\,FN + (TP + TN)\,TN}{(TP + FP + FN + TN)(TP + TN)}$  (8)

Multiplying the values:

$TP = \frac{TP^{2} + TP \cdot TN + TP \cdot FP + TN \cdot FP + TP \cdot FN + TN \cdot FN + TP \cdot TN + TN^{2}}{(TP + FP + FN + TN)(TP + TN)}$  (9)

Multiplying both sides by $(TP + FP + FN + TN)(TP + TN)$ and rearranging the terms:

$TP\,(TP + TN)(TP + FP + FN + TN) = TP^{2} + TP \cdot TN + TP \cdot FP + TN \cdot FP + TP \cdot FN + TN \cdot FN + TP \cdot TN + TN^{2}$  (10)

Simplifying the terms by addition and subtraction of like terms leaves

$FN \cdot TN = FN \cdot TN$  (11)

Finding the value of FN:

$FN = \frac{FN \cdot TN}{TN}$  (12)

Dividing $FN \cdot TN$ by $TN$ gives FN:

$FN = FN$  (13)

or

$FN - FN = 0$

A zero value here denotes the false negative: it is considered an attack, but there is no sign of alarm because of the 0.

The false positive (FP) is derived from the true positive (TP). From (5) we know the value of TP:

$TP = \frac{TP^{2} + TP \cdot FN}{TP + FP}$

Cross-multiplying both sides:

$TP\,(TP + FP) = TP^{2} + TP \cdot FN$  (14)

Multiplying out the left-hand side:

$TP^{2} + TP \cdot FP = TP^{2} + TP \cdot FN$  (15)

Rearranging the terms:

$TP \cdot FP = TP^{2} + TP \cdot FN - TP^{2} = TP \cdot FN$  (16)

Calculating FP from equation (16):

$FP = \frac{TP \cdot FN}{TP}$  (17)

Equation (17) gives the false positive: there is no sign of attack but an alarm is raised.

Applying equation (11) to find the true negative (TN):

$TN = \frac{FN \cdot TN}{FN}$  (18)

Dividing $FN \cdot TN$ by $FN$ gives TN:

$TN = TN$  (19)

or

$TN - TN = 0$

The value of TN is also zero, which means there is no sign of alarm and no attack occurs.
To distinguish the attack and non-attack situations for TN and FN, Algorithm 3 is used to determine the sign of attack.
Algorithm 3: Determine the sign of attack or non-sign of attack
1. Select a random odd prime number for TN and any even number for FN.
2. The value of FN must not exceed TN.
3. Therefore, FN > 1 and FN < TN.
4. Here FN = {2, 4, 6, 8, ...} and TN = {3, 5, 7, 11, 13, ...}.
5. Let sign of attack = ST, d = not exposed and b = exposed.
6. b and d have the constant value 1.
7. Thus, ST = [TN / (TN + d)] / [FN / (FN + b)]
8. If ST > 1, there is no sign of attack; if ST < 1, that is a sign of attack.
9. endif
Assume FN = 2 and TN = 3. Applying the sign-of-attack formula
ST = [TN / (TN + d)] / [FN / (FN + b)]
and substituting the values:
ST = [3 / (3 + 1)] / [2 / (2 + 1)]
ST = (3/4) / (2/3) = 9/8
ST = 1.125
ST > 1
Here ST > 1 means there is no sign of attack, and we can determine that the case is a true negative (TN).
The behavior of TN, FN, FP and TP with respect to the sign of alarm is shown in Table 1.
Table 1: Behavior of the attack parameters
Parameter             Behavior
True negative (TN)    No sign of alarm and no attack
False negative (FN)   No sign of alarm but attack
True positive (TP)    Sign of alarm and attack detected
False positive (FP)   Sign of alarm but no attack
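The time-interval ingredient (exhaustion and negligence attacks), the anomaly layer's adaptive threshold and the TP/FP/FN/TN scoring above can be exercised together. The following Python program is an added example, not the paper's own simulation code: it runs a trailing-window threshold over a constructed series of per-second DHCP request counts, scores the alerts against constructed ground truth, and computes precision P (equation (1)), overall probability OP (equation (2)) and the sign-of-attack score ST from Algorithm 3. The window length, the k = 3 standard-deviation multiplier and the option of freezing the baseline while an alert is active are design assumptions of this example, not parameters taken from the paper.

```python
"""Anomaly-based layer: adaptive threshold over per-second DHCP request
counts plus confusion-matrix scoring (TP/FP/FN/TN, P, OP, ST).
Added example for this page; the traffic series and labels are constructed."""
from statistics import mean, pstdev

# Constructed per-second DHCPDISCOVER counts on one segment (20 seconds).
# Seconds 8-10: exhaustion attack (rate spike). Seconds 13-14: negligence
# attack (clients silenced). Second 17: legitimate surge when a class starts.
RATES = [5, 4, 6, 5, 5, 4, 6, 5, 40, 45, 50, 5, 4, 0, 0, 5, 6, 20, 5, 5]
TRUTH = [t in (8, 9, 10, 13, 14) for t in range(len(RATES))]


def adaptive_flags(rates, window=5, k=3.0, min_rate=1, freeze_on_alert=False):
    """Return one bool per second: True when that second is anomalous.

    Exhaustion: rate above trailing mean + k standard deviations (sd is
    floored at 1.0 so a perfectly flat baseline still leaves headroom).
    Negligence: rate below min_rate while the baseline was active.
    With freeze_on_alert a flagged sample is kept out of the baseline, so an
    attack cannot raise the threshold it is being measured against.
    """
    base, flags = [], []
    for r in rates:
        hist = base[-window:]
        if len(hist) < window:            # still learning the baseline
            flags.append(False)
            base.append(r)
            continue
        mu, sd = mean(hist), pstdev(hist)
        upper = mu + k * max(sd, 1.0)
        alert = r > upper or (r < min_rate and mu >= min_rate)
        flags.append(alert)
        if not (alert and freeze_on_alert):
            base.append(r)
    return flags


def confusion(flags, truth):
    """(TP, FP, FN, TN) of the alert flags against ground-truth attack labels."""
    tp = sum(1 for f, y in zip(flags, truth) if f and y)
    fp = sum(1 for f, y in zip(flags, truth) if f and not y)
    fn = sum(1 for f, y in zip(flags, truth) if not f and y)
    tn = sum(1 for f, y in zip(flags, truth) if not f and not y)
    return tp, fp, fn, tn


def precision(tp, fp):
    """Equation (1): P = TP / (TP + FP)."""
    return tp / (tp + fp) if tp + fp else 0.0


def overall_probability(tp, fp, fn, tn):
    """Equation (2): OP = (TP + TN) / (TP + FP + FN + TN)."""
    return (tp + tn) / (tp + fp + fn + tn)


def sign_of_attack(tn, fn, d=1, b=1):
    """Algorithm 3: ST = [TN/(TN+d)] / [FN/(FN+b)]; ST > 1 is read as no sign
    of attack. The algorithm requires FN > 1; with FN = 0 the ratio is
    unbounded and is returned as infinity."""
    if fn == 0:
        return float("inf")
    return (tn / (tn + d)) / (fn / (fn + b))


def evaluate(freeze_on_alert=False):
    """Run the detector over RATES and report the scores as a dict."""
    flags = adaptive_flags(RATES, freeze_on_alert=freeze_on_alert)
    tp, fp, fn, tn = confusion(flags, TRUTH)
    return {
        "flagged_seconds": [t for t, f in enumerate(flags) if f],
        "TP": tp, "FP": fp, "FN": fn, "TN": tn,
        "P": precision(tp, fp),
        "OP": overall_probability(tp, fp, fn, tn),
        "ST": sign_of_attack(tn, fn),
    }


if __name__ == "__main__":
    for freeze in (False, True):
        print("freeze_on_alert=%s ->" % freeze, evaluate(freeze))
```

Without freezing, the first burst second is caught but the attack's own traffic then inflates the trailing mean, so seconds 9 and 10 pass as normal (two false negatives, P = 0.75, OP = 0.85, ST = 1.4); freezing the baseline during an alert catches the whole burst (FN = 0) at the cost of the same false positive on the legitimate surge at second 17, which is the trade-off an adaptive threshold on its own cannot resolve.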
Simulation Setup
The previous sections have presented evidence of the
problems to be created by rogue DHCP server and including
solutions to control over these problems. This section
focuses on simulation setup and type of scenario. The
unique and extensive testing method require for simulation
of rogue DHCP server. To validate the MSAID, the
proposed solution has been implemented by using three
methods: test bed simulation, discrete simulation in C++ and
ns2 simulation.
The test bed simulation provides real time results in
controlled and live user environments. This kind of
simulation gives complete understanding about behavior of
several types of attacks. All operations associated with
MSAIDS approach and other three existing approaches:
Dynamic multi-layer signature based IDS (DMSIDS), ant
colony optimization based IDS (ACOIDS) & Signature
based IDS provide recital idea. Test bed simulation helps to
detect various affects and conditions in real environment.
Therefore, output of simulated framework is as close to
reality as possible. The used parameters for only test bed
simulation are given in table 2.
In addition, a stressed network traffic load creates several exceptional conditions, which motivated testing the idea on Linux and Windows NT operating systems. Collecting data in live environments with test bed simulation is somewhat harder because of logistical issues: most operating systems do not provide tracing facilities. Regardless of these problems, we obtain results in a standardized way by using different programs on different operating systems. MSAIDS is fully supported by algorithms and data structures that discover potential attacks and disrupt intrusions before the attacks take effect.
Performance depends heavily on a robust tracing facility and on the algorithms that identify the intrusion. The first step is to analyze the performance of the proposed algorithms and of the mathematical model used; the overall target, however, is to obtain accurate statistical data in a highly loaded network. Test bed simulation alone does not provide 100% of the results. To fulfill the requirements of tracing and collecting accurate data, the same scenario is simulated in ns2 and in discrete simulation in C++.
Table 2: Simulation parameters for test bed experiment

Name of parameter     Specification
MySQL database        MySQL 5.5
Type of IDS           Rule based IDS
GD Library            gd 2.0.28
Snort                 V2
Apache web server     Apache http 2.0.64 Released
PHP                   PHP 5.3.8 (general purpose server side language)
ADODB                 Release 5.12 (abstraction library for PHP and Python)
ACID                  ACID PRO 7
Stick                 Stick beats detection tool used by hackers
Nikito                Nikito v.2.1.4
IDS enabled system    Memory: 512 MB; Operating system: Linux; PCI network card: 10/100 Mbps; CPU: PIII with 600 MHz
Attacker system       Memory: 1.5 GB; Operating system: Linux; PCI network card: 10/100/1000 Mbps; CPU: AMD Geode LX running 2.4/5 GHz
The mean value is calculated for the three kinds of simulations with the help of the following theorem.
Theorem 1:
Assume x = test bed simulation and y = discrete simulation in C++ and ns2 simulation. R is the proposed approach MSAIDS.
Let f: [x, y] → R be a continuous function on the closed interval [x, y] and a differentiable function on the open interval (x, y), with x < y. Then there exists z in (x, y) such that

$$f'(z) = \frac{f(y) - f(x)}{y - x}.$$
The second important step concerns the IDS response: what is the most appropriate response once a possible attack has been detected? This is a broad topic and beyond the scope of this research. The proposed method is not a panacea, but it at least detects the masquerading, DoS and race condition attacks generated by a rogue DHCP server in MCL. The paper emphasizes how to fit the proposed method to control attacks of a rogue DHCP server in the MCL environment.
Figure 9 is a NAM screenshot of ns2 for MSAIDS, in which node-3 is the rogue DHCP server that assigns fake IP addresses. Node-4 is the attacker that tries to capture traffic. Node-5 is MSAIDS (the proposed approach), which defeats the attack of node-4 (the attacker). Hence, sender and receiver exchange data successfully.
The scenario is highly congested with a large amount of traffic in a real but standardized environment.
Fig. 9: NAM screenshot of MSAIDS
Analysis of result and discussion
The training period of the experiment covers four classes of attacks: probe, DoS, U2R and R2L. All attacks are entered into the database during the training period of the test bed simulation. ns2 and the discrete simulation in C++ provide the tracing facility needed to collect accurate data. MSAIDS scans all Snort rules, to which we add the new rules explained in the proposed section. The testing period targets one concise scenario, simulated with the same parameters for all three existing approaches and for the proposed MSAIDS. The attacks are generated using Stick, covering all types of signature-based and anomaly-based attacks.
The training period provides quite interesting results because the frequently generated attacks occur in different numbers. The maximum number of attacks belongs to the R2L category. More attacks are also counted by MSAIDS than by the other three existing techniques, as shown in Figures 10 to 13.
If no attack is generated, the traffic is counted as normal. The frequency of single and grouped characters is displayed when packets reach the attacker machine. The output shows that the different types of detected attacks are generated by the rogue DHCP server.
Fig. 10: Capturing capability of DoS attacks of MSAIDS vs. other techniques
DoS attacks are detected when a packet does not reach its destination and no acknowledgment is received. The sign of a probe attack is the addition of new data to the existing amount of data bytes. The sign of U2R is a maximum connection duration. R2L attacks are somewhat more complex to detect.
Fig. 11: Capturing capability of R2L attacks of MSAIDS vs. other techniques
Fig. 12: Capturing capability of U2R attacks of MSAIDS vs. other techniques
We apply a method that combines the requested service and the connection duration for the network side with failed login attempts for the host side. This increases the traffic generation rate; on the other hand, it provides the highest capturing rate.
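The detection signs described above (no acknowledgment for DoS, growth in data bytes for probe, very long connection duration for U2R, failed logins on the host side) and the four outcome cells of Table 1 can be put together as a small scoring routine. The following is an added example, not the paper's MSAIDS code; the field names, the numeric thresholds and the sample records are assumptions constructed for illustration, since the paper states the signs but not the cut-off values.

```python
"""Classify constructed connection records with the paper's detection signs
and tabulate the outcome according to Table 1 (TN / FN / TP / FP).

Added example, not the paper's MSAIDS implementation. Field names, thresholds
and sample records are assumptions constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    """One observed connection, with the ground-truth label used for scoring."""
    ack_received: bool      # did the destination acknowledge the packets?
    byte_delta: int         # payload bytes added beyond the session baseline
    duration_s: float       # connection duration in seconds
    failed_logins: int      # host-side failed login attempts in the session
    truth: Optional[str]    # real attack class, or None for normal traffic


# Assumed thresholds; the paper gives the signs, not the numeric cut-offs.
PROBE_BYTE_DELTA = 512        # bytes added beyond the session baseline
U2R_MAX_DURATION_S = 3600.0   # a connection longer than this is the U2R sign
R2L_FAILED_LOGINS = 5         # repeated failed logins on the host side


def classify(rec: Record) -> Optional[str]:
    """Return the attack class signalled by the record, or None (no alarm).

    The first matching sign wins; DoS is checked first because a connection
    with no acknowledgment has no meaningful duration or byte growth.
    """
    if not rec.ack_received:
        return "DoS"
    if rec.byte_delta > PROBE_BYTE_DELTA:
        return "probe"
    if rec.duration_s > U2R_MAX_DURATION_S:
        return "U2R"
    if rec.failed_logins >= R2L_FAILED_LOGINS:
        return "R2L"
    return None


def outcome(alarm: Optional[str], truth: Optional[str]) -> str:
    """Map (alarm, ground truth) onto the four cells of Table 1."""
    if alarm is None and truth is None:
        return "TN"   # no sign of alarm and no attack
    if alarm is None:
        return "FN"   # no sign of alarm but attack
    if truth is None:
        return "FP"   # sign of alarm but no attack
    return "TP"       # sign of alarm and attack detected


def score(records: List[Record]) -> Counter:
    """Count TN/FN/TP/FP over a batch of records."""
    return Counter(outcome(classify(r), r.truth) for r in records)


# Constructed sample traffic, not captured data.
SAMPLE = [
    Record(True, 0, 2.0, 0, None),            # normal lease renewal  -> TN
    Record(True, 40, 12.0, 0, None),          # normal page fetch     -> TN
    Record(False, 0, 0.0, 0, "DoS"),          # dropped, no ack       -> TP
    Record(True, 4096, 30.0, 0, "probe"),     # payload growth        -> TP
    Record(True, 10, 7200.0, 0, "U2R"),       # very long session     -> TP
    Record(True, 10, 15.0, 8, "R2L"),         # repeated failed logins-> TP
    Record(True, 10, 20.0, 2, "R2L"),         # below login threshold -> FN
    Record(True, 900, 60.0, 0, None),         # large legitimate upload -> FP
]

if __name__ == "__main__":
    print(score(SAMPLE))   # Counter({'TP': 4, 'TN': 2, 'FN': 1, 'FP': 1})
```

The FN and FP rows show how the chosen thresholds, not the signs themselves, decide the two hard cases the text singles out.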
Fig. 13: Capturing capability of probe attacks of MSAIDS vs. other techniques
The statistical results suggest that MSAIDS could also prove useful in the medical field for diagnosing several diseases, especially heart disease and cancer. The major breakthrough of this research is the detection of true positive and false negative attacks, because they are very hard to capture.
Through these anomalies the confidentiality of a system is compromised and the privacy of users is exposed.
Fig. 14: Receiving and analyzing packets capability of MSAIDS
Fig. 15: Receiving and analyzing packets capability of DMSIDS
The proposed method also captures real worm attacks and all other looming attacks. Figures 14 to 17 show the receiving and packet-analysis capturing capability of our approach and of the other known approaches.
Fig. 16: Receiving and analyzing packets capability of ACOIDS
Fig. 17: Receiving and analyzing packets capability of SBIDS
The major advantage of the MSAIDS approach is that it detects all types of anomalies and unknown threats efficiently. Systems are mostly infected by new sorts of malware, which consume the processing resources of the system. If system resources are consumed by unnecessary programs, MCL is highly affected and, in consequence, the collaboration process is disrupted.
MSAIDS also detects activity for any specific session and creates a specific alarm for each type of anomaly. Furthermore, the deployed algorithms and the addition of new rules to an ordinary IDS improve performance and restore the privacy of users. The implementation of MSAIDS is supported by a sound architectural design that is also robust and withstands attacks once they are detected. Statistical data shows 99.996% overall effectiveness of MSAIDS.
Figures 18 to 21 plot the generated versus captured capability for signature-based attacks.
Fig. 18: Generated vs. captured capability of SBIDS
Fig. 19: Generated vs. captured capability of ACOIDS
Fig. 20: Generated vs. captured capability of DMSIDS
Fig. 21: Generated vs. captured capability of MSAIDS
The proposed MSAIDS approach produces 2.269 to 49.11 % higher capturing rates than the other existing techniques, as shown in Figure 22.
Fig. 22: Overall capturing capability of MSAIDS vs. different techniques
The more interesting part of this research is the separate, detailed description of all types of anomalies in the form of false positives, false negatives, true positives and true negatives. These parameters give a concrete idea of how to use the features for various types of applications in a real environment.
Figure 23 shows the collective mean values of all types of anomalies.
Fig. 23: Unknown (anomaly-based) attacks capturing capability of MSAIDS vs. different techniques
Conclusion
In this paper, a multi-frame signature-cum anomaly-based intrusion detection system (MSAIDS) is introduced. MSAIDS handles the malicious activities of a rogue DHCP server. The paper targets the well-known nasty threats generated by a rogue DHCP server, which the attacker uses to sniff the traffic of legitimate users. The current IDS mechanisms do not control these attacks, especially DoS attacks. A rogue DHCP server is obviously very simple, yet it collapses the network by creating nastier attacks such as sniffing network traffic, masquerading attacks, shutting down systems and DoS attacks.
The paper gives a detailed clarification of these attacks and discusses the attack generation process of a rogue DHCP server. To control this issue, a novel approach comprising algorithms, mathematical modeling and the addition of new rules to the current IDS has been proposed. To validate the proposal, it is simulated using three different types of simulators: test bed, ns2 and C++ discrete simulation. On the basis of the simulation results, we reach interesting findings. MSAIDS not only improves capturing performance but also detects the attacks generated by a rogue DHCP server. It also significantly reduces false alarms.
Finally, we compare the performance of MSAIDS with the other existing techniques; it produces 2.269 to 49.11 % better results.
In future, an application of this approach will be deployed in the medical field to detect viral attacks, securing the heart from myocarditis. The work will also bring substantial progress in the field of mobile collaborative learning.