Hybrid Detection and Mitigation of DNS Protocol MITM attack based on Firefly algorithm with Elliptical Curve Cryptography

A Domain Name Server is a critical Internet component. It enables users to surf the web and send emails. DNS is a database used by millions of computers to determine which address best answers a user’s query. DNS is an unencrypted protocol that may be exploited in numerous ways. The most popular DNS MITM attack uses DNS poisoning to intercept communications and fake them. DNS servers do not verify the IP addresses they forward traffic to. In DNS attacks, the attacker either targets the domain name servers or attempts to exploit system weaknesses. The Proposed FFOBLA-ECC model detects the DNS Spoofed nodes in a wireless network using the optimized firefly boosted LSTM with the help of TTL and RTR parameters received from the simulation environment and provides authentication between the nodes in order to mitigate it using the Elliptical curve cryptography. The proposed model results are different from the other methods and yield highly accurate results beyond 98% compared with the existing RF, ARF, and KNN methods.


Introduction
The Internet is a haven for all kinds of cyber-attacks. Many internet platforms and services that are designed to make lives more accessible must, at the same time, be aware and vigilant in order to protect against them. Some attacks on web servers and websites have grown simpler due to the Internet's wide accessibility, causing risks that lead to revenue loss in organizations. One of the most significant risks is based on the "Domain Name System (DNS)" protocol, a fundamental internet protocol: DNS Spoofing, or the DNS MITM (Man in the Middle) attack [1]. DNS is a hierarchical, distributed directory service that makes the domain name to IP address mapping easier. In a DNS Spoofing or DNS MITM attack, the hackers compromise the system, inject false DNS records into the DNS servers, and redirect the traffic to fraudulent websites to steal credentials or information.
As soon as a domain name is entered into a web browser, the DNS resolver requests to translate the domain name to an IP address. If the domain name isn't found in the DNS resolver, then something went wrong. If that's the case, it will try to find the data on another recursive or iterative server and pass it along to the user so they may follow it. In the DNS server's memory, requests for domain addresses are stored for later use.
DNS is a critical name resolution service that is extensible to clients [2]. However, owing to the enormous increase in internet users, DNS has become insecure. Attackers actively seek ways to exploit the system's flaws. DNS cache poisoning, spoofing, or MITM is a misleading cyber-attack that changes DNS records via a DNS query, redirecting traffic from legitimate servers to false websites. These attacks are difficult to detect and sometimes go undetected for a long time, causing serious security issues.
DNS spoofing attacks are classified according to the attacker's ultimate objective. DNS spoofing may be accomplished in a variety of methods, including the following [3]:

The following Table 1 summarizes the literature on the various kinds of DNS MITM attack detection methods.

The Proposed Model
The proposed FFOBLA-ECC model consists of a server, clients, and a controller which generates the communication between the server and the clients. The model predicts DNS MITM attacker nodes based on the optimized firefly boosted LSTM method, and it is also effective in terms of accurate detection [53].

Observations from the literature
Among all this literature, ML/DL techniques have given a high accuracy rate, where some methods have reduced the time for extracting features and some have reduced computation time. However, there is little literature on using swarm intelligence algorithms as defined in the proposed methodology.
A server, clients (browsers), and a controller are included in the proposed attacker model. The controller generates traffic between the clients and servers. The obtained traffic is captured as a .csv file, and the firefly algorithm is used to optimize the features. The features are loaded into the LSTM model to stabilize the model, and the network is then stimulated using AdaBoost to optimize detection accuracy.

Protocol Simulation model
An HTTP toolkit with 50 browser clients, three servers, and a single controller is utilized to handle and run the simulation. In the simulation, the client and server use the TCP/IP model to send messages. Clients and servers generate requests and replies [54]. The scenario includes clients, servers, and two routers linked by a connection. The servers are www.good.com, www.bad.com, and www.ugly.com. The network structure defines the messages that may be sent directly between clients and servers or through routers. Some of the browser-based parameters evaluated for the request and reply are given in Table 6.

Table 6. Browser-based Parameters

As part of the attack, the attackers compromised code in the victims' web browsers, diverting traffic to the attacker's servers and spoofing the victim's IP address. As demands increase, so does the server service level. On average, per 200 queries, the browser user receives one malicious link. Even if discovered, the user is routed to the attacker's site. The firefly optimization method collects browser request and response data over time to identify DNS MITM attacks.

A novel solution is created by chance and firefly attraction. Two key issues are at stake: the variance of light intensity and the formulation of attractiveness. A firefly's brightness $I$ at a specific location $x$ is defined as $I(x)$, and it is proportional to the fitness function $F$: $I(x) \propto F(x)$.

The brightness $I(r)$ of a firefly changes with the distance $r$ and may be defined as

$$I(r) = I_0 e^{-\gamma r} \quad (1)$$

where $I_0$ is the original brightness and $\gamma$ is the coefficient of absorption of light. The attractiveness $\beta$ is equivalent to the brightness of the firefly and can be defined as

$$\beta = \beta_0 e^{-\gamma r^2} \quad (2)$$

where $\beta_0$ defines the attractiveness at $r = 0$. Brightness $I$ and attractiveness $\beta$ are linked in several ways. Although brightness is a true measure of the firefly's emitted light, attractiveness is a subjective measure of the light as it should be seen in the beholders' eyes and measured by other fireflies. The distance $r_{ij}$ between fireflies $i$ and $j$ is defined using the Cartesian distance

$$r_{ij} = \lVert x_i - x_j \rVert = \sqrt{\sum_{k=1}^{N} (x_{i,k} - x_{j,k})^2} \quad (3)$$

where $N$ defines the dimensionality of the problem. The migration of firefly $i$ towards the brighter firefly $j$ is defined as

$$x_i = x_i + \beta_0 e^{-\gamma r_{ij}^2} (x_j - x_i) + \alpha \epsilon_i \quad (4)$$
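The firefly update of equations (1) to (4) is easiest to follow in code. The block below is an added example, not the paper's implementation: it uses the firefly rule to tune a two-threshold detector over a constructed set of (TTL, RTT) reply samples. The sample values, the detector rule "spoofed if RTT is below a threshold or TTL is above a threshold", the search bounds, and the per-coordinate scaling of the distance in (3) are all assumptions introduced here; the paper gives the equations but not its feature values.

```python
"""Added example: firefly optimization (equations (1)-(4)) tuning a TTL/RTT
detector. The samples, bounds and detector rule below are constructed
assumptions, not data from the paper."""
import math
import random

# Constructed DNS replies: (ttl_seconds, rtt_ms, is_spoofed). Assumed pattern:
# injected replies arrive unusually fast and carry an unusually long TTL.
SAMPLES = [
    (300, 24.0, 0), (3600, 41.5, 0), (60, 18.2, 0), (1800, 55.0, 0),
    (900, 33.3, 0), (120, 69.8, 0),
    (604800, 1.1, 1), (259200, 4.7, 1), (604800, 2.9, 1), (100000, 5.6, 1),
    (432000, 3.3, 1), (172800, 1.8, 1),
]
# Search space for x = (rtt_threshold_ms, ttl_threshold_s).
BOUNDS = [(0.0, 100.0), (0.0, 1_000_000.0)]


def detector_accuracy(x):
    """Fitness F(x): accuracy of the rule 'spoofed if rtt < x[0] or ttl > x[1]'."""
    rtt_thr, ttl_thr = x
    correct = sum(int((rtt < rtt_thr or ttl > ttl_thr) == bool(spoofed))
                  for ttl, rtt, spoofed in SAMPLES)
    return correct / len(SAMPLES)


def intensity(i0, r, gamma):
    """Equation (1): I(r) = I0 * exp(-gamma * r)."""
    return i0 * math.exp(-gamma * r)


def attractiveness(beta0, r, gamma):
    """Equation (2): beta(r) = beta0 * exp(-gamma * r^2)."""
    return beta0 * math.exp(-gamma * r * r)


def distance(xi, xj):
    """Equation (3), Cartesian distance. Each coordinate is divided by its
    bound width (an assumption) so the TTL axis does not dominate."""
    return math.sqrt(sum(((a - b) / (hi - lo)) ** 2
                         for a, b, (lo, hi) in zip(xi, xj, BOUNDS)))


def firefly_optimize(fitness, n_fireflies=20, iterations=60,
                     beta0=1.0, gamma=1.0, alpha=0.05, seed=1):
    """Moves each firefly toward every brighter one with equation (4):
    x_i += beta0*exp(-gamma r^2)*(x_j - x_i) + alpha*eps, eps ~ N(0, 1).
    The random walk is scaled by the bound width (assumption).
    Returns (best_x, best_fitness, best_initial_fitness)."""
    rng = random.Random(seed)
    swarm = [[rng.uniform(lo, hi) for lo, hi in BOUNDS] for _ in range(n_fireflies)]
    bright = [fitness(x) for x in swarm]          # I(x) is proportional to F(x)
    best_f = max(bright)
    best_x = list(swarm[bright.index(best_f)])
    initial_best = best_f
    for _ in range(iterations):
        for i in range(n_fireflies):
            for j in range(n_fireflies):
                if bright[j] <= bright[i]:
                    continue                       # only brighter fireflies attract
                beta = attractiveness(beta0, distance(swarm[i], swarm[j]), gamma)
                for d, (lo, hi) in enumerate(BOUNDS):
                    eps = rng.gauss(0.0, 1.0)
                    step = beta * (swarm[j][d] - swarm[i][d]) + alpha * eps * (hi - lo)
                    swarm[i][d] = min(hi, max(lo, swarm[i][d] + step))
                bright[i] = fitness(swarm[i])
                if bright[i] > best_f:
                    best_f, best_x = bright[i], list(swarm[i])
    return best_x, best_f, initial_best


if __name__ == "__main__":
    x, f, f0 = firefly_optimize(detector_accuracy)
    print(f"rtt < {x[0]:.1f} ms or ttl > {x[1]:.0f} s: accuracy {f:.2f} (initial {f0:.2f})")
```

The fitness is the detector's accuracy on the constructed samples, matching the page's statement that a firefly's brightness is proportional to the objective; because accuracy is piecewise constant, the Gaussian random walk of (4) is what lets fireflies of equal brightness keep exploring.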

Optimized firefly boosted LSTM Algorithm
The simulation generates datasets in the form of a .csv file. Training and testing datasets are separated. The flashing characteristic of fireflies is the basis for the firefly algorithm [55]. The three rules that apply to the flashing features are as follows:
(i) Fireflies are genderless, so they may be attracted to each other regardless of their differences in appearance.
(ii) Attractiveness is based on brilliance; thus, the brighter one attracts the less vivid one.
(iii) The search space of the target feature to be optimized determines the brightness or intensity of a firefly's light.
Based on the firefly's brightness, the objective function is optimized according to how the brighter firefly attracts the other. At the same time, the distance between fireflies enhances the attraction. In the LSTM gate equations (5) to (10), $\sigma$ denotes the sigmoid function, $W$ denotes the weights of the respective neuron, $h_{t-1}$ denotes the output received from the earlier iteration at time step $t-1$, $x_t$ denotes the input data of the current time step, $b$ denotes the corresponding gates' biases, $c_t$ denotes the cell state memory at time step $t$, and $\tilde{c}_t$ denotes a candidate for the cell state at time step $t$. The input gate represents the new information that will be saved in the cell at that moment. The output gate activates the last LSTM block using a sigmoid function, with the time step $t$ received from the forget state. The forget state represents deleted information. To find a candidate $\tilde{c}_t$ for the current time step $t$, and from the equations above, the model knows which information has to be discarded, i.e., $f_t * c_{t-1}$, and which has to be taken for the current time step $t$, i.e., $i_t * \tilde{c}_t$. Then the cell state is filtered and passed to the activation function to predict the information that appears in the LSTM block's output at the current time step $t$. $h_t$ is passed to the current LSTM block with the softmax layer to predict the output.
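To make the gate equations (5) to (10) concrete, the following added example (not code from the paper) implements a single LSTM cell in pure Python and steps it over a short constructed sequence of (TTL, RTT) feature pairs. The hidden size of 1, the weight values, and the feature scaling are assumptions chosen so that each equation maps onto one line.

```python
"""Added example: one LSTM cell implementing gate equations (5)-(10) in pure
Python, stepped over a short constructed sequence of (TTL, RTT) features.
The weights and the feature scaling are assumptions chosen for readability."""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def dot(w, v):
    return sum(a * b for a, b in zip(w, v))


class LSTMCell:
    """Hidden size 1: each gate has a weight vector over [h_{t-1}, x_t]
    and a scalar bias, so every equation maps directly to one line below."""

    def __init__(self, w_i, w_o, w_f, w_c, b_i=0.0, b_o=0.0, b_f=0.0, b_c=0.0):
        self.w_i, self.w_o, self.w_f, self.w_c = w_i, w_o, w_f, w_c
        self.b_i, self.b_o, self.b_f, self.b_c = b_i, b_o, b_f, b_c

    def step(self, x_t, h_prev, c_prev):
        z = [h_prev] + list(x_t)                              # [h_{t-1}, x_t]
        i_t = sigmoid(dot(self.w_i, z) + self.b_i)            # (5) input gate
        o_t = sigmoid(dot(self.w_o, z) + self.b_o)            # (6) output gate
        f_t = sigmoid(dot(self.w_f, z) + self.b_f)            # (7) forget gate
        c_tilde = math.tanh(dot(self.w_c, z) + self.b_c)      # (8) candidate state
        c_t = f_t * c_prev + i_t * c_tilde                    # (9) keep f*c_{t-1}, add i*c~
        h_t = o_t * math.tanh(c_t)                            # (10) filtered output
        return h_t, c_t, {"i": i_t, "o": o_t, "f": f_t, "c_tilde": c_tilde}


def features(ttl_seconds, rtt_ms):
    """Assumed scaling of the two DNS features the paper uses to roughly [0, 1]."""
    return (min(ttl_seconds, 604800) / 604800.0, min(rtt_ms, 100.0) / 100.0)


def run_sequence(cell, feature_seq):
    """Feeds the sequence through the cell from h_0 = c_0 = 0; returns all h_t."""
    h_t, c_t, outputs = 0.0, 0.0, []
    for x_t in feature_seq:
        h_t, c_t, _ = cell.step(x_t, h_t, c_t)
        outputs.append(h_t)
    return outputs


# Constructed reply sequence: three ordinary answers, then two fast long-TTL ones.
REPLY_SEQUENCE = [features(300, 24.0), features(3600, 41.5), features(60, 18.2),
                  features(604800, 1.1), features(259200, 4.7)]

# Illustrative weights (assumption): the candidate state goes positive for
# long-TTL, short-RTT replies and negative otherwise; the forget gate keeps
# most of the previous cell state.
DEMO_CELL = LSTMCell(w_i=[0.0, 0.5, 0.5], w_o=[0.0, 0.5, 0.5], w_f=[0.0, 0.2, 0.2],
                     w_c=[0.3, 4.0, -4.0], b_f=1.0, b_c=-1.0)

if __name__ == "__main__":
    for t, h in enumerate(run_sequence(DEMO_CELL, REPLY_SEQUENCE), start=1):
        print(f"t={t}: h_t={h:+.3f}")
```

With all weights zero every gate evaluates to exactly 0.5 and the state stays at zero, which is a convenient sanity check; with only the candidate bias set, the cell state accumulates as in (9) and the output follows (10).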
When the LSTM is trained alone, the model's performance is continuously unstable. To overcome this, AdaBoost, a robust ensemble machine learning technique that is good at predicting results, is ensembled with the LSTM block to train iteratively over t iterations.

Experiment Results And Discussions
The technical specifications of the experiment conducted in a simulated environment are given in Table 7. Six months of data logs were taken for the experiment. The boosting step is given by equations (11) and (12), where the coefficients denote the weights of the weak learners in the classifier and combine all the t predictors to boost the model's performance and achieve high accuracy, which results in a stable form. Both the AdaBoost and LSTM models are trained separately, and the predictions are averaged. This combined heterogeneous model yields more accurate prediction results than a single LSTM model. This hybridized optimized firefly with boosted LSTM gives high accuracy, outperforming the existing Random Forest, Adaptive Random Forest and KNN models in terms of performance metrics like Detection Accuracy, Delay, Packet Delivery Ratio, Packet Drop Ratio and Throughput.

Pseudo Code

The proposed hybrid FFOBLA-ECC model gives a novel solution to detect and mitigate the DNS MITM attack nodes using the Optimized firefly boosted LSTM and the ECC algorithm. It produced very accurate outcomes when compared with the existing RF, ARF, and KNN models. The advantages of this proposed hybrid FFOBLA-ECC model include its ease of convergence on complicated problems, its simplicity and versatility, and its accurate, high-performance outcomes.

Detection Accuracy Ratio
The detection accuracy ratio is the proportion of correctly predicted DNS MITM nodes relative to the total number of predictions produced. It can be seen from the detection accuracy ratio that the hybrid FFOBLA-ECC model outperforms the current methods.

Average Delay
The average delay is the time it takes for data packets to arrive at their destination. Furthermore, it includes the time taken to find the routes and to queue packets for transmission. Table 7 compares the proposed FFOBLA-ECC model to the existing methods in terms of performance measures. The proposed hybrid FFOBLA-ECC method performed optimally on a time (s) basis as well as against the total number of nodes, resulting in a small percentage of delay. The Packet Delivery Ratio reached the most outstanding level of 600 percent, compared to previous techniques that attained just 200 percent, resulting in packet delivery success. The packet drop percentage is low, ranging between 30% and 40%. The current techniques RF, ARF, and KNN had the most significant drop ratios, ranging from 150 to 250 percent, while the maximum throughput ratio of 300 percent remained constant. Over all of the time, the current techniques range from 100 percent to 225 percent, resulting in the best packet transmission.

Conclusion
The DNS MITM attack is one where the attacker holds the DNS records and tries to change them so that traffic can be redirected to fake websites, in order to steal the victims' credentials, access sensitive information, or have malicious websites install worms or virus software on the victims' personal computers for long-term access to the data stored there. A DNS MITM attack can be troublesome for both website owners and users. It can cause security issues and remain undetected for an extended period. Various prevention techniques are applied to avoid DNS MITM attacks, using encryption techniques such as DNSSEC. Various literature was reviewed on detecting, preventing, and defending against the DNS MITM attack. The proposed hybrid model uses a threat model in which a DNS MITM attack is created using a simulation tool, the attack is injected, and the traffic is captured before and after the attack.
Using the Optimized Firefly boosted LSTM algorithm provides a novel solution for detecting and predicting the attacker nodes accurately, using the captured file obtained from the simulation. Based on the TTL and round-trip time of the DNS record, features are extracted and fed into the LSTM model for training. AdaBoost is used with the LSTM model to stabilize the network and improve its performance to achieve highly accurate results. The boosted LSTM performs better than the single LSTM model.
The proposed FFOBLA-ECC model outperforms the existing models and yields a high accuracy rate with good performance.

Fig 2 How DNS Spoofing or DNS MITM works.

Different types of DNS attacks have been studied. Among those, DNS MITM or DNS Spoofing is the most predominant and commonly found on the Internet. DNS MITM allows the attackers data theft, malware infection, stopping of security updates, and censorship. The main objective is to predict the DNS Spoofed nodes in a network using the FFOBLA-ECC algorithm based on analysis of the simulation data. The proposed approach creates a network with a server, clients (browsers), and a controller to generate traffic between them. The firefly algorithm optimizes the characteristics based on the generated traffic. The characteristics are given as input to the LSTM model to stabilize it, and then AdaBoost is used to enhance the detection accuracy and provide authentication of the nodes.
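The page states that elliptic curve cryptography authenticates the nodes but does not name the scheme. The block below is an added example, not the paper's code, showing one way such node authentication can work: an ECDH key agreement on NIST P-256 between a server node and a client node, followed by an HMAC tag over each DNS answer so that an altered answer is rejected. The choice of ECDH plus HMAC, the plain affine curve arithmetic, and the constructed answer records (using the RFC 5737 documentation range) are all assumptions introduced here.

```python
"""Added example: authenticating DNS answers between two nodes with an ECDH
key agreement on NIST P-256 followed by an HMAC tag. The paper names ECC for
node authentication but not a scheme, so this construction is an assumption;
the curve arithmetic is a plain affine implementation for illustration."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law on y^2 = x^3 + Ax + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                            # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: returns k * pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


class Node:
    """A client or server node holding a P-256 key pair."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(N - 1) + 1       # scalar in [1, N-1]
        self.pub = scalar_mult(self.priv, G)

    def session_key(self, peer_pub):
        """ECDH: both sides reach priv_a * priv_b * G; the x coordinate is hashed."""
        if peer_pub is INF or not on_curve(peer_pub):
            raise ValueError("peer public key is not a valid curve point")
        x, _ = scalar_mult(self.priv, peer_pub)
        return hashlib.sha256(x.to_bytes(32, "big")).digest()

    @staticmethod
    def tag(key, dns_answer):
        return hmac.new(key, dns_answer, hashlib.sha256).digest()

    @staticmethod
    def verify(key, dns_answer, tag):
        expected = hmac.new(key, dns_answer, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def exchange(server, client, answer, tamper_with=None):
    """Server tags an answer; the client verifies with its own ECDH-derived key.
    If tamper_with is given, that is the answer the client actually receives."""
    key_s = server.session_key(client.pub)
    tag = server.tag(key_s, answer)
    key_c = client.session_key(server.pub)
    received = answer if tamper_with is None else tamper_with
    return client.verify(key_c, received, tag)


if __name__ == "__main__":
    srv, cli = Node("www.good.com"), Node("browser-client")
    genuine = b"www.good.com. 300 IN A 192.0.2.10"             # constructed record
    altered = b"www.good.com. 604800 IN A 192.0.2.66"          # constructed record
    print("genuine accepted:", exchange(srv, cli, genuine))
    print("altered accepted:", exchange(srv, cli, genuine, altered))
```

The public-key validation in `session_key` is the check a practitioner would want: a peer value that is not a point on the curve must be rejected before it is multiplied by the private scalar. In a deployed system the curve arithmetic would come from a vetted constant-time library and the peer public keys would be bound to node identities (for example by certificates); the block keeps the arithmetic visible only so that the key agreement itself can be read.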
Some of the necessary online tools that are in practice to handle DNS MITM attacks are Ettercap, Hetty, Bettercap, Proxy.py, Mitmproxy and Burp. Based on the literature, the different types of Detection mechanisms, Prevention mechanisms, Defense mechanisms, Cryptographic mechanisms, and ML/DL mechanisms to handle DNS MITM attacks are given in Tables 1, 2, 3, 4 and 5.

Fireflies move spontaneously if their brightness is the same. In equation (4), $\epsilon_i$ is a random number that denotes the movement of the fireflies based on the Gaussian distribution. The fireflies' movement comprises the firefly's current position, attractiveness towards the other firefly, and a random walk $\alpha$ generated randomly from the interval (0, 1). $\gamma$ denotes the convergence speed; its value is taken from (0, ∞). $\beta_0$ denotes the random walk.

The Firefly method uses the TTL and round-trip time from the DNS header to identify DNS MITM attacks. Other features retrieved from the simulation environment include Event, Time, Router, ID, Source got, Source received, Actual received, and Actual utilized. The extracted features are put into the LSTM model to address the vanishing gradient problem. The recurrent neural network used for time-series data prediction has several faults, including the vanishing gradient problem: it cannot train the model for long-term dependency. LSTM, a kind of recurrent neural network, solves these problems by storing data for an extended period utilizing three gates. The LSTM model uses three gates, called the input gate, forget gate, and output gate. Each gate learns from the input given through a chain of sequences and chooses whether to retain or reject it, to transmit necessary information down the lengthy chain of sequences. The equations of the input ($i_t$), output ($o_t$) and forget ($f_t$) states are

$$i_t = \sigma(W_i [h_{t-1}, x_t] + b_i) \quad (5)$$

$$o_t = \sigma(W_o [h_{t-1}, x_t] + b_o) \quad (6)$$

$$f_t = \sigma(W_f [h_{t-1}, x_t] + b_f) \quad (7)$$

$$\tilde{c}_t = \tanh(W_c [h_{t-1}, x_t] + b_c) \quad (8)$$

$$c_t = f_t * c_{t-1} + i_t * \tilde{c}_t \quad (9)$$

$$h_t = o_t * \tanh(c_t) \quad (10)$$

Simulation is done, the data are collected, and the packet details are: Event, Time, Relevant Hops, Type, Information, Source, Destination, Protocol, and Length. Performance measures are used to compare the existing and proposed approaches. They are: Detection Accuracy, Delay, Packet Delivery Ratio, Packet Drop Ratio, and Throughput.

Sabitha Banu A., Dr. G. Padmavathi. EAI Endorsed Transactions on Pervasive Health and Technology, 08 2022 - 10 2022, Volume 8, Issue 4, e3.

Fig 3

It only counts packets that are delivered to their destination.

Fig 4 Average Delay

When the average delay outcomes are low, it indicates better performance. The average delay is shown in Fig 4 and is computed as

$$\text{Average delay} = \frac{\text{Total arriving time} - \text{Total sending time}}{\text{Total no. of packets}}$$

Fig 6 Packet drop Ratio

Table 1 DNS MITM attacks Detection mechanisms

Authors | Journal, issue, Year | Detection Mechanism | Limitations
The following Table 3 summarizes the literature on the various kinds of DNS MITM attack defence mechanisms.

Table 3 DNS MITM attacks Defence mechanisms

Table 4 DNS MITM attacks Cryptographic mechanisms

The following Table 5 summarizes the literature of ML/DL techniques used to handle DNS MITM attacks.

Table 5 Literature of ML/DL Techniques used for DNS MITM attack

Table 7 Comparison of Existing Model and Proposed Model