Academic Paper: N. B. I. Al-Dabagh and I. A. Ali, "Design and implementation of artificial immune system for detecting flooding attacks," in High Performance Computing and Simulation (HPCS), 2011 International Conference on, 2011, pp. 381-390.
changed in an anomalous way by internal or external causes, damaging its neighbouring cells and the overall tissue.
2. RELATED WORK
Different approaches have been proposed and implemented to detect SYN flooding attacks, among them state machines, firewalls and classifiers. Most previous work on countering the attack, however, focused on mitigating the flooding effect on the victim rather than on detecting the attack and finding the host that generates it. Bernstein et al. [9] developed SYN cookies, which encode the server-side TCP state into the initial sequence number of the SYN/ACK returned to the client, so that nothing has to be stored for a half-open connection. The drawback of this scheme is the cost of computing and verifying the cookies during an attack (and, in the original form, the loss of TCP options that cannot be encoded in the sequence number). The SynDefender firewall [10] works as a proxy: it intercepts SYN requests from clients and sends the SYN/ACK on behalf of the server. The weakness here is the additional workload and processing inside the firewall, which may not cope with a high-rate attack. Schuba et al. [11] classify the IP addresses seen in the network with a tool called Synkill, which operates as a state machine. The disadvantage of this approach appears when the attacker's source addresses never repeat: Synkill then cannot use the information held in its database and state machine. The SYN cache presented by Lemon [12] reduces the resources assigned to a received SYN on the server side; full allocation of the Transmission Control Block (TCB), which holds the connection state, is delayed until the handshake completes. The drawback, discussed in the same work, is that under normal conditions the connection setup is delayed by a noticeable time because of the extra processing, and under an actual attack the rate at which the system builds normal connections drops by about 15% compared with the normal case [12]. Xiao et al. [13] build a classifier for IP addresses based on the DelAy pRoBing (DARB) method, in which half-open connections are categorised as normal or abnormal. The idea is that half-open connections caused by network congestion show properties, visible in the delay between client and server data transmissions, that attack-generated half-open connections lack.
All of these defence mechanisms are stateful: state is maintained per TCP connection or state computation is required, which makes the defence mechanism itself vulnerable to flooding. By using the DCA, the proposed AISD system aims to be more reliable and efficient in detection, since the algorithm correlates environmental changes with suspicious data over time. Furthermore, the system avoids any dependence on TCP protocol state and stays lightweight by working in listening (passive sniffing) mode.
3. BACKGROUND
Denial of service attacks consume resources of a victim host or network that would otherwise serve legitimate users. A brief description of the TCP protocol and of the SYN flooding attack is given first.
3.1. Transmission Control Protocol (TCP)
TCP/IP is the suite of networking protocols in use on the Internet; TCP is its connection-oriented, reliable transport protocol [14]. TCP establishes a connection in three steps, called the 3-way handshake, as shown in Fig. 1.
When a SYN packet arrives at a destination port on which a TCP server is in the LISTEN state, a backlog queue of finite size keeps track of the connections that may concurrently be in the half-open state, called SYN_RECEIVED. This queue normally empties quickly, since the client's ACK is expected a few milliseconds (one round-trip time) after the SYN/ACK. When the maximum number of half-open connections per port is reached, i.e. the backlog queue is full, TCP discards all new incoming connection requests until some of the half-open connections have been completed or cleared [15].
3.2. TCP SYN Flood Attack
The SYN flood attack exploits the TCP 3-way handshake and the limit on the number of half-open connections a server can hold. Hence any system connected to the Internet that provides TCP-based services, such as a web, FTP or mail server, is potentially subject to it. The attacker generates TCP SYN packets with spoofed source IP addresses towards a victim server whose TCP module is in the LISTEN state. The server's connection buffers are allocated and rapidly exhausted, so new legitimate connections cannot be established and all further incoming SYN requests are dropped. Other system resources, such as CPU and the network bandwidth used to retransmit the SYN/ACK packets, are consumed as well [11] (Fig. 2). Under normal conditions, when a server receives a SYN request it sends a SYN/ACK back to the client and waits for the client's acknowledgement.
Figure 1. TCP 3-way handshake process
Figure 2. TCP SYN flooding attack
Until the SYN/ACK is acknowledged by the client, the connection remains half-open for a period of up to the TCP connection timeout; the half-open connection is not closed until two retransmissions of the SYN/ACK have failed. The server keeps a backlog queue in memory to hold all half-open connections. The victim host sends a SYN/ACK to the spoofed source address and adds an entry to the connection queue. Since the SYN/ACK is destined for an incorrect (spoofed) or non-existent host, the last step of the 3-way handshake never completes, and the entry remains in the backlog queue until a timer expires, typically after about one minute [15]. By generating a barrage of SYN packets from spoofed sources at a rapid pace, it is possible to fill the connection queue and deny TCP services such as e-mail, file transfer or web access to legitimate users. The challenge is then to trace back the originator of the attack, because the source IP field of the generated packets is forged.
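To make the queue exhaustion of Sections 3.1 and 3.2 concrete, the following simulation models a listen backlog of fixed capacity with a half-open timeout, fed by spoofed SYNs that are never acknowledged (the SYN/ACK goes to the forged source) and by legitimate clients that acknowledge one round-trip later. It is an added example written for this page, not code from the paper; the backlog capacity, the timeout, the flood rate and the client arrival pattern are constructed parameters.

```python
"""Simulation of a TCP listen backlog under a SYN flood.

Added example, not code from the paper: it models only the half-open
(SYN_RECEIVED) queue described in Sections 3.1 and 3.2.  Queue size, the
half-open timeout and the arrival pattern are constructed parameters.
"""
import heapq
from dataclasses import dataclass, field


@dataclass
class Backlog:
    capacity: int          # maximum number of half-open connections
    timeout: float         # seconds an unanswered SYN/ACK is kept
    half_open: dict = field(default_factory=dict)   # key -> expiry time
    dropped_syns: int = 0
    completed: int = 0

    def _expire(self, now):
        # Entries whose retransmission timer ran out are cleared.
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, now, key):
        """A SYN arrives; returns True if the server admits it."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1        # backlog full: SYN discarded
            return False
        self.half_open[key] = now + self.timeout
        return True

    def on_ack(self, now, key):
        """The handshake's final ACK arrives; True if it completes a connection."""
        self._expire(now)
        if key not in self.half_open:
            return False                  # no matching half-open entry
        del self.half_open[key]
        self.completed += 1
        return True


def simulate(flood_rate, duration, legit_interval, backlog, rtt=0.002):
    """Interleave spoofed SYNs (never acknowledged, since the SYN/ACK goes to
    the forged source) with legitimate clients that ACK one RTT after their
    SYN.  flood_rate is spoofed SYNs per second; duration is in seconds."""
    events = []   # (time, tie-break order, kind, key)
    for i in range(int(flood_rate * duration)):
        heapq.heappush(events, (i / flood_rate, 0, "syn", ("spoof", i)))
    legit_total, t = 0, 0.0
    while t < duration:
        heapq.heappush(events, (t, 1, "syn", ("legit", legit_total)))
        heapq.heappush(events, (t + rtt, 2, "ack", ("legit", legit_total)))
        legit_total += 1
        t += legit_interval
    legit_refused = 0
    while events:
        now, _, kind, key = heapq.heappop(events)
        if kind == "syn":
            if not backlog.on_syn(now, key) and key[0] == "legit":
                legit_refused += 1
        else:
            backlog.on_ack(now, key)
    return {"legit_total": legit_total, "legit_refused": legit_refused,
            "completed": backlog.completed, "dropped_syns": backlog.dropped_syns}


if __name__ == "__main__":
    # 100 spoofed SYN/s against a 128-entry backlog with a 60 s half-open
    # timeout: the queue is full after about 1.3 s and stays full for the run.
    print(simulate(100, 10, 0.5, Backlog(capacity=128, timeout=60)))
    # Same clients with no flood: every legitimate handshake completes.
    print(simulate(0, 10, 0.5, Backlog(capacity=128, timeout=60)))
```

With these parameters a rate of only 100 spoofed SYNs per second fills a 128-entry backlog in about 1.3 seconds, and because each entry lives for the full timeout, every legitimate client arriving afterwards is refused for the rest of the window; the victim never sees the attacker's real address in any of the discarded packets.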
4. THE DENDRITIC CELL ALGORITHM (DCA)
The DCA is based on the role of dendritic cells in the natural immune system as activators of the immune response [16]. It has been shown experimentally that dendritic cells (DCs) process danger signals, i.e. indicators of disorder in the tissues. Before describing the DCA, the function of biological dendritic cells is explained; the algorithm itself follows.
4.1. Dendritic Cells (DCs)
The immune system is decentralised, robust, complex and adaptive. It performs its function through the self-organised interaction of a diverse set of cell populations. Classically, immunology has focused on the body's ability to discriminate between protein molecules belonging to 'self' and 'non-self'. This traditional theory is challenged by the work of the immunologist Matzinger [5], who proposed a new model of how the natural immune system works after numerous problems had been uncovered with the self/non-self paradigm. For example, if the immune system is tuned to respond only to non-self, why do autoimmune diseases occur? Why do the intestines contain millions of bacteria, yet the immune system does not react against these colonies of non-self invaders? [17]
The DCA is inspired by the behaviour of dendritic cells, whose primary role is that of professional antigen-presenting cells (APCs). DCs behave very differently from other immune cells: they fuse and process multiple signals from separate sources, and their purpose is to collect, process and present antigen to T-cells in the lymph nodes.
At any point in time a DC exists in one of three states of differentiation, termed immature, semi-mature and mature [17]. The mechanism by which DCs process signals is complicated; the three signal concentrations are fused within the cell to influence the resulting output. Fig. 3 outlines the DC states, their corresponding functions and the differentiation pathways [18]. The direction of differentiation is determined by comparing the cumulative semi-mature and cumulative mature output values. PAMPs (pathogen-associated molecular patterns) are molecules produced by microorganisms and indicate microbial presence, i.e. an abnormal situation. Safe signals (SS) are the opposite of danger signals (DS): they are released as a result of normal, planned cell death, whereas danger signals result from unplanned cell death or injury.
Figure 3. An abstract view of DC maturation and the signals required for differentiation. CKs denote cytokines.
If the cumulative semi-mature value is greater than the cumulative mature value, the DC becomes semi-mature; otherwise it becomes mature. A semi-mature DC assigns context '0' to the antigens it sampled, a mature DC assigns context '1'. In the end each antigen type collects a string of binary contexts, from which an anomaly coefficient, the mature context antigen value (MCAV), is calculated as the number of '1' contexts divided by the total number of contexts. A context of '1' means the DC handled the antigen in an anomalous environment, a context of '0' in a normal one [16]. Inflammation signals are immune-stimulating molecules that may be released as a result of injury. DCs correlate the signal information with the collected antigen to provide a 'context' for categorising the antigen. If antigen is collected in an environment of danger and PAMP signals, the context of the cell is 'anomalous' and all antigen collected by that cell is deemed a potential intruder. Conversely, if the environment contains mainly safe signals, the context is 'normal' and the collected antigen is deemed non-threatening. The context is thus used to decide whether an antigen derives from a potential invader [17].
4.2. Algorithm Overview
Artificial Immune Systems have been applied to problems in computer security since their development in the 1990s [19]. A recent addition to the AIS family is the DCA, which, unlike other AISs, does not rely on pattern matching of strings (termed antigen). The DCA was developed as part of an interdisciplinary project known as the 'Danger Project' [20]. Several key properties of DC biology form the abstract model from which the DCA was derived: compartmentalisation, differentiation, antigen processing, signal processing and populations. Compartmentalisation provides two separate areas: the 'tissue', where sampling takes place, and the 'lymph node', where analysis takes place. In the lymph node, DCs present antigen coupled with context signals, which is interpreted and translated into an immune response. In the AISD system the focus is on this property of compartmentalisation [17].
DCs are sensitive to differences in the concentration of various molecules in their tissue environment [21], and the DCA is a population-based system, i.e. it operates a population of cells [17]. The purpose of the DCA is to correlate different data streams, in the form of antigen and signals, and to express how anomalous a group of antigen is through an anomaly coefficient, the MCAV. The signals are pre-normalised and pre-categorised according to the behaviour of the monitored system, following a four-signal model of PAMP, danger, safe and inflammation signals. The co-occurrence of antigen with high or low signal values forms the basis for categorising the antigen data [17].
The cell's output value representing the costimulatory molecules (CSMs) is used as a marker of maturation, enforcing a limit on the time a cell spends sampling before it migrates to the lymph node. CSM is incremented in proportion to the quantity of input signal received; the input signals are combined into CSM using a simple weighted sum. Once CSM reaches the cell's 'migration' threshold, the cell ceases signal and antigen collection and is removed from the population for analysis [17]. Equation (1) gives the general form of the signal processing, where Pw are the PAMP-related weights, Dw the danger-signal weights and Sw the safe-signal weights. Pn, Dn and Sn are the input signal values of category PAMP (P), danger (D) and safe (S) for all signals n of that category, assuming there may be several signals per category, and I represents the inflammation signal. The sum is evaluated three times, once per output signal, to obtain the interim values of the CSM, semi-mature and mature outputs; these interim values are summed cumulatively over time. The weights used are shown in Table 1 [18]. Upon removal from the population a cell is replaced by a new cell, so the population size stays constant, and each DC is assigned a different migration threshold. Pseudocode for the functioning of a single cell is given in Algorithm 1, DCA-1 [17].
Table 1. Weights used for signal processing

  Output signal   PAMP   Danger signal (DS)   Safe signal (SS)
  CSM              2            1                   2
  Semi             0            0                   3
  Mat              2            1                  -3

Algorithm 1: DCA-1 (behaviour of a single dendritic cell)

  input : signals from all categories and antigen
  output: antigen plus context values (0/1)
  initialiseDC;
  while CSM output signal < migration threshold do
      get antigen;
      store antigen;
      get signals;
      calculate interim output signals;
      update cumulative output signals;
  end
  update cell location to lymph node;
  if semi-mature output > mature output then
      cell context is assigned as 0;
  else
      cell context is assigned as 1;
  end
  kill cell;
  replace cell in population;

The MCAV is the mean context value per antigen type. Pseudocode for its generation is given in Algorithm 2, DCA-2 [17].

Algorithm 2: DCA-2 (generation of the MCAV)

  input : list of antigen plus context values per experiment
  output: MCAV coefficient per antigen type
  for all antigen in total list do
      increment antigen count for this antigen type;
      if antigen context equals 1 then
          increment antigen type mature count;
      end
  end
  for all antigen types do
      MCAV of antigen type = mature count / antigen count;
  end

The closer the MCAV is to one, the more likely it is that the majority of the antigen was present in the tissue at the same time as a given set of signals. Antigens collected by a DC are logged together with the context of the cell, and an average context is calculated for antigens of identical value or structure (antigen type). The fraction of antigen of each type presented in the mature context forms the MCAV coefficient. The nearer the MCAV is to 1, the more likely the antigen is anomalous, since it was repeatedly collected in a context with high values of danger signals and PAMPs. The larger the number of antigen presented per type, the greater the confidence in the MCAV, as it rests on a larger sample [17].
5. THE PROPOSED AISD SYSTEM
The AISD system detects the launcher of the SYN flooding attack, i.e. the invading machine among the other hosts of the network, by monitoring the behaviour of each host (the attacker included) together with the common behaviour of the network segment. These changes are observed by means of predefined host and network attributes related to the specific attack. The analogy is the danger theory, in which a self cell may become dangerous and cause damage in the tissue; the same scenario arises with an insider intruder, a legitimate user who uses the system in an unauthorised manner. In the natural immune system the harmful self cell is suppressed during both the detection and the response process. Several components take part in these processes, such as B-cells, T-cells and DCs, but DCs have the main role, monitoring the cells in the tissue and observing abnormalities in them.
5.1. System Design
The AISD system consists of two parts that correspond to the two segments of the DCA, DCA-1 and DCA-2. Fig. 4 illustrates the modules of the AISD system, their distribution and their relationships from a high-level view.
5.1.1. module1_DCA
This module is based on part DCA-1. It is replicated and distributed to every host of the monitored network segment; these modules can be considered static, low-level agents of the overall AISD system. module1_DCA monitors, in the background, the behaviour of the host it is responsible for and some general properties of the network segment. It executes the instructions of part DCA-1 of the algorithm and, at the end, produces the context values for the host under its control, which it sends together with the antigen ID (the host's own IP address) to the analysis centre, module2_DCA.
5.1.2. module2_DCA
This module is the lymph node of the network segment and is placed on a central host. module2_DCA receives the data sent to it and analyses them to detect the intrusive host. It executes the instructions of part DCA-2 of the algorithm and, at the end, produces the MCAV value per antigen type. Based on the MCAV values, module2_DCA discriminates the anomalous host from the other hosts in the network.
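The following program implements both halves of the algorithm as the two modules use them: DCA-1 (Algorithm 1, with the weights of Table 1) run per host as module1_DCA would, and DCA-2 (Algorithm 2) run centrally as module2_DCA would. It is an added example written for this page, not the authors' C# code. The paper does not print Equation (1), so treating the binary inflammation signal as a multiplier (1 + I) on every output is an assumption here, as are the migration thresholds, the host addresses and the per-tick signal streams, which are constructed to show a clean host, a flooding host, and a host that starts clean and then floods.

```python
"""Dendritic Cell Algorithm, parts DCA-1 and DCA-2, as used by the AISD
modules.  Added example written for this page; it is not the paper's C#
code.  Weights come from Table 1.  The inflammation factor (1 + I), the
thresholds and the signal streams below are assumptions of this example."""

# Table 1: weights per output signal, in the order (PAMP, DS, SS).
WEIGHTS = {
    "csm":  (2, 1, 2),
    "semi": (0, 0, 3),
    "mat":  (2, 1, -3),
}


def interim_outputs(pamp, ds, ss, inflammation=0):
    """Weighted sum for the three output signals.  Treating the binary
    inflammation signal as a multiplier (1 + I) is an assumption; the paper
    only says I takes part in Equation (1)."""
    return {name: (pw * pamp + dw * ds + sw * ss) * (1 + inflammation)
            for name, (pw, dw, sw) in WEIGHTS.items()}


class DendriticCell:
    """One cell of the module1_DCA population (Algorithm 1, DCA-1)."""

    def __init__(self, migration_threshold):
        self.threshold = migration_threshold
        self._reset()

    def _reset(self):
        self.cumulative = {"csm": 0.0, "semi": 0.0, "mat": 0.0}
        self.antigens = []

    def sample(self, antigen, signals):
        """One iteration: store antigen, fuse signals, migrate once CSM has
        reached the threshold.  Returns the (antigen, context) pairs the cell
        presents on migration, or [] while it keeps sampling."""
        self.antigens.append(antigen)
        for name, value in interim_outputs(*signals).items():
            self.cumulative[name] += value
        if self.cumulative["csm"] < self.threshold:
            return []
        # Algorithm 1: context 0 iff semi-mature output > mature output.
        context = 0 if self.cumulative["semi"] > self.cumulative["mat"] else 1
        presented = [(stored, context) for stored in self.antigens]
        self._reset()            # "kill cell; replace cell in population"
        return presented


def run_dca1(antigen, signal_stream, thresholds):
    """module1_DCA on one host: each tick every cell receives the same
    (PAMP, DS, SS, IS) tuple and stores the host's own antigen."""
    population = [DendriticCell(t) for t in thresholds]
    presented = []
    for signals in signal_stream:
        for cell in population:
            presented.extend(cell.sample(antigen, signals))
    return presented


def mcav(presented):
    """module2_DCA (Algorithm 2, DCA-2): fraction of mature contexts per
    antigen type."""
    total, mature = {}, {}
    for antigen, context in presented:
        total[antigen] = total.get(antigen, 0) + 1
        mature[antigen] = mature.get(antigen, 0) + context
    return {antigen: mature[antigen] / total[antigen] for antigen in total}


def most_anomalous(mcav_by_host):
    """The host the analysis centre would declare: highest MCAV."""
    return max(mcav_by_host, key=mcav_by_host.get)


# Constructed per-tick signals (PAMP, DS, SS, IS), already normalised 0-100.
NORMAL = (0, 10, 80, 0)       # small DS, strong safe signal, calm network
ATTACK = (90, 70, 5, 1)       # high PAMP and DS, safe signal collapsed
THRESHOLDS = [300, 500, 800]  # one migration threshold per cell (assumed)

HOST_STREAMS = {                               # constructed hosts
    "10.0.0.5": [NORMAL] * 10,                 # browsing the web server
    "10.0.0.9": [ATTACK] * 10,                 # flooding from the start
    "10.0.0.7": [NORMAL] * 4 + [ATTACK] * 6,   # starts clean, then floods
}


def analyse(host_streams=HOST_STREAMS, thresholds=THRESHOLDS):
    """Run DCA-1 per host (as each module1_DCA would) and DCA-2 centrally."""
    presented = []
    for host, stream in host_streams.items():
        presented.extend(run_dca1(host, stream, thresholds))
    return mcav(presented)


if __name__ == "__main__":
    scores = analyse()
    for host, score in sorted(scores.items()):
        print(f"{host}: MCAV = {score:.2f}")
    print("declared attacker:", most_anomalous(scores))
```

The third host is the instructive one: a cell that was still sampling when the flood began carries its accumulated safe signal into the attack ticks, so its whole batch of antigen is presented in the normal context, and the host's MCAV ends up near 0.5 rather than 1. That is why the paper's analysis centre compares hosts and declares the one closest to 1, and why larger antigen counts (longer analysis cycles) make the coefficient more trustworthy.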
5.2. Signals
The designed DCA-based system needs a correct and appropriate selection of data from the problem domain for its input space, covering both signals and antigens. Signals are mapped to the state of the hosts in the network and to the general behaviour of the network. Three signal categories define the state of a host system, PAMPs, DSs (danger signals) and SSs (safe signals), and a further input, IS (inflammatory signal), represents the state of stress in the network. These signals are collected by a sniffing procedure in module1_DCA. The raw signals are derived from pre-selected attributes observed at the network interface card (NIC) and then normalised into input signals. The normalised PAMP and DS signals lie in the range 0-100, the SS signal has a reduced range, and the IS signal is binary. According to the descriptions of the four input signals of module1_DCA (part DCA-1 of the algorithm), the following signals are selected from the problem domain, the SYN flooding attack:
PAMP signal: obtained from data sources that indicate the existence of a SYN flooding attack from a host.
DS signal: derived from properties that denote changes in the host's behaviour. Low values of this signal need not be anomalous.
SS signal: also derived from changes in the host's behaviour, but high levels of this signal indicate that the changes have little effect.
IS signal: a simplified binary signal indicating a disturbed state of the network segment.
Figure 4. Modules of the AISD system
module1_DCA receives the normalised input signals after the attribute selection and signal derivation processes. From the experiments carried out and the description of the problem above, it has been observed that a SYN flood attack generates notable changes both in the behaviour of the host it originates from and in the general behaviour of the network. The four signals are derived as follows:
PAMP signal: referring back to Figs. 1 and 2, during the attack there is a notable change in the rates of outgoing SYN and ACK packets. Relying solely on this variance would be ineffective, because the attacker can easily defeat the detector by sending ACK packets from the host at the same time. Therefore another attribute is used: the difference between the rate of outgoing SYN packets and the rate of incoming SYN/ACK packets. Because the victim answers each spoofed SYN with a SYN/ACK to the forged source address, the attacking host sends many SYNs but receives few SYN/ACKs back.
DS signal: derived from the fact that the number of outgoing SYN packets from the attacker increases.
SS signal: derived from the fact that the average size of the outgoing packets from the attacking host drops to about 40 bytes (an IP and TCP header with no payload) during a limited time window; a high average packet size is therefore treated as a safe signal. This signal plays a remarkable role in reducing false alarms in the detection process.
IS (inflammatory) signal: a binary signal indicating a disturbed state of the network.
After selection the signals are normalised with a step function, which yields the final signal values in the range 0 to 100, and passed to module1_DCA.
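The signal generator below shows how the four attributes of Section 5.2 can be derived from the packets one host's NIC saw in a time window and normalised with a step function; it also shows why the paper rejects the plain outgoing-SYN-versus-ACK count, since padding the flood with ACKs zeroes that attribute while the SYN-versus-incoming-SYN/ACK gap is unaffected. This is an added example written for this page, not the authors' implementation: the step thresholds, the packet records and the way the network-disturbance bit is supplied are constructed assumptions, as the paper gives only the attributes, not the thresholds.

```python
"""Signal generator for module1_DCA: derives the four input signals of
Section 5.2 from the packets one host's NIC saw in a time window.

Added example for this page, not the paper's C# implementation.  The packet
records, the step-function thresholds and the way the 'network disturbance'
bit is supplied are constructed assumptions; the paper names only the
attributes each signal is derived from."""
from collections import namedtuple

# One captured packet as seen from the monitored host: direction ("out" or
# "in"), TCP flags as a short string ("S", "SA", "A", "PA") and frame length.
Packet = namedtuple("Packet", "direction flags length")


def step(value, steps):
    """Step-function normalisation to 0-100: steps is a list of (limit, level)
    pairs with increasing limits; the level of the first limit the value does
    not exceed is returned, 100 if it exceeds them all."""
    for limit, level in steps:
        if value <= limit:
            return level
    return 100


# Constructed thresholds (assumed, not from the paper).
PAMP_STEPS = [(0, 0), (10, 25), (50, 60), (200, 85)]    # SYNs without SYN/ACK
DS_STEPS = [(5, 0), (20, 25), (100, 60), (300, 85)]     # outgoing SYNs
SS_STEPS = [(44, 0), (80, 30), (200, 60), (600, 85)]    # mean outgoing bytes


def derive_signals(packets, network_disturbed):
    """Return the normalised PAMP, DS, SS and IS values for one window."""
    out_syn = sum(1 for p in packets if p.direction == "out" and p.flags == "S")
    in_synack = sum(1 for p in packets if p.direction == "in" and p.flags == "SA")
    out_sizes = [p.length for p in packets if p.direction == "out"]
    mean_out = sum(out_sizes) / len(out_sizes) if out_sizes else 0
    # PAMP: SYNs this host sent minus SYN/ACKs it got back.  Spoofed SYNs are
    # answered to the forged address, so the gap grows only on the attacker.
    unanswered = max(out_syn - in_synack, 0)
    return {
        "pamp": step(unanswered, PAMP_STEPS),
        "ds": step(out_syn, DS_STEPS),
        "ss": step(mean_out, SS_STEPS),   # large frames -> safe; 40 B SYNs -> 0
        "is": 1 if network_disturbed else 0,
    }


def naive_syn_ack_gap(packets):
    """The attribute the paper rejects: outgoing SYNs minus outgoing ACKs.
    An attacker who pads the flood with ACKs drives it to zero."""
    out_syn = sum(1 for p in packets if p.direction == "out" and p.flags == "S")
    out_ack = sum(1 for p in packets if p.direction == "out" and p.flags == "A")
    return max(out_syn - out_ack, 0)


# Constructed window: two HTTP connections with complete handshakes.
def browsing_window():
    window = []
    for _ in range(2):
        window += [Packet("out", "S", 66), Packet("in", "SA", 66),
                   Packet("out", "A", 54), Packet("out", "PA", 400),
                   Packet("in", "PA", 1400), Packet("out", "A", 54)]
    return window


# Constructed window: 150 bare 40-byte SYNs with forged sources, so no
# SYN/ACK comes back to this host.
def flood_window(ack_padding=False):
    window = [Packet("out", "S", 40) for _ in range(150)]
    if ack_padding:                      # evasion attempt from Section 5.2
        window += [Packet("out", "A", 40) for _ in range(150)]
    return window


if __name__ == "__main__":
    print("browsing:", derive_signals(browsing_window(), False))
    print("flood:   ", derive_signals(flood_window(), True))
    print("flood with ACK padding:", derive_signals(flood_window(True), True),
          "naive gap =", naive_syn_ack_gap(flood_window(True)))
```

In the padded flood the naive gap is zero while the PAMP value stays at its flood level, and the safe signal stays at zero because the padding packets are as small as the SYNs; the tuples these functions return are what a population of cells such as Algorithm 1 would consume each tick.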
5.3. Antigens
Intrusion detection would be incomplete using the four signals alone; module1_DCA needs further data, the antigen names, to be correlated with the signals as the suspicious data. An antigen name is allocated to each host in the network segment and is expressed by the host's IP address, i.e. the address of the host on which that module1_DCA runs, not the source address of any packet it sees; the spoofed source addresses in the flood therefore do not affect which host is blamed. These antigen names are used in the analysis stage in the lymph node of the network segment, the central analysis host, which calculates the anomaly coefficient, the MCAV value, per antigen type. The MCAV values lie in the range zero to one; the closer the value is to one, the more likely the antigen type is anomalous.
6. IMPLEMENTING THE AISD SYSTEM
For the implementation stage the AISD system was programmed in C# 2008 with the .NET Framework version 3.5, using Winsock and multithreading. The experimental data consist of network flow data captured online from the network interface cards (NICs). The overall architecture is implemented in a client/server model: module2_DCA on the central analysis host is the server, and the module1_DCA instances on the remaining hosts are the clients.
6.1. Implementing Module module1_DCA
This module is implemented as the client, bound to the NIC of its host, and has three submodules:
Packet sniffer: reads all packets passing through the NIC after putting it into promiscuous mode.
Signal generator and normaliser: periodically computes, derives and normalises the input signals of module1_DCA. The prepared signals are logged in a temporary table called the Tissue Signals Table (TST), where they remain available to the population of DC cells.
Main module, the population of DC cells: the previous two submodules prepare the work of this one, which follows the instructions of part DCA-1 of the algorithm. Its outputs are the antigen names (host IP addresses) and the context values of the DC cells, which are passed to the analysis centre on the system's central host.
6.2. Implementing Module module2_DCA
This module implements the second part of the DCA, DCA-2, and is programmed as a multithreaded server. It continuously receives context values and antigen names and appends them to a table named the Ag-Context Table (ACT). In parallel, the module computes the MCAV values for the hosts of the network segment.
7. EXPERIMENTS
The aim of these experiments is to test the efficiency and suitability of the designed AISD system for detecting internal intrusion incidents. Some preparation and configuration is required to build an adequate environment.
7.1. Network Design and Configuration
All experiments were performed in an experimental laboratory network that mimics the global network, the Internet. The system was designed, implemented and tested on Microsoft Windows with the IPv4 TCP/IP protocol suite; the hosts run Windows XP SP2. The attacker host, placed in a local area network (LAN), targets the victim host, a web server on the presumed Internet or an internal server, while the system modules have been distributed beforehand to the hosts of the LAN. The victim host, the web server, runs Windows 2000 Server; the exposed service is the Apache HTTP Server, which hosts the web sites on the victim machine.
7.2. Experimenting Scenario
The designed system was tested in online mode, following this scenario:
After configuring all hosts and distributing the system modules among them, the designed network is switched on. The hosts in the internal network segment start their normal use of the TCP service on the web server by browsing the sites hosted on it. Meanwhile the AISD modules are running on the network hosts: module2_DCA on the central analysis host and module1_DCA on the remaining hosts, including the infected (invader) host.
During this time the invader host starts its SYN flood attack against the victim machine, the web server; the attack may last up to 10 minutes, or as long as the attacker wants. Meanwhile module1_DCA on that host monitors its behaviour through a population of cells that receives its input signals from the host's NIC. The main property of the packets sent to the victim is that their source IP addresses are faked and unreachable, taking one of the following forms:
a) a faked, unknown and unreachable IP address in the network;
b) an actual, known IP address in the network that is nevertheless unreachable during the attack;
c) an actual, known and reachable IP address in the network that is not the real IP address of the attacker host.
The choice among these forms is not significant to the attacker, since the outcome of the flood is the same: the victim host never completes the 3-way handshake. (A live host that receives an unexpected SYN/ACK normally answers with a RST, which frees the victim's queue entry early, so form c) loads the backlog less than forms a) and b).)
The remaining hosts use the TCP service on the web server legitimately, i.e. the packets they send carry their correct source IP addresses.
Throughout, the system modules do their predetermined jobs. The module1_DCA instances monitor the behaviour of their assigned hosts and the common status of the network, then send antigen names and context values to module2_DCA, the analysis centre, which analyses the received data periodically in cycles of 60 seconds.
Finally the MCAV values are calculated per antigen type (per host) by module2_DCA. The host whose MCAV is closest to 1 is the most likely to be anomalous, as its antigen was most frequently collected in a context with high values (concentrations) of PAMP and DS signals. The attacker host is then identified and announced by a notification alarm.
7.3. Results of Experiments
The AISD system went through two series of experiments following the scenario above. The first verified the correct use of the two parts of the DCA, DCA-1 and DCA-2, by selecting the most accurate attributes of host and network behaviour and passing them to the algorithm as input signals. The second series tested the system's ability to detect the problem at hand, i.e. to reach agreement in the detection process while avoiding false alarms.
7.3.1. Testing the precision of the system inputs
The aim of these experiments is to change the mapping of the input signals to the algorithm in order to evaluate the validity of the selected mapping. With the selected mapping the system responds with a low rate of false alarms; exchanging and swapping the PAMP and SS signals changes this. Table 2 shows the swapped mappings and the ratio of true alarms observed per experiment.
The experiments show that the first, selected mapping is the most accurate, giving the lowest ratio of false alarms. Swapping PAMP and DS (Exp. 2) loses little detection accuracy compared with the selected mapping, because both signals have the same effect on the DC population: in Table 1 both carry positive weights on CSM and Mat and no weight on Semi. Swapping PAMP and SS (Exp. 3), by contrast, degrades the system markedly, because the two signals are processed differently in the signal processing function of the algorithm, SS alone feeding Semi and entering Mat with a negative weight.
7.3.2. Testing the detection accuracy of the system
After selecting the proper system inputs, the experiments followed the scenario above; module2_DCA detects the invader host at the end of the first analysis cycle, 60 seconds after the attack starts.
The response mechanism consists of module2_DCA on the central host sending a command message to the static agent module1_DCA on the invader host, instructing it to reset or shut down that host; module1_DCA carries out the command on receipt. The paper does not state how this command channel is authenticated; an unauthenticated reset or shutdown command would itself be a denial-of-service vector against any host running module1_DCA.
module2_DCA also displays a detection report after the response has been performed. The report includes the detection time, the faked IP address used by the attacker host, the anomaly coefficient (MCAV) of the host and the selected response type. Table 3 shows the anomaly values in the five experiments.
Table 3 shows the MCAV values for two hosts in the network: Comp1, which behaves normally towards the web server, and Comp2, which behaves abnormally and is the attacker host in the segment. The larger MCAV values of Comp2 indicate that the context values sent by its module1_DCA to module2_DCA contained more 1s than 0s within a single analysis cycle, whereas those sent by the module1_DCA of Comp1 contained more 0s than 1s. That is, the behaviour of Comp2 was anomalous relative to the other hosts during the attack.
This information is also displayed in Fig. 5, which shows the ability of the proposed DCA-based system to discriminate between abnormal and normal hosts in the internal network. The MCAV values for Comp2 are higher than those for Comp1 in all experiments; hence the system tolerates the Comp1 host.
Table 2. Swapping the inputs of the algorithm (PS = PAMP signal, DS = danger signal, SS = safe signal)

  Experiment   PAMP input signal   Danger input signal   Safe input signal   True alarms ratio
  Exp. 1       PS                  DS                    SS                  100%
  Exp. 2       DS                  PS                    SS                  80%
  Exp. 3       SS                  DS                    PS                  40%
Table 3. MCAV (anomaly) values in the experiments
Figure 5. MCAV values for the Comp1 and Comp2 hosts per experiment
8. CONCLUSIONS
In this paper we have applied the DCA to the detection of TCP SYN flooding attacks. The paper describes the selected problem and the designed system, AISD, which detects the generator of the attack using behaviours of the individual hosts and the general behaviour of the network segment.
The components of the AISD system are replicated and distributed among the hosts of the network segment, together with a central analysis module. The experimental results show that AISD is sensitive to the SYN flooding attack and can discriminate between normal and abnormal host behaviour in an internal network. The selected input mapping was tested against other mappings, has the highest true-alarm ratio, and has a significant effect on the results of the detection process.
Testing the system's performance showed several characteristics: timely detection and an active response against the generator of the attack; the ability to detect abuse of authorised users' privileges on their hosts in the network segment; scalability, in that hosts newly added to the network are accepted; and light weight, since the system works in listening mode.
ACKNOWLEDGMENT
The authors gratefully acknowledge the Department of Computer Science in the College of Computer Science and Mathematics at the University of Mosul for encouraging and supporting this work with their facilities. The authors would also like to thank Dr. Omar Al-Dabbagh, Ali Husain and Zaid Abd-Alilah for their useful comments, suggestions and directions.