Sunday, March 31, 2019

Network Attacks in Real Time Scenario Over Campus Network

Amit Mahajan*, Vibhakar Mansotra**

ABSTRACT

This paper presents a study of attacks in a real-time scenario over a campus network. The attacks were monitored over a period of time and analysed. The paper discusses the dependency on IDS/IPS signatures and proposes a solution that records events together with the raw traffic and visualizes that traffic, giving a better understanding of the behaviour of the traffic flow over the network.

Keywords: UTM, Attacks, Visualization, Afterglow, tcpdump.

I INTRODUCTION

Networks have been under attack since the Internet came into existence, and there has consistently been a need to find out the effects of these attacks. With present-day computer technology every institution can run large computer systems of varied kinds. With the advancement of technology, organizations have started facing difficulties due to different types of computer viruses and attacks, resulting in tremendous loss of internal assets such as data and of time. There is therefore an urgent need to study these attacks and network breaches, so that preventive measures can be devised and the internal assets protected.

In view of the above objectives one has to understand the networks and how widely they have expanded, and one has to understand the attacks and breaches. The Internet is the usual source of viruses and attacks, but quite often the local network is also a major source of threats for campus networks. Generally administrators and organizations safeguard their networks from outside threats, but internal attacks and breaches are just as crucial. IDS/IPS (intrusion detection and prevention systems) are installed at the gateway level to scan the outgoing and incoming traffic.
Such mechanisms for studying the behaviour of internal attacks, however, are lacking. One is very much interested in knowing the kind of traffic flowing in the network, its identification and so on. This kind of approach will help the user community adopt preventive measures; in other words, a solution has to be obtained by studying the internal attacks and network breaches, and thereby learning how to minimize them and protect the internal assets. Analysis of the network can be used as a tool to scan the network traffic. The behaviour of the network may be understood through penetration tools, simulations and the like. Alternatively, a tool like an IPS with network behaviour analysis capability can also be of great help in understanding the problem.

SURVEY OF WORK

Asmaa Shaker Ashoor and Sharad Gore in their research differentiated the Intrusion Detection System and Intrusion Prevention System (IDS/IPS) technologies used in computer networks. They compared IDS and IPS in terms of stability, performance and accuracy, and highlighted that the major difference between the two lies in their deployment over the network: an IDS works out of band, meaning it is not in line with the network path, whereas an IPS works in-line, meaning the traffic passes through it between devices in real time.

Jared Holsopple, Shanchieh Jay Yang and Moises Sudit discuss the legacy approach to fighting cyber-attacks, in which intrusion detection sensors (IDS) are typically used to passively detect and block multi-stage attacks. Their algorithm, TANDI, reduces the problem complexity by separating the modelling of the attacker's capability from that of the attacker's opportunity, and then fuses the two to determine the attacker's intent.
Their results demonstrate that TANDI predicts the future attack action precisely as long as it is not a coordinated attack and there are no internal threats. In the presence of malicious attack events TANDI alerts the network analyst for further analysis, which can be carried out with the help of simulation.

Nilima R. Patil and Nitin N. Patil in their paper discussed the importance of attack graphs for checking the possible attacks in a network. Using attack graphs, analysis can be done effectively; it helps administrators study the attack graphs in depth to learn where their system weaknesses lie, and accordingly judge what kind of security measures can be adopted for effective deployment. They study different ways of analysing attack graphs and point out future scope for research on them.

Rosslin John Robles, Tai-hoon Kim and Seung Lee in their paper have shown that a second level of defence in addition to access control, intrusion confinement, can dramatically enhance security, especially the integrity and availability of a system, in many situations. They showed that intrusion confinement can effectively resolve the conflicting design goals of an intrusion detection system by achieving both a high rate of detection and a low rate of errors. Developing more concrete isolation protocols is left for future research.

Meera Gandhi and S.K. Srivatsa in their paper highlighted the importance of intrusion detection in the business sector and as an active area of research. They describe the IDS as an important tool for information security: an IDS is intended to spot and counter some common attacks over network systems, and in such systems the log presents the list of attacks to the administrator for further action.
Such a system works as a watchful device in the event of attacks directed towards an entire network.

In the light of the above information a need was felt to undertake similar work at the University of Jammu as well, to study the attacks received by the campus network. The network is set up on an optical fibre backbone with around a hundred distributed switches across the campus, and also provides Wi-Fi connectivity through approximately 200 access points. This ICT facility plays an important role in supporting students, researchers, teachers and staff; the number of users on the UOJ campus network is approximately 3000. The analysis of attacks was therefore taken up on this campus.

II EXPERIMENTAL SETUP USING UTM

The University of Jammu is one of the first higher educational institutes in the state of Jammu and Kashmir, India, and its vision is to be an internationally competitive academic and research institution. To achieve this, the university places a strong focus on information technology. In 2003 it started its initiative to become an IT-enabled university by setting up a campus network on an optical fibre backbone; later this network was converged with the Jammu University (JU) Wi-Fi. This facility plays a crucial role in helping students, teachers, researchers and administrative staff use the ICT facilities available over the network. The university has large Internet bandwidth connectivity to cater to the needs of the university community, and this connectivity is upgraded from time to time. At present the university has a 40 Mbps (1:1) optical fibre leased line from Reliance and 1 Gbps optical fibre connectivity from the National Knowledge Network. Students, researchers and teaching faculty are able to access scholarly content online from any location within the campus.
There are around 37 departments, comprising teaching departments and centres apart from the administrative blocks, connected through this optical fibre backbone network. All three girls' and boys' hostels are also connected through the optical fibre backbone. Around a hundred distributed switches (Cisco and D-Link), approximately 200 indoor wireless access points (Linksys and D-Link) and 18 outdoor access points (D-Link) are installed at various locations in these departments and blocks of the university. All this equipment is connected through the optical fibre backbone to the campus network control room of the university, which houses Cisco Catalyst 4507R and 4506 switches.

In order to maintain such a vast network and its ICT facilities the university has deployed a UTM (unified threat management) device in the network, which helps the university IT administrators maintain the campus network more efficiently. The UTM installed at the university is a product of Cyberoam, an IT security company whose UTM is installed at most of the major academic institutes of the country. The UTM device combines multiple functions in a single box: load balancing of the Internet bandwidths, antivirus and anti-spam scanning at the gateway level, user-identity-based firewall rules, gateway-level IDS and IPS scanning, AAA authentication and so on.

The UTM device is installed between the ISPs' routers and the Cisco Catalyst switches so that all traffic is scanned by the UTM. All policies are applied as firewall rules according to the requirements of the university network.

Figure 1: UTM deployment in gateway mode

With the growth of the university network and of the ICT facilities over it, the rate of attacks has also been observed to increase. These attacks degrade the performance of the university network and of the other ICT facilities available over it.
This paper therefore studies the kinds of attacks seen and their significance, and proposes a solution to reduce them. The UTM device installed in the university network is used for collecting the IPS attack data. Since it is able to generate attack reports, it helps the university IT administrators see the trend of the attacks, how they are generated and how they affect the system. The critical IPS attacks are studied over a period of time to find their patterns and their significance for the network services and the ports with which they are associated. This study will help the university, and other institutes using the same UTM, to fine-tune the rules and other parameters so that network bandwidth and the performance of other services are not affected by the attacks and users of the ICT facilities get a performance-oriented service.

III DATA COLLECTION AND ANALYSIS USING UTM

For the university campus network described in the previous section, information on the number of IPS attacks was collected from 1 July 2013 to 2 December 2013 (22 weeks). The total number of attacks is 1,301,567. Of these, the attack types with a frequency of more than approximately 100 account for 1,299,646 events (about 13 lakh, i.e. 1.3 million). These 13 lakh IPS attacks have been broadly classified into five categories based on their signatures: HTTP/HTTPS, ICMP, UDP, FTP and TCP. The number of IPS attacks in each category is shown in Figure 2.

Figure 2: Classification of attacks

Out of the above 13 lakh attacks, the top 14 critical attack types from the five categories, as identified by the IPS, account for 162,810 events; their distribution is shown in Figure 3. From Figure 3 it may be noted that six attack types have a frequency of 4.38% or more: ATTACK-RESPONSES 403 Forbidden 45.62%, WEB-MISC handler access 17.38%, HTTPS/SSL renegotiation 8.57%, WEB-PHP 7.38%, WEB-CGI count 7.34% and INFO FTP bad login 4.38%.
The remaining 16 attack types each account for well under 10% and have very small frequencies. The percentage of attacks in each of the 22 weeks is shown in the bar diagrams of the figure series (Week 1 to Week 22). Across all 22 weeks ATTACK-RESPONSES 403 Forbidden is the most dominant.

ATTACK-RESPONSES 403 Forbidden is the most frequent event, with 45.62% overall in the 22 weeks. It is generated when a web server returns a 403 error response code to a client, which indicates that an attempt was made to gain unauthorized access to the web server or to an application running on it. The 400-series error codes indicate an error on the part of the client making the request; a 403 in particular means the request was for a forbidden resource: the server understood the request but refuses to authorize it, and unlike a 401 it cannot be resolved by supplying credentials. Many such events can indicate a determined effort to probe for vulnerabilities on the victim server. Certain applications do not perform strict checks when verifying the identity of a client host connecting to the services offered on a host server; this can lead to unauthorized access and possibly to escalation of rights to those of the administrator. Information stored on the machine may then be compromised, and trust relationships established between the victim server and other hosts can be abused by an attacker. In such scenarios the attacker can either reach the authentication mechanism and present his or her own credentials to gain access, or exploit such weaknesses to gain administrator access without any exploit code. One caveat applies when reading the counts: because this signature matches the server's response rather than anything in the request, it also fires on every legitimately refused request, so a high count of this event on its own is a weak indicator and needs the raw traffic to confirm it.

The other prominent attacks are:

ICMP traceroute: this event is generated when a Windows trace route (tracert) is detected. A trace route is used to discover live hosts and network topologies.
A Windows trace route command uses ICMP echo requests with lower than normal Time to Live (TTL) values to identify live hosts and network topologies.

WEB-MISC handler access: this event is generated when an attempt is made to exploit a known vulnerability on a web server or on a web application resident on a web server.

The other attack with a very high severity level is the SNMP attack. From Figure 4 it is noted that there is a peak in the number of attacks in the 8th (19-Oct-2013) and 9th weeks; this peak is due to the SNMP attack carried over UDP, whose activity is pronounced in those weeks.

Figure 4: 16 of the 22 attack types per week

Figure 5: Different types of major attacks per week

Figure 5 shows 16 of the 22 attack types per week over the entire period. Of these, six are found to be more conspicuous: ATTACK-RESPONSES 403 Forbidden (ATK-RES403F) 71,067; ICMP traceroute 29,205; WEB-MISC handler access 13,959; SNMP request UDP 11,954; SNMP public access UDP 11,952; HTTPS/SSL renegotiation 7,062.

IV FRAMEWORK FOR EVALUATION AT THE GATEWAY LEVEL TO STUDY THE ATTACKS USING RAW PACKETS GENERATED BY THE NETWORK

To study the attacks more effectively, a framework was deployed using open source software (Ubuntu, tcpdump and the visualization tool afterglow) to capture traffic in real time at the core switch. This helps monitor and analyse the network traffic in a real-time scenario. The raw traffic was captured with tcpdump for two hundred thousand packets, and the packet count of the capture file was verified as root with

tcpdump -nnelr data.pcap | wc -l

(-nn disables name and port resolution, -e prints the link-layer headers, -l line-buffers the output and -r reads from the saved file). This gives the raw traffic of two hundred thousand packets for data analysis and visualization.
The data captured by tcpdump is converted to a CSV file with all fields using the tcpdump2csv.pl parser that ships with afterglow:

tcpdump -vttttnnelr ju.pcap | ./tcpdump2csv.pl "timestamp sourcemac destmac sip dip sport dport flags len proto ttl id offset tos ipflags" > ju.csv

The CSV file is then imported into a MySQL database. The column list must follow the CSV field order, otherwise the flags, length, protocol and offset columns are mislabelled:

LOAD DATA INFILE 'ju.csv' INTO TABLE analysis FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' (timestamp, sourcemac, destmac, sourceip, destip, sourceport, destport, tcpflags, length, proto, ttl, ipid, offset, iptos, ipflags);

Further, the traffic was reduced to the three columns that afterglow draws as source, event and target, converted to a DOT file with afterglow and rendered to a PNG with neato:

tcpdump -vttttnnelr ju.pcap | ./tcpdump2csv.pl "sip dip dport" | ./afterglow.pl -c color.properties > ju.dot
neato -Tpng -o ju.png ju.dot

Figure 6: Whole traffic captured for the network

Figure 6 shows that the outgoing traffic is greater than the incoming traffic. For a campus of client machines, which normally download far more than they upload, this indicates that hosts inside the network are originating traffic rather than consuming it, a pattern consistent with compromised machines. The port 80 traffic therefore has to be isolated and the compromised machines identified. From Figure 7 we see visually that the outgoing traffic on port 80 is very high, so the machines responsible need to be identified.

Figure 7: Outgoing traffic on port 80

Figure 8: Attack from IP 192.176.2.25

Figure 8 shows the visualization of the machine with IP 192.176.2.25, which is connected to the network, is compromised and is sending malicious traffic outside. This lets administrators identify the machine irrespective of any signature in the IPS database. Other machines can be identified similarly.

V CONCLUSION AND FUTURE SCOPE

IDS/IPS are installed in almost every organization, but they are designed to work on signatures. To study attacks for which no signature exists, the analysis has to be carried further through the framework created here, using the high-end hardware required to capture and analyse traffic for longer durations. The IDS/IPS can then be fine-tuned to the requirements of the campus network to further improve network performance.

VI REFERENCES

[1] V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, vol. 31 (23-24), pp. 2435-2463, 1999.
[2] G. Stein, B. Chen, A.S. Wu and K.A. Hua, Decision Tree Classifier for Network Intrusion Detection with GA-Based Feature Selection. Proc. 43rd ACM Southeast Regional Conf., vol. 2, Mar. 2005.
[3] M. Schwartz, Beyond Firewalls and IPS: Monitoring Network Behavior. February 2006, available at http://esj.com/articles/2006/02/07/beyond-Firewalls-and-ips-monitoring-networkbehavior.aspx
[4] S. J. Yang, J. Holsopple and M. Sudit, Evaluating Threat Assessment for Multi-stage Cyber Attacks. Proceedings of IEEE MILCOM 2nd IEEE Workshop on Situation Management (SIMA), Washington, DC, Oct 23-25, 2006.
[5] Z. Yu and J. Tsai, An efficient intrusion detection system using a boosting-based learning algorithm. International Journal of Computer Applications in Technology, vol. 27 (4), 2007, pp. 223-231.
[6] Meera Gandhi and S.K. Srivatsa, Detecting and preventing Attacks using network intrusion detection systems. International Journal of Computer Science and Security, vol. 2, issue 1, June 2009.
[7] Asmaa Shaker Ashoor and Sharad Gore, Intrusion Detection System (IDS) & Intrusion Prevention System (IPS): Case Study. International Journal of Scientific & Engineering Research, vol. 2, issue 7, July 2011.
[8] Rosslin John Robles, Tai-hoon Kim and Seung Lee, A Study on Intrusion Confinement for Internal Network. Journal of Security Engineering, vol. 5, issue 1, p. 73, 2008.
[9] Nilima R. Patil and Nitin N. Patil, A comparative study of network vulnerability analysis using attack graph. World Journal of Science & Technology, 2012, vol. 2, issue 3, p. 91.

*University of Jammu, e-mail id [email protected]; **University of Jammu, e-mail id [email protected]
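The direction check that Section IV makes visually with MySQL and afterglow, worked through in Python as an added example. This is not the paper's code and not part of afterglow: it reads records in the field order of the tcpdump2csv.pl invocation used in Section IV, assumes a campus prefix of 192.176.0.0/16 (the paper does not state its address range; the prefix is taken from the host in Figure 8), works on constructed sample rows rather than the paper's capture, flags campus hosts that send far more to outside web servers than they receive back, and emits the three-column sip,dip,dport rows that afterglow.pl would draw for a flagged host.

```python
"""Per-host direction analysis of tcpdump2csv.pl-style records.

Added example, not code from the paper or from afterglow: it reproduces in
Python the check Section IV makes visually with MySQL and afterglow, namely
which campus hosts send far more to outside web servers than they get back.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Field order of the tcpdump2csv.pl invocation used in Section IV.
FIELDS = ("timestamp sourcemac destmac sip dip sport dport flags len "
          "proto ttl id offset tos ipflags").split()

# Assumption: the campus prefix. The paper never states it; 192.176.0.0/16
# is taken from the host address in Figure 8.
CAMPUS_NET = ipaddress.ip_network("192.176.0.0/16")

# Constructed sample rows in the FIELDS layout (not the paper's capture):
# 192.176.5.10 browses one site normally and sends one TTL-1 ICMP probe,
# 192.176.2.25 pushes 1400-byte segments to four outside servers on port 80
# and gets almost nothing back.
SAMPLE_CSV = """\
2013-10-19 10:00:00.000001,00:11:22:33:44:01,00:aa:bb:cc:dd:ee,192.176.5.10,203.0.113.10,51000,80,S,60,tcp,64,1,0,0,DF
2013-10-19 10:00:00.010000,00:aa:bb:cc:dd:ee,00:11:22:33:44:01,203.0.113.10,192.176.5.10,80,51000,S.,60,tcp,52,2,0,0,DF
2013-10-19 10:00:00.020000,00:11:22:33:44:01,00:aa:bb:cc:dd:ee,192.176.5.10,203.0.113.10,51000,80,P.,480,tcp,64,3,0,0,DF
2013-10-19 10:00:00.030000,00:aa:bb:cc:dd:ee,00:11:22:33:44:01,203.0.113.10,192.176.5.10,80,51000,P.,1500,tcp,52,4,0,0,DF
2013-10-19 10:00:00.040000,00:aa:bb:cc:dd:ee,00:11:22:33:44:01,203.0.113.10,192.176.5.10,80,51000,P.,1500,tcp,52,5,0,0,DF
2013-10-19 10:00:00.050000,00:aa:bb:cc:dd:ee,00:11:22:33:44:01,203.0.113.10,192.176.5.10,80,51000,P.,1500,tcp,52,6,0,0,DF
2013-10-19 10:00:01.000000,00:11:22:33:44:25,00:aa:bb:cc:dd:ee,192.176.2.25,198.51.100.7,40001,80,P.,1400,tcp,64,7,0,0,DF
2013-10-19 10:00:01.000100,00:11:22:33:44:25,00:aa:bb:cc:dd:ee,192.176.2.25,198.51.100.8,40002,80,P.,1400,tcp,64,8,0,0,DF
2013-10-19 10:00:01.000200,00:11:22:33:44:25,00:aa:bb:cc:dd:ee,192.176.2.25,198.51.100.9,40003,80,P.,1400,tcp,64,9,0,0,DF
2013-10-19 10:00:01.000300,00:11:22:33:44:25,00:aa:bb:cc:dd:ee,192.176.2.25,198.51.100.10,40004,80,P.,1400,tcp,64,10,0,0,DF
2013-10-19 10:00:01.000400,00:aa:bb:cc:dd:ee,00:11:22:33:44:25,198.51.100.7,192.176.2.25,80,40001,R,40,tcp,52,11,0,0,DF
2013-10-19 10:00:02.000000,00:11:22:33:44:25,00:aa:bb:cc:dd:ee,192.176.2.25,192.176.9.9,40005,80,S,60,tcp,64,12,0,0,DF
2013-10-19 10:00:03.000000,00:11:22:33:44:01,00:aa:bb:cc:dd:ee,192.176.5.10,203.0.113.1,,,,84,icmp,1,13,0,0,none
"""


def parse_records(text):
    """Turn CSV text in FIELDS order into dicts; numeric columns become ints.
    Empty port fields (ICMP rows) become 0, and rows with the wrong column
    count (truncated capture lines) are skipped rather than crashing."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        for key in ("sport", "dport", "len", "ttl", "id", "offset", "tos"):
            rec[key] = int(rec[key] or 0)
        records.append(rec)
    return records


def web_direction_totals(records, campus=CAMPUS_NET, port=80):
    """Per campus host: bytes sent to and received from outside servers on
    `port`, plus the set of outside servers contacted. Only flows where the
    outside end holds the server port count, so campus-to-campus traffic
    and flows where the campus host is itself the server are ignored."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "servers": set()})
    for r in records:
        sip, dip = ipaddress.ip_address(r["sip"]), ipaddress.ip_address(r["dip"])
        if sip in campus and dip not in campus and r["dport"] == port:
            totals[r["sip"]]["out"] += r["len"]
            totals[r["sip"]]["servers"].add(r["dip"])
        elif dip in campus and sip not in campus and r["sport"] == port:
            totals[r["dip"]]["in"] += r["len"]
    return totals


def suspicious_clients(totals, min_ratio=2.0, min_servers=3):
    """A web client normally receives far more than it sends. Flag hosts whose
    outbound bytes exceed inbound by `min_ratio` while fanning out to at least
    `min_servers` servers; both thresholds are assumptions to tune per site.
    Returns (host, out_bytes, in_bytes, server_count), largest sender first."""
    flagged = []
    for host, t in totals.items():
        ratio = t["out"] / t["in"] if t["in"] else float("inf")
        if ratio >= min_ratio and len(t["servers"]) >= min_servers:
            flagged.append((host, t["out"], t["in"], len(t["servers"])))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def afterglow_rows(records, host, port=80):
    """Distinct 'sip,dip,dport' lines for one host on `port`: the three-column
    source/event/target layout that Section IV pipes into afterglow.pl."""
    return sorted({f"{r['sip']},{r['dip']},{r['dport']}" for r in records
                   if r["sip"] == host and r["dport"] == port})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for host, out_b, in_b, n in suspicious_clients(web_direction_totals(recs)):
        print(f"{host}: {out_b} B out, {in_b} B in, {n} outside web servers")
        print("\n".join(afterglow_rows(recs, host)))
```

On the sample, 192.176.5.10 sends 540 bytes and receives 4560, so it is left alone, while 192.176.2.25 sends 5600 bytes to four outside servers and receives 40, so it is flagged and its rows are printed in the form afterglow.pl accepts. The ratio test narrows the set of machines worth looking at; it does not prove compromise, since a legitimate upload-heavy host (a campus proxy, an off-site backup) trips it too, which is why the raw rows are kept for the analyst.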
