SNMP Project: SNMP-based Network Anomaly Detection Using Clustering


This document contains the implementation report of a system that is able to monitor a network using SNMP and identify specific possible attacks (DoS and port scan) using cluster analysis. In the first task, the program discovers the topology of the network. After a successful discovery phase, it is able to monitor the link utilization (network link-states) for a specified period of time and then detect anomalies using the k-means clustering scheme [1]. These anomalies are analyzed to recognize the attack. Moreover, the program also provides an advanced feature, defined as an optional task: it executes online monitoring and detects the attacks using the Davies-Bouldin Index as a quality scoring measurement [2].
--

Please contact lailiaidi at gmail.com for download requests.

Published in: Technology

EP2300 SNMP Project Report
Amy Skinner (skinner@kth.se) - Laili Aidi (aidi@kthse)

1. Summary

This project aims to design and implement a system that is able to monitor the network using SNMP and identify specific possible attacks (DoS and port scan) using cluster analysis. In the first task, the program discovers the topology of the network. After a successful discovery phase, it is able to monitor the link utilization (network link-states) for a specified period of time and then detect anomalies using the k-means clustering scheme [1]. These anomalies are analyzed to recognize the attack. Moreover, the program also provides an advanced feature, defined as an optional task: it executes online monitoring and detects the attacks using the Davies-Bouldin Index as a quality scoring measurement [2].

2. Software Design and MIB objects

A. The MIB objects used in this system are:

i. During network crawling, the System Group and the Interface Group (Interfaces table), as listed below:

- sysName, OID 1.3.6.1.2.1.1.5. This MIB object is used to get the administratively assigned name of the router.
- ifIndex, OID 1.3.6.1.2.1.2.2.1.1. This MIB object is used to get the interface index values of the router.
- ifDescr, OID 1.3.6.1.2.1.2.2.1.2. This MIB object is used to get the description of the specific interface discovered previously from the ifIndex request.
- ipAdEntIfIndex, OID 1.3.6.1.2.1.4.20.1.2. This MIB object represents the index that identifies the interface to which the entry applies, expressed as the value of the ifIndex MIB object. Using this MIB object, we can identify the interfaces that exist in the IP routing table of the router.
- ipAdEntAddr, OID 1.3.6.1.2.1.4.20.1.1. This MIB object represents the IP address of the specific interface of the router.

ii. To discover the network topology, we identified the link-level neighbors of each identified router using a MIB object in the Interface Group (IP routing tables), ipRouteNextHop, OID 1.3.6.1.2.1.4.21.1.7. This MIB object represents the next-hop IP address of a route in the router.

iii. To identify the attacks, we used two MIB objects in the Interface Group (Interfaces table) that relate to the interface utilization of a router, and which are therefore able to represent the link-states of the network, as listed below:

- ifInOctets, OID 1.3.6.1.2.1.2.2.1.10. This MIB object represents the total number of octets received on the specific interface of the router.
- ifInUcastPkts, OID 1.3.6.1.2.1.2.2.1.11. This MIB object represents the number of unicast packets delivered to a higher-layer protocol.

B. Below is the design of the software in this SNMP-based network management system, including the classes, key data structures and operations. A full-size class diagram is given in Appendix 5A.

i. Class Start, the starting point for running the program. It contains the constant variables used as default parameters to run the specific task if the user has not specified them with command line arguments.

ii. Class Router, represents the managed node (router), which contains:

- hostname, a String containing the hostname of the node
- interfaces, a Map from Integer (interface index) to the RouterInf data structure, containing the interfaces of a router
- localIps, a List of Strings containing the local IP addresses of a router
- neighborIps, a List of Strings containing the neighbor (next-hop) IP addresses of a router
iii. Class RouterInf, represents a network interface of the router, which contains:

- The IP address, called ip, a String.
- The description, called desc, a String.

iv. Class SNMPUtils, a static class that provides the SNMP values and operations needed to accomplish the task, which are:

- OID, a Map from human-readable OID names (Strings) to numeric OID values (Strings), for the MIB objects requested during the run of this program
- open() and close(), open and close the SNMP session
- getVarBind(), returns the SNMP getNext MIB variable-value binding (value with its OID)
- getVar(), returns the SNMP getNext MIB value

v. Class SNMPCrawler, responsible for the node and link discovery task of the test-bed network:

- createRouter(), creates a router and adds it to the global list of routers
- addInterfaces(), discovers and adds the list of interfaces of a router
- addNeighbors(), discovers and adds the list of link-level neighbors of a router

vi. Class SNMPPoller, provides the polling operation to capture the link-states of routers:

- poll() and onlinePoll(), the operations used in Task 2 and Task 3 respectively, either to poll all routers for a specified period of time and quit, or to poll continuously and call Clusterer after every w polling rounds.
- xRounds and yRounds, Hashtables from Integer to List of Long. The Integer is the round number, and the List of Long contains the sum of ifInOctets (respectively ifInUcastPkts) over every interface of each router in that round.

vii. Class PollingThread, has a composition relationship with Class SNMPPoller; it polls the information of the routers simultaneously in every round.

viii. Class Clusterer, a Thread that provides the clustering calculation based on the k-means clustering method and/or the Davies-Bouldin Index and shows the result. This class contains two data structures which represent the global state of the network in every round, and operations, which are:

- deltXt and deltYt, the delta values of the MIB objects ifInOctets and ifInUcastPkts from all routers in every round, calculated from the average of the sums of the MIB object over all interfaces of all routers in round t
- cluster(), the cluster formation operation, which performs clustering until convergence or until the maximum number of iterations for convergence (10 iterations) is reached
- getNewCentroids(), calculates the centroids from a list of type Cluster
- calcDbi(), the DBI value operation, used to get the Davies-Bouldin Index of the clusters in each calculation for the same dataset.
- findAttacks(), identifies the DoS and port scan attacks.

ix. Class Cluster, has a composition relationship with Class Clusterer and represents the cluster object, containing:

- CentroidX and CentroidY, the X and Y values of the centroid respectively
- Xs and Ys, hold the X and Y values respectively of all the points in this cluster
- getNumPoints(), returns the number of points in this cluster
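The discovery described in section 2 (sysName, then ifIndex/ifDescr for the interfaces, ipAdEntAddr/ipAdEntIfIndex to attach addresses to them, then ipRouteNextHop for the neighbors, repeated breadth-first until no new router appears) as an added example in Python. This is not the project's Java code: real agents would be queried with SNMP GETNEXT over these OIDs, whereas here each router is an in-memory dict from OID instance to value, constructed for the example. The rule that a next hop equal to one of the router's own addresses is a connected route rather than a neighbor is an assumption of this example, not something the report states.

```python
"""Added example, not the project's code: the section 2 crawl run over an
in-memory stand-in for SNMP agents. Every router and address below is
constructed for the example."""
from collections import deque

# Column OIDs from section 2A of the report (instance suffix appended per row)
OID = {
    "sysName":        "1.3.6.1.2.1.1.5",
    "ifIndex":        "1.3.6.1.2.1.2.2.1.1",
    "ifDescr":        "1.3.6.1.2.1.2.2.1.2",
    "ipAdEntAddr":    "1.3.6.1.2.1.4.20.1.1",
    "ipAdEntIfIndex": "1.3.6.1.2.1.4.20.1.2",
    "ipRouteNextHop": "1.3.6.1.2.1.4.21.1.7",
}


def walk(agent, base):
    """GETNEXT-style walk: all (oid, value) pairs under base, in OID order."""
    prefix = base + "."
    rows = [(oid, v) for oid, v in agent.items() if oid.startswith(prefix)]
    rows.sort(key=lambda r: tuple(int(x) for x in r[0].split(".")))
    return rows


def discover_router(agent):
    """Same steps as SNMPCrawler.createRouter / addInterfaces / addNeighbors."""
    name = walk(agent, OID["sysName"])[0][1]
    interfaces = {}
    for _, idx in walk(agent, OID["ifIndex"]):          # one row per interface
        interfaces[int(idx)] = {"ip": None, "desc": None}
    for oid, desc in walk(agent, OID["ifDescr"]):       # ifDescr.<ifIndex>
        interfaces[int(oid.rsplit(".", 1)[1])]["desc"] = desc
    for _, ip in walk(agent, OID["ipAdEntAddr"]):       # ipAdEntAddr.<ip> -> ip
        idx = int(agent[OID["ipAdEntIfIndex"] + "." + ip])
        interfaces[idx]["ip"] = ip
    local = {i["ip"] for i in interfaces.values() if i["ip"]}
    # Assumption of this example: a next hop that is one of our own addresses
    # is a directly connected route, not a neighbor.
    neighbors = sorted({nh for _, nh in walk(agent, OID["ipRouteNextHop"])
                        if nh not in local})
    return {"name": name, "interfaces": interfaces, "neighbors": neighbors}


def crawl(agents, start_ip):
    """Breadth-first crawl from start_ip: discover the router owning each
    queued address, then queue its next hops, until no new router appears."""
    owner = {}
    for agent in agents:
        for _, ip in walk(agent, OID["ipAdEntAddr"]):
            owner[ip] = agent
    routers, crawled, queue = {}, set(), deque([start_ip])
    while queue:
        ip = queue.popleft()
        agent = owner.get(ip)
        if agent is None or id(agent) in crawled:   # nothing answers, or seen already
            continue
        crawled.add(id(agent))
        router = discover_router(agent)
        routers[router["name"]] = router
        queue.extend(router["neighbors"])
    return routers


def make_agent(name, ifaces, routes):
    """Constructed MIB snapshot: ifaces = [(ifIndex, ifDescr, ip or None)],
    routes = [(destination, next hop)]."""
    agent = {OID["sysName"] + ".0": name}
    for idx, desc, ip in ifaces:
        agent[f'{OID["ifIndex"]}.{idx}'] = str(idx)
        agent[f'{OID["ifDescr"]}.{idx}'] = desc
        if ip:
            agent[f'{OID["ipAdEntAddr"]}.{ip}'] = ip
            agent[f'{OID["ipAdEntIfIndex"]}.{ip}'] = str(idx)
    for dest, nh in routes:
        agent[f'{OID["ipRouteNextHop"]}.{dest}'] = nh
    return agent


# Constructed triangle RA-RB-RC; Null0 has no address, as in the report's crawl output.
AGENTS = [
    make_agent("RA", [(1, "FastEthernet0/0", "10.0.12.1"), (2, "FastEthernet0/1", "10.0.13.1"), (3, "Null0", None)],
               [("10.0.12.0", "10.0.12.1"), ("10.0.13.0", "10.0.13.1"), ("10.0.23.0", "10.0.12.2"), ("0.0.0.0", "10.0.13.3")]),
    make_agent("RB", [(1, "FastEthernet0/0", "10.0.12.2"), (2, "FastEthernet0/1", "10.0.23.2"), (3, "Null0", None)],
               [("10.0.12.0", "10.0.12.2"), ("10.0.23.0", "10.0.23.2"), ("10.0.13.0", "10.0.12.1"), ("0.0.0.0", "10.0.23.3")]),
    make_agent("RC", [(1, "FastEthernet0/0", "10.0.13.3"), (2, "FastEthernet0/1", "10.0.23.3"), (3, "Null0", None)],
               [("10.0.13.0", "10.0.13.3"), ("10.0.23.0", "10.0.23.3"), ("10.0.12.0", "10.0.13.1"), ("0.0.0.0", "10.0.23.2")]),
]

if __name__ == "__main__":
    for r in crawl(AGENTS, "10.0.12.1").values():
        print("Crawled Router:", r["name"])
        for idx, i in sorted(r["interfaces"].items()):
            print(f"    Interface ({idx}): {i['ip']} {i['desc']}")
        for nh in r["neighbors"]:
            print("    Neighbor:", nh)
```

The output mirrors the "Crawled Router" lines in Appendix B. Keying the visited set on the agent rather than on the address matters: every router is reachable through two addresses, and without it each router would be crawled once per interface.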
3. Clustering Algorithm and Anomaly Detection Scheme

    /** Clustering (k-means) **/
    delXt = createDeltas(createAverages(xRounds, "X"));
    delYt = createDeltas(createAverages(yRounds, "Y"));
    numDeltas = delXt.size();
    // pick k distinct random rounds p as the initial centroids (x(p), y(p));
    // random is a java.util.Random
    List<Cluster> initClusters = new ArrayList<Cluster>();
    Set<Integer> picked = new HashSet<Integer>();
    while (initClusters.size() < k) {
        int p = random.nextInt(numDeltas);
        if (picked.add(p)) {
            initClusters.add(new Cluster(delXt.get(p), delYt.get(p)));
        }
    }
    List<Cluster> clusters = cluster(initClusters);
    List<Cluster> newCentroids = getNewCentroids(clusters);
    int numIterations = 0;
    // iterate until the centroids stop moving, or MAX_CLUSTERING_ITERATIONS (10) is reached
    while (!haveSameCentroids(clusters, newCentroids)) {
        clusters = cluster(newCentroids);
        newCentroids = getNewCentroids(clusters);
        if (++numIterations >= MAX_CLUSTERING_ITERATIONS) break;
    }
    double dbi = computeDbi(clusters);

Our clustering algorithm is based on the instructions in sections 2.3b and 2.3c of the project description [3]. For all of our calculations we have kept track of the x value (the sum of the ifInOctets MIB values for every interface on a given router) and the y value (the sum of the ifInUcastPkts MIB values for every interface on a router) as separate variables, to keep the data structures as simple as possible, since they both change and are operated on independently of each other. At the end of the polling phase we have two tables that hold all of the polled values, xRounds and yRounds. These tables have the polling round number as keys, and the values are lists of the x or y values from all routers that responded with valid results for the corresponding polling round. This data, along with an integer interval, specifying how often polling should occur, an integer k, indicating the number of clusters that should be created, and repeats, indicating how many times we should recalculate the clusters for a different time period, are the inputs to the clustering function.

The clustering algorithm begins by determining the average global state for each round, by summing up all values in the list for that round and then dividing by the number of responses in the list. This number can vary if we have received a timeout when requesting a MIB value from a router. One of the biggest design choices for this project was deciding how to handle these timeouts. If we receive a timeout from a router while trying to get information about one of its interfaces, we do not add the information received from the other interfaces to the list for the round, so there will be one entry fewer in the list for this round. We have chosen to do this because we assume that the null responses from the routers occur independently of when an attack occurs (only as a result of too many students executing at one time), so we do not want to bring down the global state average for that round and create something that may look anomalous but is not caused by an attack. Another facet of this decision was: if we received a null during a poll of the x value from a router but not during a poll of the y value, should we add the y sum to the y list even though we are not adding the x value to the x list? We have decided that, because we are only dealing with global averages in this project and not with the information from specific routers, there is no reason why we cannot return one MIB sum value to help calculate the average. All of these conditions can be seen in the run() method of the PollingThread class, in SNMPPoller.java.
After averaging, we determine the changes in global state. This is done by finding the differences between consecutive averages, stored as deltXt and deltYt. Since we are storing all data for x and y separately, there is the possibility that these lists could become different lengths. However, this could only occur if we were to get null responses from all routers for one of the values but not the other in a given round. We consider this to be incredibly unlikely, so we assume the size of the x list to be the same as the size of the y list.

In the next step, we run a loop to pick new random points in the data set to be the initial centroids (x(p), y(p)). Then we loop through all of the rounds, and for each point (x(t), y(t)) we record the Euclidean distance to all of the initial centroids. After calculating the distances, the point is added to the cluster whose centroid is closest to it. The clusters are stored as lists of type Cluster. Then we compute the new centroid for each cluster. This step is repeated until we get the same centroids after an iteration (convergence), or until a maximum number of iterations (10) is reached. After the clusters are created, the Davies-Bouldin index (DBI) is computed for each clustering round. This entire clustering process is repeated repeats times, to compare values discovered from clusterings with different random initial centroids.

    /** Anomaly detection **/
    // the two clusters whose centroids lie furthest from the origin
    int largestCentroidCluster = getClusterWithLargestCentroid(clusters);
    int secondLargestCentroidCluster = getClusterWithSecondLargestCentroid(clusters);
    Cluster largest = clusters.get(largestCentroidCluster);
    Cluster secondLargest = clusters.get(secondLargestCentroidCluster);
    if (largest.getNumPoints() < secondLargest.getNumPoints()) {
        print("There was a DoS attack in cluster: " + (largestCentroidCluster + 1) + " -Rounds: ");
        for (int round : largest.getRounds()) {
            print(round + " ");
        }
        print("\nThere was a port scan attack in cluster: " + (secondLargestCentroidCluster + 1) + " -Rounds: ");
        for (int round : secondLargest.getRounds()) {
            print(round + " ");
        }
    } else {
        print("Unable to positively identify attacks due to cluster sizes and centroid values.");
    }

The anomaly detection scheme (ADS) works by using the qualities listed in section 2.3d of the project description. First, the top two clusters are picked by their centroid value, meaning the two clusters whose centroids are furthest from the origin. After that, we determine whether attacks have happened by testing whether the qualities of these two clusters agree with the qualities laid out in the project description: if the cluster with the larger of the two centroids has the smaller size, we call it a DoS attack, and can therefore call the other cluster a port scan attack. If these two clusters do not have these qualities, we consider it indeterminate whether there was an attack or not. This can happen due to a poor choice of random initial centroids, which prevents the clusters from forming in predictable ways. Our clusterer takes an integer variable repeats, which controls how many times we repeat the calculations with different initial random centroids, so that we are more accurately able to say during which rounds there may have been an attack. We have decided to run the ADS on all clusterings, rather than just the clustering with the lowest DBI, because we have found that the clusterings with the lowest DBI do not always show the most accurate attack detection (see Section 4A). We do, however, determine and output which clustering has the lowest DBI, to conform to the requirements of Task 3.
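The whole section 3 pipeline (the poller's timeout rule, averaging, deltas, k-means capped at 10 iterations, the DBI, the section 2.3d attack rule and the repeats loop) as an added example in Python. It is not the project's Java code, and SAMPLE_DELTAS is constructed data rather than output from the test-bed. It also covers one case the text leaves implicit: a cluster that loses all of its points keeps its previous centroid instead of dividing by zero.

```python
"""Added example, not the project's code: the section 3 pipeline in Python,
from per-router sums through averaging, deltas, k-means, DBI and the 2.3d
attack rule. SAMPLE_DELTAS is constructed data, not test-bed output."""
import math
import random

MAX_CLUSTERING_ITERATIONS = 10  # same cap as the report

def sum_router_counters(per_interface):
    """One router's sum for a round; a timeout (None) on any interface drops
    the whole router from the round, as the report's PollingThread does."""
    if any(v is None for v in per_interface):
        return None
    return sum(per_interface)

def create_averages(rounds):
    """Global state per round: mean of the router sums that arrived
    (rounds maps round number -> list of sums, timed-out routers omitted)."""
    return [sum(v) / len(v) for _, v in sorted(rounds.items()) if v]

def create_deltas(averages):
    """Change in global state between consecutive rounds (deltXt / deltYt)."""
    return [averages[t] - averages[t - 1] for t in range(1, len(averages))]

def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def assign(points, centroids):
    """Each point (one delta round) joins the cluster of its nearest centroid."""
    clusters = [[] for _ in centroids]
    for t, p in enumerate(points):
        clusters[min(range(len(centroids)), key=lambda c: _dist(p, centroids[c]))].append(t)
    return clusters

def new_centroids(points, clusters, old):
    """Mean of each cluster; an empty cluster keeps its previous centroid."""
    return [old[c] if not m else
            (sum(points[t][0] for t in m) / len(m), sum(points[t][1] for t in m) / len(m))
            for c, m in enumerate(clusters)]

def kmeans(points, k, init_indices):
    """k-means seeded with k data points; stops when the centroids stop moving
    (convergence) or after MAX_CLUSTERING_ITERATIONS."""
    centroids = [points[i] for i in init_indices]
    clusters = assign(points, centroids)
    for _ in range(MAX_CLUSTERING_ITERATIONS):
        updated = new_centroids(points, clusters, centroids)
        if updated == centroids:
            break
        centroids = updated
        clusters = assign(points, centroids)
    return clusters, centroids

def davies_bouldin(points, clusters, centroids):
    """DBI: mean over clusters i of max_j (scatter_i + scatter_j) / d(c_i, c_j)."""
    scatter = [sum(_dist(points[t], centroids[c]) for t in m) / len(m) if m else 0.0
               for c, m in enumerate(clusters)]
    total = 0.0
    for i in range(len(centroids)):
        total += max(((scatter[i] + scatter[j]) / _dist(centroids[i], centroids[j])
                      for j in range(len(centroids))
                      if j != i and _dist(centroids[i], centroids[j]) > 0), default=0.0)
    return total / len(centroids)

def find_attacks(clusters, centroids):
    """Rule 2.3d as the report applies it: of the two clusters whose centroids
    lie furthest from the origin, the further one is the DoS only if it is the
    smaller cluster; the other is then the port scan. Otherwise None (indeterminate)."""
    order = sorted(range(len(centroids)), reverse=True,
                   key=lambda c: _dist(centroids[c], (0.0, 0.0)))
    first, second = order[0], order[1]
    if len(clusters[first]) < len(clusters[second]):
        return {"dos": clusters[first], "port_scan": clusters[second]}
    return None

def run_clusterings(points, k, repeats, seed=1):
    """Repeat with different random initial centroids (the report's repeats);
    returns (dbi, attacks) for every clustering, since the report runs the ADS on all of them."""
    rng = random.Random(seed)
    results = []
    for _ in range(repeats):
        clusters, centroids = kmeans(points, k, rng.sample(range(len(points)), k))
        results.append((davies_bouldin(points, clusters, centroids),
                        find_attacks(clusters, centroids)))
    return results

# Constructed deltas (octets, packets): five quiet rounds, three port-scan-like
# rounds (many packets for the bytes) and one DoS-like round (huge byte count).
SAMPLE_DELTAS = [(100, 10), (110, 12), (90, 9), (105, 11), (95, 10),
                 (500, 300), (520, 310), (480, 290), (5000, 400)]

if __name__ == "__main__":
    cl, ce = kmeans(SAMPLE_DELTAS, 3, [0, 5, 8])
    print("DBI:", round(davies_bouldin(SAMPLE_DELTAS, cl, ce), 3), find_attacks(cl, ce))
```

Seeded with rounds 0, 5 and 8 the sample converges after a single centroid update and reports the DoS at delta round 8 and the port scan at rounds 5 to 7, with a low DBI. run_clusterings shows how much the outcome depends on the random initial centroids, which is the reason the report runs the ADS on every clustering rather than only on the one with the lowest DBI.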
4. Analysis of Results

In this section we present plots of data produced from a run of the program in Task 2. Similar data is created in Task 3, with the difference that the lowest DBI is identified, and only that data is output to a file. For this run of the program, we selected to do 15 clusterings to ensure a breadth of different results, and selected 3 unique clusterings to discuss here. For the plots we output data to files from our program and then use GnuPlot to create the images [4].

In section A, we see clustering round number 12. This round had the lowest DBI. However, we can see that the clusters were not very evenly distributed. We can tell that Cluster 1 (only one point, the centroid, so the red cross is covered by the light blue square) and Cluster 2 are likely anomalous, but maybe shouldn't be clustered as they are. This is due to poor random initialization of the centroids. As the initial centroid became the only member of Cluster 1 in the first iteration, it remained the only member of the cluster even after subsequent iterations.

In section B, we see clustering round number 13, with a somewhat higher DBI. In this round we still identify the attacks by the criteria given in section 2.3d of the project description; however, looking at the points, it appears that most of the anomalous points are clustered into Cluster 2, causing the algorithm to identify Cluster 1 as another anomalous cluster, even though many of its points appear to be in the normal range.

In section C, we see clustering round 15, with a moderately low DBI. In this clustering we have identified two anomalous-looking clusters, but were unable to identify either as a specific attack, because the cluster with the largest centroid also had the greatest size (contrary to the criteria).

A. Output from clustering 12:

    Calculation number: 12
    Cluster 1: INITIAL CENTROID: (2441728310,207925532) CENTROID: (2441728310,207925532) Distance to origin: 2147483647 size:1
    Cluster 2: INITIAL CENTROID: (471870614,60886306) CENTROID: (214883629,107039622) Distance to origin: 240067604 size:44
    Cluster 3: INITIAL CENTROID: (1885516800,337995273) CENTROID: (1789368680,226861600) Distance to origin: 1803692451 size:4
    Cluster 4: INITIAL CENTROID: (1714528937,12997585) CENTROID: (749674099,115085316) Distance to origin: 758456250 size:24
    DBI: 0.51
    There was a DoS attack in cluster: 1 -Rounds: 9
    There was a port scan attack in cluster: 3 -Rounds: 4 11 17 18
B. Output from clustering 13:

    Calculation number: 13
    Cluster 1: INITIAL CENTROID: (374573948,35643439) CENTROID: (805820188,111405014) Distance to origin: 813484635 size:19
    Cluster 2: INITIAL CENTROID: (660388911,93972355) CENTROID: (1919840606,223074386) Distance to origin: 1932757132 size:5
    Cluster 3: INITIAL CENTROID: (115915131,16393588) CENTROID: (112389070,105981524) Distance to origin: 154477786 size:28
    Cluster 4: INITIAL CENTROID: (253233972,55685827) CENTROID: (400624290,113025046) Distance to origin: 416262516 size:21
    DBI: 0.76
    There was a DoS attack in cluster: 2 -Rounds: 4 9 11 17 18
    There was a port scan attack in cluster: 1 -Rounds: 0 2 3 5 6 7 8 10 12 14 16 19 20 30 35 36 38 58 72

C. Output from clustering 15:

    Calculation number: 15
    Cluster 1: INITIAL CENTROID: (13258747,117923684) CENTROID: (148767001,101947479) Distance to origin: 180346635 size:33
    Cluster 2: INITIAL CENTROID: (704077379,56711499) CENTROID: (1580738673,176220052) Distance to origin: 1590530810 size:9
    Cluster 3: INITIAL CENTROID: (203160196,49844066) CENTROID: (580964867,78434420) Distance to origin: 586235562 size:29
    Cluster 4: INITIAL CENTROID: (171386150,79317073) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
    DBI: 0.6
    Unable to positively identify attacks due to cluster sizes and centroid values.
5. Appendix

A. UML Class diagram of the project

Figure 1. Class Diagram of the designed software
B. Console Output from the run of the program discussed in Section 4

    [aidl@brooklyn src]$ java Start -t 2 -r 15 -o 1
    Starting EP2300 SNMP assignment, Task 2 (Clustering Global States)
    Beginning crawl at IP: 192.168.1.10 (default)
    Crawled Router: R9
        Interface (1): 192.168.1.10 FastEthernet0/0
        Interface (2): 192.168.4.10 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.4.14
        Neighbor: 192.168.1.15
    Crawled Router: R13
        Interface (1): 192.168.4.14 FastEthernet0/0
        Interface (2): 192.168.14.14 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.14.1
        Neighbor: 192.168.4.10
    Crawled Router: R14
        Interface (1): 192.168.1.15 FastEthernet0/0
        Interface (2): 192.168.13.15 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.1.10
        Neighbor: 192.168.13.3
    com.adventnet.snmp.snmp2.SnmpException: Time Synchronization has failed.
        at com.adventnet.snmp.snmp2.usm.USMUserEntry.timeSynchronize(USMUserEntry.java:1185)
        at com.adventnet.snmp.snmp2.usm.USMUtils.doTimeSync(USMUtils.java:2028)
        at com.adventnet.snmp.snmp2.usm.USMUtils.doTimeSync(USMUtils.java:1927)
        at com.adventnet.snmp.snmp2.usm.USMUtils.init_v3_parameters(USMUtils.java:1414)
        at SNMPUtils.getVarBind(SNMPUtils.java:92)
        at SNMPUtils.getVarBind(SNMPUtils.java:132)
        at SNMPCrawler.addNeighbors(SNMPCrawler.java:112)
        at SNMPCrawler.createRouter(SNMPCrawler.java:68)
        at SNMPCrawler.start(SNMPCrawler.java:44)
        at SNMPCrawler.<init>(SNMPCrawler.java:25)
        at Start.main(Start.java:133)
    Crawled Router: R0
        Interface (1): 192.168.8.1 FastEthernet0/0
        Interface (2): 192.168.14.1 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.8.2
        Neighbor: 192.168.14.14
    Crawled Router: R2
        Interface (1): 192.168.12.3 FastEthernet0/0
        Interface (2): 192.168.13.3 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.13.15
        Neighbor: 192.168.12.4
    Crawled Router: R1
        Interface (1): 192.168.0.2 FastEthernet0/0
        Interface (2): 192.168.8.2 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.8.1
        Neighbor: 192.168.0.11
    Crawled Router: R3
        Interface (1): 192.168.9.4 FastEthernet0/0
        Interface (2): 192.168.12.4 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.12.3
        Neighbor: 192.168.9.9
    Crawled Router: R10
        Interface (1): 192.168.0.11 FastEthernet0/0
        Interface (2): 192.168.7.11 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.0.2
        Neighbor: 192.168.7.8
    Crawled Router: R8
        Interface (1): 192.168.9.9 FastEthernet0/0
        Interface (2): 192.168.10.9 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.9.4
        Neighbor: 192.168.10.12
    Crawled Router: R7
        Interface (1): 192.168.3.8 FastEthernet0/0
        Interface (2): 192.168.7.8 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.7.11
        Neighbor: 192.168.3.5
    Crawled Router: R11
        Interface (1): 192.168.10.12 FastEthernet0/0
        Interface (2): 192.168.11.12 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.11.13
        Neighbor: 192.168.10.9
    Crawled Router: R4
        Interface (1): 192.168.3.5 FastEthernet0/0
        Interface (2): 192.168.5.5 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.3.8
        Neighbor: 192.168.5.6
    Crawled Router: R12
        Interface (1): 192.168.2.13 FastEthernet0/0
        Interface (2): 192.168.11.13 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.2.16
        Neighbor: 192.168.11.12
    Crawled Router: R5
        Interface (1): 192.168.5.6 FastEthernet0/0
        Interface (2): 192.168.15.6 FastEthernet0/1
        Interface (3): null Null0
        Interface (4): 192.168.100.100 Loopback0
        Neighbor: 192.168.5.5
        Neighbor: 192.168.15.7
    Crawled Router: R15
        Interface (1): 192.168.2.16 FastEthernet0/0
        Interface (2): 192.168.6.16 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.6.7
        Neighbor: 192.168.2.13
    Crawled Router: R6
        Interface (1): 192.168.6.7 FastEthernet0/0
        Interface (2): 192.168.15.7 FastEthernet0/1
        Interface (3): null Null0
        Neighbor: 192.168.15.6
        Neighbor: 192.168.6.16
    Crawling completed: 40s
    [The network discovery of Task 1 is now completed; moving on to the polling of Task 2…]
    Beginning polling...
    Using interval : 2 seconds (default)
    Using timespan : 180 seconds (default)
    Using K-value : 4 (default)
    Will repeat calculations : 15 times
    [During the polling of Task 2 we frequently receive TimeSynchronizationExceptions, output by the SNMP class that we do not control. We also print a message every time we get a null response from a router; these nulls are handled as discussed in Section 3. We receive many of these throughout the polling, so most of this output has been edited away for simplicity, but here is a sample:]
    com.adventnet.snmp.snmp2.SnmpException: Discovery Failed
        at com.adventnet.snmp.snmp2.SnmpEngineEntry.discoverSnmpEngineID(SnmpEngineEntry.java:698)
        at com.adventnet.snmp.snmp2.usm.USMUtils.doDiscovery(USMUtils.java:1871)
        at com.adventnet.snmp.snmp2.usm.USMUtils.init_v3_parameters(USMUtils.java:1413)
        at SNMPUtils.getVarBind(SNMPUtils.java:92)
        at SNMPUtils.getVar(SNMPUtils.java:142)
        at PollingThread.run(SNMPPoller.java:197)
    com.adventnet.snmp.snmp2.SnmpException: Failed to authenticate the SecurityParameters for user 2G1332_student SnmpEngineEntry not found for address 192.168.10.12 port 161
        at com.adventnet.snmp.snmp2.Snmp3Message.processMessage(Snmp3Message.java:1132)
        at com.adventnet.snmp.snmp2.SnmpSession.processPDUForVersion3(SnmpSession.java:2297)
        at com.adventnet.snmp.snmp2.SnmpSession.setPDUParams(SnmpSession.java:2134)
        at com.adventnet.snmp.snmp2.SnmpSession.send(SnmpSession.java:1974)
        at com.adventnet.snmp.snmp2.SnmpSession.syncSend(SnmpSession.java:2558)
        at SNMPUtils.getVarBind(SNMPUtils.java:109)
        at SNMPUtils.getVar(SNMPUtils.java:142)
        at PollingThread.run(SNMPPoller.java:197)
    SNMP EXCEPTION ON IP: 192.168.10.12 OID: .1.3.6.1.2.1.2.2.1.10.1
    NPE in Polling Thread.run() - X - Router: R11 round:0
    RESULT IS NULL!!! TIMEOUT!!! IP: 192.168.0.2 OID: .1.3.6.1.2.1.2.2.1.10.1
    NPE in Polling Thread.run() - X - Router: R1 round:0
    RESULT IS NULL!!! TIMEOUT!!! IP: 192.168.9.9 OID: .1.3.6.1.2.1.2.2.1.11.2
    NPE in Polling Thread.run() - Y - Router: R8 round:0
    RESULT IS NULL!!! TIMEOUT!!! IP: 192.168.0.11 OID: .1.3.6.1.2.1.2.2.1.10.2
    NPE in Polling Thread.run() - X - Router: R10 round:1
    RESULT IS NULL!!! TIMEOUT!!! IP: 192.168.9.9 OID: .1.3.6.1.2.1.2.2.1.11.2
    NPE in Polling Thread.run() - Y - Router: R8 round:3
    RESULT IS NULL!!! TIMEOUT!!! IP: 192.168.2.16 OID: .1.3.6.1.2.1.2.2.1.11.2
    NPE in Polling Thread.run() - Y - Router: R15 round:3
    [End of the sample of errors… We now jump to poll completion, which begins by outputting the delta values created from the global link-states discovered during polling]
    Done polling (74 rounds): 216s
    Round: 1 Delta values (676248289,25047813)
    Round: 2 Delta values (518732205,69707029)
    Round: 3 Delta values (611057586,38984022)
    Round: 4 Delta values (615854761,10902145)
    Round: 5 Delta values (1714528937,12997585)
    Round: 6 Delta values (1140419653,186713705)
    Round: 7 Delta values (1190290703,59148273)
    Round: 8 Delta values (944308308,182602369)
    Round: 9 Delta values (642704189,9359653)
    Round: 10 Delta values (2441728310,207925532)
    Round: 11 Delta values (631360059,274612228)
    Round: 12 Delta values (1885516800,337995273)
    Round: 13 Delta values (1186561012,203413028)
    Round: 14 Delta values (524948788,288193238)
    Round: 15 Delta values (751719760,157507201)
    Round: 16 Delta values (296589241,75250562)
    Round: 17 Delta values (1110173658,21333530)
    Round: 18 Delta values (1664293503,165717608)
    Round: 19 Delta values (1893135481,390735934)
    Round: 20 Delta values (716660127,596407796)
    Round: 21 Delta values (704077379,56711499)
    Round: 22 Delta values (474301583,5731296)
    Round: 23 Delta values (345660690,765909647)
    Round: 24 Delta values (578389504,246972096)
    Round: 25 Delta values (210776255,228074584)
    Round: 26 Delta values (249289848,205913351)
    Round: 27 Delta values (181309216,9536905)
    Round: 28 Delta values (135747952,199565599)
    Round: 29 Delta values (197541573,356299210)
    Round: 30 Delta values (21176490,184948620)
    Round: 31 Delta values (660388911,93972355)
    Round: 32 Delta values (471870614,60886306)
    Round: 33 Delta values (278383522,95271155)
    Round: 34 Delta values (37420732,161891933)
    Round: 35 Delta values (56636791,146153476)
    Round: 36 Delta values (895634506,29575242)
    Round: 37 Delta values (750450800,470387)
    Round: 38 Delta values (424665195,31493309)
    Round: 39 Delta values (636587427,24680096)
    Round: 40 Delta values (49593959,23426091)
    Round: 41 Delta values (115915131,16393588)
    Round: 42 Delta values (265811242,51863374)
    Round: 43 Delta values (524917957,40233073)
    Round: 44 Delta values (35145500,46103212)
    Round: 45 Delta values (467187496,127598320)
    Round: 46 Delta values (75268897,148930723)
    Round: 47 Delta values (381931973,67041728)
    Round: 48 Delta values (95511479,66281343)
    Round: 49 Delta values (33284764,43275525)
    Round: 50 Delta values (141795148,92786867)
    Round: 51 Delta values (339863732,124516950)
    Round: 52 Delta values (367192701,32836506)
    Round: 53 Delta values (13258747,117923684)
    Round: 54 Delta values (171386150,79317073)
    Round: 55 Delta values (192733861,50423466)
    Round: 56 Delta values (304023671,245948)
    Round: 57 Delta values (399287805,162308)
    Round: 58 Delta values (534606351,246896)
    Round: 59 Delta values (670542749,28956986)
    Round: 60 Delta values (380146409,47529811)
    Round: 61 Delta values (92925075,8801812)
    Round: 62 Delta values (127443602,56944295)
    Round: 63 Delta values (202964762,142709252)
    Round: 64 Delta values (458750223,170643896)
    Round: 65 Delta values (88486619,7202473)
    Round: 66 Delta values (169244056,55212656)
    Round: 67 Delta values (253233972,55685827)
    Round: 68 Delta values (39243653,103893047)
    Round: 69 Delta values (203160196,49844066)
    Round: 70 Delta values (27472574,234937466)
    Round: 71 Delta values (206672650,124642678)
    Round: 72 Delta values (374573948,35643439)
    Round: 73 Delta values (775543695,116296947)
    [After outputting the delta values, the clustering algorithm begins]
    Calculation number: 1
    Cluster 1: INITIAL CENTROID: (75268897,148930723) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
    Cluster 2: INITIAL CENTROID: (265811242,51863374) CENTROID: (580964867,78434420) Distance to origin: 586235562 size:29
    Cluster 3: INITIAL CENTROID: (518732205,69707029) CENTROID: (1580738673,176220052) Distance to origin: 1590530810 size:9
    Cluster 4: INITIAL CENTROID: (35145500,46103212) CENTROID: (148767001,101947479) Distance to origin: 180346635 size:33
    DBI: 0.6
    Unable to positively identify attacks due to cluster sizes and centroid values.
    Calculation number: 2
    Cluster 1: INITIAL CENTROID: (374573948,35643439) CENTROID: (522807513,76506519) Distance to origin: 528375759 size:26
    Cluster 2: INITIAL CENTROID: (474301583,5731296) CENTROID: (946176222,155346847) Distance to origin: 958844140 size:9
    Cluster 3: INITIAL CENTROID: (1186561012,203413028) CENTROID: (1919840606,223074386) Distance to origin: 1932757132 size:5
    Cluster 4: INITIAL CENTROID: (21176490,184948620) CENTROID: (148942667,121383621) Distance to origin: 192140317 size:33
    DBI: 0.71
    There was a DoS attack in cluster: 3 -Rounds: 4 9 11 17 18
    There was a port scan attack in cluster: 2 -Rounds: 5 6 7 12 14 16 19 35 72
    Calculation number: 3
    Cluster 1: INITIAL CENTROID: (21176490,184948620) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
    Cluster 2: INITIAL CENTROID: (181309216,9536905) CENTROID: (580964867,78434420) Distance to origin: 586235562 size:29
    Cluster 3: INITIAL CENTROID: (380146409,47529811) CENTROID: (1580738673,176220052) Distance to origin: 1590530810 size:9
    Cluster 4: INITIAL CENTROID: (49593959,23426091) CENTROID: (148767001,101947479) Distance to origin: 180346635 size:33
    DBI: 0.6
    Unable to positively identify attacks due to cluster sizes and centroid values.
    Calculation number: 4
    Cluster 1: INITIAL CENTROID: (39243653,103893047) CENTROID: (148767001,101947479) Distance to origin: 180346635 size:33
    Cluster 2: INITIAL CENTROID: (524948788,288193238) CENTROID: (623554579,392449562) Distance to origin: 736774708 size:6
    Cluster 3: INITIAL CENTROID: (751719760,157507201) CENTROID: (1580738673,176220052) Distance to origin: 1590530810 size:9
    Cluster 4: INITIAL CENTROID: (399287805,162308) CENTROID: (566758980,51288730) Distance to origin: 569074929 size:25
    DBI: 0.88
    Unable to positively identify attacks due to cluster sizes and centroid values.
    Calculation number: 5
    Cluster 1: INITIAL CENTROID: (135747952,199565599) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
    Cluster 2: INITIAL CENTROID: (471870614,60886306) CENTROID: (642200879,84508717) Distance to origin: 647737363 size:25
    Cluster 3: INITIAL CENTROID: (141795148,92786867) CENTROID: (179274839,93354752) Distance to origin: 202125153 size:38
    Cluster 4: INITIAL CENTROID: (1714528937,12997585) CENTROID: (1639559299,195580867) Distance to origin: 1651183384 size:8
    DBI: 0.59
    Unable to positively identify attacks due to cluster sizes and centroid values.
    Calculation number: 6
    Cluster 1: INITIAL CENTROID: (750450800,470387) CENTROID: (1639559299,195580867) Distance to origin: 1651183384 size:8
    Cluster 2: INITIAL CENTROID: (474301583,5731296) CENTROID: (642200879,84508717) Distance to origin: 647737363 size:25
    Cluster 3: INITIAL CENTROID: (181309216,9536905) CENTROID: (179274839,93354752) Distance to origin: 202125153 size:38
    Cluster 4: INITIAL CENTROID: (202964762,142709252) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
    DBI: 0.59
    Unable to positively identify attacks due to cluster sizes and centroid values.
    Calculation number: 7
    Cluster 1: INITIAL CENTROID: (35145500,46103212) CENTROID: (125609513,133119380) Distance to origin: 183026006 size:29
    Cluster 2: INITIAL CENTROID: (141795148,92786867) CENTROID: (794448653,118183368) Distance to origin: 803191117 size:19
    Cluster 3: INITIAL CENTROID: (127443602,56944295) CENTROID: (402050931,69039048) Distance to origin: 407935462 size:20
    Cluster 4: INITIAL CENTROID: (670542749,28956986) CENTROID: (1919840606,223074386) Distance to origin: 1932757132 size:5
    DBI: 0.72
    There was a DoS attack in cluster: 4 -Rounds: 4 9 11 17 18
    There was a port scan attack in cluster: 2 -Rounds: 0 2 3 5 6 7 8 10 12 14 16 19 20 30 35 36 38 58 72
    Calculation number: 8
    Cluster 1: INITIAL CENTROID: (1140419653,186713705) CENTROID: (1580738673,176220052) Distance to origin: 1590530810 size:9
    Cluster 2: INITIAL CENTROID: (206672650,124642678) CENTROID: (173328543,95873467) Distance to origin: 198077019 size:37
    Cluster 3: INITIAL CENTROID: (249289848,205913351) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
    Cluster 4: INITIAL CENTROID: (615854761,10902145) CENTROID: (613765445,83661868) Distance to origin: 619441142 size:25
    DBI: 0.59
    Unable to positively identify attacks due to cluster sizes and centroid values.
    Calculation number: 9
    Cluster 1: INITIAL CENTROID: (704077379,56711499) CENTROID: (967923491,172555343) Distance
toorigin: 983184230 size:9Cluster 2: INITIAL CENTROID: (27472574,234937466) CENTROID: (154557992,121475778) Distance toorigin: 196582139 size:34Cluster 3: INITIAL CENTROID: (381931973,67041728) CENTROID: (539230996,71544657) Distance toorigin: 543956528 size:25Cluster 4: INITIAL CENTROID: (1893135481,390735934) CENTROID: (1919840606,223074386)Distance to origin: 1932757132 size:5DBI: 0.69There was a DoS attack in cluster: 4-Rounds: 4 9 11 17 18There was a port scan attack in cluster: 1-Rounds: 5 6 7 12 14 16 19 35 72Calculation number: 10Cluster 1: INITIAL CENTROID: (202964762,142709252) CENTROID: (117457850,237870111) Distance toorigin: 265289532 size:12Cluster 2: INITIAL CENTROID: (206672650,124642678) CENTROID: (220474127,53230079) Distance toorigin: 226808910 size:28Cluster 3: INITIAL CENTROID: (1140419653,186713705) CENTROID: (1919840606,223074386)Distance to origin: 1932757132 size:5Cluster 4: INITIAL CENTROID: (467187496,127598320) CENTROID: (709438867,111675265) Distance toorigin: 718174679 size:28 13
  14. 14. EP2300 SNMP Project Report Amy Skinner (skinner@kth.se) - Laili Aidi (aidi@kthse)DBI: 0.89There was a DoS attack in cluster: 3-Rounds: 4 9 11 17 18There was a port scan attack in cluster: 4-Rounds: 0 1 2 3 5 6 7 8 10 12 13 14 16 19 20 21 23 30 31 35 36 38 42 44 57 58 63 72Calculation number: 11Cluster 1: INITIAL CENTROID: (127443602,56944295) CENTROID: (148767001,101947479) Distance toorigin: 180346635 size:33Cluster 2: INITIAL CENTROID: (1186561012,203413028) CENTROID: (1077897973,113797691)Distance to origin: 1083888349 size:6Cluster 3: INITIAL CENTROID: (1714528937,12997585) CENTROID: (1919840606,223074386) Distanceto origin: 1932757132 size:5Cluster 4: INITIAL CENTROID: (524948788,288193238) CENTROID: (554150316,118094414) Distance toorigin: 566594090 size:29DBI: 0.63There was a DoS attack in cluster: 3-Rounds: 4 9 11 17 18There was a port scan attack in cluster: 2-Rounds: 5 6 7 12 16 35Calculation number: 12Cluster 1: INITIAL CENTROID: (2441728310,207925532) CENTROID: (2441728310,207925532)Distance to origin: 2147483647 size:1Cluster 2: INITIAL CENTROID: (471870614,60886306) CENTROID: (214883629,107039622) Distance toorigin: 240067604 size:44Cluster 3: INITIAL CENTROID: (1885516800,337995273) CENTROID: (1789368680,226861600)Distance to origin: 1803692451 size:4Cluster 4: INITIAL CENTROID: (1714528937,12997585) CENTROID: (749674099,115085316) Distance toorigin: 758456250 size:24DBI: 0.51There was a DoS attack in cluster: 1-Rounds: 9There was a port scan attack in cluster: 3-Rounds: 4 11 17 18Calculation number: 13Cluster 1: INITIAL CENTROID: (374573948,35643439) CENTROID: (805820188,111405014) Distance toorigin: 813484635 size:19Cluster 2: INITIAL CENTROID: (660388911,93972355) CENTROID: (1919840606,223074386) Distanceto origin: 1932757132 size:5Cluster 3: INITIAL CENTROID: (115915131,16393588) CENTROID: (112389070,105981524) Distance toorigin: 154477786 size:28Cluster 4: INITIAL CENTROID: (253233972,55685827) CENTROID: (400624290,113025046) Distance 
toorigin: 416262516 size:21DBI: 0.76There was a DoS attack in cluster: 2-Rounds: 4 9 11 17 18There was a port scan attack in cluster: 1-Rounds: 0 2 3 5 6 7 8 10 12 14 16 19 20 30 35 36 38 58 72Calculation number: 14Cluster 1: INITIAL CENTROID: (534606351,246896) CENTROID: (1919840606,223074386) Distanceto origin: 1932757132 size:5Cluster 2: INITIAL CENTROID: (399287805,162308) CENTROID: (805820188,111405014) Distance toorigin: 813484635 size:19Cluster 3: INITIAL CENTROID: (253233972,55685827) CENTROID: (400624290,113025046) Distance toorigin: 416262516 size:21Cluster 4: INITIAL CENTROID: (88486619,7202473) CENTROID: (112389070,105981524) Distance toorigin: 154477786 size:28DBI: 0.76There was a DoS attack in cluster: 1 14
-Rounds: 4 9 11 17 18
There was a port scan attack in cluster: 2
-Rounds: 0 2 3 5 6 7 8 10 12 14 16 19 20 30 35 36 38 58 72
Calculation number: 15
Cluster 1: INITIAL CENTROID: (13258747,117923684) CENTROID: (148767001,101947479) Distance to origin: 180346635 size:33
Cluster 2: INITIAL CENTROID: (704077379,56711499) CENTROID: (1580738673,176220052) Distance to origin: 1590530810 size:9
Cluster 3: INITIAL CENTROID: (203160196,49844066) CENTROID: (580964867,78434420) Distance to origin: 586235562 size:29
Cluster 4: INITIAL CENTROID: (171386150,79317073) CENTROID: (531160408,681158721) Distance to origin: 863775770 size:2
DBI: 0.6
Unable to positively identify attacks due to cluster sizes and centroid values.
The calculation with the minimum Davies-Bouldin Index occurred in clustering round: 12 with DBI: 0.51
[As mentioned in Section 4, we ran 15 calculations to ensure that we could find significantly unique clusterings to discuss – ordinarily this is set to the default of 3 clusterings. In Task 3, we would have already begun the next round of polling before clustering, and this would repeat every w rounds]
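The selection step recorded in the console output above (several k-means calculations on the per-round delta pairs, one Davies-Bouldin index per calculation, keep the run with the minimum) as an added Python example; this is not the project's own code. It assumes each polling round contributes one (delta, delta) pair as in the "Delta values" lines, uses 4 clusters and 15 calculations like the report, and computes every distance in floating point, which avoids the saturation at 2147483647 (Integer.MAX_VALUE) visible in the distance to origin of calculation 12.

```python
import math
import random

def dist(a, b):
    # float distance: an int version would saturate at 2147483647 (see calc. 12)
    return math.hypot(a[0] - b[0], a[1] - b[1])

def kmeans(points, init, max_iter=100):
    """Lloyd's k-means from the given initial centroids -> (centroids, labels)."""
    centroids = list(init)
    for _ in range(max_iter):
        labels = [min(range(len(centroids)), key=lambda i: dist(p, centroids[i]))
                  for p in points]
        updated = []
        for i, c in enumerate(centroids):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:
                c = (sum(p[0] for p in members) / len(members),
                     sum(p[1] for p in members) / len(members))
            updated.append(c)  # an empty cluster keeps its previous centroid
        if updated == centroids:  # converged
            break
        centroids = updated
    return centroids, labels

def davies_bouldin(points, centroids, labels):
    """DBI = mean over clusters i of max over j != i of (s_i + s_j) / d(c_i, c_j),
    where s_i is the mean distance of cluster i's members to its centroid."""
    k = len(centroids)
    scatter = []
    for i in range(k):
        members = [p for p, lab in zip(points, labels) if lab == i]
        scatter.append(sum(dist(p, centroids[i]) for p in members) / len(members)
                       if members else 0.0)
    def ratio(i, j):
        d = dist(centroids[i], centroids[j])
        return (scatter[i] + scatter[j]) / d if d > 0 else math.inf
    return sum(max(ratio(i, j) for j in range(k) if j != i) for i in range(k)) / k

def best_clustering(points, k=4, calculations=15, seed=0):
    """Run k-means `calculations` times, seeding each run with k distinct delta
    pairs as initial centroids, and keep the run with the lowest DBI."""
    rng = random.Random(seed)
    best = None
    for n in range(1, calculations + 1):
        centroids, labels = kmeans(points, rng.sample(points, k))
        score = davies_bouldin(points, centroids, labels)
        if best is None or score < best[0]:
            best = (score, n, centroids, labels)
    return best  # (dbi, calculation number, centroids, labels)
```

The example stops at choosing the calculation; labelling a cluster as DoS or port scan from its size and distance to origin, as the output above does, is left to the caller.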
