Embedded Intrusion Detection and Authority Management System

Abindas PK, Parthasarthi R
Department of Electronics and Communication, Park College of Engineering and Technology, Kaniyur, Coimbatore-641659
email@example.com, firstname.lastname@example.org

Abstract

Embedded systems are becoming a main solution to many specific tasks because of their high stability, minimal power consumption, portability and numerous uses. Nowadays, many new applications are developed using embedded systems. This paper presents the possible usage, design and implementation on an embedded Linux platform of a system for intrusion detection (Smurf attack detection). By applying these methods the embedded system is able to identify Smurf attacks and analyze ICMP traffic. In order to monitor network transmission effectively and safely and to detect suspicious behavior in the network, the intrusion detection software was solidified in an embedded hardware development board. The system adopted a real-time Linux operating system widely used in the industrial field, achieved real-time detection and prevention of hacking attacks including port scans, buffer overflow attacks, backdoor attacks, DoS attacks, other information-gathering network attacks and so on, reduced development costs and increased data processing speed. It is significant that network security products developed on embedded Linux have a very high market potential.

Keywords: Embedded System, Computer Security, DDoS Attack, Smurf Attack, Intrusion Detection, Authority Management, Cyber Security

I. Introduction

With its development, the Internet has become an indispensable tool in people's life and work. The Internet has brought many conveniences and much efficiency, but the security threats brought by the Internet and local area networks have bothered people all the time. The information transmitted over the traditional Internet was sent in the clear, so users' accounts, passwords and business secrets can be stolen by others easily. Most enterprises, institutions and individuals face a double threat, from inside and from outside. Many domestic enterprises call for Internet security devices and software. The devices available at home and abroad cannot be used extensively to establish Internet security because of their high price, complex operation, dependence on an operating system and low independence. With the development of embedded technology, the processing ability of embedded chips is growing and their cost is falling. Embedded operating systems have been used in many fields such as industrial control and amusement games. If we adopt embedded technology in Internet security products, the cost will be decreased greatly and real-time processing ability will be improved greatly.

An embedded system is a system that is designed to serve specific tasks. Almost all embedded systems come in a compact size, so users are able to use them as additional parts of other devices or to construct specific applications with them. Embedded systems have many advantages such as high efficiency, long service life and economical energy consumption. Embedded systems have become ubiquitous, as can be seen in many new devices and systems such as cellular phones, PDAs and wireless networks.

II. Smurf Attack

The Smurf attack is a well-known type of DDoS attack in which an attacker exploits unprotected computers on the Internet to direct a flood of ICMP echo reply messages towards the victim computer. Primarily, the Smurf attack exploits the ICMP messages that are among the most commonly used diagnostic tools for troubleshooting problems in a network. A computer system that receives an ICMP echo request message is expected to respond by sending an ICMP echo reply message back to the sender. The packet format used by the ICMP echo request and echo reply is shown in Fig. 1. The ICMP echo request and echo reply messages are identified by the value of the TYPE field: the echo request has TYPE field value = 8, whereas the echo reply has TYPE field
value = 0. The OPTIONAL DATA field holds data that are returned to the sender by the receiver of the ping messages. The IDENTIFIER and SEQUENCE NUMBER fields are used to match the request and reply messages.

Figure 1. ICMP Echo Request/Reply Message Format

 0        7 8        15 16              31
+----------+-----------+-----------------+
|   TYPE   |  CODE (0) |    CHECKSUM     |
+----------+-----------+-----------------+
|      IDENTIFIER      | SEQUENCE NUMBER |
+----------------------+-----------------+
|            OPTIONAL DATA ...           |
+----------------------------------------+

Both ICMP echo request and ICMP echo reply messages are used in a Smurf attack. A perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having the spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP-broadcast-to-layer-2-broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. If the broadcast domain has N computers, then for each echo request message sent to the broadcast domain, N echo reply messages are generated and sent not to the original sender but to the victim's computer (due to the spoofed source address in the ICMP echo request messages). In effect, the broadcast domain helps amplify and direct the DDoS attack traffic towards the victim computer. If more than one broadcast domain is involved, the DDoS attack traffic can be amplified even further, and the victim computer is flooded with a large number of ICMP echo reply messages, resulting in bandwidth exhaustion and also resource exhaustion of the victim computer.

III. Smurf Attack Diagram

The Smurf attack is a nasty type of DDoS attack. The attacker sends a large number of ICMP packets to a broadcast address and uses the victim's IP address as the source IP, so the replies from all the devices that respond to the broadcast address will flood the victim. The attacker can use a low-bandwidth connection to kill high-bandwidth connections. Fig. 2 shows the diagram of the Smurf attack.

Figure 2. Smurf Attack Diagram

The above diagram shows the structure of a Smurf attack. The attacker sends a stream of ICMP echo packets to the router at 128 kbps. The attacker modifies the packets by changing the source IP address to be that of the victim's computer, so replies to the echo packets will be sent to that address. The destination address of the packets is a broadcast address of the so-called bounce site.

IV. System Architecture

The Internet use behaviors of many small and medium enterprises were investigated. The results were as follows:
1) Internet transactions are simple by comparison: dispatching e-mail and browsing web pages (https, telnet and ftp).
2) The external bandwidth is generally no more than 10M, while the internal network is built on Ethernet whose bandwidth is more than 100M.
3) The need for Internet security is visible, but the hardware budget is low and there is generally a firewall.
4) Only one network manager is needed, so the labor cost is low.

Based on the investigation results, a network security scheme in which a firewall cooperates with a lightweight IDS (Intrusion Detection System) is put forward, aimed at the network security of small and medium enterprises.

A. System Architecture Analysis

Fig. 3 shows the system architecture. The intrusion detection system is located between the intranet and the Internet, so it can detect intrusions from the Internet and attacks from the intranet.
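The following C program is an added example, not code from the paper or from the authors' detector. It implements the message format of Fig. 1 from Section II: it parses an ICMP echo request or reply, checks the TYPE and CODE values the text gives (8 and 0 for request and reply, CODE 0), verifies the CHECKSUM (assumed to be the standard one's-complement checksum over the whole ICMP message, as in RFC 792/1071, which the paper does not spell out), and exposes the IDENTIFIER and SEQUENCE NUMBER that a detector uses to pair a reply with its request. The build function is the counterpart that a ping tool or a test harness uses to produce a well-formed message; the sample packet bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP echo request/reply header, the layout of Figure 1 (RFC 792 echo message). */
#define ICMP_ECHO_REPLY   0
#define ICMP_ECHO_REQUEST 8
#define ICMP_ECHO_HDR_LEN 8

struct icmp_echo {
    uint8_t  type;        /* 8 = echo request, 0 = echo reply */
    uint8_t  code;        /* always 0 for echo messages */
    uint16_t checksum;
    uint16_t identifier;  /* with sequence, pairs a reply to the request it answers */
    uint16_t sequence;
    const uint8_t *data;  /* OPTIONAL DATA, points into the caller's buffer */
    size_t   data_len;
};

/* Assumed checksum: RFC 1071 one's-complement sum over the whole ICMP message. */
static uint16_t icmp_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (i < len)                       /* odd trailing byte is padded with a zero */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)                  /* fold carries back into the low 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an echo message (what a ping tool or a test harness does). Returns the
 * number of bytes written, or 0 if the output buffer is too small. */
size_t build_icmp_echo(uint8_t type, uint16_t id, uint16_t seq,
                       const uint8_t *data, size_t dlen, uint8_t *out, size_t cap) {
    size_t len = ICMP_ECHO_HDR_LEN + dlen;
    uint16_t cs;
    if (cap < len) return 0;
    out[0] = type;  out[1] = 0;
    out[2] = 0;     out[3] = 0;        /* checksum field is zero while summing */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)seq;
    if (dlen) memcpy(out + ICMP_ECHO_HDR_LEN, data, dlen);
    cs = icmp_checksum(out, len);
    out[2] = (uint8_t)(cs >> 8); out[3] = (uint8_t)cs;
    return len;
}

/* Parse and validate. Returns 1 for a well-formed echo request/reply with a correct
 * checksum, 0 for anything else (truncated, other ICMP type, non-zero code, bad sum). */
int parse_icmp_echo(const uint8_t *buf, size_t len, struct icmp_echo *out) {
    if (len < ICMP_ECHO_HDR_LEN) return 0;
    if (buf[0] != ICMP_ECHO_REQUEST && buf[0] != ICMP_ECHO_REPLY) return 0;
    if (buf[1] != 0) return 0;
    /* Summing a message that includes its own checksum gives all ones, so the
     * complemented result of a valid message is zero. */
    if (icmp_checksum(buf, len) != 0) return 0;
    out->type       = buf[0];
    out->code       = buf[1];
    out->checksum   = (uint16_t)((buf[2] << 8) | buf[3]);
    out->identifier = (uint16_t)((buf[4] << 8) | buf[5]);
    out->sequence   = (uint16_t)((buf[6] << 8) | buf[7]);
    out->data       = buf + ICMP_ECHO_HDR_LEN;
    out->data_len   = len - ICMP_ECHO_HDR_LEN;
    return 1;
}

/* Constructed sample: echo request, identifier 0x1234, sequence 1, data "abcd";
 * the checksum of this message works out to 0x2104. */
static const uint8_t SAMPLE_REQUEST[12] = {
    0x08, 0x00, 0x21, 0x04, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd'
};

int main(void) {
    struct icmp_echo e;
    uint8_t corrupted[12];
    if (parse_icmp_echo(SAMPLE_REQUEST, sizeof SAMPLE_REQUEST, &e))
        printf("echo request id=0x%04x seq=%u data_len=%zu\n",
               e.identifier, e.sequence, e.data_len);
    memcpy(corrupted, SAMPLE_REQUEST, sizeof corrupted);
    corrupted[9] ^= 0x01;              /* flip one payload bit: checksum no longer matches */
    printf("corrupted copy accepted: %d\n",
           parse_icmp_echo(corrupted, sizeof corrupted, &e));
    return 0;
}
```

A detector that reads frames from a monitor port should run every ICMP message through a validator like parse_icmp_echo before counting it: a message with a bad checksum or an unexpected CODE would be dropped by the receiving host anyway, and counting it would skew the echo reply/echo request ratio that Section V relies on.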
Figure 3. System architecture of IDS

B. Choice of Hardware Platform

The core component of an embedded system is the embedded processor. Embedded system designs differ greatly, so the choice of processor varies. The following main factors must be taken into account when choosing the processor: 1) processing ability; 2) technical index; 3) power dissipation; 4) software support tools; 5) whether it has an on-chip debug facility; 6) whether the supplier offers an evaluation board. Other factors that should be considered are manufacturing scale, market goal, and the reliability of the software relative to the hardware.

The development board of this embedded system is a mini embedded board configured with an embedded processor of low power dissipation (no more than 1 W). It supports two clock rates, 500 MHz and 433 MHz, supports DDR EMS memory, is equipped with abundant and complete peripheral functions, accords with the system design scheme, and can improve the running speed and reliability of the embedded intrusion detection system.

C. Choice of Software Environment

1) Choice of Operating System

Differences in hardware affect the choice of operating system. Low-end CPUs without an MMU (Memory Management Unit) should use the uClinux operating system, while relatively high-end hardware can use a common embedded Linux operating system. uClinux and common Linux have their respective advantages and disadvantages. How to choose an operating system that suits the development of a project is a key problem. Considered comprehensively, this work adopts the Linux 2.4.18 kernel as the underlying operating system. Linux 2.4.18 is a kernel version widely used in the field of embedded development abroad. It supports more types of CPU, and its performance is stable.

2) Choice of Programming Language

The main factors in the choice of programming language are as follows: generality; degree of portability; execution efficiency; maintainability. The system has been developed in standard C++. GCC is used as the compiler and linker.

D. Experimental Setup

Experiments to simulate an attack involving real computer systems were designed. In these experiments, a Smurf attack was generated in a controlled environment. A Linux Ubuntu-based computer was used as the victim computer of the Smurf attack. Table 1 shows the detailed experimental setup information.

Table 1. Desktop Experimental Setup

Processor              Intel(R) Core(TM)2 Duo
Clock Frequency        2.20 GHz
Operating System       Ubuntu 2.6.20-16-generic
L1 I-Cache             32k
L1 D-Cache             32k
L2 Cache               2048k
Main memory size       2075772k
FSB (Front side bus)   365.56
Memory Bus             609.26

V. Result and Discussion

The embedded detector has been implemented on a Linux 2.4.18 Single Board Computer (SBC) and programmed in C. Developing it as a low-end detector has the benefit that the system modules are natively more secure, with substantially good system performance. In addition, a lot of legacy C library code can easily be ported. At first, ICMP traffic in the LAN was monitored and analyzed to learn what ICMP messages go through the entire network interface, whether there are many more echo replies than echo requests, and whether the reply messages arrive within a short period of time or not. Then, to get an overall picture of LAN traffic information, a web-based Embedded Network Monitor System developed in our lab was run for 24 hours in order to gather traffic information. Figure 4 shows the detailed statistical results about network traffic information.
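The following C program is an added example, not the authors' detector, written to show the monitoring logic that Section V describes (whether there are many more echo replies than echo requests and whether they arrive within a short period of time) together with the IDENTIFIER/SEQUENCE NUMBER pairing of Fig. 1. It records the echo requests the protected host sends, matches each inbound echo reply against them, and counts replies that answer no request of ours: in a Smurf attack the reflected replies carry the identifier and sequence of the attacker's spoofed requests, which the victim never sent. The window length (1 s), the alarm threshold (50 unsolicited replies per window) and the pending-request table size are assumed values chosen for the example; the event trace is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REPLY   0
#define ICMP_ECHO_REQUEST 8
#define MAX_PENDING       256     /* assumed: outstanding requests remembered */
#define WINDOW_MS         1000    /* assumed "short period of time" for counting */
#define UNSOLICITED_LIMIT 50      /* assumed: unsolicited replies per window that alarm */
#define PENDING_FREE      0xffffffffu

/* One ICMP echo message as seen on the switch monitor port. */
struct icmp_event {
    uint32_t t_ms;        /* capture time in milliseconds */
    uint8_t  type;        /* ICMP_ECHO_REQUEST or ICMP_ECHO_REPLY */
    uint8_t  from_victim; /* 1 if the protected host sent it, 0 if it was received */
    uint16_t id, seq;     /* IDENTIFIER / SEQUENCE NUMBER of Fig. 1 */
};

struct smurf_detector {
    uint32_t pending[MAX_PENDING]; /* id<<16 | seq of requests still awaiting a reply */
    size_t   next_slot;            /* ring index: the oldest entry is overwritten */
    uint32_t win_start_ms;
    unsigned win_requests, win_replies, win_unsolicited;
    int      win_alerted;          /* at most one alarm per window */
    unsigned total_alerts;
};

void detector_init(struct smurf_detector *d) {
    memset(d, 0, sizeof *d);
    for (size_t i = 0; i < MAX_PENDING; i++) d->pending[i] = PENDING_FREE;
}

/* Start a new counting window once the current one has elapsed. */
static void window_roll(struct smurf_detector *d, uint32_t now) {
    if (now - d->win_start_ms < WINDOW_MS) return;
    d->win_start_ms = now;
    d->win_requests = d->win_replies = d->win_unsolicited = 0;
    d->win_alerted = 0;
}

/* Feed one event; returns 1 if this event raises an alarm. */
int detector_observe(struct smurf_detector *d, const struct icmp_event *ev) {
    uint32_t key = ((uint32_t)ev->id << 16) | ev->seq;
    window_roll(d, ev->t_ms);
    if (ev->type == ICMP_ECHO_REQUEST) {
        d->win_requests++;
        if (ev->from_victim) {                 /* remember what this host asked for */
            d->pending[d->next_slot] = key;
            d->next_slot = (d->next_slot + 1) % MAX_PENDING;
        }
        return 0;
    }
    if (ev->type != ICMP_ECHO_REPLY || ev->from_victim) return 0;
    d->win_replies++;
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (d->pending[i] == key) {            /* solicited: answers an outstanding request */
            d->pending[i] = PENDING_FREE;
            return 0;
        }
    }
    d->win_unsolicited++;                      /* reply to a request this host never sent */
    if (!d->win_alerted && d->win_unsolicited >= UNSOLICITED_LIMIT) {
        d->win_alerted = 1;
        d->total_alerts++;
        printf("ALARM t=%u ms: %u unsolicited echo replies (%u replies vs %u requests in window)\n",
               ev->t_ms, d->win_unsolicited, d->win_replies, d->win_requests);
        return 1;
    }
    return 0;
}

/* Constructed trace: three normal ping exchanges, then a burst of 60 replies whose
 * id/seq this host never used, the reflection pattern of a Smurf attack. */
size_t build_sample_trace(struct icmp_event *out, size_t cap) {
    size_t n = 0;
    for (uint16_t s = 1; s <= 3 && n + 2 <= cap; s++) {
        struct icmp_event req = { 100u * s, ICMP_ECHO_REQUEST, 1, 0x4242, s };
        struct icmp_event rep = { 100u * s + 5, ICMP_ECHO_REPLY, 0, 0x4242, s };
        out[n++] = req; out[n++] = rep;
    }
    for (uint16_t s = 0; s < 60 && n < cap; s++) {
        struct icmp_event rep = { 2000 + 10u * s, ICMP_ECHO_REPLY, 0, 0x0bad, s };
        out[n++] = rep;
    }
    return n;
}

/* Run the detector over a trace and return how many alarms fired. */
unsigned run_trace(const struct icmp_event *ev, size_t n, struct smurf_detector *d) {
    detector_init(d);
    for (size_t i = 0; i < n; i++) detector_observe(d, &ev[i]);
    return d->total_alerts;
}

int main(void) {
    struct icmp_event trace[80];
    struct smurf_detector d;
    size_t n = build_sample_trace(trace, 80);
    printf("alarms: %u\n", run_trace(trace, n, &d));
    return 0;
}
```

On the constructed trace the three legitimate replies are matched and silently consumed, while the burst of reflected replies crosses the threshold inside one window and raises a single alarm. On an embedded board the pending table and the thresholds are the knobs to tune: a larger table costs memory, a lower threshold catches smaller floods but will also alarm on hosts that legitimately receive many pings.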
Figure 4. Traffic Information

It is well known that the Smurf attack comes from the ICMP protocol (echo request and echo reply). The Embedded Detector can be used to scan all the classes of IP addresses (A, B, C). The new system successfully detects Smurf attacks from the switch monitor port. For the experimental test, a Smurf attack from the same gateway segment by a Linux-based desktop computer was deployed. At the end, the system writes all the detected information into a file. Thus, the new Embedded Detector system is considered to be a security scanner.

Table 2. New system scan information

Type of Network   IP             Detect Information   Time
Class A           10.172.1.255   169                  32 min
Class B           10.172.1.255   301                  46 min
Class C           10.172.1.255   397                  57 min

Table 3. Desktop-based scan information

Type of Network   IP             Detect Information   Time
Class A           10.172.1.255   169                  32 min
Class B           10.172.1.255   301                  46 min
Class C           10.172.1.255   397                  57 min

Tables 2 and 3 show the detailed attack detection results. Table 2 shows the low-end Embedded Detector results; the new system is capable of detecting malicious activities. The new system was compared with a desktop PC and the detection time was considered. Because of its low speed the embedded system cannot run fast, but it can detect attacks just like a high-speed desktop. The performance of the new system is evaluated by comparing the CPU status and memory usage before and during execution of the program.

VI. Conclusion

This paper presents an Embedded Detector for Smurf attack detection integrated into a low-end embedded Linux platform Single Board Computer (SBC). Based on the testing performed, the developed detector is found to perform on a par with an Ubuntu Linux desktop running the same application. Thus we can conclude that a low-end embedded Linux platform which integrates an open source TCP/IP network protocol stack is suitable for IPv4 applications. Apart from that, the inherited features of portability, low power, low cost and small size would make such a product competitive. The system adopts a real-time Linux operating system widely used in the industrial control field. It can offer real-time monitoring of network transmission. Once it detects an attack coming from inside or outside, it can accurately display the target and source, alert the manager in time, respond in real time, cut off the connection of the attack, and ensure the normal and safe operation of the network. The system has powerful functions and a simple operation interface. It can be widely used in finance, education, government agencies, the military, and small and medium enterprises and institutions.

References

[1] Zhaoyuehua, Jiangjun, Caiguixian, "The Design and Implementation of Intrusion Detection in Embedded System," Application of Electronic Technique, vol. 32, pp. 62-64, May 2006.
[2] Jiaxiaojian, Yurong, Meishuiliang, "The Design and Implementation of Intrusion Detection Recovery System Based on Network Processor," Application of Electronic Technique, vol. 32, pp. 39-42, September 2006.
[3] J. Xu and W. Lee, "Sustaining Availability of Web Services under Distributed Denial of Service Attacks," IEEE Transactions on Computers, vol. 52, Feb 2003.
[4] J. Turley, The Essential Guide to Semiconductors, Prentice Hall Professional Technical Reference, Upper Saddle River, NJ 07458, 2003, www.phptr.com
[5] Lee Gerber, "Denial of Service Attacks Rip the Internet," IEEE Computer, April 2000.
[6] "Smurf IP Denial-of-Service Attacks," CERT Advisory CA-1998-01, March 2000. http://www.cert.org/advisories/CA-1998-01.html
[7] D. Tennenhouse, "Embedding the Internet: Proactive Computing," Communications of the ACM, May 2000.
[8] Silvia Farraposo, Laurent Gallon, Philippe Owezarski, "Network Security and DoS Attacks," Feb 2005.