
Design and Implementation of Artificial Immune System for Detecting Flooding Attacks

Najla Badie Ibraheem Al-Dabagh, Department of Computer Science, College of CS and Mathematics, University of Mosul, Mosul, Iraq, [email protected]

Ismael Ali Ali, Department of Computer Science, Faculty of Science, University of Zakho, Zakho, Iraq, [email protected]

ABSTRACT

Network-based denial of service (DoS) attacks remain a major challenge for researchers in network security. This paper addresses the widely used DoS attack known as the TCP SYN flood and presents the design and implementation of an Artificial Immune System for SYN flood Detection (AISD) based on the Dendritic Cell Algorithm (DCA). AISD detects a SYN flood as it is generated and responds to the generating host in real time. The performance and accuracy of the system were evaluated in five experiments. The experiments showed a detection precision of 100% with a notable response speed, which indicates the benefit and suitability of artificial immune systems for network security problems.

KEYWORDS: network security, fault tolerance, biocomputing, SYN flooding attack, artificial immune system, dendritic cell algorithm

1. INTRODUCTION

The growing use of and dependence on networks is accompanied by new security challenges in the form of network attacks. Denial of Service (DoS) is the most significant class of attack: it targets a specific service on the victim machine and prevents it from serving its users, most often by attacking services that depend on the Transmission Control Protocol (TCP). The problem handled in this work is the TCP SYN flood attack (SYN flooding attack), in which the attacker floods the targeted service on the victim machine with a barrage of connection request (SYN) packets [1]. Artificial Immune Systems (AIS) are a collection of algorithms inspired by the functions, behaviors and models of the natural human immune system, developed after meetings between computer scientists and immunologists [2]. Different AIS approaches have been applied to network security problems [3]. The algorithm used in the AISD system is the Dendritic Cell Algorithm (DCA) [4]. The DCA is a 'second generation' AIS and is based on an abstract model of the behavior of dendritic cells (DCs) [5]. DCs play the central role in detecting malicious agents in the body. The AISD system focuses on some properties of DC behavior, one of which is compartmentalization.

Availability is often the most important attribute of service-oriented systems [6]. Because of the openness of the Internet and the wide availability of intrusion (hacking) tools, many Internet services have been targeted by DoS attacks. More than 90% of DoS attacks are flooding attacks and use the TCP protocol [7]. Hosts that provide TCP-based services such as the Hyper Text Transfer Protocol (HTTP) on the Internet are therefore frequent DoS targets. Among DoS attacks, SYN flooding has received international attention: in February 2000, major Internet sites including CNN, Yahoo and Amazon suffered SYN flood attacks, and CNN and the other victims claimed damages totaling 1.7 billion dollars [8]. The aim of this paper is to apply the DCA to detect a SYN flooding attack and identify its generator while remaining tolerant of the other hosts in the network. To achieve this, the DCA correlates different malicious and suspicious activities in the network in which the attack occurs. The AISD system can therefore detect internal intrusive activity with low computational effort, which keeps the system itself safe from flooding attacks. The same idea exists in the human body: the behavior of a self (internal) cell can be changed to an anomalous one by internal or external causes, after which it damages neighboring cells and the tissue as a whole.

978-1-61284-383-4/11/$26.00 ©2011 IEEE 381

2. RELATED WORK

Different approaches have been proposed and implemented to detect SYN flooding attacks, including state machines, firewalls and classifiers, but most previous work on countering the attack focused on mitigating the flooding effect on the victim rather than on detecting the attack and finding its generator. Bernstein et al. [9] developed SYN cookies, which encode the essential TCP connection state into a cryptographically computed initial sequence number returned to the client in the SYN/ACK, so that no backlog entry is needed until the final ACK arrives. The drawback of this scheme is the overhead of computing and verifying the cookies during an attack. The SynDefender firewall [10] acts as a proxy: it intercepts SYN requests from clients and sends the SYN/ACK on behalf of the server. The weakness here is the additional workload and processing within the firewall, which may not cope with a high-rate attack. Schuba et al. [11] classified IP addresses in the network with a tool called Synkill, which operates as a state machine. The disadvantage of this approach appears when the attacker's IP addresses do not repeat; in that case Synkill cannot use the information held in its database and state machine. The SYN cache [12] presented by Lemon reduces the state kept for each received SYN packet on the server side: full allocation of the Transmission Control Block (TCB), which holds the connection state, is delayed until the connection completes. The drawback, as discussed in the same work, is that even under normal conditions the connection process is delayed noticeably because of the processing flow in the system, and during an actual attack the server's performance in building normal connections is reduced by about 15% compared with the normal case [12]. Xiao et al. [13] built a classifier for IP addresses based on the DelAy pRoBing (DARB) method, in which half-open connections are categorized as normal or abnormal. The idea relies on properties that appear in normal half-open connections caused by network congestion but are absent from abnormal ones, observed through the delay in data transmission between the client and server machines. All of these defense mechanisms are stateful, i.e. state is maintained for each TCP connection or state computation is required, which makes the defense mechanism itself vulnerable to flooding attacks. By using the DCA the designed AISD system is more reliable and efficient in the detection process, because it correlates environmental changes with the suspicious data over time. Furthermore, the system avoids dependence on TCP protocol state and stays lightweight by working in listening (passive capture) mode.

3. BACKGROUND

Denial of service attacks consume resources of a victim host or network that would otherwise serve legitimate users. A brief description of the TCP protocol and of the SYN flooding attack is given first.

3.1. Transmission Control Protocol TCP

TCP/IP is the suite of networking protocols currently in use on the Internet; within it, TCP is the connection-oriented, reliable transport protocol [14]. TCP establishes a connection in a three-step process called the 3-way handshake, shown in Fig. 1.

When a SYN packet arrives at a destination port on which a TCP server is in the LISTEN state, a backlog queue of finite size keeps track of the connections that are in the half-open state, called SYN_RECEIVED. This queue normally empties quickly, since the client's ACK is expected within one round trip (a few milliseconds on a LAN) of the SYN/ACK. When the maximum number of half-open connections per port is reached (the backlog queue is full), TCP discards all new incoming connection requests until some of the half-open connections have been cleared or completed [15].

3.2. TCP SYN Flood Attack

The SYN flood attack exploits the TCP 3-way handshake and its limit on the number of half-open connections that can be maintained. Hence any system connected to the Internet that provides TCP-based network services, such as a web, FTP or mail server, is potentially subject to this attack. Under normal conditions, when a server receives a SYN request it sends a SYN/ACK packet back to the client and waits for the client's acknowledgment. In the attack (Fig. 2), the attacking host generates TCP SYN packets with spoofed source IP addresses towards a victim host whose TCP service is in the LISTEN state. The server's connection buffers are allocated and rapidly exhausted, so new legitimate connections cannot be established and all new incoming SYN requests are dropped. Furthermore, other system resources, such as CPU time and the network bandwidth used to retransmit the SYN/ACK packets, are consumed [11].


Figure 1. TCP 3-way handshake process

Figure 2. TCP SYN flooding attack

Before the SYN/ACK packet is acknowledged by the client, the connection remains in the half-open state for a period of up to the TCP connection timeout; the half-open connection is not closed until the server's SYN/ACK retransmissions have failed (two retransmissions in the configuration assumed here; the count is operating-system dependent). The server maintains a backlog queue in system memory to hold all half-open connections.

The victim host sends a SYN/ACK packet back to the spoofed source address and adds an entry to the connection queue. Since the SYN/ACK packets are destined for an incorrect (spoofed) or non-existent host, the third step of the 3-way handshake is never completed and the entry remains in the backlog queue until a timer expires, typically after about one minute [15]. By generating a barrage of SYN packets with spoofed sources at a rapid pace, it is possible to fill the connection queue and deny TCP services such as e-mail, file transfer or web to legitimate users. The challenge is then how to trace the originator of the attack, because the source IP field of the generated packets is forged.
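The starvation mechanism described in Sections 3.1 and 3.2 can be made concrete with a small discrete-time model of the listen backlog. This is an added example, not code from the paper; the backlog size, the one-minute half-open timeout and the arrival rates are illustrative assumptions, and the point it shows is that the flood rate needed to keep the backlog full is only backlog size divided by timeout, far below what any LAN host can generate.

```python
"""Added example, not from the paper: a discrete-time model of the TCP
listen backlog described in Sections 3.1 and 3.2. Backlog size, timeout
and rates are illustrative assumptions, not values taken from the page."""


def simulate_backlog(duration_ms, backlog_size, half_open_timeout_ms,
                     flood_rate_per_s, legit_interval_ms, rtt_ms=50):
    """Run the model for duration_ms one-millisecond ticks.

    A spoofed SYN occupies a backlog slot until half_open_timeout_ms, because
    the SYN/ACK goes to a forged address and the final ACK never arrives.
    A legitimate SYN occupies a slot for one RTT only, after which its ACK
    completes the handshake and the entry leaves the queue.

    Returns (legit_accepted, legit_dropped, spoofed_dropped).
    """
    queue = []            # expiry time (ms) of each half-open entry
    spoof_acc = 0.0       # fractional SYN arrivals carried between ticks
    legit_accepted = legit_dropped = spoofed_dropped = 0

    for t in range(duration_ms):
        # Entries whose ACK arrived (legitimate) or whose timer expired
        # (spoofed) leave the backlog.
        queue = [expiry for expiry in queue if expiry > t]

        # One legitimate client SYN every legit_interval_ms.
        if t % legit_interval_ms == 0:
            if len(queue) < backlog_size:
                queue.append(t + rtt_ms)
                legit_accepted += 1
            else:
                legit_dropped += 1      # SYN discarded: backlog is full

        # Spoofed SYNs at flood_rate_per_s, spread evenly over the ticks.
        spoof_acc += flood_rate_per_s / 1000.0
        while spoof_acc >= 1.0:
            spoof_acc -= 1.0
            if len(queue) < backlog_size:
                queue.append(t + half_open_timeout_ms)
            else:
                spoofed_dropped += 1

    return legit_accepted, legit_dropped, spoofed_dropped


def sustaining_rate(backlog_size, half_open_timeout_ms):
    """Spoofed SYNs per second needed to keep the backlog permanently full:
    one new entry for every entry that times out."""
    return backlog_size * 1000.0 / half_open_timeout_ms


def starvation_ratio(backlog_size=128, flood_rate_per_s=1000):
    """Fraction of legitimate connection attempts dropped in a 10 s window
    with a 60 s half-open timeout (the 'about one minute' of Section 3.2)."""
    accepted, dropped, _ = simulate_backlog(10_000, backlog_size, 60_000,
                                            flood_rate_per_s,
                                            legit_interval_ms=500)
    return dropped / (accepted + dropped)


if __name__ == "__main__":
    print("no flood:", simulate_backlog(10_000, 128, 60_000, 0, 500))
    print("1000 SYN/s:", simulate_backlog(10_000, 128, 60_000, 1000, 500))
    print("starvation ratio:", starvation_ratio())
    print("SYN/s that keep a 128-slot backlog full:", sustaining_rate(128, 60_000))
```

With a 128-entry backlog and a 60 s timeout the model fills the queue within the first 128 ms of a 1000 SYN/s flood, and every later legitimate SYN in the window is discarded; the same outcome needs only a little over two spoofed SYNs per second once the queue is full, which is why the defenses in Section 2 either shrink the per-entry state or avoid allocating it at all.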

4. THE DENDRITIC CELL ALGORITHM DCA

The DCA is based on the role and position of dendritic cells in the natural immune system as activators of the immune response [16]. It has been shown experimentally that dendritic cells (DCs) process danger signals, which are indicators of disorder in the tissues. Before introducing the DCA, the function of biological dendritic cells is explained; the algorithm itself is then clarified.

4.1. Dendritic Cells DCs

The immune system is a decentralized, robust, complex and adaptive system. It performs its function through the self-organized interaction of a diverse set of cell populations. Classically, immunology has focused on the body's ability to discriminate between protein molecules belonging to 'self' and 'non-self'. This traditional theory was challenged by the research of the immunologist Matzinger [5], who proposed a new model for the working of the natural immune system, since numerous problems had been uncovered with the self/non-self paradigm. For example, if the immune system is tuned to respond only to non-self, why do autoimmune diseases occur? Why do the intestines contain millions of bacteria, yet the immune system does not react against these colonies of non-self invaders? [17]. The DCA is inspired by the behavior of dendritic cells, whose primary role is that of professional antigen-presenting cells (APCs). DCs behave very differently from other immune system cells: they are APCs capable of fusing and processing multiple signals from separate sources, and their purpose is to collect, process and present antigen to T cells in the lymph nodes.

DCs exist in one of three states of differentiation at any point in time, termed immature, semi-mature and mature [17]. The mechanism by which DCs process signals is complicated; the three signal concentrations are fused within the cell to influence the resulting output. Fig. 3 outlines the DC states, their corresponding function and the differentiation pathways [18]. The direction of DC differentiation is determined by comparing the cumulative semi-mature and the cumulative mature output values. PAMPs (pathogen-associated molecular patterns) are molecules produced by microorganisms and indicate microbial presence or abnormality. Safe signals (SS) are the opposite of danger signals (DS) and are released as a result of normal, programmed cell death.


Figure 3. An abstract view of DC maturation and the signals required for differentiation. CKs denote cytokines.

If the cumulative semi-mature output is greater than the cumulative mature output, the DC becomes semi-mature; otherwise it becomes mature. A semi-mature DC assigns context '0' to the antigens it sampled, whereas a mature DC assigns context '1'. Each antigen type thus ends up with a string of binary contexts from which an anomaly coefficient, the MCAV (mature context antigen value), is calculated as the number of '1' contexts divided by the number of all contexts. A context of '1' means the DC handled an anomalous antigen; a context of '0' means it handled a normal one [16]. Inflammation signals are various immune-stimulating molecules that can be released as a result of injury. DCs are able to correlate the signal information with the collected antigen to provide a 'context' for categorizing the antigen. If the antigen is collected in an environment of danger and PAMP signals, the context of the cell is 'anomalous' and all antigen collected by the cell is deemed a potential intruder. Conversely, if the environment contains mainly safe signals, the context is 'normal' and all collected antigen is deemed non-threatening. The context is thus used to determine whether an antigen derives from a potential invader [17].

4.2. Algorithm Overview

Artificial Immune Systems have been applied to computer security problems since their development in the 1990s [19]. A recent addition to the AIS family is the DCA, which unlike other AISs does not rely on pattern matching of strings (termed antigen). The DCA was developed as part of an interdisciplinary project known as the 'Danger Project' [20]. Several key properties of DC biology are used to form the abstract model from which the DCA is derived: compartmentalization, differentiation, antigen processing, signal processing and populations. Compartmentalization provides two separate areas: the 'tissue', where sampling takes place, and the 'lymph node', where analysis takes place. In the lymph node, DCs present antigen coupled with context signals, which is interpreted and translated into an immune response. In the AISD system the focus is on the property of compartmentalization [17]. DCs are sensitive to differences in the concentration of various molecules found in their tissue environment [21]. The DCA is a population-based system, i.e. it works with a population of cells [17]. The purpose of the DCA is to correlate different data streams in the form of antigen and signals. It reports how anomalous a group of antigen is through an anomaly coefficient, the MCAV (mature context antigen value). The signals used are pre-normalized and pre-categorized according to the behavior of the monitored system; the categorization follows the four-signal model of PAMP, danger, safe and inflammation signals. The co-occurrence of antigen with high or low signal values forms the basis for categorizing the antigen data [17].

The output signal representing the costimulatory molecules (CSMs) is used as a marker of maturation, enforcing a limit on the time a cell spends sampling before migrating to the lymph node. The CSM value is incremented in proportion to the quantity of input signals received; the input signals are combined into the CSM value using a simple weighted sum. Once CSM reaches a 'migration' threshold, the cell stops collecting signals and antigen and is removed from the population for analysis [17]. Equation (1) shows the general form of the signal processing, where Pw are the PAMP-related weights, Dw the danger signal weights and Sw the safe signal weights.

In that generic form of the signal processing equation, Pn, Dn and Sn are the input signal values of the PAMP (P), danger (D) and safe (S) categories for all signals n of that category, assuming that there can be several signals per category, and I represents the inflammation signal. The sum is evaluated three times, once per output signal, to calculate the interim values of the CSM, semi-mature and mature output signals, and these values are summed cumulatively over time. The weights used are shown in Table 1 [18]. When a cell is removed from the population it is replaced by a new cell, keeping the population size static, and each DC is assigned a different migration threshold. Pseudocode for a single cell is given in Algorithm 1, DCA-1 [17].


Algorithm 1: DCA-1 Algorithm

input : signals from all categories and antigen
output: antigen plus context values (0/1)

initialise DC;
while CSM output signal < migration threshold do
    get antigen;
    store antigen;
    get signals;
    calculate interim output signals;
    update cumulative output signals;
end
cell location update to lymph node;
if semi-mature output > mature output then
    cell context is assigned as 0;
else
    cell context is assigned as 1;
end
kill cell;
replace cell in population;

Table 1. Weights used for signal processing

Output signal   PAMP   Danger Signal (DS)   Safe Signal (SS)
CSM              2             1                   2
Semi-mature      0             0                   3
Mature           2             1                  -3

Algorithm 2: DCA-2 Algorithm

input : list of antigen plus context values per experiment
output: MCAV coefficient per antigen type

for all antigen in total list do
    increment antigen count for this antigen type;
    if antigen context equals 1 then
        increment antigen type mature count;
    end
end
for all antigen types do
    MCAV of antigen type = mature count / antigen count;
end

The MCAV is the mean context value per antigen type; pseudocode for generating it is given in Algorithm 2, DCA-2 [17]. The antigens collected by each DC are logged together with the context of the cell, and an average context is calculated over all antigens of identical value or structure (the antigen type). The fraction of those antigens presented in the mature context forms the MCAV coefficient. The closer the MCAV is to 1, the more likely the antigen type is anomalous, because it was repeatedly collected in a context with high values of danger signals and PAMPs at the same time. The larger the number of antigens presented per type, the greater the confidence in the MCAV, since it is computed from a larger sample [17].

5. THE PROPOSED AISD SYSTEM

The AISD system can detect the launcher of a SYN flooding attack, the invader machine, among the other hosts in the network by monitoring the behavior of the attacking machine, of the other machines and of the network segment as a whole. These changes are observed through predefined host and network attributes related to the specific attack. As in the danger theory, a self cell may become dangerous and cause damage in the tissue; the same scenario can be produced by an insider intruder, a legitimate user who uses the system in an unauthorized manner. In the natural immune system the harmful self cell is suppressed during both the detection and the response process. Several components take part in these processes, such as B cells, T cells and DCs, but DCs play the main role, by monitoring the cells in the tissue and observing abnormalities in them.

5.1. System Design

The AISD system consists of two parts, corresponding to the two parts of the DCA, DCA-1 and DCA-2. Fig. 4 illustrates the modules of the AISD system, their distribution and their relationships from a high-level view.

5.1.1. module1_DCA

This module is based on the part DCA-1. It is replicated and distributed over all hosts of the monitored network segment; these modules can be considered static, low-level agents of the overall AISD system. The module1_DCA monitors, in the background, the behavior of the host it is responsible for and some general properties of the network segment. It executes all instructions of part DCA-1 of the algorithm and finally produces the context values for the host under its control, which it sends together with the antigen ID to the analysis center, DCA-2.

5.1.2. module2_DCA

This module is considered the lymph node of the network segment and is placed on the central host of the network. The module2_DCA receives the data sent to it and analyzes them to detect the intrusive host. This module executes all instructions of part DCA-2 of the algorithm and finally produces the MCAV values per antigen type. Based on the MCAV values, module2_DCA can discriminate an anomalous host from the other hosts in the network.
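The signal-processing sum of Section 4.2, the MCAV calculation and the two DCA parts as they are split between module1_DCA and module2_DCA can be exercised end to end in a few dozen lines. The following is an added example, not the paper's C# implementation. It assumes the interim output for each output signal is the Table 1 weighted sum multiplied by (1 + I), where I is the binary inflammation signal, because the page describes Equation (1) that way without reproducing it; the signal values, migration thresholds and the 0.5 cutoff are constructed for illustration.

```python
"""Added example, not the paper's C# implementation: the two DCA parts,
mirroring the AISD split. run_dca1() is what each host's module1_DCA does
for its own antigen (its IP address); run_dca2() is what the central
module2_DCA does with the (antigen, context) pairs it receives.

Assumption: the interim output is (Pw*P + Dw*D + Sw*S) * (1 + I) with the
Table 1 weights; the page does not reproduce Equation (1) itself."""
from collections import defaultdict

# Table 1: (PAMP, DS, SS) weight per output signal.
WEIGHTS = {"csm": (2, 1, 2), "semi": (0, 0, 3), "mat": (2, 1, -3)}


def interim_outputs(pamp, ds, ss, inflam):
    """Assumed form of Equation (1), evaluated once per output signal."""
    return {name: (pw * pamp + dw * ds + sw * ss) * (1 + inflam)
            for name, (pw, dw, sw) in WEIGHTS.items()}


class DendriticCell:
    """One cell of DCA-1: samples until CSM reaches its migration threshold."""

    def __init__(self, migration_threshold):
        self.threshold = migration_threshold
        self.csm = self.semi = self.mat = 0.0
        self.antigens = []

    def sample(self, antigen, pamp, ds, ss, inflam):
        """Store the antigen and accumulate the outputs; True once migrated."""
        self.antigens.append(antigen)
        o = interim_outputs(pamp, ds, ss, inflam)
        self.csm += o["csm"]
        self.semi += o["semi"]
        self.mat += o["mat"]
        return self.csm >= self.threshold

    def context(self):
        # semi-mature (normal) context is 0, mature (anomalous) context is 1
        return 0 if self.semi > self.mat else 1


def run_dca1(antigen, signal_stream, thresholds):
    """DCA-1 for one host. signal_stream holds per-tick (pamp, ds, ss, inflam).
    Every cell samples every tick; a migrated cell presents its stored
    antigens with its context and is replaced, keeping the population static.
    Returns the (antigen, context) pairs sent to the lymph node."""
    population = [DendriticCell(t) for t in thresholds]
    presented = []
    for signals in signal_stream:
        for i, cell in enumerate(population):
            if cell.sample(antigen, *signals):
                ctx = cell.context()
                presented.extend((ag, ctx) for ag in cell.antigens)
                population[i] = DendriticCell(cell.threshold)
    return presented


def run_dca2(presented):
    """DCA-2: MCAV per antigen type = mature count / antigen count."""
    count, mature = defaultdict(int), defaultdict(int)
    for antigen, ctx in presented:
        count[antigen] += 1
        mature[antigen] += ctx
    return {ag: mature[ag] / count[ag] for ag in count}


def anomalous_hosts(mcav, cutoff=0.5):
    """Hosts whose MCAV exceeds the cutoff (the cutoff is an assumption)."""
    return {ag for ag, v in mcav.items() if v > cutoff}


# Constructed 30-tick signal streams (normalised 0-100, IS binary).
NORMAL = (0, 10, 60, 0)       # few SYNs, large packets, quiet segment
ATTACK = (80, 70, 10, 1)      # unanswered SYNs, 40-byte packets, stress
STRESSED = (0, 10, 60, 1)     # normal host while the segment is under attack
ATTACKER_STREAM = [NORMAL] * 5 + [ATTACK] * 20 + [NORMAL] * 5
BENIGN_STREAM = [NORMAL] * 5 + [STRESSED] * 20 + [NORMAL] * 5
THRESHOLDS = (300, 600, 900)


def demo():
    """Run both hosts' module1_DCA and the central DCA-2; returns the MCAVs."""
    presented = (run_dca1("10.0.0.5", ATTACKER_STREAM, THRESHOLDS)
                 + run_dca1("10.0.0.7", BENIGN_STREAM, THRESHOLDS))
    return run_dca2(presented)


if __name__ == "__main__":
    mcav = demo()
    print(mcav, "anomalous:", anomalous_hosts(mcav))
```

Two things worth noticing when running it: the benign host's MCAV stays at 0 even while the inflammation signal is raised for the whole segment, because with the Table 1 weights a high safe signal keeps the semi-mature output above the mature output regardless of I; and the attacker's MCAV is well below 1 (about 0.66 here) because the cells that migrate across the boundary of the attack window carry antigens sampled in both contexts, which is the averaging the MCAV is designed to absorb.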

5.2. Signals

The designed DCA-based system needs correct and appropriate data from the problem domain for its input space, comprising both signals and antigens. Signals map the state of the hosts in the network and the general behavior of the network. Three signal categories, PAMPs, DSs (danger signals) and SSs (safe signals), define the state of the host system, together with a further input signal, IS (inflammatory signal), that represents the state of network stress. These signals are collected by a sniffing procedure in the module1_DCA. The raw signals are derived from pre-selected attributes observed at the network interface card (NIC) and are then normalized into the input signals. The normalized signals lie in the range 0-100 for PAMP and DS, with SS having a reduced range and IS being a binary value. Following the description of the four input signals of module1_DCA (part DCA-1 of the algorithm), the following signals are selected from the problem domain, the SYN flooding attack:

PAMP signal: obtained from data sources that indicate the existence of a SYN flooding attack from a host.

DS signal: derived from properties that denote changes in the host behavior. Low values of this signal need not be anomalous.

SS signal: also derived from changes in the host behavior, but high levels of this signal indicate that the changes have little effect.

IS signal: a simplified binary signal indicating a state of disturbance in the network segment.

Figure 4. Modules Of The AISD System

The module1_DCA receives the normalized input signals after the attribute selection and signal derivation processes. During the experiments carried out, and from the description of the problem above, it was observed that a SYN flood attack causes notable changes both in the behavior of the host it originates from and in the general behavior of the network. The four signals are derived as follows:

PAMP signal: referring back to Fig. 1 and 2, during the attack there is a notable change in the rates of outgoing SYN and ACK packets. Depending solely on this variance would be ineffective, because the attacker can easily defeat the detector by sending ACK packets from the host at the same time. Therefore another attribute is used: the variance between the rate of outgoing SYN packets and the rate of incoming SYN/ACK packets.

DS signal: derived from the property that the number of outgoing SYN packets from the attacker increases.

SS signal: derived from the fact that the average size of the outgoing packets from the attacker host drops to 40 bytes (a 20-byte IP header plus a 20-byte TCP header, i.e. a SYN with no options or payload) during a limited time window. This signal plays a remarkable role in reducing false alarms in the detection process.

IS (inflammatory) signal: a binary signal indicating a state of disturbance in the network.

After selection the signals are normalized and passed to module1_DCA. A step function is used to obtain the final signal values; the normalization range is 0 to 100.
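The derivation just described, from raw NIC attributes to step-normalized signals, can be shown on two constructed capture windows. This is an added example, not the paper's Signal Generator and Normalizer. One point it makes explicit: packet direction must come from the capture side of the NIC, not from the IP source field, because the attack SYNs carry forged source addresses. The step boundaries, the 40-byte rule as implemented, and the segment-wide SYN share used for IS are assumptions for illustration; the page only names the attributes and the 0-100 range (SS reduced, IS binary).

```python
"""Added example, not the paper's module1_DCA code: deriving the four input
signals of Section 5.2 for one monitored host from the packets captured on
its NIC during one window, then normalising them with a step function.
All numeric boundaries are assumptions; the windows are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = left this host's NIC, "in" = arrived at it
    flags: str       # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A", "PA"
    size: int        # IP packet length in bytes


def step(value, levels, top):
    """Step-function normaliser: the first (bound, level) with
    value <= bound wins, otherwise top."""
    for bound, level in levels:
        if value <= bound:
            return level
    return top


def derive_signals(window):
    """Return normalised (PAMP, DS, SS, IS) for one window of Packet objects."""
    out = [p for p in window if p.direction == "out"]
    syn_out = sum(1 for p in out if p.flags == "S")
    synack_in = sum(1 for p in window
                    if p.direction == "in" and p.flags == "SA")
    avg_out_size = sum(p.size for p in out) / len(out) if out else 0.0
    syn_share = (sum(1 for p in window if p.flags == "S") / len(window)
                 if window else 0.0)

    # PAMP: outgoing SYNs that got no SYN/ACK back (the rate variance of
    # Section 5.2). With forged sources the SYN/ACKs never reach this NIC.
    unanswered = max(0, syn_out - synack_in)
    pamp = step(unanswered, [(2, 0), (10, 25), (50, 50), (200, 75)], 100)
    # DS: growth of the outgoing SYN count; low values are not anomalous.
    ds = step(syn_out, [(5, 0), (20, 25), (60, 50), (200, 75)], 100)
    # SS: high while outgoing packets keep a normal size, 0 when they
    # shrink to 40 bytes (bare IP + TCP headers). Reduced range, max 60.
    ss = step(avg_out_size, [(44, 0), (100, 20), (300, 40)], 60)
    # IS: binary segment-wide disturbance, here "SYNs dominate the segment".
    inflam = 1 if syn_share > 0.5 else 0
    return pamp, ds, ss, inflam


# Constructed window 1: a host browsing a web server (three handshakes
# completed, then data exchange in both directions).
NORMAL_WINDOW = (
    [Packet("out", "S", 40), Packet("in", "SA", 44), Packet("out", "A", 40)] * 3
    + [Packet("out", "PA", 500)] * 20
    + [Packet("in", "PA", 1460)] * 20
)

# Constructed window 2: the same host flooding the server with bare SYNs;
# the SYN/ACKs go to the forged sources, so none come back to this NIC.
ATTACK_WINDOW = [Packet("out", "S", 40)] * 300 + [Packet("in", "PA", 1460)] * 5


if __name__ == "__main__":
    print("normal:", derive_signals(NORMAL_WINDOW))
    print("attack:", derive_signals(ATTACK_WINDOW))
```

A host that merely opens many short connections (a port scanner or a busy crawler) would raise DS and lower SS but still receive its SYN/ACKs, so PAMP stays low; that separation is why the paper uses the outgoing-SYN versus incoming-SYN/ACK variance rather than the SYN rate alone.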

5.3. Antigens

Intrusion detection would be incomplete using only the four signals; the module1_DCA needs further data, the antigen names, to be correlated with the signals as the suspect data. An antigen name is allocated to each host in the network segment and is expressed by the host's IP address. These antigen names are used in the analysis stage in the lymph node of the network segment, the central analysis host. This stage involves calculating the anomaly coefficient per antigen type, the MCAV value, which lies in the range zero to one: the closer it is to one, the more likely the antigen type is anomalous.


6. IMPLEMENTING AISD SYSTEM

For the implementation stage the AISD system was programmed in C# 2008 with .NET Framework 3.5, using both Winsock and multithreading. The experimental data consist of network flow data captured online from the Network Interface Cards (NICs). The overall system architecture is implemented in the client/server model: module2_DCA on the central analysis host is the server, and the module1_DCA modules on the remaining hosts are the clients.

6.1. Implementing Module module1_DCA

This module is implemented as the client, sits on the NIC of the host, and has three submodules:

Packet Sniffer: this submodule reads all packets passing through the NIC after putting it into promiscuous mode.

Signal Generator and Normalizer: this submodule periodically computes, derives and normalizes the input signals to module1_DCA. The prepared signals are logged in a temporary table called the Tissue Signals Table (TST), where they remain to be used by the population of DC cells.

Main module, population of DC cells: the previous two submodules prepare the work of this one. The instructions of part DCA-1 of the algorithm are followed here. The outputs of this submodule are antigen names, which are host IP addresses, and the context values of the DC cells, passed to the analysis center on the central host.

6.2. Implementing Module module2_DCA

This module implements the second part of the DCA algorithm, DCA-2, and is programmed as a multithreaded server. It continuously receives context values and antigen names and appends them to a table named the Ag-Context Table (ACT). Simultaneously the module computes the MCAV values for the hosts of the network segment.

7. EXPERIMENTS

The aim of these experiments is to test the efficiency and suitability of the designed AISD system for detecting internal intrusion incidents. Some preparation and configuration is required to build an adequate environment.

7.1. Network Design and Configuration

All experiments were performed in an experimental laboratory network that mimics the global network, the Internet. The system was designed, implemented and tested under Microsoft Windows with the IPv4 TCP/IP protocol suite; the hosts run Windows XP SP2. The attacker host, placed in a Local Area Network (LAN), targets the victim host, which is a web server on the presumed Internet or an internal server; the system modules have been distributed beforehand over the LAN hosts. The victim web server runs Windows 2000 Server, and the exposed service is the Apache HTTP Server that hosts the web sites on the victim machine.

7.2. Experimenting Scenario

The designed system was tested in online mode. The experiments follow this scenario: after configuring all hosts and distributing the system modules among them, the designed network is turned on. The hosts in the internal network segment start their normal use of the TCP service on the web server by browsing the sites hosted on it. Meanwhile the AISD modules are running on the network hosts: module2_DCA on the central analysis host, and module1_DCA on every other host, including the infected (invader) host.

The invader host then starts its SYN flood attack against the victim machine, the web server; the attack can run for 10 minutes or as long as the attacker wants. Throughout, the module1_DCA on the invader host monitors its behaviour through a population of cells fed by input signals taken from the host's NIC. The main property of the packets sent to the victim host is that their source IP addresses are faked and unreachable, taking one of the following forms:

a) A faked, unknown and unreachable IP address in the network,

b) An actual, known IP address in the network that is nevertheless unreachable while the attack is in progress,

c) An actual, known and reachable IP address in the network that is still not the real IP address of the attacker host.

Which type of source address the attacker chooses makes no difference to the outcome of the flooding attack: the victim host never completes the 3-way handshake.


The rest of the hosts use the TCP service on the web server legitimately, i.e. their packets carry their correct source IP addresses.

During this time the modules of the designed system do their predetermined jobs. The module1_DCA instances monitor the behaviour of their assigned hosts and the common status of the network, then send antigen names and context values to module2_DCA, the analysis center, which analyzes the received data periodically, every 60 seconds.

Finally, module2_DCA calculates the MCAV value for each antigen type, i.e. each host. The host whose MCAV value is closest to 1 is the most likely to be anomalous, as its antigen was most frequently collected in a context with high values (concentrations) of the PAMP and DS signals. The attacker host is thus identified and announced by a notification alarm.
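The pipeline of Sections 6.1 and 6.2 and the scenario above, condensed into one runnable model. This is an added example, not code from the AISD system. Everything not stated on the page is an assumption: the mapping of handshake counts to the PAMP, danger and safe signals (the paper's exact attribute-to-signal mapping is not reproduced here), the normalization cap, the per-cell migration thresholds, and the output weights, which are the commonly published DCA weights of Greensmith et al. rather than necessarily the ones AISD uses. The traffic counts are constructed. As in AISD, each host runs its own DC population over its own antigen (the host name standing in for its IP address) with a segment-wide danger signal, and the analysis center turns the collected context values into one MCAV per host.

```python
"""Single-process model of AISD: signals -> DC population (DCA-1) -> MCAV (DCA-2).
Added example; signal mapping, cap, thresholds and weights are assumptions."""
from collections import defaultdict

SYN_CAP = 200.0  # assumed: this many SYNs in one cycle saturates a signal

# Assumed DCA output weights over (PAMP, danger, safe): csm drives migration,
# semi-mature and mature compete to decide the context at migration time.
WEIGHTS = {
    "csm":  (2.0, 1.0, 2.0),
    "semi": (0.0, 0.0, 1.0),
    "mat":  (2.0, 1.0, -1.5),
}


def derive_signals(syn_sent, ack_completed, segment_syns):
    """Signal Generator and Normalizer: one cycle of a host's handshake counts
    plus a segment-wide SYN count -> normalised (PAMP, DS, SS) in [0, 1].
    Assumed mapping: PAMP = half-open handshakes this host opened (SYN sent,
    never completed); danger = SYN pressure on the whole segment, shared by
    every host's population; safe = share of this host's handshakes completed."""
    syn_sent = max(syn_sent, 1)
    half_open = syn_sent - ack_completed
    pamp = min(half_open / SYN_CAP, 1.0)
    danger = min(segment_syns / SYN_CAP, 1.0)
    safe = ack_completed / syn_sent
    return (pamp, danger, safe)


class DendriticCell:
    """One DCA-1 cell: accumulates weighted signals while collecting antigens;
    when csm reaches its migration threshold it labels every collected antigen
    with one context (1 = mature/anomalous, 0 = semi-mature/normal), then resets."""

    def __init__(self, migration_threshold):
        self.threshold = migration_threshold
        self._reset()

    def _reset(self):
        self.out = {name: 0.0 for name in WEIGHTS}
        self.antigens = []

    def expose(self, antigen, signals):
        self.antigens.append(antigen)
        for name, weights in WEIGHTS.items():
            self.out[name] += sum(w * s for w, s in zip(weights, signals))
        return self._migrate() if self.out["csm"] >= self.threshold else []

    def _migrate(self):
        context = 1 if self.out["mat"] > self.out["semi"] else 0
        emitted = [(antigen, context) for antigen in self.antigens]
        self._reset()
        return emitted


def module1_dca(host, cycles, thresholds=(1.5, 4.0, 7.0)):
    """Per-host DCA-1: every cell of this host's population sees every cycle;
    differing (assumed) thresholds make cells migrate at different moments.
    cycles: iterable of (syn_sent, ack_completed, segment_syns).
    Returns the (antigen, context) pairs sent to the analysis center."""
    cells = [DendriticCell(t) for t in thresholds]
    emitted = []
    for syn_sent, ack_completed, segment_syns in cycles:
        signals = derive_signals(syn_sent, ack_completed, segment_syns)
        for cell in cells:
            emitted.extend(cell.expose(host, signals))
    return emitted


def module2_dca(ag_context_table):
    """DCA-2: MCAV per antigen = share of its context values that were 1."""
    totals, mature = defaultdict(int), defaultdict(int)
    for antigen, context in ag_context_table:
        totals[antigen] += 1
        mature[antigen] += context
    return {antigen: mature[antigen] / totals[antigen] for antigen in totals}


# Constructed traffic for one six-cycle analysis window. The flood starts in
# cycle 3: Comp2 sends SYNs from spoofed sources so none complete, and the
# victim's slowness also costs Comp1 some handshakes in cycles 4 and 5.
SEGMENT_SYNS = [22, 20, 815, 1215, 960, 614]
HOST_COUNTS = {                       # (syn_sent, ack_completed) per cycle
    "Comp1": [(12, 12), (9, 8), (15, 14), (20, 4), (12, 5), (14, 13)],
    "Comp2": [(10, 10), (11, 11), (800, 0), (1200, 0), (950, 0), (600, 0)],
}


def run_window():
    """Run every host's module1_DCA over the window and analyse the ACT."""
    ag_context_table = []
    for host, counts in HOST_COUNTS.items():
        cycles = [(s, a, seg) for (s, a), seg in zip(counts, SEGMENT_SYNS)]
        ag_context_table.extend(module1_dca(host, cycles))
    return module2_dca(ag_context_table)


if __name__ == "__main__":
    for host, mcav in sorted(run_window().items(), key=lambda kv: -kv[1]):
        print(f"{host}: MCAV = {mcav:.3f}")
```

With these inputs the flooding host Comp2 gets the higher MCAV. Comp1 does not come out at exactly zero, because its handshakes also suffer while the victim is flooded and the segment-wide danger signal is shared; that is the tolerance behaviour of Section 7.3.2. Feeding the completed-handshake fraction in as PAMP and the half-open count in as safe, the swap of Exp.3 in Table 2, reverses the verdict for these values, which is why that mapping performs badly.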

7.3. Results of Experiments

The AISD system was put through two series of experiments following the scenario above. The first verified the precise use of the two parts of the DCA algorithm, DCA-1 and DCA-2, by selecting the most accurate attributes of host and network behaviour and passing them to the algorithm as input signals. The second tested the system's ability to detect the handled problem, measuring the agreement of the intrusion detection process with the real attacker and the avoidance of false alarms.

7.3.1. Testing precision of system inputs

The aim of these experiments is to vary the mapping of input signals to the algorithm in order to evaluate the validity of the selected mapping. Alternative mappings were obtained by exchanging the PAMP, DS and SS signals, and the rate of false alarms was observed for each. Table 2 shows the swaps of input signals and the ratio of true alarms observed per experiment.

The experiments showed that the first, selected mapping of signals yields the lowest ratio of false alarms from the designed intrusion detection system. Swapping the PAMP and DS signals (Exp.2) did not lose much detection accuracy compared with the selected mapping, because both signals affect the DC cell population in the same direction. Swapping the PAMP and SS signals (Exp.3), by contrast, led to low performance, because the two signals are processed differently by the signal processing function of the algorithm.

7.3.2. Testing detection accuracy of the system

After selecting the proper system inputs from the experiments above, and following the scenario described, the invader host is detected by module2_DCA at the end of the first analysis cycle, which completes 60 seconds after the attack starts.

The response mechanism consists of module2_DCA on the central host of the network segment sending a command message to the static agent module1_DCA on the invader host, instructing it to reset that host or turn it off; module1_DCA carries out the command on receipt.
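An authenticated form of that command message, added here as an example and not part of the AISD protocol: the page does not say how the reset/power-off order is protected, and an agent that resets its host on any message it receives would itself be a denial-of-service lever for anyone on the segment. The wire format, the HMAC-SHA256 tag, the nonce, the clock-skew window and the shared key are all assumptions of this example.

```python
"""Authenticated AISD-style response command: module2_DCA (center) builds it,
module1_DCA (agent on the accused host) verifies it before acting.
Added example; message format, key handling and skew window are assumptions."""
import hashlib
import hmac
import json
import os
import time

ACTIONS = {"reset", "poweroff"}
MAX_SKEW = 30          # assumed tolerated clock difference in seconds
SEP = b"|"             # assumed separator between JSON payload and hex tag


def build_command(action, target_ip, key, now=None, nonce=None):
    """Center side: sign {action, target, ts, nonce} with a key shared with the agent."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    body = {
        "action": action,
        "target": target_ip,
        "ts": int(time.time() if now is None else now),
        "nonce": (os.urandom(8) if nonce is None else nonce).hex(),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + SEP + tag


def verify_command(message, key, my_ip, seen_nonces, now=None):
    """Agent side: return the action to carry out, or None if the message must
    be ignored (bad tag, wrong target, unknown action, stale, or replayed)."""
    payload, sep, tag = message.rpartition(SEP)
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    try:
        body = json.loads(payload)
    except ValueError:
        return None
    if body.get("target") != my_ip or body.get("action") not in ACTIONS:
        return None
    current = int(time.time() if now is None else now)
    if abs(current - int(body.get("ts", 0))) > MAX_SKEW:
        return None
    if body["nonce"] in seen_nonces:                 # replay of a valid order
        return None
    seen_nonces.add(body["nonce"])
    return body["action"]


if __name__ == "__main__":
    key = os.urandom(32)                             # provisioned out of band
    seen = set()
    msg = build_command("reset", "10.0.0.7", key)
    print(verify_command(msg, key, "10.0.0.7", seen))   # reset
    print(verify_command(msg, key, "10.0.0.7", seen))   # None: replayed
```

The agent must keep the nonce set across messages within the skew window, otherwise a captured order could be replayed against the same host, and the key must be provisioned to each module1_DCA out of band; neither is provided by the SYN-flood detection itself.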

After the response, module2_DCA also shows a detection report for the intrusion detection process in the network. The report includes the detection time, the faked IP address used by the attacker host, the host's anomaly coefficient (MCAV value) and the selected response type. Table 3 shows the anomaly detection values in the five experiments.

Table 3 gives MCAV values for two hosts in the network. Comp1 behaves normally towards the web server. Comp2 behaves abnormally towards the web server and is the attacker host in the network segment.

Comp2's larger MCAV values indicate that, within a single analysis cycle, the context values sent by the module1_DCA on Comp2 to module2_DCA contained a larger share of 1s than 0s, while those sent by the module1_DCA on Comp1 contained a larger share of 0s than 1s. That is, the behaviour of Comp2 was anomalous relative to the other hosts during the attack.

This information is also displayed in Fig. 5, which shows how well the proposed DCA-based system discriminates abnormal from normal hosts in the internal network. The MCAV values for Comp2 are higher than those for Comp1 in all experiments; hence the system tolerates the Comp1 host.

Table 2. Swapping The Inputs Of The Algorithm

Experiment   PAMP input signal   Danger input signal   Safe input signal   True alarms ratio
Exp.1        PS                  DS                    SS                  100%
Exp.2        DS                  PS                    SS                  80%
Exp.3        SS                  DS                    PS                  40%

(PS, DS and SS denote the PAMP, danger and safe signals derived from host and network behaviour; Exp.1 is the selected mapping.)


Table 3. MCAV, Anomaly Values In Experiments

Figure 5. MCAV Values For Comp1 And Comp2 Hosts Per Experiments

8. CONCLUSIONS

In this paper we have applied the DCA to the detection of a TCP SYN flooding attack. The paper describes the selected problem and the designed system, AISD, which detects the generator of the attack. AISD draws on selected behaviours of the hosts and on the general behaviour of the network segment.

The components of AISD are replicated and distributed among the hosts of the network segment, together with a central analysis module. The experimental results showed that AISD is sensitive to the SYN flooding attack and is able to discriminate between normal and abnormal host behaviour in an internal network.

Additionally, the selected mapping of inputs was tested against other mappings; it has the highest true alarm ratio, and the choice of mapping has a significant effect on the results of the intrusion detection process.

Testing the performance of the system showed that it offers in-time detection and an active response against the generator of the attack. It can also detect abuse of authorized users' privileges from their hosts in the network segment. The system is scalable, in that it accepts any host newly added to the network, and lightweight, in that it works in listening mode.

ACKNOWLEDGMENT

The authors gratefully acknowledge the Department of Computer Science in the College of Computer Science and Mathematics at the University of Mosul for encouraging and supporting this work with their facilities. The authors would also like to thank Dr. Omar Al-Dabbagh, Ali Husain and Zaid Abd-Alilah for their useful comments, suggestions and directions.

REFERENCES

[1] B. Lim and Md. Safi Uddin, “Statistical-based SYN-flooding Detection Using Programmable Network Processor”, in Proceedings of IEEE International Conference on Information Technology and Applications ICITA, July 2005.

[2] L. De Castro and J. Timmis, ARTIFICIAL IMMUNE SYSTEMS: A NEW COMPUTATIONAL INTELLIGENCE APPROACH, 1st Edition, Springer-Verlag, London. UK., 2002.

[3] J. Kim, P. Bentley, U. Aickelin, J. Greensmith, G. Tedesco, and J. Twycross, “Immune System Approaches to Intrusion Detection - A Review”, In 3rd International Conference on Artificial Immune Systems ICARIS, 2004.

[4] J. Greensmith, "The Dendritic Cell Algorithm", PhD Thesis, University of Nottingham, 2007.

[5] P. Matzinger, "The Real Function of the Immune System", Available: http://cmmg.biosci.wayne.edu/asg/polly.html, 2004.

[6] S. Mukkamala, A. Sung and A. Abraham, "Cyber Security Challenges: Designing Efficient Intrusion Detection Systems and Antivirus Tools", Dept. of C.S., New Mexico Tech, USA, 2004.

[7] J. Lemon, "Resisting SYN flood DoS attacks with a SYN cache", In Proceedings of the BSDCon Conference, Feb.,2002.

[8] C. Nesson and A. Ramasastry, "Cybercrime", Technical Report, Berkman Center for Internet & Society, Harvard University, 2002.

[9] D. Bernstein and E. Shenk, "SYN cookies" Available: http://cr.yp.to/syncookies.html, 1996.

Table 3. MCAV, Anomaly Values In Experiments

Experiment   MCAV, Comp2 (attacker)   MCAV, Comp1 (normal)
Exp.1        0.833                    0.333
Exp.2        0.500                    0.166
Exp.3        1.000                    0.500
Exp.4        0.667                    0.166
Exp.5        1.000                    0.333


[10] Check Point Software Technologies Ltd., "TCP SYN Flooding Attack and the FireWall-1 SYNDefender", Available: http://www.checkpoint.com/products/firewall-1, 1996.

[11] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram and D. Zamboni, "Analysis of a Denial of Service Attack on TCP", In Proceedings of IEEE Symposium on Security and Privacy, pages 208–223, May 1997.

[12] Lemon J., "Resisting SYN flood DoS attacks with a SYN cache", In Proceedings of the BSDCon Conference, 11-14 Feb. 2002.

[13] Xiao B., Chen W., He Y. and Sha E., "An Active Detecting Method Against SYN Flooding Attack", Dept. of Computing The Hong Kong, Polytechnic University, Hung Hom, Kowloon, Hong Kong, 2004.

[14] B. A. Forouzan, TCP/IP PROTOCOL SUITE, 3rd Edition, networking series, The McGraw-Hill Companies, Inc., 2006.

[15] A. Noureldien and M. Izzeldin, "A Method for Defeating DoS/DDoS TCP SYN Flooding Attack The SYNDEF", College of Technological Sciences, Omdurman, Sudan, 2001.

[16] D. Dasgupta, and L. F. Niño, IMMUNOLOGICAL COMPUTATION: THEORY AND APPLICATIONS, 1st Edition, CRC press Taylor & Francis Group, LLC., 2009.

[17] J. Greensmith, U. Aickelin, and S. Cayzer, "Detecting Danger: The Dendritic Cell Algorithm", to appear in 'Robust Intelligent Systems' edited book, 2008.

[18] J. Greensmith, U. Aickelin, and J. Twycross, "Articulation and Clarification of the Dendritic Cell Algorithm", In ICARIS-06, LNCS 4163, pages 404-417, Oeiras, Portugal, 2006.

[19] D. Dasgupta, ARTIFICIAL IMMUNE SYSTEMS AND THEIR APPLICATIONS, 1st Edition, Springer – Verlag, 1999.

[20] U. Aickelin, P. Bentley, S. Cayzer, J. Kim , and J. McLeod, "Danger theory: The link between AIS and DS". In Proceedings of the 2nd International Conference on Artificial Immune Systems (ICARIS), LNCS 2787,pages 147-155. Springer-Verlag, 2003.

[21] J. Greensmith, U. Aickelin, and S. Cayzer, "Introducing Dendritic Cells as a Novel Immune-Inspired Algorithm for Anomaly Detection", In Proceedings Of the 4th International Conference on Artificial Immune Systems (ICARIS), LNCS 3627, pages 153–167. Springer-Verlag, 2005.
