IJSER Content Writer

New Approach for Detecting Intrusions
« on: February 18, 2012, 02:22:32 am »
Author : Mohammed Chennoufi, Fatima Bendella
International Journal of Scientific & Engineering Research Volume 3, Issue 1, January-2012
ISSN 2229-5518

Abstract: This paper describes how multi-agent systems can help to solve a complex problem such as security, and more precisely intrusion detection. An Intrusion Detection System (I.D.S) is a component of the security infrastructure designed to detect violations of security policy. Most intrusions can be localized either by considering models ("patterns") of user activities (non-behavioural approach) or by considering the audit log (behavioural approach). False positives and false negatives are considered the major disadvantages of these approaches. We consider that a good I.D.S should exhibit the characteristics of intelligent agents, such as autonomy, distribution and communication.
For this we suggest a new approach based on multi-agent systems (M.A.S), which incorporates the characteristics of intelligent agents (automatic learning of new attacks) so that decisions taken by the system are the result of a group of agents working together; this makes the IDS more flexible and reliable. This approach is applied to a large data source and requires prior work (pre-processing).

Index Terms: Security, attack, I.D.S, K.D.D, M.A.S, MLP, cognitive agent, learning.

1   INTRODUCTION
When the Internet was created, the main challenge was to enable data transmission. This objective was achieved, but at the expense of the security of users and of organizations' data. Organizations accept this risk because security is difficult, which leaves their computer systems vulnerable to attacks. Various tools exist to prevent these attacks or reduce their severity, but no solution can be considered satisfactory and complete. The I.D.S is one of the most effective tools for detecting intrusions or attempted intrusions, either from user behaviour or by recognizing attacks in the stream of network data. Its purpose is to locate abnormal and suspicious activity on the analysed target (network or host) [1].

Various methods and approaches have been adopted for the design of intrusion detection systems.
Our objective is to design an intelligent tool capable of detecting new intrusions while addressing one of the main problems of IDS, the very large amount of data. For this, we suggest a new approach based on multi-agent systems (M.A.S) which incorporates the features of intelligent agents (learning new attacks). Our approach is applied to the KDD 99 (Knowledge Discovery and Data Mining) data source [2].

This article is organized as follows: in the first section we present intrusion detection systems and their link with M.A.S. In the second section we discuss previous work using the scenario method. The third section is devoted to the presentation of our M.A.S-based architecture, with a pre-processing module for our comprehensive data and supervised learning of our cognitive agent. A conclusion and outlook are presented in the fourth section.

2   INTRUSION DETECTION SYSTEM
An intrusion detection system is a tool that identifies abnormal activity on the analyzed target and helps prevent the risks of intrusion. Such systems are designed to analyze large volumes of data [3]. There are two main approaches to detecting intrusions [4] [5] [6]:
1)   The behavioural approach (Anomaly Detection).
2)   The non-behavioural approach (scenario).
The first approach is based on the assumption that exploiting a breach in the system requires abnormal use of that system, and thus unusual behaviour by the user. The second approach relies on knowledge of the techniques used by attackers to derive typical scenarios. The best known and most easily understood method in this approach is pattern matching, which searches for patterns (strings or byte sequences) in the data stream.
The advantages and disadvantages of each approach are summarized in Table 1.

TABLE 1
COMPARISON BETWEEN THE TWO APPROACHES.
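As an added illustration (not code from the paper), the following Python contrasts the two approaches on constructed KDD-99-style connection records: a fixed signature for one known pattern beside a baseline-deviation detector, showing the false negative and the false positive the abstract warns about. The signature rule, the feature subset, the threshold and all records are assumptions made for this example.

```python
from statistics import mean, pstdev

# Subset of real KDD 99 feature names; every record below is constructed sample data.
FEATURES = ("duration", "protocol_type", "service", "flag",
            "src_bytes", "dst_bytes", "count", "serror_rate")

def parse_record(line):
    """Parse one comma-separated connection record into typed features."""
    rec = dict(zip(FEATURES, line.split(",")))
    for key in ("duration", "src_bytes", "dst_bytes", "count"):
        rec[key] = int(rec[key])
    rec["serror_rate"] = float(rec["serror_rate"])
    return rec

# Non-behavioural (scenario) approach: fixed rules for known attack patterns.
# This single rule is an assumed illustration, not a rule from the paper.
SIGNATURES = {
    "half_open_flood": lambda r: (r["flag"] == "S0" and r["count"] >= 100
                                  and r["serror_rate"] >= 0.9),
}

def signature_alerts(rec):
    """Names of the signatures a record matches; an unknown attack yields []."""
    return [name for name, rule in SIGNATURES.items() if rule(rec)]

# Behavioural (anomaly) approach: learn a baseline from normal traffic and alert
# when a numeric feature drifts more than `threshold` standard deviations from it.
class AnomalyModel:
    def __init__(self, keys=("src_bytes", "dst_bytes", "count"), threshold=3.0):
        self.keys, self.threshold, self.stats = keys, threshold, {}

    def fit(self, normal_records):
        for k in self.keys:
            vals = [r[k] for r in normal_records]
            self.stats[k] = (mean(vals), pstdev(vals))

    def score(self, rec):
        """Largest absolute z-score over the modelled features."""
        zs = [abs(rec[k] - mu) / sd if sd else (0.0 if rec[k] == mu else float("inf"))
              for k, (mu, sd) in self.stats.items()]
        return max(zs)

    def is_anomalous(self, rec):
        return self.score(rec) > self.threshold

# Constructed baseline of ordinary HTTP connections used to fit the model.
NORMAL = [parse_record(l) for l in (
    "0,tcp,http,SF,200,4000,2,0.0", "0,tcp,http,SF,250,5000,3,0.0",
    "0,tcp,http,SF,300,4500,2,0.0", "0,tcp,http,SF,220,4200,4,0.0",
    "0,tcp,http,SF,280,4800,3,0.0", "0,tcp,http,SF,240,4600,2,0.0")]
MODEL = AnomalyModel()
MODEL.fit(NORMAL)
```

A record matching no signature but far from the baseline is the scenario approach's false negative, while a legitimate but unusually large transfer is the behavioural approach's false positive.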

2.1  Different types of IDS
Intrusion detection systems (IDS) can be classified into three major categories according to what they monitor:
   - Network IDS or NIDS (Network based IDS).
   - System IDS or HIDS (Host based IDS).
   - Hybrid IDS (NIDS and HIDS).
NIDS are tools that analyze network traffic. They generally include a sensor that listens on the network segment to be monitored and an engine that analyzes the traffic to detect attack signatures or deviations from a reference model.
HIDS: their mission is to analyze system logs, control access to system calls and check file integrity. A HIDS can rely on auditing features, whether or not they are specific to the operating system, to check integrity and generate alerts. They are unable to detect attacks that exploit weaknesses of the IP stack, typically denial of service such as a SYN flood.
A hybrid is therefore ideal: it improves the basic detection algorithms, minimizes false positives and identifies complex attack scenarios. IDS can also be classified according to various criteria, which can be used to select the IDS most appropriate to the needs. Some classifications are based on the behaviour of the IDS, some on their information sources; another classification is based on the frequency of use of the IDS, with active or passive response.
2.2  Related works
To adapt to changing security needs due to changes in networks, new intrusion detection systems must offer features such as adaptability, flexibility, distribution, autonomy, communication and cooperation. If we compare these characteristics with the properties of intelligent agents (autonomy, adaptability, responsiveness), it is very clear that M.A.S are well suited to the problem of intrusion detection [7][8][9][10]. Many attacks are caused by abnormal behaviour of network elements, hence the need to distribute the IDS functionalities over several entities.
In [11] the author designed a multi-agent system for intrusion detection. The model is organized in several layers according to a hierarchical model (extranet and intranet). He worked on a scenario approach; his model is based on reactive agents and does not detect new attacks.
In [12] the author designed an architecture based on four well-distributed agents. The approach is host-based, and its security model relies on asymmetric cryptography. The key exchange between hosts can be broken if the attacker has deep knowledge of cryptography.
Detter [13] uses a network-based architecture that places an agent engine at each location. It is made of distributed layers operating over a range of distributed agent engines. This architecture takes advantage of the mobile agent paradigm to implement a system capable of efficiently and flexibly distributing the tasks of analysis and monitoring, and of integrating existing detection techniques.
In [14] the authors suggest extending their system with a case-based reasoning model for learning new attacks. They propose integrating into the different agents (with the exception of the security policy manager agent) a learning function based on the resemblance and similarities between past attacks and new attacks. Their model did not produce a result.
Brahimi [15] developed an IDS based on mobile agents and data mining, where the signature table is updated by data mining.
In [16] the author uses the NIDS approach. The architecture is based on a KDD-based simulation. He used a reinforcement learning algorithm to detect new attacks, but his model did not give good results; there is a risk of convergence on the unbalanced K.D.D. data.
Raoui [17] developed an IDS on a distributed platform based on M.A.S. He used two types of agents: reactive agents to detect known attacks and cognitive agents to detect unknown attacks (one agent detects viruses, Trojans ... the other).
