A Defense Security Approach For Infrastructures Against Hacking

Department of Computer Science & Engineering, Vidya Academy of Science & Technology, Thrissur

Uploaded by sreejap1 on 02-Oct-2015


CHAPTER 1

INTRODUCTION

Advances in communication technologies, as an underlying infrastructure, have become an essential aid to the business industry, easing access to information and the exchange of data. Handling and delivering data at very high speed and efficiency has become a crucial requirement for businesses. But reliance on these technologies comes with great risk. Communication protocols were initially designed to meet requirements such as speed, performance, efficiency and reliability; security was not a concern at that time. One of the major security concerns is hacking. Hacking is a term used to describe the attitude and behavior of a group of people who are heavily involved in technical activities which, more commonly today than in previous years, result in gaining unauthorized access. Hacking of computer systems might lead to loss of money, leakage of sensitive information and loss of reputation. Many security solutions have been suggested and practically deployed to reduce the risk of hacking. However, recent successful hacking attempts prove the inability of these systems to address the issue.

The aim is to design a dynamic security approach in order to defend against hacking. This security approach is designed to eliminate the possibility of hacking by targeting the three pre-hacking steps at the network level: footprinting, scanning and enumeration. These are the three basic steps of hacking, which give a detailed understanding of the targeted infrastructure. The core concept is to make the underlying communication infrastructure hard to investigate and thus nearly impossible to break. The conceptual design of this approach addresses hacking by providing ambiguity and obfuscation in the communication within the infrastructure, which targets the three pre-hacking steps.

1.1 Summary

The rest of the seminar report is structured as follows: Chapter 2 presents the general background of hacking and the three pre-hacking phases, Chapter 3 presents related security approaches and their limitations, and Chapter 4 describes the proposed trusted graph approach and its design. Chapter 5 presents the demonstration of the proposed approach. Chapter 6 presents the conclusion.

CHAPTER 2

GENERAL BACKGROUND

Attacking is a general term that refers to all non-authorized activities directed towards technologies in general, whether for causing damage or breaking into systems. Hacking is the most sophisticated attack in that category; it aims to study all aspects of the technologies in most infrastructures and to explore the vulnerabilities in them. Hacking means gaining unauthorized access to computer and network resources with malicious intent. People who hack computers are known as hackers. Hackers break into computer systems by exploiting security vulnerabilities, such as poor configuration of web servers, disabled security controls or poorly chosen passwords. The basic requirement for participating in hacking is broad knowledge of operating systems, networks, communication protocols, security postures and application errors.

2.1 The Behavior of Hackers

Before the real fun for the hacker begins, three essential pre-hacking steps must be performed. They are:

Footprinting

Scanning

Enumeration

2.1.1 Footprinting

The initiation of the whole hacking process is called footprinting. It is a crafted technique for gathering information. This phase is the first of the three pre-hacking phases hackers use to learn as much as possible about a target before attempting the first attack. It consists of collecting data about the target from all possible sources, online and offline. A hacker at this stage is trying to understand how a potential victim operates. It is about narrowing down the target of interest and investigating every entity related to the target. At this step, the hacker obtains a unique profile of their target. Footprinting is one of the most important steps and it must be performed accurately and in a controlled fashion.

2.1.2 Scanning

From the previous step, the hacker has a unique profile of their target. That profile lists enough information about the victim, such as a list of IP addresses and network blocks. From that point, the hacker starts sending packets to the victim's systems looking for a point of entry. Hackers perform scanning until they discover one or more targets, and they stop scanning and move to enumeration whenever they want, based on the purpose of their attack.

2.1.3 Enumeration

At the final stage, the hacker has effectively recognized points of entry. Before forming their hacking strategies, they intensely probe the spotted services looking for known weaknesses or discovering new vulnerabilities. Enumeration often starts with operating system identification, followed by application identification, and then extracting information from the discovered services. Enumeration, then, is the discovery and listing of potential attack targets. It is a process that includes active engagement and direct queries with the target's systems, giving it a higher level of intrusiveness than scanning.

Fig.1 Pre-hacking phases

CHAPTER 3

RELATED SECURITY APPROACHES

In this section, the various existing security approaches for defending against hacking are described. There are many security solutions used for defending against hacking. These solutions are generally classified under two general categories. They are:

Passive Defense Systems

Active Defense Systems

3.1 Passive Defense Systems

Passive Defense Systems are security approaches that preclude or minimize all defined or common cyber attacks in the first place when there are hacking attempts. The Passive Defense Systems that are under consideration here are:

Firewalls

Intrusion Detection System (IDS)

3.1.1 Firewalls

Firewalls are crucial elements in network security and are safety-critical systems that secure most private networks. A firewall is a software or hardware device installed at the point where a network connection enters an internal network. Sets of rules, called the policy, are applied to control the type of network traffic flowing in and out of the systems. Firewall security systems are designed to stop unwanted or suspicious traffic from flowing into the internal network, which would ensure that hackers have no access to the internal network. Thus, the basic function of a firewall is to regulate the flow of traffic between computer networks of different trust levels: it examines each incoming and outgoing packet and decides whether to accept or discard the packet based on its policy. The conceptual model of a firewall provides the ability to manage every sub-network separately and gives every department the capability to manage its own sub-network according to its policies and requirements. This management feature escalates the importance of firewalls as a building block of any network design. To make a decision about a packet, the packet is examined under a sequence of rules; then the firewall generates the decision, which is applied to the packet. Firewalls as a security technology fall into four types based on the filtering algorithm and the operation layer (IP, transport or application layer): packet filtering, circuit gateway, application gateway and hybrid firewalls.

3.1.1.1 Limitations of Firewalls

Despite the fact that the firewall is one of the building blocks of any network design, there are limitations to using it as the one and only line of defense. Some of them are:

Technical capability of firewall designers - Depending on the technical capability of firewall designers, errors might be introduced if a firewall designer is not highly trained and experienced. The succession of malicious viruses and worms such as Blaster and Sapphire implies that most firewall breaches are caused by configuration errors.

Firewall policy errors - Due to the lack of tools for analyzing firewall policies, most firewalls on the Internet have been plagued with policy errors. A firewall policy error either creates security holes that allow malicious traffic to sneak into a private network, or blocks legitimate traffic and disrupts normal business processes, which in turn could lead to irreparable, if not tragic, consequences.

Cannot protect against inside attacks - Even the modern design of firewalls, which demands the distribution of firewalls within the organization's network, fails because of the complex protection requirements. What makes the situation even worse is that every host has a limited number of users and all of them are treated as trustworthy, so inside attacks such as IP spoofing, packet sniffing and denial-of-service remain possible.

3.1.2 Intrusion Detection System (IDS)

The goal of intrusion detection is to identify unauthorized use, misuse and abuse of computer systems by both system insiders and external penetrators. Intrusion detection provides real-time warnings for a computer information system by monitoring and analyzing any attempts to access the system. Intrusion detection fires an alarm when attackers try to exploit vulnerabilities in software to open a backdoor into it. The conceptual model of IDS was introduced as a real-time defense system to detect intruders inside networks, as well as unauthorized use, abuse and misuse of computer systems. Basically, it has been designed and proposed under the assumption that a normal user's behavior is completely different from an intruder's, so the gap between their behaviors is the key to spotting an intrusion. IDS has the ability to analyze, detect intrusions, recognize the source of an attack and alleviate the effect of most unexplored attacks. IDS obtains data from the different sources that make up a network infrastructure (networks and hosts), and that differentiation creates a classification for IDS: Network-based IDS, Host-based IDS and Hybrid IDS. Host-based IDS adds an extra layer of security for a host. It uses operating system information, such as user logs and software activity, to determine attacks. Network-based IDS monitors the network traffic at some place on the network and checks each packet to detect illegitimate traffic. There are basically two types of detection techniques:

Anomaly detection technique

Misuse detection technique

The anomaly detection technique applies the concept of collecting user profiles and defining them as normal behaviors or normal patterns. Then, in real time, the IDS analyzes current user sessions and maps them against the defined normal behaviors to recognize abnormal activities. The normal behavior varies depending on the workload and the number of operations and activities performed by users. The misuse detection technique defines the basic techniques used by attackers and models them into the system as signatures. In that case, the system processes all streamed audit files searching for these signatures.

3.1.2.1 Limitations of Intrusion Detection Systems

Anomaly intrusion detection systems produce a large number of false positive alerts. Furthermore, the dynamic feature that is supposed to detect new forms of attack is very difficult to realize in practice. In other words, an IDS detects only the modeled attacks and disregards any newly invented attacks. Since attackers are able to change some information to deceive the IDS, such as the port number, sequence number or protocol indicator, an attack can pass the IDS and achieve the same result without being noticed. False positive alerts can also overload the victim's network: a hacker injects the target's network with common modeled attacks, causing the IDS to generate detection alerts, which regularly overloads the network. This attacking strategy is used to hide the real breaching path into the systems by mixing it with the fake false positive alerts, simply to divert attention from the real attack.

3.2 Active Defense Systems

Active Defense Systems are considered more advanced security approaches that detect common and some new intrusions and actively respond to these attacks. The Active Defense Systems that are under consideration here are:

Intrusion Detection and Prevention System (IDP)

Honeypot

3.2.1 Intrusion Detection and Prevention System (IDP)

One of the main limitations of IDS is its non-defending mechanism: it recognizes attacks but takes no action in return. IDP shares the same mechanisms as IDS, but it not only recognizes attacks and generates alerts, it also performs actions against them. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block or stop it, and report it. IDP can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.

3.2.1.1 Limitations of Intrusion Detection and Prevention System (IDP)

As IDP inherits most of the design specifications and concepts of IDS, it consequently inherits the drawbacks of IDS as well. This configuration causes a large number of normal activities to be recognized as suspicious activities. This issue is defined as the false negative rate. 99% of the alerts reported by IDS/IDP are not related to security aspects.

3.2.2 Honeypot

The limitations of the security solutions described above led to the introduction of the honeypot. The honeypot provides a new method by luring hackers to a system and then analyzing their activities from the start. This approach effectively complements the other well-known intrusion detection and prevention technologies. The fundamental concept of designing a honeypot is to study hackers' behaviors and assist the efforts made against hackers, alongside firewalls, IDSs and IDPs. The basic concept is very simple: a collection of resources that have no reliance on the main operations of the original network and have no authorization mechanism, and these resources are made to be breached by hackers; thus their behaviors and techniques are recorded in order to gear up against them with proper security postures. If that network does not get hacked, it has no value for security researchers. One of the uses of a honeypot system is to lead targeted hackers to valueless networks in order to observe and record their activities, and these resources must appear realistic. It is then the honeypot system's responsibility to record a hacker's behavior through background applications, capturing the packets transferred between the hacker and the honeypot system, besides analyzing and interpreting the collected data. A honeypot acts as a security supplement for IDS and contributes to solving the major drawbacks of IDS, which are the false positive and false negative rates. IDS combined with a honeypot may cut the number of false positives and false negatives to 10% of what IDS alone produces.

3.2.2.1 Limitations of Honeypot

Sometimes the trap (the deception) has limited resources due to the simulation process. Specifically, the simulated trap may be able to interact with only a few connections at one time compared with the actual capability of the real system. This issue is a fine indicator to hackers that they have been deceived. Honeypot logs are stored locally, which escalates the risk of log files being tampered with to serve hackers' deeds. A high-interaction honeypot has a high cost and a complicated configuration process, and if it is not configured properly it eventually yields low efficiency and utilization for the trap. Most honeypots are set to work in one segment, making it very easy for hackers to detect them; in that case the benefit gained from these traps is none. Hackers notice these traps and avoid revealing their tools and methodologies for breaching, which leaves the honeypot useless. It is hard for a honeypot to differentiate between legitimate users and hackers, and it misses any attack that does not enter the trap and goes directly to the victim's system.

These limitations of the security approaches described above lead to the new dynamic security approach, which is discussed in the following chapter.

CHAPTER 4

PROPOSED APPROACH DESIGN

The given security approach creates confusion in the communication within the intended infrastructure and renders the communication meaningless to an outsider; thus it is hard to investigate and breach. It conducts communication within the infrastructure in the most confused manner. In this approach, the hacker cannot understand the communication logic and obtains nothing even after eavesdropping on the communication between all nodes, so it is impossible for them to form hacking strategies and thus nearly impossible to perform any task. The given approach consists of trusted graphs.

4.1 Trusted Graph Approach

Despite the difficulty and complexity of hacking techniques, most hacking attempts can be addressed if the three pre-hacking steps (footprinting, scanning and enumeration) are addressed. To reach the objectives, a security approach is proposed that addresses the three basic pre-hacking steps by creating confusion in the communication within the intended infrastructure and rendering the communication meaningless; thus it is hard to investigate and breach. These steps are referred to as understanding, in which hackers seek knowledge and information before starting the attack.

4.1.1 Approach Design

The security within an infrastructure can be affected by countless factors. One of the factors is the security of endpoints, under the assumption that the security assurance of endpoints reflects the security level of the whole infrastructure. However, the bottom line of that assumption is not always correct. One of the foundations of this approach is that the security of an infrastructure is heavily related to network security and the intercommunication between all endpoints, whether internal or external. It is impossible to exclude the security of endpoints from the design of the infrastructure, since they are crucial elements. The foundation is that the security of endpoints is significantly related to the security of the network: if the network is protected, endpoints are consequently saved from network hacking. The foundations are:

The security within the infrastructure is not the responsibility of one server or some endpoints. In fact, it extends to all elements involved in that infrastructure. In other words, if a single element becomes compromised, the entire infrastructure is at high risk and might suffer the consequences. The protection responsibility is not a duty of some elements in the infrastructure; it is cooperation between all endpoints, which provides the approach with a high security standard.

Due to security threats and the major weaknesses in existing security solutions, the need for an active defense system has become vital. Basically, the weaknesses within current security postures are mainly caused by not understanding the nature and complexity of hacking techniques, which limits their ability to provide a dynamic security approach for the entire infrastructure. In fact, there is limited research in that direction. The foundation is that, for complete protection against hacking and the most common attacks, a secure active defense system is to be designed that protects the infrastructure in advance, before hacking takes place, and defends it in case of intrusion.

The basic fundamental concept in this approach is to conduct communication within the infrastructure in the most confused manner. The idea is that if hackers cannot understand the communication logic and obtain nothing even if they eavesdrop on the communication exchange between all nodes inside the infrastructure, it is impossible for them to form hacking strategies and thus nearly impossible to perform any task.

The approach consists mainly of four parts. They are:

Trusted Graph

Dynamic Protocol Decoder

Monitor Engine

Understanding Agents

4.1.2 Trusted Graph

A trusted graph is not an actual engine that executes tasks or functions. In fact, it is a definition of the logical communication sequences among all endpoints inside the infrastructure; it is the behavior of a trusted user. The trusted graph forces all endpoints within the infrastructure to follow a sequence of communication that facilitates obfuscation and meaninglessness of the communication. In the normal setup of most networks, a packet travels from a sender to a receiver, passing through a number of routers and networks. The packet contains the source and destination addresses in an abstract format, which are significantly important for routers to deliver the packet. One of the weaknesses of IDS is that there is no clear definition of the behavior of trusted users, and those users are mainly treated equally when there is an intrusion. The illusion-of-randomization concept is applied to the communication sequence between all nodes inside the infrastructure. That concept creates confusion, since all nodes communicate with each other under a formal connection definition that continually changes. Moreover, hiding the identity of all hosts (IP addresses) is one major step towards protecting the entire infrastructure against hacking.

For generating the trusted graph, any randomized algorithm can be used.

Trust network: A trust network can be formed based on transitive trust, with each link representing the trust relationship between two participants.

Trusted graph: A trusted graph is a sub-network of a trust network, connected by a set of trusted paths.

Figure 2: Trusted Graph

4.1.2.1 Example of Trusted Graph

This example of a trusted graph illustrates the virtual connections between all nodes. In this example, all IP addresses have the same network mask, yet it is not a flat network. For an endpoint holding the IP address 192.186.1.112 to communicate with the host 192.186.1.114, it first needs a comprehensive look at the current dynamic protocol; the communication then proceeds in the sequence shown in this example. The trusted graph in this example (see figure 3) shows that the host 192.186.1.112 is directly connected to two hosts, 192.186.1.200 and 192.186.1.150, which means that the original host cannot communicate directly with its intended destination 192.186.1.114. Instead, it has two options: 1) send the packet to 192.186.1.150, which forwards it to 192.186.1.200 and then to 192.186.1.114; or 2) reach 192.186.1.114 directly via host 192.186.1.200. For simplicity, we use the typical IP format to illustrate the communication sequence.

Figure 3: Communication Sequence in Trusted Graph

During the design of this approach, we are well aware of hackers' abilities to investigate it and devise a method to attack and crack it. That's why this approach contains a dynamic feature that updates the trusted graph architecture within a period of time that is not enough for hackers to understand the current architecture of the trusted graph. The architecture is generated by the Dynamic Protocol Decoder, which is explained in the following subsections.

The IP addresses within the infrastructure are generated in a dynamic and randomized manner, which means that under every protocol, every endpoint holds a new identification number different from its regular IP address. The actual identification of every host is shuffled into the sequence of bits within packets. Every host obtains its new identification number from the dynamic protocol decoder, based on the randomization function that determines how the new IP address is structured in the reformed packets. Instead of proposing new protocols and packet formats, we use the current packet format as an encapsulation for transmission.

4.1.3 Dynamic Protocol Decoder

In the distribution of functions among the engines, this engine performs the main functions and tasks of the trusted graph approach. Trusted behavior, as defined by the trusted graphs, is completely facilitated by this engine. The randomized identification numbers that replace the regular IP addresses, described in the previous section, are generated here: the actual identification of every host is shuffled into the sequence of bits within packets, and every host obtains its new identification number from the dynamic protocol decoder based on the randomization function that determines how the new IP address is structured in the reformed packets.

The dynamic protocol decoder is responsible for counting all endpoints inside an infrastructure and then forming a new connection graph that consists of all these endpoints. Based on the illusion-of-randomization concept, the dynamic protocol decoder starts decoding a new protocol which is encapsulated within the current protocol (TCP/IP or OSI protocols). That dynamic protocol defines the communication sequence between all nodes, the number of fragments required and the arrangement of bits inside these packets.

4.1.4 Understanding Agent

The only possible way for all endpoints to work with respect to this meaninglessness of communication is through understanding agents. The main functions of an understanding agent are:

It controls incoming and outgoing traffic at all endpoints, besides enforcing the dynamic protocol generated by the dynamic protocol decoder.

It receives the ambiguous packets and decodes them back to the original protocols (TCP/IP or OSI network protocols), which is necessary for the upper layers of the original network protocols.

This concept is employed to avoid major changes in the upper layers (above the network layer).

4.1.5 Monitor Engine

The concept of having a monitoring process for a network is crucial for many security approaches, and in some cases it is an entire security solution. The monitor engine in this approach is the decision maker, which is basically built for intrusion detection. Decision generation by the monitor engine relies heavily on the dynamic protocol generated by the dynamic protocol decoder. The detection mechanism is simple: if an endpoint repeatedly does not comply with the current dynamic protocol, it is an intruder.
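The trusted graph of the example in section 4.1.2.1 (figure 3) and the monitor engine's compliance rule, as an added example written for this report rather than code from it or from the cited paper; the undirected links, the regeneration algorithm, the violation threshold and the flow log are assumptions:

```python
"""Trusted-graph simulation: path enumeration over the figure-3 graph, periodic
randomized regeneration, and the monitor engine's compliance rule.
Added example; not code from the report or the cited paper."""
import random
from collections import defaultdict

# Trusted links of figure 3 (assumed undirected), hosts written as in the report.
FIGURE3_LINKS = [
    ("192.186.1.112", "192.186.1.200"),
    ("192.186.1.112", "192.186.1.150"),
    ("192.186.1.150", "192.186.1.200"),
    ("192.186.1.200", "192.186.1.114"),
]

# Constructed flow log of (source, destination) pairs seen by the monitor engine.
OBSERVED_FLOWS = [
    ("192.186.1.112", "192.186.1.150"),
    ("192.186.1.150", "192.186.1.200"),
    ("192.186.1.200", "192.186.1.114"),
    ("192.186.1.112", "192.186.1.200"),
    ("192.186.1.114", "192.186.1.112"),  # one slip, below the threshold
    ("192.186.1.99", "192.186.1.114"),   # unknown host contacting targets directly
    ("192.186.1.99", "192.186.1.112"),
    ("192.186.1.99", "192.186.1.150"),
]


def build_graph(links):
    """Adjacency map of a trusted graph; every link is trusted in both directions."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def trusted_paths(graph, src, dst):
    """Every loop-free sequence from src to dst that follows trusted links only."""
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def regenerate_graph(hosts, seed):
    """A fresh random, connected trusted graph, standing in for the decoder's
    periodic refresh. A random spanning tree keeps every host reachable; a few
    extra links add alternative paths (assumed algorithm)."""
    rng = random.Random(seed)
    order = list(hosts)
    rng.shuffle(order)
    links = [(order[i], rng.choice(order[:i])) for i in range(1, len(order))]
    candidates = [(a, b) for a in order for b in order
                  if a < b and (a, b) not in links and (b, a) not in links]
    extra = rng.sample(candidates, k=min(len(candidates), len(order) // 2))
    return links + extra


def monitor_engine(graph, flows, threshold=3):
    """The report's rule: a source that repeatedly sends to a host it holds no
    trusted link to is an intruder. 'Repeatedly' is taken as >= threshold."""
    violations = defaultdict(int)
    for src, dst in flows:
        if dst not in graph.get(src, ()):
            violations[src] += 1
    return {src for src, n in violations.items() if n >= threshold}


if __name__ == "__main__":
    g = build_graph(FIGURE3_LINKS)
    for p in trusted_paths(g, "192.186.1.112", "192.186.1.114"):
        print(" -> ".join(p))
    print("flagged:", monitor_engine(g, OBSERVED_FLOWS))
```

The two paths returned for 192.186.1.112 to 192.186.1.114 are exactly the two options the example lists, and the only flagged source is the host that bypasses the graph three times.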

CHAPTER 5

DEMONSTRATION OF THE TRUSTED GRAPH APPROACH

5.1 Scenario of Approach in Practice

Since the previous chapter illustrates the common aspects, fundamentals and components of the approach, it is important to show a scenario of the approach in practice. The next figure shows the architecture of a network with the new approach. The network setup won't be affected, since the approach has been designed with respect to existing technologies, including OSs, routers, servers and even network cables. However, hardware is required for the approach to function properly. One piece of hardware is the understanding agents and the second is a normal server that executes the functions of the monitor engine and the dynamic protocol decoder.

The first piece of hardware is the understanding agent. The functions of understanding agents are:

Understanding agents are connected to every host inside the infrastructure and are obtained by external users who require access to high-profile data (the secure zone).

One understanding agent is connected to every router inside the network.

The only possible way for all hosts, servers and routers to communicate properly is through the understanding agents, since this approach performs its tasks at the packet level.

The prime function of the understanding agent is to reform received packets into their original format so that they can be processed normally by routers (for redirection purposes) and by the OS (for executing commands and application operations).

The next figure shows the understanding agent's main function between a client and a server through a router.

The second piece of hardware is mainly for the monitor engine and the dynamic protocol decoder. That hardware is a server, but it only runs the monitor engine and dynamic protocol decoder tasks. After integrating the network with this hardware, the following steps are performed:

The dynamic protocol decoder generates the new communication protocol based on the fundamentals and concepts illustrated in the previous sections.

Then it distributes the new protocol to all nodes integrated with the network; these new protocols must be encrypted.

After that, the understanding agents decrypt that message and function according to the newly generated protocol.

5.2 Virtual Communication between Nodes

In the previous section, we saw the actual physical network setup. But the virtual communication between these nodes is different. It can be seen clearly through this example:

From figure 6, the steps followed during a virtual connection are the following:

For client 2 to communicate with server 5, client 2 must follow the structure of the trusted graph and the dynamic protocol, which force client 2 to go through client 3 and then to server 5, and vice versa. So the physical communication will follow that sequence.

First, client 2 sends a request to server 5. The actual request is generated normally by the OS on client 2 without any interference from its understanding agent.

Then the understanding agent for client 2 obtains that request before it goes onto the network cable. The understanding agent now reforms the packet according to the current communication protocol generated by the dynamic protocol decoder (dividing the original packet into more than one packet, shuffling the packets' bits, and hiding the identity of the host itself).

After that, the understanding agent for client 2 sends these packets normally to the router.

The understanding agent for the router receives these packets and, based on the trusted graph, resends them to client 3 with a little confusion added. If the understanding agent for the router redirected messages directly to the next node in the graph, hackers could easily identify the architecture of the trusted graph. So the understanding agent for the router sends these packets to their destination along with extra packets to some other nodes for confusion purposes.

Subsequently, the understanding agent for client 3 receives the divided packets originally sent by client 2 and recognizes that these packets are directed to server 5; so the understanding agent for client 3 resends these packets to the router again. The same step performed by the router's understanding agent when it received the packets from client 2 is performed again, but now the packets are directed to their destination (server 5) with the same confusion concept.

Now the understanding agent for server 5 receives these packets and from their formation, the understanding agent reforms these packets into its original form (exactly like what client 2 generates before but it has been modified by the understanding agent for client 2).

After reforming it again, server 5 receives this request and replies to it normally. These communication steps are performed again for the reply generated by server 5 to its final destination client 2.
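The walk-through above, simulated end to end in Python. This is an added example, not code from the paper or its authors, and everything the paper leaves unspecified is an assumption made here for illustration: a per-epoch secret shared by every understanding agent stands in for the output of the dynamic protocol decoder; host identities are hidden behind HMAC-derived aliases; the "shuffle" is a keyed byte permutation rather than a bit-level one; fragments are 8 bytes; the trusted graph of figure 6 is modelled as the chain client 2 -> client 3 -> server 5; and decoy packets carry a flag that only agents can read (in a real deployment that would have to be a keyed tag, since a visible flag would defeat the purpose). The hostnames, flow identifiers and the HTTP-style request are constructed sample data.

```python
"""Simulation of the virtual connection walked through above (added example, not the
paper's code). Assumptions: a per-epoch secret shared by all understanding agents
stands in for the dynamic protocol decoder; aliases are HMAC-derived; the "shuffle"
is a keyed byte permutation; fragments are 8 bytes; only agents can read the decoy flag."""
import hashlib
import hmac
import os
import random
from collections import namedtuple

# Trusted graph of figure 6, modelled as the chain client 2 -> client 3 -> server 5
# (constructed sample; an arbitrary graph would need a shortest-path search here).
TRUSTED_PATH = ["client2", "client3", "server5"]
HOSTS = ["client1", "client2", "client3", "client4", "server5"]
Packet = namedtuple("Packet", "src_alias dst_alias flow seq total body decoy",
                    defaults=(False,))  # what crosses the cable: no real names

class DynamicProtocol:
    """Per-epoch secret from which every agent derives the same aliases and shuffle."""
    def __init__(self, secret: bytes, fragment_size: int = 8):
        self.secret, self.fragment_size = secret, fragment_size

    def alias(self, host: str) -> str:
        return hmac.new(self.secret, host.encode(), hashlib.sha256).hexdigest()[:8]

    def order(self, flow: str, n: int) -> list:
        seed = hmac.new(self.secret, flow.encode(), hashlib.sha256).digest()
        return random.Random(seed).sample(range(n), n)  # keyed permutation of 0..n-1

    def shuffle(self, flow: str, data: bytes) -> bytes:
        return bytes(data[i] for i in self.order(flow, len(data)))

    def unshuffle(self, flow: str, data: bytes) -> bytes:
        inverse = sorted(range(len(data)), key=self.order(flow, len(data)).__getitem__)
        return bytes(data[p] for p in inverse)

class UnderstandingAgent:
    def __init__(self, host: str, proto: DynamicProtocol):
        self.host, self.proto, self.inbox = host, proto, {}

    def outbound(self, dst: str, payload: bytes, flow: str) -> list:
        """Step 2: shuffle, fragment, and replace real identities with aliases."""
        data, n = self.proto.shuffle(flow, payload), self.proto.fragment_size
        chunks = [data[i:i + n] for i in range(0, len(data), n)]
        return [Packet(self.proto.alias(self.host), self.proto.alias(dst), flow,
                       i, len(chunks), c) for i, c in enumerate(chunks)]

    def inbound(self, pkt: Packet):
        """Steps 5-6: "relay" if addressed elsewhere; restored payload once complete."""
        if pkt.decoy:
            return None
        if pkt.dst_alias != self.proto.alias(self.host):
            return "relay"
        got = self.inbox.setdefault(pkt.flow, {})
        got[pkt.seq] = pkt.body
        if len(got) == pkt.total:
            del self.inbox[pkt.flow]
            return self.proto.unshuffle(pkt.flow, b"".join(got[i] for i in range(pkt.total)))

class RouterAgent:
    def __init__(self, proto: DynamicProtocol, rng: random.Random):
        self.proto, self.rng, self.by_alias = proto, rng, {proto.alias(h): h for h in HOSTS}

    def next_hop(self, sender: str, dst: str) -> str:
        """Next node of the trusted path in the direction of dst."""
        i, j = TRUSTED_PATH.index(sender), TRUSTED_PATH.index(dst)
        return TRUSTED_PATH[i + 1 if j > i else i - 1]

    def forward(self, pkt: Packet, ingress: str) -> list:
        """Step 4: one hop along the trusted graph plus two look-alike decoys."""
        hop = self.next_hop(ingress, self.by_alias[pkt.dst_alias])
        decoys = self.rng.sample([h for h in HOSTS if h not in (hop, ingress)], 2)
        return [(hop, pkt)] + [(v, pkt._replace(dst_alias=self.proto.alias(v),
                 body=os.urandom(len(pkt.body)), decoy=True)) for v in decoys]

def send(agents, router, src, dst, payload, flow):
    """One leg: returns (receiver, restored payload) and every (from, to, packet)."""
    queue = [(src, "router", p) for p in agents[src].outbound(dst, payload, flow)]
    wire, delivered = [], None
    for frm, to, pkt in queue:  # queue grows as the router and relays forward
        wire.append((frm, to, pkt))
        if to == "router":
            queue.extend(("router", hop, p) for hop, p in router.forward(pkt, frm))
            continue
        result = agents[to].inbound(pkt)
        if result == "relay":
            queue.append((to, "router", pkt))
        elif result is not None:
            delivered = (to, result)
    return delivered, wire

def run_virtual_connection(request, secret=b"epoch-7", seed=1):
    """Request leg client 2 -> server 5, then the reply leg back to client 2 (step 7)."""
    proto = DynamicProtocol(secret)
    agents = {h: UnderstandingAgent(h, proto) for h in HOSTS}
    router = RouterAgent(proto, random.Random(seed))
    req, wire1 = send(agents, router, "client2", "server5", request, "flow-1")
    reply = b"HTTP/1.1 200 OK\r\n\r\nhello from " + req[0].encode()
    rep, wire2 = send(agents, router, req[0], "client2", reply, "flow-1-reply")
    return req, rep, wire1 + wire2
```

Calling run_virtual_connection on a 43-byte request returns the request intact at server 5 and the reply intact at client 2, while the wire list shows what a sniffer would see: every fragment crosses four cables (client 2 to router, router to client 3, client 3 to router, router to server 5), no packet carries a real hostname, and because the router emits two decoys each time it forwards, the decoy packets exactly equal the real ones in number. That doubling is the bandwidth overhead the conclusion names as the approach's weakness.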

This security approach with its all concept and fundamentals ensures the difficulty of launching attack against it, since this approach provides a complex communication infrastructure to demolish the three pre- hacking steps. So, without performing the three pre-hacking steps, hacking becomes very complicated.

CHAPTER 6

CONCLUSION

The proposed solution is a conceptual, dynamic security approach against hacking in general. It is built to target the three essential pre-hacking steps, so that launching an attack against an infrastructure becomes practically complicated. The approach rests on the premise that the security of the entire infrastructure depends on the security of the network: if the network is completely protected, the infrastructure behind it is protected as well. Compared with existing solutions of its kind, this approach is new.

One recognised weakness of the approach is the traffic overhead: fragmenting each packet and adding the router's decoy packets multiplies the number of packets on the wire and may exhaust the available network bandwidth. The authors expect higher-capacity link technologies such as optical fibre to absorb this overhead.

Bibliography

[1] S. Alsunbul, P. Le, and J. Tan, "A defense security approach for infrastructures against hacking," in 2013 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2013), 2013, pp. 1600-1606, DOI 10.1109/TrustCom.2013.197.

[2] B. Smith, W. Yurcik, and D. Doss, "Ethical hacking: the security justification redux," in Technology and Society, 2002 (ISTAS'02). 2002 International Symposium on, 2002, pp. 374-379.

[3] M. Dekker, "Security of the Internet," The Froehlich/Kent Encyclopedia of Telecommunications, vol. 15, pp. 231-255, 1997.

[4] Aisha. (2011, 10/3/2012). Sony Broken By Anonymous $24 Billion Dollar Hack. Available: http://www.judiciaryreport.com/sony_broken_by_anonymous_24_billion_dollar_hack.htm.

[5] N. Messieh. (2011, 12/3/2012). Available: http://thenextweb.com/me/2012/01/18/everything-you-need-to-know-about-the-ongoing-israeli-saudi-hacker-struggle.

[6] S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Security Secrets and Solutions, Fourth Edition: McGraw-Hill, Inc., 2003.

[7] C. Payne and T. Markham, "Architecture and applications for a distributed embedded firewall," Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual, pp. 329-336, 2001.

[8] A. X. Liu and M. G. Gouda, "Diverse firewall design," Parallel and Distributed Systems, IEEE Transactions on, vol. 19, pp. 1237-1251, 2008.

[9] A. X. Liu and M. G. Gouda, "Firewall Policy Queries," Parallel and Distributed Systems, IEEE Transactions on, vol. 20, pp. 766-777, 2009.

[10] Y. Bartal, A. Mayer, K. Nissim, and A. Wool, "Firmato: a novel firewall management toolkit," in Security and Privacy, 1999. Proceedings of the 1999 IEEE Symposium on, 1999, pp. 17-31.

[11] F. Avolio, "Firewalls and Internet security, the second hundred (Internet) years," The Internet Protocol Journal, vol. 2, pp. 24-32, 1999.

[12] CERT Coordination Center, "CERT Advisory CA-2003-20 W32/Blaster Worm," 2003. Available at: http://www.cert.org/advisories/CA-2003-20.html.

[13] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "The spread of the Sapphire/Slammer worm," 2003. Available at: http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html.

[14] M. Roesch, "Snort-lightweight intrusion detection for networks," in Proceedings of LISA '99: 13'th Systems Administration Conference, 1999, pp. 229-238.

[15] Y. Lin, Y. Zhang, and Y.-j. Ou, "The Design and Implementation of Host-Based Intrusion Detection System," in Intelligent Information Technology and Security Informatics (IITSI), 2010 Third International Symposium on, 2010, pp. 595-598.

[16] B. Mukherjee, L. T. Heberlein, and K. N. Levitt, "Network intrusion detection," Network, IEEE, vol. 8, pp. 26-41, 1994.

[17] D. Goldsmith and M. Schiffman, "Firewalking: A traceroute-like analysis of IP packet responses to determine gateway access control lists," Cambridge Technology Partners, 1998. Available at: http://www.packetfactory.net/firewalk/firewalk-final.html.

[18] G. A. Marin, "Network security basics," Security & Privacy, IEEE, vol. 3, pp. 68-72, 2005.

[19] D. Mutz, G. Vigna, and R. Kemmerer, "An experience developing an IDS stimulator for the black-box testing of network intrusion detection systems," in Computer Security Applications Conference, 2003. Proceedings. 19th Annual, 2003, pp. 374-383.

[20] M. Sourour, B. Adel, and A. Tarek, "Environmental awareness intrusion detection and prevention system toward reducing false positives and false negatives," in Computational Intelligence in Cyber Security, 2009. CICS '09. IEEE Symposium on, 2009, pp. 107-114.

[21] T. Pietraszek and A. Tanner, "Data mining and machine learning - Towards reducing false positives in intrusion detection," Information Security Technical Report, vol. 10, pp. 169-183, 2005.

[22] L. Spitzner, Honeypots: tracking hackers: Addison-Wesley Professional, 2003.

[23] L. Spitzner, "The Honeynet Project: trapping the hackers," Security & Privacy, IEEE, vol. 1, pp. 15-23, 2003.

[24] B. Jian, J. Chang-peng, and G. Mo, "Research on network security of defense based on Honeypot," in Computer Application and System Modeling (ICCASM), 2010 International Conference on, 2010, pp. V10-299-V10-302.
