Intrusion Detection Systems (IDSs) are systems that monitor for malicious or suspicious activity and raise an alarm when undesirable events occur.
Need of IDS
- Security is a primary concern.
- Big organizations have very important and confidential data.
- Cyber-attacks have risen sharply with the ever-increasing use of the Internet across a broad range of applications.
Some of the common threats to network security are DoS attacks, botnets, and SQL injection attacks. Available security measures such as firewalls and anti-virus software cannot protect against malicious code or attacks originating within the network, and a large percentage of intrusions may come from inside the network.
An IDS can monitor and analyze events originating both outside and inside the network.
Types of Intrusion Detection Systems
- Misuse-based IDSs match computer activities against stored signatures of known attacks.
- Anomaly-based IDSs first learn the normal behavior of users and systems in the network and then flag anything that deviates from that normal activity.
- Hybrid IDSs combine both approaches to detect known as well as novel attacks. Hybrid detection can be done sequentially (misuse detection followed by anomaly detection, or anomaly detection followed by misuse detection) or with both detection processes running in parallel. The results of the two modules are then combined for the final decision.
Multi-Agent based IDS
An agent is a computer program capable of taking independent actions on behalf of its user to achieve pre-defined goals. Agents are autonomous, proactive and reactive, and have social ability.
A Multi-Agent System (MAS) is a collection of agents that interact with each other to achieve a common goal.
Benefits of Multi-agent based IDS
- Agents used in multi-agent based IDSs gain knowledge from experience, and communicate and work together to detect network intrusions accurately.
- Agents can simultaneously collect data from different hosts to check for anomalies.
- Several agents can work in parallel for packet capturing, feature selection, classification and updating signature database.
- Multi-agent based IDSs are highly scalable.
Design of Integrated scheme using MAS
The design comprises three agents
- The Interface Agent (IA) collects network packets, extracts features, and passes the affected IP addresses in the network to the administrator.
- The Training Agent (TA) constructs models for both the misuse and anomaly modules from the extracted features.
- The Detector Agent (DA) is used for testing: it analyzes network packets and tags them if they are found to be anomalous. The DA is a mobile agent which predicts the class of each incoming packet and sends information about anomalous packets to the Interface Agent.
Work Flow of the system
- The Interface Agent (IA), on the administrator's request, captures packets from the organization's network and extracts useful features from them.
- It also collects log files covering the same time period in which the network packets were captured.
- The extracted packet features and the information about them from the log files are then passed to the Training Agent (TA).
- The TA then labels these packets by analyzing the log file information and creates a database of attack signatures.
- The TA uses this database to build the misuse detection model with a decision tree algorithm.
- The TA also builds normal profiles from the captured packets by computing frequency vectors of the payload data using an n-gram approach.
- The TA then informs the IA that training is done and the system is ready to detect attacks in the network.
- The IA then asks the Detector Agent (DA) to test newly arriving network packets.
- The DA uses both the misuse and anomaly detection models to classify packets and passes the results to the IA.
- The DA keeps the information about detected attack packets and passes it to the IA, and from there to the administrator for further action.
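As an added example (not part of these notes or of any particular implementation), the following Python sketch models the TA's n-gram normal profile and the DA's sequential hybrid classification over packet payloads. The byte-bigram choice, the L1 distance, the threshold rule, the signature table (a plain substring match standing in for the decision tree model) and all payloads are constructed assumptions.

```python
from collections import Counter

N = 2  # n-gram length; byte bigrams are an assumption, the notes only say "n-gram"

def ngram_vector(payload: bytes, n: int = N) -> dict:
    """Frequency vector of byte n-grams in one payload (sums to 1.0)."""
    grams = [payload[i:i + n] for i in range(len(payload) - n + 1)]
    total = len(grams) or 1
    return {g: c / total for g, c in Counter(grams).items()}

def build_profile(normal_payloads: list) -> dict:
    """Training agent: the normal profile is the mean n-gram vector."""
    acc = {}
    for p in normal_payloads:
        for g, v in ngram_vector(p).items():
            acc[g] = acc.get(g, 0.0) + v
    return {g: v / len(normal_payloads) for g, v in acc.items()}

def anomaly_score(profile: dict, payload: bytes) -> float:
    """L1 distance between a payload's vector and the profile (0.0 .. 2.0)."""
    vec = ngram_vector(payload)
    return sum(abs(profile.get(k, 0.0) - vec.get(k, 0.0))
               for k in set(profile) | set(vec))

def calibrate_threshold(profile: dict, normal_payloads: list, margin=1.5):
    """Assumption: flag anything scoring above margin x the worst training score."""
    return margin * max(anomaly_score(profile, p) for p in normal_payloads)

# Constructed misuse signatures (substring match stands in for the decision tree).
SIGNATURES = {"sqli-union": b"UNION SELECT", "sqli-tautology": b"' OR '1'='1"}

def classify(profile: dict, threshold: float, payload: bytes) -> tuple:
    """Detector agent, sequential hybrid: misuse check first, then anomaly."""
    for name, sig in SIGNATURES.items():
        if sig in payload:
            return ("misuse", name)
    score = anomaly_score(profile, payload)
    return ("anomaly" if score > threshold else "normal", round(score, 3))

# Constructed "normal" HTTP payloads standing in for captured training traffic.
NORMAL_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /cart HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]
PROFILE = build_profile(NORMAL_PAYLOADS)
THRESHOLD = calibrate_threshold(PROFILE, NORMAL_PAYLOADS)
```

Calling `classify(PROFILE, THRESHOLD, payload)` returns the tag the DA would forward to the IA; a payload of bytes never seen in training scores close to the maximum distance of 2.0, while the training payloads themselves stay below the calibrated threshold.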