See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/239499071

Java-Based Intrusion Detection System in a Wired Network

Article in International Journal of Computer Science and Information Security, November 2011

Authors: Eugène C. Ezin, Hervé G. Akakpo Djihountry

All content following this page was uploaded by Eugène C. Ezin on 21 May 2014.


(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 11, November 2011

Java-Based Intrusion Detection System in a Wired Network

Eugène C. Ezin (1), Hervé Akakpo Djihountry (2)
Institut de Mathématiques et de Sciences Physiques
Unité de Recherche en Informatique et Sciences Appliquées
University of Abomey-Calavi
BP 613 Porto-Novo, Republic of Benin
(1) eugene.ezin@imsp-uac.org
(2) herve.akakpo@imsp-uac.org

Abstract—Intrusion detection has become an integral part of the information security process. The cost involved in protecting network resources is often neglected when compared with the actual cost of a successful intrusion, which strengthens the need to develop more powerful intrusion detection systems. Many existing systems for intrusion detection are developed in the C, Objective-C, Tcl and C++ programming languages.
In this paper, we design and develop a network intrusion detection system using the Java programming language. We simulate the land attack, the flooding attack and the ping of death attack to show the effectiveness of the proposed system, in which packets on the network are captured online as they arrive on the network interface.

Keywords—Intrusion Detection System (IDS), Jpcap library, Network Security.

I. INTRODUCTION

With the proliferation of networked computers and the Internet, their security has become a primary concern. The rapid advancement in network technologies includes higher bandwidths and ease of connectivity of wireless and mobile devices. In 1980, Anderson proposed that audit trails should be used to monitor threats [1]. The importance of such data was not understood at that time, and all the available system security procedures were focused on denying access to sensitive data from an unauthorized source. Later, Denning [2] proposed the concept of intrusion detection as a solution to the problem of providing a sense of security in computer systems. This intrusion detection model is independent of the system, the type of intrusion and the application environment.

Intrusion detection, according to Bace, is the process of intelligently monitoring the events occurring in a computer system or network and analyzing them for signs of violations of the security policy [3]. In short, intrusion detection is the process of monitoring computers or networks for unauthorized entrance, activity, or file modification. Intrusion detection systems are systems designed to monitor an agent's activity to determine whether the agent is exhibiting unexpected behavior. The intrusion detection model was proposed by Denning [2]. A more precise definition is found in [4], in which an intrusion detection system is a system that attempts to identify intrusions, defined as unauthorized uses, misuses, or abuses of computer systems by either authorized users or external perpetrators. Some intrusion detection systems monitor a single computer, while others monitor several computers connected by a network.

Intrusion detection systems detect intrusions by analyzing information about user activities from sources such as audit records, system tables, and network traffic summaries. Intrusion detection systems can also be used to monitor network traffic, thereby detecting whether a system is being targeted by a network attack such as a denial of service attack.

The primary aim of an intrusion detection system is to protect the availability, confidentiality and integrity of critical networked information systems. Intrusion detection systems are defined by both the method used to detect attacks and the placement of the intrusion detection system on the network. The objective of an intrusion detection system is to provide data security and ensure continuity of the services provided by a network [5].

Two major approaches are used by intrusion detection systems: misuse detection and anomaly detection. An intrusion detection system may perform either misuse detection or anomaly detection, and may be deployed as either a network-based system or a host-based system. This description leads to four general groups: misuse-host, misuse-network, anomaly-host, and anomaly-network. Some intrusion detection systems combine qualities from all these categories by implementing both misuse and anomaly detection, and are known in the literature as hybrid systems [6].

Even though Gupta in [7] gives an overview of robust and efficient intrusion detection systems, the intrusion detection problem remains a hard one, since no security is absolutely guaranteed forever.

The goal of this paper is to propose a model for intrusion detection with three different positions for the intrusion detection system, using the Java programming language. The Jpcap library is used in the implementation. In so doing, the overall system has more chance of detecting an attack. To show the effectiveness of the overall system, three different attacks are simulated.

The paper is organized as follows: section II presents different types of attack. Section III gives an overview of the two approaches to intrusion detection. Section IV presents

33 http://sites.google.com/site/ijcsis/
ISSN 1947-5500

some intrusion detection systems. Section V presents the design of the intrusion detection system we propose: subsection V-A describes the functional components of the authentication process, subsection V-B gives the functional description of the proposed system, and subsection V-D gives the architecture and possible locations of the proposed network intrusion detection system. A description of the platform is given in subsection V-E, while subsection V-F describes the open source tools involved in realizing the network intrusion detection system. Section VI presents the global architecture.

II. TYPES OF ATTACK

Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks, exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system must be able to limit damage and recover rapidly when attacks occur. There are eleven types of attack, namely: passive attack, active attack, distributed attack, insider attack, close-in attack, phishing attack, password attack, buffer overflow attack, hijack attack, spoofing attack and exploit attack.

A. Passive Attack

A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly-encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.

B. Active Attack

In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, denial of service, or modification of data.

C. Distributed Attack

A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, into a trusted component or software that will later be distributed to many other companies and users. Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code, such as a back door, into a product in order to gain unauthorized access to information or to a system function at a later date.

D. Insider Attack

An insider attack involves someone from inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or not. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task.

E. Close-In Attack

A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of regular individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.

One popular form of close-in attack is social engineering. In a social engineering attack, the attacker compromises the network or system through social interaction with a person, by electronic mail or by phone. Various tricks can be used to make the individual reveal information about the security of the company. The information that the victim reveals to the attacker is most likely used in a subsequent attack to gain unauthorized access to a system or network.

F. Phishing Attack

In a phishing attack the attacker creates a fake web site that looks exactly like a popular site. The phishing part of the attack is that the attacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the attacker records the username and password and then tries that information on the real site.

G. Password Attack

In a password attack an attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: the dictionary attack, the brute-force attack, and the hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters. A hybrid attack applies brute-force variations (appended digits, substituted characters) to the words of a dictionary.

H. Buffer Overflow Attack

A buffer overflow attack is produced when the attacker sends more data to an application than it expects. A successful buffer overflow attack typically gives the attacker code execution with the privileges of the vulnerable application, often in the form of a command prompt or shell.


I. Hijack Attack

In a hijack attack, an attacker takes over a session between you and another party and disconnects the other party from the communication. You still believe that you are talking to the original party and may send private information to the attacker by accident.

J. Spoofing Attack

In a spoofing attack, the attacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass firewall rules.

K. Exploit Attack

In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

III. DIFFERENT APPROACHES TO INTRUSION DETECTION

Many classifications exist in the literature about intrusion detection [7], [8].

The basic types of intrusion detection are host-based and network-based. Host-based systems were the first type of intrusion detection system to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate, central analysis machine. Instead of monitoring the activities that take place on a particular host, network-based intrusion detection analyzes the data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. Because they are responsible for monitoring a network rather than a single host, network-based intrusion detection systems tend to be more distributed than host-based ones. The two types of intrusion detection system differ significantly from each other, but complement one another well. The network architecture of host-based systems is agent-based, which means that a software agent resides on each of the hosts governed by the system. In addition, the more efficient host-based intrusion detection systems are capable of monitoring and collecting system audit trails in real time as well as on a scheduled basis, thus distributing both CPU utilization and network overhead and providing a flexible means of security administration.

Two other approaches encountered in the literature on intrusion detection systems for detecting intrusive behavior are misuse detection and anomaly detection.

A. Misuse Detection

Misuse detection relies on matching known patterns of hostile activity against databases of past attacks. Misuse detectors are highly effective at identifying known attacks and vulnerabilities, but rather poor at identifying new security threats. Misuse-detection based intrusion detection systems can only detect known attacks.

In [9], the following advantages and disadvantages of misuse detectors can be found.

1) Advantages of misuse detectors: misuse detectors are very efficient at detecting attacks with few false alarms. They can quickly detect specially-designed intrusion tools and techniques, and provide system administrators with an easy tool to monitor their systems even if they are not security experts.

2) Disadvantages of misuse detectors: misuse detectors can only detect attacks known beforehand. For this reason the systems must be updated with newly discovered attack signatures. Misuse detectors are designed to detect only attacks whose signatures have been introduced into the system. When a well-known attack is changed slightly and a variant of that attack is obtained, the detector is unable to detect this variant of the same attack.

B. Anomaly Detection

Anomaly detection searches for something rare or unusual by applying statistical measures or artificial intelligence to compare current activity against historical knowledge. Common problems with anomaly-based systems are that they often require extensive training data for machine learning algorithms, and that they tend to be more computationally expensive, because several metrics are often maintained and these need to be updated against every activity of the system. Several approaches applying artificial neural networks to intrusion detection systems have been proposed [10].

Anomaly detection based intrusion detection systems can detect both known attacks and new attacks by using heuristic methods.

Anomaly detection based intrusion detection systems are separated into many sub-categories in the literature, including statistical methodologies [11], data mining [12], artificial neural networks [13], genetic algorithms [14] and immune systems [15]. Among these sub-categories, statistical methods are the most commonly used ones for detecting intrusions by analyzing abnormal activities occurring in the network.

In [9], the advantages and disadvantages of anomaly detectors can be found.

1) Advantages of anomaly detection: anomaly-based intrusion detection systems, unlike signature-based ones, are able to detect attacks even when detailed information about the attack does not exist. Anomaly-based detectors can be used to obtain the signature information used by misuse-based intrusion detection systems.

2) Disadvantages of anomaly detection: anomaly-based intrusion detection systems generally raise many false alarms, because user and network behavior are not always known beforehand. The anomaly-based approach requires a large set of training data consisting of system event logs in order to construct a normal behavior profile.


C. Hybrid Intrusion Detection

A hybrid intrusion detection system is obtained by combining packet header anomaly detection and network traffic anomaly detection, which are anomaly-based intrusion detection techniques, with a misuse-based intrusion detection system. Snort is an example of an open-source project for hybrid intrusion detection. A hybrid intrusion detection system is said to be more powerful than a signature-based one on its own, because it uses the advantages of the anomaly-based approach for detecting unknown attacks [9].

IV. PRESENTATION OF SOME INTRUSION DETECTION SYSTEMS

There are many implemented intrusion detection systems around the world. The Sobirey web site [16] presents more than ninety intrusion detection systems. Some are proprietary (free or commercial) and others are open source. Commercial intrusion detection systems belong to companies specialized in network security such as Cisco Systems, Computer Associates, Intrusion.com, Network Associates, etc. In the following subsections, we present some open source intrusion detection systems: HIDS OSSEC, HIDS Samhain, NIDS Snort, NIDS Bro and IDS Prelude. This choice is motivated by the fact that the intrusion detection system we developed is open source, using Java technologies.

A. HIDS OSSEC

OSSEC, which stands for open source security, is an open source host-based intrusion detection system. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It was initially developed to analyze log files on servers. Nowadays, OSSEC is able to analyze different log file formats such as those of Apache, syslog and Snort.

B. HIDS Samhain

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring and analysis, as well as rootkit detection, port monitoring, and detection of rogue SUID executables and hidden processes. Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a stand-alone application on a single host. Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

C. NIDS Snort

Snort is the most commonly used and most downloaded signature-based intrusion detection system. It is a fast, signature-based, open-source intrusion detection system which produces alarms using misuse rules. It captures network packets live or reads them from binary tcpdump-formatted or plain text files. Tcpdump is a program that captures network packets from computer networks and stores them in tcpdump-formatted files. Snort has a language for defining new rules. Snort is an open-source project, and its architecture makes it possible to integrate new functionalities at compilation time [17], [18].

D. NIDS Bro

Bro is an open source Unix-based network intrusion detection system [19]. It is a stand-alone system for detecting network intruders in real time by passively monitoring a network link over which the intruder's traffic transits. Bro is conceptually divided into an event engine, which reduces a stream of (filtered) packets to a stream of higher-level network events, and an interpreter for a specialized language that is used to express a site's security policy.

E. IDS Prelude

Prelude has a modular and distributed architecture. Modular, because its components are independent and can be easily updated. Distributed, because these independent components interact with each other. This allows different components to be installed on various machines and reduces the load on any single application. These components are the probes and the managers. The probes can be of two types: network or local. A network probe analyzes all the traffic to detect possible attack signatures. A local probe monitors only one machine, and analyzes the system's behavior to detect attempts to exploit internal vulnerabilities. The probes announce attack attempts by alarms. These alarms are received by the manager, which interprets and stores them.

V. DESCRIPTION OF THE PROPOSED DESIGN OF INTRUSION DETECTION SYSTEM

This description concerns the authentication process and the proposed network intrusion detection system.

A. Functional Description of the Authentication Process

The system administrator requests a connection to the proposed network intrusion detection system. After three unsuccessful attempts the system disconnects. The following sequence must be carried out:
• the system presents the authentication form,
• the administrator enters his/her login and password,
• the system checks the login and the password,
• the system grants the administrator access to the proposed network intrusion detection system, or refuses the administrator after three unsuccessful attempts.
Figure 1 presents the identification process of the system administrator.

B. Functional Description of the Proposed NIDS

When authentication succeeds, the graphical interface of the proposed network intrusion detection system is displayed. The following sequence must then be carried out:
• request by the administrator for the choice of a network interface,
• display of the interfaces available on the system,


• choice of the interface, followed by the network packet capturing process,
• capturing network packets and analyzing the captured packets,
• generation of an alarm as soon as an intrusion is detected,
• querying the database,
• heuristic analysis,
• generation of the alarms,
• recording the alarms,
• recording the packets.

[Figure 1: sequence between the system administrator and the system: 1. request of connection; 2. output of the authentication form; 3. entering the login and password; 4. checking procedure; 5. access to the proposed NIDS, or 6. back to the authentication form (loop until three unsuccessful attempts).]
Fig. 1. Functional description of the proposed network intrusion detection.

Figure 2 presents details of the functional description of the proposed network intrusion detection system.

[Figure 2: sequence between the system administrator, the system and the DBMS after authentication: 1. asking for network card selection; 2. showing the selection form; 3. network card selected; 4. packet captured and its analysis; 5. alarm; 6. query to the database; 7. response from the database; 8. analysis; 9. alarm; 10. recording of the alarm; 11. recording of the packet.]
Fig. 2. Functional description of the proposed network intrusion detection.

C. Attacks Addressed by the Implemented System

The proposed network intrusion detection system is intended to detect numerous attacks. Since it is not possible to design an intrusion detection system for every type of attack, we design it for denial of service attacks, Web server attacks and buffer overflow attacks.

D. Architecture and Location of the Network Intrusion Detection Systems

The proposed architecture of the network intrusion detection system is depicted in Figure 3.

[Figure 3: the Internet connects through a firewall to the internal network (web browser) and to a demilitarized zone hosting the web server and the mail server; NIDS instances are placed at three locations in this topology.]
Fig. 3. Proposed architecture and different locations of the proposed network intrusion detection system.

E. Platform Description

The network intrusion detection system we developed is tested on x86 architecture machines. It is also possible to run it on other platforms. The programming language chosen is Java. This choice is motivated by the scarcity of literature on network intrusion detection development in that language. Many existing intrusion detection systems are developed in C, Objective-C, C++ or Tcl.

F. Presentation of the Open Source Tools Used

Many open source tools are used to implement the network intrusion detection system we are proposing, among them WinPcap, Jpcap, JavaMail and MySQL. The following subsections give an overview of each of them.

1) Presentation of WinPcap: Packet CAPture (pcap) is a programming interface for capturing traffic on networks. Under UNIX/Linux, pcap is implemented by the library libpcap. The library WinPcap is the Windows version of libpcap. Supervision tools can use pcap (or WinPcap) to capture packets from the network, to record captured packets in a file and to read a saved file.

2) Presentation of Jpcap: Jpcap is an open source library for capturing and sending network packets from Java applications [20]. It provides facilities to:
• capture raw packets live from the wire,
• save captured packets to an offline file, and read captured packets from an offline file,
• automatically identify packet types and generate corresponding Java objects (for Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets),
• filter the packets according to user-specified rules before dispatching them to the application,
• send raw packets to the network.
Jpcap is based on libpcap/WinPcap, and is implemented in the C and Java programming languages.
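As an added example, not the paper's code, the Python block below gives detectors for the three attacks the abstract says were simulated against this design (land attack, SYN flood, ping of death), which fall under the denial of service class of subsection V-C. The packet records are constructed inside the block; the Packet field layout, the one-second window, the threshold of 50 bare SYNs per window, and the 20-byte IP header used in the reassembly bound are assumptions.

```python
"""Detectors for the three attacks the paper simulates: land, SYN flood and ping of
death. Added example, not the paper's Java code. Packet records, thresholds and
the field layout are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_IP_DATAGRAM = 65535   # RFC 791: largest total length an IPv4 datagram may have
IP_HEADER_LEN = 20        # assumption: no IP options
SYN_THRESHOLD = 50        # assumption: bare SYNs per window per destination
WINDOW_SECONDS = 1.0


@dataclass
class Packet:
    ts: float                 # capture time in seconds
    proto: str                # "TCP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flag names, e.g. {"SYN"}
    icmp_type: int = 0        # 8 = echo request (only meaningful on the first fragment)
    ip_id: int = 0            # IP identification, shared by all fragments of a datagram
    frag_offset: int = 0      # in 8-byte units, as carried in the IP header
    more_frags: bool = False
    payload_len: int = 0      # bytes after the IP header in this fragment


def is_land(pkt):
    """Land attack: a SYN whose source address/port equal the destination address/port."""
    return (pkt.proto == "TCP" and "SYN" in pkt.flags
            and pkt.src == pkt.dst and pkt.sport == pkt.dport)


def syn_flood_windows(packets, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD):
    """Count bare SYNs (SYN without ACK) per destination per time window and return
    the {(dst, window_index): count} entries above the threshold."""
    counts = defaultdict(int)
    for p in packets:
        if p.proto == "TCP" and "SYN" in p.flags and "ACK" not in p.flags:
            counts[(p.dst, int(p.ts // window))] += 1
    return {k: n for k, n in counts.items() if n > threshold}


def ping_of_death(packets):
    """Track ICMP fragments per (src, dst, ip_id) and alert as soon as any fragment
    would place the reassembled datagram beyond 65535 bytes, i.e. before the last
    fragment is handed to the victim's reassembly buffer."""
    reach = {}
    alerts = set()
    for p in packets:
        if p.proto != "ICMP":
            continue
        key = (p.src, p.dst, p.ip_id)
        end = IP_HEADER_LEN + p.frag_offset * 8 + p.payload_len
        reach[key] = max(reach.get(key, 0), end)
        if reach[key] > MAX_IP_DATAGRAM:
            alerts.add(key)
    return alerts


def constructed_traffic():
    """Sample capture built for this example (addresses from RFC 5737 ranges)."""
    pkts = [Packet(0.0, "TCP", "192.0.2.10", "192.0.2.10", 139, 139, frozenset({"SYN"}))]
    # 80 bare SYNs from rotating spoofed sources to one web server within one second
    pkts += [Packet(1.0 + i / 100, "TCP", "198.51.100.%d" % (i % 250 + 1), "192.0.2.20",
                    40000 + i, 80, frozenset({"SYN"})) for i in range(80)]
    # a normal handshake: SYN then SYN/ACK
    pkts += [Packet(2.00, "TCP", "192.0.2.30", "192.0.2.20", 50000, 80, frozenset({"SYN"})),
             Packet(2.01, "TCP", "192.0.2.20", "192.0.2.30", 80, 50000, frozenset({"SYN", "ACK"}))]
    # ping of death: 45 fragments of 1480 bytes (offset step 185 x 8) -> 66600 bytes of ICMP
    pkts += [Packet(3.0 + i / 1000, "ICMP", "203.0.113.5", "192.0.2.20", icmp_type=8,
                    ip_id=777, frag_offset=i * 185, more_frags=i < 44, payload_len=1480)
             for i in range(45)]
    # a legitimate 4000-byte ping in three fragments stays under the limit
    pkts += [Packet(4.0, "ICMP", "192.0.2.31", "192.0.2.20", icmp_type=8, ip_id=9,
                    frag_offset=185 * i, more_frags=i < 2, payload_len=n)
             for i, n in enumerate((1480, 1480, 1040))]
    return pkts


def run_detectors(packets):
    return {
        "land": [(p.src, p.sport) for p in packets if is_land(p)],
        "syn_flood": syn_flood_windows(packets),
        "ping_of_death": sorted(ping_of_death(packets)),
    }
```

The reassembly bound is evaluated per fragment, so the ping of death alert fires on the fragment that first crosses the limit rather than after the whole datagram has been delivered. The SYN flood counter ignores segments carrying ACK so that the server's own SYN/ACK replies are not counted against it, and a single legitimate handshake stays far below the threshold.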


Jpcap can be used to develop many kinds of network applications, including network and protocol analyzers, network monitors, traffic loggers, traffic generators, user-level bridges and routers, network intrusion detection systems, network scanners and security tools.

3) Presentation of JavaMail: The JavaMail API (1) provides classes that model a mail system. JavaMail classes and interfaces are organized in four packages, namely javax.mail, javax.mail.internet, javax.mail.event and javax.mail.search. The javax.mail package defines classes that are common to all mail systems. The javax.mail.internet package defines classes that are specific to mail systems based on Internet standards such as MIME, SMTP, POP3 and IMAP. The JavaMail API comprises the javax.mail package and its subpackages. The JavaMail API is not part of the JDK (2); it is downloadable from the Sun website at the URL http://java.sun.com/products/javamail. The JavaMail API is used in this project to alert the system administrator by electronic mail when severe intrusions are detected on the network.

4) Presentation of MySQL: MySQL [21] is one of the most widely used database management systems in the world. It is used in this work to implement a relational database that stores information about captured packets and about the alarms generated once an intrusion is detected on the network.

VI. GLOBAL ARCHITECTURE PROPOSED

Figure 4 presents the global architecture of the proposed network intrusion detection system. It is made of five levels. The first level corresponds to the network listening process and captures packets on the network. At the second level, the packets are decoded and the extracted information is transmitted to the third level. The search for intrusions in each packet is done at the third level by scanning IP addresses, destination ports, etc. This information is recorded in a database. At this level, each packet is analyzed to detect the pattern of a specific attack; an alarm is raised when an intrusion pattern is observed. A table of the database records the different generated alarms to help an administrator check the type of attack. The fourth level is the main part of the tool. At this level, we implement four dedicated processors for heuristic analysis and one processor to look for patterns; more or fewer dedicated processors could be implemented. The last level is dedicated to the management of alarms and their output mode. In our case, we implement visual alarms and alarms sent by electronic mail to the administrator's account.

[Figure 4: five levels from the network upward: first level, network packets' capture; second level, decoding captured packets; third level, pattern matching in each captured packet (producing packet information and alarm information); fourth level, different intrusion detection methods; fifth level, output.]
Fig. 4. Global architecture of the proposed network intrusion detection.

VII. IMPLEMENTATION AND SIMULATION

The implementation description takes into account the database that stores the captured packets and the alarms generated after intrusions are detected.

(1) Application Programming Interface.
(2) Java Development Kit.

A. Description of the Implemented Database

MySQL is used as the relational database management system. The implemented database has four tables. Table TCPCAPTURES records information about captured TCP packets. Table UDPCAPTURES records information about captured UDP packets. Table ICMPCAPTURES records information about captured ICMP packets. Finally, table DONNEESALERTES records information about the different detected intrusions.

B. Implementation Description

The proposed network intrusion detection system is implemented in the following five steps: listening to the network and capturing the packets, decoding the packets, detecting specific attacks, heuristic detection, and producing the output.

1) Listening to the network and capturing the packets: In this first step, a sniffer is developed using the Jpcap library already presented in subsection V-F.2. In an Ethernet network, each system has a network card with its own physical address. The network card examines each frame on the network and normally accepts only those addressed to the host machine. The various layers (Ethernet, IP, TCP, etc.) are then stripped from the frame to forward the information it contains to the application. When the network card is put in promiscuous mode through the Jpcap library, all frames on the segment are captured, without being removed from the traffic.

The sniffer is therefore implemented with the Jpcap library through the following steps:
• finding and printing all network interfaces available on the host machine, using the method JpcapCaptor.getDeviceList(),
• selecting the network interface to be used by the sniffer,

38 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 11, November 2011

• activating of the network interface onto the proscimous


mode thanks to JpcapCaptor.openDevice(),
• starting the packets capturing process through the inter-
face PacketReceiver
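The four capture steps above, together with the class-based decoding described in the next step, written out as an added example in Java. This is not the paper's code; it uses the public Jpcap API (JpcapCaptor, NetworkInterface, PacketReceiver and the jpcap.packet classes) and needs the Jpcap jar plus its native library on the host, and the privileges required to open an interface. The interface index taken from the command line and the capture parameters (65535-byte snapshot length, 20 ms read timeout) are assumptions chosen for the example.

```java
import jpcap.JpcapCaptor;
import jpcap.NetworkInterface;
import jpcap.PacketReceiver;
import jpcap.packet.ICMPPacket;
import jpcap.packet.IPPacket;
import jpcap.packet.Packet;
import jpcap.packet.TCPPacket;
import jpcap.packet.UDPPacket;

/**
 * Sniffer and decoder built on Jpcap (added example, not the paper's code).
 * Step 1 lists the interfaces, step 2 selects one, step 3 opens it in
 * promiscuous mode and step 4 hands every captured packet to receivePacket(),
 * which plays the role of the decoder by classifying the Jpcap packet object.
 */
public class JpcapSniffer implements PacketReceiver {

    public static void main(String[] args) throws java.io.IOException {
        // Step 1: enumerate and print the interfaces available on the host.
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        for (int i = 0; i < devices.length; i++) {
            System.out.println(i + ": " + devices[i].name + " (" + devices[i].description + ")");
        }

        // Step 2: select the interface (index from argv; assumption: default 0).
        int index = args.length > 0 ? Integer.parseInt(args[0]) : 0;

        // Step 3: open it in promiscuous mode (third argument = true).
        // Snapshot length and read timeout are assumed values for the example.
        JpcapCaptor captor = JpcapCaptor.openDevice(devices[index], 65535, true, 20);

        // Step 4: capture until interrupted (-1) and deliver each packet to us.
        captor.loopPacket(-1, new JpcapSniffer());
        captor.close();
    }

    /**
     * Decoder: TCPPacket, UDPPacket and ICMPPacket all extend IPPacket, so the
     * specific classes must be tested before the generic IPPacket case.
     */
    public void receivePacket(Packet p) {
        if (p instanceof TCPPacket) {
            TCPPacket tcp = (TCPPacket) p;
            // The fields the paper lists for TCP: addresses, ports, flags, data.
            System.out.printf("TCP %s:%d -> %s:%d flags[SYN=%b ACK=%b FIN=%b RST=%b] payload=%d bytes%n",
                    tcp.src_ip.getHostAddress(), tcp.src_port,
                    tcp.dst_ip.getHostAddress(), tcp.dst_port,
                    tcp.syn, tcp.ack, tcp.fin, tcp.rst, tcp.data.length);
        } else if (p instanceof UDPPacket) {
            UDPPacket udp = (UDPPacket) p;
            System.out.printf("UDP %s:%d -> %s:%d payload=%d bytes%n",
                    udp.src_ip.getHostAddress(), udp.src_port,
                    udp.dst_ip.getHostAddress(), udp.dst_port, udp.data.length);
        } else if (p instanceof ICMPPacket) {
            ICMPPacket icmp = (ICMPPacket) p;
            System.out.printf("ICMP type=%d code=%d %s -> %s ip_length=%d%n",
                    icmp.type, icmp.code,
                    icmp.src_ip.getHostAddress(), icmp.dst_ip.getHostAddress(), icmp.length);
        } else if (p instanceof IPPacket) {
            IPPacket ip = (IPPacket) p;
            System.out.printf("IP protocol=%d %s -> %s%n",
                    ip.protocol, ip.src_ip.getHostAddress(), ip.dst_ip.getHostAddress());
        } else {
            // Non-IP frames (ARP and the like) are left undecoded here.
            System.out.println("non-IP frame, " + p.len + " bytes");
        }
    }
}
```

Run it as `java -cp jpcap.jar:. JpcapSniffer 0` (interface index as argument). In the paper's architecture the printed fields would instead be written to the TCPCAPTURES, UDPCAPTURES and ICMPCAPTURES tables and passed on to the detection levels.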
2) Decoding the packets: The packet decoding process is also based on the Jpcap library. The decoder receives the packets one after another from the sniffer and determines their category (TCP, UDP, ICMP, etc.) by matching them against the different classes available in the Jpcap library, namely IPPacket, TCPPacket, UDPPacket, ICMPPacket, etc. For instance, if the packet is TCP, the decoder collects its source and destination addresses, source and destination ports, data field and TCP flags.

3) Detecting specific attacks: In the proposed architecture, intrusion detection is done at levels 3 and 4. At level 3, a first search for intrusions is done based on the patterns, while at level 4 three modules based on heuristic analysis are run, namely denial of service, brute force and Trojan.
The denial-of-service heuristic serves to detect attacks spread over many packets, which lead to a denial of service. There exist numerous attacks of the denial-of-service type. In this work, for the simulation, we are interested in the LAND, flood and ping-of-death attacks.

4) Heuristic detection process: Patterns are stored in a database and scanned for intrusion detection.

5) Output module: This module is executed once an attack is detected. It has three distinct modes. The first one is an alarm that informs about the detected intrusion. The second mode uses one table of the database to record attacks, presented through a graphical user interface. The third mode is an alarm sent by electronic mail to the system administrator. This last mode uses the JavaMail library.

C. Graphical User Interface

Figure 5 presents the graphical user interface of the developed network intrusion detection system.

Fig. 5. Graphical user interface of the proposed network intrusion detection system.

D. Simulation

Our testing methodology is based on simulating computer users, intruders as well as normal users, while the intrusion detection system is running. We employed hping3 to simulate users in our experiment. Three experiments are carried out to test the proposed network intrusion detection system, which we installed on a server. The user is simulated with hping, which generates and analyses TCP/IP packets and supports protocols such as TCP, UDP, ICMP and RAW-IP, with a traceroute mode and many other features [22]. The tool hping is installed on one host of the network to simulate different attacks towards other machines in the same network.

1) First experiment with the hping tool, simulating the LAND attack: TCP packets with the same source and destination IP address are sent over the network to simulate the LAND attack through the command
# hping3 -n -c 2 -a 192.168.1.123 192.168.1.123
Figure 6 presents the behavior of the implemented network intrusion detection system.

Fig. 6. LAND attack detection by the implemented network intrusion detection system.

2) Second experiment with the hping tool, simulating the flood attack: Flood attacks are simulated towards the host machine with 192.168.1.114 as victim through the command
# hping3 -S -p 80 --flood 192.168.1.114
Figure 7 presents the behavior of the implemented network intrusion detection system.

Fig. 7. Flood attack detection by the implemented network intrusion detection system.

3) Third experiment with the hping tool, simulating the ping-of-death attack: Ping-of-death attacks are simulated towards the host machine with 192.168.1.114 as victim through the command
# hping3 -l -c 20 192.168.1.114
Figure 8 presents the behavior of the implemented network intrusion detection system.

Fig. 8. Ping-of-death attack detection by the implemented network intrusion detection system.
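The paper does not state the rules its denial-of-service heuristic applies to recognise the three simulated attacks. The following added example (not the paper's code) shows one reasonable set of rules in plain Java so that it runs without Jpcap: a LAND test on a single segment, a SYN-rate test over a sliding window for the flood, and a reassembled-length test for the ping of death. The Pkt record, the thresholds (50 SYN-only segments per second, 65535-byte IP maximum) and the constructed trace are assumptions; only the two IP addresses are taken from the experiments above.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;

/**
 * Heuristic detectors for the LAND, SYN-flood and ping-of-death cases
 * (added example; rules and thresholds are assumptions, not the paper's).
 */
public class DosHeuristics {

    /** Decoded packet as the decoder step would hand it over (constructed for the example). */
    static final class Pkt {
        final String proto;          // "TCP" or "ICMP"
        final String srcIp, dstIp;
        final int dstPort;
        final boolean syn, ack;      // TCP flags (both false for ICMP)
        final int ipLength;          // IP datagram length after fragment reassembly
        final long timeMs;           // capture timestamp in milliseconds

        Pkt(String proto, String srcIp, String dstIp, int dstPort,
            boolean syn, boolean ack, int ipLength, long timeMs) {
            this.proto = proto; this.srcIp = srcIp; this.dstIp = dstIp; this.dstPort = dstPort;
            this.syn = syn; this.ack = ack; this.ipLength = ipLength; this.timeMs = timeMs;
        }
    }

    // Assumed thresholds (not taken from the paper).
    static final int SYN_FLOOD_THRESHOLD = 50;   // SYN-only segments to one host per window
    static final long SYN_WINDOW_MS = 1000;      // sliding window length
    static final int MAX_IP_DATAGRAM = 65535;    // largest legal IP total length

    private final Deque<Pkt> synWindow = new ArrayDeque<>();

    /** LAND: a TCP segment whose source and destination addresses are identical. */
    static boolean isLand(Pkt p) {
        return "TCP".equals(p.proto) && p.srcIp.equals(p.dstIp);
    }

    /** Ping of death: an ICMP datagram that, once reassembled, exceeds the IP maximum. */
    static boolean isPingOfDeath(Pkt p) {
        return "ICMP".equals(p.proto) && p.ipLength > MAX_IP_DATAGRAM;
    }

    /**
     * SYN flood: the count of SYN-only segments to the same destination inside the
     * window crosses the threshold. Raised once per crossing, not on every segment.
     */
    boolean isSynFlood(Pkt p) {
        if (!"TCP".equals(p.proto) || !p.syn || p.ack) {
            return false;             // only half-open connection attempts count
        }
        synWindow.addLast(p);
        while (!synWindow.isEmpty() && p.timeMs - synWindow.peekFirst().timeMs > SYN_WINDOW_MS) {
            synWindow.pollFirst();    // expire segments that left the window
        }
        int toSameHost = 0;
        for (Pkt q : synWindow) {
            if (q.dstIp.equals(p.dstIp)) {
                toSameHost++;
            }
        }
        return toSameHost == SYN_FLOOD_THRESHOLD + 1;
    }

    /** Runs every rule on one packet and returns the alerts raised (empty if none). */
    List<String> analyse(Pkt p) {
        List<String> alerts = new ArrayList<>();
        if (isLand(p)) alerts.add("LAND attack from " + p.srcIp);
        if (isPingOfDeath(p)) alerts.add("Ping of death: " + p.ipLength + "-byte ICMP from " + p.srcIp);
        if (isSynFlood(p)) alerts.add("SYN flood towards " + p.dstIp + ":" + p.dstPort);
        return alerts;
    }

    public static void main(String[] args) {
        DosHeuristics ids = new DosHeuristics();
        List<Pkt> trace = new ArrayList<>();
        // Constructed trace mirroring the three experiments above.
        trace.add(new Pkt("TCP", "192.168.1.123", "192.168.1.123", 0, true, false, 40, 0));
        for (int i = 0; i < 60; i++) {      // 60 SYNs to port 80 within 60 ms
            trace.add(new Pkt("TCP", "192.168.1.10", "192.168.1.114", 80, true, false, 40, 100 + i));
        }
        trace.add(new Pkt("ICMP", "192.168.1.10", "192.168.1.114", 0, false, false, 65600, 2000));
        trace.add(new Pkt("TCP", "192.168.1.10", "192.168.1.114", 80, true, true, 40, 3000)); // benign SYN-ACK

        for (Pkt p : trace) {
            for (String alert : ids.analyse(p)) {
                System.out.println("[" + p.timeMs + " ms] " + alert);
            }
        }
    }
}
```

On the constructed trace this prints one LAND alert, one SYN-flood alert (when the 51st SYN arrives) and one ping-of-death alert; the final SYN-ACK raises nothing. In the paper's architecture the returned alert strings would be written to DONNEESALERTES and handed to the output module.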


VIII. CONCLUSION AND FURTHER WORKS

In this work, we have proposed an intrusion detection system implemented in Java. This system has been tested by simulating three types of attack: the LAND attack, the flooding attack and the ping-of-death attack. The proposed system detects all these attacks correctly. The proposed network intrusion detection system is extensible and portable, and many other functionalities can be implemented. Nevertheless, it presents some drawbacks. First, the proposed system takes into account only the scenario approach. The behavioral approach will be examined in the future.

Evaluating an intrusion detection system is a difficult task. Indeed, it can be difficult, even impossible, to identify the set of all possible intrusions that might occur at the site where a particular intrusion detection system is employed. To start with, the number of intrusion techniques is quite large [23]. Then, the site may not have access to information about all intrusions that have been detected in the past at other locations. Also, intruders can discover previously unknown vulnerabilities in a computer system and then use new intrusion techniques to exploit them. Another difficulty in evaluating an intrusion detection system is that although it can ordinarily detect a particular intrusion, it may fail to detect some intrusions when the overall level of computing activity in the system is high. This complicates the task of thoroughly testing the intrusion detection system.

In our future work, we will also compare the performance of the proposed network intrusion detection system with already existing intrusion detection systems, based upon the methodology developed by Puketza [8]. We will also combine the proposed intrusion detection system with the Java-based cryptosystem using dynamic Huffman coding and encryption methods that we developed in [24]. In so doing, security is reinforced to prevent an intruder from discovering plaintext data.

ACKNOWLEDGMENTS

We thank the anonymous reviewers for their review efforts. We also appreciate comments from our colleagues.

REFERENCES

[1] J. P. Anderson, "Computer security threat monitoring and surveillance," James P. Anderson Co., Fort Washington, Pennsylvania, Tech. Rep., 1980.
[2] D. Denning, "An intrusion-detection model," IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. 222–232, 1997.
[3] R. G. Bace, Intrusion Detection. Technical Publishing, 1995.
[4] B. Mukherjee et al., "Network intrusion detection," IEEE Network, vol. 8, no. 3, pp. 26–41, 1994.
[5] K. Ramamohanarao et al., "The curse of ease of access to the internet," 3rd International Conference on Information Systems Security.
[6] N. Bashah et al., World Academy of Science, Engineering and Technology. World Academy of Science, 2005.
[7] K. K. Gupta, "Robust and efficient intrusion detection systems," Ph.D. dissertation, The University of Melbourne, Department of Computer Science and Software Engineering, January 2009.
[8] N. J. Puketza et al., "A methodology for testing intrusion detection systems," IEEE Transactions on Software Engineering, vol. 22, no. 10, pp. 719–729, 1996.
[9] M. A. Aydin et al., "A hybrid intrusion detection system design for computer network security," Computers and Electrical Engineering, vol. 35, pp. 517–526, 2009.
[10] K. Tan, "The application of neural networks to UNIX computer security," IEEE International Conference on Neural Networks, vol. 1, pp. 476–481, 1995.
[11] H. S. Javitz and A. Valdes, "The SRI IDES statistical anomaly detector," IEEE Symposium on Research in Security and Privacy, pp. 316–376, 1991.
[12] S. Noel et al., "Modern intrusion detection, data mining, and degrees of attack guilt," in Applications of Data Mining in Computer Security. Kluwer Academic Publishers, 2002.
[13] N. Debar et al., "A neural network component for an intrusion detection system," in IEEE Symposium on Security and Privacy, 1992, pp. 240–250.
[14] L. M. Gassata, "The artificial immune model for network intrusion detection," in First International Workshop on the Recent Advances in Intrusion Detection, 1998.
[15] J. Kim and P. Bentley, "The artificial immune model for network intrusion detection," in Seventh European Congress on Intelligent Techniques and Soft Computing (EUFIT99), 1999.
[16] M. Sobirey. (2011, Jan.) Intrusion detection systems. [Online]. Available: http://www-rnks.informatik.tu-cottbus.de/sobirey/ids.html
[17] M. Roesch, "Snort: lightweight intrusion detection for networks."
[18] R. Russel, Snort Intrusion Detection 2.0. Rockland, MA: Syngress Publishing, Inc., 2003.
[19] D. Burgermeister and J. Krier. (2010, Dec.) Système de détection d'intrusion. [Online]. Available: http://www.dbprog.developpez.com/securite/ids/IDS.pdf
[20] K. Fujii. (2007, Jan.) Jpcap tutorial. [Online]. Available: http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/tutorial/index.html
[21] C. Thibaud, MySQL 5: installation, mise en oeuvre, administration et programmation. Editions Eyrolles, 2006.
[22] N. Cheswick and S. Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker. Pearson Education Inc., 2003.
[23] P. G. Neumann and D. Parker, "A summary of computer misuse techniques," in 12th National Computer Security Conference, Baltimore, MD, 1989, pp. 396–407.
[24] E. C. Ezin, "Implementation in Java of a cryptosystem using a dynamic Huffman coding and encryption methods," International Journal of Computer Science and Information Security, vol. 9, no. 3, pp. 154–159, 2011.

AUTHORS' PROFILES

Eugène C. Ezin received his Ph.D. degree with the highest level of distinction in 2001 after research work carried out on neural and fuzzy systems for speech applications at the International Institute for Advanced Scientific Studies in Italy. Since 2007, he has been a senior lecturer in computer science. He is a reviewer of the Mexican International Conference on Artificial Intelligence. His research interests include neural networks and fuzzy systems, high performance computing, signal processing, cryptography, modeling and simulation.

Hervé Guy Akakpo received his MSc in computer science with the highest level of distinction in 2011. He is currently employed at the Caisse Autonome d'Amortissement and affiliated to the Institut de Mathématiques et de Sciences Physiques within the master program in computer science, tutoring the course on networking. His research interests include information system and network security.
