Network intrusion detection through Adaptive Sub-Eigenspace Modeling in multiagent systems

Abstract
Network security has become a critical concern that demands accurate and efficient solutions for defending network systems and the valuable information that travels through them. In this article, a distributed multiagent intrusion detection system (IDS) architecture is proposed that attempts to provide an accurate and lightweight solution to network intrusion detection by addressing problems typical of distributed multiagent designs, such as poor scalability and excessive processing-power and memory requirements. The proposed IDS architecture consists of (i) the Host layer, whose lightweight host agents perform anomaly detection on the network connections to their respective hosts, and (ii) the Classification layer, whose main functions are to perform misuse detection on behalf of the host agents, detect distributed attacks, and disseminate network security status information to the whole network. The intrusion detection task is achieved through lightweight Adaptive Sub-Eigenspace Modeling (ASEM)-based anomaly and misuse detection schemes. Promising experimental results indicate that the ASEM-based schemes outperform the KNN and LOF algorithms in the anomaly detection task, with high detection rates and low false alarm rates, and outperform several well-known supervised classification methods, such as C4.5 Decision Tree, SVM, NN, KNN, Logistic, and Decision Table (DT), in the misuse detection task. To assess performance in a real-world scenario, the Relative Assumption Model, feature extraction techniques, and common network attack generation tools are employed to generate normal and anomalous traffic in a private LAN testbed. Furthermore, the scalability of the proposed IDS architecture is investigated through simulation of the proposed agent communication scheme, and both the degradation of system response time and the network traffic overhead generated by agent communication exhibit satisfactory linear relationships.