
2nd International Conference on Engineering Innovations and Solutions (2'ICEIS-2017)

Seventh Sense Research Group www.internationaljournalssrg.org Page 1

A Distributed Malicious Attack Detection and Prevention Approach Using Honeypots in Ad-hoc Networks

M. Shanthalakshmi, Assistant Professor, Department of Computer Science and Engineering, SRM University, Chennai, India

Devraj Gogoi, Department of Computer Science and Engineering, SRM University, Chennai, India, [email protected]

Mayank Chhabra, Department of Computer Science and Engineering, SRM University, Chennai, India, [email protected]

Seemaant Rana, Department of Computer Science and Engineering, SRM University, Chennai, India, [email protected]

Shivam Thakur, Department of Computer Science and Engineering, SRM University, Chennai, India, [email protected]

Abstract— Malicious attacks on computer networks have become a serious concern in the world of information technology. Various malware protection programs are developed specifically to combat intrusions and other malware. In order to detect and prevent malicious attacks efficiently, an intrusion detection system manager is designed to monitor a network or systems for malicious activities. It analyses the entire network and identifies the traffic of known attacks. Once an attack is detected, alerts are sent to the administrator or the concerned service provider. Intrusion detection systems can also be designed using custom tools such as honeypots. Honeypots in an ad-hoc network are used to collect information about the various intruders in the network. This paper deals with the detection and prevention of distributed malicious attacks in ad-hoc networks using honeypots.

Keywords— Malicious attacks, honeypots, intrusion detection system, ad-hoc network

I. INTRODUCTION

Malicious attacks or malware gather sensitive information and gain access to secured networks or computer systems. Various intrusion detection techniques have been developed to stop any operations the malware may attempt on the system before they occur, including activities which might trigger unexpected network behaviour. Anti-malware programs can combat malware by providing real-time protection against the installation of malicious software on a computer. An intrusion detection system manager monitors a network or systems for malicious activity. Any malicious activity is reported either to an administrator or to the concerned service provider. An intrusion detection and prevention approach using honeypots in ad-hoc networks is proposed in this paper.

II. PROBLEM STATEMENT

Computer networks are vulnerable to different types of cyber-attacks. Although many cyber security techniques have been proposed, the increasing frequency of cyber-attacks is a major concern for the computing world. Most intrusion or malware detection techniques and software lack the credibility and efficiency required to stop distributed attacks or to detect the intruders. An attack is perpetrated by intruders with bad intentions, while others perform penetration testing on an organisation's information system to find out whether all foreseen controls are in place. Some of the most common network attacks are as follows [9]:

A. Denial of service attacks

A denial of service attack attempts to make a resource, such as a web server, unavailable to users. A common approach is to overload the resource with illegitimate requests for service. It is one of the most common attacks used by intruders to manipulate a network.


B. Brute force attacks

A brute force attack is a trial-and-error attempt to guess a system's password. One in four network attacks is a brute-force attempt. Automated software is specifically designed to guess hundreds or thousands of password combinations.

C. SSL attacks

SSL attacks are used by attackers to intercept or manipulate data that is sent over an encrypted connection. A successful attack gives access to classified information or data. SSL attacks are a major concern for cyber security.

D. Botnet attacks

A botnet is a program that represents a group of fake computers which are controlled remotely by one or more malicious attackers. Attackers use botnets for malicious activity, or rent the botnet out to perform malicious activity for others.

Therefore, to prevent such attacks, an intrusion detection system manager (IDS manager) is designed to detect the various intruders in a network. A honeypot is also designed to record all the details of the attackers. An IDS is used instead of a firewall because a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls also limit access between networks to prevent intrusion, and they do not signal an attack from inside the network. An IDS manager is designed to evaluate a suspected intrusion once it has taken place and to signal an alarm. It also watches for attacks that originate from within a system.

III. RELATED WORK

Seyyed Meysam Tabatabaie Nezhad, Mahboubeh Nazari and Ebrahim A. Gharavol [1] have described a novel DoS and DDoS detection algorithm, in which the variance of the packet-count time series is fixed using the Box-Cox transformation. This choice gives a better prediction based on an ARIMA model.

Weijiang Liu, Wenyu Qu, Jian Gong and Keqiu Li [2] have proposed a Vector Bloom Filter (VBF) and designed the corresponding algorithm to identify superpoints. The experimental results demonstrate that the VBF can detect superpoints precisely and efficiently. Treating an IP address as a bit string and designing hash functions based on bitwise operators is one available method.

Rajalakshmi Selvaraj, Venu Madhav Kuthadi and Tshilidzi Marwala [3] have presented an ant-based distributed denial of service detection technique in which a virtual roaming honeypot is used along with a multi-level secure architecture to collect information about the various intruders at different levels in the network. Based on the ACO technique, the collected information is sent to the multi-level architecture to restrict further connections of the intruders with the honeypot or to stop the further spread of intruders.

Taejin Ha, Seunghyun Yoon, Aris Cahyadi Risdianto, JongWon Kim and Hyuk Lim [4] have proposed a technique for suspicious flow forwarding for multiple intrusion detection systems on software defined networks. The intrusion detection performance depends heavily on how the suspicious traffic flows are distributed among the multiple IDSs. The proposed algorithm distributes the flows to multiple IDSs according to their routing paths: if two flows are close to each other in terms of routing path, they are forwarded to the same IDS.

Quang Duy La, Tony Q. S. Quek, Jemin Lee, Shi Jin and Hongbo Zhu [5] have proposed a game theoretic model to analyse the problem of deceptive attack and defence in a honeypot-enabled network. The presented game model and simulation results showed that, when facing a high concentration of active attackers, it is in the defender's best interest to deploy honeypots heavily.

Jian-Ming Chang, Po-Chun Tsou, Isaac Woungang, Han-Chieh Chao and Chin-Feng Lai [6] have proposed a new mechanism called the Collaborative Bait Detection Approach for detecting malicious nodes in MANETs under gray hole and collaborative black hole attacks.

Yogendra Kumar Jain and Surabhi Singh [7] have presented the concept of honeypots in depth and also how it might be useful to the field of network security. Honeypots are decoy systems which are used to gather information about the attacker. Honeypots are commonly used to prevent distributed denial of service attacks. They provide a learning tool for system administrators and also stimulate challenges concerning intrusion detection systems.

Navita Sharma and Gurpreet Singh [8] have proposed an intrusion detection system using a shadow honeypot. The shadow honeypot collects data from the IDS and checks whether each packet is malicious or not. If a packet is malicious, it is transferred to the shadow honeypot. The state changes effected by the malicious attack are returned to a safe state. This proposed system may improve the overall security of the system by detecting malicious attacks efficiently.

IV. PROPOSED FRAMEWORK

An intrusion detection system manager is designed to monitor a network or systems for malicious activities or policy violations. It analyses the entire network and identifies the traffic of known attacks. Once an attack is identified, alerts are sent to the administrator or the concerned service provider. The IDS uses a back propagation algorithm to trace back the root of attacks and also to handle low rate attacks such as on-off attacks.


The intrusion detection system manager is designed using custom tools and honeypots. Honeypots in an ad-hoc network are used to collect information about the various intruders in a multi-level architecture. The router maintains the routing table and transfers files using Dijkstra's shortest path algorithm. If any malicious nodes are found, the IDS Manager initiates the testing phase and an attacker profile is generated by the honeypot. If no malicious nodes are found, the router forwards the file to the required destination. The end user sends an acknowledgement to the sender once the file is received.

Figure 1: Architecture diagram of proposed framework

A. Working

Distributed malicious attacks can be detected and prevented efficiently with the help of the intrusion detection system manager along with other components as stated below:

1) IDS Manager: The Intrusion Detection System (IDS) manager is responsible for filtering the malicious data and traffic data. The IDS uses a back propagation algorithm to trace back the root of attacks and also to handle low rate attacks such as on-off attacks with short bursts. It consists of two phases: the reading phase and the test phase.

a) Reading Phase: The normal profile generation module runs in the reading phase to generate profiles for the various types of legitimate traffic records; the generated legitimate normal profiles are stored in a database.

b) Testing Phase: The tested profile generation module is used in the test phase to build profiles for individual traffic records. The tested profiles are then handed over to the intrusion detection component, which compares each individual tested profile with the respective stored normal profile.

2) Service Provider: The Service Provider browses the required file, initialises the nodes with a digital signature and uploads the file to the end user (node a, node b, node c, node d, node e, node f) via the Router. It also manages and stores the traffic records of the various nodes.

3) Router: The Router is responsible for forwarding the data file over the shortest distance to the destination using Dijkstra's shortest path algorithm. It consists of a group of nodes, each of which has a Bandwidth and a Digital Signature. If the router finds any malicious or traffic node, it forwards it to the IDS Manager. In the Router we can also assign the bandwidth of the nodes and view the node details with their Sender IP, Injected data, Digital Signature, Bandwidth and status.

4) Attacker: In this module, the attacker can inject fake messages and generate the signatures. It can also choose any router nodes to attack as well as change the bandwidth of the nodes. Once a message has been successfully injected, it prompts the attacker to continue or exit.

5) End User: In this module, the End User receives the data file from the Service Provider, sent via the Router. If malicious activities are found in the router, it forwards the traffic to the IDS manager, which filters the content and adds the source to the attacker profile.

6) Honeypot: A honeypot can be defined as a server that is configured to detect an intruder by mirroring a real production system. It appears to be an ordinary server doing work, but all the data stored in it is fake. The honeypot records all actions and interactions with users/attackers. Since honeypots do not provide any legitimate services, all activities on them are malicious.

Figure 2: Sequence diagram of proposed framework


B. Algorithms

1) Dijkstra's algorithm: Dijkstra's algorithm is used to find the shortest path from a source to all destinations in a directed graph. It also determines a spanning tree for the graph. Since finding the shortest path in a network is a commonly encountered problem, the proposed approach uses Dijkstra's algorithm to establish a short and secured transmission path between source and destination.
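The Router module of section IV.A (nodes carrying a Bandwidth and a Digital Signature, tampered nodes handed to the IDS manager) and the Dijkstra step above, worked through in Python as an added example that is not the paper's implementation. The node table, HMAC-SHA256 as the node's "digital signature", the link cost of 1/bandwidth and the sample topology N1..N5 are assumptions made for this example.

```python
"""Router module of the proposed framework: Dijkstra forwarding over nodes that
carry a Bandwidth and a Digital Signature; a node whose signature no longer
verifies is marked malicious, reported to the IDS manager and routed around.
Added example, not the paper's code; signature scheme and costs are assumed."""
import hashlib
import heapq
import hmac

PROVIDER_KEY = b"constructed-provider-key"  # constructed sample key


def sign_node(node_id, bandwidth, key=PROVIDER_KEY):
    """Signature the service provider attaches when initialising a node
    (assumed: HMAC-SHA256 over node id and bandwidth)."""
    return hmac.new(key, f"{node_id}:{bandwidth}".encode(), hashlib.sha256).hexdigest()


def build_nodes(bandwidths):
    """Router node table: Bandwidth (Mbps), Digital Signature and status."""
    return {n: {"bandwidth": bw, "signature": sign_node(n, bw), "status": "ok"}
            for n, bw in bandwidths.items()}


def verify_nodes(nodes, key=PROVIDER_KEY):
    """Router check: a node whose stored signature does not match its current
    bandwidth has been tampered with; mark it and report it to the IDS."""
    reported = []
    for n, rec in nodes.items():
        expected = sign_node(n, rec["bandwidth"], key)
        if hmac.compare_digest(expected, rec["signature"]):
            rec["status"] = "ok"
        else:
            rec["status"] = "malicious"
            reported.append(n)
    return reported


def dijkstra(graph, nodes, src, dst):
    """Shortest path with link cost 1/bandwidth of the next hop (assumed), so
    high-bandwidth nodes are preferred. Malicious nodes are skipped, i.e. the
    packet is carried through a safe neighbouring node instead."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v in graph.get(u, []):
            if nodes[v]["status"] != "ok":
                continue
            nd = d + 1.0 / nodes[v]["bandwidth"]
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None  # no safe path exists
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def forward(graph, nodes, src, dst):
    """One router step: verify the node table, hand tampered nodes to the IDS
    manager, then compute the delivery path around them."""
    reported = verify_nodes(nodes)
    return dijkstra(graph, nodes, src, dst), reported


# Constructed topology N1..N5 (undirected links) and node bandwidths.
GRAPH = {"N1": ["N2", "N3"], "N2": ["N1", "N4"], "N3": ["N1", "N4"],
         "N4": ["N2", "N3", "N5"], "N5": ["N4"]}
BANDWIDTHS = {"N1": 100, "N2": 100, "N3": 10, "N4": 100, "N5": 100}

if __name__ == "__main__":
    nodes = build_nodes(BANDWIDTHS)
    print(forward(GRAPH, nodes, "N1", "N5"))  # fastest path, nothing reported
    nodes["N2"]["bandwidth"] = 1000            # changed without a fresh signature
    print(forward(GRAPH, nodes, "N1", "N5"))  # N2 reported, path goes via N3
```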

2) Back propagation algorithm: The backward propagation algorithm is a common method of training artificial neural networks and is used in optimising a network. The algorithm repeats a two-phase cycle: propagation and weight update. When an input is provided to the network, it is propagated forward through the network until it reaches the destination. The output of the network is then compared to the required output using a loss function, and an error value is calculated. Back propagation uses the obtained error values to calculate the gradient of the loss function with respect to the weights in the network. The IDS uses the back propagation algorithm to trace back the root of attacks and also to handle low rate attacks such as on-off attacks with short bursts. To implement the algorithm, explicit formulas are required for the gradient of the function. The back propagation learning algorithm can be divided into two phases: propagation and weight update [11].

a) Propagation: Each propagation involves the following steps:

Forward propagation of an input through the network in order to generate the network's output value.

Backward propagation of the propagation's output activations through the network, using the training pattern target, in order to generate the difference between the targeted and actual output values of all output and hidden neurons, i.e. the delta.

b) Weight update: For each weight, the following steps are followed:

The weight's output delta and input value are multiplied to find the gradient of the weight.

A ratio of the weight's gradient is subtracted from the weight.

The sign of the gradient of a weight indicates whether the error varies directly with, or inversely to, the weight. Therefore, the weight must be updated in the opposite direction, descending the gradient. With the help of the back propagation algorithm, attacks can be detected efficiently by the IDS manager.
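The two-phase cycle above (propagation, then weight update), carried through on the IDS manager's own task: an added example, not the paper's code, that trains a small sigmoid network to separate normal traffic profiles from on-off burst and flood profiles. The two profile features, the 2-3-1 layer sizes, the squared-error loss and the constructed records are assumptions.

```python
"""Back propagation for the IDS manager: a 2-3-1 sigmoid network learns to tell
normal traffic profiles from on-off (low mean rate, high burst) and flood
profiles. Added example, not the paper's code; features and data are assumed."""
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class Net:
    """One hidden layer; each training step is one propagation phase followed
    by one weight-update phase, as described in the text."""

    def __init__(self, n_in=2, n_hid=3, seed=1):
        rnd = random.Random(seed)  # fixed seed keeps the run reproducible
        self.w1 = [[rnd.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hid)]
        self.w2 = [rnd.uniform(-0.5, 0.5) for _ in range(n_hid + 1)]

    def forward(self, x):
        """Propagation phase, forward half: input to network output value."""
        xb = x + [1.0]  # bias input
        h = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w1]
        hb = h + [1.0]  # bias for the output unit
        out = sigmoid(sum(w * v for w, v in zip(self.w2, hb)))
        return xb, hb, out

    def train_step(self, x, target, lr):
        """One full cycle for a single traffic record; returns its loss."""
        xb, hb, out = self.forward(x)
        # Propagation phase, backward half: deltas of output and hidden units
        # (squared-error loss; sigmoid derivative is a*(1-a)).
        d_out = (out - target) * out * (1.0 - out)
        d_hid = [d_out * self.w2[j] * hb[j] * (1.0 - hb[j]) for j in range(len(hb) - 1)]
        # Weight update phase: gradient = delta * input value; a ratio (lr) of
        # the gradient is subtracted, so the weight descends the gradient.
        for j in range(len(self.w2)):
            self.w2[j] -= lr * d_out * hb[j]
        for j, row in enumerate(self.w1):
            for i in range(len(row)):
                row[i] -= lr * d_hid[j] * xb[i]
        return 0.5 * (out - target) ** 2

    def predict(self, x):
        return 1 if self.forward(x)[2] >= 0.5 else 0


# Constructed profiles: [mean packet rate, burst ratio], both scaled to 0..1.
# Label 1 = attack. On-off attacks keep a low mean rate but a high burst ratio.
RECORDS = [
    ([0.30, 0.10], 0), ([0.25, 0.15], 0), ([0.40, 0.20], 0), ([0.20, 0.05], 0),
    ([0.25, 0.90], 1), ([0.30, 0.85], 1),  # on-off bursts
    ([0.95, 0.40], 1), ([0.90, 0.60], 1),  # sustained floods
]


def train(records=RECORDS, epochs=3000, lr=0.5):
    """Trains a fresh net; returns it with the first- and last-epoch loss."""
    net = Net()
    first = last = None
    for epoch in range(epochs):
        total = sum(net.train_step(x, y, lr) for x, y in records)
        first = total if epoch == 0 else first
        last = total
    return net, (first, last)


def classify(net, profile):
    return "attack" if net.predict(profile) else "normal"
```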

3) Threat Detection and Prevention algorithm: The Threat Detection and Prevention algorithm is implemented to detect the various kinds of malicious activities in an ad-hoc network. It not only detects them but also prevents them from manipulating the network. This approach is capable of detecting all kinds of attacks, such as signature based and anomaly based attacks, distributed denial of service attacks and intrusion based attacks. This system does not assume that the malicious user will be an outsider or external user; it may be a known or registered user who wants to access classified data. It consists of mainly two phases, namely the reading phase and the testing phase. It detects and classifies the various kinds of attacks in the testing phase. This system evaluates the malicious activity level of every user and also tracks it accurately. If the network exhibits a normal flow of data, then it initiates the reading phase and transfers the data to the required destination or end user.

V. RESULTS AND DISCUSSION

In the proposed framework, the router network consists of various nodes such as N1, N2, N3, N4, N5 etc. These nodes are used to transfer files or other documents from source to destination using Dijkstra's shortest path algorithm. The intrusion detection system manager (IDS manager) checks for any malicious activity in the router nodes. The back propagation algorithm is used to check for any loss of data packets in the router nodes. The service provider acts as the sender of any file or document to the required destination or end user.

Figure 3: Router network representation

If any intrusion or malicious activities are detected, the IDS manager initiates the testing phase and creates an attacker profile in the honeypot. The honeypot is used to store information about the intruders of the network (such as IP address, date and time). Then, the IDS manager transfers the data packet to the nearest safe node and continues to traverse the network.

If no malicious activities are found, then the IDS manager initiates reading phase and transfers the data file to the required destination. The end user sends an acknowledgement to the service provider upon completion of transfer.


Figure 4: Router nodes details

VI. CONCLUSION

In this paper we present a malicious attack detection and prevention approach using honeypots in ad-hoc networks. As a network can be threatened by security attacks such as DDoS, brute force attacks etc., it is essential to provide a security system for the safe transmission of data. An Intrusion Detection System (IDS) manager is designed to evaluate a suspected intrusion once it has taken place and to signal an alarm. The honeypot records all actions and interactions with attackers/users. The Router consists of a group of nodes and is responsible for forwarding the data file over the shortest distance to the destination using Dijkstra's shortest path algorithm. With the help of this approach, attacks can be detected and prevented efficiently in a network.

References

[1] Seyyed Meysam Tabatabaie Nezhad, Mahboubeh Nazari and Ebrahim A. Gharavol, "A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks", IEEE Communications Letters, IEEE 2015.

[2] Weijiang Liu, Wenyu Qu, Jian Gong and Keqiu Li, "Detection of Superpoints Using a Vector Bloom Filter", IEEE Transactions on Information Forensics and Security, IEEE 2015.

[3] Rajalakshmi Selvaraj, Venu Madhav Kuthadi and Tshilidzi Marwala, "Ant-based distributed denial of service detection technique using roaming virtual honeypots", IET Communications, 2016, Vol. 10, Iss. 8.

[4] Taejin Ha, Seunghyun Yoon, Aris Cahyadi Risdianto, JongWon Kim and Hyuk Lim, "Suspicious Flow Forwarding for Multiple Intrusion Detection Systems on Software Defined Networks", IEEE Network, November/December 2016.

[5] Quang Duy La, Tony Q. S. Quek, Jemin Lee, Shi Jin and Hongbo Zhu, "Deceptive Attack and Defense Game in Honeypot-enabled Networks for the Internet of Things", IEEE Internet of Things Journal, IEEE 2016.

[6] Jian-Ming Chang, Po-Chun Tsou, Isaac Woungang, Han-Chieh Chao and Chin-Feng Lai, "Defending against Collaborative Attacks by Malicious Nodes in MANETs: A Cooperative Bait Detection Approach", IEEE Systems Journal, IEEE 2014.

[7] Yogendra Kumar Jain and Surabhi Singh, "Honeypot based Secure Network System", International Journal on Computer Science and Engineering (IJCSE), Vol. 3 No. 2, Feb 2011.

[8] Navita Sharma and Gurpreet Singh, "Intrusion Detection System Using Shadow Honeypot", International Journal of Emerging Technology and Advanced Engineering, Volume 2, Issue 8, August 2012.

[9] Calyptix: http://www.calyptix.com/topthreats/top-7-network-attack-types-2016

[10] Wikipedia: https://en.wikipedia.org/wiki/Intrusion_detection_system

[11] Wikipedia: https://en.wikipedia.org/wiki/Backpropagation
