A SNIFFER INTRUSION DETECTION SYSTEM BASED
ON MOBILE AGENTS
Abstract—In this paper, the tool “sniffer” is introduced and controlled as a sensor by the IDS via mobile agents; these agents gather intrusion detection data and send them back to the server for analysis. We propose a distributed intrusion detection system (DIDS) that uses mobile agents to detect intrusions originating outside the network segment as well as inside it. The proposed model consists of four major components: an Intrusion Detection Component, a Mobile Agent Environment, a Data Analysis Component, and distributed sensors residing on every device in the network segment. Compared with traditional centralised sniffing IDS techniques, the system shows better performance and saves network resources.
Keywords: intrusion detection system (IDS), distributed intrusion detection system (DIDS), mobile agents.
I. INTRODUCTION
Among all security issues, intrusion is one of the most critical and widespread. An intrusion can be defined as an attempt to compromise or otherwise cause harm to a network. Intrusion detection is the process of detecting unauthorised and malicious access to a networked system.
Intrusion detection has become an important part of a defence-in-depth strategy. It used to be thought that a firewall was enough to secure a network; this is no longer the case. A firewall is an essential part of network security, but it cannot detect hostile behaviour in the traffic it allows through. Unlike a firewall, an intrusion detection system can evaluate individual packets and raise an alarm if it detects a packet with hostile potential. A distributed IDS (DIDS) consists of multiple intrusion detection systems spread over a large network that communicate with each other or with a central server, which provides advanced network monitoring, incident analysis and up-to-date attack data. With these cooperative agents distributed across a network, incident analysts, network operations and security personnel get a broader view of what is occurring on the network as a whole.
In addition to identifying attacks, an IDS can be used to identify security vulnerabilities and weaknesses, enforce security policies and support system auditing, by exploiting the logs and alerts produced by the output component of the IDS.
An agent is a software entity that functions continuously and autonomously in a particular environment and is able to carry out activities in a flexible and intelligent manner that is responsive to changes in the environment [1]. Agents can therefore improve the way detection techniques are applied: for example, agents can be deployed on different user computers to collect extra feature data, and they can provide an interface to user application systems for smooth integration. Agents have thus been applied in intrusion detection systems as a mechanism for implementing detection algorithms on network-based application systems.
Mobile agents are program threads that run continuously and are able to learn, communicate and migrate from one host to another to gather information and perform specific tasks on behalf of a user [2]. The mobile code and mobile agent computing paradigms offer a number of potential advantages, including overcoming network latency, reducing network load, autonomous and asynchronous execution, and adaptation to dynamic environments [3]. Moreover, implementing mobile agents in a language such as Java gives them system and platform independence and considerable security features, which are a necessity in intrusion detection systems [4].
This paper focuses on building a mobile agent-based system for detecting intrusions in network-based application systems. It provides an option for setting up a distributed network intrusion detection system using open source tools, including the intrusion detection software Snort. The sniffer and Snort are used as sensors for detecting intrusions. The specific objectives are as follows:
(1) A new mechanism is designed for acquiring extra data about user actions from client machines or from the access control module of server applications. The distributed IDS reduces congestion in the network: local processing units analyse the relevant data and send only summaries of alerts to the main station.
(2) Current IDSs [5] comprise many sensors distributed over the network and a centralised management station. These systems create bottlenecks and consume a lot of network resources. In this paper, mobile agents are dispatched to hosts, where they activate the sensor, process the collected data and send it to the main station, which signals the agents either to stop collecting data or to continue, possibly with changes to the collection frequency and context.
II. BACKGROUND AND RELATED WORK
An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS also responds to anomalous or malicious traffic by taking action, such as blocking the user or source IP address from accessing the network.
IDSs come in a variety of “flavours” and approach the goal of detecting suspicious behaviour in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. Signature-based IDSs detect attacks by looking for specific signatures of known threats, similar to the way antivirus software typically detects and protects against malware. Anomaly-based IDSs instead compare traffic patterns against a baseline and look for deviations from it. In either case the IDS monitors, alerts and takes action in response to a detected threat.
Intrusion detection technology dates back to 1980 [6]; it became a well-established research area after the introduction of the intrusion-detection model [7] and the first prototypes [8][9]. These early systems were centralised: a single machine at a strategic point in the network monitors the data flow and collects and analyses data from log files. Once an intruder compromises that host, he gains considerable access to the whole network. This limitation is the main vulnerability of currently implemented IDSs.
Distributed IDSs were introduced to overcome this weakness, and mobile agents are considered to play a prominent role in implementing them. The architecture called Autonomous Agents for Intrusion Detection (AAFID) [10] describes a distributed intrusion detection system based on multiple independent entities. It allows data to be collected from multiple sources, combining traditional host-based and network-based IDS. Several problems remain open in this framework, including scalability, performance, security and the user interface. Agents can be added to or removed from the system dynamically: whenever a new form of attack is identified, new specialised agents can be deployed into the system [11].
Subsequent work such as [13], [14] and [12] presents fully distributed architectures in which data collection and analysis are performed locally, without referring to a central management unit. For instance, a system was proposed that imitates natural distributed systems in order to achieve the efficiency found in them [12]. In this system, the detection of an intrusion triggers an alert pheromone (represented by mobile agents) that diffuses through the network in search of antibody agents; mobile response agents (the lymphocytes) then migrate to the battlefield to initiate a defensive action.
III. SYSTEM ARCHITECTURE
In this section we present the architecture of our distributed IDS. It consists of the following components: (1) an intrusion detection processor, made up of the Data Flow Capture and the Intrusion Detection Agent (IDA); (2) a mobile agent platform, the Mobile Agent Environment (MAE); (3) a Data Analysis (DA) component; and (4) distributed sensors (sniffers). A high-level view of the architecture is given in Figure 1.
A. Data Flow Capture
As the main network-node monitor, the Data Flow Capture component monitors incoming network traffic, captures a dump of the data and sends it to the IDA for intrusion detection; from there the data goes to the Data Analysis component for analysis and self-learning.
B. Intrusion Detection Agent (IDA)
The IDA is the most important component of the system. It is responsible for monitoring network segments (subnets) and acts as the central intrusion detection agent and data processing unit. It is placed on the node through which traffic enters the intranet, so that it can monitor network traffic for all devices on the segment, and it is set up to raise alerts promptly by checking packets against rule sets as they enter the segment. Its main tasks are detecting intrusions and judging whether observed behaviour is abnormal; if it is, the IDA alerts the administrator or takes a decision itself.
Log files are often sent to the IDA (via mobile agents) for packet decoding and processing. The IDA monitors the agents operating in the network and directs them to critical locations when malicious behaviour is detected. To guarantee proper interaction with the mobile agents, the IDA exchanges data, messages and commands with the Mobile Agent Environment (MAE). The IDA provides the following intrusion detection services:
• Integrate and correlate the data sent by individual mobile agents to implement multi-point detection, especially against distributed attacks coming from within the network.
• Monitor established connections within the network at a low level by scanning packets.
• Gather evidence of the attacker's behaviour during the time window between attack detection and response.
• Look for the exploitation of known vulnerabilities in the network by checking local intrusion indicators such as file integrity and user behaviour profiles.
C. Mobile Agent Environment (MAE)
In this paper, the Mobile Agent Environment (MAE) can create, interpret, execute, transfer and terminate (kill) agents. The platform is responsible for accepting requests sent by the IDA, generating mobile agents and sending them into the network to handle their tasks: start sniffing within the local network, stop it when necessary, and send the collected data back to the IDA for further analysis.
D. Data analysis (DA)
The Data Analysis component receives the data delivered by the mobile agents, extracts the useful information and passes it to the self-learning component of the DA. The self-learning component implements the SOM (self-organising map) algorithm to process the data further and detect anomalous intrusions.
E. Sensors (Sniffer)
A sniffer [15] is a software or hardware device, deployed at the entrance of a network, that monitors network traffic; it captures network packets of protocols such as IP and IPX. In general, sniffing is used for (1) network analysis and troubleshooting, (2) performance analysis and benchmarking, and (3) monitoring for unencrypted text-based passwords and other interesting data. Depending on the IDA's instructions, the agent can run the sniffer for a predetermined period of time, collect the data and send it in one batch to the IDA. Alternatively, it can run the sniffer and stream the data to the IDA as it is captured, until it receives an instruction to stop sniffing.
F. Working principle
Once the system starts, the IDA starts its own sniffer and sends a ‘START’ request to the MAE. The message specifies the number of agents to be launched and the IP addresses that each agent is expected to visit; this implies that the IDA holds a registry of all IP addresses in the local network. The MAE, in turn, creates the agents and dispatches them into the network. Now assume that an agent on its trip reports to the IDA that it has triggered an alarm. The IDA sends a ‘LUDGE’ message to that agent, causing it to reactivate the sniffer at its current location and stay there, in order to gather more evidence on the current attack and study its behaviour. The IDA also prompts the MAE to create a new agent that takes over the pinned agent's remaining task. In this scenario, the number of active sniffers increases, forming an alert stage that allows faster reaction.
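The control loop of this section, together with the batch sniffing mode of Section III.E, can be made concrete with the following simulation. It is an added example and not code from the paper or from the MORPHEOUS agent system; the message names START and LUDGE are the paper's, while the class and method names, the round-robin split of the host registry into agent routes, the port-scan alarm rule and the per-host packet summaries are assumptions made for this illustration.

```python
"""Simulation of the IDA / MAE / agent control loop of Section III.F.

Added example; not code from the paper or from the MORPHEOUS agent system.
START and LUDGE are the paper's message names; every class, method, the
round-robin route split, the alarm rule and the traffic below are assumed.
The sniffer is simulated (batch mode of Section III.E): each visit returns
the constructed packet summaries for that host instead of a live capture.
"""
from collections import deque

# Constructed packet summaries a sniffer would see on each host: "proto src -> dst:dport".
SIMULATED_TRAFFIC = {
    "10.0.0.11": ["tcp 10.0.0.11:51000 -> 10.0.0.5:80",
                  "tcp 10.0.0.11:51001 -> 10.0.0.5:443"],
    "10.0.0.12": ["tcp 10.0.0.12:40000 -> 10.0.0.5:22"],
    "10.0.0.13": ["tcp 10.0.0.13:1025 -> 10.0.0.5:22",
                  "tcp 10.0.0.13:1026 -> 10.0.0.5:23",
                  "tcp 10.0.0.13:1027 -> 10.0.0.5:25"],
}


def port_scan_rule(packets):
    """Assumed alarm rule: three or more distinct destination ports seen from one host."""
    return len({p.rsplit(":", 1)[1] for p in packets}) >= 3


class Agent:
    """A soldier agent: walks its route and runs the sniffer at each host."""

    def __init__(self, agent_id, route):
        self.id = agent_id
        self.route = deque(route)   # hosts still to visit
        self.location = None
        self.pinned = False         # True after a LUDGE message: stay put and keep sniffing
        self.collected = []

    def migrate(self):
        """Move to the next host on the route; False when pinned or the route is finished."""
        if self.pinned or not self.route:
            return False
        self.location = self.route.popleft()
        return True

    def sniff(self):
        """Batch mode: run the sniffer for its window and return everything captured."""
        packets = list(SIMULATED_TRAFFIC.get(self.location, []))
        self.collected.extend(packets)
        return packets


class MobileAgentEnvironment:
    """The MAE: creates agents on request and dispatches them into the network."""

    def __init__(self):
        self.agents = []

    def handle_start(self, routes):
        """START request: one new agent per route (a list of host IPs to visit)."""
        created = []
        for route in routes:
            agent = Agent("SA-%d" % (len(self.agents) + 1), route)
            self.agents.append(agent)
            created.append(agent)
        return created


class IntrusionDetectionAgent:
    """The IDA: owns the host registry, drives the agents and raises alarms."""

    def __init__(self, mae, registry, alarm_rule, agents=1):
        self.mae = mae
        self.alarm_rule = alarm_rule
        self.alarms = []        # (host, packets) pairs
        self.messages = []      # control messages sent, kept for inspection
        # Split the registry round-robin into one route per agent.
        self.routes = [list(registry)[i::agents] for i in range(agents)]

    def run(self):
        self.messages.append(("START", len(self.routes)))
        active = self.mae.handle_start(self.routes)
        while active:
            still_active = []
            for agent in active:
                if not agent.migrate():
                    continue                       # route finished
                report = agent.sniff()
                if self.alarm_rule(report):
                    self.alarms.append((agent.location, report))
                    # Pin the agent where the alarm fired so it keeps gathering evidence ...
                    self.messages.append(("LUDGE", agent.id, agent.location))
                    agent.pinned = True
                    # ... and have the MAE create a successor for the rest of its route.
                    if agent.route:
                        still_active.extend(self.mae.handle_start([list(agent.route)]))
                else:
                    still_active.append(agent)
            active = still_active
        return self.alarms


def run_demo():
    """One agent over a three-host registry; the scanning host is visited first."""
    mae = MobileAgentEnvironment()
    ida = IntrusionDetectionAgent(mae, ["10.0.0.13", "10.0.0.11", "10.0.0.12"], port_scan_rule)
    alarms = ida.run()
    return {"alarms": alarms, "messages": ida.messages, "agents": mae.agents}


if __name__ == "__main__":
    result = run_demo()
    for host, packets in result["alarms"]:
        print("alarm at %s (%d packets)" % (host, len(packets)))
    for msg in result["messages"]:
        print("message:", msg)
    for agent in result["agents"]:
        print(agent.id, "pinned" if agent.pinned else "finished", agent.collected)
```

Running the module raises one alarm at 10.0.0.13: the first agent is pinned there by LUDGE, and a second agent created by the MAE finishes the remaining two hosts, so the number of sniffers in the field grows from one to two, which is the alert stage described above.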
IV. EXPERIMENTAL RESULTS AND ANALYSIS
A. Experimental preparations
In this paper, an improved IDS has been implemented with Snort [16] and a mobile agent system that was developed locally. Snort is a lightweight, full-fledged open source network-based IDS (NIDS) with capabilities such as packet sniffing, packet logging and intrusion detection [17]. Snort is a signature-based IDS that uses rule sets to check for errant packets crossing a node in the network. A rule is a set of requirements that, when met by a packet, trigger an alert. Snort was chosen as the NIDS because of its availability, ease of configuration and customisation.
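The following is an added example, not the paper's code and not Snort's own detection engine, showing how a rule of the kind described above is parsed and matched against packets. The rule syntax is Snort's, but only a subset is handled: the header fields (action, protocol, addresses, ports, direction) and the options msg, sid, rev, flags, content and nocase. The three rules, the packets and their string payloads are constructed for this example.

```python
"""Minimal matcher for a subset of the Snort rule language.

Added example; not the paper's code and not Snort's engine.  Handled: the
rule header and the options msg, sid, rev, flags, content, nocase; CIDR and
'!' negation on addresses; 'lo:hi' port ranges.  Payloads are plain strings
rather than raw bytes.  Rules and packets below are constructed.
"""
import ipaddress
import re

# header: action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")     # bare keywords such as nocase get ''
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def _ip_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_match(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _endpoints_match(rule, pkt):
    forward = (_ip_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
               and _ip_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    if forward or rule["dir"] == "->":
        return forward
    # '<>' rules also match traffic flowing the other way
    return (_ip_match(rule["src"], pkt["dst"]) and _port_match(rule["sport"], pkt["dport"])
            and _ip_match(rule["dst"], pkt["src"]) and _port_match(rule["dport"], pkt["sport"]))


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _endpoints_match(rule, pkt):
        return False
    opts = rule["options"]
    # flags:S means exactly the listed TCP flags are set (reserved bits ignored here)
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    if "content" in opts:
        needle, hay = opts["content"], pkt.get("payload", "")
        if "nocase" in opts:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Return (sid, msg, packet index) for every alert rule that fires on each packet."""
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((int(rule["options"]["sid"]), rule["options"]["msg"], i))
    return alerts


RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 22 (msg:"SSH SYN to server subnet"; flags:S; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"cmd.exe in HTTP request"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 1:1023 (msg:"external host to privileged port"; sid:1000003; rev:1;)',
)]

PACKETS = [  # constructed
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40000, "dst": "192.168.1.10", "dport": 22, "flags": "S", "payload": ""},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 51000, "dst": "192.168.1.10", "dport": 22, "flags": "SA", "payload": ""},
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40001, "dst": "192.168.1.10", "dport": 80, "flags": "PA",
     "payload": "GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"},
    {"proto": "udp", "src": "10.9.8.7", "sport": 53, "dst": "192.168.1.10", "dport": 53, "flags": "", "payload": ""},
]

if __name__ == "__main__":
    for sid, msg, idx in run_rules(RULES, PACKETS):
        print("packet %d: [%d] %s" % (idx, sid, msg))
```

The external SYN to port 22 fires both the SSH rule and the privileged-port rule, the internal SYN/ACK fires neither (wrong flags, internal source), the HTTP request fires the content rule thanks to nocase and the privileged-port rule, and the UDP packet matches no tcp rule at all.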
MORPHEOUS [18] is a prototype mobile agent system that was developed as a final year project at the American University of Beirut. It was chosen as the agent platform for the IDS because of its availability, ease of running and support for mobile agents. It consists of four entities: the agent factory (AF), listeners, officer agents (OA) and soldier agents (SA). The core of the agent system is the AF: it accepts requests from network users (in our case, the Snort requests), generates mobile agents and sends them into the network to deal with specific tasks. On the AF host, a number of officer agents keep track of the soldier agents dispatched over the network and of the data they fetch. The last entity is the listener, a small program that resides on every host in the network and is responsible for accepting, running and deleting soldier agents.
The Data Analysis (DA) component is built around a SOM training procedure. Unlike back-propagation, which is supervised, SOM learning is unsupervised. While the multilayer feed-forward network is trained, the hidden-unit activations of the feed-forward network are used as training material for an accompanying self-organising map. After a few training cycles the map is partly developed, and the information in the map is used to update the connection weights of the feed-forward network. The clustering effect is evident during SOM learning: hidden-unit activations of patterns belonging to the same class become associated with neighbouring map units. Our classification results show that the SOM architecture and learning rule offer a strong alternative to training multilayer feed-forward networks with back-propagation alone.
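As an added illustration (not the paper's implementation), the following pure-Python SOM is trained on constructed connection features and then flags a sample whose quantisation error, its distance to the best-matching map unit, exceeds the largest error seen on the training data. The feature vectors, the 3x3 grid and the threshold rule are assumptions made for this example; the hybrid with a feed-forward network described above is not reproduced.

```python
"""Self-organising map (SOM) as an anomaly detector for connection features.

Added example; not the paper's DA implementation.  The features, the 3x3
grid and the rule 'quantisation error above the largest training error'
are assumptions made for this illustration.
"""
import math
import random

# Constructed per-connection features, scaled to [0, 1]:
# (bytes sent / 1e6, packets / 1e3, distinct destination ports / 100).
NORMAL_TRAFFIC = [
    (0.05, 0.02, 0.01), (0.08, 0.03, 0.01), (0.04, 0.01, 0.02), (0.10, 0.05, 0.01),
    (0.30, 0.20, 0.02), (0.28, 0.18, 0.01), (0.33, 0.22, 0.02), (0.25, 0.15, 0.03),
    (0.12, 0.30, 0.01), (0.15, 0.33, 0.02), (0.10, 0.28, 0.01), (0.14, 0.35, 0.02),
]
PORT_SCAN = (0.02, 0.90, 0.95)   # few bytes, many packets, many distinct ports


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class SOM:
    def __init__(self, rows, cols, dim, seed=0):
        self.rows, self.cols, self.dim = rows, cols, dim
        self.rng = random.Random(seed)
        self.weights = [[0.0] * dim for _ in range(rows * cols)]

    def _bmu(self, x):
        """Index of the best-matching unit (closest weight vector)."""
        return min(range(len(self.weights)), key=lambda i: _dist(self.weights[i], x))

    def _grid_dist(self, i, j):
        ri, ci = divmod(i, self.cols)
        rj, cj = divmod(j, self.cols)
        return math.sqrt((ri - rj) ** 2 + (ci - cj) ** 2)

    def train(self, data, epochs=50, lr0=0.5, radius0=None):
        # Initialise every unit from a training sample so weights start inside the data.
        for i in range(len(self.weights)):
            self.weights[i] = list(data[i % len(data)])
        radius0 = radius0 or max(self.rows, self.cols) / 2.0
        total, step = epochs * len(data), 0
        for _ in range(epochs):
            order = list(data)
            self.rng.shuffle(order)
            for x in order:
                frac = step / total
                lr = lr0 * (1.0 - frac)                       # learning rate decays to 0
                radius = max(radius0 * (1.0 - frac), 0.5)     # neighbourhood shrinks
                b = self._bmu(x)
                for j, w in enumerate(self.weights):
                    d = self._grid_dist(b, j)
                    if d <= radius:
                        h = math.exp(-(d * d) / (2 * radius * radius))
                        for k in range(self.dim):
                            w[k] += lr * h * (x[k] - w[k])
                step += 1

    def quantisation_error(self, x):
        return _dist(self.weights[self._bmu(x)], x)


def train_detector(data, seed=0):
    """Train a 3x3 map and take the largest training error as the anomaly threshold."""
    som = SOM(3, 3, len(data[0]), seed)
    som.train(data)
    threshold = max(som.quantisation_error(x) for x in data)
    return som, threshold


def is_anomalous(som, threshold, x):
    return som.quantisation_error(x) > threshold


if __name__ == "__main__":
    som, thr = train_detector(NORMAL_TRAFFIC)
    print("threshold %.3f" % thr)
    for sample in NORMAL_TRAFFIC[:2] + [PORT_SCAN]:
        print(sample, "anomalous" if is_anomalous(som, thr, sample) else "normal")
```

Because each unit starts at a training sample and every update moves it a fraction of the way towards another sample, the weight vectors never leave the region spanned by the training data; a connection profile far outside that region, such as the port scan, therefore has a quantisation error well above anything seen in training regardless of the random presentation order.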
In the experiment, the sniffer is TcpDump in the form of WinDump [19], its port to the Windows platform. It runs on all operating systems supported by WinPcap, e.g. Windows XP. It was selected because it is lightweight, popular, supports multiple operating systems and can dynamically reconfigure its execution state.
V. CONCLUSION
In this paper, a model for a distributed intrusion detection system based on mobile agents was presented. The system brings in the tool “sniffer” and the open source tool Snort to implement our prototype. After many experiments we found that the system's Snort-based intrusion detection delivers superior performance. The system also uses the SOM feed-forward network architecture to find new types of attack. In future work we will spend more time on detecting new types of attack.
REFERENCES
[1] J. M. Bradshaw, “An introduction to software agents”, in Software Agents, chapter 1, AAAI Press/The MIT Press, 1997.
[2] Stefan Fuenfrocken, “How to Integrate Mobile Agents into Web Servers”, Technical Report, Department of Computer Science, Darmstadt University of Technology, Alexanderstr. 10, D-64283 Darmstadt, Germany.
[3] Wayne Jansen, Peter Mell, Tom Karygiannis, Don Marks, “Applying Mobile Agents to Intrusion Detection and Response”, NIST Interim Report (IR) 6416, October 1999.
[4] Stefan Fuenfrocken, “Integrating Java-based Mobile Agents into Web Servers under Security Concerns”, Technical Report, Department of Computer Science, Darmstadt University of Technology, Alexanderstr. 6, 64283 Darmstadt, Germany.
[5] Rajeev Gopalakrishna, Eugene H. Spafford, “A Framework for Distributed Intrusion Detection using Interest Driven Cooperating Agents”, Purdue University, 2001.
[6] J. P. Anderson, “Computer Security Threat Monitoring and Surveillance”, Technical Report, James P. Anderson Co., Fort Washington, PA, April 1980.
[7] D. E. Denning, “An intrusion-detection model”, in Proceedings of the IEEE Symposium on Security and Privacy, pages 118-131, April 1986.
[8] D. S. Bauer and M. E. Koblentz, “NIDX - an expert system for real-time network intrusion detection”, in Proceedings of the Computer Networking Symposium, pages 98-106, Washington, DC, April 1988.
[9] R. Schoonderwoerd, O. Holland, and J. Bruten, “Ant-like agents for load balancing in telecommunications networks”, in Proceedings of the First International Conference on Autonomous Agents, 1997.
[10] Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni, “An Infrastructure for Intrusion Detection using Autonomous Agents”, COAST Technical Report 98/05, June 11, 1998.
[11] Richard Feiertag, Sue Rho, Lee Benzinger, Stephen Wu, Timothy Redmond, Cui Zhang, Karl Levitt, Dave Peticolas, Mark Heckman, Stuart Staniford, and Joey McAlerney, “Intrusion detection inter-component adaptive negotiation”, Computer Networks 34 (2000) 605-621.
[12] Serge Fenet and Salima Hassas, “A distributed Intrusion Detection and Response System based on mobile autonomous agents using social insects communication paradigm”, Elsevier Science B.V., 2001.
[13] G. B. White, E. A. Fisch, and U. W. Pooch, “Cooperating security managers: A peer-based intrusion detection system”, 10(1): 20-23, 1996.
[14] J. Barrus and N. Rowe, “A distributed autonomous-agent network-intrusion detection and response system”, in Proceedings of the 1998 Command and Control Research and Technology Symposium, 1998.
[15] Sabeel Ansari, Rajeev S. G., and Chandrashekar H. S., “Packet Sniffing: A Brief Introduction”, IEEE, January 2003.
[16] Snort website: www.snort.org (accessed January 15, 2003).
[17] Martin Roesch, “Snort - Lightweight Intrusion Detection for Networks”, white paper on the design features of Snort 2.0, www.sourcefire.com/technology/whitepapers.html (accessed January 15, 2004).
[18] Mohamed Mohsen and Khaled Heloue, “Mobile Agents System for Data Retrieval”, Final Year Project Report, American University of Beirut, August 2003.
[19] WinDump website: www.tcpdump.org (accessed January 10, 2004).