Multi Agent Based Distributed Network Intrusion


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

With the rapid development of computer network technology and the Internet, computer networks have brought great convenience to people. But the Internet is an open system for the general public, and it does not fully consider information confidentiality and system security. As a result, the Internet carries security risks, and the network security situation has become more critical. An intrusion detection system can monitor and analyze user and system activity, and identify and report activity that matches attack patterns already known to management personnel. A Distributed Intrusion Detection System collects information at several key points of the computer network or computer system and analyzes this information. From the collected information it can discover signs of attack and behavior that violates the network or system security policy. A Distributed Intrusion Detection System can make up for the shortcomings of a firewall. It provides real-time network intrusion detection and takes the appropriate protective measures. A Distributed Intrusion Detection System based on multi-agent technology can effectively improve detection accuracy and detection speed, and enhance the system's own security. A Multi-Agent-Based Distributed Intrusion Detection System can cooperate with the firewall and the network management tool to constitute a three-dimensional defense system.

Background to the study

With the swift development of computer networks, the network security problem is becoming more and more important. Using firewalls to protect network security is not enough, because an intruder might try to find open channels behind the firewall. Moreover, as a result of performance limitations, a firewall cannot normally provide an effective intrusion detection capability. The intrusion detection system is a network security technology that has emerged in recent years. It is a combination of hardware and software that can make up for the firewall's insufficiency, provide effective intrusion detection and take the necessary protective measures for the protected network. Intrusion detection is a new and rapidly developing area and it has become an important issue in network security. Intrusion detection methods and products are constantly being researched and developed. Intrusion detection technology has begun to show its value in network attack and defense practice.

A host-based or network-based Intrusion Detection System is almost powerless against complex attacks. A distributed intrusion detection system can curb the devastating effects of such attacks.

An intrusion detection system must comply with the principles of safety, integrity and parallelism. It is very difficult for an Intrusion Detection System to meet all three principles, so Intrusion Detection Systems still have many defects and hazards:

• Intrusion detection systems cannot inspect the entire packet very well.

• Signature database updates are not timely.

• Only a single detection method is used.

• Different Intrusion Detection Systems cannot interoperate.

• Intrusion Detection Systems and other network security products cannot interoperate.

• The architecture of intrusion detection systems needs to be improved.

A Multi-Agent-Based Distributed Intrusion Detection System

1.2.1.1 Advantages

A Multi-Agent-Based Distributed Intrusion Detection System's advantages are as follows:

A Distributed Intrusion Detection System based on multi-agent technology has good independence, strong flexibility and good scalability. It uses the agents' autonomy and the system structure to ensure that the Intrusion Detection System can scale. The Intrusion Detection Module is designed on a unified framework and its rules can be extended.

It uses a top-down control mechanism that works layer by layer to prevent the spread of damage. An upper entity can control a lower entity. Entities in the same layer can send transaction information to each other.

The resilience of the system is very strong. Each agent has a system image inspection system to ensure its safety. Once an agent loses its function, it proactively sends a message to the upper agent, and the upper agent carries out the restoration work.

It uses analysis agents for application software to protect a number of important applications. It uses data integrity analysis technology to make detection more accurate.

1.2.1.2 Framework

The figure describes the framework of a Multi-Agent-Based Distributed Intrusion Detection System. The system consists of a number of agents with different functions in the network, which together form a unified system. These agents can either work independently or work together. There are three categories of data collection agent: host-based, network-based and application-based. The main job of a data collection agent is to collect raw data.

This raw data includes the state and behavior of the system, the network and user activity. The data collection agent filters and re-organizes the raw data it has collected, then transmits it to the data analysis agent. There are three categories of data analysis agent: host-based, network-based and application-based. The data analysis agent's main job is to perform a comprehensive analysis of the data sent by the data collection agents. The data analysis agent can detect intrusions involving multiple hosts, networks and applications. The data analysis agent is the key to the whole Intrusion Detection System. The accuracy of the data analysis agent directly affects the performance of the whole system. The communication agent's main task is to handle communication between the related agents. The communication agent cannot detect or control attacks. It is responsible for the transmission of all information flow. The center agent monitors the operation of the whole system at a high level. The system administrator uses the center agent to manage the entire Distributed Intrusion Detection System.

1.2.1.3 Working principle

The figure describes the working principle of a multi-agent-based Distributed Intrusion Detection System. A Distributed Intrusion Detection System based on multi-agent technology uses the architecture of a Distributed Intrusion Detection System and combines a variety of advanced intrusion analysis and detection technologies. These technologies include pattern matching, protocol analysis, anomaly detection, key surveillance, content resume, network audit and so on. An Intrusion Detection System based on multi-agent technology can monitor and analyze network communication and provide real-time intrusion detection and the corresponding preventive methods. It can create comprehensive network security protection.

In a specific deployment, the data collection agent should be configured flexibly according to the actual situation, such as the network rate, data encryption, whether the network is switched and so on. The data analysis agent uses misuse detection technology based on an expert system, state analysis and attack tree analysis to make the proper response to an attack. The data analysis agent can achieve a high detection rate, a low false alarm rate and timely response. The communication agent is a key part of a multi-agent-based Distributed Intrusion Detection System. The communication agent cannot detect or control attacks, so it must be given a reliable security mechanism. The center agent can decide cases that the data analysis agent cannot judge, centrally allocate and manage all the agents in the system, display alarm information and handle the response.

Artificial Intelligence (Genetic Algorithms)

A Genetic Algorithm (GA) is a programming technique that mimics biological evolution as a problem-solving strategy. It is based on Darwin's principle of evolution and survival of the fittest, and optimizes a population of candidate solutions towards a predefined fitness.

A GA applies evolution and natural selection to a chromosome-like data structure and evolves the chromosomes using selection, recombination and mutation operators.

The process usually begins with a randomly generated population of chromosomes, which represent all possible solutions of a problem that are considered candidate solutions. Different positions of each chromosome are encoded as bits, characters or numbers. These positions are referred to as genes. An evaluation function is used to calculate the goodness of each chromosome according to the desired solution; this function is known as the "Fitness Function". During evaluation, two basic operators, crossover and mutation, are used to simulate the natural reproduction and mutation of species. The selection of chromosomes for survival and combination is biased towards the fittest chromosomes. The following figure shows the structure of a simple genetic algorithm.

The algorithm starts with a random generation of the initial population, then evaluates and evolves it through selection, recombination and mutation. Finally, the best individual (chromosome) is picked out as the final result once the optimization meets its target.

Many authors and researchers are drawn to Genetic Algorithms as a strong and efficient method used in different fields of Artificial Intelligence, noting that several AI techniques can be combined in different ways in different systems for several purposes.

RESEARCH METHODOLOGY

Presently, it is infeasible for several computer systems to guarantee security against network intrusions, as computers are increasingly connected to publicly accessible networks (e.g., the Internet). Since there is no ideal solution that prevents intrusions from occurring, it is very important to detect them at the moment they begin and take the necessary actions to reduce the likely damage. One approach to handling suspicious behavior inside a network is an intrusion detection system (IDS). A wide variety of techniques have been applied to intrusion detection, specifically data mining techniques, artificial intelligence techniques and soft computing techniques. Most data mining techniques, such as association rule mining, clustering and classification, have been applied to intrusion detection, where classification and pattern mining are important techniques. In a similar way, AI techniques such as decision trees, neural networks, genetic algorithms and fuzzy logic are applied to detect suspicious activities in a network, where a genetic algorithm based system provides significant advantages over other AI techniques.

Recently, several researchers have focused on genetic algorithms for effective intrusion detection using data mining techniques. Taking these motivations into consideration, we have developed a genetic algorithm based system for detecting attacks. This anomaly-based intrusion detection system makes use of effective rules identified in accordance with the designed strategy, which are obtained by mining the data effectively. The genetic algorithm generated from the proposed strategy can provide a better classification rate in detecting intrusion behavior. Even though signature-based systems provide good detection results for specified and familiar attacks, the foremost advantage of anomaly-based detection techniques is their ability to detect previously unseen and unfamiliar intrusions. On the other hand, and in spite of the expected inaccuracy of recognized signature specifications, the rate of false positives in anomaly-based systems is generally higher than in signature-based ones.

The genetic algorithm is employed to derive a set of classification rules from network audit data, and the support-confidence framework is used as the fitness function to judge the quality of each rule. The generated rules are then used to detect or classify network intrusions in a real-time environment. To summarize what was presented above on AI-based IDS, the work of these systems is divided into two main stages. First comes the training stage, which provides the system with the information it initially requires; the next step is the detection stage, where the system detects intrusions according to what was learned in the previous step. Applying this to a GA-based IDS, the GA is trained with classification rules learned from previous network audit data. The second stage is applied in real time by classifying the incoming network connections according to the generated rules. Many systems have been proposed in a lot of researches in either simple or advanced fashion, but to give a general idea of the components of the system and basic mechanism of it.

Data Representation

Genes should be represented in some format using different data types such as byte, integer and float. They may also have different data ranges and other features, given that the genes are generated randomly in each population-generating iteration. Genetic algorithms can be used to evolve rules for the network traffic; these rules are usually in the following form:

"If {condition} then {act}"

A rule basically contains an if-then clause, a condition and an act. The condition usually matches the current network behaviour against behaviour stored in the IDS, such as comparing an intruder's source IP address and port number with ones already stored in the system. The act could be an alarm indicating that the intruder's IP address and port number are related to an attacker who is already known to the system.

GA Parameters

A GA has some common elements and parameters which should be defined:

• Fitness Function: "The fitness function is defined as a function which scales the value individual relative to the rest of population." It computes the best possible solutions from the candidates located in the population.

• GA Operators: According to the figure below, selection, mutation and crossover are the most effective parts of the algorithm, as they participate in the generation of each population.

• Selection is the phase where individuals of the population with better fitness are selected; otherwise the individual is discarded.

• Crossover is a process where each pair of randomly selected individuals participates in exchanging their parts with each other, until a totally new population has been generated.

• Mutation flips some bits in an individual, and since all bits could be filled, there is low probability of predicting the change.
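The "if {condition} then {act}" rule form, the support-confidence fitness and the selection, crossover and mutation operators described above can be put together in a small sketch. This is an added example, not code from the essay: the audit records are constructed, and the three-gene layout, the `None` wildcard, the 0.2/0.8 fitness weights and all function names are assumptions made for illustration.

```python
import random

# Constructed audit records (not real traffic): (protocol, dst_port, tcp_flag, label)
AUDIT = [
    ("tcp", 23, "S0", "attack"), ("tcp", 23, "S0", "attack"),
    ("tcp", 23, "S0", "attack"), ("tcp", 23, "SF", "normal"),
    ("tcp", 80, "SF", "normal"), ("tcp", 80, "SF", "normal"),
    ("tcp", 80, "S0", "normal"), ("udp", 53, "SF", "normal"),
    ("udp", 53, "SF", "normal"), ("tcp", 22, "SF", "normal"),
]
# Allowed values per gene; None is a wildcard that matches any value.
GENES = [("tcp", "udp", None), (22, 23, 53, 80, None), ("S0", "SF", None)]
W_SUPPORT, W_CONF = 0.2, 0.8  # assumed weights for support and confidence

def matches(rule, record):
    """Condition part of the rule: every non-wildcard gene equals the field."""
    return all(g is None or g == v for g, v in zip(rule, record))

def fitness(rule, data=AUDIT):
    """Support-confidence fitness of 'if rule matches then attack'."""
    hit = [r for r in data if matches(rule, r)]
    if not hit:
        return 0.0
    both = sum(r[3] == "attack" for r in hit)
    return W_SUPPORT * both / len(data) + W_CONF * both / len(hit)

def crossover(a, b, rng):
    cut = rng.randrange(1, len(a))  # single-point crossover
    return a[:cut] + b[cut:]

def mutate(rule, rng, rate=0.1):
    return tuple(rng.choice(GENES[i]) if rng.random() < rate else g
                 for i, g in enumerate(rule))

def evolve(pop_size=20, generations=30, seed=1):
    rng = random.Random(seed)
    pop = [tuple(rng.choice(g) for g in GENES) for _ in range(pop_size - 1)]
    pop.append((None, None, None))  # most general rule as a baseline
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        parents = pop[: pop_size // 2]  # selection: the fitter half survives
        children = [mutate(crossover(rng.choice(parents), rng.choice(parents), rng), rng)
                    for _ in range(pop_size - 1)]
        pop = [pop[0]] + children  # elitism: the best rule is never lost
    return max(pop, key=fitness)

def detect(rule, record):
    """Act part of the rule: raise an alarm when the condition matches."""
    return "alarm" if matches(rule, record) else "pass"
```

On this data a rule such as `("tcp", 23, "S0")` scores 0.86, while the all-wildcard rule scores only 0.3 because its confidence equals the base rate of attacks; that gap is what drives the population towards specific, low-false-alarm rules.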


