Ch4 - On-line NIDS Design & Implementation. Chapter four of "DESIGN AND IMPLEMENTATION OF NETWORK INTRUSION DETECTION SYSTEM BASED ON EMBEDDED SYSTEM", master dissertation. Some of this chapter is published in the articles "Network Tapping System Based on Customized Embedded Linux: Design and Implementation", "Packet Features Extractor for Network Security Systems: Design and Implementation" and "Creating Real-Time operation System Based on xPC Target Kernel", and a summary of all the dissertation topics is in the book "Network Intrusion Detection System Based on Embedded System - Off-line and On-line NIDS Based on Embedded System: Design and Implementation". Here you will find more details about the design of the NIDS in the on-line stage. Abdullah A. Mohammed
Abdullah A. Mohammed MOSUL UNIVERSITY | MOSUL - IRAQ
Ch.4
On-line NIDS Design & Implementation
4.1 Introduction: In this chapter, the on-line NIDS design is presented. The off-line NIDS designed in Ch.3 is reused in the on-line NIDS design here. The idea is to modify the input of the off-line NIDS so that it can take its input from a real network, while keeping the System Core unchanged. Figure (4.1) shows the designed NIDS; it is similar to the off-line NIDS in Fig. (3.1), but a Tapping system, represented by the Sniffing process, is added, and the Dataset Selected Features block is replaced with the Packet Features Extractor (PFE).
[Figure 4.1 block diagram: Network line -> Sniffing -> Features Extracting -> System Core -> Result display]
Figure (4.1) On-line NIDS Architecture.
To ensure that the NIDS receives all the network events, a tapping system is built. It is designed based on embedded Linux and implemented on a strong network embedded appliance with an Intel Atom N/D type processor. The PFE is built to extract the required features from the network packets and pass them to the System Core to be analyzed. The PFE is designed using the C#.Net programming language and formed into a Simulink C function block, then connected with the prebuilt System Core. A Real-Time Operating System (RTOS) is created to be the environment in which the designed NIDS is implemented (all the NIDS blocks except the Tapping system). The RTOS is created based on the xPC Target kernel, with a size of about 1.4 MB. The designed NIDS blocks were embedded in the created RTOS and tested on a real network.
4.2 The Tapping System: A tapping system is a network system used to take a sample or a copy of all the network events and pass it to the served system, which is a testing or monitoring system. It is inserted in-line at a specific point in the network where all the network events can be accessed. It typically consists of two pairs of ports, network and monitoring: network ports A and B are connected to the network line terminals and monitor ports 1 and 2 are connected to the served system, Fig. (4.2).
Figure (4.2) typical Tapping system [44].
The Tapping system has two monitoring ports because networks are full-duplex: if there were data transmission from point A to B and from B to A at the same time at 100 Mbps, where the NIC was a 100 Mbps type, a single monitoring port would have to carry 200 Mbps. This would cause data drops, so the monitor side consists of two ports, one for each direction. The served system needs to aggregate the two monitor ports so that they appear as one port.
4.2.1 Tapping Technologies and Methods: There are various methods for getting access to the network. Many tapping methods can be used, according to the network technology and the monitoring objective. The first method is installing a monitoring device in-line. When a monitoring device is installed in-line, the network stops every time the device is updated or rebooted. Similarly, if the device fails, the network breaks down as well [44]. Another method to monitor networks is enabling Promiscuous Mode on the host used for monitoring and attaching it to a network switch. This method works well with old LAN technologies. However, modern networks have become switched networks, meaning that devices communicate using point-to-point links. If the monitoring device is connected to such a network, it will only see its own traffic, so it is hard to see the traffic of other devices [44]. One of the traditional methods of gaining access to network traffic is using a SPAN port, also known as a MIRROR port, on the switch. It is a software method of network tapping, and it places load on the network switch. This is a low-cost alternative to a network tap. However, not all routers and switches support port mirroring, and on those that do, using port mirroring can affect the performance of the router or switch. Often, when the SPAN port is overloaded, packets are dropped before reaching the monitoring device. There is also the possibility of losing some of the error packets that may be causing problems. If this data is not sent to the monitoring device because it is dropped, it is impossible to troubleshoot, no matter how advanced the device used is [44]. All of these problems can be solved by using a TAP system. A TAP guarantees that every packet is sent from the network to the monitoring device. It always passes every packet, even error packets that a SPAN port may drop, to the monitoring device. The V-Line TAP is the most important TAP system type. A V-Line TAP (also known as an In-line or Bypass TAP) allows placing the served system virtually in-line. Putting the served device itself in-line would compromise the integrity of a critical network. By placing a V-Line TAP instead of the monitoring device and connecting the monitoring device to the V-Line TAP, it can be guaranteed that the network will continue to flow and the device will not create a failure point in the network [44].
4.2.2 Tapping System Design: The system design was of the V-Line type, based on Embedded Linux, for many reasons. The design needs to be fast, real-time and highly efficient, and for that Embedded Linux is used. Embedded Linux has many properties that make it the first OS for embedded systems. The most important properties are that it is small in size, which means it does not need large memory storage; it has limited tasks, which means it does not waste CPU resources; it is open source, which means it can be customized; and it supports modern embedded micro-processor architectures like ARM and Atom. Network servers, switches and NSSs are built essentially on the basis of customized Embedded Linux [45]. Many embedded Linux distributions can be used to design a tapping system, like Tiny-Core, Micro-Core, LISA, CintOS and Vyatta.
For many reasons, Vyatta is used in this design. Among these reasons, Vyatta is based on the Debian Linux distribution and is customized proficiently for network system applications. It has a lot of packages and open source network projects that make it possible to configure it as a network switch or a network security system. Open vSwitch (OVS), Quagga and VLAN are built into Vyatta [46]. Table (4.1) shows a comparison between Vyatta, Cisco and Quagga routers.
Table (4.1) comparison of Vyatta properties with traditional routers [46].
Vyatta, Quagga (open source router) and two types of Cisco router OS are shown. The compared version of Vyatta is VC 3.0, while the version used in the design is VC 6.5. Vyatta VC 6.5 supports VPN SSL technology and an NTP server without needing to add Linux packages. If the cost were added as a field in the table, the difference would be very high. Vyatta with its packages is about 200 MB in size, but it can be reduced to a minimum size by removing the unrequired packages. Vyatta includes preconfigured systems like IPS, Firewall and VPN; all these systems are removed with their files. It is reduced to less than 50 MB in size. The OVS, Quagga and VLAN packages are kept because they are used in the Tapping design.
With OVS, network switches for any layer can be designed. It supports many important protocols like NetFlow and OpenFlow. VLAN has the useful properties of both L2 and L3 switches. Depending on VLAN, the switching speed of the designed switch approaches that of an L2 switch and its controllability approaches that of an L3 switch. It splits the L2 network by dividing the broadcast domain and controlling the L2 switch according to port, protocol or MAC address [47].
GNS3 is used as a simulator and emulator in the design. It has a Graphical User Interface (GUI) that helps make the design easier. The important factors that make GNS3 different from other emulation programs are its support for virtualization technology through software like VMware, QEMU and VirtualBox, which means the ability to use real OS images. This property allows burning the used image on bootable media after finishing the design, and it can then be booted on other machines as a real OS. The second property is that it supports bridging to a wide range of input/output ports and memories [48].
4.2.3 The Design Steps: The tap design was based on VLAN (port-based VLAN). Because the VLAN is configured after building the L2 switch, the first step was building the L2 switch.
4.2.3.1 L2 Switch Design: Vyatta, through OVS, is an easy way to build an L2 switch. The design was based on GNS3. Two hosts are connected to the designed switch, Fig. (4.2). The Tiny-Core Linux distribution is used for the two hosts because of its low resource requirements. After finishing the configuration, the switch MAC table is checked. Figure (4.3) shows the terminals of the switch and the two hosts. The switch MAC table is shown in Fig. (4.3-a). It consists of the local MAC addresses (the switch's NIC MACs) only, but after pinging from host1 to host2 and from host2 to host1, the hosts' MAC addresses are added to the switch MAC table, which means that the designed switch works properly.
Figure (4.2) the designed L2 switch based on Vyatta OS, by using GNS3.
Figure (4.3) Test of the Designed Switch: a- PC1 (host 1) terminal, b- PC2 (host 2) terminal, c- the designed Vyatta switch terminal.
At this step, GNS3 provides the ability to burn the Vyatta L2 switch image onto bootable media; it can then be booted on a suitable network machine as a real image and will work properly as an L2 switch. The designed tapping system needs at least three ports, so a new port is added to the switch. It is then ready to move to the VLAN configuration step. After the L2 switch design is finished, VLAN is easy to configure. Port-based VLAN is the most useful and simplest type of VLAN. It depends on two types of ports, access ports and trunk ports. An access port is usually used within the VLAN for host-switch connections because it can carry traffic for one VLAN only. Switch ports connected to an end station like a PC or server that deals with only one type of traffic are configured as access ports, Fig. (4.4). A trunk port can carry the traffic of multiple VLANs, so it is usually used for switch-switch and switch-server connections [47]. Figure (4.5) shows the designed tapping system: ports A and B are set as access ports connected to the network line and tagged with the same VLAN.
Figure (4.4) Port Based VLAN [47].
Port C is set as a trunk port that is connected to the served system (NIDS). Ports A and B are bonded (aggregated) into port C by adding a bonding configuration to the VLAN. With the bonding configuration, the served system is able to see all the traffic that passes on the full-duplex line.
Figure (4.5) The Designed Tapping System, by using GNS3.
Vyatta, like all embedded OSs, is a standalone OS. It comes up with its entire configuration automatically at power-on, without the need for login or any user management.
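The three-port tap described above (ports A and B in one VLAN, everything they carry aggregated onto port C) can also be written as Open vSwitch commands, since OVS is one of the packages kept in the Vyatta image. The script below is an added example and not the dissertation's Vyatta configuration; the bridge name, interface names and VLAN tag are assumptions, and it uses an OVS mirror instead of the original's VLAN bonding to copy both directions of the line to C.

```shell
#!/bin/sh
# Added example: a V-line style tap on Open vSwitch. Interface names, bridge
# name and VLAN tag are assumptions; override them in the environment.
set -u

BRIDGE="${BRIDGE:-tapbr0}"
PORT_A="${PORT_A:-eth0}"     # network port A (one end of the tapped line)
PORT_B="${PORT_B:-eth1}"     # network port B (the other end)
PORT_C="${PORT_C:-eth2}"     # monitor port C, feeds the NIDS
VLAN_TAG="${VLAN_TAG:-10}"   # A and B sit in the same port-based VLAN

# Emit the ovs-vsctl commands one per line so they can be reviewed (or diffed
# against a running box) before being applied.
tap_cmds() {
  printf 'ovs-vsctl --may-exist add-br %s\n' "$BRIDGE"
  # A and B are access ports in one VLAN: frames flow A<->B as on a plain L2 switch.
  printf 'ovs-vsctl --may-exist add-port %s %s tag=%s\n' "$BRIDGE" "$PORT_A" "$VLAN_TAG"
  printf 'ovs-vsctl --may-exist add-port %s %s tag=%s\n' "$BRIDGE" "$PORT_B" "$VLAN_TAG"
  printf 'ovs-vsctl --may-exist add-port %s %s\n' "$BRIDGE" "$PORT_C"
  # One mirror selects every frame entering or leaving A or B and copies it to
  # C. OVS reserves a mirror output port: no other traffic is forwarded to C
  # and frames received on C are dropped, so the NIDS cannot inject into the
  # tapped line. Note that C carries both directions, so a saturated
  # full-duplex 1 Gbps line offers up to 2 Gbps to a single 1 Gbps monitor port.
  printf 'ovs-vsctl -- set Bridge %s mirrors=@m' "$BRIDGE"
  printf ' -- --id=@a get Port %s -- --id=@b get Port %s -- --id=@c get Port %s' \
    "$PORT_A" "$PORT_B" "$PORT_C"
  printf ' -- --id=@m create Mirror name=nids_tap select-src-port=@a,@b select-dst-port=@a,@b output-port=@c\n'
}

# Refuse configurations where C is also a network port or A equals B: the
# mirror output port would silence one side of the line.
tap_ports_ok() {
  [ "$PORT_A" != "$PORT_B" ] && [ "$PORT_A" != "$PORT_C" ] && [ "$PORT_B" != "$PORT_C" ]
}

apply_tap() {
  tap_ports_ok || { echo "A, B and C must be three distinct interfaces" >&2; return 1; }
  command -v ovs-vsctl >/dev/null 2>&1 || { echo "ovs-vsctl not found" >&2; return 1; }
  tap_cmds | sh -e
}

# Usage: ./tap.sh show   (print the commands)      ./tap.sh apply   (configure OVS)
case "${1:-}" in
  show) tap_cmds ;;
  apply) apply_tap ;;
esac
```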
4.2.4 The Implementation: After the tapping design is finished, the system image is burned onto bootable media (an SD card) to be ready for implementation. A strong and modern embedded network appliance is used in the implementation. The BIS-6660 is used in the implementation, and it is then compared with traditional preconfigured network appliances like the Cisco WS-C2950T-24, Mikrotik 1100 RouterBoard, BIS 6730 and Gigabox. The appliances used and compared with have good properties, which are discussed below.
4.2.4.1 The Devices Used for the Tapping Implementation and Comparison:
1. BIS-6660: The BIS-6660 is a fanless embedded appliance provided by the NORCO company, Fig. (4.6). The new generation of NORCO's proprietary ICEFIN Thermal Technology ensures maximum heat dissipation and utilizes the performance of the latest Atom Cedar Trail N2800/D2550 1.86/1.86 GHz Intel embedded processors. Table (4.2) shows the BIS-6660 specifications. The Atom embedded processor is characterized by small size, high performance, low power consumption and low heat radiation. The BIS-6660 provides network connectivity with 2x LAN 10/100/1000 Mbps Ethernet, Wi-Fi and 3G support, 6x USB ports and one SIM slot [51].
Figure (4.6) the BIS-6660: a- back view, b- front view [50].
Table (4.2) the specifications of BIS-6660 [50].
Figure (4.7) the two MINI PCIE ports of BIS-6660, Wi-Fi card connections
Figure (4.7) shows one of the two MINI PCIE slots (one supports 3G) connected to the Wi-Fi device to allow connecting to wireless networks.
An external LAN Ethernet card is connected instead of the Wi-Fi device to evaluate the tapping requirements.
2. Cisco WS-C2950T-24: Cisco is one of the best specialized companies providing software and hardware network technologies. Figure (4.8) shows the Cisco WS-C2950T-24 switch. It includes 24x 10/100 Mbps Ethernet ports and 2 Gigabit ports. The Cisco IOS operating system allows the switch to do IP routing and VLAN configuration. IOS is closed source, which means it is not possible to reform the system, or remove from or add to it; this blocks development attempts, which are allowed only by Cisco [52].
Figure (4.8) Cisco WS-C2950T-24 switch [52].
3. Mikrotik 1100 AHx2 RouterBoard: Mikrotik, like Cisco, provides network appliances with high efficiency. The RouterBoard 1100 AHx2 is one of the most popular routers, Fig. (4.9). It has thirteen Gigabit Ethernet ports. A strong dual-core 1.06 GHz CPU and support for up to 2 GB of RAM are its most important properties, as shown in Table (4.3). Due to the router OS limitations, it can use only 1.5 GB of RAM. Its OS, like Cisco's, is closed source, provided by Mikrotik [53].
Figure (4.9) Mikrotik 1100 AHx2 RouterBoard [53].
Table (4.3) Mikrotik 1100 AHx2 RouterBoard Specifications [53].
4. Giga-Box 8-port Switch: The Giga-Box is a traditional network switch from the Aventador Network company, Figure (4.10). It has eight Gigabit ports. Its customized embedded Linux OS makes it good enough to drive enterprise networks with acceptable throughput.
Figure (4.10) Giga-Box 8-ports Switch.
It is designed as an L2 switch and there is no reconfigurable port, so it is compared with the L2 switch rather than with the tapping system.
5. BIS-6370: The BIS-6370 is a NORCO network-security barebone appliance, Fig. (4.11). It is powered by one of the best embedded CPU architectures: a Marvell ARMv5TE 1.6 GHz processor is used in the BIS-6370, which has many properties. ARM processors are the best and most widely used processors in embedded systems. Low power consumption, high processing speed, low heat radiation and small size are a few of ARM's properties. The BIS-6370 is designed with 6 Gigabit ports (5x LAN, 1x WAN), 1x RS-232, 1x USB 2.0, 1x SATA II, 1x SD card, 512 MB onboard DDR II RAM and 1 Gb NAND flash. The Linux OS is supported [54]. The BIS-6370 is designed for IDS, IPS, VPN, FW, flow control and other fields of network applications.
Figure 4.11 BIS-6370.
NORCO provides an OS image for the BIS-6370, which is a customized embedded Linux OS. The provided OS allows configuring a switch at any network layer and it supports VLAN. The OS image is injected into the BIS-6370 to be able to compare it with the designed tapping system. Working with embedded systems, especially the ARM architecture, and the method of communicating with them to inject the OS need some experience. The method of OS image injection is presented below as a tutorial or introduction for those who want to work on these platforms in the future, since embedded Linux systems and the ARM/Atom processor architectures are not popular in Iraqi universities. The BIS-6660 and BIS-6370, which work with Atom and ARM processors, are used for the first time in Iraq.
5.1 The Communication and OS Injection Technique: To inject the OS image into the NAND flash of the embedded appliance, it is first necessary to communicate with it. Usually, communication with embedded systems is made by the Host-Target method. The BIS-6370 has one console port set for host communications. One of the client Linux distributions must be set up on the Host (Ubuntu is preferred). The BIS-6660 is used as the Host, with Ubuntu 12.04 installed on it. Through one of the BIS-6660 serial ports, the Target (BIS-6370) is connected (by the console-serial adapter). Some protocols, libraries, terminal emulation and modem control software must be installed on Ubuntu to be able to deal with the ARM architecture. VIM, TFTP, NFS, Libpcap, a cross-compiler toolchain and MINICOM are the most required software to be installed on Ubuntu. A quick view of the installation process is given here; more details are found in [51].
TFTP is installed through a short command:
$sudo apt-get install tftp
Then it must be configured and edited with the VIM text editor, and some lines must be added [51]. With the same method of installing and configuring, NFS is installed and configured, but the NFS kernel server package must be installed first through:
$sudo apt-get install nfs-kernel-server
MINICOM, the terminal emulation and modem control (serial port debugging) program, is installed and run from the Ubuntu terminal through:
$sudo minicom -s
A menu window will be displayed, Fig. (4.12). From the menu, select Serial port setup, and then a new window will appear, Fig. (4.13). In it, set the fields as below:
• Set the Serial device field to /dev/ttyS0 (assuming the Target is connected to COM1 of the Host).
• Set the Bps/Par/Bits field to 115200 8N1.
• Set Hardware Flow Control to No.
• Set Software Flow Control to No.
• Select Exit.
Figure (4.12) MINICOM configuration.
Figure (4.13) MINICOM-Serial port setup.
To download the OS image (Host files) to the ARM board (Target), the OS image must be stored on the Host in the /tftpboot directory. The host IP address must be set to 10.4.52.7, which is on the default network of the Target. Then, the following command downloads the file to the ARM board and saves it in the /tmp directory:
#tftp -l /tmp/OS-Name -r Linux-2.6.31.8.img -g 10.4.52.7
If you need to boot the OS image directly from a removable drive, Boot Mode must be set to direct the boot operation to the removable drive, since the default boot mode is booting from NAND flash.
Figure (4.14) the booting operation of the injected image (a).
In MINICOM, type "Boot u-boot", and then restart the Target. The Target will load the OS image as shown in Figs. (4.14(a-b)). Booting starts by displaying the Target specifications, then it turns to reading the NAND flash content, which includes the kernel image (OS image). The kernel image is uncompressed and loaded. The terminal shows the kernel version and the kernel image type, which is an ARM Linux kernel image, Fig. (4.14-b). The creation date of the kernel image shows that it was created at the end of 2012. Creating the OS image from a file system is possible, but it needs the cross-compiler and the "Mtd-Utils" tool to be installed [51].
Figure (4.14) the booting operation of the injected image (b).
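The host-side steps of the injection procedure above (stage the image in /tftpboot, own 10.4.52.7, open the console at 115200 8N1, then have the Target fetch the image with tftp) collected into one script. This is an added example, not the dissertation's own procedure verbatim; it assumes the image name, address and serial settings from the text, and it adds a SHA-256 digest of the staged image, which the original does not do, so that what ends up in NAND can be checked against what was staged.

```shell
#!/bin/sh
# Added example, not the dissertation's script: host side of the Host-Target
# OS injection (Ubuntu host, BIS-6370 target on a serial console, image pulled
# by the target over tftp). Paths, serial device, baud rate and host address are
# assumptions taken from the text; override them in the environment.
set -u

TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"       # directory the target's tftp client reads from
HOST_IP="${HOST_IP:-10.4.52.7}"           # address the target expects the host to have
SERIAL_DEV="${SERIAL_DEV:-/dev/ttyS0}"    # console adapter on COM1 of the host
BAUD="${BAUD:-115200}"                    # 8N1, no flow control (Fig. 4.13)

# SHA-256 of a file; GNU coreutils (sha256sum) or BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Copy an image into the tftp root and write its digest beside it. tftp has no
# integrity protection of its own, so the digest is what you compare against the
# image actually written to NAND, or against the vendor's published hash.
# Usage: stage_image /path/to/Linux-2.6.31.8.img [tftp_root]
stage_image() {
  img="$1"; root="${2:-$TFTP_ROOT}"
  [ -f "$img" ] || { echo "stage_image: no such image: $img" >&2; return 1; }
  mkdir -p "$root"
  name=$(basename "$img")
  cp -f "$img" "$root/$name"
  sha256_of "$root/$name" > "$root/$name.sha256"
  echo "$name $(cat "$root/$name.sha256")"
}

# Busybox-style tftp fetch as typed on the target (the command in 4.2.4.1):
# -l local file, -r remote file, -g get from HOST_IP. Printed, not run, because
# it belongs on the other end of the console link.
target_fetch_cmd() {
  printf 'tftp -l /tmp/%s -r %s -g %s\n' "$1" "$1" "$HOST_IP"
}

# Non-interactive equivalent of the device and speed fields set in "minicom -s".
# Flow control has no command-line switch; keep it at No in the saved config.
minicom_cmd() {
  printf 'minicom -D %s -b %s\n' "$SERIAL_DEV" "$BAUD"
}

# The fetch times out silently if the host does not own HOST_IP; check first.
host_ip_present() {
  if command -v ip >/dev/null 2>&1; then
    ip -o addr 2>/dev/null | grep -q "inet $HOST_IP/"
  else
    ifconfig 2>/dev/null | grep -q "$HOST_IP"
  fi
}

# Usage: ./inject_host.sh Linux-2.6.31.8.img
if [ -n "${1:-}" ]; then
  stage_image "$1" || exit 1
  host_ip_present || echo "warning: $HOST_IP is not configured on this host" >&2
  echo "on the target run:  $(target_fetch_cmd "$(basename "$1")")"
  echo "console:            $(minicom_cmd)"
fi
```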
4.2.5 The Testing of the Designed Tapping System: To test the designed Tapping system thoroughly, the Mikrotik RouterBoard 1100 is used as a test instrument. A local loop is made by having the Mikrotik generate packets, send them to the Tap system and then receive them back from the Tap system. The Mikrotik generates the packets, but it could not go further: it generated about 250 Mbps and the CPU load reached 100%. Figure (4.15) shows the Mikrotik records of the test, where the throughput reached 244 Mbps, the CPU load was 100% and there were no errors or packet drops. Figure (4.16) shows the throughput when the receiving task is done by a laptop instead of the Mikrotik. The throughput (Tx/Rx) reached about 300 Mbps because the Mikrotik is used for packet generation only and the laptop receives the traffic from the Tap system. After that, the testing is done using three laptops, where a large file is transmitted between two of them while the third receives the tapped traffic from the tapping port.
Figure (4.15) the designed tapping system traffic by using Mikrotik 1100 AHx2 RouterBoard as test instrument, Mikrotik 1100 AHx2 RouterBoard record.
Figure (4.16) the designed system traffic by using MikrotiK 1100 AHx2 RouterBoard as packet generator and Laptop for the receiving task, receiving Laptop record.
It is found that video files are the best file type for testing, especially when the file size is greater than 1 GB, since the transmitted packets are then MTU-sized and there is no transmission drop of the kind that occurs at each end-start of sending files (between the end of one file and the start of the next).
The throughput increases to 670 Mbps in this method (three laptops); then the Mikrotik is placed in-line on the tap port to record more details about the throughput, where it shows 700 Mbps throughput without packet loss, Figs. (4.17-4.18).
Figure (4.17) the designed system traffic by using three Laptops method, receiving Laptop record.
Figure (4.18) the designed system traffic by using three Laptops method, MikrotiK 1100 AHx2 RouterBoard record.
Using the Mikrotik as a throughput-recording device is very useful and powerful, but it is used as a packet generator (it achieved 250 Mbps only) for important reasons.
The Mikrotik allows generating and sending random packets with variable sizes, which is the most efficient test for the system. One of the most important factors in network systems is the system efficiency when it deals with variable-size packets, especially small ones, and there the measurement is the packet rate, not the bit rate. Unfortunately, the packet specifications (packet size) cannot be controlled in the three-laptop method, where the test depends on sending files between the laptops, so the bit rate is relied upon, not the packet rate. Figure (4.19) represents the data rate at the receiving laptop, which shows 49.9 MB; it represents the information only, without the headers of all the layers.
Figure (4.19) the designed system data rate by using three Laptops method, receiving Laptop record.
Figure (4.20) The MikrotiK 1100 AHx2 RouterBoard traffic, receiving Laptop record.
Figure (4.20) shows a bit rate of 660 Mbps when the Mikrotik is used as the tapping system. It approaches the result of the designed system, which depended on the BIS-6660. The throughput reached 650 Mbps when the Cisco is used as the tapping system, Fig. (4.21). The BIS-6730 achieved 450 Mbps, which is the minimum among the tested devices, Fig. (4.22).
Figure (4.21) The Cisco WS-C2950T-24 traffic, receiving Laptop record.
Figure (4.22) the BIS-6730 traffic, receiving Laptop record.
The results achieved approached 700 Mbps. The thought was that the devices could not achieve more than this, or that the reason was the limitations of the data lines. The data lines were replaced with others of good quality, but the result did not change. Finally, the limitation was found, and it came from the test instrument used. The PCs used with magnetic SATA hard disks cannot achieve data read/write rates of more than 50 MB/sec. HDs from several companies and models, like the Toshiba MK3276GSX, Samsung HD 501LG and Mobile Samsung HM160HI/CN3 5400 RPM, with PC specifications ranging from Core 2 Duo with 2 GB RAM to Core i7 with 16 GB RAM, were used in the testing to obtain more results. Many tests were done on the tested devices, and the averages are listed in Table (4.4). All the records listed are of the devices tested as tapping systems, except the GIGABOX, which is used as an L2 switch only. The last record is the throughput when a direct connection is used between two laptops without in-line devices. The results show that the designed tapping system is more efficient and reached the result of the direct connection. If a solid-state HD and a more efficient test instrument like the "Spirent Test Center v. 3.70, which supports throughput up to 40 Gbps" were used in the testing, the throughput might exceed the recorded results in Table (4.4). The results of the Mikrotik 1100 AHx2 RouterBoard, the Cisco WS-C2950T-24 and the designed tapping system converge, where the difference lies within the range of the percentage error values. The system testing was done at Matrix Company, which is one of the best companies in Iraq for communications and internet service.
Table (4.4) the throughput of the tested devices.
Tested device                      Throughput (Mbps)
Mikrotik 1100 AHx2 RouterBoard     671
BIS-6660 Vyatta                    693
Cisco WS-C2950T-24                 657
BIS-6730 Custom Linux              449
GIGA-BOX (L2 switch only)          638
Direct connection                  693
4.3 The Real-Time Operating System (RTOS): Today, speed has become the most important factor for any system: computer networks, control units and counting systems. Therefore, if the designed project has high accuracy, simplicity or flexibility but is unable to keep up with the overall system speed, it will be the bottleneck and it will not be an efficient system. Designing a project and implementing it on a non-real-time OS like Windows, Mac or Linux will not solve the execution speed problem, because the CPU will be interrupted by many tasks that are not useful for the main aim of the designed project, like the mouse, keyboard, sound card and unused ports. The right solution is to convert the designed project to a real-time OS. xPC is the tool that gives the ability to adopt the kernel and convert the designed project into a custom lite OS. This facility increases the execution speed and makes it a real-time system. xPC goes beyond real-time and gives true-time operation. It can be used in many fields that require high-speed execution, such as control systems [55], [56] and computer network systems [11].
4.3.1 Real-Time vs. True-Time: Real-time is a flexible word. If there is a network that works at 1 KB/sec and the designed system can give an output at a speed equal to or over 1 KB/sec, it is a real-time system with respect to that network. It depends on the speed of the network, and there is no fixed execution speed that serves as a standard for the real-time condition by which it can be decided whether a system is real-time or not [57]. True-time is a less confusing word than the previous one. It takes a virtual environment as the real world for the network environment and considers the designed system applied on a PC connected to that real world. It forms a ratio between the CPU clock of the assumed PC in the virtual environment and the CPU clock of the devices used in the design. True-time is more real than real-time and it gives the true result in testing and implementation [58].
4.3.2 xPC: xPC is one of the most powerful libraries of the Simulink toolbox. It consists of two parts, the Target product and the Host product. It provides the best solution for rapid control prototyping and testing, Hardware In the Loop (HIL), and deploying real-time systems using standard PC hardware. The Target PC is separated from the Host PC. The Host PC is used for controlling and monitoring the work of the project on the Target PC. The xPC software environment includes many features that help the designer design, build, test and create a standalone real-time OS [59]. It contains many blocks that can easily be used in the design, Fig. (4.23). These blocks are classified into many categories: Ethernet, IP carrier and many others. The general Simulink blocks are also supported, like signal generators, scopes, etc.
Figure (4.23) xPC Target Library, Simulink-Matlab R2010.
4.3.3 Creating the RTOS: xPC uses the xPC Target kernel as a base to create a custom operating system, so it does not require Linux, DOS, Windows or any other OS on the target PC. The target PC is booted from boot media that includes the xPC Target kernel. xPC Target software requires a C/C++ compiler, Real-Time Workshop, Stateflow Coder (optional) and Real-Time Workshop Embedded Coder (optional) to convert the designed model to executable code [60]. The optional tools are required if the designed RTOS needs to be a standalone OS. This code is downloaded from the host PC to the target PC running the xPC Target kernel, and then it can run in real time. Additionally, I/O blocks can be added to the designed model to connect and communicate with other hardware. To simplify what has been mentioned above, it is subdivided into steps.
• Step one: Configuration of the Target-Host Communication: To define the communication method for the created RTOS (Host-Target communication), some configuration is required. xPC provides the xPC-Explorer tool, through which the configuration can be set to create the right adapted xPC kernel. This tool is executed by typing ''xpcexpr'' in the Matlab command window; Fig. (4.24) shows xPC-Explorer.
Figure (4.24) xPC-Explorer, Simulink-Matlab R2010.
xPC allows making the Host-Target connection through two communication methods: RS232 and TCP/IP. Under ''TargetPC1-Configuration-Communication'' there are three fields, Fig. (4.25).
A. Communication protocol: through ''Host Target Communication'' the protocol can be set to RS232 or TCP/IP.
B. Target PC TCP/IP Configuration: the Target IP address can be set through ''Target PC IP address''. The Target driver can be set through ''TCP/IP Target driver''. xPC supports a limited set of Ethernet card vendors [61]. All the other fields can be left at their defaults.
C. RS232 Configuration: if the Host PC has more than one COM port, the COM number must be defined, as well as the baud rate.
By clicking ''apply'', all the settings are saved and the RTOS is ready to burn onto bootable media.
Figure (4.25) xPC-Explorer-Communication configuration, Simulink-Matlab R2010.
• Step two: Create and Burn the RTOS on Bootable Media: After configuring the Host-Target communication, the RTOS can easily be burned onto bootable media. Under ''TargetPC1 Configuration'', there are a number of boot options: Boot Floppy, CD Boot and others, Fig. (4.24). By choosing the "CD Boot" option, it asks to define the location in which to create the CD boot image. Through the ''Browser'' option, the location can be set to any folder or directly to the writable CD/DVD disk. By clicking ''Create CD Boot image'', the image (xPC Target kernel) is created automatically; then click "Apply" and the disk will start burning.
Ch.4
On-line NIDS Design & Implementation
4.3.4 Building Two Models and Testing Them on the Created RTOS: To test the features of the created RTOS, two models are built and applied separately on it.
A. Target-Host transmission using UDP: A UDP packet generator is designed as shown in Fig. (4.26). Three PCs and a network switch are used to implement the model as shown in Fig. (4.27). When the Target PC boots the created RTOS, it displays the minimum required details about the Target PC, Fig. (4.28). The Target PC (x86 2.2GHz Core 2 Duo CPU and 2GB RAM) is connected with the Host PC through TCP/IP (Ethernet). When the model is opened on the Host PC, it can easily be controlled through xPC-Explorer, Fig. (4.29).
Figure (4.26) Model 1, Simulink-Matlab R2010.
Figure (4.27) Model 1 and 2 topology.
Figure (4.28) the created RTOS at boot.
Figure (4.29) the control window in xPC-Explorer. Model 1, Simulink-Matlab R2010.
By clicking ''connect'' on ''TargetPC1'', the connected state becomes ''yes'' and the model can then be downloaded to the kernel of the Target PC's RTOS. When the model is started, the Target PC executes it and reports the maximum, minimum and average Task Execution Time (TET); ''TET is the time in seconds to complete calculations for the model equations and post outputs during each sample interval [62]'', Fig. (4.30). All the information displayed on the Target PC monitor can be monitored and controlled from the Host PC through xPC-Explorer. The Target PC generates UDP packets with the destination IP of the third PC and sends them to the switch, which forwards them to the third PC, which receives them successfully.
Figure (4.30) the execution of Model 1 in the created RTOS.
B. Spectrum Analyzer: By using the same configuration and steps as in model ''A'', model ''B'' is built and executed, Fig. (4.31). The model is very simple: a signal generator consisting of two sinusoidal signals and a spectrum analyzer for the resulting signal.
Figure (4.31) Model 2, Simulink-Matlab R2010.
The Target PC displays the frequency components generated in the model as shown in Fig. (4.32). It shows a very small TET and very high accuracy.
Figure (4.32) the execution of model 2 in the created RTOS.
4.3.5 The Test Results and Conclusions: xPC is a very efficient tool for creating a real-time system that can be used in many fields: networks, control units and high-speed projects. The created RTOS is tested with two models, Target-Host transmission using UDP and Spectrum Analyzer. The first model is chosen to see how the RTOS deals with network systems and to check its ability to communicate with other external systems. The second model is chosen to see its ability to deal with control units and analysis systems. Table (4.5) shows that the RTOS is very efficient and gives a lower TET than the same models run inside Matlab-Simulink on the same PC hardware. The difference arises because, when the model runs inside Simulink, it receives only a share of the CPU's attention: the CPU processes the Windows tasks, runs Simulink inside Windows and runs the model inside Simulink. This series of levels interrupts the CPU's processing, but when the model runs inside the created OS the CPU has nothing to do but the model and devotes all its resources to it. Running the model for the first time in Simulink takes more time because of the building process, which is not needed on subsequent runs unless the model is closed. In the RTOS the model is built at the download step, so it makes no difference whether the run is the first or a later one. About ten iterations are done for each case and the records are summarized in Table (4.5).
Table (4.5) The Results comparison of the two models.
4.4 The Packet Features Extractor (PFE): Network Systems (NS) depend essentially on the packet features (header fields and payload) in their work, which includes packet analysis and filtering. Routers, bridges and network security systems need to extract the features of the packet to do their jobs, so the PFE is one of the most important parts of an on-line NS. It is the missing step through which an off-line NS can be developed into an on-line system. The PFE is designed to develop the off-line NIDS (Ch.3) into an on-line system. The design is based on extracting 12 NSL-KDD features from the packet. The 12 features are the same features that the off-line NIDS is based on, Table (3.2). The on-line system needs to deal with a real network: it sniffs the packets, then extracts the features it needs, and after that passes the features to the System Core for analysis. Figure (4.33) includes a comparison between the off-line and on-line NIDS (Figs. (3.1, 4.1)). To modify the off-line NIDS to be on-line, two important parts are added or changed: the sniffing operation, which is the task of the designed Tapping system (see 4.2), and the feature extraction, which is the task of the PFE system and is discussed here.
[Figure (4.33) block diagrams: (a) on-line NIDS: Network line → Sniffing → Features Extracting → System Core → Result display; (b) off-line NIDS: Data set Selected Features → System Core → Result display.]
Figure (4.33) NIDS Architecture: a-on-line NIDS, b-off-line NIDS.
4.4.1 The PFE Design: To design the PFE, C#.Net is used. C#.Net is a strong programming language designed especially for network applications. It is highly flexible, very simple and among the most powerful of the Microsoft Visual Studio languages. Windows Packet Filter Kit (WinPKfilter), PacketX, Sharp Packet Capture (SharpPcap) and Packet Capture.Net (PcapDotNet) are the most popular libraries that work with C#.Net. PcapDotNet is the best of these libraries for network applications [63]. PcapDotNet and SharpPcap are used in the PFE design. The first step is sniffing the packet and temporarily storing it; then the extracting function is called to complete the job, Fig. (4.34). The off-line NIDS is designed using Simulink software. The PFE is designed to develop the off-line NIDS into an on-line NIDS, so it extracts the same 12 features that the off-line NIDS is based on. To use the designed PFE in the prebuilt off-line NIDS, it must be embedded in a Simulink block. A C function block is used to pick up the C# Features Extracting project. It is inserted into the system to replace the testing dataset, Fig. (4.33). The features that were passed to the System Core from the dataset are replaced with those extracted from the network line by the PFE.
Figure (4.34) Program piece code for the features extractor, M-soft VS2012-C#.Net.
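As an added illustration of the extractor's job, the following Python sketch is included here; it is not the dissertation's C# code from Fig. (4.34) and not the project's 12-feature set, which the page does not list. It parses raw Ethernet/IPv4 frames, derives per-packet approximations of a few NSL-KDD fields (protocol_type, service, src_bytes, land, urgent, wrong_fragment, plus the raw TCP flags) and reports the minimum, maximum and average extraction time per frame in the same spirit as the TET statistic reported for the RTOS. The port-to-service map, the chosen fields and every sample frame are constructed assumptions; real NSL-KDD service and flag values depend on whole-connection state that a single packet cannot supply.

```python
# Added example: a minimal Packet Features Extractor in Python (not the
# dissertation's C# PFE).  Feature subset, port map and sample frames are
# constructed for illustration only.
import struct
import time

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumed subset of NSL-KDD service names, keyed by destination port.
SERVICE_BY_PORT = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
                   53: "domain", 80: "http", 443: "https"}
TCP_FLAG_BITS = [(0x20, "U"), (0x10, "A"), (0x08, "P"),
                 (0x04, "R"), (0x02, "S"), (0x01, "F")]


def extract_features(frame: bytes) -> dict:
    """Feature dict for one frame; ValueError for non-IPv4 or truncated input."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    l4 = ip[ihl:total_len]  # honour total length: Ethernet padding is not payload
    frag_offset = flags_frag & 0x1FFF
    more_frags = bool(flags_frag & 0x2000)
    feats = {
        "protocol_type": PROTO_NAMES.get(proto, "other"),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "src_port": 0, "dst_port": 0, "service": "other", "tcp_flags": "",
        "src_bytes": len(l4),  # refined to payload length once the L4 header is parsed
        "land": 0, "urgent": 0,
        # Approximation of NSL-KDD wrong_fragment: any fragmented datagram is flagged.
        "wrong_fragment": int(frag_offset != 0 or more_frags),
    }
    if frag_offset == 0:  # only a first fragment carries an L4 header
        if proto == 6 and len(l4) >= 20:
            sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
            data_off = (off_flags >> 12) * 4
            flags = off_flags & 0x3F
            feats.update(src_port=sport, dst_port=dport,
                         tcp_flags="".join(c for bit, c in TCP_FLAG_BITS if flags & bit),
                         urgent=int(bool(flags & 0x20)),
                         src_bytes=max(0, len(l4) - data_off))
        elif proto == 17 and len(l4) >= 8:
            sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
            feats.update(src_port=sport, dst_port=dport, src_bytes=len(l4) - 8)
        elif proto == 1 and len(l4) >= 8:
            feats["src_bytes"] = len(l4) - 8  # ICMP header is 8 bytes
    feats["service"] = SERVICE_BY_PORT.get(feats["dst_port"], "other")
    # NSL-KDD land: source and destination address/port pairs are identical.
    feats["land"] = int(src == dst and feats["src_port"] == feats["dst_port"])
    return feats


def build_frame(proto, src, dst, sport, dport, payload=b"", tcp_flags=0x02):
    """Construct a sample TCP/UDP frame (checksums zero; extractor ignores them)."""
    if proto == 6:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                         (5 << 12) | tcp_flags, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    eth_hdr = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + l4


# Constructed sample traffic (not captured data).
SAMPLE_FRAMES = {
    "http_syn": build_frame(6, "192.168.1.10", "192.168.1.20", 40000, 80),
    "dns_query": build_frame(17, "192.168.1.10", "192.168.1.30", 5353, 53, payload=bytes(12)),
    "land": build_frame(6, "192.168.1.20", "192.168.1.20", 80, 80),
    "urgent_push": build_frame(6, "192.168.1.10", "192.168.1.20", 40001, 23,
                               payload=b"hello", tcp_flags=0x38),  # URG|ACK|PSH
}
ARP_FRAME = bytes.fromhex("ff" * 6 + "66778899aabb" + "0806") + bytes(28)


def measure_tet(frames, iterations=10):
    """Min/max/average per-frame extraction time in microseconds (TET-style)."""
    samples = []
    for _ in range(iterations):
        for frame in frames:
            start = time.perf_counter()
            extract_features(frame)
            samples.append((time.perf_counter() - start) * 1e6)
    return {"min_us": min(samples), "max_us": max(samples),
            "avg_us": sum(samples) / len(samples)}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, extract_features(frame))
    print("TET (us):", measure_tet(list(SAMPLE_FRAMES.values())))
```

The extractor rejects non-IPv4 frames and truncated headers with an exception rather than emitting partial features, and it trusts the IPv4 total length rather than the frame length so that Ethernet padding is never counted as payload; both are the kind of checks a feature extractor feeding a classifier needs so that malformed traffic cannot skew the features it reports.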
4.4.2 The Implementation of the Designed PFE: The PFE is applied on the RTOS and took about 0.65 microseconds average TET. The implementation of the system gives a good result, with high performance and a throughput that reached 100 Mbps, limited by the NIC (a 100 Mbps NIC is used). The point is that the throughput could exceed this if a gigabit NIC were used. Table (4.6) shows that the average throughput saturates at converging values for three different models that are simpler than the PFE, and the values reach the limit of the NIC, which is about 100 Mbps.
Table (4.6) Comparison of the throughput results (average throughput of the tested models, in Mbps).
Model                        | Throughput (Mbps)
UDP transmit only            | 99.75
UDP receive only             | 99.77
TCP transmit only            | 99.72
TCP receive only             | 99.74
PFE over TCP communication   | 99.76
4.5 The Forming of the On-line NIDS: After building the Tapping and PFE systems, the off-line NIDS is developed into an on-line NIDS. The new on-line NIDS uses the same System-Core as the off-line NIDS, Fig. (4.33). The designed PFE is connected to the System-Core block, and the output is connected to the Displayer block to monitor the NIDS operations, Fig. (4.35).
Figure (4.35) the built on-line NIDS block diagram, Simulink-Matlab R2010.
Ethernet-Receive is one of the xPC Target library blocks. It is used to receive Ethernet packets from the Ethernet NIC of the Target PC. The PFE receives the packets from the Ethernet-Receive block, extracts the needed features, reformats them so that the System-Core can deal with them and passes them to the System-Core. The System-Core consists of many sub-blocks; see Ch.3-3.6 and Fig. (3.14). The Displayer block does the same job as the Displayer block of the off-line NIDS, but some xPC Target Scopes were added. The on-line NIDS is applied on the RTOS. Each attack class of the NIDS object has its own field showing the count of attack attempts, Fig. (4.36). The intruder (attacker) IP is shown in a separate field. Scope1 shows the system-health signal, which indicates the system performance: as the system approaches a critical condition such as overload, the signal moves toward a sawtooth rather than a rectangular form.
Figure (4.36) the built on-line NIDS monitor.
The instantaneous throughput is shown in scope5. The throughput scope shows 99.9 Mbps. The on-line NIDS achieves a very good throughput, reaching 99.97 Mbps on average. The throughput is limited by the Network Interface Card (NIC) properties, see Ch.4-4.4.2. The xPC Target kernel supports a limited set of NIC vendors for TCP communication [61]. It relies on an Intel 8255x NIC, and only a 100 Mbps NIC was available in this experiment, so it is used. The performance of the NIDS system shows good results in intrusion detection and operation speed. To test the detection job of the system, many intrusion applications are used to generate many types of attacks. Net-Cut, njRAT, DsPloit, NetSpy, Selfish-Net, ARP-spoofing, Proxy-ARP, ZenMate and Hide-Me are used to generate attacks to test the NIDS system. These applications produce a wide range of attack types (DoS, R2L and U2R). The system succeeded in detecting, in real time, all the attacks generated by the applications used.
4.6 Comparison with Other Works: The first attempt at Mosul University to build a real on-line NIDS was by Sahar Lazem Kadoory in her Master research titled "Design and Implementation of an Embedded Intrusion Detection System (IDS) for Wireless Applications", a 2009 thesis [10]. Sahar designed her system based on the SNORT IDS by modifying its rule set. She removed many of its rules after a study to choose the most effective rules, making the system lightweight. The system gives good results at data rates between 1.08 and 9.42 Mbps. To compare the built system with Sahar's system, a number of points must be discussed.
1. The proposed NIDS is designed and constructed completely without depending on a prebuilt NIDS, unlike Sahar's system, which depends on SNORT, an open-source NIDS.
2. The proposed system uses the NSL-KDD dataset as the base to form the NIDS rules, whereas the previous system used the prebuilt SNORT rules.
3. The proposed system includes the design of both off-line and on-line NIDS and produces a new method for developing the off-line NIDS into an on-line NIDS, whereas the previous work focused on the on-line NIDS only.
4. The proposed system includes the Tapping system, without which the NIDS is blind, whereas the previous work did not mention this problem.
5. The proposed system includes separate subsystems that can be used in other projects, such as the PFE and the RTOS, whereas the previous work did not show any subsystems.
6. The proposed system introduces many modern elements, such as working with the modern embedded appliances BIS-6660 and BIS-6370, with ARM and Atom embedded processor architectures and with embedded Linux, and the comparison with popular systems, whereas the previous system used the Ubicom platform.
7. The proposed system achieves about 100 Mbps, where the limitation comes from the NIC used and not from the system, whereas the previous system achieved data rates between 1.08 and 9.42 Mbps.
References:
[1] Abdullah A. Mohamed and Dia M. Ali, "Challenges Of Designing And Implementing Intrusion Detection System", The International Conference on Computer Related Knowledge (ICCRK'2013), Sousse, Tunisia, June 2014.
[2] Moradi M. and Zulkernine M., "A Neural Network Based System for Intrusion Detection and Classification of Attacks", School of Computing, Queen's University, Canada, 2004.
[3] Yacine Bouzida, "Neural Networks vs. Decision Trees for Intrusion Detection", Mitsubishi Electric ITE-TCL, Rennes, Department RSM GET/ENST Bretagne, France, 2006.
[4] Wafa' S. Al-Sharafat and Reyadh Sh. Naoum, "Adaptive Framework for Network Intrusion Detection by Using Genetic-Based Machine Learning Algorithm", Al al-Bayt University, Information Technology College, Jordan, 2009.
[5] Shilpa L., Sini J. and B. Verma, "Feature Reduction using Principal Component Analysis for Effective Anomaly-Based Intrusion Detection on NSL-KDD", International Journal of Engineering Science and Technology, Vol. 2(6), pp. 1790-1799, 2003.
[6] Laheeb M. et al., "A Comparison Study For Intrusion Database (Kdd-99, NslKdd) Based On Self Organization Map (Som) Artificial Neural Network", School of Engineering, Taylor's University, Journal of Engineering Science and Technology, Vol. 8(1), pp. 107-119, 2013.
[7] Rong-Tai Liu et al., "A Fast String-Matching Algorithm for Network Processor-Based Intrusion Detection System", International Conference on Performance, Computing, and Communications, IEEE, 2004.
[8] Seungho Ryu et al., "Incorporating Intrusion Detection Functionality into IXP2800 Network Processor based Route", The 8th International Conference on Advanced Communication Technology, 2006.
[9] Chris Clark et al., "A Hardware Platform for Network Intrusion Detection and Prevention", Center for Experimental Research in Computer Systems (CERCS), Georgia Institute of Technology, Atlanta, GA, USA, 2010.
[10] Sahar Lazem Kadoory, "Design and Implementation of an Embedded Intrusion Detection System (IDS) for Wireless Applications", Master Thesis, Mosul University, 2010.
[11] Abdullah A. Mohamed, "Design Intrusion Detection System Based On Image Block Matching", International Journal of Computer and Communication Engineering, IACSIT Press, Vol. 2, No. 5, September 2013.
[12] William Stallings, "Network Security Essentials: Applications and Standards", Prentice Hall, fourth edition, pp. 1-20, 2011.
[13] Mattord and Verma, "Principles of Information Security", Course Technology, pp. 290-301, 2008.
[14] Intel, "IXP2400/IXP2800 Network Processor Programmer's Reference Manual", Intel Corporation, 2003.
[15] Intel, "IXP2800 Network Processor Product Brief", Intel Corporation, 2002.
[16] Intel, "Internet Exchange Architecture (Intel IXA) Software Developers Kit 3.0 SDK_3_Product_Brief", Intel Corporation, 2002.
[17] Erik J. Johnson and Aaron R. Kunze, "IXP2400/2800 Programming: The Complete Microengine Coding Guide", Intel Press, 2003.
[18] Wen Cheng-yu et al., "Research and implementation of NIDS based on IXP2400", Second International Conference on Future Information Technology and Management Engineering, 2009.
[19] George E. Brown, "Real-time Applications Using Simulink and OpenSees", Network for Earthquake Engineering Simulation (NEES), 2011.
[20] C. R. Clark and C. D. Ulmer, "Network intrusion detection systems on FPGAs with on-chip network interfaces", Sandia National Laboratories, Sandia Corporation, 2005.
[21] M. Roesch, "Snort: Lightweight intrusion detection for networks", USENIX LISA Systems Conference, snort.org, 1999.
[22] Chris Clark et al., "A Hardware Platform for Network Intrusion Detection and Prevention", Center for Experimental Research in Computer Systems (CERCS), Georgia Institute of Technology, Atlanta, USA, 2005.
[23] Eivind Naess, "Configurable Middleware-Level Intrusion Detection Support For Embedded Systems", thesis, Washington State University, School of Electrical Engineering and Computer Science, May 2004.
[24] NOROC Comp., "NA-813 data-sheet, Desktop Network Appliance Platform with Intel Atom Processor", www.axiomtek.com.
[25] Yocto Project, "Yocto Project Quick Start", Linux Foundation, 2011.
[26] Abdullah A. Mohamed and Dia M. Ali, "Packet Features Extractor for Network Security Systems: Design and Implementation", International Journal of Engineering and Innovative Technology (IJEIT), Vol. 3(10), April 2014.
[27] J. McHugh, "Testing Intrusion Detection Systems: A Critique of The 1998 And 1999 DARPA Intrusion Detection", ACM Transactions on Information and System Security, pp. 262-294, 2000.
[28] Hung-Jen Liao et al., "Intrusion detection system: A comprehensive review", Journal of Network and Computer Applications, Elsevier, Vol. 36(1), pp. 16-24, January 2013.
[29] S. Lakhina, Sini J. and B. Verma, "Feature Reduction using Principal Component Analysis for Effective Anomaly-Based Intrusion Detection on NSL-KDD", International Journal of Engineering Science and Technology, Vol. 2(6), pp. 1790-1799, 2010.
[30] Oatley et al., "SMART software for decision makers KDD experience", Knowledge-Based System, Elsevier, Vol. 15(5), pp. 323-333, July 2002.
[31] Hee C., B. Jo, S. Choi and T. Park, "Feature Selection for Intrusion Detection using NSL-KDD", Recent Advances in Computer Science, pp. 184-187, 2013.
[32] Shaheen A., "A Comparative Analysis Of Intelligent Techniques For Detecting Anomalous Internet Traffic", MSc Thesis, King Fahd University, 2010.
[33] Olusola, Adeola S. and D. Abosede, "Analysis of KDD '99 Intrusion Detection Dataset for Selection of Relevance Features", Proceedings of the World Congress on Engineering and Computer Science, San Francisco, USA, October 2010.
[34] Rupali D. and Shilpa L., "Performance Comparison of Features Reduction Techniques for Intrusion Detection System", International Journal of Computer Science and Technology, Vol. 3(1), 2012.
[35] Hafiz M. Imran et al., "Intrusions Detection based on Optimum Features Subset and Efficient Dataset Selection", International Journal of Engineering and Innovative Technology, Vol. 2(6), 2012.
[36] Taisir E., Mohammad K. and Aws K., "On The Kdd'99 Dataset Statistical Analysis For Feature Selection", Journal of Data Mining and Knowledge Discovery, Vol. 3(3), pp. 88-90, 2012.
[37] Ricardo A. and Rajesh S., "Feature Ranking and Support Vector Machines Classification Analysis of the NSL-KDD Intrusion Detection Corpus", Proceedings of the Twenty-Sixth International Florida Artificial Intelligence Research Society Conference, 2013.
[38] Hana M. and Najla B., "Analysis of Basic Compounds in Network Intrusion Detection System Based On NSL-KDD Dataset", Journal of Al-Rafidain for Computer Science and Mathematics, Vol. 10(1), 2013.
[39] Emeka Eyisi et al., "An integrated modeling and simulation tool for networked control systems", Simulation Modelling Practice and Theory, Elsevier, Vol. 27, 2012.
[40] Bhavsar, Yogita B. and Kalyani C. Waghmare, "Intrusion Detection System Using Data Mining Technique: Support Vector Machine", International Journal of Emerging Technology and Advanced Engineering, Vol. 3, pp. 581-586, 2013.
[41] Vaitsekhovich L., "Intrusion Detection in TCP/IP Networks Using Immune Systems Paradigm and Neural Network Detectors", Brest State Technical University, XI International PhD Workshop, OWD, 2009.
[42] Prasanta Gogoi et al., "MLH-IDS: A Multi-Level Hybrid Intrusion Detection Method", The Computer Journal Advance Access, published by Oxford University Press on behalf of The British Computer Society, 2013.
[43] Lee, Wenke, and Salvatore J. Stolfo, "A framework for constructing features and models for intrusion detection systems", ACM Transactions on Information and System Security (TISSEC), Vol. 3, pp. 227-261, 2000.
[44] Alistair Croll and Sean Power, "Complete Web Monitoring", O'Reilly Media, Inc., Vol. 1, Ch. 10, pp. 353-376, June 2009.
[45] Richard Zurawski, "Embedded Systems Handbook", CRC Press, Vol. 2, pp. 7285, July 2009.
[46] Vyatta Inc., "Why Vyatta is Better than Cisco", Vyatta Inc., 2007.
[47] Super Micro Computer Inc., "Supermicro L2/L3 Switches VLAN Configuration Guide", Super Micro Computer Inc., Vol. 1, January 2013.
[48] RedNectar Chris Welsh, "GNS3 Network Simulation Guide", Packt Publishing, Vol. 1, pp. 22-28, October 2013.
[49] Vyatta Inc., "Vyatta System Quick Start Guide", Vyatta Inc., Vol. 2, August 2008.
[50] NORCO Intelligent Technology Co., "BIS-6660 Datasheet", NORCO Intelligent Technology Co., November 2012.
[51] NORCO Intelligent Technology Co., "BIS-6660 User's Manual", NORCO Intelligent Technology Co., 2011.
[52] Cisco Systems Inc., "Cisco Catalyst 2950 Series Intelligent Ethernet Switches", Cisco Systems Inc., 2013.
[53] MikroTikls SIA Inc., "RouterBOARD 1100/AH Series User's Manual", MikroTikls SIA Inc., June 2013.
[54] NORCO Intelligent Technology Co., "BIS-6370 Datasheet", NORCO Intelligent Technology Co., January 2013.
[55] Anton Cervin, "Integrated Control and Real-Time Scheduling", PhD Thesis, Department of Automatic Control, Lund Institute of Technology, Lund, Sweden, pp. 139-161, April 2003.
[56] Emeka Eyisi et al., "An integrated modeling and simulation tool for networked control systems", Simulation Modelling Practice and Theory, Elsevier, 2012.
[57] Stefan Molyneux, "Real-Time Relationships: The Logic of Love", Freedomain Library, Volume 4, Version 1.0 Extended Edition, pp. 205-230, January 2008.
[58] Abdullah A. Mohamed and Dia M. Ali, "Creating Real-Time operation System Based on xPC Target Kernel", International Journal of Recent Technology and Engineering, Volume 2, Issue 4, September 2013.
[59] The MathWorks Inc., "xPC Target", The MathWorks Inc., 2012.
[60] The MathWorks Inc., "xPC Target Getting Started Guide", The MathWorks Inc., pp. 10-31, 2010.
[61] The MathWorks Inc., "xPC Target Supported Ethernet Chipsets", The MathWorks Inc., 2010.
[62] The MathWorks Inc., "xPC Target User's Guide for Use with Real-Time Workshop", The MathWorks Inc., pp. 85-92, 2000.
[63] Mahmod S. Bashi and Najla B. Abrahim, "Using of Ants Maps and Self-Regulation Algorithms in the Intrusion Detection and Classification in the Computer Networks", Computer Science, Thesis, Mosul University, 2011.