Peer-reviewed article

Ant‐based distributed denial of service detection technique using roaming virtual honeypots

2016; Institution of Engineering and Technology; Volume: 10; Issue: 8; Language: English

10.1049/iet-com.2015.0497

ISSN

1751-8636

Authors

Rajalakshmi Selvaraj, Venu Madhav Kuthadi, Tshilidzi Marwala

Topic(s)

Advanced Malware Detection Techniques

Abstract

IET Communications, Volume 10, Issue 8, pp. 929-935. Research Article, free access. First published: 01 May 2016. https://doi.org/10.1049/iet-com.2015.0497. Citations: 8.

Rajalakshmi Selvaraj (corresponding author, rajalakshmi0878@gmail.com), Department of Computer Science, BIUST, Palapye, Botswana, and Faculty of Engineering and BE, University of Johannesburg, Johannesburg, South Africa. Venu Madhav Kuthadi, Department of AIS, University of Johannesburg, Johannesburg, South Africa. Tshilidzi Marwala, Faculty of Engineering and BE, University of Johannesburg, Johannesburg, South Africa.
Abstract

Nowadays, distributed denial of service (DDoS) has become a major challenge in the network, as it affects the network at multiple levels. This leads to traffic overhead and wasted bandwidth. To overcome these issues, an ant-based DDoS detection technique using roaming virtual honeypots is proposed. In this technique, a virtual roaming honeypot, together with a multi-level secure architecture, is used to collect information about the various intruders at different levels of the network. The ant colony optimisation technique is used to detect intruders based on the pheromone deposited in the considered area. A multi-level IP log table is used to detect intruders at different levels of the network. Once the affected area is found, the information is sent to the multi-level architecture to limit the spread of the affected area to the honeypot. This information is sent to the honeypot to build a defence system against the attackers. The advantage of the proposed technique is that it provides a full defence against DDoS at multiple levels without creating any traffic overhead.

1 Introduction

1.1 Distributed denial of service (DDoS) attacks and issues

A DDoS attack has become one of the critical security attacks because it explicitly threatens Internet stability [1, 2]. A DDoS attack consists of distributed, collaborative, large-scale denial of service (DoS) attacks. Since a DoS attack is a one-to-one attack, it is only effective when the target computer's configuration is weak or the network bandwidth is small [3]. Unlike DoS, DDoS exploits the huge resource asymmetry between the Internet and the victim. Through its many-to-one attack dimension, DDoS can block the victim, so that the victim's defence level becomes irrelevant [1]. A DDoS attack floods a large number of packets to overwhelm the victim from multiple compromised hosts (attackers) dispersed across the network simultaneously.
The attack flows significantly consume the target system's bandwidth or key resources, preventing service provision to legitimate users and resulting in an unauthorised denial of service to users, which poses a major security threat in the network. Recently, botnets have been used as an attacking platform to form larger-scale flooding DDoS attacks; the attack flows have become more distributed and even more harmful, making them increasingly hard to detect effectively [4-6].

1.2 Detecting DDoS attacks

Furthermore, the DDoS attack strategies of hierarchical attack and IP spoofing make tracing the attackers difficult [1]. DoS mitigation is complex in a distributed environment, whatever form the attack takes, whether ping of death or clone attack. The ping of death attack can be defined as follows: every data packet contains an ICMP header, which carries ECHO REQUEST and ECHO REPLY. If the ICMP data header exceeds 65,536 bytes, it crashes the entire system. If an unauthorised client spoofs the IP address of an authorised client to flood the network, this is known as a clone attack. In the state-of-the-art DDoS detection algorithm, the detection infrastructure is located near the saturated link in the vicinity of the victim. Though this simplifies the detection algorithm, the local response is ineffective because the available bandwidth has already been consumed on the upstream path [5]. DDoS attacks are identified only once a server or network is already down or has been exhausted for a while. It is difficult to distinguish the legitimate packets of normal traffic from the packets sent by zombie computers. Hence, there is a lag in DDoS attack detection. As a large number of packets is transmitted, more time is required to analyse each incoming packet. This can reduce DDoS detection accuracy [6]. Though much research has been carried out on attack detection and prevention, there are not yet effective and efficient solutions to intercept an ongoing attack in a timely fashion [1].
1.3 Role of honeypot in DDoS attack detection

A honeypot is a resource used to carry out information exchange with intruders. Honeypots give administrators additional and more valuable information; however, they do not modify any information [3]. The honeypot is an effective tool for providing insight into new attacks and exploitation trends [7]. Honeypots can obtain accurate attack signatures and act as physical or virtual machines to detect worm signatures successfully [8]. A honeypot is a decoy system with a non-hardened operating system, or one appearing to have several vulnerabilities, for easy access to its resources. This system should be set up similarly to the production servers in the corporation and loaded with numerous fake files, directories and other information that may look real. With such legitimate-looking files, the honeypot resembles a legitimate machine, which makes the hacker believe they have gained access to important information. A honeypot provides an environment to trap intruders, or the vulnerabilities they access, before an attack is made on real assets [9]. Honeypots are used to fool intruders by utilising the captured intruder information: recording every move, tracing the attack source, mastering the attacker's every move and then responding with the corresponding defensive measures. Honeypot technology improves detection time and response capability, efficiently collects evidence of criminal intruders and provides a good tracking environment. The roaming honeypots scheme randomly designates a set of servers to be active for a certain time, and the remaining servers are used as honeypots, thereby camouflaging the honeypot locations within a pool of server replicas. Each server in the pool, in association with the legitimate clients and the remaining peer replicas, acts as a honeypot for specific intervals of time. Roaming makes it harder for attackers to identify the active servers, and thus traps them in the honeypots [8].
The drawbacks of traditional honeypots have been exposed in three main areas: (i) A honeypot can only work against attacks through surveillance and analysis; however, bypass listening techniques cannot help the intrusion detection system (IDS) to monitor the entire network. (ii) Honeypot technology cannot directly protect vulnerable information systems, and attackers may exploit it, causing some security risk. (iii) Attacker activity on encrypted channels increases the captured data, which takes time to decipher; this increase in aggressive behaviour adds to the difficulty of analysis [3].

1.4 Ant colony optimisation (ACO)

Colony behaviour is one of the well-known behaviours of ants. Information about a discovered path is exchanged between ants by depositing pheromone. If more ants walk a path for food, more pheromone is deposited on it. In practice, an ant walks randomly at the initial stage. Once it finds food, the ant returns to its colony and deposits pheromone along the trails it has passed. Hence, the remaining ants can easily find the path and follow the track instead of walking randomly. The deposited pheromone starts to evaporate, which decreases its attraction. Navigation towards a new intrusion is very similar to an ant finding food. If intruders find something important, most of them will visit it again and again. Otherwise, they will visit very rarely, or will almost never visit the non-significant target again.

1.5 Problem identification

As the Internet is threatened by security attacks like DDoS, it is essential to provide a security system for safe communication. An IDS using a honeypot is implemented to fool intruders and keep them far from disturbing the reliability of a communication network. An efficient hop-by-hop honeypot mechanism is proposed in [8] to mitigate spoofing distributed DoS attacks. Here, back propagation is performed to trace back the root of the attacks.
In addition, the roaming honeypots scheme provides accurate attack signatures. On receiving attack packets, the roaming honeypot triggers the activation of a tree of honeypot sessions rooted at the honeypot under attack and extending toward the attack sources. To reduce delay, progressive back propagation is used to handle low-rate attacks such as on-off attacks with short bursts. However, there is no security system to protect the honeypots from unknown attacks, false negatives, false positives and so on. If an attacker breaks into a honeypot, it will break the honeypot connections and turn it into a bouncer. To add more security to the system, the ACO algorithm is used to trace the track of intruders while detecting the intrusion [10]. When attackers find something valuable along a route, they often use the same route again. Hence, by tracing the track alongside intrusion detection, the honeypot can store the track of the attackers. To solve the problem of attackers attacking the honeypot, we propose to develop a security system for the architecture called an ant-based DDoS detection technique using roaming virtual honeypots (ADTRVH). This technique can provide a full defence against DDoS at multiple levels without creating any traffic overhead.

This paper is organised as follows. Section 1 provides the introduction to the proposed technique. The literature survey is given in Section 2. The proposed solution is discussed in Section 3. Section 4 discusses the simulation results. Finally, Section 5 concludes the paper.

2 Literature review

Buvaneswari and Subha [5] have proposed an approach called IHoneycol to mitigate distributed DoS effectively and efficiently. By utilising a firecol-IPS system and a honeypot-IDS, IHoneycol provides a collaborative solution for the early detection of flooding DDoS attacks. It protects the subscribed customers and saves valuable network resources by preventing the attack closer to the source and farther from the destination.
However, deployment of firecol routers becomes highly expensive, and the honeypot server needs protection from various attacks. Our work eliminates the use of any external systems apart from roaming honeypots and provides complete protection against attacks on honeypots. Xuxian Jianga et al. [7] have presented Collapsar, a virtual machine-based architecture for network attack capture and detention. A Collapsar centre hosts and manages a large number of high-interaction virtual honeypots in a local dedicated network. A wide and diverse view of network attacks is provided by the decentralised logical presence of the honeypots. The centralised operation eliminates the need for a honeypot in every production network by enabling dedicated administration and convenient event correlation. Collapsar realised the traditional honeyfarm vision and a new reverse honeyfarm vision, in which the honeypots act as vulnerable clients exploited by real-world malicious servers. However, tracking or tracing the attackers from the external domain is a challenging task. Hence, our work provides a complete tracking mechanism for intruders. Sherif Khattab et al. [8] have proposed an efficient hop-by-hop trace back mechanism called honeypot back propagation, with a novel leverage of the roaming honeypots scheme to obtain accurate attack signatures. On receiving attack packets, the honeypot triggers the activation of a tree of honeypot sessions rooted at the honeypot under attack and extending toward the attack sources. The tree is formed hierarchically at the autonomous system level and the router level. Honeypot back propagation supports incremental deployment by providing incentives for ISPs even with partial deployment. Progressive back propagation was also proposed to cope with low-rate attackers, such as on-off attacks with short bursts, since most trace back schemes take more time against low-rate attackers to collect the required number of packets.
However, there is no security system to protect the honeypots from unknown attacks, false negatives, false positives and so on. If an attacker breaks into a honeypot, it will break the honeypot connections. Our work provides complete protection against attacks on honeypots. Anoosha Prathapani et al. [11] have proposed an intelligent honeypot-based detection system (IHBD) to identify black hole attackers in WMNs. The honeypot-based detection model helps to enhance throughput in a WMN with black hole MRs. It has a high detection rate and a low false positive rate. However, this work focuses on detecting only black hole attacks rather than other types of DoS attacks, whereas our work considers more DDoS attacks apart from traditional attacks like black holes and wormholes. Prof. Smita Jawale et al. [12] have designed an architecture for intrusion detection using a honeypot. The honeypot, as a component, coordinates with the IDS to increase its flexibility, configurability and security. By allowing the user to attempt to intrude into the system, the honeypot notices the intruder's activity and generates the intruder's signature. The absence of tools for detecting honeypots is a major drawback of honeypot technologies. In addition, virtual honeypots based on virtualisation technology were proposed to hide the honeypots. However, tracking or tracing the intrusive behaviour of attackers remains a challenge. Hence, in our work, a complete tracking mechanism for intruders is provided. Harkeerat Singh Bedi et al. [13] have presented a game-theoretic model, explored as a defence mechanism against the classic bandwidth-consuming DoS/DDoS attacks on TCP-friendly flows. The attacker and defender interaction is modelled as a game in two attack scenarios: (i) a single attacking node for DoS and (ii) multiple attacking nodes for DDoS. The optimal firewall settings for blocking rogue traffic while allowing legitimate traffic are hard for the defender to determine.
However, that architecture is restricted to WLAN networks only, compared with our architecture, which includes multiple domains. Chang-Lung Tsai et al. [10] have proposed a novel intrusion behaviour analysis mechanism relying on the design of a honeypot and the diagnosis of an ant colony algorithm. A monitor module, a track module and an analysis module are developed in that scheme to analyse the intrusive behaviour. The developed honeypot is updated with all of its architecture, database, directory and security parameters dynamically and in a timely manner, to evade probe tests from the intruders. Pheromone deposited on discovery records the traverse of an intrusion. The discovered file content, path and database are updated for appropriate measurement of intruder capability, and the security settings are enhanced in time to increase the difficulty of visiting or accessing the target again. Though it provides tracking of attackers, the information in the system logs should be protected. Hence, our work provides a multi-level logging system to protect the system logs. Kumar Shridhar and Nikhil Gautam [14] have discussed DDoS attacks and their prevention strategies. The honeypot approach deals with such attacks, as it not only lures the attacker to attack the network but also alerts the network administrators of a possible intrusion by trailing the attacker. Honeypots can be used along with other forms of security, such as an IDS, to increase its efficiency. Sivaprakasam and Nirmal sam [15] have proposed a collaborative system to eliminate DDoS attacks. Methods showing how such a system can be used in a defence-in-depth real-world network environment are discussed. The system identifies different problems with the current realisation and provides solutions to manage the scalability of the honeypot. This system achieves promising results with the presented initial setup. However, this system is not applicable to middle-sized organisations.
3 Proposed solution

3.1 Overview

In this paper, we propose to develop a security system for the architecture called ADTRVH. We implement two technologies in this architecture to prevent an attacked honeypot from attacking other systems, by controlling the connection and controlling the spread of attacks [12]. Hence, a worm can be detected, as an infected honeypot produces a lot of IP table log entries; the connection is blocked when the limit is reached, and in the latter mechanism the traffic exceeding the limit is dropped. In addition, a mechanism for multi-level logging is used to protect the detailed information about the attackers in the system logs. If the attacker hacks the honeypot, the system log is preserved by storing it in a remote log server. Nowadays, advanced attackers can attack that too, so a second-layer sniffer server is used. Therefore, the system log information is retained after the honeypots are attacked. The proposed defence system architecture is shown in Fig. 1.

Fig. 1 System architecture of the proposed DDoS defence system

3.2 Construction of the roaming virtual honeypot mechanism

In the proposed technique, the hop-by-hop scheme together with the back propagation honeypot mechanism, based on the ACO technique (Section 3.3), is used to defend against spoofing DDoS. Fig. 2 represents how DDoS attacks the whole network system. The hop-by-hop scheme starts at the router next to the attack victim; neighbouring routers upstream on the attack paths are then identified using the signature of the attack packets. This process continues until the victim area is reached.

Fig. 2 Representation of DDoS attack diagram

In the back propagation method, a server S performs a dual role, i.e. the server alternates between providing service and acting as a honeypot based on the timing factor ρ. Each server S enters a honeypot epoch once it is scheduled to be inactive. During a honeypot epoch, server S assumes that there is no legitimate traffic.
Hence, any packet directed to S is classified as an attack packet. A honeypot epoch ends once server S becomes active again. The honeypot epochs are selected based on the coordination between S and the receiver R to avoid any kind of service interruption. The honeypot epochs are time windows in which a server receives pure attack packets. To identify the different intruders and keep a record of the affected area of the honeypots, the ACO technique is used. The ACO technique supports the back propagation method of the honeypot. In this technique, the intruders are detected based on the density of the pheromone in the track module. The report is analysed and sent to the honeypot to defend against these types of affected area.

3.3 Ant colony optimisation

This section describes the ACO technique, which is used to track information about the attackers and to maintain a record of various kinds of access, such as suspicious intrusion, misuse and normal access. It tracks information about the different intruders and maintains a record of all the unwanted actions. Even the complete path and traverse of each access, including legal access and illegal intrusion, is deposited with different pheromones and weights in the track module. Finally, all the information is analysed and transferred to the honeypot to keep a record of the attackers.

3.3.1 Ant colony algorithm

As the ACO technique helps to track information about the intrusion, it is applied to solve the problem of intrusive behaviour analysis. This section describes the phases involved in finding the intrusive behaviour and the different iterative manipulations, which are described below.

Phase 1: Initialisation phase

Intrusion can spread randomly around the whole networking system. The initialisation phase involves the following steps:

Step 1: Set the pheromone to zero.
Step 2: Once the intruder starts its work of discovering the target, the deposit of pheromone for a successful attempt is indicated as PHS or PHSC.
Step 3: If the attempt fails, the deposit of pheromone is recorded as F_PHS.
Step 4: For an area of the network without any privacy setting, that attempt is called PHC.

Table 1 gives a complete description of the different pheromone parameters that represent the different significant areas visited by the intruders.

Table 1. Pheromone parameters
Pheromone item     Notation   Index   Significance
attempt success    PHS        1       highly confidential or classified: intruder successfully visited or entered the highest confidential area
attempt success    PHSC       2       confidential or classified: intruder successfully visited or entered a confidential area
attempt failure    F_PHS      3       highly confidential or classified: intruder failed to visit the highest confidential area
attempt failure    F_PHSC     4       confidential or classified: intruder failed to visit a confidential area
attempt            PHC        5       general/without confidential: visit of the intrusion to an area without any request for permission or authority

Phase 2: Discovery phase

If the ant (intruder) finds its area of interest (confidential information), it performs the following actions: it constructs a communication tunnel and establishes backdoors; it performs an advanced search, such as surfing the websites or searching the database; it hides its trail and removes the previous record; after that, it leaves the place immediately. All of the above actions leave pheromone according to the different scenarios described in Table 1.

Phase 3: Re-examination phase

If one ant finds food, the other ants will follow the same path. Hence, the density of the pheromone increases until all the food has been carried away. Once all the food has been carried away, the pheromone starts to evaporate gradually. The same behaviour is exhibited by the intruders.
If any intruders find a confidential area, then a group of organised intruders, as a colony, visits the same area in the network. To record each movement of the intruders, every device, server, file, directory and database is considered as an individual node, mounted with a caption to indicate its different properties in the whole network system. Table 2 lists the captions and indexing that represent different devices; devices belonging to the same set, such as router 1 and router 2, are indicated as R1 and R2.

Table 2. Caption and index of some devices
Hardware                Software
IS    server            IOS   operating system
IR    router            ID    database
ISW   switch            IAP   application program
IFW   firewall          IFD   file document
IT    terminal          ISP   security parameter

As there are many devices and nodes in the networking system, the movement of intruders from the ith node to the jth node can be seen as a stochastic process. To define the movement of intruders, a probability model is applied, and the movement of intruders is measured according to equation (1), where IHi represents the amount of pheromone deposited on the ith node, IHj represents the amount of pheromone deposited on the jth node, and α represents the power parameter, which is used for tuning. The amount of pheromone to be deposited is decided based on the analysis of Table 1. The variation of the density of pheromone on each node, IH_DNi, is defined according to equation (2), where k is the index denoting the kth kind of pheromone as tabulated in Table 1, β represents the evaporation factor, which lies in the range zero to one, and ρ represents the timing factor, which gives the estimated time between two consecutive attempts on the ith node. The pheromone of each trail is summarised according to equation (3), where j represents the different nodes present on the trail. The pheromone is updated according to the attempts, the evaporation factor and the time duration.
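As an added illustration (not the paper's code or the authors' NS-2 simulation), the Python below puts the roaming honeypot epochs of Section 3.2 and the pheromone track module of Section 3.3 together: a server in a honeypot epoch treats every packet addressed to it as an attack packet, each attack path deposits one of the Table 1 pheromone kinds on the traversed nodes, deposits are weighted by the timing factor ρ and decay with the evaporation factor β, and the resulting node densities give a trail summary, an ACO-style next-hop probability with power parameter α, and the affected area reported to the honeypot. Because equations (1)-(3) are not reproduced on this page, the deposit weights, the 1/(1+ρ) timing weight, the (1-β) decay rule and the IH_j^α transition rule are assumed standard ACO forms, not the paper's exact equations, and the packet trace is constructed.

```python
"""Toy roaming-honeypot classifier and pheromone track module (added example;
not the paper's code). Assumed, since equations (1)-(3) are not reproduced
here: the per-kind deposit weights, the timing weight 1/(1+rho), the decay
rule (1-beta) per step and the IH_j^alpha transition rule."""
from collections import defaultdict

# Table 1 pheromone kinds: notation -> (index k, assumed deposit weight)
PHEROMONE = {
    "PHS": (1, 5.0),     # success, highest confidential area
    "PHSC": (2, 3.0),    # success, confidential area
    "F_PHS": (3, 2.0),   # failed attempt, highest confidential area
    "F_PHSC": (4, 1.0),  # failed attempt, confidential area
    "PHC": (5, 0.5),     # visit to an area without any privacy setting
}


class RoamingPool:
    """Section 3.2: each server alternates between service and honeypot epochs."""

    def __init__(self, epochs):
        # epochs: server -> list of (start, end) honeypot epochs, end exclusive
        self.epochs = epochs

    def in_honeypot_epoch(self, server, t):
        return any(s <= t < e for s, e in self.epochs.get(server, []))

    def classify(self, server, t):
        # A server in a honeypot epoch expects no legitimate traffic, so every
        # packet addressed to it is an attack packet.
        return "attack" if self.in_honeypot_epoch(server, t) else "legitimate"


class TrackModule:
    """Section 3.3: per-node pheromone IH_DN[i][k] with evaporation and timing."""

    def __init__(self, alpha=1.0, beta=0.2):
        self.alpha = alpha  # power parameter used to tune the transition rule
        self.beta = beta    # evaporation factor, in (0, 1)
        self.ih = defaultdict(lambda: defaultdict(float))  # node -> k -> amount
        self.last_attempt = {}  # node -> time of the previous attempt

    def deposit(self, node, kind, t):
        k, weight = PHEROMONE[kind]
        # rho: time between two consecutive attempts on this node. A quick
        # revisit is what ants (and intruders) do for a valuable target, so it
        # deposits more (assumed weighting 1/(1+rho)).
        rho = t - self.last_attempt.get(node, t)
        self.ih[node][k] += weight / (1.0 + rho)
        self.last_attempt[node] = t

    def evaporate(self):
        # Assumed rule: every kind of pheromone decays by (1 - beta) per step.
        for kinds in self.ih.values():
            for k in kinds:
                kinds[k] *= 1.0 - self.beta

    def density(self, node):
        # IH_i: total pheromone on node i over all kinds of Table 1
        return sum(self.ih.get(node, {}).values())

    def trail_pheromone(self, trail):
        # Trail summary in the spirit of (3): sum over the nodes j on the trail
        return sum(self.density(j) for j in trail)

    def next_hop_probabilities(self, neighbours):
        # Assumed ACO-style transition rule: IH_j^alpha normalised over the
        # candidate next nodes j (uniform while nothing has been deposited)
        w = {j: self.density(j) ** self.alpha for j in neighbours}
        total = sum(w.values())
        if total == 0:
            return {j: 1.0 / len(neighbours) for j in neighbours}
        return {j: v / total for j, v in w.items()}

    def affected_area(self, threshold):
        # Nodes whose density reached the threshold are reported to the honeypot
        return sorted(n for n in self.ih if self.density(n) >= threshold)


def run_demo():
    """Replay a constructed packet trace and return (attack count, track)."""
    pool = RoamingPool({"S1": [(5, 10)], "S2": [(0, 5)]})
    track = TrackModule(alpha=1.0, beta=0.2)
    # Constructed trace: (time, router path, destination server, pheromone kind)
    trace = [
        (1, ["R1", "R2"], "S1", "PHS"),    # S1 active: legitimate, no deposit
        (2, ["R1", "R3"], "S2", "PHC"),    # S2 in honeypot epoch: attack
        (6, ["R1", "R2"], "S1", "PHS"),    # S1 in honeypot epoch: attack
        (7, ["R1", "R2"], "S1", "F_PHS"),  # repeat attempt one step later
    ]
    attacks = 0
    for t, path, server, kind in trace:
        if pool.classify(server, t) == "attack":
            attacks += 1
            for node in path + [server]:
                track.deposit(node, kind, t)
    return attacks, track


if __name__ == "__main__":
    n, tm = run_demo()
    print(n, "attack packets; affected area:", tm.affected_area(2.0))
    print("next hop from R1:", tm.next_hop_probabilities(["R2", "R3"]))
```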
3.4 Secure architecture of honeypot

To avoid the spread of worms from a honeypot to other systems in the network, a secure architecture [12] is proposed. To provide advanced security, the honeypot architecture consists of the following two main parts:

Data control limit: the purpose of data control is to limit the spread from an affected honeypot to the whole network system.
Multi-level IP log table (MLIP): used to protect the confidential information about the attackers in the system logs.

In Fig. 2, a logical flow of the DDoS defence system in the network is shown.

3.4.1 Limiting the spread of attacks

To avoid the spread of an affected honeypot across the whole network system, the following steps are executed. This action reduces the number of packet drops and improves the packet delivery ratio. After deploying and executing the ant-based tracking module, the amount of pheromone deposit is determined, based on which the IP tables are updated to count the number of attack attempts on the honeypot. Let the packet arrival rate be PAR and the traffic limit be TL.

If PAR < TL, then
    the packet is allowed to enter the network
Else
    the packet is blocked from entering the network
End if

3.4.2 Multi-level IP log table

The MLIP is used to protect the confidential information about the attackers in the system logs [12]. It captures in the system logs all the information about the unwanted activities of the intruders, such as compiling, file operations, additions, deletions, changes, processes started and even keystrokes.
(i) The variation of the density of pheromone deposit is estimated using equation (2).
(ii) Based on step (i), the entire activity of the attacker is stored in a record at multiple levels.
(iii) The attacker's activity information is transmitted through UDP to the sniffer server, which copies and writes all the packets into bin and log files.
Using the above steps, even if hackers destroy all the information collected in the remote log server, the information still survives in the binary log files.
MLIP improves security by means of detection accuracy.

4 Simulation results

4.1 Simulation model and parameters

The network simulator (NS-2) [16] is used to simulate the proposed architecture. In the simulation, 100 nodes are used, connected together in the simulation region for 10 s of simulation time. A tree of 100 nodes is created, which includes components such as honeypot servers, victims and attackers. The hop count and node degree are controlled by the hop-count distribution file and the node-degree distribution file. The attackers are placed randomly based on the attack concentration level (ACL), which is varied from 0 to 2. The value 0 corresponds to low (sparse), 1 to medium and 2 to high level (dense). The number of attackers targeting the victims is varied from 25 to 75. There are five honeypot servers with a migration interval of 5 s. The targeted victims are five nodes, selected randomly. The honeypot servers are modelled as FTP servers. The legitimate traffic is constant bit rate, with a legitimate rate per node of 0.1 Mb. The simulation settings and parameters are summarised in Table 3. The simulation topology is shown in Fig. 3.

Table 3. Simulation parameters
number of nodes             100
number of servers           5
number of attack targets    5
attackers                   25, 50 and 75
simulation time             50 s
interval                    1.0
ACL                         0, 1 and 2
attacker rate               0.01 Mbps
packet size                 1000

Fig. 3 Simulation topology

4.2 Performance metrics and results

The proposed ADTRVH is compared with IHBD [11]. The performance is evaluated based on packet delivery ratio, end-to-end delay, throughput and false positives.

4.2.1 Based on attackers

Here, the attackers launch DDoS flooding attacks towards the victim nodes as well as wormhole attacks directed at the honeypots. The number of attackers is varied as 25, 50 and 75. Figs. 4-7 show the results for delay, delivery ratio, throughput and false positives, respectively, for the ADTRVH and IHBD techniques when the number of attackers is increased.

Fig. 4 Attackers against delay
Fig. 5 Attackers against delivery ratio
Fig. 6 Attackers against throughput
Fig. 7 Attackers against false positives

Obviously, the effect of the attackers increases the end-to-end delay, as depicted in Fig. 4. However, since ADTRVH uses the ACO algorithm, the detection time is shorter. Hence, the delay of ADTRVH is 6% less than that of IHBD. When the number of attackers is increased from 25 to 100, it results in more packet drops, thereby degrading the delivery ratio and throughput. This behaviour can be observed in Figs. 5 and 6. However, as ADTRVH provides additional security for the honeypots and an ACO-based trace back mechanism, the delivery ratio and throughput of ADTRVH are higher than those of IHBD by 3 and 32%, respectively. Fig. 7 shows the false positives obtained for both techniques when the number of attackers is increased. The false positive percentage increases as the attackers increase. However, ADTRVH performs better than IHBD, attaining a 34% lower false positive percentage, as it uses trace back and multi-level log tables.

4.2.2 Based on ACL

ACL specifies the placement of the attacker nodes, i.e. sparse or dense. The value 0 corresponds to low, 1 to medium and 2 to high level. The results are given for these three levels. The number of attackers is kept at 25 for all levels. Figs. 8-10 present the results for delay, delivery ratio and false positives, respectively, for the ADTRVH and IHBD techniques when the ACL is varied.

Fig. 8 ACL against delay
Fig. 9 ACL against delivery ratio
Fig. 10 ACL against false positives

The end-to-end delay increases slightly, as depicted in Fig. 8. As ADTRVH uses the ACO algorithm, the detection time is shorter. Hence, the delay of ADTRVH is 11% less than that of IHBD. When the ACL is increased, it results in more packet drops, thereby degrading the delivery ratio. This behaviour can be observed in Fig. 9. However, ADTRVH provides additional security for the honeypots and an ACO-based trace back mechanism, so the delivery ratio of ADTRVH is higher than that of IHBD by 4%. Fig. 10 shows the false positives obtained for both techniques when the ACL is increased. The false positive percentage increases when the ACL is increased. However, ADTRVH performs better than IHBD, attaining a 20% lower false positive percentage, as it uses trace back and multi-level log tables.

5 Conclusion

In this paper, we have proposed ADTRVH, in which a virtual roaming honeypot is used together with a multi-level secure architecture to collect information about the various intruders at different levels of the network. Based on the ACO technique, the collected information is sent to the multi-level architecture to restrict further connections of the intruders with the honeypot or to stop the further spread of intruders. MLIP detects the intruders at different levels of the network. Once the affected area is found, the information is sent to the multi-level architecture to stop the spread of the affected area to the honeypot by building a defence system against the intruders. Simulation results show that the proposed technique reduces false positives and increases the packet delivery ratio and throughput.

References

1 Li, L., Lee, G.: 'DDoS attack detection and wavelets'. Proc. 12th Int. Conf. on Computer Communications and Networks, ICCCN, 2003
2 Xu, T., He, D., Luo, Y.: 'DDoS attack detection based on RLT features'. Int. Conf. on Computational Intelligence and Security, 2007
3 Lei-Jun, L.: 'A new type of DDoS defense system study'. 2nd IEEE Int. Conf. on Information and Financial Engineering (ICIFE), Chongqing, 2010
4 Li, Z.-L., Guang-Min, Yang, H.D.: 'Global abnormal correlation analysis for DDoS attack detection'. IEEE Symp. on Computers and Communications, ISCC, 2008
5 Buvaneswari, M., Subha, T.: 'IHONEYCOL: a distributed collaborative approach for mitigation of DDoS attack'. Int. Conf. on Information Communication and Embedded Systems (ICICES), Chennai, 2013
6 Sanmorino, A., Yazid, S.: 'DDoS attack detection method and mitigation using pattern of the flow'. Int. Conf. of Information and Communication Technology (ICoICT), 2013
7 Jianga, X., Xua, D., Wang, Y.-M.: 'Collapsar: a VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention', J. Parallel Distrib. Comput., 2006, 66, pp. 1165-1180 (doi: 10.1016/j.jpdc.2006.04.012)
8 Khattab, S., Melhem, R., Mossé, D., et al.: 'Honeypot back-propagation for mitigating spoofing distributed denial-of-service attacks'. 20th Int. Parallel and Distributed Processing Symp., IPDPS, Rhodes Island, 2006
9 Tian, Z.-H., Fang, B.-X., Yun, X.-C.: 'An architecture for intrusion detection using honey pot'. Proc. of the Second Int. Conf. on Machine Learning and Cybernetics, Wan, 2-5 November 2003
10 Tsai, C.-L., Tseng, C.-C., Han, C.-C.: 'Intrusive behavior analysis based on honey pot tracking and ant algorithm analysis'. 43rd Annual Int. Carnahan Conf. on Security Technology, Zurich, 2009
11 Prathapani, A., Santhananr, L., Agrawal, D.P.: 'Intelligent honeypot agent for blackhole attack detection in wireless mesh networks'. IEEE 6th Int. Conf. on Mobile Adhoc and Sensor Systems (MASS), Macau, 2009
12 Jawale, S., Mehta, R., Mahalingam, V., et al.: 'Intrusion detection system using virtual honeypots'. Int. J. of Engineering Research and Applications (IJERA), National Conf. on Emerging Trends in Engineering & Technology, March 2012
13 Bedi, H.S., Roy, S., Shiva, S.: 'Game theory-based defense mechanisms against DDoS attacks on TCP/TCP-friendly flows'. IEEE Symp. on Computational Intelligence in Cyber Security (CICS), Paris, 2011
14 Shridhar, K., Gautam, N.: 'A prevention of DDoS attacks in cloud using honeypot', Int. J. Sci. Res., 2012
15 Sivaprakasam, V., Nirmal sam, S.: 'Achieving higher network security by preventing DDOS attack using honeypot', Int. J. Recent Adv. Eng. Technol., 2014, 2, (2)
16 Network Simulator. Available at http://www.isi.edu/nsnam/ns
17 Jain, Y.K., Singh, S.: 'Honeypot based secure network system', Int. J. Comput. Sci. Eng., 2011, 3, (2)
18 Sharma, N., Singh, G.: 'Intrusion detection system using shadow honeypot', Int. J. Emerg. Technol. Adv. Eng., 2012, 2, (8)
