OPNET Technologies
7255 Woodmont Avenue
Bethesda, MD 20814

Tel: 240-497-3000

Fax: 240-497-3001
E-mail: University@opnet.com
Web: http://www.opnet.com

OPNET is a registered trademark of OPNET Technologies
© 2000 OPNET Technologies
University: University of Central Florida
Name of Sponsoring Professor: Sheau-Dong Lang
Department: Computer Science

Research:

Network traffic simulation for intrusion detection.

Network security is an important issue facing the IT industry today. Among all security problems, the study of network intrusion and its detection is especially difficult and urgent because real attack scenarios are unpredictable and cannot be repeated. Attackers apply an array of techniques to disrupt normal system operation, while on the defensive side the firewalls and practical intrusion detection systems (IDS) in use today are effective only against known intrusions with known signatures, and are far from mature when faced with novel attacks. It is therefore very promising to use a simulator to replay an attack scenario, study its intrinsic characteristics, and then find a way to defeat it.

Our work deals with the simulation of intrusion traffic by explicitly generating data packets based on real-life TCPDUMP data that contain intrusion packets. The explicitly generated traffic in the OPNET simulation allows research on data filtering and intrusion detection strategies. Some of our experimental simulation studies using OPNET are described in the following figures. Both the efficiency and the network performance of the simulated networks are observed and reported.

Figure 1: The network model simulating Dosnuke intrusion (left); The attribute panel of the packet generator, with customized packet format and scripted packet inter-arrival times calculated from pre-processing the source data (right).

Figure 2: The inbound traffic of the firewall (left); data traffic to port 25 of the victim PC (right).

Figure 3: The simulation model for the ProcessTable attack and the underlying process for building the model.
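The pre-processing step named in the Figure 1 caption, deriving scripted packet inter-arrival times from the source capture, can be done with a small parser over tcpdump's text output. The following is an added example, not the project's own pre-processing code. It assumes tcpdump's default text record format (an HH:MM:SS.ffffff timestamp followed by "IP src.port > dst.port:"), which differs between tcpdump versions; the capture lines, the addresses (documentation ranges) and the victim port are constructed for the illustration.

```python
"""
Pre-processing a tcpdump text capture into the per-packet inter-arrival
times that a scripted packet generator replays.

Added illustration for this page, not the project's own code. It assumes
tcpdump's default text timestamp format; the sample lines are constructed.
"""
import re

# Constructed sample of tcpdump text output (not a real capture): a burst of
# connection attempts to port 25 of one host, one unrelated packet, and one
# non-packet line that a parser must skip.
SAMPLE_CAPTURE = """\
10:00:00.000000 IP 192.0.2.10.40001 > 198.51.100.5.25: Flags [S], seq 1, win 512, length 0
10:00:00.250000 IP 192.0.2.10.40002 > 198.51.100.5.25: Flags [S], seq 2, win 512, length 0
10:00:00.300000 IP 192.0.2.20.5353 > 198.51.100.5.80: Flags [P.], seq 1:10, ack 1, win 512, length 9
10:00:00.500000 IP 192.0.2.10.40003 > 198.51.100.5.25: Flags [S], seq 3, win 512, length 0
this line is not a packet record and is skipped
10:00:00.750000 IP 192.0.2.10.40004 > 198.51.100.5.25: Flags [S], seq 4, win 512, length 0
"""

# Assumed record layout: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport:"
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

DAY_US = 24 * 3600 * 1_000_000


def parse_packets(text):
    """Yield (timestamp_us, dst_ip, dst_port) for every parseable line.
    Timestamps are kept as integer microseconds since midnight so that
    differences are exact rather than subject to float rounding."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, truncated record or other non-packet text
        h, mi, s, us = (int(m.group(i)) for i in range(1, 5))
        ts_us = ((h * 60 + mi) * 60 + s) * 1_000_000 + us
        yield ts_us, m.group("dst"), int(m.group("dport"))


def packet_times(text, dst_ip, dst_port):
    """Timestamps (microseconds) of the packets sent to one victim port,
    in capture order."""
    return [ts for ts, dst, port in parse_packets(text)
            if dst == dst_ip and port == dst_port]


def inter_arrival_times(stamps_us):
    """Gaps in seconds between consecutive packets. tcpdump's default
    timestamps carry no date, so a negative gap means the clock wrapped
    past midnight and a day is added back."""
    gaps = []
    for prev, cur in zip(stamps_us, stamps_us[1:]):
        delta = cur - prev
        if delta < 0:
            delta += DAY_US
        gaps.append(delta / 1_000_000)
    return gaps


def generator_script(text, dst_ip, dst_port):
    """The values a scripted generator needs for one stream: how many
    packets to emit and the gap to wait before each packet after the first."""
    stamps = packet_times(text, dst_ip, dst_port)
    gaps = inter_arrival_times(stamps)
    return {
        "packets": len(stamps),
        "gaps_s": gaps,
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
    }


if __name__ == "__main__":
    print(generator_script(SAMPLE_CAPTURE, "198.51.100.5", 25))
```

The gap list is what the generator's scripted inter-arrival attribute is fed; the packet count and mean gap are handy sanity checks against the original capture before the simulated stream is trusted.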

Frequency-based intrusion detection strategy. 

The frequency-based intrusion detection strategy searches for frequency patterns within the time series created by network traffic signals. This new strategy is aimed at, but not limited to, DoS and probe attacks. The detection method is based on the observation that such attacks are most likely driven by scripted code, which can produce periodic patterns in either the packet stream or the connection arrivals. Thus, by applying Fourier analysis to the time series created by network traffic signals, we can identify whether periodic patterns exist in the traffic. Experimental results on the DARPA datasets indicate that the proposed strategy is effective in detecting certain anomalous traffic within large-scale time series data that exhibit patterns over time. The strategy has the advantage that it does not depend on prior knowledge of attack signatures, so it has the potential to supplement any signature-based intrusion detection system (IDS) or firewall.

[Figure panels: Connection 0, Connection 1, Connection 2, Connection 3, Connection 4, Connection 5]

Figure 1: The frequency pattern of the inter-arrival times of several connections, including a ProcessTable attack and a probe attack. The data come from the 1999 DARPA dataset.

Studying the effect of transmission delays on our frequency-based strategy. 

We continue our previous work of using OPNET to simulate intrusions, and we also evaluate our new frequency-based intrusion detection strategy in the OPNET model. In our studies, the network traffic data that contain intrusion packets come from DARPA's TCPDUMP files and from a network sniffer's capture in a laboratory environment. We build a network model in OPNET to simulate the network traffic; it includes a firewall node that implements the new intrusion detection algorithm using the Discrete Fourier Transform (DFT). The main advantage of the DFT-based detection strategy is that it analyzes the network traffic and reveals suspicious frequency patterns which, when combined with other simple statistical features of the traffic data, often improve the effectiveness of signature-based intrusion detection systems. We report the experimental results of our algorithm as well as an OPNET study of the effect of transmission delay on the frequency spectrum.

The frequency-based intrusion detection strategy rests on the assumption that the delay introduced by packet transmission does not significantly distort the spectrum of the packet inter-arrival time sequence relative to that of the original packet sending times. To test this assumption, we use OPNET to collect traffic patterns in two different network models.
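The spectral test of the frequency-based strategy described earlier, together with the transmission-delay assumption of the paragraph above, as an added example that is not the project's OPNET model or firewall code. It bins constructed packet timestamps into a packets-per-100-ms series, computes the DFT in pure Python, and scores how far the strongest spectral line stands above the rest; the same scoring is then run on the scripted stream after a constructed delay model (a fixed 40 ms plus up to 150 ms of uniform jitter per packet, deliberately larger than one bin) to see whether the dominant period survives. The bin width, window length, scripted-probe timing, Poisson background, delay parameters and detection threshold are all assumed values chosen for the illustration, not figures from the study.

```python
"""
Frequency-based detection of scripted (periodic) traffic, and a check of
how transmission delay affects the spectrum.

Added illustration for this page; it is not the UCF/OPNET project's code.
All traffic is constructed inline (timestamps in integer milliseconds) and
the DFT is written out directly, so the script needs no third-party library.
"""
import cmath
import math
import random

BIN_MS = 100          # assumed: width of one bin of the traffic time series
DURATION_MS = 64_000  # assumed: observation window, i.e. 640 bins


def arrival_counts(arrival_ms, bin_ms=BIN_MS, duration_ms=DURATION_MS):
    """Bin packet arrival timestamps into a packets-per-interval series.
    This count series is the 'traffic signal' the DFT is applied to."""
    counts = [0] * (duration_ms // bin_ms)
    for t in arrival_ms:
        k = t // bin_ms
        if 0 <= k < len(counts):
            counts[k] += 1
    return counts


def magnitude_spectrum(signal):
    """|X[k]| for k = 1 .. N//2 of the mean-removed signal (direct DFT).
    The DC term k = 0 is dropped so a steady average rate cannot dominate."""
    n = len(signal)
    mean = sum(signal) / n
    x = [v - mean for v in signal]
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    mags = []
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t in range(n):
            acc += x[t] * twiddle[(k * t) % n]
        mags.append(abs(acc))
    return mags


def dominant_period(arrival_ms, bin_ms=BIN_MS, duration_ms=DURATION_MS):
    """Return (period_ms, peak_ratio).

    period_ms  : period of the strongest spectral line
    peak_ratio : its magnitude divided by the mean magnitude of the other
                 lines. A scripted source gives a large ratio; Poisson-like
                 traffic spreads its energy and gives a small one."""
    counts = arrival_counts(arrival_ms, bin_ms, duration_ms)
    mags = magnitude_spectrum(counts)
    i_peak = max(range(len(mags)), key=mags.__getitem__)
    rest = mags[:i_peak] + mags[i_peak + 1:]
    rest_mean = sum(rest) / len(rest)
    ratio = mags[i_peak] / rest_mean if rest_mean > 0 else math.inf
    period_ms = len(counts) * bin_ms / (i_peak + 1)   # line index k = i + 1
    return period_ms, ratio


def is_periodic(arrival_ms, threshold=6.0):
    """Flag a stream whose spectrum has one line far above the rest
    (the threshold is an assumed value; calibrate it on benign traffic)."""
    return dominant_period(arrival_ms)[1] >= threshold


# ---- constructed traffic, not captured data --------------------------------

def scripted_stream(period_ms=1000, burst=3, gap_ms=100):
    """A scripted probe: every period_ms it emits `burst` packets gap_ms apart."""
    return [p + j * gap_ms
            for p in range(0, DURATION_MS, period_ms) for j in range(burst)]


def background_stream(mean_gap_ms=320, seed=7):
    """Poisson-like benign background: exponential inter-arrival times."""
    rng = random.Random(seed)
    times, t = [], 0.0
    while True:
        t += rng.expovariate(1.0 / mean_gap_ms)
        if t >= DURATION_MS:
            return times
        times.append(int(t))


def with_transmission_delay(send_ms, base_ms=40, jitter_ms=150, seed=11):
    """Model the path from sender to the observing firewall as a fixed delay
    plus per-packet uniform jitter (assumed delay model, wider than one bin)."""
    rng = random.Random(seed)
    return [t + base_ms + rng.randint(0, jitter_ms) for t in send_ms]


def run_study():
    """Spectra of the scripted stream alone, benign traffic alone, the mix,
    and the scripted stream as seen after transmission delay."""
    attack, noise = scripted_stream(), background_stream()
    return {
        "scripted only": dominant_period(attack),
        "background only": dominant_period(noise),
        "scripted + background": dominant_period(attack + noise),
        "scripted, delayed": dominant_period(with_transmission_delay(attack)),
    }


if __name__ == "__main__":
    for name, (period, ratio) in run_study().items():
        print(f"{name:22s} period={period:7.1f} ms  peak/mean={ratio:6.1f}"
              f"  periodic={ratio >= 6.0}")
```

Running it prints the four cases: the scripted stream alone shows a single line at a 1 s period with a very high peak-to-mean ratio, the benign background has no dominant line, the mix still shows the 1 s line, and the delayed stream keeps the same period with a lower but still clear ratio, which is what the assumption requires. Jitter that is large compared with the bin width spreads each burst over neighbouring bins and lifts the noise floor, so the ratio drops; a jitter comparable to the attack period would be the point at which this detector starts to fail.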

Figure 1: Two OPNET models for the transmission delay study. (left) A simple LAN, where a web client sends traffic to three servers; we collect the inter-arrival times at the web client and the main server. (right) A WAN, where Dublin sends traffic to London through an Internet cloud; we collect the packet arrival times at Dublin and London. Other traffic, such as email and FTP, is generated by the other five nodes and coexists with the custom traffic.

Figure 2: The configuration panel of the Internet cloud in the WAN model.

Authored Papers:

1. Shabana Razak, Mian Zhou, Sheau-Dong Lang, "Network Intrusion Simulation Using OPNET", in OPNETWORK Proceedings 2002.

2. Mian Zhou, Sheau-Dong Lang, "Network Intrusion Traffic Pattern Study Using OPNET", in OPNETWORK Proceedings 2003.

3. Mian Zhou, Sheau-Dong Lang, "A Frequency-Based Approach to Intrusion Detection", in Proceedings of the Workshop on Network Security Threats and Countermeasures, July 2003.
