Intrusion Detection System Case Study
Abstract
An Intrusion Detection System (IDS) has become a powerful means of providing security against attacks: it helps us identify, deter and deflect malicious activity on the network [1]. This paper addresses these security problems. We first go through the theoretical basis for intrusion detection; a distributed intrusion detection system based on agents and a multi-agent-based distributed intrusion detection system are also discussed. Some string matching algorithms used in intrusion detection systems are covered as well.
Keywords – Distributed Intrusion Detection System; Agents; Multi Agents.
1. Introduction
In this introduction we look at the string matching algorithms used in intrusion detection, and then at how they are applied inside an IDS. String matching provides the basic solution to the signature-based intrusion detection problem: it is the step that lets the IDS recognise a suspicious attack in the traffic.
- Bad Character Heuristics
The bad character heuristic [2] is closely related to the Boyer-Moore string matching algorithm described before it. The signature is treated as a string of n characters and the message is checked against it to find malicious content. The comparison starts from a single character of the signature aligned with the message; when that character does not match, the window is shifted without examining the rest of it, and when the window is judged to match, an attack is reported and the whole message is treated as malicious regardless of the rest of its content.
The problem with this heuristic is that a malicious fragment can easily be hidden inside the strings being checked.
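As an added example (not code from the paper or from reference [2]), the following Python program applies the bad character heuristic in its Boyer-Moore-Horspool form to a constructed HTTP payload and counts the window alignments it examines, so that the skip can be compared with a byte-by-byte scan. The signature, the payload and the function names are this example's own assumptions.

```python
# Added example (not code from the paper or from [2]): the bad character heuristic
# in its Boyer-Moore-Horspool form, used to look for one signature in a packet
# payload. The signature and the payload below are constructed sample data.


def build_bad_char_table(pattern: bytes) -> dict:
    """Shift distance for each byte that occurs in the pattern (last byte excluded):
    how far the window can move so that the byte lines up with its rightmost
    occurrence in the pattern. Bytes absent from the table allow a full shift."""
    m = len(pattern)
    return {pattern[i]: m - 1 - i for i in range(m - 1)}


def horspool_search(text: bytes, pattern: bytes):
    """Return (list of match offsets, number of window alignments examined).
    The alignment count shows how much of the text the heuristic skips."""
    m, n = len(pattern), len(text)
    if m == 0 or n < m:
        return [], 0
    table = build_bad_char_table(pattern)
    hits, alignments, i = [], 0, 0
    while i <= n - m:
        alignments += 1
        j = m - 1                      # compare from the right end of the window
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            hits.append(i)             # every byte of the signature matched here
        # bad character rule: shift according to the byte under the window's last position
        i += table.get(text[i + m - 1], m)
    return hits, alignments


def naive_alignments(text: bytes, pattern: bytes) -> int:
    """Number of alignments a byte-by-byte scan would examine, for comparison."""
    return max(0, len(text) - len(pattern) + 1)


# constructed sample: one HTTP request whose body carries a shell invocation
SIGNATURE = b"/bin/sh"
PAYLOAD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
           b"name=report;/bin/sh -c id")

if __name__ == "__main__":
    hits, checked = horspool_search(PAYLOAD, SIGNATURE)
    print("matches at", hits, "alignments examined:", checked,
          "byte-by-byte would examine:", naive_alignments(PAYLOAD, SIGNATURE))
```

The table is built once per signature and reused for every payload; the alignment counter is only there to make the skipping behaviour visible and would not be part of a production matcher.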
- Aho-Corasick
The Aho-Corasick algorithm [2] removes the limitation of the previous algorithm. It arranges the set of patterns as a tree structure. The current node represents the part of the message checked so far; when a child node matching the next character is found, matching moves to that node. If the next character matches no child of the current node, the algorithm follows a link to another node of the tree and continues testing the remaining text from there.
- SFK Search
In the SFK search algorithm [2] the child nodes of the tree are stored as a list of siblings, so the test cases are present in sibling form. The current character is tested against the sibling list: when a match is found, the search descends into that node; otherwise the next sibling is tested. Using this algorithm gives an efficient result.
- Wu-Manber
This algorithm was developed by Wu and Manber [2] and removes the limitation of the bad character heuristic. It builds two tables, a shift table and a hash table, to make detection easy. A block of characters from the text is first looked up in the shift table; only where the shift table reports a possible match is the block looked up in the second (hash) table to find the candidate patterns.
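As an added example (not code from the paper or from reference [2]), the following Python class is a minimal Wu-Manber matcher with just the SHIFT and HASH tables over 2-byte blocks; the signature set and the request line used as input are constructed sample data, and the class and function names are this example's own.

```python
# Added example (not code from the paper or from [2]): a minimal Wu-Manber matcher
# with a SHIFT table and a HASH table over 2-byte blocks. The signature set and the
# request line used as input are constructed sample data.
from collections import defaultdict


class WuManber:
    B = 2  # block size: both tables are indexed by B-byte blocks of text

    def __init__(self, patterns):
        self.patterns = [p for p in patterns if len(p) >= self.B]
        # only the first m bytes of every pattern take part in the tables
        self.m = min(len(p) for p in self.patterns)
        self.default_shift = self.m - self.B + 1
        self.shift = {}
        self.hash = defaultdict(list)
        for p in self.patterns:
            prefix = p[:self.m]
            for q in range(self.B - 1, self.m):
                block = prefix[q - self.B + 1:q + 1]
                # a block that ends at position q of some prefix may only move
                # the window by the distance from q to the end of that prefix
                self.shift[block] = min(self.shift.get(block, self.default_shift),
                                        self.m - 1 - q)
            # shift-0 blocks are the last block of a prefix: HASH lists their patterns
            self.hash[prefix[self.m - self.B:]].append(p)

    def search(self, text):
        """Return (offset, pattern) for every occurrence, consulting the HASH
        table only where the SHIFT table says the window cannot move."""
        matches, pos, n = [], self.m - 1, len(text)
        while pos < n:
            block = text[pos - self.B + 1:pos + 1]
            step = self.shift.get(block, self.default_shift)
            if step:
                pos += step            # no pattern prefix can end at this position
                continue
            start = pos - self.m + 1
            for p in self.hash.get(block, ()):
                if text.startswith(p, start):   # verify the full pattern
                    matches.append((start, p))
            pos += 1
        return matches


# constructed sample signatures and request line
SIGNATURES = [b"/bin/sh", b"cmd.exe", b"../../", b"etc/passwd"]
REQUEST = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0"


def scan(text, signatures=SIGNATURES):
    """Sorted (offset, signature) pairs found in text."""
    return sorted(WuManber(signatures).search(text))


if __name__ == "__main__":
    print(scan(REQUEST))
```

The shift for a block is the minimum over all patterns in which the block occurs, so the window can never jump past the end of an occurrence; the full `startswith` verification is what keeps patterns longer than m bytes correct.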
2. Problems in String Matching Algorithms
Some problems are discussed here:
Snort: Snort uses a set of rules derived from known attacks and other defects [2]. The rules are written by experts; when a rule's condition is satisfied, the corresponding action is applied. Snort encodes best practices and knowledge of the Internet, and is a method through which some of these problems can be removed.
The problem with Snort is that as the use of the Internet increases, the number of Snort rule definitions increases with it. The rule database becomes heavily loaded and complex, and as a result the speed of matching against the Snort database decreases.
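The Aho-Corasick tree from section 1 and the growing Snort rule database discussed here fit together, so one added example (not code from the paper, from reference [2] or from Snort) serves both: the Python program below builds an Aho-Corasick automaton over a set of rule content strings and scans a payload in a single pass. It also counts the automaton transitions, which stay within twice the payload length whether the rule set has 4 entries or 504; the per-byte scan cost therefore does not grow with the rule count, although the automaton's size and build time do. The rule strings, the filler rule names and the payload are constructed.

```python
# Added example (not code from the paper, from [2] or from Snort): an Aho-Corasick
# automaton over rule content strings, scanning one payload in a single pass.
# The sample signatures, the filler signatures and the payload are constructed.
from collections import deque


class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]   # goto[node][byte] -> child node (the tree of patterns)
        self.fail = [0]    # fail[node] -> node to continue from on a mismatch
        self.out = [[]]    # out[node] -> patterns that end at this node
        for p in patterns:
            self._insert(p)
        self._build_failure_links()

    def _insert(self, p):
        node = 0
        for b in p:
            if b not in self.goto[node]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[node][b] = len(self.goto) - 1
            node = self.goto[node][b]
        self.out[node].append(p)

    def _build_failure_links(self):
        # breadth-first, so every node's fail link is known before its children's
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                # a pattern that ends at the fail target also ends here
                self.out[child] = self.out[child] + self.out[self.fail[child]]
                queue.append(child)

    def search(self, text):
        """Return ((offset, pattern) list, transitions taken). Each fail hop
        reduces the depth by at least one and each goto raises it by at most one,
        so transitions never exceed 2 * len(text), whatever the pattern count."""
        node, steps, matches = 0, 0, []
        for i, b in enumerate(text):
            while node and b not in self.goto[node]:
                node = self.fail[node]
                steps += 1
            node = self.goto[node].get(b, 0)
            steps += 1
            for p in self.out[node]:
                matches.append((i - len(p) + 1, p))
        return matches, steps


# constructed sample rule content strings and payload
BASE_RULES = [b"/bin/sh", b"cmd.exe", b"../../", b"etc/passwd"]
PAYLOAD = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"


def rule_set(extra):
    """The four sample rules plus `extra` constructed filler signatures that do
    not occur in PAYLOAD, modelling a rule database that keeps growing."""
    return BASE_RULES + [b"filler-sig-%04d" % k for k in range(extra)]


def scan(extra_rules, payload=PAYLOAD):
    """Build the automaton for the rule set and scan the payload once."""
    return AhoCorasick(rule_set(extra_rules)).search(payload)


if __name__ == "__main__":
    for extra in (0, 500):
        matches, steps = scan(extra)
        print(len(rule_set(extra)), "rules:", matches, "transitions:", steps,
              "bound:", 2 * len(PAYLOAD))
```

In a real deployment the automaton is built once when the rule set is loaded and reused for every packet, which is where the memory cost of a large rule database shows up; the scan itself touches each payload byte a bounded number of times.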
3. Agent Based Intrusion Detection System
Before using agents in an intrusion detection system, some problems of the existing systems are discussed here:
a) Real-time detection and response are not good [3].
b) If a centralized database is used and all the collected information is sent to that host, the host becomes overloaded [3].
c) If new hosts are added to the centralized database, the load increases further [3].
d) The flexibility of the system is not good.
e) There is a lack of cooperation between different intrusion detection systems.
To remove these problems, an agent based intrusion detection system is used.
1. Agent: An agent is self-adaptable, intelligent and collaborative; one agent interacts with the other agents.
There are two types of agent:
(a) Static agent: A static agent, as proposed by agent technology, stays on the platform on which it was created; once deployed, no changes are made to it [3].
(b) Mobile agent: A mobile agent is capable of moving from one node of the network to another [3].
2. Working of Distributed Intrusion Detection Based on Agents: Drawing on the merits of agent technology, this paper discusses distributed intrusion detection based on agents [3]. The parts of the system are the Manage Agent, the Host Agent and the Net Agent. The Manage Agent includes the Mobile Agent Dispatcher (MAD), the Learn Agent and the Update Agent.
- Static agents: Net Agent and Learn Agent. - Mobile agents: Manage Agent and Update Agent.
The data is first checked by the Host Agent and the Net Agent, which detect suspicious activity in it. The result is sent to the Manage Agent, which checks the attacked-host list in the Mobile Agent Dispatcher and then moves to all the other agents to look for the same attack. If the mobile agent or any other agent finds the threat, it reports it to the Learn Agent, which has learning ability and updates the VHL. The database is thus updated and the other threats are checked.
Figure 1. Architecture of Distributed IDS Based on Agents [3].
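The workflow just described, as an added example that is not code from the paper or from reference [3]: a small in-memory Python simulation in which Host and Net Agents report to a Manage Agent, the Manage Agent's dispatcher visits every other host with only the signature that raised the alert, and the Learn Agent records the confirmed hosts in the VHL. The agent names follow the paper; the message shapes, the VHL layout (signature to set of hosts), the sample signatures and the log lines are assumptions made here.

```python
# Added example (not code from the paper or from [3]): an in-memory simulation of
# the agent workflow. Agent names follow the paper; the message shapes, the VHL
# layout, the sample signatures and the log lines are constructed assumptions.

SIGNATURES = [b"../../", b"/bin/sh"]   # constructed signature list


class HostAgent:
    """Static agent on one host: checks that host's own log lines for signatures."""
    def __init__(self, name, log_lines):
        self.name, self.log_lines = name, log_lines

    def inspect(self, signatures):
        """Signatures that occur in at least one of this agent's log lines."""
        return {sig for sig in signatures for line in self.log_lines if sig in line}


class NetAgent(HostAgent):
    """Static agent watching a network segment: same check, different data source."""


class LearnAgent:
    """Keeps the VHL, modelled here as signature -> hosts where it was confirmed."""
    def __init__(self):
        self.vhl = {}

    def update(self, sig, hosts):
        self.vhl.setdefault(sig, set()).update(hosts)
        return sorted(self.vhl[sig])


class ManageAgent:
    """Mobile agent: receives an alert, and through its Mobile Agent Dispatcher (MAD)
    visits every other host to look for the same attack before informing the Learn Agent."""
    def __init__(self, hosts, learn_agent):
        self.hosts, self.learn_agent = hosts, learn_agent

    def dispatch(self, origin, sig):
        # MAD: visit the other hosts with only the signature that raised the alert
        also_hit = {h.name for h in self.hosts
                    if h.name != origin and sig in h.inspect({sig})}
        return self.learn_agent.update(sig, {origin} | also_hit)


def run_round(agents, manage_agent, signatures):
    """One detection round: every Host/Net Agent reports, the Manage Agent correlates.
    Returns signature -> sorted list of hosts on which it was confirmed."""
    report = {}
    for agent in agents:
        for sig in agent.inspect(signatures):
            report[sig] = manage_agent.dispatch(agent.name, sig)
    return report


# constructed log lines for three hosts and one network segment
HOSTS = [
    HostAgent("web1", [b"GET /a?f=../../etc/passwd HTTP/1.0", b"GET /index.html HTTP/1.0"]),
    HostAgent("web2", [b"GET /img/logo.png HTTP/1.0"]),
    HostAgent("web3", [b"POST /upload?cmd=/bin/sh HTTP/1.0", b"GET /b?f=../../etc/shadow HTTP/1.0"]),
]
NET = NetAgent("segment-A", [b"GET /a?f=../../etc/passwd HTTP/1.0"])


def demo():
    learn = LearnAgent()
    manage = ManageAgent(HOSTS, learn)
    return run_round(HOSTS + [NET], manage, SIGNATURES), learn.vhl


if __name__ == "__main__":
    report, vhl = demo()
    print(report)
    print(vhl)
```

The point of the dispatch step is problem (e) above: a detection on one host triggers a targeted check of the same signature on the others, and the Learn Agent ends up with the full list of affected hosts rather than one isolated alert.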
4. Distributed Intrusion Detection System on Multi-Agent
In the distributed intrusion detection system above, only one agent is used to detect a suspicious attack. A multi-agent system is more helpful in finding suspicious attacks [4].
(a) Problems: Some problems with intrusion detection that the multi-agent distributed IDS addresses are [4]:
1) The intrusion detection cannot test the entire packet.
2) The signature database is not updated in a timely manner.
3) It is a single point of detection.
4) It cannot interoperate with other intrusion detection systems.
5) The intrusion detection system and the other network security components cannot interoperate.
(b) Advantages: Some advantages of the multi-agent approach are:
1. An intrusion detection system based on multi-agent technology has good independence, flexibility and scalability [4].
2. It uses a top-down control mechanism, which works to prevent damage [4].
3. Each agent can inspect the system to ensure its safety. If an agent loses its function, it first sends a message to the upper layer, and the upper layer restores its work [4].
4. Agents analyse application software to protect a number of applications, and use integrity analysis technology to make detection accurate [4].
(c) Working: A multi-agent based IDS can monitor and analyse the network and provide accurate detection with improved speed.
There is a data collection agent, configured according to parameters such as the network rate and data encryption. There is a data analysis agent based on an expert system, state analysis and attack tree analysis; with these the data analysis agent can achieve a high detection rate.
There is a communication agent, which is the main part of the multi-agent based IDS and must be configured to provide a reliable security mechanism. There is also a center agent, which handles those conditions that are not handled by the analysis agent [4].
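The pipeline described in (c), together with the behaviour from advantage 3, as an added example that is not code from the paper or from reference [4]: a Python model in which a collection agent feeds records through a communication agent to an expert-system style analysis agent, records the analysis agent cannot decide are handed to the center agent, and an analysis agent that has lost its function is reported upward and restored before the record is retried. The agent roles follow the paper; the interfaces, the rule table and the sample records are assumptions made here.

```python
# Added example (not code from the paper or from [4]): an in-memory model of the
# multi-agent pipeline, including the "report upward and restore" behaviour of
# advantage 3. Roles follow the paper; interfaces, rules and records are assumptions.


class DataCollectionAgent:
    """Collects raw records; in this model they come from a constructed list."""
    def __init__(self, records):
        self.records = list(records)

    def collect(self):
        return self.records


class DataAnalysisAgent:
    """Expert-system style analysis with a small rule table. Returns a label, or
    None when no rule covers the record (the case handed to the center agent)."""
    RULES = {b"../../": "path-traversal", b"/bin/sh": "shell-invocation"}

    def __init__(self):
        self.alive = True

    def analyse(self, record):
        if not self.alive:
            raise RuntimeError("analysis agent lost its function")
        for sig, label in self.RULES.items():
            if sig in record:
                return label
        return None


class CenterAgent:
    """Upper layer: handles what the analysis agent cannot, restores failed agents."""
    def __init__(self):
        self.escalated = []
        self.restarts = 0

    def handle(self, record):
        # stand-in for state analysis: unknown records are kept for later correlation
        self.escalated.append(record)
        return "escalated"

    def restore(self, agent):
        agent.alive = True
        self.restarts += 1


class CommunicationAgent:
    """Moves records between the agents and carries failure reports upward."""
    def __init__(self, collector, analyser, center):
        self.collector, self.analyser, self.center = collector, analyser, center

    def run(self):
        verdicts = []
        for record in self.collector.collect():
            try:
                verdict = self.analyser.analyse(record)
            except RuntimeError:
                self.center.restore(self.analyser)       # report up; upper layer restores
                verdict = self.analyser.analyse(record)  # retry on the restored agent
            verdicts.append(verdict if verdict is not None else self.center.handle(record))
        return verdicts


# constructed sample records
RECORDS = [b"GET /a?f=../../etc/passwd", b"GET /status", b"POST /run?c=/bin/sh"]


def demo(analyser_down_at_start=True):
    """Run one pass; optionally start with the analysis agent out of service."""
    collector, analyser, center = DataCollectionAgent(RECORDS), DataAnalysisAgent(), CenterAgent()
    analyser.alive = not analyser_down_at_start
    verdicts = CommunicationAgent(collector, analyser, center).run()
    return verdicts, center.restarts, center.escalated


if __name__ == "__main__":
    print(demo())
```

Keeping the restore path inside the communication agent matches the paper's description that the failed agent's message goes to the upper layer rather than being handled locally; a record is never dropped because of the failure, since it is retried once the agent is back.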
5. Conclusion
We have studied the most commonly used string matching algorithms, namely the bad character heuristic, Aho-Corasick, SFK search and Wu-Manber, and also intrusion detection in distributed computing based on agents and multi-agents. We found that a multi-agent based intrusion detection system can improve detection accuracy and detection speed and enhance system security. We also found that distributed intrusion detection based on agents and multi-agents is more reliable and efficient than the other IDS available today. In future it also has scope for networks.
6. References
- [1] Zhuowei Li, Amitabha Das, Jianying Zhou, "Theoretical Basis for Intrusion Detection", Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, US Military Academy, West Point, NY.
- [2] Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese, "Deterministic Memory-Efficient Matching Algorithms for Intrusion Detection", IEEE INFOCOM 2004.
- [3] Jianxiao Liu, Lijuan Li, "A Distributed Intrusion Detection System Based on Agents", IEEE Pacific-Asia Workshop on Computational Intelligence and Industrial Application, 2008.
- [4] Weijian Huang, Yan An, Wei Du, "A Multi-Agent-Based Distributed Intrusion Detection System", 3rd International Conference on Advanced Computer Theory and Engineering (ICATE), 2010.