Providing security to the networks is the main task for the administrators and they are struggling a lot to ensure the maximum security to the network in all the possible aspects. Among lot of security threats among the networks and applications intruders has a significant role to play and in this context there are many intruder detection techniques and they are discussed in the literature review section of this project. Most of the intruder detection techniques concentrate on the intruder traffic that was generated across the network and there is no ample work done towards the intruder frequency and the corresponding affect on the network.
In this context a frequency based intruder detection process is identified in this project and OPNET modeler is used as the tool to simulate the proposed design as discussed in the design chapter. Scenarios are required to estimate the performance of the proposed design and thus three scenarios are created, where the first scenario has normal working network conditions with no intruder attack nodes, second scenario has two intruder node attacks and the third scenario has three attack nodes. DSR is the routing protocol used in the simulation process and few metrics of DSR are used to estimate the behavior of the intruders by increasing their frequency and the overall result analysis is done and is as given below.
It is observed that the route discovery time taken by the first scenario is negligible when compared to the other two scenarios. The route discovery time taken by the two node attacks scenario is very high and almost the maximum taken in this context is around 1.6 seconds and this indicates that, there is lot of packet loss in this situation. It is also observed that the route discovery time taken by the three node attacks scenario is also more when compared with the first scenario and less than the two node attacks scenario and this is due to the reason that, when the third node starts working all the required damage to the route is done and thus no more route discovery options are executed and thus this value is less than the second scenario.
This indicates that if there are some intruder attacks on the nodes, automatically the route discovery time is increased and finally the actual route is lost and thus lot time is consumed to identify the desired route for the communication and in this manner the frequency of the intruders will affect the overall performance of the network and they can be eliminated by comparing the route discovery time metrics.
The total routing traffic sent across the network is more with the three intruder attack nodes as in general the intruders will more routing traffic across the network and with this the overall performance of the network is highly impacted due to this routing traffic on the network. It is also observed that an equal amount of traffic is sent by the normal scenario but it is less than the two attack nodes scenario as the two intruder attack nodes impose more routing traffic and due to the three attack nodes traffic is not sent across the network and from this it can be understood that the routing process is completely halted due to the three attack nodes. Thus from this analysis it can be concluded that if there are more frequency of the intruder attack nodes more routing traffic is sent across the network and the overall performance of the network is affected a lot and thus based on this traffic sent the actual intruder actions can be detected. .
Due to the impact of the intruder actions on the network more traffic is relieved at the destination and the server will received more intruder traffic when compared to the normal traffic. When the traffic received is more the server will discard all the routing packets from the non attack nodes and thus the communication is completely violated in this context. It can also be discovered that there is no traffic received from the two node attacks as the traffic sending and traffic received is complete halted and thus there is no traffic relieved in this context. From this analysis it is clear that if the traffic received is more than the intruder actions are more and in this way based on the intruder actions can be detected.
At the beginning of the simulation there are some cache replied due to the normal scenarios and later the total number of cache replies sent by the second scenario where there are two attack nodes and the cache replies sent by the third scenario where there are three attack nodes is more and these replies are sent till end of the communication process. In general where there are more cache replies across the network it indicates that there is lot of intruder traffic on the network and even if the frequency of the intruder attacked nodes increases the total number of cache replies are increases and thus there is lot of congestion across the network and also the total number of packet drops are increase exponentially.
Thus when all the three scenarios are compared, more cache replies are sent when there are three attack nodes and thus it can be concluded that based on these number of cache replies the overall intruders on the network can be detected and prevented further. Initially there is some packet drop across the network even in the case of no attack nodes and this drop is due to the normal traffic conditions and the kind of the application is used across the network to generate the required traffic and in general the packet drop should be limited and the same proved across the simulation. When the three intruder attack nodes scenario is considered the packet drop is more as the intruder packets are more and due to these packets the actual packets are lost and in this process all the nodes will lose the actual data packets and in this context the total number of packets dropped is increased and this drop will continue till end of the simulation.
There is no packet drop with two attack nodes and this is mainly due to the reason that when all the important data packets are lost by the three intruders attack nodes, there is no scope to drop the data packets and thus the packet drop is not recorded in this process. The total route errors sent with the no attacks scenario us very less when compared to the three attack nodes scenario and this is due to the reason that when there are some intruder attacks on the network, more route discovery attributes are set and due to this the average number of router errors are more and they are sent across the network.
When the server receives the route errors it will start processing these requests and in this process will keep the normal nodes on hold for long time and due to this even the packet drop is also increased a lot. It can be observed from the comparison result that when there are two attack nodes there are no route errors across the network and from this it can be concluded that the routing process is completely stopped when the three attack nodes has manipulated the traffic and there is no traffic to be processed with two attack nodes.
Future work
Future work to be done to improve the research and simulation in few aspects is given below
- DSR is used as the routing protocol and in future the scope of the simulation can be increased at different routing protocols level and they can be compared and analyzed to estimate the best routing protocol for intruder detection
- Different intruder actions can be introduced at the global level in future to improve the scope of the application
- In future more number of attack nodes can be created and the frequency based intruder detection can be analyzed in a better manner.
- In future NS2 simulation can be done to execute the DFT based equations for intruder detection, where are currently only an user interface level modifications are done to the routing protocol parameters and thus it can be considered as the limitation of this simulation