Tuesday 27 March 2012


Abstract—In this paper, the tool “sniffer” is introduced and controlled as a sensor by the IDS via mobile agents; these agents gather intrusion detection data and send it back to the server for analysis. We propose a distributed intrusion detection system (DIDS) which uses mobile agents to detect intrusions from outside the network segment as well as from inside it. The proposed model consists of three major components, an Intrusion Detection Component, a Mobile Agent Environment and a Data Analysis Component, plus distributed sensors residing on every device in the network segment. Compared with traditional central sniffing IDS techniques, the system shows superior performance and saves network resources.

Keywords: intrusion detection system (IDS), distributed intrusion detection system (DIDS), mobile agents.

Among all security issues, intrusion is the most critical and widespread. Intrusion can be defined as an attempt to compromise or otherwise cause harm to a network. Intrusion detection is the practice of detecting unauthorized and malicious access to a network system.

Intrusion detection has become an extremely important feature of the defense-in-depth strategy. The thinking used to be that if you had a firewall protecting your network you were secure. This is no longer the case. A firewall is an essential and important part of network security, but it does not have the ability to detect hostile behavior. Unlike a firewall, an intrusion detection system has the ability to evaluate individual packets and generate an alarm if it detects a packet with hostile potential. A distributed IDS (DIDS) consists of multiple intrusion detection systems (IDS) over a large network, all of which communicate with each other or with a central server that facilitates advanced network monitoring, incident analysis, and instant attack data. By having these co-operative agents distributed across a network, incident analysts, network operations and security personnel are able to get a broader view of what is occurring on their network as a whole.

In addition to identifying attacks, an IDS can be used to identify security vulnerabilities and weaknesses, enforce security policies, and provide further system auditing by exploiting the logs and alerts from the output component of the IDS.

An agent is a software entity that functions continuously and autonomously in a particular environment, and is able to carry out activities in a flexible and intelligent manner that is responsive to changes in the environment [1]. Agents can therefore improve the means of applying detection techniques: for example, agents could be deployed at different user computers to collect extra feature data, and agents could also provide an interface to user application systems for smooth integration. Agents have therefore been applied in intrusion detection systems, where they provide a good mechanism for implementing detection algorithms on network-based application systems.

Mobile agents are intelligent program threads that function continuously and are able to learn, communicate and migrate themselves from one host to another to gather information and perhaps perform specific tasks on behalf of a user [2]. There are a number of possible advantages to using mobile code and mobile agent computing paradigms. These include overcoming network latency, reducing network load, performing autonomous and asynchronous execution, and adapting to dynamic environments [3]. Moreover, implementing mobile agents in languages such as Java provides them with system and platform independence and considerable security features, which are a necessity in intrusion detection systems [4].

This paper mainly focuses on building a mobile agent-based system for detecting intrusion in network-based application systems. It provides an option for setting up a distributed network intrusion detection system using open source tools, including the intrusion detection software Snort. The tools sniffer and Snort are used as sensors for detecting intrusion. The specific objectives are as follows:

Step 1: A new mechanism was designed for acquiring extra data about user actions from client machines or from the access control module in server applications. It provides a distributed IDS to reduce congestion in the network. Local processing units analyze relevant data and send summaries of alerts to the main station.

Step 2: Current IDS [5] comprise many sensors distributed over the network and a centralized management station. These systems cause many bottlenecks and consume a lot of network resources. In this paper, mobile agents are dispatched to hosts where they activate the sensor, process the collected data, and send it to the main station, which signals the agents either to stop collecting data or to continue, with possible changes to the collection frequency and context.

An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS also responds to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

IDS come in a variety of “flavors” and approach the goal of detecting suspicious behavior in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. Earlier IDS detect by looking for specific signatures of known threats, similar to the way antivirus software typically detects and protects against malware. Later IDS detect by comparing traffic patterns against a baseline and looking for anomalies. The IDS simply monitors, alerts and performs an action in response to a detected threat.

Intrusion detection technology dates back to 1980 [6]; it became a well-established research area after the introduction of the model [7] and the prototypes [8] [9]. These systems were centralized: a single machine at a strategic point in the network monitors the data flow and collects and analyzes data from the log files. Once an intruder compromises that host, they are able to gain considerable access to the whole network. This limitation is the main vulnerability of currently implemented IDS.

Distributed IDS were introduced to overcome this weakness, and mobile agents are considered to play a prominent role in the implementation of such technologies. The architecture called Autonomous Agents for Intrusion Detection (AAFID) [10] describes a distributed intrusion detection system based on multiple independent entities. The proposed system allows data to be collected from multiple sources, combining traditional host-based and network-based IDS. This framework has several open problems, including scalability, performance, security, and user interface. Agents can be added to or removed from the system dynamically: whenever a new form of attack is identified, new specialized agents can be deployed into the system [11].

Subsequent work such as [13], [14] and [12] presents a fully distributed architecture in which data collection and information analysis are performed locally without referring to a central management unit. For instance, a system was proposed to imitate the function of natural distributed systems to achieve the efficiency found in nature [12]. In this system, the detection of an intrusion triggers an alert pheromone (represented by mobile agents) that diffuses in the network searching for antibody agents. Mobile response agents (the lymphocytes) then migrate to the battlefield to initiate a defensive action.

In this section we present the architecture of our distributed IDS. The architecture consists of the following components: (1) an intrusion detection processor, (2) a mobile agent platform, and (3) distributed sensors. A high-level view of the architecture is given in Figure 1.

A.   Data Flow Capture
As the main network node monitor, the Data Flow Capture component monitors incoming network traffic; it captures a dump of the data and sends it to the IDA for intrusion detection, after which the Data Analysis component analyzes it and performs self-learning.

B.   Intrusion Detection Agent (IDA)
The IDA is the most important component of the system. It is responsible for monitoring network segments (subnets), and acts as the central intrusion detection agent and data processing unit. The unit is placed on a node at the entry point into the intranet so that it can monitor network traffic for all devices on the segment. It is set up to send alerts in time, checking errant packets against rule sets as they enter the segment. Its main capabilities are detecting intrusions and judging whether the behavior is abnormal; if it is abnormal, it alerts the administrator or makes some decisions.

Log files are often sent to the IDA (via mobile agents) for packet decoding and processing. The IDA monitors the agents operating in the network and directs them to critical locations in the network if malicious behavior is detected. In order to guarantee proper interaction with mobile agents, the IDA exchanges data and messages as well as commands with the Mobile Agent Environment (MAE). The IDA provides the following intrusion detection services:

•   Integrate and correlate data sent by individual mobile agents to implement multi-point detection, especially to deal with distributed attacks coming from within the network.

•   Monitor established connections within the network at a low level by scanning packets.

•   Gather evidence of the attacker’s behavior during the time window between the attack detection and the response.

•   Look for the exploitation of known vulnerabilities in the network by checking local intrusion signatures such as file integrity and user behavior profiles.

C.   Mobile Agent Environment (MAE)
In this paper, the Mobile Agent Environment (MAE) can create, interpret, execute, transfer, and terminate (kill) agents. The platform is responsible for accepting requests sent by the IDP, generating mobile agents and sending them into the network to handle the tasks (to start sniffing activities within the local network, stop them when necessary, and send the collected data back to the IDP for further analysis).

D.   Data Analysis (DA)
The Data Analysis component receives data delivered by the mobile agents and picks out the useful information, then sends the useful data to the self-learning component of the DA. The self-learning component implements the SOM algorithm to process the data further and handle abnormal intrusions.

E.   Sensors (Sniffer)
A sniffer [17] is a device deployed at the entrance of a network to allow an application or hardware device to monitor network traffic, i.e. the network packets of protocols such as IP, IPX, etc. In general, sniffing is used for: (1) network analysis and troubleshooting, (2) performance analysis and benchmarking, (3) monitoring for unencrypted text-based passwords and other interesting tidbits of data. Depending on the IDA’s instructions, the agent can run the sniffer for a predetermined period of time, collect the data, and send it in one batch to the IDP. Alternatively, it can run the sniffer and send data as it is captured to the IDP until it receives instructions to stop sniffing.

F.   Working principle
Once the system starts, the IDA starts its own sniffer and sends a ‘START’ request to the MAP. The message specifies the number of agents to be launched and the IP addresses each agent is expected to visit. This implies that the IDP has a registry containing all IP addresses in the local network. The MAP, in turn, creates the agents and dispatches them into the network. Now assume that an agent on its trip sends a report to the IDP that it has triggered an alarm. The IDA will send a ‘LUDGE’ message to the agent, causing it to reactivate the sniffer at its current location and stay there, in an effort to gather more evidence on the current attack in order to study the behavior. The IDA will then prompt the MAP to create a new agent that takes over the pinned agent’s task. In this scenario, the number of active sniffers may increase, forming an alert stage for faster reaction.
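The START / LUDGE exchange described above, as an added simulation that is not part of the original paper or its prototype: the IDA splits a host registry among the agents, each agent reports the outcome of sniffing at every stop, an alarm pins that agent with a ‘LUDGE’ message, and the MAP is asked to spawn a replacement for the remaining stops. The registry, the per-host alarm outcomes and the TAKEOVER message name are constructed assumptions (the paper names only START and LUDGE).

```python
from dataclasses import dataclass

# Constructed registry of segment hosts and the (constructed) outcome of
# sniffing at each one: True = the agent's sniffer raised a local alarm.
REGISTRY = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
ALARM_AT = {"10.0.0.11": False, "10.0.0.12": True,
            "10.0.0.13": False, "10.0.0.14": False}

@dataclass
class Agent:
    ident: int
    itinerary: list          # hosts still to visit
    location: str = ""
    sniffing: bool = False
    pinned: bool = False     # set by a LUDGE message
    def receive(self, msg):
        if msg["type"] == "LUDGE":   # stay put and keep the sniffer running
            self.pinned = self.sniffing = True

class MAP:
    def __init__(self):
        self.agents = []
    def handle(self, msg):
        if msg["type"] == "START":     # split the registry among N agents
            n = msg["count"]
            for i in range(n):
                self.spawn(msg["targets"][i::n])
        elif msg["type"] == "TAKEOVER":  # replacement for a pinned agent (assumed name)
            self.spawn(msg["remaining"])
    def spawn(self, itinerary):
        self.agents.append(Agent(len(self.agents), list(itinerary)))

class IDA:
    """Central detection agent: launches the sweep and reacts to reports."""
    def __init__(self, platform):
        self.map, self.log, self.sniffing = platform, [], False
    def start(self, count):
        self.sniffing = True         # the IDA starts its own sniffer first
        self.map.handle({"type": "START", "count": count, "targets": REGISTRY})
    def on_report(self, agent, host, alarm):
        self.log.append((agent.ident, host, alarm))
        if alarm:                    # pin the reporting agent, then replace it
            agent.receive({"type": "LUDGE"})
            self.map.handle({"type": "TAKEOVER", "remaining": agent.itinerary})

def run_sweep(count=2):
    """Drive every agent through its itinerary; returns (ida, platform)."""
    platform, i = MAP(), 0
    ida = IDA(platform)
    ida.start(count)
    while i < len(platform.agents):  # agents spawned mid-sweep run too
        agent, i = platform.agents[i], i + 1
        while agent.itinerary and not agent.pinned:
            host = agent.itinerary.pop(0)
            agent.location, agent.sniffing = host, True
            ida.on_report(agent, host, ALARM_AT[host])
            if not agent.pinned:
                agent.sniffing = False  # done here, move to the next host
    return ida, platform
```

With two agents and one alarming host, the sweep ends with three agents created, one of them pinned and still sniffing at the alarming host while the IDA's own sniffer also stays up.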


A.   Experimental preparations
In this paper, an improved IDS has been implemented with Snort [15] and a mobile agent system that was created locally. Snort is a lightweight, full-fledged open-source network-based IDS (NIDS) that has many capabilities such as packet sniffing, packet logging and intrusion detection [17]. Snort is a signature-based IDS that uses rule sets to check for errant packets crossing a node in the network. A rule is a set of requirements that will trigger an alert. Snort was chosen as the NIDS because of its availability, ease of configuration and customization.

MORPHEOUS [18] is a prototypical mobile agent system that was developed as a final year project at the American University of Beirut. This mobile agent system was chosen as the IDS platform because of its availability, ease of running, and support for mobile agents. It consists of four entities: an agent factory (AF), listeners, officer agents (OA), and soldier agents (SA). The core of this agent system is the AF. It accepts requests from network users (in this case, Snort requests), generates mobile agents and sends them into the network to deal with the specified tasks. On the AF host, many officer agents reside to keep track of the dispatched agents (soldier agents) over the network and the data fetched by these agents. The last entity is the listener, a small program that resides on every host in the network and is responsible for accepting, running, and deleting SAs.

The function component of Data Analysis (DA) is a SOM training procedure. Unlike the traditional back-propagation learning rule, SOM learning is unsupervised. While the multilayer feedforward network is trained, the hidden-unit activations of the feedforward network are used as training material for the accompanying Self-Organizing Maps. After a few training cycles, the maps are developed to a certain extent. The information in the maps is used to update the connection weights of the feedforward network. The clustering effect is obvious during SOM learning: hidden-unit activations of patterns associated with the same class are clustered together. Results on classification show that the SOM architecture and learning rule offer a strong alternative for training multilayer feedforward networks with back-propagation.
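An added example, not the paper's code, of the kind of anomaly check the DA self-learning component can perform with a SOM: a small map is trained on constructed summaries of normal flows only, and an input is flagged when its quantization error (distance to its best matching unit) is far above what the training data produced. The feature choice, the scaling to [0, 1], the grid size and the mean + 3σ threshold are all assumptions.

```python
import math
import random
import statistics

def best_matching_unit(nodes, x):
    """Index of the node whose weight vector is closest to x."""
    return min(range(len(nodes)), key=lambda i: math.dist(nodes[i], x))

def train_som(samples, grid=4, epochs=60, seed=0):
    """Train a grid x grid map; learning rate and neighbourhood decay over time."""
    rng = random.Random(seed)
    dim = len(samples[0])
    nodes = [[rng.random() for _ in range(dim)] for _ in range(grid * grid)]
    total, step = epochs * len(samples), 0
    for _ in range(epochs):
        for x in samples:
            frac = step / total
            lr = 0.5 * (1 - frac) + 0.01              # learning rate
            sigma = (grid / 2) * (1 - frac) + 0.3     # neighbourhood radius
            br, bc = divmod(best_matching_unit(nodes, x), grid)
            for i, w in enumerate(nodes):
                r, c = divmod(i, grid)
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma ** 2))
                for j in range(dim):
                    w[j] += lr * h * (x[j] - w[j])
            step += 1
    return nodes

def quantization_error(nodes, x):
    """Distance from x to its best matching unit; large means 'never seen'."""
    return math.dist(nodes[best_matching_unit(nodes, x)], x)

def build_detector(normal_samples):
    """Train on normal traffic only; flag inputs far from every learned node."""
    nodes = train_som(normal_samples)
    errs = [quantization_error(nodes, x) for x in normal_samples]
    threshold = statistics.mean(errs) + 3 * statistics.pstdev(errs)  # assumed rule
    return lambda x: quantization_error(nodes, x) > threshold

# Constructed normal flow summaries (packet rate, mean packet size, distinct
# destination ports), each already scaled to [0, 1], with small jitter.
_rng = random.Random(1)
NORMAL = [[0.3 + _rng.uniform(-0.05, 0.05), 0.6 + _rng.uniform(-0.05, 0.05),
           0.03 + _rng.uniform(-0.02, 0.02)] for _ in range(40)]
# Constructed inputs to score: one typical flow and one port-scan-like flow
# (high rate, tiny packets, many distinct ports).
TYPICAL_FLOW = [0.31, 0.59, 0.04]
PORT_SCAN = [0.9, 0.05, 0.95]

is_anomalous = build_detector(NORMAL)

if __name__ == "__main__":
    print("typical flagged:", is_anomalous(TYPICAL_FLOW))  # False
    print("scan flagged:", is_anomalous(PORT_SCAN))        # True
```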

In the experiment, TcpDump is replaced by WinDump [19], its port to the Windows platform. It runs on all the operating systems supported by WinPcap, e.g. Windows XP. It was selected for the system because of its light weight, popularity, support for multiple operating systems and ability to dynamically reconfigure its execution state.

In this paper, a model for a Distributed Intrusion Detection System based on mobile agents was presented. In the system we bring in the tool “sniffer” and the open source tool “snort” to implement our prototype system. After many experiments we found that it offers superior performance compared with Snort-based intrusion detection. We also use the SOM feedforward network architecture in the system to find new types of attacks. In the future, we will devote more time to new types of attacks.

[1] J. M. Bradshaw. “An introduction to software agents”, Software Agents, chapter 1. AAAI Press/The MIT Press, 1997.
[2] Stefan Fuenfrocken. “How to Integrate Mobile Agents into Web Servers”, Technical Report, Department of Computer Science, Darmstadt University of Technology, Alexanderstr. 10, D 64283 Darmstadt, Germany.
[3] Wayne Jansen, Peter Mell, Tom Karygiannis, Don Marks. “Applying Mobile Agents to Intrusion Detection and Response”, NIST Interim Report (IR) 6416. ACM October 1999.
[4] Stefan Fuenfrocken. “Integrating Java-based Mobile Agents into Web Servers under Security Concerns”, Technical Report, Department of Computer Science, Darmstadt University of Technology, Alexanderstr. 6, 64283 Darmstadt, Germany.
[5] Rajeev Gopalakrishna, Eugene H. Spafford. “A Framework for Distributed Intrusion Detection using Interest Driven Cooperating Agents”, Purdue University, 2001.
[6] J. P. Anderson. “Computer Security Threat Monitoring and Surveillance”, Technical report, James P. Anderson Co., Fort Washington, PA, April 1980.
[7] D. E. Denning. “An intrusion-detection model”, In Proceedings of the IEEE Symposium on Security and Privacy, pages 118-131, April 1986.
[8] D. S. Bauer and M. E. Koblentz. “NIDX – an expert system for real-time network intrusion detection”, In Proceedings of the Computer Networking Symposium, pages 98-106, Washington, DC, April 1988.
[9] R. Schoonderwoerd, O. Holland, and J. Bruten. “Ant-like agents for load balancing in telecommunications networks”, In Proceedings of the First International Conference on Autonomous Agents, 1997.
[10] Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni. “An Infrastructure for Intrusion Detection using Autonomous Agents”, COAST Technical Report 98/05, June 11, 1998.
[11] Richard Feiertag, Sue Rho, Lee Benzinger, Stephen Wu, Timothy Redmond, Cui Zhang, Karl Levitt, Dave Peticolas, Mark Heckman, Stuart Staniford, and Joey McAlerney. “Intrusion detection inter-component adaptive negotiation”, Computer Networks 34 (2000) 605-
[12] Serge Fenet and Salima Hassas. “A distributed Intrusion Detection and Response System based on mobile autonomous agents using social insects communication paradigm”, Published by Elsevier Science B. V.,
[13] G. B. White, E. A. Fisch, and U. W. Pooch. “Cooperating security managers: A peer-based intrusion detection system”, 10(1): 20-23,
[14] J. Barrus and N. Rowe. “A distributed autonomous-agent network-intrusion detection and response system”, In Proceedings of the 1998 Command and Control Research and Technology Symposium, 1998.
[15] Sabeel Ansari, Rajeev S.G., and Chandrashekar H.S. “Packet Sniffing: A Brief Introduction”, IEEE, January 2003.
[16] Snort website: www.snort.org (accessed January 15, 2003).
[17] Martin Roesch. “Snort - Lightweight Intrusion Detection for Networks”. A white paper on the design features of Snort 2.0 from: www.sourcefire.com/technology/whitepapers.html (accessed January 15, 2004).
[18] Mohamed Mohsen and Khaled Heloue. “Mobile Agents System for Data Retrieval”, Final Year Project Report, American University of Beirut, August 2003.
[19] The main website of WinDump: www.tcpdump.org (accessed January 10, 2004).

