ThesisPDF Available

Agent Based Network Sniffer Detection System

Authors:
Ravi Shankar at University College Dublin
Ravi Shankar
Mahesh .k
Mahesh .k
Mahesh .k
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

A Sniffer is a program on the network traffic by grabbing information travelling over a network. Many people assume computers connected to a switch are safe from sniffing here we go for Anti sniffing. Nothing could be further from the truth. Computers connected to switches are just from vulnerable to sniffing. Computers connected to switches are just as vulnerable to sniffing as those connected to a hub. Here in this paper we propose Mobile Agents to detect sniffers. Mobile agents perform a task by migrating and executing on several nodes connected to the network. Ignored to detect sniffers [3], the network administrator sends some special types of mobile agents in the network and collects information from different nodes. After analyzing this information the network administrator can identify the computer system running in promiscuous mode.
Figures - uploaded by Ravi Shankar
Author content
All figure content in this area was uploaded by Ravi Shankar
Content may be subject to copyright.
Content uploaded by Ravi Shankar
Author content
All content in this area was uploaded by Ravi Shankar on Apr 10, 2014
Content may be subject to copyright.
International Journal of Scientific and Research Publications, Volume 3, Issue 4, April 2013 1
ISSN 2250-3153
www.ijsrp.org
Agent Based Network Sniffer Detection
A.R.M. Ravi Shankar*, K. Mahesh**
* Department of Computer Science & Engineering, Arunai Engineering College
** Department of Computer Science & Engineering, Arunai Engineering College
Abstract- A Sniffer is a program on the network traffic by
grabbing information travelling over a network [1]. Many people
assume computers connected to a switch are safe from sniffing
here we go for Antisniffing [2]. Nothing could be further from
the truth. Computers connected to switches are just from
vulnerable to sniffing. Computers connected to switches are just
as vulnerable to sniffing as those connected to a hub. Here in this
paper we propose Mobile Agents to detect sniffers. Mobile
agents perform a task by migrating and executing on several
nodes connected to the network. Ignored to detect sniffers [3],
the network administrator sends some special types of mobile
agents in the network and collects information from different
nodes. After analyzing this information the network
administrator can identify the computer system running in
promiscuous mode.
Index Terms- Computer Security, Mobile Agent, Sniffer,
Sniffer Detection
I. INTRODUCTION
acket sniffing is a technique of monitoring every packet that
crosses the network. In theory, it’s impossible to detect these
sniffing tools because they are passive in nature, meaning that
they only collect data. While they can be fully passive, some
aren’t therefore they can be detected. This paper discusses the
different packet sniffing methods and explains how AntiSniff
tries to detect these sniffing programs.
II. METHODOLOGY
A mobile agent[5] is a software agent that has the additional
property that it is not bound to operate only in the system in
which it started. A mobile agent is autonomous because it may
decide itself where it will go, what it will do there, and how long
it will exist for. However, its environment or other mobile agents
may also influence it.
Although mobile agents do not provide a solution to any
previously unsolvable problems, they do have advantages over
other technologies. They can be used to benefit or to simplify
different types of application areas. Some examples of these
application areas include ecommerce, distributed information
retrieval, telecommunication networks services, and monitoring
and notification.
Adaptive Learning: Mobile agents[6] can learn from experiences
and adapt themselves to the environment. They can monitor
traffic in large networks and learn about the trouble spots in the
network. Based on the experiences of the agent in the network
the agent can choose better routes to reach the next host.
Autonomy: Mobile agents can take some decisions on its own.
For example, mobile agents are free to choose the next host and
when to migrate to the next host. These decisions are transparent
to the user and the decisions are taken in the interest of the user.
Mobility: Mobile agents have the ability to move from one host
to another in the network.
III. LITERATURE SURVEY
Packet Sniffing Tools: developers debugging communication
protocol implementations, or anyone trying to learn how their
networks work. Because attackers use sniffers for network
reconnaissance and to intercept transmitted credentials and data,
learning about the capabilities and limitations of packet sniffers
is an important facet of understanding the security risks.
Tcpdump is the most widely used UNIX/Linux tool to record
network traffic. It captures packets based on a wide range user-
specified criteria, and can save the traffic in different formats.
Tcpdump is commonly included in most Linux distributions.
Wireshark is the most widely used graphical application for
network monitoring and analysis. It is open-source and runs on
most popular computing platforms, including UNIX, Linux, and
Windows..
IV. SYSTEM ARCHITECTURE
Here The architecture consists of the following components:
An intrusion detection processor,
Network Administrator,
Mobile Agent Platform,
Mobile Agent for detection.
Mobile Agent Platform is basically providing all the services like
creation, interpretation, execution, transfer and termination for
the mobile agents. This platform is responsible for accepting
instructions given by network administrator, sending mobile
agents to other nodes etc.
P
International Journal of Scientific and Research Publications, Volume 3, Issue 4, April 2013 2
ISSN 2250-3153
www.ijsrp.org
Fig.1 Architectural View
Mobile Agents are the main component of this architecture.
They are specially designed to perform network analysis task.
Whenever a mobile agent starts execution on a specified node, it
monitors all the incoming and outgoing network traffic for that
node. If it finds any abnormal incoming traffic (in the case of
sniffer) or any other malicious activity, it immediately sends an
alarm message to the network administrator for necessary action
V. DESIGN
The following steps can be used for the detection of sniffer in the
network. For the mobile agent implementation, we use aglets2.5-
alpha which is a java based tool and freely available on the
internet. This part we present the architecture of our distributed
IDS.
The architecture consists of the following components: (1) an
intrusion detection processor, (2) a mobile agent platform, and
(3) network administrator, (4) mobile agent for detection.
A. Data Flow Capture
As the main network node monitor, the Data Flow Capture
network traffic which incoming monitors, it captures dump of
data and sends to IDA for detecting intrusion, then, Data
Analysis component to analyze and self-learning.
B. Intrusion Detection Agent (IDA)
IDA is the most important component of the system. It is
responsible for monitoring network segments (subnets), and acts
as a central intrusion detection agent and data processing unit.
The unit is placed on a node that entry into intranet to monitor
network traffic for all devices on the segment. And it is setup to
send alert in time, so that, checking the errant packets using rule
sets when it enter into the segment. Its main capabilities is
detecting intrusion and judging whether the behaviour is
abnormal, if it is abnormal, alerting to Administrator or
make some decisions.
C. Sniffer Detection Techniques
1. Network administrator installs and configures Mobile
Agent Platform on all the computers connected in the
Local Area Network (LAN)
2. Now whenever the whole system starts, the network
administrator activates some specially designed mobile
agents.
3. Now these mobile agents travel in the network and
select any random node for execution.
4. Mobile Agent collects all the information about network
activities including network traffic for that node.
5. As we know if any node runs a Sniffer, then it collects
all the packets moving in the network. So mobile agent
sends an alarm message to the network administrator if
it finds that the incoming network traffic is greater than
a pre specified value.
6. After receiving this alarm message, network
administrator can take necessary action.
7. If everything is normal then the mobile agent moves to
another node and repeats the steps 4 and step 5.
So this whole process can detect the sniffer present in the
network. For the mobile agent implementation, we use aglets2.5-
alpha which is a java based tool and freely available on the
internet
VI. CONCLUSION
Distributed computing involving several computers in a network
can be achieved using message passing or remote procedure calls
(RPC). The recently developed mobile agent technology adds a
new dimension to distributed computing. Experts suggest that
mobile agents will be used in many Internet applications in the
years to come.
However there still exist many technical hurdles that need to be
tackled, the most important of them being security. Only when
security issues are properly addressed, will the mobile agent
technology be widely accepted. However if intruder makes some
changes in our mobile agent platform or mobile agent, then it
may fail the whole process.
So in future, some more security measures should be taken for
the guaranteed security. Mobile agent selects any node randomly
and investigates that node, if it finds excessive incoming traffic
on the network interface card then report to network
administrator. So the sniffer can be detected.
REFERENCES
[1] Sumit dhar “Sniffer intrusions” network security.
[2] Antisniffing:
http://www.securitysoftwaretech.com/antisniffing,
[3] H. M. Kortebi AbdelallahElhadj, H. M. Khelalfa, An
experimental sniffer detector: Snifferwall, (2002).
International Journal of Scientific and Research Publications, Volume 3, Issue 4, April 2013 3
ISSN 2250-3153
www.ijsrp.org
[4] Thawatchai Chomsiri, Sniffng packets on LAN without
arp spooffing, Third 2008 International Conference on
Convergence and Hybrid Information Technology
(2008).
[5] http://en.wikipedia.org/wiki/Mobile_ agent
[6] Network Management with mobile agents-Andrzej
Bieszczad
AUTHORS
First Author A.R.M Ravi Shankar, M.C.A., M.E., Arunai
Engineering College, muraliravishankar@gmail.com.
Second Author K. Mahesh. M.E., Arunai Engineering College,
mbmaheshbabu5@gmail.com.
ResearchGate has not been able to resolve any citations for this publication.
Sniffing packets on LAN without ARP spoofing
Conference Paper
Full-text available
  • Dec 2008
Identifying weak points of network systems and protecting them (before attackers or hackers detect and use our data to attack our systems) are regarded as essential security methods, especially on the LAN system which uses ARP protocol with holes enabling hackers to conduct ARP spoof and sniff packets on the LAN systems. Regarding Web sites with membership systems such as e-commerce Web sites and Web sites with e-mail systems such as Hotmail and Gmail, every time users click links, browsers will send away HTTP requests which contain cookies and session ID. If hackers successfully sniff cookies and session ID of any member, they will be able to access the member's system by the right of that member. This type of attacks can be prevented by using static ARP, detecting ARP spoof using IDS, or using anti sniff type programs to scan for the computer which is sniffing the data. Although sniffing data is harmful, it sometimes needs to be conducted for some purposes, e.g. confidential affair job (sniffing terrorists' data) etc. This research aims to study techniques in sniffing data on the LAN system without using ARP spoof. The results are as follows. (1) The victims cannot detect hackers by using IDS. (2) Static ARP cannot prevent sniffing data by this method. (3) The hacker's computer cannot be scanned and found by using anti sniff type programs. MAC address and IP address values are set to coincide with gateway MAC address and gateway IP address respectively. Only two basic programs-Ping and Ethereal are used. Ethereal is used to sniff the data, and Ping command is used to send Packets to deceive the switch port that gateway is connecting with the port that we are connecting. This process is to alternate with stop ping (wait) in order to enable the system to function normally on occasions. This method is tested in sniffing the victim's cookies while the victim is clicking links to open the mailboxes of Gmail and Hotmail. The result shows that the number of the sniff- - ed cookies is approximately 20-35%, comparing with the number of the cookies sent to the Internet by the victim. The number of sniffed cookies also depends on other factors such as periods of stop ping (wait) and brands of switch. We have conducted the experiment with three brands of switch consisting of Cisco, 3COM and SMC. It is found that using Cisco brand provides the potentiality to get the largest amount of cookies. In contrast, using SMC brand provides the potentiality to get the smallest amount of cookies. And when Ping sending is tested, switching with wait for 1, 2, 3, ....., 40 seconds, it is found that when we wait for 1-2 seconds, the user will feel that the network system encounters a problem, and Login and Logout process takes longer time than usual. However, the proportion of the sniffed cookies is high (about 30-35%). When the Wait value is set higher, the chance to get cookies decreases, but the victim will not feel the abnormality (setting the wait value at 7-10 seconds, the sniffed Cookies will be about 20% of all cookies).
View
An Experimental Sniffer Detector: SnifferWall
Article
  • Jan 2002
An experimental sniffer detector, SnifferWall, is presented. Based on an open architecture, it combines between detecting hosts in promiscuous mode and hosts replaying information sniffed from honey pots. Two majors methods of detection are used:
View