Network intrusion detection through Adaptive Sub-Eigenspace Modeling in multiagent systems

Published: 01 September 2007

Abstract

Network security has become a vital concern, calling for accurate and efficient solutions capable of defending network systems and the valuable information traveling through them. In this article, a distributed multiagent intrusion detection system (IDS) architecture is proposed that aims to provide an accurate and lightweight solution to network intrusion detection while addressing the problems typical of distributed multiagent designs, namely poor system scalability and excessive demands on processing power and memory. The proposed IDS architecture consists of (i) the Host layer, with lightweight host agents that perform anomaly detection on the network connections to their respective hosts, and (ii) the Classification layer, whose main functions are to perform misuse detection on behalf of the host agents, detect distributed attacks, and disseminate network security status information to the whole network. The intrusion detection task is carried out by lightweight anomaly and misuse detection schemes based on Adaptive Sub-Eigenspace Modeling (ASEM). Promising experimental results indicate that the ASEM-based schemes outperform the KNN and LOF algorithms in the anomaly detection task, with high detection rates and low false alarm rates, and outperform several well-known supervised classification methods, such as C4.5 Decision Tree, SVM, NN, KNN, Logistic, and Decision Table (DT), in the misuse detection task. To assess performance in a real-world scenario, the Relative Assumption Model, feature extraction techniques, and common network attack generation tools are employed to generate normal and anomalous traffic in a private LAN testbed. Furthermore, the scalability of the proposed IDS architecture is investigated by simulating the proposed agent communication scheme; both the degradation of system response time and the network traffic overhead generated by agent communication are found to grow linearly, which is considered satisfactory.
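The abstract does not give the details of ASEM, so the following is an added illustration, not the paper's code or algorithm: a generic eigenspace (principal-subspace) anomaly detector of the kind a lightweight host agent could run over per-connection feature vectors. A model of normal connections is learned as the leading eigenvector(s) of the feature covariance matrix, and a new connection is scored by its squared distance from that subspace; a score above a threshold derived from the training residuals is flagged as anomalous. The connection data, the three features (bytes sent, bytes received, duration), the noise pattern and the threshold margin are all constructed for the example.

```python
import math

# --- Constructed sample data (not the paper's LAN testbed traffic) -----------
# Each row is a per-connection feature vector [bytes_sent, bytes_received,
# duration], pre-scaled so the values are comparable. Normal traffic is modelled
# as lying near one direction (received ~ 2*sent, duration ~ 0.5*sent) plus a
# small deterministic noise pattern, so the run is reproducible.
def constructed_normal_connections(n=40):
    rows = []
    for i in range(n):
        t = 1.0 + 9.0 * i / (n - 1)
        noise = [0.05 * (((7 * i + 3 * j) % 5) - 2) for j in range(3)]
        rows.append([t + noise[0], 2.0 * t + noise[1], 0.5 * t + noise[2]])
    return rows


def mean_vector(rows):
    d = len(rows[0])
    return [sum(r[j] for r in rows) / len(rows) for j in range(d)]


def covariance(rows, mu):
    """Sample covariance matrix of the centred feature vectors."""
    d = len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        c = [r[j] - mu[j] for j in range(d)]
        for a in range(d):
            for b in range(d):
                cov[a][b] += c[a] * c[b]
    return [[v / (len(rows) - 1) for v in row] for row in cov]


def top_eigenvectors(matrix, k, iters=300):
    """Leading k unit eigenvectors of a symmetric matrix via power iteration
    with deflation (adequate for the small feature dimensions used here)."""
    d = len(matrix)
    m = [row[:] for row in matrix]
    vecs = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d          # fixed, non-degenerate start vector
        for _ in range(iters):
            w = [sum(m[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm == 0.0:
                break
            v = [x / norm for x in w]
        lam = sum(v[a] * sum(m[a][b] * v[b] for b in range(d)) for a in range(d))
        vecs.append(v)
        for a in range(d):                     # deflate: remove the found component
            for b in range(d):
                m[a][b] -= lam * v[a] * v[b]
    return vecs


def residual_score(model, x):
    """Squared distance from x to the learned principal subspace (the part of
    the centred vector that the normal-traffic eigenspace cannot explain)."""
    c = [x[j] - model["mu"][j] for j in range(len(x))]
    proj = [0.0] * len(c)
    for v in model["vecs"]:
        coef = sum(c[j] * v[j] for j in range(len(c)))
        for j in range(len(c)):
            proj[j] += coef * v[j]
    return sum((c[j] - proj[j]) ** 2 for j in range(len(c)))


def fit_eigenspace_model(rows, k=1, margin=1.5):
    """Learn mean, k leading eigenvectors and a residual threshold from normal
    connections. The threshold is margin * (largest training residual); a
    quantile of the training residuals is the more robust choice in practice."""
    mu = mean_vector(rows)
    vecs = top_eigenvectors(covariance(rows, mu), k)
    model = {"mu": mu, "vecs": vecs, "threshold": None}
    model["threshold"] = margin * max(residual_score(model, r) for r in rows)
    return model


def is_anomalous(model, x):
    return residual_score(model, x) > model["threshold"]


if __name__ == "__main__":
    model = fit_eigenspace_model(constructed_normal_connections(), k=1)
    for conn in ([6.0, 12.0, 3.0], [8.0, 0.1, 9.0]):   # constructed test connections
        print(conn, "score=%.4f" % residual_score(model, conn),
              "anomalous" if is_anomalous(model, conn) else "normal")
```

A host agent in this style keeps only the mean, a few eigenvectors and a threshold per host, which is what makes the per-host model lightweight; the misuse (signature) classification that the abstract assigns to the Classification layer is a separate supervised step and is not shown here.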

