CHAPTER 1 INTRODUCTION

1. 1 CLOUD COMPUTING Cloud computing provides its user with many capabilities like accessing a large number of applications without the need for having a license, purchasing, installing or downloading any of these applications. It also reduces both running and installation costs of computers and software as there is no need to have any infrastructure. Users can access information anywhere; all they need is to connect to a network (usually the Internet). Cloud computing offers company an increased storage than traditional storage systems. 1.1.1 Cloud Deployment Models Deploying cloud computing can differ depending on requirements, and the following four deployment models have been identifi ed, each with specific characteristics that support the needs of the services and users of the clouds in particular ways: Private Cloud: The cloud infrastructure has been deployed, and is maintained and operated only for a specific organization. The cloud may be hosted within the organization or externally and is managed internally or by a third-party. This model does not benefit from the less hands-on management, nor from the economic advantages that make cloud computing such an intriguing concept. Public Cloud: The cloud infrastructure is made available to the public on a commercial basis by a cloud service provider. This enables a consumer to develop and deploy a service in the cloud with very little financial implications compared to the capital expenditure requirements normally associated with other deployment options. Community Cloud: The cloud infrastructure is shared among a number of organizations with similar interests and requirements. It can be managed internally or by a third party and hosted within the organization or externally. The costs are shared among fewer users than a public cloud. Hence a community cloud benefits from

medium costs as a result of a sharing policy. By means of comparison, with the private cloud the costs increase alongside the level of expertise needed. Hybrid cloud: It is a combination of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. By utilizing hybrid cloud architecture, companies and individuals are able to obtain degrees of fault tolerance combined with locally immediate usability without being entirely dependent on third party services. Hybrid Cloud architecture requires both on-premises resources and off-site (remote) server based cloud infrastructure. Hybrid clouds lack the flexibility, security and certainty of in-house applications. However, they provide the flexibility of in-house applications with the fault tolerance and scalability of cloud based services. 1.1.2 Cloud Computing Service Delivery Models Cloud computing providers offer three fundamental service models: Infrastructure as a Service (Iaas) : Cloud computing providers offer physical and virtual computers, extra storage networking devices etc. The virtual machines are run by hypervisors that is organized into pools and controlled by operational support systems. It is cloud users responsibilities to install operating system images on the virtual machines as well as their application software.

Fig1.1. Service Models of Cloud Computing.

Platform as a Service (Paas)

: It refers to computing platforms such as web

servers, databases operating systems and programming environments, where the cloud user uses a software or platforms offers by CSP. Software as a Service (SaaS) : Cloud users can use software that is already

installed and running on the cloud infrastructure. Thus, eliminating the need of installing and running the software on their own computers. Additionally, the need for software maintenance and support is eliminated. 1.1.3 Cloud Security Attacks Cloud computing involves three parties: Cloud Customer or user, Cloud Service Provider CSP and Cloud network (usually the Internet that can be considered as the transmission media of the cloud) as illustrated in figure 1.2.

Fig1.2 The three parties of cloud computing There are many security threats at different levels, such as threats at Cloud Service Provider CSP level, network Level and user/host level. These threats must be dealt with since it is necessary to keep the cloud up and running continuously. In this section we will study different types of attacks at different levels and the ways to reduce their damage of effect. 1.2 INTRUDER An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. The term "intruders" compromises more than just human attackers who manage to gain access to computer resources although the resource was not meant to be used by them in the first place. Apart from these human attackers who are popularly called "hackers", intruders can be computer programs that seem to be useful, but contain secret functionality to invade a system or a resource. . Programs containing viruses can act

as intruders too. Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security. 1.2.1 Types of Intruders One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker Anderson [ANDE80] identified three classes of intruders: Masquerader : An individual who is not authorized to use the computer and who penetrates a systems access controls to exploit a legitimate users account Misfeasor : A legitimate user who accesses data, programs, or resources for

which such access is not authorized, or who is authorized for such access but misuses his or her privileges Examples of Intrusion: Performing a remote root compromise of an e-mail server Defacing a Web server Guessing and cracking passwords Copying a database containing credit card numbers Viewing sensitive data, including payroll records and medical information without authorization Running a packet sniffer on a workstation to capture usernames and passwords Using a permission error on an anonymous FTP server to distribute pirated software and music files Dialing into an unsecured modem and gaining internal network access Posing as an executive, calling the help desk, resetting the executives e-mail password, and learning the new password Using an unattended, logged-in workstation without permission 1.3 INTRUSION DETECTION Inevitably, the best intrusion prevention system will fail. A systems second line of defense is intrusion detection, and this has been the focus of much research in recent years. This interest is motivated by a number of considerations, including the following:

If an intrusion is detected quickly enough, the intruder can be identified and rejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.

An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. Ofcourse, we cannot expect that there will be a crisp, exact distinction between an attack by an intruder and the normal use of resources by an authorized user. Rather, we must expect that there will be some overlap.

Fig 1.3 Profiles of Behavior of Intruders and Authorized Users

Figure1.3 suggests, in very abstract terms, the nature of the task confronting the designer of an intrusion detection system. Although the typical behavior of an

intruder differs from the typical behavior of an authorized user, there is an overlap in these behaviors.Thus, a loose interpretation of intruder behavior, which will catch more intruders, will also lead to a number of false positives, or authorized users identified as intruders. On the other hand, an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false negatives, or intruders not identified as intruders. Thus, there is an element of compromise and art in the practice of intrusion detection.

CHAPTER 2 LITERATURE SURVEY

1. The paper entitled: A Scalable Approach to Attack Graph Generation Year: 2006 Authors: Xinming Ou, Wayne F. Boyer, Miles A. McQueen Attack graphs are important tools for analyzing security vulnerabilities in enterprise networks. Previous work on attack graphs has not provided an account of the scalability of the graph generating process, and there is often a lack of logical formalism in the representation of attack graphs, which results in the attack graph being difficult to use and understand by human beings. This paper presents a new approach to represent and generate attack graphs. We propose logical attack graphs, which directly illustrate logical dependencies among attack goals and configuration information. Advantages: It clearly specifies the causality relations between system configuration information and an attackers potential privileges. Improved scalability 2. The paper entitled: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Year: 2008 Authors: Guofei Gu, Junjie Zhang, and Wenke Lee Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., HTTP. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the

C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C. Advantages: It has very promising detection accuracy Very low false positive rate. 3. The paper entitled: A New Alert Correlation Algorithm Based on Attack Graph Year: 2011 Authors: Sebastian Roschke, Feng Cheng, and Christoph Meinel Intrusion Detection Systems (IDS) have been proposed for years as an efficient security Measure. The problem of false positive alerts is a well known problem for many IDS. The number of false positive alerts increases as a single event may be detected and reported multiple times by different involved sensors. In this paper, an AG based correlation algorithm is proposed. The algorithm consists of a mapping of alerts to AG nodes, the alert aggregation function, a function for building an alert dependency graph, and a function for finding suspicious subsets using the Floyd-Warshall algorithm and the diameter value. The algorithm is implemented and tested based on real data. Advantages: This can improve the filtering without getting inaccurate in the results. 4. The paper entitled: Securing Cloud Servers against Flooding Based DDoZ Attacks Year: 2012 Authors: Niraj Suresh Katkamwar, Atharva Girish Puranik and Purva Deshpande Distributed denial-of-service (DDoS) attacks pose a serious threat to network security. There have been a lot of methodologies and tools devised to detect DDoS attacks and reduce the damage they cause. Still, most of the methods cannot simultaneously achieve Efficient detection with a small number of false alarms Real-time transfer of packets. 8

The DDoS attacks can be classified into following three main categories: Bandwidth Attacks Protocol Attacks Software Vulnerability

In this paper, we have used a distance-based DDoS technique which uses a simple but effective exponential smoothing technique to predict the mean value of distance in the next time period. The proposed technique relies on MMSE to support efficient traffic arrival rate prediction for separated traffic. We tested the technique in the Internet-like network implemented on NS2 with over 100 nodes. Advantages: The technique is effective. It can detect DDoS attacks with high detection rate. Low false positive rate. 5. The paper entitled: Detecting Spam Zombies by Monitoring Outgoing Messages Year: 2012 Authors: Zhenhai Duan, Peng Chen, Fernando Sanchez, In this paper, we developed an effective spam zombie detection system named SPOT by monitoring outgoing messages in a network. SPOT was designed based on a simple and powerful statistical tool named Sequential Probability Ratio Test to detect the compromised machines that are involved in the spamming activities. SPOT has bounded false positive and false negative error rates. we will develop three spam zombie detection algorithms. The first one is SPOT, which utilizes the Sequential Probability Ratio Test. The other two spam zombie detection algorithms are developed based on the number of spam messages and the percentage of spam messages sent from an internal machine. Advantages: It minimizes the number of required observations to detect a spam zombie.

CHAPTER 3 SYSTEM ANALYSIS

3.1 EXISTING SYSTEM In a cloud system, the attack is occurred in the cloud server. So, we cant find out the hacking process. All the systems are lost the data's under the server. The transaction will be delay. Such attacks are more effective in the cloud environment because cloud users usually share computing resources. e.g., being connected through the same switch, sharing with the same data storage and file systems, even with potential attackers. Disadvantage Not accuracy in the attack detection from attackers. No detection and prevention in virtual network environment. 3.2 PROPOSED SYSTEM In this project we proposed Network Intrusion detection and Countermeasure sElection in virtual network systems (NICE) to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms, indeed NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs. Advantage The alert attack graph approach using to detect and prevent the attack by correlating attack behavior and also suggests effective countermeasures. We devise NICE, a new multiphase distributed network intrusion detection and prevention framework in a virtual networking environment that captures and inspects the hackers details and it is stored in VM profiling.

10

CHAPTER 4 SYSTEM SPECIFICATION

4.1 HARDWARE REQUIREMENTS Processor Speed RAM Hard Disk Keyboard Mouse Monitor - Pentium IV - 3.0 GHz - 512 MB - 80 GB - Windows Standard Keyboard - Two or Three Button Mouse - SVGA

4.2 SOFTWARE REQUIREMENTS Operating System Software tool - Windows 7 or Windows XP - Cygwin

11

CHAPTER 5 SOFTWARE DESCRIPTION

5.1 About NS-2

NS-2 is an open-source simulation tool running on Unix-like operating systems . It is a discreet event simulator targeted at networking research and provides substantial support for simulation of routing, multicast protocols and IP protocols, such as UDP, TCP, RTP and SRM over wired, wireless and satellite networks. It has many advantages that make it a useful tool, such as support for multiple protocols and the capability of graphically detailing network traffic. Additionally, NS-2 supports several algorithms in routing and queuing. LAN routing and broadcasts are part of routing algorithms. Queuing algorithm includes fair queuing, deficit round robin and FIFO. 5.2 NS 2 Architecture

Fig.5.1 NS-2 Architecture

12

5.3 Features Of NS-2 Some of the features of NS-2 are as follows: Multiple interface support added Static Routing implemented for wireless nodes Co Channel interference added Adaptive data rate support for 802.11 BPSK Modulation Scheme Added Directional Antenna support added (More radiation pattern added in TENS1.2) Channel Number made configurable Addition of ARP entries through script 2-p protocol for point to point link added Several MAC parameters like RTS Threshold, Capture threshold made configurable

13

CHAPTER 6 PROJECT DESCRIPTION

6.1 ARCHITECTURE

Fig 6.1 NICE architecture within one cloud server cluster.

6.1.1 NICE-A NICE-A is a software agent implemented in each cloud server connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets using Open Flow tunneling or VLAN approaches. It is a Network-based Intrusion Detection System (NIDS) agent installed in either Dom0 or DomU in each cloud server. It scans the traffic going through Linux bridges that control all the traffic among VMs and in/out from the physical cloud servers.

14

6.1.2 VM Profiling Virtual machines in the cloud can be profiled to get precise information about their state, services running, open ports, and so on. One major factor that counts toward a VM profile is its connectivity with other VMs. An attacker can use portscanning program to perform an intense examination of the network to look for open ports on any VM. So information about any open ports on a VM and the history of opened ports plays a significant role in determining how vulnerable the VM is. All these factors combined will form the VM profile. They are maintained in a database and contain comprehensive information about vulnerabilities, alert, and traffic. The data comes from: Attack graph generator : While generating the attack graph, every

detected vulnerability is added to its corresponding VM entry in the database. NICE-A : The alert involving the VM will be recorded in the VM

profile database. Network controller : The traffic patterns involving the VM are based on

five tuples (source MAC address, destination MAC address, source IP address, destination IP address, protocol) We can have traffic pattern, where packets emanate from a single IP and are delivered to multiple destination IP addresses, and vice versa. 6.1.3 Attack Analyzer The major functions of NICE system are performed by attack analyzer, which includes procedures such as attack graph construction and update, alert correlation, and countermeasure selection. The process of constructing and utilizing the SAG consists of three phases: Information gathering, attack graph construction, and potential exploit path analysis. With this information, attack paths can be modeled using SAG. Each node in the attack graph represents an exploit by the attacker. Each path from an initial node to a goal node represents a successful attack. NICE attack graph is constructed based on the following information:

Cloud system information Virtual network topology and configuration information 15

Vulnerability information

The attack analyzer also handles alert correlation and analysis operations. This component has two major functions: constructs ACG provides threat information

6.1.4 Workflow of attack Analyzer

Fig 6.2 Workflow of attack analyzer

1. After receiving an alert from NICE-A, alert analyzer matches the alert in the ACG. 2. If the alert already exists in the graph and it is a known attack (i.e., matching the attack signature), the attack analyzer performs countermeasure selection procedure and then notifies network controller immediately to deploy countermeasure or mitigation actions.

16

3. If the alert is new, attack analyzer will perform alert correlation and analysis and updates ACG and SAG. This algorithm correlates each new alert to a matching alert correlation set (i.e., in the same attack scenario). 4. A selected countermeasure is applied by the network controller based on the severity of evaluation results. 5. If the alert is a new vulnerability and is not present in the NICE attack graph, the attack analyzer adds it to attack graph and then reconstructs it. 6.1.5 Network Controller The network controller is a key component to support the programmable networking capability to realize the virtual network reconfiguration feature based on OpenFlow protocol. In NICE, within each cloud server there is a software switch, which is used as the edge switch for VMs to handle traffic in and out from VMs. The network controller is responsible for collecting network information of current OpenFlow network and provides input to the attack analyzer to construct attack graphs network controller is able to discover the network connectivity information from OVS and OFS. This information includes current data paths on each switch and detailed flow information associated with these paths, such as TCP/IP and MAC header. The network flow and topology change information will be automatically sent to the controller and then delivered to attack analyzer to reconstruct attack graphs. Another important function of the network controller is to assist the attack analyzer module. Network controller is also responsible for applying the countermeasure from attack analyzer. If a severe alert is triggered and identifies some known attacks, or a VM is detected as a zombie, the network controller will block the VM immediately.

17

CHAPTER 7 MODULE DESCRIPTION ANG ALGORITHM USED

7.1 Modules 7.1.1 Network Formation In this module we can construct a topology to provide communication paths for wireless adhoc network. Here the node will give the own details such as Node ID through which the transmission is done and similarly give the neighbor nodes details. Each node has the routing table for update its local information. Specify components of the mobile node: set val(chan) Channel/WirelessChannel ; set val(prop) Propagation/TwoRayGround ; set val(ant) Antenna/OmniAntenna ; set val(ll) LL ; set val(ifq) Queue/DropTail/PriQueue ; set val(ifqlen) 50 ; set val(netif) Phy/WirelessPhy ; set val(mac) Mac/802_11 ; set val(rp) DSDV ; set val(nn) 2 ; Basic setup Create simulator instance: set ns_ [new Simulator] # channel type # radio-propagation model # Antenna type # Link layer type # Interface queue type # max packet in ifq # network interface type # MAC type # ad-hoc routing protocol # number of mobilenodes

18

Open trace file and activate it: set tracefd [open wireless.tr w] $ns_ trace-all $tracefd Create topography and channel: set topo [new Topography] $topo load_flatgrid 500 500 set chan [new $val(chan)] Create the GOD object (General Operations Director): create-god $val(nn) Creating the nodes After setting the configuration options, the nodes are created: for {set i 0} {$i < $val(nn) } {incr i} { set node_($i) [$ns_ node ] $node_($i) random-motion 0 } Example: set node_(0) [$ns node] $node_(0) set X_ 1155 $node_(0) set Y_ 794 $node_(0) set Z_ 0.0 $ns initial_node_pos $node_(0) 75

19

Fig 7.1 Network Formation 7.1.2 Data Routing A router is a device that forwards data packets between computer networks, creating an overlay internetwork. Routing is the process of selecting best paths in a network along which to send network traffic. In this module source node sends a data packets to destination, through the shortest channel. The wireless channel is act as medium for transferring the data information. The shortest path problem is the problem of finding a path between two vertices (or nodes) in a graph such that the sum of the weights of its constituent edges is minimized. A routing protocol specifies how routers communicate with each other, disseminating information that enables them to select routes between any two nodes on a computer network. Routing algorithms determine the specific choice

20

of route. Each router has a priori knowledge only of networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network. 7.1.3 Network Controller The traffic patterns involving the VM are based on five tuples (source MAC address, destination MAC address, source IP address, destination IP address, protocol). We can have traffic pattern, where packets emanate from a single IP and are delivered to multiple destination IP addresses, and vice versa. The network controller is a key component to support the programmable networking capability to realize the virtual network reconfiguration feature based on Open Flow protocol. The communication between cloud servers is handled by physical Open Flow-capable Switch. The network controller is responsible for collecting network information of current Open Flow network and provides input to the attack analyzer to construct attack graphs. 7.1.4 Control Center Control center connected to software switches on each cloud server. NICE-A is a software agent implemented in each cloud server connected to the control center through a dedicated and isolated secure channel, which is separated from the normal data packets using Open Flow tunneling or VLAN approaches. The network controller is responsible for deploying attack countermeasures based on decisions made by the attack analyzer. 7.1.5 Graph Design Based Result Graph is an essential part of display a result, so we plot a graph to show a various result comparison with packets, throughput, energy efficient, malicious node detection analysis. exec ./xgraph ENERGY.tr TRAFFIC.tr BANDWIDTH.tr -geometry 800x400 -t "PERFORMACE ANALYSIS ON QOS PARAMETERS" -x "NETWORKAREA" -y "PACKETDELIVERY RATIO" -bg white &

21

7.2 ALGORITHM USED 7.2.1 Alert Correlation Algorithm Alert Correlation algorithm is followed for every alert detected and returns one or more paths Si. For every alert ac that is received from the IDS, it is added to ACG if it does not exist. For this new alert ac, the corresponding vertex in the SAG is found by using function mapac. For this vertex in SAG, alert related to its parent vertex of type NC is then correlated with the current alert ac. This creates a new set of alerts that belong to a path Si in ACG or splits out a new path Si1 from Si with subset of Si before the alert a and appends ac to Si1. In the end of this algorithm, the ID of ac will be added to alert attribute of the vertex in SAG. It returns a set of attack paths S in ACG. Alert Correlation Algorithm Require: alert ac, SAG, ACG 1: if (ac is a new alert) then 2: create node ac in ACG 3: n1 vc 2 mapac 4: for all n2 2 parentn1 do 5: create edge (n2:alert; ac) 6: for all Si containing a do 7: if a is the last element in Si then 8: append ac to Si 9: else 10: create path Si1 fsubsetSi; a; acg 11: end if 12: end for 13: add ac to n1:alert 14: end for 15: end if 16: return S

22

7.2.2 Countermeasure Selection Algorithm Input to the algorithm is an alert, attack graph G, and a pool of countermeasures CM. The algorithm starts by selecting the node valet that Corresponds to the alert generated by a NICE-A. Before selecting the countermeasure, we count the distance of valet to the target node. If the distance is greater than a threshold value, we do not perform countermeasure selection but update the ACG to keep track of alerts in the system. For the source node valet, all the reachable nodes (includingthe source node) are collected into a set T . Because the alert is generated only after the attacker has performed the action, we set the probability of vAlert to 1 and calculate the new probabilities for all of its child (downstream) nodes in the set T. Now, for all t 2 T the applicable countermeasures in CM are selected and new probabilities are calculated according to the effectiveness of the selected countermeasures. The change in probability of target node gives the benefit for the applied countermeasure. In the next double for-loop, we compute the Return of Investment (ROI) for each benefit of the applied countermeasure. The countermeasure which when applied on a node gives the least value of ROI, is regarded as the optimal countermeasure. Finally, SAG and ACG are also updated before terminating the algorithm. The complexity of Algorithm 2 is OjV j _ jCMj, where jV j is the number of vulnerabilities and jCMj represents the number of countermeasures. Countermeasure Selection Algorithm Require: Alert;GE; V ; CM 1: Let vAlert Source node of the Alert 2: if Distance to TargetvAlert > threshold then 3: Update ACG 4: return 5: end if 6: Let T DescendantvAlert [ vAlert 7: Set PrvAlert 1 8: Calculate_Risk_Prob(T)

23

9: Let benefitjTj; jCMj_ ; 10: for each t 2 T do 11: for each cm 2 CM do 12: if cm: conditiont then 13: Prt Prt _ 1 _ cm: effectiveness 14: Calculate_Risk_Prob(Descendantt) 15: benefitt; cm_ _Prtarget node. (7) 16: end if 17: end for 18: end for 19: Let ROIjTj; jCMj_ ; 20: for each t 2 T do 21: for each cm 2 CM do 22: ROIt; cm_ benefitt;cm_ cost: cmintrusiveness:cm . (8) 23: end for 24: end for 25: Update SAG and Update ACG 26: return Select Optimal CMROI

24

CHAPTER 8 RESULTS

NETWORK FORMATION

25

START THE NICE PROCESS

SERVER PROCESS UTILIZATION

26

VIRSUS ENTER INTO THE CLOUD SERVER2

VIRUS INFECTS THE CLOUD SERVER2

27

NICE AGENT REPORT TO THE CONTROL CENTER

ATTACK ANALYZER COUNTERMEASURE THE PROBLEM

28

VIRUS REMOVED FROM THE CLOUD SERVER2

PERFORMANCE ANALYSIS OF QOS PARAMETERS

29

CHAPTER 9 CONCLUSION

CONCLUSION Here I have presented NICE, which is proposed to detect and mitigate collaborative attacks in the cloud virtual networking environment. NICE utilizes the attack graph model to conduct attack detection and prediction.It is used to improve the detection accuracy and defeat victim exploitation phases of collaborative attacks. The system performance evaluation demonstrates the feasibility of NICE.

30

APPENDIX I SAMPLE CODING

set val(chan) Channel/WirelessChannel

;# channel type

set val(prop) Propagation/TwoRayGround ;# radio-propagation model set val(netif) Phy/WirelessPhy set val(mac) Mac/802_11 ;# network interface type ;# MAC type ;# interface queue type ;# link layer type ;# antenna model ;# max packet in ifq ;# number of mobilenodes ;# routing protocol ;# Link repairing protocol ;# X dimension of topography ;# Y dimension of topography ;# time of simulation end

set val(ifq) Queue/DropTail/PriQueue set val(ll) set val(ant) LL Antenna/OmniAntenna

set val(ifqlen) 50 set val(nn) set val(rp) set val(rp) set val(x) set val(y) 33 NICE AMRIS 1500 1500

set val(stop) 10.0

set ns [new Simulator] set topo [new Topography]

$topo load_flatgrid $val(x) $val(y) create-god $val(nn) set tracefile [open out.tr w] $ns trace-all $tracefile set namfile [open out.nam w] $ns namtrace-all $namfile $ns namtrace-all-wireless $namfile $val(x) $val(y) set chan [new $val(chan)];#Create wireless channel$ns node-config -llType $val(ll) \-macType $val(mac) \ -ifqType $val(ifq) \-ifqLen $val(ifqlen) \ -antType $val(ant) \ -propType $val(prop) \-phyType $val(netif) \ -channel $chan \ -adhocRouting

31

AODV \ -topoInstance $topo \-agentTrace ON \ -routerTrace ON \ -macTrace ON \-movementTrace ON $ns color 0 darkgreen $ns color 1 darkgreen $ns color 2 red $ns color 3 brown $ns color 4 gray $ns color 5 black $ns color 6 blue $ns color 7 skyblue set node_(0) [$ns node] $node_(0) set X_ 1155 $node_(0) set Y_ 794 $node_(0) set Z_ 0.0 $ns initial_node_pos $node_(0) 75 set node_(1) [$ns node] $node_(1) set X_ 1022 $node_(1) set Y_ 674 $node_(1) set Z_ 0.0 $ns initial_node_pos $node_(1) 35 set node_(2) [$ns node] $node_(2) set X_ 1275 $node_(2) set Y_ 794 $node_(2) set Z_ 0.0 $ns initial_node_pos $node_(2) 35 set node_(3) [$ns node] $node_(3) set X_ 356 $node_(3) set Y_ 654 $node_(3) set Z_ 0.0 $ns initial_node_pos $node_(3) 35 set node_(4) [$ns node] $node_(4) set X_ 428 32

$node_(4) set Y_ 617 $node_(4) set Z_ 0.0 $ns initial_node_pos $node_(4) 35 set node_(5) [$ns node] $node_(5) set X_ 358 $node_(5) set Y_ 524 $node_(5) set Z_ 0.0 $ns initial_node_pos $node_(5) 35 set node_(6) [$ns node] $node_(6) set X_ 192 $node_(6) set Y_ 524 $node_(6) set Z_ 0.0 $ns initial_node_pos $node_(6) 35 set node_(7) [$ns node] $node_(7) set X_ 1275 $node_(7) set Y_ 676 $node_(7) set Z_ 0.0 $ns initial_node_pos $node_(7) 35 set node_(8) [$ns node] $node_(8) set X_ 877 $node_(8) set Y_ 515 $node_(8) set Z_ 0.0 $ns initial_node_pos $node_(8) 35 set node_(9) [$ns node] $node_(9) set X_ 511 $node_(9) set Y_ 524 $node_(9) set Z_ 0.0 $ns initial_node_pos $node_(9) 35 set node_(10) [$ns node] $node_(10) set X_ 1126 $node_(10) set Y_ 723 $node_(10) set Z_ 0.0 33

$ns initial_node_pos $node_(10) 35 set node_(11) [$ns node] $node_(11) set X_ 630 $node_(11) set Y_ 515 $node_(11) set Z_ 0.0 $ns initial_node_pos $node_(11) 35 $ns at 0.0 "$ns trace-annotate \" NICE Process started.....\"" $ns at 1.0 "$ns trace-annotate \" SERVER PROCESS UTILIZATION.....\"" $ns at 3.7 "$ns trace-annotate \" VIRUS INFECTS THE SERVER2 SO THE PROCESS IS VERY SLOW.....\"" $ns at 5.0 "$ns trace-annotate \" NICE AGENT REPORTS TO CONTROL CENTER.....\"" $ns at 7.2 "$ns trace-annotate \" ATTACK ANALYZER COUNTERMEASURES THE PROBLEM.....\"" proc NICE {malicious_node} { if(node_(31).rt_upd=true) { update_routing_table<<next_hop node id_no=X update_routing_table<<destination id_no=X select timer ""; select "node_() add-mark .white square" } else { update routing_table ""; } if(node_().rt_upd=false) { update_routing_table<<next_hop node id_no=20 update_routing_table<<destination id_no=18 select timer ""; 34

select route (msg*data) } else { update routing_table ""; } } proc controlmeasure {input skey} { upvar $skey key int n,e,d,p,q,u,m1,m2,h,m; if { [bitsize $key(n)] < [bitsize $input] } { puts "keysize [bitsize $key(n)] must be greater than text [bitsize nput]/$input" select risk_probality # e - public exponent } if {![info exists key(p)]} { return [rsa_slow_decrypt $input key] } else { # m1 = c ^ (d mod (p-1)) mod p set m1 [powm $input [fdiv_r $key(d) [sub_ui $key(p) 1]] $key(p)] # m2 = c ^ (d mod (q-1)) mod q set m2 [powm $input [fdiv_r $key(d) [sub_ui $key(q) 1]] $key(q)] # h = u * ( m2 - m1 ) mod q set h [sub $m2 $m1] 35

if {[cmp_si $h 0] < 0} set h [add $h $key(q)] } set h [fdiv_r [mul $key(u) $h] $key(q)] # m = m2 + h * p set m [add $m1 [mul $h $key(p)]] key =m1*m2/m return $m } proc encrypt_packet {ptext pkey} { upvar $pkey key set plen [binary format I [string length $ptext]] set md5 [binary format H32 [::md5::md5 $ptext]] # encrypt a packet # packet format: [md5][length][payload][padding] set ptext ${md5}${plen}$ptext return [encrypt $ptext key] encrypt m*h; } } set udp8 [$ns create-connection UDP $node_(27) LossMonitor $node_(26) 0] $udp8 set fid_ 1 $udp8 set class_ 1 set cbr7 [$udp8 attach-app Traffic/CBR] $cbr7 set packetSize_ 512 $cbr7 set interval_ .05 $ns at 1.0 "$cbr7 start" #$ns at 4.1 "$cbr7 stop" set udp9 [$ns create-connection UDP $node_(12) LossMonitor $node_(26) 0] $udp9 set fid_ 1 $udp9 set class_ 1 set cbr8 [$udp9 attach-app Traffic/CBR] $cbr8 set packetSize_ 512 36

$cbr8 set interval_ .05 $ns at 1.05 "$cbr8 start" #$ns at 4.1 "$cbr8 stop" set udp10 [$ns create-connection UDP $node_(13) LossMonitor $node_(10) 0] $udp10 set fid_ 1 $udp10 set class_ 1 set cbr9 [$udp10 attach-app Traffic/CBR] $cbr9 set packetSize_ 512 $cbr9 set interval_ .05 $ns at 1.1 "$cbr9 start" $ns at 3.75 "$cbr9 stop" set udp11 [$ns create-connection UDP $node_(10) LossMonitor $node_(0) 0] $udp11 set fid_ 1 $udp11 set class_ 1 set cbr10 [$udp11 attach-app Traffic/CBR] $cbr10 set packetSize_ 512 $cbr10 set interval_ .05 $ns at 1.15 "$cbr10 start" $ns at 3.75 "$cbr10 stop" set udp10 [$ns create-connection UDP $node_(13) LossMonitor $node_(10) 0] $udp10 set fid_ 1 $udp10 set class_ 1 set cbr9 [$udp10 attach-app Traffic/CBR] $cbr9 set packetSize_ 512 $cbr9 set interval_ .5 $ns at 3.8 "$cbr9 start" $ns at 7.5 "$cbr9 stop" set udp11 [$ns create-connection UDP $node_(10) LossMonitor $node_(0) 0] $udp11 set fid_ 1 $udp11 set class_ 1 set cbr10 [$udp11 attach-app Traffic/CBR] $cbr10 set packetSize_ 512 37

$cbr10 set interval_ .5 $ns at 3.8 "$cbr10 start" $ns at 7.5 "$cbr10 stop" set udp11 [$ns create-connection UDP $node_(14) LossMonitor $node_(25) 0] $udp11 set fid_ 1 $udp11 set class_ 1 set cbr10 [$udp11 attach-app Traffic/CBR] $cbr10 set packetSize_ 512 $cbr10 set interval_ .05 $ns at 5.0 "$cbr10 start" $ns at 7.0 "$cbr10 stop" set udp11 [$ns create-connection UDP $node_(25) LossMonitor $node_(8) 0] $udp11 set fid_ 1 $udp11 set class_ 1 set cbr10 [$udp11 attach-app Traffic/CBR] $cbr10 set packetSize_ 512 $cbr10 set interval_ .05 $ns at 5.05 "$cbr10 start" $ns at 7.0 "$cbr10 stop" set udp11 [$ns create-connection UDP $node_(8) LossMonitor $node_(16) 0] $udp11 set fid_ 1 $udp11 set class_ 1 set cbr10 [$udp11 attach-app Traffic/CBR] $cbr10 set packetSize_ 512 $cbr10 set interval_ .05 $ns at 5.1 "$cbr10 start" $ns at 7.0 "$cbr10 stop" set udp10 [$ns create-connection UDP $node_(13) LossMonitor $node_(10) 0] $udp10 set fid_ 1 $udp10 set class_ 1 set cbr9 [$udp10 attach-app Traffic/CBR] $cbr9 set packetSize_ 512 38

$cbr9 set interval_ .05 $ns at 7.6 "$cbr9 start" set udp11 [$ns create-connection UDP $node_(10) LossMonitor $node_(0) 0] $udp11 set fid_ 1 $udp11 set class_ 1 set cbr10 [$udp11 attach-app Traffic/CBR] $cbr10 set packetSize_ 512 $cbr10 set interval_ .05 $ns at 7.6 "$cbr10 start" proc finish {} { global ns tracefile namfile $ns flush-trace close $tracefile close $namfile exec ./xgraph ENERGY.tr TRAFFIC.tr BANDWIDTH.tr -geometry 800x400 -t "PERFORMACE ANALYSIS ON QOS PARAMETERS" -x "NETWORKAREA" -y "PACKETDELIVERY RATIO" -bg white & exec ./nam out.nam & exit 0 } for {set i 0} {$i < $val(nn) } { incr i } { $ns at $val(stop) "\$node_($i) reset" source z.tcl } $ns at $val(stop) "$ns nam-end-wireless $val(stop)" $ns at $val(stop) "finish" $ns at $val(stop) "puts \"done\" ; $ns halt" $ns run

39

REFERENCES

[1] X. Ou, W.F. Boyer, and M.A. McQueen, A Scalable Approach to Attack Graph Generation, Proc. 13th ACM Conf. Computer and Comm. Security (CCS 06), pp. 336-345, 2006. [2] G. Gu, J. Zhang, and W. Lee, BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, Proc. 15th Ann. Network and Distributed Sytem Security Symp. (NDSS 08), Feb. 2008. [3] S. Roschke, F. Cheng, and C. Meinel, A New Alert Correlation Algorithm Based on Attack Graph, Proc. Fourth Intl Conf. Computational Intelligence in Security for Information Systems, pp. 58-67, 2011

[4] Niraj Suresh Katkamwar, Atharva Girish Puranik

and Purva Deshpande,

Securing Cloud Servers against Flooding Based DDoZ Attacks,International Journal of Application or Innovation in Engineering & Management (IJAIEM),Nov. 2012.

[5] Z. Duan, P. Chen, F. Sanchez, Y. Dong, M. Stephenson, and J. Barker, Detecting Spam Zombies by Monitoring Outgoing Messages, IEEE Trans. Dependable and Secure Computing, vol. 9, no. 2, pp. 198-210, Apr. 2012.

[6] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A View of Cloud Computing, ACM Comm., vol. 53, no. 4, pp. 50-58, Apr. 2010. [7] Nidal M. Turab, Anas Abu Taleb Shadi R. Masadeh, CLOUD COMPUTING CHALLENGES AND SOLUTIONS, International Journal of Computer Networks & Communications (IJCNC) Vol.5, No.5, September 2013

40