©1996-2011 All Rights Reserved. Online Journal of Bioinformatics.  You may not store these pages in any form except for your own personal use. All other usage or distribution is illegal under international copyright treaties. Permission to use any of these pages in any other way besides the  before mentioned must be gained in writing from the publisher. This article is exclusively copyrighted in its entirety to OJB publications. This article may be copied once but may not be, reproduced or  re-transmitted without the express permission of the editors. Linking: To link to this page or any pages linking to this page you must link directly to this page only here rather than put up your own page.



Online Journal of Bioinformatics

REFEREE FORM



Please complete and remit to Editorial office, Online Journal of Bioinformatics


Title: Intrusion Detection System to Detect DDOS Attacks in Gnutella Hybrid P2P Networks Using Artificial Immune Systems
Author(s): Mueen Uddin (1), Azizah Abdul Rahman (2)
ID Number: QA232


The Editorial board must ensure that the OJB publishes only papers which are scientifically sound. To achieve this objective, the referees are requested to assist the Editors by making an assessment of a paper submitted for publication by:

 

(a) Writing a report as described in GENERAL STATEMENTS (below),
(b) Checking the boxes shown below under 1. and 2. (YES or NO) [N.B. A "NO" assessment must be supported by specific comment in the report.]
(c) Making a recommendation under 3.

 

The Editor-in-Chief would appreciate hearing from any referee who feels that he/she will be unable to review a manuscript within four weeks.

 

1.  CRITERIA FOR JUDGEMENT (Mark "Yes" or "No").

          

            General statements

           

What is this work about? Describes/reviews the Gnutella program and the human immune system and then proposes anomaly and signature-based intrusion detection. A simulated immune system is proposed to minimize IDS attack. The work purports to present an algorithm to improve detection of DDoS by somehow arbitrarily mapping the human immune system to the Gnutella peer to peer network according to the author’s perception.

Does it add any value to current knowledge? May be of some use to prevent DDoS; of main interest here is the proposed mapping to the immune system and why.

Is it innovative? NC

 

Yes/No answers.

 

Is the work scientifically sound?  NC

Is the work an original contribution? Y
Are the conclusions justified on the evidence presented? NO
Is the work free of major errors in fact, logic or technique? Y
Is the paper clearly and concisely written? NO
Do you consider that the data provided on the care and use of animals (See Instructions to Contributors) is sufficient to establish that the animals used in the experiments were well looked after, that care was taken to avoid distress, and that there was no unethical use of animals? NA


2.  PRESENTATION (Mark "Yes" or "No").
 

Does the title clearly indicate the content of the paper?  NO (see below)
Does the abstract convey the essence of the article? (NO see below)
Are all the tables essential? Y
Are the figures and drawings of good quality? NO
Are the illustrations necessary for an understanding of the text?  Y
Is the labelling adequate? Y


3. RECOMMENDATIONS(Mark one with an X)
 

Not suitable for publication in the OJB
Reassess after major changes

Reassess after suggested changes X
Accept for publication with minor changes
Accept for publication without changes


4. REPORT   This is quite a novel subject for this journal which deals mainly with an IT problem, not Bioinformatics. However the idea of mapping a secure network to an artificial immune system is within the scope of consideration for this journal. The work purports to present an algorithm to improve detection of DDoS by mapping of human immune system with Gnutella peer to peer network according to author’s/literature’s perception. Gnutella and immune system are reviewed in detail, and that readers of OJB are NOT FAMILIAR with the subject and is thus appropriate (INTRODUCTION). The authors need to CLEARLY answer the following. What is the purpose of this work? Why have you mapped the immune system in the way you did (ref), and what advantage has this mapping had over conventional methods (you could use the simulation as an example)? The grammar is poor throughout and far too many and long for corrections by staff at this journal. Some of the graphics (figs 1, 2 and 3) are not of good quality and will have to be re-submitted. The crux of this work is in the IDS detection, the ensuing method, genetic algorithm and simulation and authors should concentrate on this part of the work in their discussion. The title is not appropriate (see suggestions). The ABSTRACT is not precise; in this section, please describe reason, method and result only (see suggestions). Again, authors need to justify mapping system used with appropriate references. There is no discussion section which is replaced with the method, simulation and results. The conclusion section is mostly redundant (see suggested) and suggest only “The proposed system used anomaly and signature-based detection. Each time an attack was identified, a new generation was added to the detectors dataset. As false positives decreased, attack detection increased.” Reassess after suggested changes X WB

 

 

 

Original submission

ABSTRACT

Distributed Denial of Service (DDoS) attacks are an increasing threat to the Internet community. Intrusion detection systems have become a key component in ensuring the safety of systems and networks. As networks grow in size and speed continues to increase, it is crucial that efficient, scalable techniques be developed for IDS systems. This paper presents an analysis of the Gnutella protocol, a type of peer-to-peer networking model that currently provides decentralized file-sharing capabilities to its users and in which the distinction between server and client is pale. Due to … dependence on a central unit, creates many vulnerabilities and security breaches and makes it hard to create security. In this paper a collaborative intrusion detection system is proposed to detect DDoS attacks, inspired by the artificial immune system. Since the intrusion detection system is located on all leaf peers in the Gnutella network, this system is fully distributed. It is clear that the artificial immune system is a distributed, collaborative, robust, complex adaptive system. It increases the precision of attack discovery and decreases the false positive rate. Therefore in this paper, after detecting an attack and adopting some alternatives, the effect of the attack is minimized and the function of the system is optimized. The Gnutellasim simulator is used to simulate a sample network and the attack scenario. To analyze and achieve the function of the suggested network in the training phase, the tcpdump and gtk-gnutella tools are used to create the Gnutella packets in a new dataset.

Keywords: Gnutella hybrid peer to peer network, artificial immune system, DDoS attack, signature based IDS, anomaly based IDS.

 

 

Suggested

Distributed Denial of Service (DDoS) attacks are an increasing threat to the Internet community. Intrusion detection systems have become a key component in ensuring the safety of systems and networks. As networks grow in size and speed, efficient scalable techniques should be available for IDS systems. Gnutella is a peer-to-peer networking model that currently provides decentralized file-sharing capabilities to its users but the distinction between server and client is pale. Due to Gnutella’s dependence on a central unit, the program is vulnerable to security breaches. An intrusion detection system to detect DDoS attacks by simulating artificial immune system is herein described. The proposed system used anomaly and signature-based detection. Each time an attack is identified, a new generation is added to the detectors dataset. As false positives decrease, attack detection increases.

 

Keywords: Gnutella hybrid peer to peer network, artificial immune system, DDoS attack, signature based IDS, anomaly based IDS.

 

Original

INTRODUCTION

Traditional network file systems provide a reliable way for users on a LAN to pool and share data. Internet-wide file sharing is still in its infancy. Software developers and researchers are struggling to find new ways to reliably, efficiently and securely share data across wide area networks that are plagued by high latency, bottlenecks, and unreliable or malicious nodes. Computer networks are changing and developing very quickly, both in the architecture and in the software of the network, and these changes affect the network traffic. The assessment of network traffic has always been discussed by researchers [38].

P2P computing is the sharing of computer resources and services by direct exchange between systems. These networks are mostly used for sharing and finding content of any type. These networks take advantage of existing computing power, computer storage and networking connectivity, allowing users to leverage … Some of the major applications of P2P networks are file sharing, distributed computation, ad hoc networks and collaborative applications [39].

Gnutella is a decentralized P2P file-sharing model developed in early 2000 by … (… created the WinAMP MP3 player). This protocol is used to share and download any type of file. It provides a decentralized architecture to store and retrieve files from the network [39, 40]. The Gnutella protocol defines the way in which servants communicate over the network. It consists of a set of descriptors used for communicating data between servants and a set of rules governing the inter-servant exchange of descriptors. Due to its distributed nature, a network of servants that implements the Gnutella protocol is highly fault-tolerant, as operation of the network will not be interrupted if a subset of servants goes offline [4].

All Gnutella communication happens on top of the TCP/IP protocol. Once a TCP/IP connection is established between two servants, the Gnutella connection string … A servant responding to this … by establishing a valid Gnutella connection between these two servants. Any other response to the original connection string will be taken as a communication rejection by the initiator servant.

After a connection is established, two servants communicate with each other by exchanging Gnutella protocol descriptors. The Gnutella protocol also defines the rules for how these descriptors are exchanged between nodes.

Table 1: Gnutella Descriptors Overview

Descriptor   Description
Ping         Used to actively discover hosts on the network. A servant receiving a Ping descriptor is expected to respond with one or more Pong descriptors.
Pong         The response to a Ping. Includes the address of a connected Gnutella servant and information regarding the data it is making available to the network.
Query        The primary mechanism for searching the distributed network. A servant receiving a Query descriptor will respond with a Query Hit if a match is found against its local data set.
Query Hit    The response to a Query. This descriptor provides the recipient with enough information to acquire the data matching the corresponding Query.
Push         A mechanism that allows a firewalled servant to add file-based data to the network.
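Descriptors of the five kinds in Table 1 share one fixed header, and a leaf-peer IDS that inspects Gnutella traffic has to parse that header and reject malformed or over-flooded descriptors before any signature or anomaly logic runs. The following parser is an added example and not code from the paper; the 23-byte header layout (16-byte descriptor ID, 1-byte type, TTL, hops, 4-byte little-endian payload length) follows the Gnutella 0.4 protocol specification, while the policy limits MAX_TTL_PLUS_HOPS and MAX_PAYLOAD, the helper names and the sample byte stream are assumptions constructed for the example.

```python
"""Parse Gnutella 0.4 descriptor headers and run the sanity checks a
leaf-peer IDS would apply before accepting a message.

Added example, not code from the paper.  The 23-byte header layout follows
the Gnutella 0.4 protocol specification; the policy limits below and the
sample byte stream are constructed assumptions."""
import struct

HEADER_LEN = 23                 # 16-byte descriptor ID + type + TTL + hops + 4-byte length
DESCRIPTOR_NAMES = {0x00: "Ping", 0x01: "Pong", 0x40: "Push", 0x80: "Query", 0x81: "QueryHit"}
MAX_TTL_PLUS_HOPS = 7           # assumption: conventional ceiling on a descriptor's flood radius
MAX_PAYLOAD = 4096              # assumption: local policy limit, not a protocol constant


class DescriptorError(ValueError):
    """Raised for a malformed or policy-violating descriptor."""


def build_descriptor(kind, ttl, hops, payload=b"", desc_id=b"\x11" * 16):
    """Serialise a descriptor; used here only to build the constructed sample stream."""
    return desc_id + struct.pack("<BBBI", kind, ttl, hops, len(payload)) + payload


def parse_descriptor(buf):
    """Parse one descriptor from the front of buf, rejecting oversized or over-flooded ones."""
    if len(buf) < HEADER_LEN:
        raise DescriptorError("short header")
    kind, ttl, hops, length = struct.unpack_from("<BBBI", buf, 16)
    if kind not in DESCRIPTOR_NAMES:
        raise DescriptorError(f"unknown descriptor type 0x{kind:02x}")
    if length > MAX_PAYLOAD:
        raise DescriptorError(f"payload length {length} exceeds policy limit")
    if ttl + hops > MAX_TTL_PLUS_HOPS:
        # TTL + hops is the TTL the sender started with; a large value asks the
        # network to flood the descriptor wider than policy allows.
        raise DescriptorError(f"TTL {ttl} + hops {hops} exceeds {MAX_TTL_PLUS_HOPS}")
    if len(buf) < HEADER_LEN + length:
        raise DescriptorError("truncated payload")
    return {
        "id": buf[:16].hex(),
        "type": DESCRIPTOR_NAMES[kind],
        "ttl": ttl,
        "hops": hops,
        "payload": buf[HEADER_LEN:HEADER_LEN + length],
        "consumed": HEADER_LEN + length,
    }


def decode_pong(payload):
    """Decode a Pong payload: port, IP address, shared file count, shared kilobytes."""
    if len(payload) != 14:
        raise DescriptorError("Pong payload must be 14 bytes")
    port, ip, files, kbytes = struct.unpack("<H4sII", payload)
    return {"port": port, "ip": ".".join(str(b) for b in ip), "files": files, "kbytes": kbytes}


def parse_stream(buf):
    """Walk a byte stream of descriptors; stop at the first rejected one (no safe resync)."""
    out, offset = [], 0
    while offset < len(buf):
        try:
            desc = parse_descriptor(buf[offset:])
        except DescriptorError as exc:
            out.append({"error": str(exc)})
            break
        out.append(desc)
        offset += desc["consumed"]
    return out


# Constructed sample: a Ping, a Pong, then a Query whose TTL + hops is too large.
SAMPLE_STREAM = (
    build_descriptor(0x00, 7, 0)
    + build_descriptor(0x01, 6, 1, struct.pack("<H4sII", 6346, bytes([10, 0, 0, 5]), 3, 1024))
    + build_descriptor(0x80, 7, 3, b"\x00\x00" + b"linux iso\x00")
)

if __name__ == "__main__":
    for entry in parse_stream(SAMPLE_STREAM):
        print(entry)
```

The stream stops at the first rejected descriptor rather than skipping it, because the header carries no framing marker that would let a parser resynchronise reliably after a bad length field; dropping the connection is the safer choice for a peer under flood.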

Traffic in a Gnutella hybrid peer to peer network can be examined from different aspects, such as the distribution of packet arrivals per time unit, the interval between packet arrivals and the distribution of packet size. If the number of packets exceeds the threshold value, network resources will be saturated, because the nodes (servants) in a Gnutella hybrid peer to peer network leave or join the network at any time [18,20,4]. As a result these nodes will be exposed to DDoS attacks, and such behaviors should be detected and prevented. In order to prevent, detect, counter and stop these attacks, security should be recognized and created over the network [19].

Figure 1 Gnutella P2P Decentralized Model

Some of the noticeable factors in the vulnerability of the Gnutella hybrid P2P network are the flooding created when multiple messages (packets) are sent at the same time over the network without knowing the exact destinations, and the decentralized nature of the Gnutella network [24].

The main strategy to resolve the security vulnerability problem in peer to peer networks is to use an intrusion detection system. By employing IDS at different layers in the network, it is possible to detect suspicious behaviour and potential attacks in Gnutella hybrid P2P networks. These security breaches can be overcome by firstly preventing … apply and implement intrusion detection systems in the network to detect intrusions. As these networks are continuously changing, with different topologies inside the network, the strategies to detect intrusions are also changing gradually; it therefore becomes essential that the IDS be dynamic in nature to meet the ever changing demands of the security constraints over time [32].

The possibilities of attacks are enormous in P2P networks. Some of the most common attacks are [4]:

1. Rational attacks
2. File poisoning
3. Sybil attacks
4. Eclipse attacks
5. DDoS

This paper will focus on DDoS attacks. A denial-of-service attack is an attack on a computer or a network that causes the loss of a service [4]. There exist many forms or methods to perpetrate a DoS attack. In the case of P2P networks, the most common form of a DoS attack is an attempt to flood the network with bogus packets, thereby preventing legitimate network traffic. Another method is to drown the victim in demanding computation so that it is too busy to answer any other queries. DoS attacks are far more efficient if multiple hosts are involved in the attack; we then speak of a DDoS attack (distributed denial-of-service) [14, 41].

In a DDoS attack, the attacking computers are often personal computers with broadband connections that have been compromised by a virus or Trojan. The perpetrator can then remotely control these machines (known as zombies or slaves) and direct an attack at any host or network. Finally, a DDoS attack can be even further amplified by using uncompromised hosts as amplifiers. The zombies … … answering packets to the victim. This is known as a reflection attack [41]. These types of attacks can be managed in Gnutella networks. As a DDoS attack involves a large number of distributed machines, the development of defensive nodes would be effective in discovering DDoS attacks [19,25].

DDoS attacks take advantage of hosts on the Internet with poor security. The perpetrators break into such hosts, install slave programs, and at the right time instruct thousands of these slave programs to attack a particular target. Since this attack does not exploit a security problem at the target, no mechanism currently exists to defend against such an attack. Collaborative discovery requires that heterogeneous nodes adhere to it, and it guarantees high scalability and security against attacks.

Figure 2 Structure of DDoS Attack

Considering the features of distributed systems and examining the different mechanisms of the human immune system, we can reveal some similarities between these two seemingly different contexts. These similarities, inspired by the human immune system, are used to identify intrusions effectively in distributed systems [7,10,16]. The proposed IDS uses an artificial immune system to define different algorithms. The proposed model defines its operations at several levels with heterogeneous functions of peers.

This paper addresses some of the human immune properties more concretely and emphasizes the innate and adaptive systems framework in the proposed networks. The rest of this paper is organized as follows. Section 2 describes intrusion detection systems in detail in the context of the paper. Section 3 briefly introduces the human immune system. Section 4 explores the process of the suggested IDS and discusses artificial immune algorithms. Section 5 presents a brief analysis of the results and details of the datasets used for performing the analysis. Finally, in Section 6, the paper is concluded with a discussion of the proposed intrusion detection system and artificial immune system.

RELATED WORK

Distributed Denial of Service (DDoS) attacks are a large and increasing threat to the Internet community. The need to protect against and mitigate the effects of DDoS attacks has been recognized by both the commercial and research worlds for some years. There has been much work done on detecting attackers and isolating attack streams. The majority of research examining attacks focuses on just one system, but …

A recent study [42] observed 12,805 attacks on more than 5,000 distinct Internet hosts in more than 2,000 distinct DNS domains over a three week period. Most attacks are short, with 90% lasting less than an hour. A DDoS attack response must be quick; much quicker than picking up the phone and calling system administrators … autonomous systems. DD-police protects the Gnutella peer to peer network against DoS … … model. In a peer to peer network with its highly dynamic nature, nodes leave and join … 15].

In the context of exploiting the features of the human immune system for the security of computer networks, Forrest performed the first research to discriminate between self and non-self in a network artificial immune system. Then Hofmeyr designed an artificial immune system called ARTIS. This system is not very efficient because collaboration and information exchange among nodes is not considered and intrusion detection is done separately on each computer.

LISYS is one of the first architectures for artificial immune systems that is designed for a simple local network and can learn network traffic and identify anomalous traffic. This system detects seven common network attacks with fewer than 100 detectors, and the length of a detector is 49 bits [30,36].

The purpose of the Cfengine system is to automatically configure a large number of systems on heterogeneous nodes. Furthermore, as long as a new discordance does not happen, the intrusion detection system is passive. In order to increase scalability, the Cfengine intrusion detection system updates the average of system efficiency, the number of input and output connections of each service and packet characteristics [5,6,13]. Results of Cfengine show that the danger signal potentially affects the false positive rate and also that memory detectors improve the detection rate.

IMMUNE SYSTEM

The immune system is a network of cells, tissues, and organs that work together to … (germs), tiny infection-causing organisms such as bacteria, viruses, parasites, and fungi. Because the human body provides an ideal environment for many microbes, they t… to seek out and destroy them. The immune system is amazingly complex. It can recognize and remember millions of different enemies, and it can produce secretions and cells to match up with and wipe out each one of them [37].

The cells and molecules that are responsible for immunity form the immune system, and their comprehensive and coordinated reply against foreign materials is called the immune response.

There are two major branches of the immune system:

1. Innate immune systems
2. Adaptive immune systems

Innate Immune Systems:

The innate immune system is an unchanging mechanism that detects and destroys certain invading organisms [11]. These systems form the first line of defense against microbes and consist of cellular and biochemical defensive mechanisms that exist even before infection and are ready to respond to infections quickly. This mechanism has an almost equal response against repeated infections. Innate immunity mechanisms are specific to structures that are common among related microbes, and they may not distinguish the small differences of non-self.

Adaptive Immune Systems:

The adaptive immune system responds to previously unknown foreign cells and builds a response to them that can remain in the body over a long period of time. This remarkable information-processing biological system has caught the attention of computer science in recent years [11]. These systems are stimulated after exposure to a microorganism. Their defensive power increases after each encounter with a particular microbe. These systems evolve in response, and in proportion, to infections. Apparent features of adaptive immune systems are: a strong response to definite molecules, the ability to remember, and a stronger response to repeated encounters with a particular kind of microbe [1,24].

The adaptive immune system identifies and responds to a large number of microbial and non-microbial substances. In addition, it has a great capacity for distinguishing between different microbes and macromolecules, even those with very close structures. Foreign substances that induce specific immune responses are the target for such responses and are called antigens. Adaptive immune systems are further subdivided into humoral immunity and cellular immunity, also known as cell-mediated immunity.

ARTIFICIAL IMMUNE SYSTEM

                                                                                           

… that the immune system maintains a network of interconnected B-cells. De Castro and Timmis define artificial immune systems (AIS) to be adaptive systems, inspired by theoretical immunology and observed immune functions, principles and models, which are applied to problem solving. They are systems developed using the human immune system as inspiration, rather than creating a comprehensive model, in an attempt to capture some or all of the features it provides. In most instances, however, only a few principles from immunology are used.

Table 1. Mapping of the human immune system to the Gnutella peer to peer network

Gnutella peer to peer network     Human immune system
Intrusion detection system        Bone marrow and thymus
Leaf peer                         Primary lymphoid organs
Ultra Peer                        Secondary lymphoid organs
Detector                          Antibody
Intrusion                         Antigen
Normal traffic                    Self
Abnormal traffic                  Non-self

APPARENT FEATURES OF ADAPTIVE IMMUNITY RESPONSES

There are many features of the immune system, including variety, adaptation, immunological memory and protection against auto-immune attacks. The following section will explain these features in detail and show how they can be modeled in … systems and then used to solve real-world problems. Some of the typical problems amenable to being solved by artificial immune systems are security vulnerability issues in P2P networks using IDS systems and data mining issues using collaborative filtering and clustering [11]. All humoral and cellular immune responses against foreign antigens have some basic features that characterize the lymphocytes which create the response [1,8,28].

Generally, the features of the human immune system that are applied in the proposed system are as follows:

Variety:

The total number of lymphocyte antigenic specificities in a person, called the lymphocyte repertoire, is very large. This feature of the lymphocyte repertoire is called variety, and it is the outcome of diversity in the structures of the antigen-binding areas of lymphocyte antigenic receptors. In other words, the various lymphocyte clones differ from each other in the structure of their antigenic receptors and consequently in their antigenic specificity. So the produced repertoire has a lot of variety.

In the proposed system, when an attack template is detected, it is forwarded to all connected Ultra Peers in the network. Then the proposed genetic algorithm is applied to optimize the attack template. The proposed algorithm is then applied to all detected templates, which are collectively known as the attack dataset, and the whole process is called variety.

Immunological Memory:

The exposure of an immune system to a foreign antigen increases its ability to respond to the same antigen again. The responses that are created against the second or subsequent exposures to a kind of antigen are called secondary immune responses and usually are faster and stronger than the first immune response against the same kind of antigen. These memory cells have specific features that cause them to operate more effectively, in response to a recurrence of the antigen, than naive lymphocytes that have had no previous exposure to it.

Contraction and Homeostasis:

After stimulation by an antigen, all natural immune responses decrease as time progresses. Therefore the immune system returns to a resting state, and this trend is called constancy or homeostasis. The removal of the stimulus causes the death of lymphocytes by means of apoptosis. If the same mechanism is applied in P2P networks, then after detecting the attack, Leaf Peers go into suspended mode until the network becomes stable, called the repose state.

Major Histocompatibility Complex (MHC)

The major activities of T lymphocytes consist of defense against intracellular microbes and activation of other cells such as macrophages and B lymphocytes. The recognition of a transplant as self or non-self is a genetic feature. Those genes that are in charge of recognizing transplanted tissues as self or non-self are called histocompatibility genes, and they differ between people. All MHC molecules have some specific and common features that are of great importance in the presentation of antigen and its recognition by T lymphocytes. In the proposed system, the negative selection algorithm for the training phase running on all Leaf Peers also uses the same MHC properties of the human immune system.

PROPOSED INTRUSION DETECTION SYSTEM

The proposed IDS consists of a combination of different algorithms used to investigate security breaches in Gnutella hybrid P2P networks. It uses both anomaly-based and signature-based intrusion detection techniques in combination with an artificial immune system to detect different attack templates.

INTRUSION DETECTION SYSTEM

Amongst worm defense mechanisms, intrusion detection systems (IDS) are the most widely deployed techniques; they utilize the self-duplicating, repetitive nature of computer worms to detect the patterns and signatures of this malicious code in network traffic. Some of the IDS functionalities are:

1. Monitoring and analyzing both user and system activity
2. Analyzing system configurations and vulnerabilities
3. Assessing system and file integrity
4. Ability to recognize patterns typical of attacks
5. Analysis of abnormal activity patterns
6. Tracking user policy violations

Based on the parameters used for detection, these systems can be broadly divided into signature-based and anomaly-based systems [32].

Signature-based IDS

Signature-based detection is normally used for detecting known attacks. No knowledge of normal traffic is required, but a signature database is needed for this type of detection system. For worm detection, this type of system does not care how a worm finds the target, how it propagates itself or what transmission scheme it uses. The system looks at the payload and identifies whether or not it contains a worm.

One big challenge of signature-based IDS is that every signature requires an entry in the database, so a complete database might contain hundreds or even thousands of entries. Each packet is to be compared with all the entries in the database. This can be very resource-consuming, slowing down the throughput and making the IDS vulnerable to DoS attacks. Some IDS evasion tools use this vulnerability and flood signature-based IDS systems with so many packets that the IDS cannot keep up with the traffic, making the IDS time out and drop packets and, as a result, possibly miss attacks [23]. Further, this type of IDS is still vulnerable to unknown attacks, as it relies on the signatures currently in the database to detect attacks.

Anomaly-based IDS

Anomaly-based systems detect abnormal behaviors and generate alarms based on abnormal patterns in network traffic or application behavior. Typical anomalous behaviors that may be captured include 1) misuse of network protocols, such as overlapped IP fragments and running a standard protocol on a stealthy port; 2) uncharacteristic traffic patterns, such as more UDP packets compared to TCP ones; and 3) suspicious patterns in application payloads.

The biggest challenges of anomaly-based detection systems are defining what normal network behavior is, deciding the threshold to trigger the alarm, and preventing false alarms. The users of the network are normally human, and people are hard to predict. If the normal model is not defined carefully, there will be lots of false alarms and the detection system will suffer from degraded performance.
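The two detection styles just described, and the packet-rate threshold introduced earlier for Gnutella traffic (packet arrivals per time unit), can be run side by side over one traffic log. The block below is an added example and not the paper's code: the log lines are constructed (the burst from 10.0.0.7 models a flood), the two entries in the signature list are constructed examples of the protocol-misuse category (a Ping must carry no payload under the Gnutella 0.4 specification; the empty-Query rule is invented for the example), and the one-second window with a 30-descriptor threshold is an assumed policy, not a value from the paper.

```python
"""Signature-based and anomaly-based detection side by side over a small
Gnutella traffic log.

Added example, not the paper's code.  The log lines, the signature list and
the window/threshold values are constructed assumptions."""
from collections import defaultdict, deque

# Constructed sample log: ts \t source \t descriptor \t bytes \t payload text.
# The burst from 10.0.0.7 models the flooding behaviour the text describes.
SAMPLE_LOG = "\n".join([
    "0.00\t10.0.0.2\tQuery\t38\tlinux iso",
    "0.40\t10.0.0.3\tPing\t23\t",
    "0.45\t10.0.0.3\tPong\t37\t",
    "0.50\t10.0.0.9\tPing\t31\tGARBAGE",    # a Ping must carry no payload
    "0.70\t10.0.0.4\tQuery\t25\t",          # a Query with no search string
    "1.00\t10.0.0.2\tQueryHit\t120\t",
] + [f"{1.1 + i * 0.01:.2f}\t10.0.0.7\tQuery\t26\ta" for i in range(60)])

# Signature database: (name, descriptor type, predicate on the parsed record).
SIGNATURES = [
    ("ping-with-payload", "Ping", lambda r: r["bytes"] > 23),   # header is 23 bytes, Ping payload is empty
    ("empty-query", "Query", lambda r: r["payload"] == ""),     # constructed signature
]


def parse_log(text):
    """Turn the tab-separated log into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, kind, size, payload = line.split("\t", 4)
        records.append({"ts": float(ts), "src": src, "descriptor": kind,
                        "bytes": int(size), "payload": payload})
    return records


def detect(records, window=1.0, threshold=30):
    """Signature matches fire per record; the anomaly rule fires once per source
    when it sends more than `threshold` descriptors inside `window` seconds."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for r in records:
        for name, kind, test in SIGNATURES:
            if r["descriptor"] == kind and test(r):
                alerts.append({"ts": r["ts"], "src": r["src"], "kind": "signature", "detail": name})
        q = recent[r["src"]]                  # sliding window of arrival times per source
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and r["src"] not in flagged:
            flagged.add(r["src"])             # alert once, not on every further packet
            alerts.append({"ts": r["ts"], "src": r["src"], "kind": "anomaly",
                           "detail": f"{len(q)} descriptors within {window}s"})
    return alerts


def run_detection(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The signature rules need no model of normal traffic and fire on the first matching packet; the rate rule knows nothing about payloads and only fires once a source's behaviour departs from the assumed normal envelope, which is why the two are combined rather than chosen between. Raising the threshold to 100 in the run leaves only the two signature alerts, illustrating how the anomaly side's sensitivity is entirely a property of the chosen threshold.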

Proposed IDS System

The proposed IDS will be located in all Leaf Peers in the Gnutella hybrid P2P network; the system detects and announces the existence of an attack or presence of intrusions to other Ultra Peers by means of a distributed Ultra Peer warning. Consequently the stated system discovers network intrusions by cooperation between Leaf Peers and Ultra Peers. To explain the working of the proposed system, it will be explored from four different aspects:

1. IDS Detection Method
2. IDS Detection Activities
3. IDS Detection Network
4. IDS Detection Frequency

IDS Detection Method

Intrusion detection distinguishes between behavior-based detection, also known as anomaly-based, and knowledge-based detection, often known as signature-based. To detect intrusions, artificial immune system algorithms such as negative selection and clonal selection will be used to achieve the desired objectives. In this way, new and unknown attacks are detected. Anomalous traffic and normal traffic are distinguished using danger theory.

The proposed system is designed by combining the two techniques. In the training phase, anomaly-based intrusion detection will be used to detect abnormal behaviors, while in the testing phase signature-based intrusion detection will be used to actually detect the intrusions.
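The negative selection algorithm named here (and in the MHC paragraph above, where it runs on the Leaf Peers during training) and the immunological memory feature described earlier can be shown together in one small implementation. This is an added example, not the paper's code: traffic is reduced to an assumed 8-bit feature (3 bits of descriptor type, 5 bits of per-peer message rate), detectors use r-contiguous-bit matching with an assumed r = 4, the normal (self) traffic set is constructed, and candidate detectors are enumerated exhaustively rather than generated at random so the outcome is reproducible. Training censors every candidate that matches any self pattern; in testing, a detector that fires marks the sample as non-self and is promoted to the memory set, which is checked first on the next sighting (the secondary response, and the "new generation added to the detector dataset" in the referee's summary). The example also shows a sample the repertoire cannot cover: a non-self pattern every r-bit window of which also occurs in self, the "hole" limitation of negative selection that contributes to false negatives.

```python
"""Negative selection with r-contiguous-bit matching plus memory detectors:
a training phase that censors every detector matching normal (self) traffic,
and a testing phase in which any surviving detector that fires marks the
traffic as non-self and is promoted to the memory set.

Added example, not the paper's code.  The 8-bit feature encoding, the self
set, r = 4 and the exhaustive candidate generation (used instead of random
generation so the result is reproducible) are assumptions; the traffic
samples are constructed."""
from itertools import product

TYPE_CODE = {"Ping": 0, "Pong": 1, "Query": 2, "QueryHit": 3, "Push": 4}
BITS = 8     # 3 bits of descriptor type + 5 bits of per-peer rate bucket
R = 4        # detector and sample must agree on R consecutive bits to match


def encode(sample):
    """Encode (descriptor type, messages per second from one peer) as 8 bits."""
    kind, rate = sample
    return f"{TYPE_CODE[kind]:03b}{min(int(rate), 31):05b}"


def r_contiguous_match(a, b, r=R):
    """True if bit strings a and b agree on at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


class NegativeSelectionIDS:
    def __init__(self):
        self.self_set, self.detectors, self.memory = set(), [], []

    def train(self, normal_samples):
        """Training phase: keep only candidates that match no self pattern."""
        self.self_set = {encode(s) for s in normal_samples}
        candidates = ("".join(bits) for bits in product("01", repeat=BITS))
        self.detectors = [c for c in candidates
                          if not any(r_contiguous_match(c, s) for s in self.self_set)]

    def classify(self, sample):
        """Testing phase: memory detectors first (secondary response), then the
        full repertoire.  Returns (label, which detector set fired)."""
        code = encode(sample)
        for d in self.memory:
            if r_contiguous_match(code, d):
                return "nonself", "memory"
        for d in self.detectors:
            if r_contiguous_match(code, d):
                self.memory.append(d)      # a new generation joins the detector dataset
                return "nonself", "repertoire"
        return "self", None


# Constructed normal traffic: low per-peer rates for every descriptor type.
NORMAL_TRAFFIC = [(kind, rate) for kind, top in
                  [("Ping", 2), ("Pong", 2), ("Query", 3), ("QueryHit", 3), ("Push", 1)]
                  for rate in range(top + 1)]


def demo():
    ids = NegativeSelectionIDS()
    ids.train(NORMAL_TRAFFIC)
    flood = ("Query", 31)
    return {
        "detectors": len(ids.detectors),
        "first_sighting": ids.classify(flood),    # found by the repertoire
        "second_sighting": ids.classify(flood),   # answered from memory
        "ping_flood": ids.classify(("Ping", 20)),
        # Every 4-bit window of ("Push", 3) = 10000011 also occurs, at the same
        # positions, in some self pattern, so no surviving detector can cover it.
        "hole": ids.classify(("Push", 3)),
    }


if __name__ == "__main__":
    print(demo())
```

Because detectors are censored against self during training, a self sample can never be flagged, so the false-positive rate of this stage is governed entirely by how completely the self set describes normal traffic; the hole case shows the complementary cost, a non-self pattern that a larger or differently shaped detector set (or a different r) would be needed to cover.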

IDS Detection Activities

When network resources become saturated in a short time and an attack is predicted, the node (Leaf Peer or Ultra Peer) in the suggested intrusion detection system warns its Ultra Peers to prepare for the attack, so that the surrounding Ultra Peers become aware of the possible attack. Invaded peers are suspended, since they are not resistant to the attack, and in this way they are protected to some extent. The system therefore takes an active attitude, detecting and announcing new Leaf Peer and Ultra Peer behaviours.

IDS Detection Network

Intrusion detection systems can be divided into groups according to where in the network the detection is performed. In Gnutella hybrid P2P networks IDS fall into two main categories, network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS). A NIDS examines the traffic of the network segment that passes through it. Since an Ultra Peer in a Gnutella hybrid peer-to-peer network plays the role of a gateway, it is the Ultra Peer that distinguishes anomalous traffic from normal traffic; after identifying and proving an attack, the Ultra Peer sends the attack strategy to the other Ultra Peers.

A HIDS runs on individual nodes and collects network traffic information there. This information is analysed separately on each node and the results are used to immunize that node's activities. Because the proposed intrusion detection system is located on every Leaf Peer, it operates in a distributed way, and the results it generates inform the other nodes of the Gnutella hybrid peer-to-peer network of the existence of attacker nodes.

Detection Frequency

Leaf Peers perform intrusion detection continuously while Ultra Peers would be


Figure 3 Taxonomy of proposed intrusion detection system

METHODOLOGY OF PROPOSED INTRUSION DETECTION SYSTEM

The proposed system uses several functions to detect intrusions, in particular the DDoS attack that is the main focus of this paper. Each peer performs more than one function; raising an alarm, for example, follows a process that requires the functions described below:

Creation of Template:

A Leaf Peer records templates of the messages it receives within a short time span. If the volume of messages received in that time span exceeds the specified threshold value, a new template is formed containing the source IP address, the (local) destination IP address and the time interval between Gnutella packets, and it is sent as the template of a possible attack; otherwise the produced template is put aside.

Sending & Receiving of Attack Template

After the Leaf Peer has formed a possible-attack template, the other peers in the network are informed of the possible attack. The Leaf Peer first announces the possible attack by sending a Stress message to its Ultra Peers; if an Ultra Peer returns a Stress Reply message, the Leaf Peer sends the possible-attack template to that Ultra Peer in a Template message.

Identification of Attack Based on Received Template

After receiving the possible-attack template in a Template message, the Ultra Peer compares the received template with the templates of known attacks in its dataset. A conformity of 30 percent is taken to show that an attack has happened.

Sending Attack Template to Other Ultra Peers

When an attack is diagnosed and confirmed the Ultra Peer sends the attack template

to other Ultra Peers, so that they would be informed of the occurrence of the attack

and they should increase their detection rate.

Classification of Attack Type

Once an attack has been confirmed, the next step is to classify the traffic as anomalous or normal. The rule adopted is that a peer which sends numerous Gnutella messages in definite time intervals and saturates bandwidth is considered to be sending attack (anomalous) traffic. Classification is a two-step process: in the first step, Leaf Peers distinguish normal traffic from possibly abnormal traffic, a process called self/nonself discrimination [17]; in the second step, Ultra Peers distinguish between possibly normal traffic and abnormal traffic by applying danger theory [13,21].

Threshold Value Limit

If the number of messages sent exceeds the bandwidth-occupancy threshold value and an attack has also been announced, sending and receiving messages to and from the Ultra Peer can be stopped and the rate of sent messages reduced by suitable measures. Invaded peers are suspended, since they are not resistant to the attack, and are thereby protected to some extent: they accept only high-priority packets sent by the surrounding Ultra Peers.

Development of new generation of detector (Genetic algorithm)

The templates that conform most closely to known attacks are the ones most likely to recur in the near future, and these templates are used in the selection phase of the genetic algorithm. A ranking method is used: detectors are ranked by their number of conformities, and templates are then selected according to rank-based fitness.

A competitive (tournament) method is used to select the best attack templates: a small subset of attack templates is chosen at random and its members compete, and one of them is chosen according to affinity level [22]. After the best templates (those with the most conformities) have been selected, the crossover operator combines them to produce new, and ideally better, templates. After crossover, mutation changes individual bits (a zero to a one). These operators are applied to the lymphocyte repertoire to preserve diversity among the attack templates.
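The detector-evolution step described above (rank-based fitness, tournament selection, crossover and bit-flip mutation over attack templates), written out as an added Python example; it is not the paper's implementation. The template length, the tournament size and the conformity counts passed in by the caller are assumptions made for the example; the default crossover rate of 0.6 and mutation rate of 0.005 are values the paper's evaluation uses.

```python
"""Detector evolution step of the proposed IDS: rank-based fitness, tournament
selection, one/two-point crossover and bit-flip mutation over attack templates.
Added example, not the paper's implementation. Templates are bit strings;
'conformity' is the per-template match count supplied by the caller."""
import random

TEMPLATE_BITS = 16  # assumed template length in bits


def rank_fitness(population, conformity):
    """Rank-based fitness: sort templates by conformity count; the worst gets
    rank 1 and the best rank len(population)."""
    order = sorted(population, key=lambda t: conformity[t])
    return {t: rank for rank, t in enumerate(order, start=1)}


def tournament_select(population, fitness, k, rng):
    """Competitive selection: a random subset of k templates competes and the
    fittest of them is chosen."""
    return max(rng.sample(population, k), key=lambda t: fitness[t])


def one_point_crossover(a, b, rng=None):
    rng = rng or random.Random(0)
    cut = rng.randrange(1, len(a))
    return a[:cut] + b[cut:], b[:cut] + a[cut:]


def two_point_crossover(a, b, rng=None):
    rng = rng or random.Random(0)
    i, j = sorted(rng.sample(range(1, len(a)), 2))
    return a[:i] + b[i:j] + a[j:], b[:i] + a[i:j] + b[j:]


def mutate(template, rate, rng=None):
    """Flip each bit independently with probability `rate`."""
    rng = rng or random.Random(0)
    return "".join(("1" if bit == "0" else "0") if rng.random() < rate else bit
                   for bit in template)


def next_generation(population, conformity, *, crossover_rate=0.6,
                    mutation_rate=0.005, tournament_k=3, two_point=True, seed=0):
    """Produce one new generation of attack templates of the same size."""
    rng = random.Random(seed)
    fitness = rank_fitness(population, conformity)
    cross = two_point_crossover if two_point else one_point_crossover
    children = []
    while len(children) < len(population):
        p1 = tournament_select(population, fitness, tournament_k, rng)
        p2 = tournament_select(population, fitness, tournament_k, rng)
        if rng.random() < crossover_rate:
            c1, c2 = cross(p1, p2, rng)
        else:
            c1, c2 = p1, p2
        children.append(mutate(c1, mutation_rate, rng))
        children.append(mutate(c2, mutation_rate, rng))
    return children[:len(population)]


if __name__ == "__main__":
    rng = random.Random(42)
    pop = ["".join(rng.choice("01") for _ in range(TEMPLATE_BITS)) for _ in range(10)]
    conf = {t: t.count("1") for t in pop}   # constructed stand-in for conformity counts
    print(next_generation(pop, conf))
```

With crossover and mutation switched off and a tournament as large as the population, every child is the top-ranked template, which makes the selection pressure of the rank-based scheme visible before the variation operators are added.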

ARTIFICIAL IMMUNE ALGORITHM

Because the human immune system works actively and in a distributed manner, artificial immune system algorithms are used extensively in the proposed system. The major features of the human immune system, and how it reacts against intrusions, are inspected for use in intrusion detection [14,28] and applied in the Gnutella hybrid P2P network to confront DDoS attacks. In the proposed IDS the negative selection algorithm is used in the training phase, and it functions as follows:

Negative Selection Algorithm

Gnutella network packets are captured with the tcpdump monitoring tool [3] while the gtk-gnutella file-sharing software [2] generates normal traffic. These packets form the self dataset. Some immature detectors are then produced by a random Gaussian function, and each is compared with the self dataset: any detector that does not match the self dataset is kept as a mature detector, while those that do match are dropped. At this stage the number of detectors is investigated: as the number increases, detection accuracy goes up, but so does the computational load [9,12].

Figure 4 Negative Selection Algorithm

After receiving each Gnutella packet, the Leaf Peer adds the source IP address, the local destination IP address and the average time interval between two consecutive packets to the template. It then examines how much bandwidth is occupied. If the occupancy does not reach the default threshold, the template is discarded and a new template is started.

Otherwise, the possibility of an attack is announced to the connected Ultra Peers. After confirming that each Ultra Peer exists, the Leaf Peer sends the possible-attack template to each of them. At this stage the Leaf Peer has announced the possibility of an attack and has distinguished abnormal traffic from normal traffic. The Leaf Peer is then suspended for a definite time span, during which it does not accept any packet or message; when the time span ends, it returns to its initial state.

An Ultra Peer that receives the announcement of a possible attack confirms its existence to the Leaf Peer and, after receiving the possible-attack template, compares it with the nonself (detector) dataset. If the template conforms to a detector, the Ultra Peer broadcasts it to the other Ultra Peers as a detector, creates the conformed detectors once again and increases their affinity; if no detector conforms, the Ultra Peer changes its main structure.

Figure 4 (negative selection algorithm):

Use gtk-gnutella file sharing to produce Gnutella normal traffic
Use tcpdump monitoring tools to capture packets
Gnd: Gnutella normal dataset (self dataset)
Gad: Gnutella detector dataset (nonself)
Dth: threshold on the number of detectors
1: while number of d less than Dth
2: generate d with uniform Gaussian random function
3: if Gnd contains d then
4: drop d
5: else
6: d insert into Gad
7: end if
8: end while

According to the number of conformities, a detector's state changes from the mature stage to the active stage and then to the memory stage; for each stage the detector type and useful lifetime are inspected. Since each kind of detector has a definite lifetime, detectors whose lifetime has ended are deleted from the detector dataset.

A genetic algorithm is used to improve the detectors in the proposed system. It also introduces variety among the nonself templates in the active stage: following the clonal selection algorithm, cells that identify a detector grow, and cells that are unable to identify a detector die.

Because Leaf Peers and Ultra Peers operate in a collaborative and parallel manner, the functions of each in the test phase are inspected separately.

Figure 5 Leaf Peer Functions (Test Phase)

Gp: Gnutella packet
BWd: percentage of Leaf Peer bandwidth depletion
BWth: threshold of Leaf Peer bandwidth depletion
01: while peer is in active mode
02: build template T from received Gp
03: if BWd > BWth then
04: forward msg-stress along connected Ultra Peers
05: else
06: drop T
07: end if
08: if received msg-stressreply then
09: forward T to certain Ultra Peers
10: stand in suspend mode for time span
11: end if
12: end while

Figure 6 Ultra Peer Function (Test Phase)

DDOS ATTACK ANALYSIS

Distributed DoS (DDoS) attacks are a flooding attack of many attacking hosts (agents)

with distributed and coordinated control. Figure 2 shows the structure of a DDoS

attack; one or more attackers control handlers and each handler controls multiple

agents. Handlers and agents are extra layers introduced to increase the rate of

packet traffic as well as to hide the attackers from view. Each agent can choose the

size and type of packets as well as the duration of flooding. While the victim may be

able to identify some agents and have them taken off-line, the attacker can monitor

the effects of the attack and create new agents accordingly [35].

A discrete event simulator is used to simulate Gnutella peer-to-peer file sharing. GnutellaSim, which is suited to Gnutella networks, is installed on PDNS and ns-2.27. To evaluate the suggested system, the gtk-gnutella 0.96.8-2 file-sharing client [2] and tcpdump 4.1.1 [3] are used to generate and record Gnutella traffic.

Simulation Preliminaries

One challenge in intrusion detection is finding good datasets for experiments and testing. Our objective was to control the dataset, so we collected data from an internal, restricted Gnutella peer-to-peer network. In this environment we understand all of the connections and can limit DDoS attacks. An ISA Server firewall is installed at the entrance of the network, so external connections must pass through the firewall. The dataset used for the experiments and analysis consists of Gnutella peer-to-peer network traffic. The proposed scenario includes 23 peers, divided into 5 Ultra Peers and 18 Leaf Peers.

Figure 6 (Ultra Peer function, test phase):

Ta: template of attack
Tc: number of conformities with Ta
Tttl: time to live of every detector
01: while Ultra Peer is in active mode
02: receive Gp
03: if Gp.Type is msg_stress then
04: forward msg_stressreply along Leaf Peer
05: end if
06: Ta = template received from Leaf Peer
07: if Gad contains Ta then
08: increment Tc
09: set Tttl to zero
10: update Gad with Ta
11: forward Ta along every Ultra Peer in network
12: run GA algorithm on Gad
13: end if
14: end while
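The Leaf Peer / Ultra Peer exchange of Figures 5 and 6 (msg_stress, msg_stressreply, Template message, conformity count Tc, suspension of the reporting Leaf Peer) as an added Python example; it is not the paper's implementation. Assumptions made here: conformity between two templates is the fraction of equal fields, with the inter-packet gap bucketed to 10 ms; the suspend span of 30 s is chosen for the example; the activation threshold of 6 and the 30 percent conformity rule are the paper's values, but note that with a three-field template 30 percent is satisfied by a single agreeing field, so CONFORMITY is left as a parameter a deployment would tighten. The packet traces used below are constructed.

```python
"""Leaf Peer / Ultra Peer exchange of Figures 5 and 6 (added example, not the
paper's implementation). Message names follow the figures; template fields
follow the 'Creation of Template' step. Conformity between two templates is
assumed to be the fraction of equal fields; CONFORMITY, ACTIVATION and
SUSPEND_S are parameters, the first two taken from values the paper quotes."""
import statistics

CONFORMITY = 0.30    # paper's 30 percent conformity rule (one of three fields suffices)
ACTIVATION = 6       # activation threshold evaluated in the paper
SUSPEND_S = 30.0     # assumed suspend span of a Leaf Peer after it reports


def make_template(packets):
    """Template = (source IP, local destination IP, mean inter-packet gap in
    10 ms buckets) for the packets a Leaf Peer saw from one source in a window.
    packets: list of (t_seconds, src_ip, dst_ip)."""
    ts = sorted(t for t, _, _ in packets)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    gap_bucket = round(statistics.fmean(gaps) * 100) if gaps else None
    return (packets[0][1], packets[0][2], gap_bucket)


def conformity(t1, t2):
    """Fraction of template fields that agree."""
    return sum(a == b for a, b in zip(t1, t2)) / len(t1)


class LeafPeer:
    def __init__(self, name, bw_threshold_pct):
        self.name, self.bw_threshold = name, bw_threshold_pct
        self.pending = None          # possible-attack template awaiting msg_stressreply
        self.suspended_until = 0.0

    def on_window(self, now, packets, bw_depleted_pct):
        """Figure 5 lines 02-07: build T; if BWd exceeds BWth send msg_stress,
        otherwise drop T. A suspended peer accepts nothing."""
        if now < self.suspended_until or not packets:
            return None
        template = make_template(packets)
        if bw_depleted_pct > self.bw_threshold:
            self.pending = template
            return {"type": "msg_stress", "from": self.name}
        return None

    def on_message(self, now, msg):
        """Figure 5 lines 08-11: on msg_stressreply forward T and enter suspend mode."""
        if msg["type"] == "msg_stressreply" and self.pending is not None:
            template, self.pending = self.pending, None
            self.suspended_until = now + SUSPEND_S
            return {"type": "template", "from": self.name, "template": template}
        return None


class UltraPeer:
    def __init__(self, name, attack_templates):
        self.name = name
        self.gad = {t: 0 for t in attack_templates}   # detector -> Tc (conformity count)
        self.broadcast = []                            # templates forwarded to other Ultra Peers

    def on_message(self, msg):
        """Figure 6: answer msg_stress with msg_stressreply; compare a received
        template with Gad, count conformities and forward confirmed attacks."""
        if msg["type"] == "msg_stress":
            return {"type": "msg_stressreply", "from": self.name}
        if msg["type"] == "template":
            t = msg["template"]
            best = max(self.gad, key=lambda d: conformity(d, t), default=None)
            if best is not None and conformity(best, t) >= CONFORMITY:
                tc = self.gad.pop(best) + 1   # increment Tc; Tttl would be reset here
                self.gad[t] = tc              # update Gad with the received template
                self.broadcast.append(t)      # forward Ta along every Ultra Peer
                return {"type": "attack", "template": t, "active": tc >= ACTIVATION}
        return None


def run_window(leaf, ultra, now, packets, bw_depleted_pct):
    """Drive one detection window end to end; returns the Ultra Peer verdict or None."""
    stress = leaf.on_window(now, packets, bw_depleted_pct)
    if stress is None:
        return None
    reply = ultra.on_message(stress)
    template_msg = leaf.on_message(now, reply)
    return ultra.on_message(template_msg)
```

A window whose bandwidth depletion stays under the threshold never leaves the Leaf Peer, so the Ultra Peer's dataset is only consulted once the stress exchange has completed; after reporting, the Leaf Peer ignores further windows until its suspend span has elapsed.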

Simulation Results Analysis

Gnutella protocol version 0.6 is used for the simulations. In the IDS, self is defined as the set of normal pairwise TCP/IP connections between Leaf Peers and Ultra Peers, and nonself is the set of connections that are not normally observed on the network, as when enormous numbers of Gnutella packets are transmitted.

The efficiency of proposed system is analyzed based on the following criteria:

Negative Selection Time

Immature detectors are produced by a random Gaussian function and compared with the Gnutella normal dataset. Any detector that does not match a normal-traffic template is added to the list of mature detectors; the output of the training phase is the mature detector dataset. Figure 7 shows negative selection time against the number of detectors. As the number of mature detectors increases, negative selection time increases too, but detection precision improves. Because of the genetic algorithm, the negative selection time compares favourably with the LISYS algorithm.

Figure 7 Production Time of Mature Detector (plot of negative selection time against number of detectors: 0, 25, 35, 45, 55, 75)

Detection Precision

To increase detection precision, false positives must be reduced. This research identifies the parameters that matter most for minimizing false positives and for maximizing the percentage of intrusions detected.

The attack detection percentage is the proportion of discovered attack occurrences to all attack occurrences. $R_{dt}$ denotes the detection rate, $T_d$ is the number of attacks discovered and $T_a$ is the total number of attacks:

$$R_{dt} = \frac{T_d}{T_a} \times 100$$

A false positive is an alarm sent by the intrusion detection system at a time when no attack has happened. $T_p$ is the total number of false positive alarms and $T_a$ the total number of attacks, and the false positive rate $R_{fp}$ is:

$$R_{fp} = \frac{T_p}{T_a} \times 100$$

Note that $R_{fp}$ as defined here is normalized by the number of attacks rather than by the number of normal events, so it is not bounded by 100 percent and is not directly comparable with false positive rates reported per normal connection.

The proposed system is evaluated in terms of the trade-off between detection rate and false positive rate, and the parameter settings that give the best balance between the two are identified.

Number of Detectors

To study the effect of the number of mature detectors on the attack detection percentage and on false positives, the activation threshold is set to 6, the crossover rate to 0.4 and the mutation rate to 0.005. Both quantities are evaluated as the number of detectors changes, for several numbers of conformity bits. As the number of detectors increases, the attack detection percentage goes up, but so does the false positive rate. For every number of conformity bits, 75 detectors gave the most efficient response for detecting attacks; because of the computational load, the number of detectors is usually not very high (the LISYS algorithm uses 100 detectors). Figure 8 shows this.

Fig. 8 Detection with Different Number of Detectors (plot of percentage of detection against number of matching bits, 8 to 18, for 25, 35, 45, 55 and 75 detectors)

Bit Matching Algorithm

Detectors in this IDS are implemented as bit strings whose function is to classify new strings as normal or abnormal by matching them in some way. Perfect matching is rare in the immune system, so a partial matching rule known as r-contiguous bits matching is used. Under this rule, two strings match if they agree in at least r contiguous positions [29,34].

Our observations in Figure 9 show that the immune system is among the best inspirations for intrusion detection. To study the effect of the number of matching bits on the attack detection percentage and on false positives, the activation threshold is set to 6, the crossover rate to 0.6 and the mutation rate to 0.005, and both quantities are evaluated for different numbers of detectors and conformity bits. The number of strings a detector matches increases exponentially as r decreases. For example, 8 conformity bits gives the best attack detection rate but the worst false positive rate. After weighing these factors we use 12 conformity bits, as the LISYS algorithm does.
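Negative selection under the r-contiguous bits rule, serving both the Negative Selection Algorithm section (Figure 4) and the matching rule just described, as an added Python example rather than the paper's code: random immature detectors are censored against a self set of normal templates, the survivors classify new templates with an activation threshold, and a Monte Carlo estimate shows how a detector's coverage grows as r shrinks. Assumptions: 32-bit templates and candidate detectors drawn uniformly at random (the paper uses a Gaussian random function); the self set in the usage at the bottom is constructed.

```python
"""Negative selection with the r-contiguous bits matching rule (added example,
not the paper's code). Random immature detectors are censored against a self
set of normal templates (Figure 4) and the survivors classify new templates.
Assumes 32-bit templates drawn uniformly at random (the paper uses a Gaussian
random function); the self set in the usage at the bottom is constructed."""
import random

TEMPLATE_LEN = 32   # assumed template length in bits


def r_contiguous_match(a, b, r):
    """True if strings a and b agree in at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def random_template(rng):
    return "".join(rng.choice("01") for _ in range(TEMPLATE_LEN))


def generate_detectors(self_set, count, r, seed=0, max_tries=100_000):
    """Figure 4: draw candidate detectors at random; drop any that match a self
    template (it would flag normal traffic); keep the rest as mature detectors."""
    rng = random.Random(seed)
    mature, tries = [], 0
    while len(mature) < count and tries < max_tries:
        tries += 1
        d = random_template(rng)
        if any(r_contiguous_match(d, s, r) for s in self_set):
            continue
        mature.append(d)
    return mature


def classify(template, detectors, r, activation=1):
    """Nonself if at least `activation` detectors match; returns (verdict, hits)."""
    hits = sum(r_contiguous_match(template, d, r) for d in detectors)
    return hits >= activation, hits


def coverage_fraction(detector, r, samples=5000, seed=0):
    """Monte Carlo estimate of the fraction of random templates one detector
    matches: roughly (TEMPLATE_LEN - r + 1) / 2**r, so each bit removed from r
    about doubles coverage, which is why a low r inflates false positives."""
    rng = random.Random(seed)
    hits = sum(r_contiguous_match(detector, random_template(rng), r)
               for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    rng = random.Random(7)
    self_set = [random_template(rng) for _ in range(20)]     # constructed 'normal' templates
    detectors = generate_detectors(self_set, 25, r=12, seed=1)
    print(len(detectors), "mature detectors")
    for r in (8, 12, 16):
        print(r, coverage_fraction(detectors[0], r))
```

Because every mature detector has been checked against the whole self set, a self template can never trigger an alarm at training time; the false positives the paper measures come from normal traffic that was not represented in the self set, which is why the size and realism of the captured normal dataset matter as much as r.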

Figure 9 (A) Evaluation Detection (plot of percentage of detection against number of matching bits, 8 to 18, under r-contiguous bits matching)

Fig. 9 (B) Evaluation False Positive (plot of percentage of false positives, 0 to 20 percent, against number of matching bits, 8 to 18, under r-contiguous bits matching)

Activation Threshold Values

The activation threshold governs a detector's transition between the mature, active and memory states, and is a mechanism designed to reduce false positives. To test our expectations, we studied the effect of changing the activation threshold on the detection and false positive percentages. The appropriate activation threshold is evaluated with 75 detectors, a crossover rate of 0.6 and a mutation rate of 0.005.

The lower the threshold, the sooner a detector enters the active stage, so more generations are produced and more attacks are discovered; at the same time the threshold reduces false positives. Activation thresholds of 6 and 8 give almost the same attack discovery percentage. For 14, 16 and 18 conformity bits an activation threshold of 8 is better, whereas the LISYS algorithm suggests a threshold of 10. Figure 10 illustrates how the number of false positives falls as the activation threshold increases.

Figure 10 (A) Evaluation Detection (plot of percentage of detection against number of matching bits, 8 to 18, for activation thresholds 6, 8 and 10)

Figure 10 (B) Evaluation False Positive (plot of percentage of false positives, 0 to 18 percent, against number of matching bits, 8 to 18, for activation thresholds 6, 8 and 10)

The Gnutella peer-to-peer network has two versions, Gnutella 0.4 and Gnutella 0.6. In a Gnutella 0.6 network, peers with high processing capacity are used as Ultra Peers. Both versions were therefore examined for intrusion detection, with a one-point crossover operator, a two-point crossover operator and no crossover [18,20,27,31]. The simulation results indicate that intrusion detection is best in the Gnutella 0.6 hybrid peer-to-peer network with the two-point crossover operator. As the number of detectors increases, more attacks are discovered. Figure 11 compares the two versions of the Gnutella network under the different crossover operators.

Figure 11 (A) Comparison of attack detection percentage to the number of detectors for Gnutella 0.4 (plot of percentage of detection against number of detectors, 0 to 75, with two-point crossover, one-point crossover and no crossover operator)

Figure 11 (B) Comparison of attack detection percentage to the number of detectors for Gnutella 0.6 (plot of percentage of detection against number of detectors, 0 to 75, with two-point crossover, one-point crossover and no crossover operator)

Delay

Delay is the time between the occurrence of an attack and the reaction of the intrusion detection system to it. In the proposed system the average identification time of an attack is 15 seconds.

CONCLUSION

Since creating security in distributed networks is complicated, obtaining the maximum security and discovering as many attacks as possible requires combining the advantages of several intrusion detection techniques. The proposed system uses both approaches to intrusion detection, anomaly-based and signature-based. Each time an attack is identified, the genetic algorithm creates a new generation that is added to the detector dataset; in this way the templates of new attacks are discovered, which increases the ability and power of the system. As false positives decrease, attack detection precision increases. The proposed IDS uses an artificial immune system to minimize the influence of an attack by identifying it, which ultimately raises functional efficiency to an acceptable level. In addition, the proposed system relies on cooperation between nodes and provides an efficient way of applying the algorithms of artificial immune systems. The simulation results show that the method used has adaptability, scalability, flexibility and variety as well as high accuracy and correctness.

REFERENCES

1. Artificial immune system(AIS): http://www.artificial-immune-system.org

2. gtk-gnutella: http://www.gtk-gnutella.com

3.                                                                                            Swiss Federal

Institute of Technology (ETH) Zurich, 2005

4.                                                                                                          

Architecture Group (SWAG) Department of Computer Science University of Waterloo Ontario N2L 3G1

Canada.

5. U. Aickelin, P. Bentley, S. Cayzer, J. Kim and J. McLeod. "Danger Theory: The Link between

Artificial Immune Systems and Intrusion Detection Systems." Proceedings 2nd International

Conference on Artificial Immune Systems, 2003: 147-155.

6. U. Aickelin and J.Greensmith. "The deterministic dendritic cell algorithm." In Proceeding of the 7th

International Conference on Artificial Immune Systems (ICARIS). , 2008: 291 302.

7. U. Aickelin, J. Greensmith and J. Twycross. "Immune system approaches to intrusion detection - a

review." in Proceeding of the Third International Conference on Artificial Immune Systems. Number

3239 in Lecture Notes in Computer Science, 2004: 316 329.

8. A. Okine, D. Dasgupta and Nii. "Immunity-based systems: A survey." In proceedings of the IEEE

International Conference on Systems, Man, and Cybernetics, 1997: 369-374.

9. P.J Bentley and J. Kim. "Evaluating negative selection in an artificial immune system for network

intrusion detection." Proceedings of GECCO, 2001: 1330   1337.

10. P.J Bentley and J. Kim. "Towards an artificial immune system for network intrusion detection: An

investigation of dynamic clonal selection." In the Congress on Evolutionary Computation (CEC-2001),

Seoul, Korea, 2001: 1244 1252.

11. U. Aickelin and D. Dasgupta. University of Nottingham, Nottingham, 2004.

12. L.J. Cannady and J. Gonzalez. "A self-adaptive negative selection approach for anomaly detection."

In Proceedings of the 2004 Congress of Evolutionary Computation, 2004: 1561-1568.

13. S. Cayzer and U. Aickelin. "Danger theory and its applications to AIS." In Proceedings of the Second International Conference on Artificial Immune Systems (ICARIS-02), 2002: 141-148.

14. R. Chang. "Defending Against Flooding-Based Distributed Denial-of-Service Attacks." IEEE

Communications Magazine, 2001: 42-51.

15. E. Athanasopoulos, K.G. Anagnostakis, and E. Markatos. "Misusing unstructured p2p systems to

perform dos attacks: The network that never forgets." in Proceedings of the 4th International

                                                                 , 2006.

16. F. S. de Paula, L. N. de Castro, and P. L. de Geus. "An intrusion detection system using ideas from

the immune system." In Proceeding of IEEE Congress on Evolutionary Computation (CEC-2004), 2004:

1059-1066.

17. S. Forrest, A. Perelson, S. Allen, L.R. Cherukuri. "Self-Nonself Discrimination in a Computer." in

Proceeding IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, 1994:

202 212.

18. M. Foster, I. Ripeanu. "Mapping the Gnutella network." in Proc. 1st International Workshop on

Peer-to-Peer Systems, Cambridge, MA, 2002: 85-93.

19. G.Oikonomou, P. Reiher, M. Robinson, and J. Mirkovic. "A framework for collaborative DDOS

defense." in Proceedings of the 2006 annual computer security applications conference, 2006: 33-42.

20. M. Garcia, Y.Beverly and Hector. "Designing a super-peer network." In Proceeding of 19th

International Conference on Data Engineering, 2003: 49-61.

21. J. Greensmith, J. Twycross, and U. Aickelin. "Dendritic cells for anomaly detection." In Proceeding

of the Congress on Evolutionary Computation (CEC), 2006: 664 671.

22. J. Guan, D.X. Liu, and B.G. Cui. "An induction learning approach for building intrusion detection

models using genetic algorithms." in Proceedings of Fifth World Congress on Intelligent Control and

Automation WCICA, vol. 5, 2004: 4339-4342.

23. J. B. Raven Alder, Adam Doxtater, James Foster, Toby Kohlenberg, & Michael Rash, "Snort 2.1

Intrusion Detection," 2nd ed. Rockland, MA: Syngress (Distributed by O'Reilly and Associates), 2004.

24. L. Xiao, Y. Liu, and L.M. Ni. "Improving Unstructured Peer-to-Peer Systems by Adaptive Connection

Establishment." IEEE Transactions on Computers, 2005.

25. J. Mirkovic, G. Prier and P. Reihe. "Alliance formation for DDoS defense."                          

                                                                 , 2003: 11-18.

26. Q. Lv, S. Ratnasamy, and S. Shenker. "Can heterogeneity make Gnutella scalable?" In Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS), Cambridge, MA, USA, 2002.

27. S. Stepney, R. Smith, J. Timmis, and A. Tyrrell. "Towards a conceptual framework for artificial

immune systems." In Proceeding of the 3rd International Conference on Artificial Immune Systems

(ICARIS), LNCS 3239, 2004: 53-64.

28.                                                                                    teur), 125C,

pp373-389, 1974

29. S. Singh. "Anomaly detection using negative selection based on the r-contiguous matching rule." in

Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS'-02), 2002: 99-

106.

30. S. Spinellis and D. Androutsellis. "A Survey of Peer-to-Peer Content Distribution Technologies." in

ACM Computing Surveys, vol. 36, 2004: 335-371.

31. Stolfo, W. Lee and J. Salvatore. "A framework for constructing features and models for intrusion

detection systems." ACM Transactions on Information and System Security (TISSEC), vol. 3, 2000: 227-

261.

32. U. Mueen, K. Khowaja, A.R. Azizah. "Dynamic Multi Layer signature based IDS using Mobile

Agents", International Journal of Network Security and its Applications Vol 2. No.4. 2010, 129-141.

33. Z. Ge, D. Figueiredo, S. Jaiswal, J. Kurose, and D. Towsley. "Modeling peer-peer file sharing

systems."                                            , 2003: 2188-2198.

34. F. Forrest and S. Esponda. "Detector coverage under the r-contiguous bits matching rule." 2002

35. Dietrich, S., Long, N., and Dittrich, D. Analyzing distributed denial of service tools: the shaft case. In

Proceedings of USENIX (Dec 2000).

36. E. Meshkova, J. Riihijärvi, M. Petrova and P. Mähönen. "A survey on resource discovery

mechanisms, peer-to-peer and service discovery frameworks." computer networks,Department of

Wireless Networks, RWTH Aachen University, Kackertstrasse 9, D-52072 Aachen, Germany, 2008:

2097 2128.

37.                                                                   tment of Health and Human

Services National Institutes of Health, 2003.

38.                                   -to-                                                      

39.                                                               

40. Gomes. "Gnutella keeps growing and growing" Online. WSJ Interactive Edition,

http://www.zdnet.com/zdnn/stories/news/0,4586,2766234,00.html. May 2001

41. Thomas Dübendorfer, Arno Wagner: Past and Future Internet Disasters: DDoS attacks.

42. Moore, D., Voelker, G. M., and Savage, S. Inferring internet denial of service activity. In

Proceedings of Usenix Security Symposium (August 2001).


INTRODUCTION

 

Traditional network file systems provide a reliable way for users on a LAN to pool and share data. Internet-wide file sharing is still in its infancy: software developers and researchers are struggling to find new ways to reliably, efficiently and securely share data across wide area networks that are plagued by high latency, bottlenecks, and unreliable or malicious nodes. Computer networks change and develop very quickly, in both their architecture and their software, and these changes affect network traffic [38].

P2P computing is the sharing of computer resources and services by direct exchange between systems. These networks are mostly used for sharing and finding content of any type. They take advantage of existing computing power, storage and network connectivity, allowing users to leverage them. Some of the major applications of P2P networks are file sharing, distributed computation, ad hoc networking and collaborative applications [39].

 

Gnutella is a decentralized P2P file-sharing model developed in 2000. The protocol is used to share and download files of any type and provides a decentralized architecture for storing and retrieving files from the network [39, 40]. The Gnutella protocol defines the way in which servants communicate over the network. It consists of a set of descriptors used for communicating data between servants and a set of rules governing the exchange of descriptors between servants. Because of its distributed nature, a network of servants implementing the Gnutella protocol is highly fault-tolerant: operation of the network is not interrupted if a subset of servants goes offline [4].

All Gnutella communication happens on top of TCP/IP. Once a TCP/IP connection is established between two servants, the Gnutella connection string "GNUTELLA CONNECT/<protocol version string>\n\n" may be sent by one of them (the protocol version string in the original specification is "0.4"). The servant receiving this connection may respond with a "GNUTELLA OK\n\n" message, thereby establishing a valid Gnutella connection between the two servants. Any other response to the connection string is taken by the initiating servant as a rejection.

After a connection is established, the two servants communicate with each other by exchanging Gnutella protocol descriptors. The Gnutella protocol also defines the rules for how these descriptors are exchanged between nodes.
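The handshake and the descriptor exchange described above, as an added Python example that is not part of the paper. The handshake strings are those quoted above; the 23-byte descriptor header layout (16-byte descriptor ID, one-byte payload descriptor, TTL, hops, little-endian 32-bit payload length) and the payload descriptor codes come from the Gnutella 0.4 protocol specification, which the paper cites but does not lay out, so this goes a step beyond the text. MAX_TTL_HOPS and MAX_PAYLOAD are assumed local policy limits, and the byte strings are constructed for the example.

```python
"""Gnutella 0.4 connection handshake and descriptor header checks (added
example, not from the paper). Header layout per the Gnutella 0.4 protocol
specification: descriptor ID (16 bytes), payload descriptor (1), TTL (1),
hops (1), payload length (4, little-endian). The limits below are assumed
local policy, not protocol constants."""
import struct

CONNECT_STRING = "GNUTELLA CONNECT/0.4\n\n"
OK_STRING = "GNUTELLA OK\n\n"
MAX_TTL_HOPS = 7         # assumed: drop descriptors whose TTL + hops exceeds this
MAX_PAYLOAD = 64 * 1024  # assumed: drop descriptors announcing a larger payload

PAYLOAD_TYPES = {0x00: "Ping", 0x01: "Pong", 0x40: "Push", 0x80: "Query", 0x81: "QueryHit"}
HEADER = struct.Struct("<16sBBBI")   # descriptor ID, payload type, TTL, hops, payload length


def handshake_response(line):
    """Responding servant: accept only the exact connect string; anything else
    is treated as a rejection, mirroring how the initiator treats any reply
    other than GNUTELLA OK."""
    return OK_STRING if line == CONNECT_STRING else None


def initiator_accepts(reply):
    return reply == OK_STRING


def parse_descriptor(data):
    """Parse one descriptor and return (fields, reason); reason is None when the
    descriptor may be forwarded, otherwise why it should be dropped."""
    if len(data) < HEADER.size:
        return None, "short header"
    guid, ptype, ttl, hops, plen = HEADER.unpack_from(data)
    fields = {"id": guid, "type": PAYLOAD_TYPES.get(ptype, "unknown"),
              "ttl": ttl, "hops": hops, "payload_length": plen}
    if fields["type"] == "unknown":
        return fields, "unknown payload descriptor"
    if ttl + hops > MAX_TTL_HOPS:
        return fields, "ttl+hops exceeds limit"
    if plen > MAX_PAYLOAD:
        return fields, "payload too large"
    if len(data) - HEADER.size < plen:
        return fields, "truncated payload"
    return fields, None


def forward_header(data):
    """Decrement TTL and increment hops before forwarding; None if the
    descriptor fails the checks or would expire (TTL reaches 0)."""
    fields, reason = parse_descriptor(data)
    if reason or fields["ttl"] <= 1:
        return None
    guid, ptype, ttl, hops, plen = HEADER.unpack_from(data)
    return HEADER.pack(guid, ptype, ttl - 1, hops + 1, plen) + data[HEADER.size:]


def build_descriptor(guid, ptype, ttl, hops, payload=b""):
    """Construct a descriptor (used here to build sample input)."""
    return HEADER.pack(guid, ptype, ttl, hops, len(payload)) + payload


if __name__ == "__main__":
    ping = build_descriptor(b"\x01" * 16, 0x00, 7, 0)
    print(handshake_response(CONNECT_STRING), parse_descriptor(ping))
    print(parse_descriptor(forward_header(ping)))
```

The TTL plus hops check is the one a flooding defence cares about: a descriptor whose announced lifetime exceeds the local limit is dropped before it consumes forwarding bandwidth, and a descriptor whose payload length does not match the bytes actually received is never handed to the payload parser.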

 

Traffic in a Gnutella hybrid peer-to-peer network can be examined from different aspects, such as the distribution of packet arrivals per time unit, the interval between packet arrivals and the distribution of packet sizes. If the number of packets exceeds the threshold value, network resources become saturated, because the nodes (servants) in a Gnutella hybrid peer-to-peer network can leave or join the network at any time [18,20,4]. As a result these nodes are exposed to DDoS attacks, and such behaviour should be detected and prevented. To prevent, detect, counter and stop these attacks, security must be recognized as a requirement and built into the network [19].

Figure 1. Gnutella P2P Decentralized Model

 

Some of the noticeable factors in the vulnerability of a Gnutella hybrid P2P network are the flooding created when multiple messages (packets) are sent at the same time over the network without knowing the exact destinations, and the decentralized nature of the Gnutella network [24]. The straightforward strategy for resolving security vulnerabilities in a peer-to-peer network is to use an intrusion detection system. By employing IDS at different layers of the network, it is possible to detect suspicious behaviour and potential attacks in Gnutella hybrid P2P networks. These security breaches can be countered by applying and implementing intrusion detection systems in the network to detect intrusions. As these networks continuously change, with different topologies inside the network, the strategies to detect intrusions also change gradually; it therefore becomes essential that the IDS be dynamic in nature to meet the ever-changing demands of the security constraints over time [32].

 

The possibilities for attacks are enormous in P2P networks. Some of the most common attacks are [4]:

1. Rational attacks

2. File Poisoning

3. Sybil Attacks

4. Eclipse Attacks

5. DDoS

 

A denial-of-service attack is an attack on a computer or a network that causes the loss of a service [4]. There exist many forms or methods to perpetrate a DoS attack. In the case of P2P networks, the most common form of DoS attack is an attempt to flood the network with bogus packets, thereby preventing legitimate network traffic. Another method is to drown the victim in expensive computation so that it is too busy to answer any other queries. DoS attacks are far more effective if multiple hosts are involved in the attack; we then speak of a DDoS attack (distributed denial-of-service) [14, 41].

 

In a DDoS attack, the attacking computers are often personal computers with broadband connections that have been compromised by a virus or Trojan. The perpetrator can then remotely control these machines (referred to as zombies or slaves) and direct an attack at any host or network. Finally, a DDoS attack can be amplified even further by using uncompromised hosts as amplifiers: the zombies send packets to these amplifiers, whose answering packets go to the victim. This is known as a reflection attack [41]. These types of attacks can be managed in Gnutella networks. As a DDoS attack involves a large number of distributed machines, developing defensive nodes would be effective in discovering DDoS attacks [19,25].

 

DDoS attacks take advantage of hosts on the Internet with poor security. The perpetrators break into such hosts, install slave programs, and at the right time instruct thousands of these slave programs to attack a particular target. Since this attack does not exploit a security problem at the target, no mechanism currently exists to defend against such an attack. Collaborative discovery requires heterogeneous nodes to cooperate, and it guarantees high scalability and security against attacks.

 

 Figure 2 Structure of DDoS Attack

 

Considering the features of distributed systems and examining the different mechanisms of the human immune system, we can reveal some similarities between these two seemingly different contexts. These similarities, inspired by the human immune system, are used to identify intrusions effectively in distributed systems [7,10,16]. The proposed IDS uses an artificial immune system to define its algorithms. The proposed model defines its operations at several levels with heterogeneous functions for the peers.

 

This paper addresses some of the human immune properties more concretely and emphasizes the innate and adaptive systems framework in the proposed networks. The rest of this paper is organized as follows. Section 2 describes the intrusion detection system in detail in the context of the paper. Section 3 briefly introduces the human immune system. Section 4 explores the process of the suggested IDS and discusses artificial immune algorithms. Section 5 gives a brief analysis of the results and details of the datasets used for the analysis. Finally, in section 6 the paper is concluded with a discussion of the proposed intrusion detection system and artificial immune system.

 

Distributed denial of service (DDoS) attacks are a large and increasing threat to the Internet community. The need to protect against and mitigate the effects of DDoS attacks has been recognized by both the commercial and research worlds for some years. Much work has been done on detecting attackers and isolating attack streams. The majority of research examining attacks focuses on just one system, but a recent study [42] observed 12,805 attacks on more than 5,000 distinct Internet hosts in more than 2,000 distinct DNS domains over a three-week period. Most attacks are short, with 90% lasting less than an hour. A DDoS attack response must be quick; much quicker than picking up the phone and calling the system administrators of other autonomous systems. DD-police protects a Gnutella peer-to-peer network against the DoS model. In a peer-to-peer network, with its highly dynamic nature, nodes leave and join a [15].

 

In the context of exploiting the features of the human immune system for the security of computer networks, Forrest performed the first research to discriminate between self and non-self in a network artificial immune system. Hofmeyr designed an artificial immune system called ARTIS. This system is not very efficient because collaboration and information exchange among nodes is not considered and intrusion detection is done separately on each computer. LISYS is one of the first artificial immune system structures designed for a simple local network; it can learn network traffic and identify anomalous traffic. This system detects seven common network attacks with fewer than 100 detectors, each detector being 49 bits long [30,36].

 

The purpose of the Cfengine system is to automatically configure a large number of systems on heterogeneous nodes. Furthermore, as long as no new discrepancy occurs, the intrusion detection system is passive. In order to increase scalability, the Cfengine intrusion detection system updates the average system efficiency, the number of input and output connections per service, and packet characteristics [5,6,13]. Results for Cfengine show that the danger signal potentially affects the false positive rate and that memory detectors improve the detection rate.

 

 

Immune system

The immune system is a network of cells, tissues, and organs that work together to defend the body against germs, the tiny infection-causing organisms such as bacteria, viruses, parasites, and fungi. Because the human body provides an ideal environment for many microbes, they try to break in, and it is the immune system's job to seek out and destroy them. The immune system is amazingly complex. It can recognize and remember millions of different enemies, and it can produce secretions and cells to match up with and wipe out each one of them [37]. The cells and molecules that are responsible for immunity form the immune system, and their comprehensive and coordinated reply against foreign material is called the immune response. There are two major branches of the immune system, the innate and the adaptive.

 

Innate Immune Systems:

The innate immune system is an unchanging mechanism that detects and destroys certain invading organisms [11]. These systems form the first line of defense against microbes; they consist of cellular and biochemical defensive mechanisms that exist even before infection and are ready to respond to infections quickly. This mechanism gives an almost equal response against repeated infections. Innate immunity mechanisms are specific to structures that are common among related microbes, and they may not distinguish small differences between non-self entities.

 

Adaptive immune Systems

The adaptive immune system responds to previously unknown foreign cells and builds a response to them that can remain in the body over a long period of time. This remarkable information-processing biological system has caught the attention of computer science in recent years [11]. These systems are stimulated after exposure to a microorganism, and their defensive power increases after each encounter with a particular microbe. These systems evolve in response to, and in proportion to, infections. The apparent features of adaptive immunity are a strong response to specific molecules, the ability to remember, and a stronger response to repeated encounters with a particular kind of microbe [1,24].

 

The adaptive immune system identifies and responds to a large number of microbial and non-microbial substances. In addition, it has a great capacity for distinguishing between different microbes and macromolecules, even those with very similar structures. Foreign substances that induce specific immune responses, and are the target of those responses, are called antigens. Adaptive immunity is further subdivided into humoral immunity and cellular immunity, also known as cell-mediated immunity.

 

Artificial immune system

De Castro and Timmis define artificial immune systems (AIS) as adaptive systems, inspired by theoretical immunology and observed immune functions, principles and models, which are applied to problem solving. They are systems developed using the human immune system as inspiration, rather than as a comprehensive model of it, in an attempt to capture some or all of the features it provides. In most instances, however, only a few principles from immunology are used.

 

Table 2. Mapping of human immune system with Gnutella peer to peer network

Apparent features of adaptive immune responses

There are many features of the immune system, including variety, adaptation, immunological memory and protection against auto-immune attacks. The following section explains these features in detail and shows how they can be modelled in artificial immune systems and then used to solve real-world problems. Some of the typical problems amenable to being solved by artificial immune systems are security vulnerability issues in P2P networks using IDS, and data mining issues using collaborative filtering and clustering [11]. All humoral and cellular immune responses against foreign antigens have some basic features that characterize the lymphocytes which create the response [1,8,28]. In general, the features of the human immune system that are applied in the proposed system are as follows:

 

Variety:

The total set of lymphocyte antigenic specificities in a person, called the lymphocyte repertoire, is very large. This feature of the lymphocyte repertoire is called variety; it is the outcome of diversity in the structure of the antigen-binding regions of lymphocyte antigen receptors. In other words, the various lymphocyte clones differ from each other in the structure of their antigen receptors and consequently in their antigenic specificity, so the repertoire produced is highly varied.

 

In the proposed system, when an attack template is detected it is forwarded to all connected Ultra Peers in the network. The proposed genetic algorithm is then applied to optimize the attack template. It is applied to all detected templates, which are collectively known as the attack dataset, and the whole process is called variety.

 

Immunological Memory:

The exposure of the immune system to a foreign antigen increases its ability to respond to the same antigen again. The responses created against the second or subsequent exposures to a kind of antigen are called secondary immune responses, and they are usually faster and stronger than the first immune response against the same kind of antigen. Memory cells have specific features that cause them to operate more effectively, in response to a re-exposure to an antigen, than naive lymphocytes that have not previously encountered it.

 

Contraction and Homeostasis:

After stimulation by an antigen, all natural immune responses decline as time progresses. The immune system therefore returns to a resting state, and this trend is called constancy or homeostasis. The removal of the stimulus causes the death of lymphocytes by apoptosis. If the same mechanism is applied in P2P networks, then after detecting an attack the Leaf Peers go into suspended mode until the network becomes stable, which is called the repose state.

 

Major Histocompatibility Cells (MHC)

The major activities of T lymphocytes consist of defense against intracellular microbes and activation of other cells such as macrophages and B lymphocytes. The recognition of a transplant as self or non-self is therefore a genetic feature. The genes in charge of accepting transplanted tissue as self or rejecting it as non-self are called histocompatibility genes, and they differ between people. All MHC molecules have some specific and common features that are of great importance in the presentation of antigen and its recognition by T lymphocytes. In the proposed system, the negative selection algorithm of the training phase, running on all Leaf Peers, uses these same MHC properties of the human immune system.

 

Intrusion detection system

The proposed IDS consists of a combination of different algorithms used to investigate security breaches in Gnutella hybrid P2P networks. It uses both anomaly-based and signature-based intrusion detection techniques, combined with an artificial immune system, to detect different attack templates. Amongst worm defense mechanisms, intrusion detection systems (IDS) are the most widely deployed technique; they utilize the self-duplicating, repetitive nature of computer worms to detect the patterns and signatures of these malicious codes in network traffic. Some of the IDS functionalities are:

 

1. Monitoring and analyzing both user and system activity

2. Analyzing system configurations and vulnerabilities

3. Assessing system and file integrity

4. Ability to recognize patterns typical of attacks

5. Analysis of abnormal activity patterns

6. Tracking user policy violations

 

Based on the parameters used for detection, these systems can be broadly divided into signature-based and anomaly-based systems [32].

 

Signature-based IDS

Signature-based detection is normally used for detecting known attacks. No knowledge of normal traffic is required, but a signature database is needed for this type of detection system. For worm detection, this type of system does not care how a worm finds its target, how it propagates itself or what transmission scheme it uses. The system looks at the payload and identifies whether or not it contains a worm.

 

One big challenge of signature-based IDS is that every signature requires an entry in the database, so a complete database might contain hundreds or even thousands of entries. Each packet has to be compared with all the entries in the database. This can be very resource-consuming; it slows down the throughput and makes the IDS vulnerable to DoS attacks. Some IDS evasion tools use this vulnerability and flood the signature-based IDS with so many packets that the IDS cannot keep up with the traffic, making the IDS time out and drop packets and, as a result, possibly miss attacks [23]. Further, this type of IDS remains vulnerable to unknown attacks, as it relies on the signatures currently in the database to detect attacks.

 

Anomaly-based IDS

Anomaly-based systems detect abnormal behaviours and generate alarms based on abnormal patterns in network traffic or application behaviour. Typical anomalous behaviours that may be captured include 1) misuse of network protocols, such as overlapping IP fragments and running a standard protocol on a stealthy port; 2) uncharacteristic traffic patterns, such as more UDP packets than TCP ones; and 3) suspicious patterns in application payloads. The biggest challenges of anomaly-based detection systems are defining what normal network behaviour is, deciding the threshold that triggers the alarm, and preventing false alarms. The users of the network are normally human, and people are hard to predict. If the normal model is not defined carefully, there will be many false alarms and the detection system will suffer from degraded performance.

 

Proposed IDS System

The proposed IDS is located in all Leaf Peers of the Gnutella hybrid P2P network; the system detects and announces the existence of an attack or the presence of intrusions to the other Ultra Peers by means of a distributed Ultra Peer warning. Consequently the stated system discovers network intrusions through cooperation between Leaf Peers and Ultra Peers. To explain the working of the proposed system, it will be explored from four different aspects:

 

1. IDS Detection Method

2. IDS Detection Activities

3. IDS Detection Network

4. IDS Detection frequency

 

IDS Detection Method

Intrusion detection distinguishes between behaviour-based detection, also known as anomaly-based, and knowledge-based detection, often known as signature-based. To detect intrusions, artificial immune system algorithms such as negative selection and clonal selection are used to achieve the desired objectives; in this way new and unknown attacks are detected. Anomalous traffic and normal traffic are distinguished using danger theory. The proposed system is designed by combining the two techniques: in the training phase anomaly-based intrusion detection is used to detect abnormal behaviours, while in the testing phase signature-based intrusion detection is used to actually detect the intrusions.

 

IDS Detection Activities

With the saturation of network resources in a short time and the prediction of a possible attack, the node (Leaf Peer or Ultra Peer) in the suggested intrusion detection system warns its Ultra Peers to confront the attack. The surrounding Ultra Peers therefore become aware of the possible attack. Invaded peers are suspended, since they are not resistant to the attack, and are thereby protected to some extent. This system takes an active stance by detecting and announcing new Leaf Peer and Ultra Peer behaviours.

 

IDS Detection Network

Intrusion detection systems can be divided into multiple groups depending on the type of network used for performing the detection. In Gnutella hybrid P2P networks, IDS fall into two main categories, i.e. network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS). A NIDS is installed at a point through which network traffic passes and examines that traffic. In a Gnutella hybrid peer-to-peer network the Ultra Peer plays the role of gateway and distinguishes anomalous traffic from normal traffic. The Ultra Peer sends the attack strategy to other Ultra Peers after identifying and confirming an attack.

 

A HIDS runs on individual nodes and collects network traffic information there. This information is analyzed separately in each node, and the results are used to immunize the activities of that node. The proposed intrusion detection system is located on all Leaf Peers, so it operates in a distributed manner. The results generated inform the other nodes in the Gnutella hybrid peer-to-peer network of the existence of attacker nodes.

 

Detection Frequency

Leaf Peers perform intrusion detection continuously while Ultra Peers would be

The proposed system uses different functions to detect intrusions, especially the DDoS attack, which is the main focus of this paper. Each peer performs more than one function; to create an alarm in the proposed system, for example, a process is followed that requires the functions described below:

 

METHOD

 

Creation of Template:

The Leaf Peer records the templates of the messages it receives in a short time span. If the volume of received messages is more than the threshold value specified for that time span, then a new template is formed containing the source IP address, the destination IP address (local) and the time interval between Gnutella packets, and it is sent as the template of a possible attack; otherwise the produced template is put aside.
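The template-creation step just described, as an added example in Python that is not the paper's own code: a Leaf Peer keeps a sliding time span per source address and, when the packet count in that span exceeds the threshold, forms a template of source IP, local destination IP and mean inter-packet interval. The span, threshold, addresses and packet timestamps are constructed values, and the class and function names are hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample capture as seen by one Leaf Peer (its own address is 192.168.1.20):
# (timestamp in seconds, source IP, destination IP). 10.0.0.7 sends a burst of 12
# packets about 0.1 s apart; 192.168.1.5 is an ordinary peer sending three packets.
LEAF_ADDRESS = "192.168.1.20"
SAMPLE_PACKETS: List[Tuple[float, str, str]] = sorted(
    [(round(1.0 + 0.1 * i, 3), "10.0.0.7", LEAF_ADDRESS) for i in range(12)]
    + [(0.5, "192.168.1.5", LEAF_ADDRESS),
       (2.5, "192.168.1.5", LEAF_ADDRESS),
       (4.5, "192.168.1.5", LEAF_ADDRESS)]
)


@dataclass
class AttackTemplate:
    src_ip: str
    dst_ip: str            # the Leaf Peer's own (local) address
    avg_interval: float    # mean gap in seconds between consecutive packets from src_ip
    count: int             # packets from src_ip inside the time span


class TemplateBuilder:
    """Hypothetical Leaf Peer helper: per-source sliding window of packet times."""

    def __init__(self, span_seconds: float, threshold: int) -> None:
        self.span = span_seconds
        self.threshold = threshold
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)
        self._raised: Set[str] = set()   # sources that already produced a template

    def observe(self, ts: float, src_ip: str, dst_ip: str) -> Optional[AttackTemplate]:
        """Record one packet; return a possible-attack template when the number of
        packets from src_ip within the span exceeds the threshold, else None."""
        window = self._seen[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.span:   # drop packets outside the span
            window.popleft()
        if len(window) <= self.threshold:
            self._raised.discard(src_ip)   # burst is over; a later burst may alert again
            return None                    # below threshold: template is put aside
        if src_ip in self._raised:
            return None                    # one template per burst
        self._raised.add(src_ip)
        times = list(window)
        avg = sum(b - a for a, b in zip(times, times[1:])) / (len(times) - 1)
        return AttackTemplate(src_ip, dst_ip, avg, len(times))


def build_templates(packets, span_seconds: float = 2.0, threshold: int = 8) -> List[AttackTemplate]:
    """Run the builder over a time-ordered capture and collect the templates raised."""
    builder = TemplateBuilder(span_seconds, threshold)
    raised: List[AttackTemplate] = []
    for ts, src, dst in packets:
        template = builder.observe(ts, src, dst)
        if template is not None:
            raised.append(template)
    return raised


if __name__ == "__main__":
    for t in build_templates(SAMPLE_PACKETS):
        print(f"possible attack from {t.src_ip} -> {t.dst_ip}: "
              f"{t.count} packets, mean interval {t.avg_interval:.3f} s")
```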

Figure 3 Taxonomy of proposed intrusion detection system

 

Sending & Receiving of Attack Template

After an attack template is formed by a Leaf Peer, the other peers in the network are informed about the possible occurrence of this attack. If the Ultra Peer returns a Stress Reply message, the Leaf Peer informs all peers about the possible attack occurrence by sending a Stress message. The possible attack template is sent to the Ultra Peer in a Template message.

 

Identification of Attack Based on Received Template

After receiving the possible attack template in a Template message, the Ultra Peer starts matching the received template against the attack templates available in its dataset. A conformity of 30 percent indicates that an attack has happened.

 

Sending Attack Template to Other Ultra Peers

When an attack is diagnosed and confirmed, the Ultra Peer sends the attack template to other Ultra Peers, so that they are informed of the occurrence of the attack and increase their detection rate.

 

Classification of Attack Type

After an attack has been confirmed, the next step is to classify the traffic as anomalous or normal; a policy is chosen that, on receiving numerous Gnutella messages in definite time intervals that saturate the bandwidth, considers the traffic sent by that peer as attack or anomalous traffic. The classification of an attack is a two-step process. In the first step, Leaf Peers distinguish between normal traffic and possibly abnormal traffic; this process is called self/non-self discrimination [17]. In the second step, Ultra Peers distinguish between possibly normal traffic and abnormal traffic; this is done by applying danger theory [13,21].

 

Threshold Value Limit

If the number of messages sent exceeds the bandwidth-occupancy threshold value and an attack occurrence has also been announced, then sending and receiving messages to and from the Ultra Peer can be prevented and the rate of sent messages can be reduced by adopting some measures. In fact, invaded peers are suspended, since they are not resistant to the attack, and they are protected to some extent in that they accept only the high-priority packets sent by the surrounding Ultra Peers.

 

Development of new generation of detector (Genetic algorithm)

The templates with the most conformity to attacks are the most likely to recur in the near future, and such templates are used in the selection phase of the genetic algorithm. A ranking method is used: detectors are ranked by their number of conformities, and template selection is then done according to rank-based fitness.

 

It is important to use a competitive method to select the best attack templates. This method works by randomly choosing a small subset of the attack templates, which then compete; finally one of them is chosen based on its affinity level [22]. After the best templates (those with more conformity) have been selected, new templates are created by the crossover operator with the purpose of producing better templates. After the crossover of attack templates, mutation changes a zero to a one. On the other hand, this function is applied to the lymphocyte repertoire to preserve the diversity of the attack templates.
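The selection, crossover and mutation steps above, as an added example in Python that is not the paper's implementation: rank-based fitness from conformity counts, tournament selection, one-point and two-point crossover (both of which the paper compares later) and bit-flip mutation over a constructed attack dataset of 16-bit templates. The function names and the dataset are assumptions, and mutation here flips a bit in either direction rather than only zero to one.

```python
import random
from typing import List, Tuple

# Constructed attack dataset held by an Ultra Peer: 16-bit attack templates, each with
# its conformity count (how many received possible-attack templates it has matched).
ATTACK_DATASET: List[Tuple[str, int]] = [
    ("1100101011110000", 7),
    ("1010101010101010", 2),
    ("1111000011110000", 5),
    ("0000111100001111", 1),
    ("1100110011001100", 4),
    ("0011001100110011", 3),
]


def rank_fitness(population: List[Tuple[str, int]]) -> List[Tuple[str, float]]:
    """Rank-based fitness: templates are ordered by conformity count and each receives
    its rank (1 = fewest conformities) normalised so that the weights sum to 1."""
    ordered = sorted(population, key=lambda tc: tc[1])
    total = len(ordered) * (len(ordered) + 1) / 2
    return [(template, (rank + 1) / total) for rank, (template, _) in enumerate(ordered)]


def tournament_select(ranked: List[Tuple[str, float]], k: int, rng: random.Random) -> str:
    """Competitive selection: a random subset of k templates competes and the one
    with the highest rank fitness (affinity) wins."""
    contenders = rng.sample(ranked, k)
    return max(contenders, key=lambda tf: tf[1])[0]


def one_point_crossover(a: str, b: str, point: int) -> Tuple[str, str]:
    """Swap the tails of two templates from position `point` onwards."""
    return a[:point] + b[point:], b[:point] + a[point:]


def two_point_crossover(a: str, b: str, lo: int, hi: int) -> Tuple[str, str]:
    """Swap the middle segment [lo, hi) between two templates."""
    return a[:lo] + b[lo:hi] + a[hi:], b[:lo] + a[lo:hi] + b[hi:]


def mutate(template: str, rate: float, rng: random.Random) -> str:
    """Flip each bit independently with probability `rate` to keep the repertoire diverse."""
    return "".join(("1" if bit == "0" else "0") if rng.random() < rate else bit
                   for bit in template)


def next_generation(population: List[Tuple[str, int]], crossover: str = "two_point",
                    k: int = 3, mutation_rate: float = 0.005, seed: int = 0) -> List[str]:
    """Produce one new generation of attack templates, the same size as `population`."""
    rng = random.Random(seed)
    ranked = rank_fitness(population)
    length = len(population[0][0])
    children: List[str] = []
    while len(children) < len(population):
        parent_a = tournament_select(ranked, k, rng)
        parent_b = tournament_select(ranked, k, rng)
        if crossover == "one_point":
            pair = one_point_crossover(parent_a, parent_b, rng.randrange(1, length))
        else:
            lo, hi = sorted(rng.sample(range(1, length), 2))
            pair = two_point_crossover(parent_a, parent_b, lo, hi)
        for child in pair:
            if len(children) < len(population):
                children.append(mutate(child, mutation_rate, rng))
    return children


if __name__ == "__main__":
    for mode in ("one_point", "two_point"):
        print(mode, next_generation(ATTACK_DATASET, crossover=mode, seed=42))
```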

 

Artificial immune algorithm

As the human immune system operates actively and in a distributed manner, artificial immune system algorithms are used extensively in the proposed system to achieve the specified purpose. The major features of the human immune system, and how it reacts against intrusions, are examined in order to detect intrusions [14,28]. This is used in the Gnutella hybrid P2P network to confront DDoS attacks. In the proposed IDS the negative selection algorithm is used in the training phase, and it functions as follows:

 

Negative Selection Algorithm

Gnutella network packets are captured with the tcpdump monitoring tool [3] and the gtkgnutella file sharing software [2]. These packets are considered the self dataset. Then some detectors (immature detectors) are produced by a random Gaussian function, and by comparing the two datasets any detector that does not correspond to the self dataset is kept as a detector (mature detectors). In this stage the number of detectors is investigated: if this number increases, the accuracy of detection goes up, but the computational load increases too [9,12].

 

After receiving each Gnutella packet, the source IP address, the local destination IP address and the average time interval between two consecutive sent packets are added to the template. Then the amount of bandwidth occupied is examined. If it does not reach the default threshold, the template is discarded and a new template is made. Otherwise, the possibility of an attack is announced to the connected Ultra Peers. After making sure of the existence of each Ultra Peer, the Leaf Peer sends the template of the possible attack to each Ultra Peer. In this stage the Leaf Peer announces the possibility of an attack and distinguishes between abnormal and normal traffic. The Leaf Peer is suspended for a definite time span to prevent the reception of any packet or message; when this time span ends, the Leaf Peer returns to its initial state.

 

On receiving the announcement of a possible attack, the Ultra Peer announces its existence to the Leaf Peer, and after receiving the template of the possible attack it compares the template with the non-self dataset. If the template conforms to a detector, the Ultra Peer broadcasts it to the other Ultra Peers as a detector. The Ultra Peer then clones the conformed detectors and increases their affinity; if detectors are not conformed, the Ultra Peer changes their main structure. According to the number of conformities the detector state changes from the mature stage, and the detector type and useful lifetime are inspected. As each kind of detector has a definite lifetime, detectors whose lifetime has ended are deleted from the detector dataset.

 

Figure 4. Negative selection algorithm


A genetic algorithm is used to improve the detectors in the proposed system. The genetic algorithm also creates variety among the non-self templates in the active stage: following the clonal selection algorithm, those cells that identify the detector grow and those cells that are unable to identify it die.

As the Leaf Peer and the Ultra Peer operate in a collaborative and parallel manner, their functions are inspected separately.

 

Figure 5 Leaf Peer Functions (Test Phase)

 

 

Figure 6 Ultra Peer Function (Test Phase)

 

DDoS attack analysis

Distributed DoS (DDoS) attacks are flooding attacks by many attacking hosts (agents) under distributed and coordinated control. Figure 2 above showed the structure of a DDoS attack: one or more attackers control handlers, and each handler controls multiple agents. Handlers and agents are extra layers introduced to increase the rate of packet traffic as well as to hide the attackers from view. Each agent can choose the size and type of packets as well as the duration of flooding. While the victim may be able to identify some agents and have them taken offline, the attacker can monitor the effects of the attack and create new agents accordingly [35]. A discrete event simulator is used to simulate Gnutella peer-to-peer file sharing. Gnutellasim is suitable for the Gnutella network and is installed on PDNS and ns2.27. In order to evaluate the suggested system, the gtkgnutella-0.96.8-2 file sharing client [2] and the tcpdump-4.1.1 monitoring software [3] are used to generate and record Gnutella traffic.

 

Simulation Preliminaries

One challenge in intrusion detection is finding good datasets for experiments and testing. Our objective was to control the dataset, so we chose to collect data from an internal, restricted Gnutella peer-to-peer network. In this environment we understand all of the connections, and we can limit DDoS attacks. We installed an ISA Server firewall at the entrance of our network, so external connections must pass through a firewall. The dataset used for the experiments and analysis consists of Gnutella peer-to-peer network traffic. The proposed scenario includes 23 peers, divided into 5 Ultra Peers and 18 Leaf Peers.

 

Simulation Results Analysis

Gnutella protocol v. 0.6 is used for the simulations. In the IDS, self is defined as the set of normal pairwise TCP/IP connections between Leaf Peers and Ultra Peers, and non-self is the set of connections that are not normally observed on the network, as when enormous numbers of Gnutella packets are transmitted over it. The efficiency of the proposed system is analyzed based on the following criteria:

 

Negative Selection Time

Some immature detectors are produced by a random Gaussian function, and this dataset is compared with the normal Gnutella dataset. Any detector that does not match a normal traffic template is added to the list of mature detectors. The output of the training phase is a dataset of mature detectors. Figure 7 shows the negative selection time in proportion to the number of detectors. As the number of mature detectors increases, the negative selection time increases too, but detection precision improves. Because a genetic algorithm is used, the negative selection time is better than that of the LISYS algorithm.

 

 

Figure 7 Production Time of Mature Detector

 

Detection Precision

In order to increase the detection precision, false positives should be reduced. This research identifies the parameters that appear most important for minimizing false positives, as well as how to maximize the percentage of intrusions detected. The percentage of attack detection is measured by the proportion of discovered attack occurrences to all attack occurrences. Rdt denotes the corresponding false positive rate; Td is the number of attacks that are discovered and Ta is the total number of attacks.

 

In fact, a false positive is the sending of an alarm message by the intrusion detection system at a time when no attack has happened. Tp is the total number of false positive alarms and Ta is the total number of attacks.

 

 

The proposed system is evaluated in terms of the tradeoff between the detection rate and the false positive rate. We therefore evaluate the best configuration of these factors for yielding optimal results.

 

Number of Detectors

To study the effect of mature detectors on the percentage of attack discovery and on false positives, the activation threshold parameter is set to 6, the crossover operator to 0.4 and the mutation operator to 0.005. These two factors are evaluated by varying the number of detectors for different numbers of conformity bits. As the number of detectors increases, the percentage of attack discovery goes up on the one hand and the false positive rate increases on the other. For all numbers of conformity bits, 75 detectors give the most efficient response for detecting attacks. But due to computational overload, the number of detectors is commonly not very high. In the LISYS algorithm the number of detectors is 100. Figure 8 illustrates this.

 

 

Figure 8 Detection with Different Number of Detectors

 

Bit Matching Algorithm

The detectors in this IDS are implemented as strings whose function is to classify new strings as normal or abnormal by matching them in some form. Perfect matching is rare in the immune system, so we use a partial matching rule known as r-contiguous bits matching. Under this rule, two strings match only if they are identical in at least r contiguous locations.
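The negative selection training described earlier and the r-contiguous bits rule just defined, as one added example in Python that is not the paper's code: templates are encoded as 40-bit strings (32 bits of source IP plus an 8-bit quantised inter-packet interval; the paper does not give its encoding, so this layout is an assumption), candidate detectors that match any self string in r contiguous bits are discarded, and the surviving mature detectors classify new templates. Random candidates use uniform bits rather than the paper's Gaussian function, the traffic values are constructed, and the function names are hypothetical.

```python
import random
from typing import Iterable, List


def encode_template(src_ip: str, interval_ms: int) -> str:
    """Encode a Leaf Peer template as a 40-bit string: 32 bits of source IP followed
    by the mean inter-packet interval quantised to 4 ms buckets (assumed layout)."""
    ip_bits = "".join(format(int(octet), "08b") for octet in src_ip.split("."))
    bucket = min(255, interval_ms // 4)          # saturates at about one second
    return ip_bits + format(bucket, "08b")


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """r-contiguous bits rule: the strings match if they agree on at least r
    consecutive positions (compared position by position; equal lengths assumed)."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def negative_selection(self_set: Iterable[str], candidates: Iterable[str], r: int) -> List[str]:
    """Training phase: an immature detector that matches any self (normal) template
    is destroyed; the rest are promoted to mature detectors."""
    self_list = list(self_set)
    return [d for d in candidates
            if not any(r_contiguous_match(d, s, r) for s in self_list)]


def random_candidates(count: int, length: int, rng: random.Random) -> List[str]:
    """Immature detectors as uniformly random bit strings (a simplification of the
    paper's random Gaussian function)."""
    return ["".join(rng.choice("01") for _ in range(length)) for _ in range(count)]


def train(self_set: Iterable[str], known_attack_templates: Iterable[str],
          n_random: int, r: int, seed: int = 0) -> List[str]:
    """Build the mature detector set from known attack templates (the attack dataset
    forwarded between Ultra Peers) plus random candidates, all filtered by negative selection."""
    rng = random.Random(seed)
    candidates = list(known_attack_templates) + random_candidates(n_random, 40, rng)
    return negative_selection(self_set, candidates, r)


def is_nonself(template: str, mature_detectors: Iterable[str], r: int) -> bool:
    """Test phase: a template that matches any mature detector is flagged as non-self."""
    return any(r_contiguous_match(template, d, r) for d in mature_detectors)


# Constructed self dataset: normal connections from LAN peers with ordinary packet gaps.
SELF_TRAFFIC = [("192.168.1.5", 200), ("192.168.1.17", 350), ("192.168.1.42", 800)]
SELF_SET = [encode_template(ip, ms) for ip, ms in SELF_TRAFFIC]
# Constructed possible-attack template: an outside host sending packets 10 ms apart.
ATTACK_TEMPLATE = encode_template("10.0.0.7", 10)


if __name__ == "__main__":
    # With r = 10 the attack-derived candidate shares a 10-bit run with self and is
    # destroyed; with r = 12 it survives as a mature detector and flags the attack.
    for r in (10, 12):
        detectors = train(SELF_SET, [ATTACK_TEMPLATE], n_random=200, r=r, seed=7)
        print(f"r={r}: {len(detectors)} mature detectors, "
              f"attack template kept: {ATTACK_TEMPLATE in detectors}, "
              f"attack flagged: {is_nonself(ATTACK_TEMPLATE, detectors, r)}, "
              f"self flagged: {sum(is_nonself(s, detectors, r) for s in SELF_SET)}")
```

Lowering r makes each detector match exponentially more strings, which is why the attack-derived candidate is eliminated against the self set at r = 10 but retained at r = 12.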

 

Our observations in Figure 9 show that the immune-system-inspired approach is the best approach for detecting intrusion. To study the effect of the number of conformity bits on the attack discovery percentage and the false positive rate, the activation threshold is set to 6, the crossover rate to 0.6 and the mutation rate to 0.005. Both measures are evaluated as the number of detectors varies, for several numbers of conformity bits. The number of strings a detector matches increases exponentially as the value of r decreases. For example, 8 conformity bits gives the best attack detection rate but the worst false positive rate. After checking these factors, we use 12 conformity bits and the LISYS algorithm to select the number of detectors.
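The r-contiguous bits rule, the negative-selection step that turns random candidates into mature detectors, and the effect of r and of the detector count on coverage, as an added Python example. This is not the paper's simulator: the 12-bit self and non-self strings, the fixed-prefix encoding and the function names are constructed for this illustration, and the brute-force coverage count is only practical for short strings.

```python
"""r-contiguous matching, negative selection and the r / detector-count
tradeoff. Added example; the self/non-self strings below are constructed."""
import random
from itertools import product


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if bit strings a and b agree in at least r contiguous positions."""
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def count_matching_strings(detector: str, r: int) -> int:
    """Brute-force count of all l-bit strings the detector matches under rule r.

    Enumerates 2**l strings, so keep l small. The result shows that the
    coverage of one detector grows exponentially as r decreases."""
    l = len(detector)
    return sum(
        1 for bits in product("01", repeat=l)
        if r_contiguous_match(detector, "".join(bits), r)
    )


def generate_detectors(self_set, l: int, r: int, n: int, seed: int = 0):
    """Negative selection: draw random l-bit candidates and keep only those
    that match no self string, until n mature detectors exist."""
    rng = random.Random(seed)
    detectors = []
    while len(detectors) < n:
        cand = "".join(rng.choice("01") for _ in range(l))
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors


def is_anomalous(detectors, string: str, r: int) -> bool:
    """A string is flagged as non-self if any mature detector matches it."""
    return any(r_contiguous_match(d, string, r) for d in detectors)


def evaluate(detectors, self_test, nonself_test, r: int):
    """Return (detection rate on non-self, false positive rate on self)."""
    tp = sum(is_anomalous(detectors, s, r) for s in nonself_test)
    fp = sum(is_anomalous(detectors, s, r) for s in self_test)
    return tp / len(nonself_test), fp / len(self_test)


# Constructed sample (not the paper's feature layout): "normal" 12-bit
# strings share one 6-bit prefix, attack strings share a different one.
SELF_SET = ["000111" + s for s in ("010101", "110011", "001100", "111000")]
NONSELF_SET = ["101010" + s for s in ("100100", "011011", "101110", "000010")]

if __name__ == "__main__":
    for r in (12, 10, 8, 6):
        print(f"r={r:2d}: one 12-bit detector covers "
              f"{count_matching_strings('0' * 12, r)} strings")
    for n in (5, 25, 75):
        dets = generate_detectors(SELF_SET, 12, 6, n)
        det_rate, fp_rate = evaluate(dets, SELF_SET, NONSELF_SET, 6)
        print(f"{n:3d} detectors: detection={det_rate:.2f} "
              f"false positive={fp_rate:.2f}")
```

Because every mature detector was rejected if it matched a training self string, the false positive rate on that training set is zero by construction; false positives in practice come from self strings that were not in the training set, which is why the paper evaluates held-out traffic. With a fixed seed the detector list for n=75 extends the list for n=5, so the detection rate can only rise with the detector count, matching the trend of Figure 8.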

Figure 9 (A) Evaluation of detection rate

Figure 9 (B) Evaluation of false positive rate

Activation Threshold Values

The activation threshold governs a detector's transition between the mature, active and memory states. Activation thresholds are a mechanism designed to reduce false positives. To test this expectation, we studied the effect of changing the activation threshold with 75 detectors, a crossover rate of 0.6 and a mutation rate of 0.005.

The lower this value, the sooner a detector reaches the activation stage; more generations are therefore produced and more attacks are discovered.

Raising this parameter also reduces the false positive rate. Activation thresholds of 6 and 8 give almost the same attack discovery percentage, with only small differences. For 16, 14 and 18 conformity bits an activation threshold of 8 is better, whereas the LISYS algorithm suggests an activation threshold of 10. Figure 10 illustrates how the number of false positives falls as the activation threshold increases.
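The activation threshold mechanism described above, as an added Python example that is not part of the paper's simulator: each mature detector counts its r-contiguous matches and raises an alarm only when the count reaches the threshold. The 16-bit pattern, the two traffic streams and the match rule r=8 are constructed for this illustration; a lower threshold alarms earlier on the attack stream but is also tripped by accidental matches in normal traffic.

```python
"""Activation threshold simulation (added example; streams are constructed)."""


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if a and b agree in at least r contiguous bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


class Detector:
    """Mature detector with a match counter; it activates at the threshold."""

    def __init__(self, pattern: str):
        self.pattern = pattern
        self.count = 0
        self.active = False


def run_stream(patterns, stream, r: int, threshold: int):
    """Feed a stream of encoded connections through fresh detectors.

    Returns the stream indices at which a detector activated (raised an alarm).
    An active detector stays active, so each detector alarms at most once."""
    detectors = [Detector(p) for p in patterns]
    alarms = []
    for t, conn in enumerate(stream):
        for d in detectors:
            if d.active or not r_contiguous_match(d.pattern, conn, r):
                continue
            d.count += 1
            if d.count >= threshold:
                d.active = True
                alarms.append(t)
    return alarms


def compare_thresholds(patterns, normal_stream, attack_stream, r, thresholds):
    """For each threshold return (index of the first alarm on the attack
    stream, or None if it never fires; number of false alarms on normal traffic)."""
    out = {}
    for th in thresholds:
        first = run_stream(patterns, attack_stream, r, th)
        false_alarms = run_stream(patterns, normal_stream, r, th)
        out[th] = (first[0] if first else None, len(false_alarms))
    return out


PATTERN = "1111000011110000"  # one constructed 16-bit mature detector
R = 8                         # constructed match rule: 8 contiguous bits
BENIGN = "0000111100001111"   # complement of PATTERN: never matches
NOISE = "1111000000000000"    # shares the first 8 bits with PATTERN: accidental match
ATTACK = PATTERN              # repeated flooding connections that match exactly

# Normal traffic: 20 connections containing two accidental partial matches.
NORMAL_STREAM = [BENIGN] * 9 + [NOISE] + [BENIGN] * 9 + [NOISE]
# Attack traffic: 5 normal connections followed by 10 attack connections.
ATTACK_STREAM = [BENIGN] * 5 + [ATTACK] * 10

if __name__ == "__main__":
    results = compare_thresholds([PATTERN], NORMAL_STREAM, ATTACK_STREAM, R, (2, 6, 10))
    for th, (first, fps) in results.items():
        print(f"threshold {th:2d}: first alarm at index {first}, false alarms {fps}")
```

With threshold 2 the detector alarms on the second attack connection but is also tripped by the two accidental matches in the normal stream; with thresholds 6 and 10 the normal stream produces no alarm at all, at the price of a later first alarm on the attack stream. This is the delay-versus-false-positive tradeoff that Figure 10 reports.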

Figure 10 (A) Evaluation of detection rate

Figure 10 (B) Evaluation of false positive rate

The Gnutella peer-to-peer network has two versions, Gnutella 0.4 and Gnutella 0.6. In Gnutella 0.6, peers with high processing power, called ultrapeers, are used. In this system, both versions of the Gnutella peer-to-peer network are examined for intrusion detection with a one-point crossover operator and with a two-point crossover operator [18,20,27,31]. Simulation results indicate that intrusion detection performs best in the Gnutella 0.6 hybrid peer-to-peer network with the two-point crossover operator. As the number of detectors increases, more attacks are discovered. Figure 6 compares the two Gnutella versions under the different crossover operators.

Figure 11 (A) Comparison of attack detection percentage to the number of detectors for Gnutella

Figure 11 (B) Comparison of attack detection percentage to the number of detectors for Gnutella 0.6.

Delay

Delay is the time between the occurrence of an attack and the moment the intrusion detection system reacts to it. In the proposed system, the average identification time for each attack is 15 seconds.

CONCLUSION

The proposed system uses anomaly-based and signature-based detection. Each time an attack is identified, a new generation is added to the detector dataset. As false positives decrease, attack detection increases.

REFERENCES

1. Artificial immune system (AIS): http://www.artificial-immune-system.org

2. gtk-gnutella: http://www.gtk-gnutella.com

3. Swiss Federal Institute of Technology (ETH) Zurich, 2005.

4. Architecture Group (SWAG), Department of Computer Science, University of Waterloo, Ontario N2L 3G1, Canada.

5. U. Aickelin, P. Bentley, S. Cayzer, J. Kim and J. McLeod. "Danger Theory: The Link between Artificial Immune Systems and Intrusion Detection Systems." Proceedings of the 2nd International Conference on Artificial Immune Systems, 2003: 147-155.

6. U. Aickelin and J. Greensmith. "The deterministic dendritic cell algorithm." In Proceedings of the 7th International Conference on Artificial Immune Systems (ICARIS), 2008: 291-302.

7. U. Aickelin, J. Greensmith and J. Twycross. "Immune system approaches to intrusion detection – a review." In Proceedings of the Third International Conference on Artificial Immune Systems, Lecture Notes in Computer Science 3239, 2004: 316-329.

8. A. Okine, D. Dasgupta and Nii. "Immunity-based systems: A survey." In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, 1997: 369-374.

9. P.J. Bentley and J. Kim. "Evaluating negative selection in an artificial immune system for network intrusion detection." Proceedings of GECCO, 2001: 1330-1337.

10. P.J. Bentley and J. Kim. "Towards an artificial immune system for network intrusion detection: An investigation of dynamic clonal selection." In the Congress on Evolutionary Computation (CEC-2001), Seoul, Korea, 2001: 1244-1252.

11. U. Aickelin and D. Dasgupta, University of Nottingham, Nottingham, 2004.

12. L.J. Cannady and J. Gonzalez. "A self-adaptive negative selection approach for anomaly detection." In Proceedings of the 2004 Congress on Evolutionary Computation, 2004: 1561-1568.

13. S. Cayzer and U. Aickelin. "Danger theory and its applications to AIS." In Proceedings of the Second International Conference on Artificial Immune Systems (ICARIS-02), 2002: 141-148.

14. R. Chang. "Defending Against Flooding-Based Distributed Denial-of-Service Attacks." IEEE Communications Magazine, 2001: 42-51.

15. E. Athanasopoulos, K.G. Anagnostakis and E. Markatos. "Misusing unstructured p2p systems to perform dos attacks: The network that never forgets." In Proceedings of the 4th International, 2006.

16. F.S. de Paula, L.N. de Castro and P.L. de Geus. "An intrusion detection system using ideas from the immune system." In Proceedings of the IEEE Congress on Evolutionary Computation (CEC-2004), 2004: 1059-1066.

17. S. Forrest, A. Perelson, S. Allen and L.R. Cherukuri. "Self-Nonself Discrimination in a Computer." In Proceedings of the IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, 1994: 202-212.

18. M. Foster and I. Ripeanu. "Mapping the Gnutella network." In Proceedings of the 1st International Workshop on Peer-to-Peer Systems, Cambridge, MA, 2002: 85-93.

19. G. Oikonomou, P. Reiher, M. Robinson and J. Mirkovic. "A framework for collaborative DDOS defense." In Proceedings of the 2006 Annual Computer Security Applications Conference, 2006: 33-42.

20. M. Garcia, Y. Beverly and Hector. "Designing a super-peer network." In Proceedings of the 19th International Conference on Data Engineering, 2003: 49-61.

21. J. Greensmith, J. Twycross and U. Aickelin. "Dendritic cells for anomaly detection." In Proceedings of the Congress on Evolutionary Computation (CEC), 2006: 664-671.

22. J. Guan, D.X. Liu and B.G. Cui. "An induction learning approach for building intrusion detection models using genetic algorithms." In Proceedings of the Fifth World Congress on Intelligent Control and Automation (WCICA), vol. 5, 2004: 4339-4342.

23. J.B. Raven Alder, Adam Doxtater, James Foster, Toby Kohlenberg and Michael Rash. "Snort 2.1 Intrusion Detection," 2nd ed. Rockland, MA: Syngress (distributed by O'Reilly and Associates), 2004.

24. L. Xiao, Y. Liu and L.M. Ni. "Improving Unstructured Peer-to-Peer Systems by Adaptive Connection Establishment." IEEE Transactions on Computers, 2005.

25. J. Mirkovic, G. Prier and P. Reihe. "Alliance formation for DDoS defense." 2003: 11-18.

26. Q. Lv, S. Ratnasamy and S. Shenker. "Can heterogeneity make gnutella scalable?" In Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS), Cambridge, MA, USA, 2002.

27. S. Stepney, R. Smith, J. Timmis and A. Tyrrell. "Towards a conceptual framework for artificial immune systems." In Proceedings of the 3rd International Conference on Artificial Immune Systems (ICARIS), LNCS 3239, 2004: 53-64.

28. teur), 125C, pp373-389, 1974

29. S. Singh. "Anomaly detection using negative selection based on the r-contiguous matching rule." In Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS-02), 2002: 99-106.

30. S. Spinellis and D. Androutsellis. "A Survey of Peer-to-Peer Content Distribution Technologies." ACM Computing Surveys, vol. 36, 2004: 335-371.

31. Stolfo, W. Lee and J. Salvatore. "A framework for constructing features and models for intrusion detection systems." ACM Transactions on Information and System Security (TISSEC), vol. 3, 2000: 227-261.

32. U. Mueen, K. Khowaja and A.R. Azizah. "Dynamic Multi Layer signature based IDS using Mobile Agents." International Journal of Network Security and its Applications, vol. 2, no. 4, 2010: 129-141.

33. Z. Ge, D. Figueiredo, S. Jaiswal, J. Kurose and D. Towsley. "Modeling peer-peer file sharing systems." 2003: 2188-2198.

34. F. Forrest and S. Esponda. "Detector coverage under the r-contiguous bits matching rule." 2002.

35. S. Dietrich, N. Long and D. Dittrich. "Analyzing distributed denial of service tools: the shaft case." In Proceedings of USENIX (Dec 2000).

36. E. Meshkova, J. Riihijärvi, M. Petrova and P. Mähönen. "A survey on resource discovery mechanisms, peer-to-peer and service discovery frameworks." Computer Networks, Department of Wireless Networks, RWTH Aachen University, Kackertstrasse 9, D-52072 Aachen, Germany, 2008: 2097-2128.

37. Department of Health and Human Services, National Institutes of Health, 2003.

40. Gomes. "Gnutella keeps growing and growing." Online, WSJ Interactive Edition, http://www.zdnet.com/zdnn/stories/news/0,4586,2766234,00.html, May 2001.

41. Thomas Dübendorfer and Arno Wagner. "Past and Future Internet Disasters: DDoS attacks."

42. D. Moore, G.M. Voelker and S. Savage. "Inferring internet denial of service activity." In Proceedings of the USENIX Security Symposium (August 2001).