JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.

ORG

44

Analysis of Security Attacks at different layers of TCP/IP Network Model

Khalid Saeed, Muhammad Adil, and Muhammad Saqib Awan
Abstract Security attacks are the main anxiety of almost every user of Internet or an organizations network. Not even a single computer is 100% secure from security attacks. All that one can do is to minimize the impact of these attacks. The TCP/IP Network Model consists of four layers and the network faces different attacks at different layers of TCP/IP network model. The consequences of these attacks are different therefore these attacks are to be handled contrarily. This research studies and analyzes certain security attacks at different layers of TCP/IP network model, their consequences and the possible countermeasures in order to either eliminate or mitigate their effects.

Index Terms Security Attacks, TCP/IP Network Model, DNS Cache Poisoning, Trojan Horse, DOS Attack, Port Scanning, Session Hijacking, IP Spoofing, Packet Sniffing, ARP Cache Poisoning, MAC Address Spoofing.

1. INTRODUCTION
u sing Internet shou ld know abou t the m ost com m on attacks w hich can occur at d ifferent layers of TCP/IP N etw ork Mod el and the u ser shou ld also know the counterm easu res of those attacks in ord er to protect him / herself from these attacks.

ll comm u nication on Internet practices TCP/IP Netw ork Mod el. The TCP/IP N etw ork Mod el consists of fou r layers su ch as Application Layer, Transport Layer, Internet Layer and N etw ork Access Layer as exposed in figu re 1. For com m u nication betw een tw o com pu ters the d ata is encapsulated such as head er is added at each layer of TCP/IP network mod el and then it is converted to signals so that it can travel on the transm ission m ed iu m . At the d estination the d eencapsu lation process occu rs su ch as head ers are extracted and the u ser gets the original d ata sent by the send er. Internet is a pu blic netw ork w hich allow s its u sers to access the resources provid ed by Internet. User connected to Internet can send and receive emails, u pload and d ow nload files and can also u se other featu res provid ed by Internet. H ow ever there are secu rity risks associated w ith the resou rces provid ed by the Internet. Som e of these secu rity risks are: tw o users are com m u nicating via Internet and an attacker cap tures the m essages com m u nicated betw een them , the attacker alters the actu al m essages com m u nicated betw een tw o parties, attacker can capture the usernam e and passw ord of the u ser accou nt etc. Therefore u sers
Khalid Saeed is with Department of Computer Science, IBMS KPK Agricultural University Peshawar, Pakistan Muhammad Adil is with Department of Computer Sciences, Iqra National University Peshawar, Pakistan Muhammad Saqib Awan is with Department of Computer Sciences,City University of Science & Information Technology, Peshawar, Pakistan

Fig. 1. TCP/IP Network Model

2. RELATED WORK

There are several d ifferent secu rity attacks and

threats exist and the u sers u sing Internet or an organizations netw ork m ay have experienced som e of those. Majority of the u sers u sing Internet u ses som e sort of secu rity solu tions in ord er to protect them selves from

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617 http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

45

these attacks. Alm ost all Internet u sers experience secu rity problem s and for that pu rpose they pu rchase a security solu tion for protection from these attacks bu t users are not ready to pay more for these security solutions [1]. Intru sion Detection System (IDS) is one of a solu tion w hich is u sed to id entify netw ork intru sions [2]. Intru sion Detection System is com paratively an effective solu tion as com pared to other solutions. Firew all plays a very im portant role in Internet Security, it protects the internal netw ork from ou tsid e attacks bu t an im portant factor in firew alls is its proper configu ration [3]. If the firew all is not properly configu red the u sers system w ill be vu lnerable to d ifferent secu rity attacks. Internet banking u sers access their accou nts online u sing Internet and they can perform transactions from their accou nts online. Secu rity attacks are possible in this case su ch as an attacker steals the credentials of u ser having an online bank account and u sing these cred entials an attacker perform s transactions from the online account of a user. Security risks associated w ith Internet banking is one of a barrier for the u sers to ad opt Internet banking. In ord er to protect from these attacks banks having Internet banking service provid es reliable security to its clients in ord er to protect them from d ifferent secu rity attacks. Hiltgen, Kramp, and Weigold [4] Presents tw o au thentication solutions for Internet banking authentication, one solution is based on short-time passw ord s and the other solution is certificate-based . Since all com m u nication on Internet follow TCP/IP netw ork m od el therefore a secu rity attack is possible at every layer of the TCP/IP netw ork m od el d u ring com m u nication. This research tries to find ou t how these attacks can com prom ise the secu rity of com m u nication and system . The research also qu eries what the consequ ences of these attacks are and how one can mitigate the effect of these attacks.

throu gh the w eb brow ser, DN S Server resolves it to its IP ad d ress and u sing that IP ad d ress w ebsite is accessed . DN S Cache Poisoning attack is lau nched in su ch a w ay that an attacker send s a spoofed reply to the qu ery w hich w as sent by him . The process is show n in figu re 2. The attacker need s a 16 bit pseu d orand om nu m ber in ord er to su ccessfully lau nch this attack [5].

Fig. 2. DNS Cache Poisoning Process

3.1.1.1. Consequences: The attacker can u se the fake website to obtain critical information from user such as cred it card information, bank accou nt nu m ber, bank balance etc. The pu rpose of DN S Cache Poisoning is to d ivert the traffic of actu al w ebsite tow ard s a fake w ebsite. We can see in the figu re 3 given below , the w ebsite looks like gm ail bu t the URL of the w ebsite is d ifferent.

3. ANALYSIS

In this section som e of the security attacks at d ifferent layers of TCP/IP networks model are analyzed. 3.1. Application Layer: At application layer the research d iscu sses som e of the secu rity attacks su ch as DNS Cache Poisoning, Trojan Horses and DOS Attack. 3.1.1. D N S Cache Poisoning: DN S Cache Poisoning is a techniqu e u sed to corrupt the cache of DN S Server. The pu rpose of DN S server is to resolve d om ain name to IP ad d ress. When a client requ est for a w ebsite
Fig. 3. DNS Cache Poisoning example

3.1.1.2. Countermeasures/Mitigation Plans: In order to d etect this type of attack Trostle, Besien, Bill and Pujari [5] proposed a techniqu e in w hich an ad d itional 2012 Journal of Computing Press, NY, USA, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

46

requ est for the sam e DN S Resou rce Record is sent and this process only requires changes to the DN S Cache Server. Yuan, Kant, Mohapatra and Chen-Nee [6] proposed a technique known as DoX which can be used to id entify and correct nam e to IP m appings. This techniqu e also im proves the consistency of DN S Server Cache by d etecting and then rem oving the obsolete records. 3.1.2. Trojan Horse: Trojan H orse is an application w hich is u sed to illegally access the target com pu ter. The Trojan horse has the capability to hid e its extension and one can configure it so that it looks like a norm al im age or any other file. When the target user receives the file and opens it than the Trojan horse installs on his com pu ter. After su ccessfu l installation the attacker can access the resou rces of the target computer. N u m ber of Trojans is available on the Internet. CIA 1.3 is a Trojan w hich provid es access to d ifferent resou rces of the target com pu ter. The interface of that Trojan is shown in figure 4.

tion of Trojan requires access to prim ary partition of the target com pu ter, so if the Trojans try to access the prim ary partition of the target com pu ter than the u ser w ill see a pop u p w ind ow stating that a m aliciou s program is trying to install, so if the user d eny access than the attacker w ill not be able to install Trojan on the target com puter. Wu , Qian and Chen [7] proposed a m ethod to d etect Trojans. In this m ethod first the packages are monitored which are transmitted by computer, and then ports are id entified throu gh w hich packages are transmitted. With the available information the process w hich send s the packages u sing a port and the program file w hich creates the process can be traced . In this w ay the port w hich w as u sed for correspond ing process can be linked . This w ill help to d etect Trojans. This m ethod w as im plem ented and tested in w ind ow s system. Jie, H u ijuan, Qun and Fuliang [8] Presents a Trojan-d etection system mod el that is based on behavior analysis.

3.1.3. D OS Attack: DOS Attack is a com m on threat to w ebsites on Internet. In DOS Attack the m ain objective of attacker is to com prom ise the availability of services. DOS attack as shown in figure 5.

Fig. 4. CIA 1.3 Trojan Interface

3.1.2.1. Consequences: Using Trojan Horse the attacker can illegally access the target com pu ter. The attacker can also copy or d elete the files on target com pu ter. Even the attacker can change the configu ration of the target com puter. In short the attacker has fu ll access to the target com pu ter if the cu rrent u ser login to the target computer has administrator level permissions.

.
Fig. 5. DOS Attack

3.1.3.1. Consequences: In DOS Attack the server is u nable to provide services to its actual clients.

3.1.2.2. Countermeasure/Mitigation Plans: In ord er to 3.1.3.2. Countermeasure/Mitigation Plans: Tw o d eavoid Trojans attack the user shou ld install a licensed fense m od els for DOS attacks w ere d eveloped su ch as version of Antivirus and Firew all. Moreover the WinSecu re Overlay Service (SOS) Mod el and Service H opd ow s Vista operating system has an ad d ed fu nctionalping Mod el by u sing d istribu ted firew alls. Both of ity su ch as an exe file can not be executed in primary partition w ithou t the perm ission of JournalThe installa 2012 user. of Computing Press, NY, USA, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

47

these m od els provid e d efense in d ifferent parts of the network [9]. 3.2. Transport Layer: At transport layer the research w ill d iscuss tw o secu rity attacks su ch as Port Scanning and Session Hijacking. 3.2.1. Port Scanning: The pu rpose of port scanning is to find open ports on the target com pu ter. These open ports are exploited by attackers to lau nch an attack against the target com puter. N u m ber of tool is available on Internet w hich can be u sed to scan ports of the target com pu ter. Figu re 6 show s the resu lt of port scanning process w hich d escribes that 8 ports are opened on the target computer.

lished session betw een tw o com m u nicating parties. In this technique if the attacker w ants to hijack an established session than for this the attacker m u st know the IP ad d ress of client and server w hich can be d one throu gh eavesd ropping on the netw ork. The attacker first send too m u ch qu eries to the client so that the client cant com m u nicate w ith the actual server and after that the attacker uses spoofed IP address (IP address of client), sequ ence nu m ber and than starts com m u nication w ith the server. The server w ill not see any d ifference in the packets sent by attacker and actu al client therefore the server w ill continu e its com m u nication w ith the attacker. The entire process is show n in the figu re 7. In this case the attacker m ust have quick access to the netw ork so that the attacker can quickly send m essages to the client to m ake his system bu sy and in the m eanw hile start com m u nication w ith the server. The tw o im portant things required in session hijacking is the IP ad d ress of the target com pu ters and sequence numbers.

Fig. 6. Port Scanning Process

3.2.1.1. Consequences: Port Scanning is u su ally the first step of an attack. Throu gh port scanning the attacker find s the open ports on the target com pu ter and these open ports are then u sed to access the target system illegally. 3.2.1.2. Countermeasures/Mitigation Plans: There are nu m ber of tool available in ord er to scan the ports of the target com pu ter bu t very few tools are available to id entify the origin su ch as machine from w here the port scan w as perform ed . Gad ge, Patil and Anand [10] presented a tool w hich can be u sed to id entify from w here the attack w as lau nched . This inform ation w ill help to reach the actual attacker w ho lau nched an attack after perform ing a port scan. An Architecture of the N etw ork Forensic System w as proposed in [11] w hich can be u sed to get d etails abou t an attacker w ho scanned the port of the target machine.
Fig. 7. Session Hijacking Process

3.2.2.1. Consequences: The successful session hijacking attack hijacks an established session betw een tw o communication parties. Countermeasure/Mitigation Plans: The com m u nication between client and server or two parties should be encrypted , so if the attacker is able to captu re traffic betw een client and server than still the attacker w ill not be able to read the messages becau se it w ill be in encrypted form.

3.2.2. Session Hijacking: Session H ijacking is a techniqu e w hich is u sed by the attacker to hijack an estab- Press, NY, USA, ISSN 2151-9617 2012 Journal of Computing
http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

48

3.3. Internet Layer: At Internet layer tw o secu rity attacks are d iscu ssed su ch as IP Spoofing and Packet Sniffing. 3.3.1. IP spoofing: IP Spoofing refers to the technique of creating packets w ith forged IP ad d ress in ord er to conceal the id entity of the send er or im personating someone else com pu ter system . Spoofing the actu al IP ad dress is one of the most common attacks used by the attackers to lau nch d ifferent attacks such as DOS attack etc. 3.3.1.2. Consequences: The attacker can u se the spoofed IP ad d ress to launch DOS attack as show n in figure 8.
Fig. 9. Packet Sniffing using Wireshark

3.3.2.1. Consequences: The attacker can captu re the d ata of other u sers illegally w hich m ay inclu d e em ail ad dress, passwords and other critical information etc. 3.3.2.2. Countermeasures/Mitigation Plans: There are several w ays to d etect the presence of system w ith packet sniffer and to m itigate its effect. The u ser can generate packets w ith invalid ad d ress, if a machine on netw ork accept these packets then it show s that the system is running packet sniffer. There are also softw are program s like AntiSniff to d etect packet sniffers [13]. The packet sniffers can also be d etected u sing ARP Packets su ch as the ARP packets are sent w ith d estination ad d ress as fake ad d ress. Only the system with N IC in prom iscu ous m od e w ill reply to these packet w hich show s that the packet sniffer is ru nning on that m achine [14], [15]. If the d ata is in encrypted form then encrypted d ata w ill not be of any u se for attacker becau se after sniffing encrypted d ata the attacker will not be able to decrypt it. 3.4. N etw ork Access Layer: At this layer tw o secu rity attacks su ch as ARP Cache Poisoning and MAC address spoofing are discussed. 3.4.1. ARP Cache Poisoning: Ad d ress Resolu tion Protocol (ARP) is u sed in local area netw ork to resolve IP Ad d ress to MAC or Physical ad d ress. All nod es keep the resolved ad d ress in Cache know n as ARP Cache. ARP Resolu tion is required w hen a MAC ad d ress of new IP ad d ress is requ ired or w hen an ARP Cache expires [16]. ARP Cache Poisoning attack m eans that, host ad d an incorrect IP ad d ress and MAC ad d ress mapping to an ARP Cache as shown in figure 10.

Fig. 8. IP Spoofing Process

3.3.1.3. Countermeasures/Mitigation Plans: A m echanism of both prevention and d etection of IP spoofing attack in a netw ork having trusted nod es w as proposed in [12]. 3.3.2. Packet Sniffing: Packet Sniffing is the m ethod of captu ring traffic w hich flow s across the netw ork. In this attack the attacker captu re the d ata of other u sers illegally. Packet Sniffer is actually a trou bleshooting tool u sed by netw ork ad m inistrators to captu re netw ork traffic for trou ble shooting netw ork problem s. Wireshark is a tool used to captu re traffic for trou bleshooting pu rpose. Figu re 9 show s the traffic cap tured throu gh Wireshark. The packet sniffer can be u sed in both LAN and WAN . When a packet sniffer is u sed in a LAN, it turns the systems NIC in promiscuous mode as a resu lt the system in prom iscu ou s receives all the traffic on the LAN.

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617 http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

49

Fig. 10. ARP Cache Poisoning Process

Fig. 11. Spoofed MAC Address example

3.4.1.2. Consequences: This attack can be u sed to captu re LAN traffic belongs to other u ser on the netw ork. ARP Cache Poisoning is part of other seriou s attacks su ch as DOS Attack, H ost Im personation, Man in the Middle Attack and Cloning Attack. 3.4.1.3. Countermeasures/Mitigation Plans: Trabelsi and El-Hajj [16] proposed a solu teon to ARP Cache Poisoning by u sing statefu l ARP Cache for m anagem ent and secu ring ARP Cache. They also d ifferentiated betw een norm al and m alicious ARP replies by u sing novel fu zzy logic approach. A solu tion is there in ord er to d etect and protect from ARP Poisoning know n as Dynam ic ARP-Spoof Protection & Su rveillance [17]. N am , Kim, and Kim [18] proposed an enhanced version of ARP protocol in ord er to protect against ARP Poisoning based man-in-the-m id d le attack.

3.4.2.1. Consequences: By u sing a spoofed MAC add ress a nod e can receive the traffic of other nod e in LAN. Spoofed MAC address is shown in figure 11. 3.4.2.2. Countermeasures/Mitigation Plans: Spoofed MAC ad d ress can be id entified by u sing RARP (Reverse Ad d ress Resolu tion) Protocol. A d esign of architectu re and protocols for provid ing the LAN secu rity and preventing the MAC ad d ress spoofing is presented by Pansa and Chom siri [19]. A new MAC spoofing d etection algorithm w as presented by Chumchu , Saelim and Sriklauy [20]. The algorithm u tilizes the PLCP (Physical Layer Convergence Protocol) head er of the 802.11 fram es in ord er to d ifferentiate between an attacker station and a genu ine station.
4. LIMITATIONS

3.4.2. MAC Address Spoofing: Every N etw ork Interface Card (N IC) has a u niqu e ad d ress know n as MAC Ad d ress. It is a perm anent ad d ress su ch as it is bu rnt on a N IC. In a local area netw ork, the com pu ters exchanges MAC addresses in order to identify each other in a netw ork. MAC Spoofing is a system id entity theft. MAC Spoofing is the process of altering the MAC address of a system.

There are many m ore attacks possible on d ifferent layers of TCP/IP network m od el bu t it is not possible to d iscu ss all the attacks in this research paper. Therefore, the research d iscu ssed som e of the m ost com m on attacks here. 5. CONCLUSION

N ow a d ay a person w ho u ses a com pu ter wou ld also invariably use a com pu ter. Since Internet is a pu blic network therefore the d ata transfer throu gh Internet need s to be secu red . Secu rity attacks are com m on on Internet and m ajority of Internet u sers have experienced it on the Internet. The consequences are som etim es very severe su ch as com prom ise of em ail accou nts password s, losing confid ential files etc therefore every u ser on Internet shou ld have a basic know led ge of these secu rity threats w hich exist on the Internet and he/she should also know how to protect his/her com pu ter from these attacks. The su ccess and failu re of these attacks d epend s on the secu rity m echanism used and also on the 2012 Journal of Computing Press, NY, USA, ISSN 2151-9617 knowledge level about secuhttp://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

50

rity attacks of the u ser w ho is using the com pu ter. If the u ser is aware of the secu rity threats on the Internet and he/she know s abou t the consequences than the attack is least likely to be su ccessfu l but if the u ser is u naware of the security threats and if he/she has not installed any d efense system for these attacks than the attack is m ost likely to be su ccessfu l. Moreover, It is not possible for a u ser to know abou t all the possible secu rity attacks. All that we can d o is we shou ld know abou t the basic secu rity attacks, their consequ ences and m itigation plans so that we can protect ou r self from these attacks.

[12] Ma, Yu nji. (2010). A n Effective M ethod for Defense against IP Spoofing A ttack: 6th International Conference on Wireless Com m u nication Networking and Mobile Computing (WiCOM), 2010. [13] Ansari, Sabeel. S. G, Rajeev and H .S Chand rashekar. (2002). Packing Sniffing: A Brief Introduction: IEEE, Potentials. [14] Qad eer, Moham m ad Abd u l. Zahid , Moham m ad .; Iqbal, Arshad . And Sid d iqu i, Misbahu rRahm an. (2010). N etwork Traffic A nalysis and Intrusion Detection using Packet Sniffer: Second International Conference on Communication Software and Networks. [15] Zhang, Liqiang. and Zhang, H u angu o. (2008). A n Introduction to Data Capturing: International Sym p osiu m on Electronic Commerce and Security. [16] Trabelsi, Zou heir. And El-H ajj, Wassim . (2007). Preventing A RP A ttacks using a Fuzzy-Based Stateful A RP Cache: ICC 2007 Proceedings (IEEE). [17] Pu angp ronp itag, Som nu k. And Masu sai, N arongrit. (2009). An Efficient and Feasible Solution to A RP Spoof Problem: 6th International Conference on Electrical Engineering/Electronics, Com p u ter, Telecommunications and Information Technology, 2009. ECTICON 2009. [18] N am , Seu ng Yeob. Kim , Dongw on. And Kim , Jeongeu n. (2010). Enhanced A RP: Preventing A RP Poisoning Based M an-in-the-Middle Attacks: IEEE Communication Letters, Vol. 14, No. 2. [19] Pansa, D. and Chom siri, T. (2008). A rchitecture and Protocols for Secure LA N by Using a Software- Level Certificate and Cancellation of A RP Protocol: Third International Conference on Convergence and Hybrid Information Technology, 2008. ICCIT 08. [20] Chu m chu , P. Saelim , T. and Sriklau y, C. (2011). A new MAC ad d ress sp oofing d etection algorithm u sing PLCP head er: International Conference on Information Networking (ICOIN), 2011

REFERENCES
[1] Johnson, David W. and Koch, H arold . (2006). Computer Security Risks in the Internet Era: A re Small Business Owners A ware and Proactive: Proceed ings of the 39th H aw aii International Conference on System Sciences. [2] Al-Mam ory, Safaa. O. H ongli, ZH AN G. and Abbas, Ayad R. (2008). M odeling N etwork A ttacks for Scenario Construction: International Joint Conference on Neural Network. [3] Liu , Alex X. and Gou d a, Moham ed G. (2009). Firewall Policy Queries: IEEE Transactions on Parallel and Distributed Systems. [4] H iltgen, Alain. Kram p , Thorsten. And Weigold , Thom as. (2006). Secure Internet Banking Authentication: IEEE Security & Privacy Vol. 4 No. 2. [5] Trostle, Jonathan. Besien, Bill Van. And Pu jari, Ashish. (2010). Protecting A gainst DN S Cache Poisoning A ttack: 6th IEEE Workshop on Secure Network Protocols (NPSec), 2010. [6] Yu an, Lihu a. Kant, Krishna. Mohap atra, Prasant. and Chu ah, Chen-N ee. (2006). DoX : A Peer-to-Peer A ntidote for DN S Cache Poisoning A ttacks: IEEE International Conference on Com m u nications, 2006. ICC 06. [7] Wu , N aiqi. Qian, Yanm ing. And Chen, Gu iging. (2006). A N ovel approach to Trojan horse detection by process tracing: Proceed ings of the 2006 IEEE International Conference on N etw orking Sensing and Control icnsc06 (2006). [8] Jie, Qin. H u iju an, Yan. Qu n, Si. And Fu liang, Yan. (2010). A Trojan Horse Detection Technology Based on Behavior A nalysis: 6th International Conference on Wireless Communication Networking and Mobile Computing (WiCOM), 2010. [9] N agesh, H .R. and Sekaran, K.C. (2006). Design and Development of Proactive Solutions for M itigating Deniel-of-Service A ttacks: International Conference on Ad vance Com p u ting and Com m u nication. ADCOM, 2006. [10] Gad ge, Jayant. And Patil, Anish Anand . (2008). Port Scan Detection:16th IEEE International Conference on N etw orks, 2008. ICON 2008. [11] Kau shik, Atu l Kant. Pilli, Em m anu el S. and Joshi, R.C. (2010). N etwork Forensic System for Port Scanning A ttack: IEEE 2nd International Advance Computing Conference.

Khalid Saeed. Lecturer, Department of Computer Science, IBMS, KPK Agricultural University Peshawar. BS Computer Science with distinction (Silver Medal) from IBMS, KPK Agricultural University Peshawar and MS Computer Engineering from Center for Advanced Studies in Engineering (CASE), Islambad. He has about 1 and a half year of teaching experience at undergraduate and graduate level. He is author of the one research book and his area of research interest is Information Security and Software Project Management.

Muhammad Adil. Assistant professor, Department of Computer Science, Iqra National University. MCS from Peshawar University and MS (Networking and Telecommunication) from Iqra University, Karachi. He has more than 8 years experience of teaching graduates and under graduates of computer sciences. He was awraded 2 times the Best Teacher of the year. His area of research interest is MANETs and Wireless Networks

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617 http://sites.google.com/site/journalofcomputing/

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

51

Muhammad Saqib Awan, Assistant Professor, Department of Computer Science, City University of Science & Information Technology, Peshawar. MCS from IQRA University, Karachi and MS-IT degree from IMSciences, Peshawar. He has more than 7 years of experience of research and academics. He has 07 research publications and his areas of expertise are: Data Warehouse and Data Mining.

2012 Journal of Computing Press, NY, USA, ISSN 2151-9617 http://sites.google.com/site/journalofcomputing/