How to Implement Network Intrusion Detection in NS2

To implement the Network Intrusion Detection System (NIDS) in NS2 encompasses to simulate a incident where an intrusion detection agent observe network traffics and spots malevolent behaviors like packet injection, unusual traffic or attacks like Distributed Denial of Service (DDoS). Below is a step-by-step guide to help you implement a basic NIDS in NS2.

Step-by-Step Implementation:

  1. Set Up NS2

Make sure that you have installed the ns2 on your system. If not, install it using:

sudo apt-get install ns2

  1. Define the Network Topology

First, we have to design a basic network topology that has several nodes. One of the nodes will behave like an Intrusion Detection System (IDS) that observes the traffic.

Example of a basic network topology:

set ns [new Simulator]

set tracefile [open intrusion_detection.tr w]

$ns trace-all $tracefile

# Create nodes

set n1 [$ns node]    ;# Normal node (Sender)

set n2 [$ns node]    ;# Intermediate node (Router)

set n3 [$ns node]    ;# Normal node (Receiver)

set nIDS [$ns node]  ;# Intrusion Detection System (IDS)

# Create links between the nodes

$ns duplex-link $n1 $n2 1Mb 10ms DropTail

$ns duplex-link $n2 $n3 1Mb 10ms DropTail

$ns duplex-link $n2 $nIDS 1Mb 10ms DropTail

  1. Simulate Normal Traffic

Mimic the normal network traffic amongst two nodes (n1 and n3), which will be observed by the IDS node (nIDS).

# Set up normal UDP traffic between n1 and n3

set udp1 [new Agent/UDP]

set null1 [new Agent/Null]

$ns attach-agent $n1 $udp1

$ns attach-agent $n3 $null1

$ns connect $udp1 $null1

# Create a CBR (Constant Bit Rate) traffic generator attached to UDP

set cbr1 [new Application/Traffic/CBR]

$cbr1 set packetSize_ 512

$cbr1 set rate_ 1Mb

$cbr1 attach-agent $udp1

# Start normal traffic

$ns at 1.0 “$cbr1 start”

  1. Implement the Intrusion Detection System (IDS)

The IDS node (nIDS) will monitor the traffic flowing across the network. You can imitate various types of attacks involves packet injection or traffic flooding, and identify them using the IDS logic.

Example of intrusion detection logic:

(A) Detect Unusual Traffic (Flooding Attack):

You can see the amount of packets being delivered from one node. If the number of packets surpasses a specified threshold, it can be considered as an intrusion (like a DDoS attack).

# IDS Node monitoring function

proc monitor_traffic {pkt_count threshold} {

if { $pkt_count > $threshold } {

puts “Intrusion detected: Traffic flooding”

return 1 ;# Detected intrusion

} else {

return 0 ;# No intrusion detected

}

}

# Simulate IDS monitoring traffic at nIDS

set pkt_count 0

set threshold 1000 ;# Set a threshold for packet count

# Function to simulate packet capture at IDS node

proc capture_packet {source dest size} {

global pkt_count

incr pkt_count

puts “Packet captured by IDS: Source=$source Dest=$dest Size=$size”

}

# Attach IDS agent at nIDS

set udpIDS [new Agent/UDP]

$ns attach-agent $nIDS $udpIDS

# Simulate packet capture at IDS

$ns at 1.5 “capture_packet n1 n3 512”

# Check for intrusion after capturing traffic

$ns at 2.0 “if {[monitor_traffic $pkt_count $threshold]} {puts ‘Mitigation triggered’}”

(B) Detect Packet Injection:

The IDS can confirm for illegitimate packets being sent by the attacker (malicious node). You can replicate this by identifying packets from unexpected sources.

# List of authorized nodes

set authorized_nodes {n1 n2 n3}

# Function to detect unauthorized packet injection

proc detect_unauthorized_packets {source} {

global authorized_nodes

if { [lsearch -exact $authorized_nodes $source] == -1 } {

puts “Intrusion detected: Unauthorized packet from $source”

return 1 ;# Intrusion detected

} else {

return 0 ;# No intrusion detected

}

}

# Simulate unauthorized packet injection from a malicious node

set malicious_node “nMalicious”

$ns at 2.5 “detect_unauthorized_packets $malicious_node”

(C) Simulate Attack Scenarios (Packet Injection / Flooding):

You can simulate attacks like packet injection or traffic flooding by launching a mischievous node (nMalicious) that sends abnormal traffic.

Example of simulating traffic flooding from a malicious node:

# Set up malicious traffic (flooding) from malicious node

set nMalicious [$ns node]   ;# Malicious node

set udpMalicious [new Agent/UDP]

set cbrMalicious [new Application/Traffic/CBR]

$cbrMalicious set packetSize_ 512

$cbrMalicious set rate_ 5Mb ;# Higher rate to simulate flooding attack

$cbrMalicious attach-agent $udpMalicious

# Connect malicious node to n2 (intermediate node)

$ns attach-agent $nMalicious $udpMalicious

$ns connect $udpMalicious $null1

# Start flooding attack

$ns at 3.0 “$cbrMalicious start”

  1. Simulate Mitigation Mechanisms

After spotting an intrusion, you can simulate various mitigation techniques, such as:

  • Blocking the malicious node.
  • Throttling traffic.
  • Sending notifications to administrators.

Example of blocking a malicious node:

proc block_node {node} {

puts “Blocking traffic from $node”

$ns detach-agent $node ;# Detach the malicious node from the network

}

# Trigger block on intrusion detection

$ns at 3.5 “block_node nMalicious”

  1. Run the Simulation

After writing the Tcl script, you can execute the simulation using the command:

ns your_script.tcl

  1. Analyze the Results

After the simulation finishes, assess the trace file (intrusion_detection.tr) to see:

  • How the IDS monitored the traffic.
  • Whether it identified malicious traffic.
  • How the network acted after mitigation (blocking the malicious node or throttling traffic).

You can also visualize the network activity using NAM (Network Animator) for a better understanding of how the IDS reacted to the attack.

  1. Extend the Simulation

You can extend this basic simulation by:

  • Executing more sophisticated detection algorithms like machine learning-based anomaly detection.
  • Including advanced attack scenarios (like DDoS, man-in-the-middle, or insider threats).
  • Mimicking real-world protocols like Snort or other signature-based intrusion detection systems.
  • Presenting false positives/negatives to compute the precision of your IDS.

Now, you can clearly understand the approach and be able to implement the Network Intrusion Detection System by referring the given structured procedure and the examples. You can also expand the simulation according to the requirements.

We assist you in monitoring network traffic and identifying harmful activities such as packet injection, strange traffic patterns, or attacks like DDoS. Plus, we offer prompt support for implementation. Visit ns2project.com for some great Network Intrusion Detection project ideas that fit your research needs—just let us know what you’re looking for!