How to Implement Anomaly based IDS in ns3

To implement an anomaly based (Intrusion Detection System) IDS in ns3, during the network traffic the nodes could be able to detect anomalies with the help of network simulation. It can accomplished by monitoring the traffic patterns and flagging any deviations from the normal behavior as potential intrusions.

Here’s a comprehensive details to help you implement an anomaly-based IDS in ns3:

Step-by-Step Implementation:

Step 1: Set Up ns3 Environment

  1. Install ns3: Make sure that ns3 is installed on your computer. Follow the installation guide suitable for your operating system.
  2. Familiarize Yourself with ns3: The ns3 tutorial helps you to know more the basic concepts and its simulation structure.

Step 2: Define the Network Topology

  1. Create a Simple Network: We have to define a basic network topology which includes creating nodes, setting up channels, and configuring IP addresses by using ns3. We’ll use a point-to-point topology for simplicity.

#include “ns3/core-module.h”

#include “ns3/network-module.h”

#include “ns3/internet-module.h”

#include “ns3/point-to-point-module.h”

#include “ns3/applications-module.h”

#include <iostream>

#include <vector>

#include <string>

using namespace ns3;

class AnomalyDetectionApp : public Application {

public:

AnomalyDetectionApp() : m_packetsReceived(0) {}

virtual ~AnomalyDetectionApp() {}

void Setup(Address address, uint16_t port) {

m_peerAddress = address;

m_peerPort = port;

}

private:

virtual void StartApplication() {

m_socket = Socket::CreateSocket(GetNode(), TypeId::LookupByName(“ns3::UdpSocketFactory”));

m_socket->Bind();

m_socket->Connect(InetSocketAddress(m_peerAddress, m_peerPort));

// Schedule the first packet transmission

Simulator::Schedule(Seconds(1.0), &AnomalyDetectionApp::SendPacket, this);

// Set up the receive callback

m_socket->SetRecvCallback(MakeCallback(&AnomalyDetectionApp::ReceivePacket, this));

}

virtual void StopApplication() {

if (m_socket) {

m_socket->Close();

m_socket = 0;

}

}

void SendPacket() {

std::string message = “Normal traffic”;

Ptr<Packet> packet = Create<Packet>((uint8_t *)message.c_str(), message.size());

m_socket->Send(packet);

// Schedule the next packet transmission

Simulator::Schedule(Seconds(1.0), &AnomalyDetectionApp::SendPacket, this);

}

void ReceivePacket(Ptr<Socket> socket) {

Ptr<Packet> packet = socket->Recv();

m_packetsReceived++;

// Analyze the received packet

uint8_t buffer[1024];

packet->CopyData(buffer, packet->GetSize());

std::string receivedMessage((char *)buffer, packet->GetSize());

// Example anomaly detection logic: flag packets containing “malicious”

if (receivedMessage.find(“malicious”) != std::string::npos) {

std::cout << “Anomaly detected: ” << receivedMessage << std::endl;

} else {

std::cout << “Normal packet received: ” << receivedMessage << std::endl;

}

}

Ptr<Socket> m_socket;

Address m_peerAddress;

uint16_t m_peerPort;

uint32_t m_packetsReceived;

};

int main(int argc, char *argv[]) {

NodeContainer nodes;

nodes.Create(3); // Example: 3 nodes (1 client, 1 IDS, 1 server)

PointToPointHelper pointToPoint;

pointToPoint.SetDeviceAttribute(“DataRate”, StringValue(“1Gbps”));

pointToPoint.SetChannelAttribute(“Delay”, StringValue(“2ms”));

NetDeviceContainer devices1;

devices1 = pointToPoint.Install(nodes.Get(0), nodes.Get(1)); // Client to IDS

NetDeviceContainer devices2;

devices2 = pointToPoint.Install(nodes.Get(1), nodes.Get(2)); // IDS to Server

InternetStackHelper stack;

stack.Install(nodes);

Ipv4AddressHelper address;

address.SetBase(“10.1.1.0”, “255.255.255.0”);

Ipv4InterfaceContainer interfaces1 = address.Assign(devices1);

address.SetBase(“10.1.2.0”, “255.255.255.0”);

Ipv4InterfaceContainer interfaces2 = address.Assign(devices2);

Ipv4GlobalRoutingHelper::PopulateRoutingTables();

uint16_t port = 9;

Ptr<AnomalyDetectionApp> clientApp = CreateObject<AnomalyDetectionApp>();

clientApp->Setup(InetSocketAddress(interfaces1.GetAddress(1), port), port);

nodes.Get(0)->AddApplication(clientApp);

clientApp->SetStartTime(Seconds(2.0));

clientApp->SetStopTime(Seconds(10.0));

Ptr<AnomalyDetectionApp> idsApp = CreateObject<AnomalyDetectionApp>();

idsApp->Setup(InetSocketAddress(interfaces2.GetAddress(1), port), port);

nodes.Get(1)->AddApplication(idsApp);

idsApp->SetStartTime(Seconds(1.0));

idsApp->SetStopTime(Seconds(10.0));

Ptr<AnomalyDetectionApp> serverApp = CreateObject<AnomalyDetectionApp>();

serverApp->Setup(InetSocketAddress(Ipv4Address::GetAny(), port), port);

nodes.Get(2)->AddApplication(serverApp);

serverApp->SetStartTime(Seconds(1.0));

serverApp->SetStopTime(Seconds(10.0));

Simulator::Run();

Simulator::Destroy();

return 0;

}

Explanation:

  1. Network Topology:
    • The network consists of three nodes: a client, an IDS, and a server.
    • IDS analyze the traffic that are send by the client and forwards it to the server.
  2. AnomalyDetectionApp Class:
    • This custom application class handles sending, receiving, and analyzing traffic for anomalies.
    • Application which includes peer address and port are initialized by Setup method.
    • StartApplication method sets up the socket connection, schedules the first packet transmission, and sets up the receive callback.
    • SendPacket method sends a normal traffic message to the peer node.
    • ReceivePacket method receives and checks for anomalies in the messages(e.g., packets containing the word “malicious”).
  3. Main Function:
    • Installs the AnomalyDetectionApp on the client, IDS, and server nodes by creating the network topology.
    • IDS checks for anomalies in the messages which are send by the client and prints a message if an anomaly is detected.

Compile and Run:

  1. Compile the Code: Compile the ns3 simulation code using the following command:

g++ -std=c++11 -o ns3-anomaly-ids main.cc `pkg-config –cflags –libs ns3-dev`

  1. Run the Simulation: Execute the compiled program:

./ns3-anomaly-ids

This setup demonstrates a simple implementation of an anomaly-based IDS in ns3. You can expand it further to include more sophisticated anomaly detection algorithms, additional nodes, and more complex traffic patterns as needed.

We have utterly learned and understand through the step-by-step procedure given in the script on how to implement Anomaly based Intrusion detection System (IDS) in the ns3 tool. For your further purposes, we will help you to understand any other topic related to IDS.

For a successful Implementation of Anomaly based IDS in ns3tool you can be in touch with ns3suimulation.com team.