Paper-6 Securing Enterprise Networks a Multiagent-Based Distributed Intrusion Detection Approach

  • 7/28/2019 Paper-6 Securing Enterprise Networks a Multiagent-Based Distributed Intrusion Detection Approach

    International Journal of Computational Intelligence and Information Security, June 2013 Vol. 4, No. 6, ISSN: 1837-7823

    Securing Enterprise Networks: A Multiagent-Based Distributed Intrusion

    Detection Approach

    Nwaocha, Vivian Ogochukwu and Inyiama, H. C.

    Computer Science Department

    University of Nigeria, Nsukka

    Abstract

    There is an ever-growing reliance on computer networks for business transactions globally. While these

    networks have facilitated the provision of critical services in medical, financial and educational institutions in

    particular, they have equally served as a means for diffusing network attacks. These threats take many forms,

    but all result in loss of privacy to some degree and possibly malicious destruction of information or resources that can lead

    to large monetary losses. One of the most prevalent threats is the Distributed Denial of Service (DDoS) network

    attack, which prevents legitimate users from accessing network services. Detecting intrusions is a difficult task in

    any networked environment, especially in an enterprise network which naturally lends itself to a distributed exploitation of its resources by employees and third parties. In such a scenario, the identification of a potential

    attack requires that information is gathered from different sources. Besides, current solutions lack a fundamental

    dynamic feature required in order to ensure both flexibility of the architecture and robustness in the event of

    changes in network and traffic status. Besides, DDoS attacks are spreading at a very high rate and are not easily

    contained by existing intrusion detection systems. Although distributed intrusion detection systems have been

    developed to counter these threats, they still have the drawback of using up huge network resources. It is against

    this backdrop that this paper presents a model of a Multiagent-Based Distributed Intrusion Detection System

    (MABDIDS) which detects intrusions efficiently by means of small-sized mobile agents. As a proof of concept,

    a prototype of the proposed system is implemented and tested. The outcome of the tests revealed that compared

    with existing solutions, the proposed system provides superior performance in terms of detection rate and saves

    network resources.

    Keywords: Distributed Intrusion Detection System, Enterprise Network, Intrusion Detection System, Mobile

    Agent, Mobile Agent Platform, Multiagent System

    1. Introduction

    Today, there is an ever-growing reliance on computer networks for business transactions. Hence, several

    educational institutions, government agencies, health care facilities, banking, financial institutions and private

    residencies offer vital services through the global network, known as the Internet [1].

    However, with the free flow of information and the high availability of many resources, managers of

    enterprise networks have to understand all the possible threats to their networks. These threats take many forms,

    but all result in loss of privacy to some degree and possibly malicious destruction of information or resources

    that can lead to large monetary losses [2].

    It is obvious that the Internet is critical for delivering educational contents to diverse students in remote

    geographical areas globally and is regarded by everyone as an indispensable IT infrastructural service. This

    medium facilitates health care delivery, financial and other essential services.

    On the other hand, the convenience of the Internet comes at the expense of several security risk exposures.

    It is therefore vital that the appropriate level of network security is maintained in an enterprise network to ensure

    its high availability. In particular, institutions constantly face unique challenges keeping their servers and

    networks secure from cyber-criminals while accommodating the influx of student and faculty-owned devices. A

    recent analysis of online transaction data highlighted to what extent some of these establishments have already

    been compromised.

    While the Internet has facilitated the provision of critical services in educational and financial institutions in

    particular, it has also served as a means of diffusing network attacks. These establishments have had to face

    The EMERALD project proposes a distributed architecture for intrusion detection that employs entities

    called service monitors. The latter are dynamically deployable, highly distributed, and independently tunable.

    They provide localized real-time analysis of infrastructure and services. The approach covers the misuse of

    individual components and network services within a single domain and includes service analysis. The objective

    of the service analysis is to streamline and decentralize the surveillance of a domain's network interfaces for

    activities that may indicate misuse or anomalies in operations. EMERALD enables domain-wide analysis covering the misuse visible across multiple services and components, and enterprise-wide analysis covering

    coordinated misuse across multiple domains. The project also defines several layers of monitors for performing

    data reduction in a hierarchical fashion. Although the monitors provide distributed network status analysis, most

    of the detection intelligence is placed in a central system. Further, all the decision making regarding the

    deployment of the monitors takes place in the central system, thus resulting in potential delays and processing

    overhead.

    In 2003, a scheme was proposed where lightweight agents travel between monitored systems in a network of

    distributed systems, obtain information from data-processing agents, classify and correlate information, and

    report the information to both a user interface and a database, via mediators. In such systems, the agents had zero

    detection and analysis capabilities.

    A new Mobile Agent Distributed Intrusion Detection System (MADIDS) was proposed to process the great

    flow of intrusion detection data transfer in high-speed networks [3]. The MADIDS system consists of specialized

    agents: event generation agents, event analysis agents, event tracking agents, and an agent server. Event generation

    agents are distributed to every place in the network to collect intrusion data of interest. Each submits a portion of

    the data to the event analysis agent residing on the same host or passes the data directly to the agent server if the

    network load permits. Event analysis agents analyze the collected data and pass the results to a local event

    tracking agent which in turn tracks the intrusion. The agent server is a central supervision unit that receives data

    from event generation/analysis agents and allocates the analysis/tracking tasks to the suitable agents. It monitors

    and dynamically balances the load of each agent. In this system, agents had no intrusion detection or response

    responsibilities.

    2.1.2. Intrusion Detection Using Autonomous Agents

    The application of autonomous agents in intrusion detection has equally been investigated. Agents are taught how to identify intrusive behaviors using Genetic Programming. Nevertheless, it was discovered that this

    setup imposes overhead on the system in both time and space as it consumes memory and CPU time. Besides, a

    long time is required to train the agents before they can be considered ready for deployment.

    The approach described in propose an architecture for a distributed intrusion detection system based on

    multiple independent entities called Autonomous Agents for Intrusion Detection (AAFID) framework. Agents

    are used mainly as a means for structuring the intrusion detection collection component into a set of lightweight

    software components, which can be easily reconfigured. On a given host, they look for interesting events and

    report their findings to a single transceiver that oversees their operations. The transceivers, in turn, report their

    results to one or more monitors that are responsible for the network. Among the several issues that are associated

    with this framework, there is adaptability. The system is incapable of dynamically controlling the agent

    population at run-time and agents appear to be static once they are deployed to a transceiver, although they can

    be replaced through reconfiguration.

    In more recent research, Nwaocha and Inyiama (2011) proposed an intrusion detection and prevention system

    based on small, autonomous, and intelligent intrusion detectors as sensors. Their study was inspired by the

    principle of operation of nervous systems. In their work, data collection and analysis elements are operated by

    autonomous agents based on risk assessment and managed on the basis of the autonomic computing theory with

    self-management properties. The main purpose of using autonomic computing was to create computing systems

    capable of managing themselves to a far greater extent when given high-level objectives, and to provide a set of

    prevention rules that will attempt to stop the attack before it happens depending on risk analysis and risk

    assessment. This confirms the validity of the alerts and identifies false positive alerts by measuring the

    risk caused by the detected threat, thus determining whether it is a normal activity or not. This work was

    however limited to host-based intrusion, and although they had proposed the use of mobile agents, they did

    not implement it in their system.

    2.1.3. Intrusion Detection Systems Based on Mobile Agents and Fully Distributed Architectures

    One well-known example of applying distributed agent design methodology in the intrusion detection

    domain is the Distributed Intrusion Detection System (DIDS) [Snapp et al. 1991]. DIDS was an attempt to build

    a distributed system based on monitoring agents that reside at every host in the network. A centralized data

    analysis component called the DIDS director agent is solely responsible for the analysis of the network traffic data collected by each monitor. The DIDS architecture presents both advantages and disadvantages. On one

    hand, the system utilizes the real-time traffic information from various sources, namely, data from various

    host monitors, to assess the security status of its residing network. However, as a drawback, the system's

    scalability is poor for large networks, as an increasing number of host monitors also significantly increases the

    work load of the DIDS director agent. Additionally, the data flow between host monitors and the director agent

    may generate significantly high network traffic overheads.

    A mobile agent-based architecture and model consists of a large number of small mobile agents that

    perform the tasks of monitoring, decision-making, notification and reaction to attempted intrusions [45]. Each

    agent observes a small aspect of the entire system. When an agent considers an activity suspicious, it advises the

    other agents about it. Thereafter, an agent (or a group of agents) with a higher level of specialization for that type

    of suspected intrusion is activated. Once there is a consensus among a large number of agents about the existence

    of an intrusion, a message is then sent requesting the intervention of a human operator, who will launch a group

    of reactive agents. In this system, specialized agents can be added whenever a new form of attack is identified or

    removed dynamically from the system. The system suffers from massive detection latency since an agent by

    itself has no authority to identify an attack but a majority vote among specialized agents is required before

    further actions are taken.

    Cooperative Security Managers (CSM) are employed to perform distributed intrusion detection that does

    not need a hierarchical organization or a central coordinator. The design requires that a CSM be run on every

    host attached to the network. A CSM consists of a local intrusion detection component responsible for detecting

    local and proactive intrusions, a security manager that correlates data collected by its own host's IDS and other

    CSMs, an intruder-handling component that determines what action to take when an attack is detected, a graphical user

    interface that allows the security administrator to communicate with each CSM, a command monitor that accepts

    commands from the user and sends them to the IDS for analysis, and a communication handler that provides the

    communication between CSMs using TCP. However, the CSMs are stationary agents, cannot be updated or

    reconfigured dynamically, and result in overhead on the host performance since they run on the host at all times.

    In [47], a social insect-based mobile agent framework, named Artificial Network Termite Colony (ANT),

    was developed using static internal agents and mobile agents. The approach is based on the use of a chemical-

    like information that represents an abnormal behavior. ANT relies on the raising and lowering of pheromone

    fields, which represent criteria to guide simple agents towards collectively exhibiting complex problem-solving

    behavior. Pheromones are spread to pheromone servers via short lived mobile agents, while other defensively

    minded agents prowl the network performing system checks, sensing the gradient of the pheromone field, and

    deciding whether to take a defensive action or move onward in a direction where the field is stronger. Our own

    approach is similar to this work in the sense that the agent population increases when intrusions are detected and

    decreases after the attack(s) are terminated. However in ANT, agents are specialized and their detection

    procedures cannot be updated dynamically.

    Other research presents a fully distributed architecture where data collection and information analysis are

    performed locally without referring to the central management unit. For instance, the designed architecture in

    comprises two components: IDS agents and a stationary secure database (SSD). The agent is responsible for

    detecting intrusions based on local audit data and participating in cooperative algorithms with other IDS agents

    to decide if the network is being attacked. Each agent has a local audit trail, a misuse detection module, an

    anomaly detection module, and a local database. The local audit trail collects audit data and passes it to the

    misuse detection module and anomaly detection module for further analysis. The local database warehouses all

    information necessary for the IDS agent such as signature files and user patterns. The SSD acts as a trusted

    database for the agents to obtain the latest misuse signatures. It contains global signatures of known misuse attacks

    and stores patterns of each user's normal activity in a non-hostile environment. The system requires that an IDS

    agent resides on every host, thus resulting in a large number of IDS agents in the network. A large number of

    up-and-running agents results in both network and host overhead. The agent processes that execute on each host

    consume CPU time and the large number of agents causes intensive message passing among the agents resulting

    in network bandwidth consumption. Moreover, the proposed system does not fit a dynamic environment, where

    computers are dynamically added or taken off the network, since the implementation of the system

    administration will be far more complex.

    A more recent development in the domain of distributed IDS architectures is MINDS [Ertoz et al. 2004].

    The MINDS system analyzes data collected directly by sensors distributed throughout the network, tapping

    information directly from the routers. It combines an unsupervised anomaly detection data mining algorithm,

    which assigns to each of the collected network connections a score reflecting how anomalous it is, and an

    association pattern analysis-based module, which generates a summarization report of those network connections that are ranked highly anomalous. Although MINDS seems to solve both anomaly and misuse detection

    problems, it requires human efforts to assist in its data mining techniques for their proper functioning. That is,

    the summarized anomalous data information needs to be supplied to a human analyst who is then responsible for

    manually performing the unsupervised anomalous data labeling process.

    Another distributed agent-based IDS called Distributed Hybrid Agent Based Intrusion Detection and Real

    Time Response System [Vaidehi and Ramamurthy 2004] analyzes anomalies to detect and identify the Denial of

    Service (DoS) and data theft attacks, in addition to analyzing intrusion signatures capable of detecting

    wardriving-based hacks. It also attempts to respond to intrusions in real time by sending out alerts to the

    designated network administrator when network intrusions are detected. One of its main drawbacks is the design

    complexity of its comprising agents, in that each agent must take on almost all of the work load of network

    traffic sniffing, data parsing, and intrusion detection. This makes the architecture inherently less lightweight.

    In addition, its data mining techniques are less powerful since they are capable of detecting only a limited

    number of network attacks.

    In Helmer et al. [2003], an IDS prototype entirely comprised of mobile agents was developed. In this

    architecture, the mobile agents travel among monitored systems in a network of distributed systems, obtain

    information from designated data-cleaning agents that reside at each host, classify and correlate the supplied

    information, and finally report the analysis results to a designated administrator through a user interface and

    several databases. One of its main advantages is its support for the runtime addition of new capabilities into the

    mobile agents. However, one of its main disadvantages is the overhead in time required to transmit the mobile

    agents' code and required data among the monitored hosts in the residing network, which reduces the system's

    ability to respond to network intrusions in real time.

    All of these architectures, having both their advantages and disadvantages, attempt to achieve the common

    goal of effective intrusion detection, while at the same time minimising the adverse side effects of realistic

    constraints, such as the limited availability of processing power at hosts, and the scalability issues inherent in

    distributed system design.

    3.1 System Design

    The architecture of the proposed system (MABDIDS) consists of a set of distributed, autonomous but

    collaborating agents. Hence, the entire architecture of the proposed model of the Multiagent-based Distributed

    Intrusion Detection System (MABDIDS) is presented in Figure 3.1.

    The framework consists of the following components:

    - Main Machine for Intrusion monitoring and detection
    - Mobile Agent Platform
    - Mobile Agents for Intrusion Detection
    - Authentication Tool
    - Utility Tool

    [Figure component labels: User Interface; Detection Engine (Snort); Database; Message Handler; Mobile Agent Platform Interface; Mobile Agent Platform]

    Figure 3.1 The General Architecture of MABDIDS

    4.3.1 The Intrusion Detection Controller

    The intrusion detection controller is the foundation of the distributed framework. It monitors the

    network segments and serves as the main intrusion detection and processing unit. Its key functions are

    as follows:

    i. acting as a correlating unit for multiple log files sent by dispatched agents;
    ii. providing and updating rule sets and severity lists for each of the agents;
    iii. interfacing the IDS to the system administrator; and
    iv. supervising and tracking existing mobile IDS agents, as well as instructing different agents about the speed of dumping that they should use depending on the security level.

    The intrusion detection controller further comprises the following:

    - an intrusion detection system (IDS), which serves as a detection engine;
    - a user interface;
    - a database; and
    - a message handler.

    [Figure panel labels, repeated three times: MAP Interface; Mobile Agent Platform (MAP); Aglet Context; Sniffer; Lightweight Snort; Briefcase; Message Handler]

    4.3.1.1 Detection Engine

    The detection engine analyses the log files of raw data gathered. The main role of the detection

    engine is to gather and correlate IDS data from the multiagent-based distributed intrusion

    detection system. Hence, it links events across the network and provides a heuristic analysis of

    the aggregated data.

    4.3.1.2 User Interface

    The user interface provides the graphical user interface (GUI) for the system administrator.

    Through the user interface, the system administrator is able to do the following:

    - Initialise the number of start-up agents (parent IDS Agents) and arm each with a visit list for agent hopping.
    - Assign an initial rule set for each agent that will be used by the detection engine to test for intrusions. This set can be updated later by the MIDP.
    - Categorize attacks according to the severity level of each. The user interface enables the system administrator to customize the system security concerns by assigning dangerous attacks high severity levels and less harmful attacks lower severity levels.

    4.3.1.3 Database

    The database comprises a secure trusted storage for the mobile agents to obtain the latest information about attacks in order to update their severity lists. This database contains

    two types of information: signatures (rule set) and severity level associated with each attack

    (severity list). A severity level defines the response mechanism that agents should use when

    particular attacks are detected. For instance, level 1 (most severe attack) means that the agents

    should send all logged network traffic plus the alarm file while level 2 implies that the agent

    should send a representative of the logged traffic and the alarm file. The entire list is presented

    in table 4.1. The database also contains credentials of existing agents in the system. This

    information includes: the agent ID, its child ID (if exists), its parent ID (if exists), the agent

    visit list, the agent proxy, and the host at which the agent is currently residing.

    Severity level   Description
    1                Send the entire log file and alerts generated.
    2                Send a summary of all log files and alerts generated.
    3                Send only the alert file while saving the dump file at the current host.
    4                Inform the intrusion detection manager about a potential attack while saving the dump and alert files at the current host.
    5                Inform the intrusion detection manager about a potential attack while saving the dump file only at the current host.
    6                Ignores the potential attack while saving the dump file only at the current host.

    Table 4.1 List of Severity Rules

    4.3.1.4 Message Handler

    The message handler enables the Intrusion Detection Manager (IDM) to respond to messages sent to it.

    The intrusion detection manager identifies and interprets the following key messages: NEW_AGENT,

    MANUAL_UPDATE, ATTACK_DETECTED, DISPOSAL_REQUEST,

    CREATE_AGENTS_REQUEST, AGENT_INFO_REQUEST, and HOST_INFO_REQUEST.
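
    A sketch of the controller side, added here as an example and not taken from the paper or its prototype: the message handler accepts four of the seven messages listed above, and the detection engine links ATTACK_DETECTED reports arriving from different hosts. The message fields, the 10-second window, the three-host threshold and all agent IDs and addresses are constructed assumptions.

```python
"""Controller-side message handling and cross-agent correlation (illustrative)."""
from collections import defaultdict, deque


class IntrusionDetectionManager:
    def __init__(self, window_s=10.0, min_hosts=3):
        self.window_s = window_s    # assumption: correlation window, in seconds
        self.min_hosts = min_hosts  # assumption: distinct reporting hosts required
        self.agents = {}            # agent_id -> credentials stored in the database
        self.reports = defaultdict(deque)  # (sid, dst) -> deque of (ts, host)
        self.incidents = {}         # (sid, dst) -> hosts that jointly reported it

    def handle(self, msg):
        handlers = {
            "NEW_AGENT": self._new_agent,
            "ATTACK_DETECTED": self._attack_detected,
            "AGENT_INFO_REQUEST": self._agent_info_request,
            "DISPOSAL_REQUEST": self._disposal_request,
        }
        handler = handlers.get(msg.get("type"))
        if handler is None:
            return {"status": "rejected", "reason": "unsupported message type"}
        return handler(msg)

    def _new_agent(self, msg):
        parent = msg.get("parent_id")
        if parent is not None and parent not in self.agents:
            return {"status": "rejected", "reason": "unknown parent"}
        self.agents[msg["agent_id"]] = {
            "parent_id": parent, "child_id": None,
            "visit_list": list(msg.get("visit_list", [])), "host": msg["host"],
        }
        if parent is not None:  # a clone: link it to the agent that spawned it
            self.agents[parent]["child_id"] = msg["agent_id"]
        return {"status": "ok"}

    def _attack_detected(self, msg):
        agent = self.agents.get(msg.get("agent_id"))
        if agent is None:
            # Reports from agents the controller never registered are not correlated.
            return {"status": "rejected", "reason": "unregistered agent"}
        key = (msg["sid"], msg["dst"])
        window = self.reports[key]
        window.append((msg["ts"], agent["host"]))
        while window and msg["ts"] - window[0][0] > self.window_s:
            window.popleft()  # drop reports that fell out of the time window
        hosts = sorted({host for _, host in window})
        correlated = len(hosts) >= self.min_hosts
        if correlated:
            self.incidents[key] = hosts
        return {"status": "ok", "correlated": correlated, "hosts": hosts}

    def _agent_info_request(self, msg):
        record = self.agents.get(msg.get("agent_id"))
        if record is None:
            return {"status": "rejected", "reason": "unregistered agent"}
        return {"status": "ok", "agent": dict(record)}

    def _disposal_request(self, msg):
        record = self.agents.pop(msg.get("agent_id"), None)
        if record is None:
            return {"status": "rejected", "reason": "unregistered agent"}
        parent = self.agents.get(record["parent_id"])
        if parent is not None and parent["child_id"] == msg["agent_id"]:
            parent["child_id"] = None
        return {"status": "ok"}


def run_demo():
    """Replay constructed messages; returns the manager and one reply per message."""
    idm = IntrusionDetectionManager()
    flood = {"type": "ATTACK_DETECTED", "sid": 1000001, "dst": "10.0.0.9"}
    messages = [
        {"type": "NEW_AGENT", "agent_id": "a1", "host": "10.0.1.11",
         "visit_list": ["10.0.1.11", "10.0.1.13"]},
        {"type": "NEW_AGENT", "agent_id": "a2", "host": "10.0.1.12"},
        {"type": "NEW_AGENT", "agent_id": "a1-c1", "parent_id": "a1", "host": "10.0.1.13"},
        dict(flood, agent_id="a1", ts=100.0),
        dict(flood, agent_id="a2", ts=102.5),
        dict(flood, agent_id="ghost", ts=103.0),   # never registered
        dict(flood, agent_id="a1-c1", ts=104.0),   # third distinct host in window
        dict(flood, agent_id="a1", ts=200.0),      # isolated report, old ones expired
        {"type": "AGENT_INFO_REQUEST", "agent_id": "a1"},
        {"type": "DISPOSAL_REQUEST", "agent_id": "a1-c1"},
        {"type": "PING"},
    ]
    return idm, [idm.handle(m) for m in messages]


if __name__ == "__main__":
    for reply in run_demo()[1]:
        print(reply)
```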

    4.3.2. Mobile Agent Platform (Tahiti Server)

    The mobile agent platform (MAP) is commonly referred to as the Tahiti server; it has a graphical user

    interface (GUI) and is responsible for creating, interpreting, executing, dispatching, cloning and

    terminating agents. The platform is responsible for accepting requests made by network users,

    generating mobile IDS agents, and dispatching agents into the network to perform intrusion detection.

    The platform is a small server program that is deployed on each host within the network and is

    responsible for managing the mobile agent life cycle. The MAP has a MAP interface that acts as a

    graphical user interface (GUI) agent manager. The MAP interface enables end users to monitor existing

    agents in the MAP platform and manually carry out the following agent functions: create, dispatch,

    dispose, retract, and clone, among others.

    4.3.3. Mobile IDS Agent

    Each mobile IDS agent is composed of a sniffer, lightweight snort, a briefcase and message handler.

    The mobile IDS essentially carries out three important tasks: sniffing the network traffic, carrying out

    intrusion detection, and executing cloning mechanisms when intrusions are detected. Sniffing and

    intrusion detection proceed in parallel. This implies that the agent creates two threads: the first one

    starts the sniffing process and afterwards, the second thread is created to run a lightweight mobile IDS.

    The execution of the cloning strategy is triggered only when an alert is logged into the alert file.
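
    The agent-side decision from Table 4.1 together with the alert-triggered cloning described above, as an added example (not code from the paper or its prototype). It assumes Snort's fast alert line format; the signature IDs, addresses, severity lists, summary format, notice text and the default level for unlisted signatures are constructed.

```python
"""Severity-on-demand response selection for a mobile IDS agent (illustrative)."""
import re
from collections import Counter
from dataclasses import dataclass

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, {proto}, src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Table 4.1: level -> (what goes to the controller, what is saved on the current host).
# Levels 1 and 2 do not say what stays on the host, so nothing is listed for them.
SEVERITY_RULES = {
    1: ("dump+alerts", ()),
    2: ("summary", ()),
    3: ("alerts", ("dump",)),
    4: ("notice", ("dump", "alerts")),
    5: ("notice", ("dump",)),
    6: ("nothing", ("dump",)),
}
DEFAULT_LEVEL = 4  # assumption: a signature missing from the severity list is reported

# Constructed alert file; the last line is deliberately malformed.
SAMPLE_ALERTS = """\
08/12-10:15:32.120001  [**] [1:1000001:1] ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9
08/12-10:15:32.120450  [**] [1:1000001:1] ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9
08/12-10:15:32.121007  [**] [1:1000001:1] ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.9
08/12-10:15:33.000310  [**] [1:1000002:1] TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.8:40112 -> 10.0.0.9:22
truncated line without the expected fields
"""
DUMP_BYTES = 5_000_000  # constructed size of the sniffer's dump file


@dataclass
class Response:
    level: int        # most severe (lowest-numbered) level among the logged alerts
    sends: str        # what the agent transmits to the controller
    keeps: tuple      # what Table 4.1 says is saved on the current host
    bytes_sent: int   # network cost of this response
    clone: bool       # cloning is triggered once an alert is in the alert file


def parse_alerts(alert_text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in alert_text.splitlines():
        match = ALERT_RE.match(line.strip())
        if match:
            fields = match.groupdict()
            fields["sid"] = int(fields["sid"])
            alerts.append(fields)
    return alerts


def summarize(alerts):
    """Constructed summary format: one line per (sid, src, dst) with a hit count."""
    counts = Counter((a["sid"], a["src"], a["dst"]) for a in alerts)
    return "\n".join(f"{sid} {src} {dst} x{n}"
                     for (sid, src, dst), n in sorted(counts.items()))


def plan_response(alert_text, dump_bytes, severity_list):
    """Pick the Table 4.1 action for the current alert file, or None if it is empty."""
    alerts = parse_alerts(alert_text)
    if not alerts:
        return None  # nothing logged: keep sniffing, no cloning, no traffic
    level = min(severity_list.get(a["sid"], DEFAULT_LEVEL) for a in alerts)
    sends, keeps = SEVERITY_RULES[level]
    alert_bytes = len(alert_text.encode())
    bytes_sent = {
        "dump+alerts": dump_bytes + alert_bytes,
        "summary": len(summarize(alerts).encode()),
        "alerts": alert_bytes,
        "notice": len(f"ATTACK_DETECTED level={level}".encode()),
        "nothing": 0,
    }[sends]
    return Response(level, sends, keeps, bytes_sent, clone=True)


if __name__ == "__main__":
    for severity_list in ({1000001: 1, 1000002: 5}, {1000001: 2, 1000002: 5},
                          {1000001: 6}):
        print(plan_response(SAMPLE_ALERTS, DUMP_BYTES, severity_list))
```

    Running it prints the response chosen for the same alert file under three severity lists, which shows how far the transmitted volume drops once the flood signature is not treated as level 1.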

    5. Performance Evaluation

    The overall performance of the proposed MABDIDS was evaluated. Forty machines that were connected via a

    switch were used for this assessment. For a realistic testing environment, attacks were injected into a volume

    of network traffic. Specifically, flooding attacks were simulated by means of the well-known tool Metasploit

    version 3.5.1.

    6. Conclusion and Future Research

    The system potentially reduces the enormous amount of distributed log data moved among the inner nodes of a

    conventional IDS. Having mobile IDS agents visit hosts and doing intrusion detection locally is well suited to

    the ability of mobile agents to move the computation to the data, thus reducing network load. Roaming the

    internal network, agents are capable of detecting attacks launched from within the network since the IDS will be

    capable of monitoring local traffic. Additionally, the developed architecture implements a robust and fault-

    tolerant IDS based on agent mobility. There is no single vulnerable point of failure. Agents roam the network

    continuously and thus are less susceptible to direct attacks. They can clone for redundancy or replacement and

    operate independently and autonomously from where created. The architecture is flexible since it is built on the

    concept of Severity on Demand. It is hoped that further work will be carried out in the area of exploring the

    possibility of the extension of mobile IDS agent, and extension to the system architecture.

    References

    [1] Natasha Gilani, Uses of Computer Networking, eHow Contributor 2012.

    [2] Cisco Press, Threats in an Enterprise Network, 2005.

    [3] Helmer, G., Wong, J., Honavar, V., Miller, L., and Wang, Y., "Lightweight agents for intrusion detection,"

    Journal of Systems and Software, v 67, n 2, p 109-122, Aug 15, 2003.

    [4] Guangchun, L., Xianliang, L., Jiong, L., and Jun, Z., "MADIDS: A Novel Distributed IDS Based on Mobile

    Agent," ACM SIGOPS Operating Systems Review, Volume 37, Issue 1, Pages: 46-53, January 2003.

    [5] Hochberg, J., Jackson, K., Stallings, C., McClary, J. F., DuBois, D., and Ford, J., "NADIR: An automated

    system for detecting network intrusion and misuse," Computers & Security, 12(3): 235-248, May 1993.

    [6] Porras, P. A., and Neumann, P., "EMERALD: Event monitoring enabling responses to anomalous live

    disturbances," Proceedings of the 20th National Information System Security Conference, 1997.

    [7] Crosbie, M., and Spafford, E., "Defending a computer system using autonomous agents," Proceedings of the

    18th National Information Systems Security Conference, Oct 1995.

    [8] Crosbie, M., and Spafford, G., "Active defense of a computer system using autonomous agents," Technical

    Report 95-008, COAST Group, Department of Computer Sciences, Purdue University, West Lafayette, IN

    47907-1398, Feb 1995.

    [9] Spafford, E., and Zamboni, D., "Intrusion detection using autonomous agents," Computer Networks,

    34(4):547-570, October 2000.

    [10] Balasubramaniyan, J., Garcia-Fernandez, J., Isacoff, D., Spafford, E., Zamboni, D., "An Architecture for

    Intrusion Detection using Autonomous Agents," Proceedings of the Computer Security Applications

    Conference, 1998.

    [11] White, G., Fisch, E., and Pooch, U., "Cooperating security managers: A peer-based intrusion detection

    system," IEEE Network Magazine, IEEE Press, Volume 10, Issue 1, 1996.

    [12] Barrus, J., and Rowe, N., "A distributed autonomous-agent network-intrusion detection and response

    system," Proceeding of the 1998 Command and Control Research and Technology Symposium, 1998.

    [13] Smith, A., "An Examination of an Intrusion Detection Architecture for Wireless Ad Hoc Networks,"

    Proceedings of the 5th National Colloquium for Information System Security Education, May 2001.

    [14] Bernardes, M., Moreira, E., "Implementation of an Intrusion Detection System Based on Mobile Agents,"

    Proceedings of the International Symposium on Software Engineering for Parallel and Distributed Systems,

    2000.

    [15] White, G., Fisch, E., and Pooch, U., "Cooperative security managers: A peer-based intrusion detection

    system," IEEE Network Magazine, IEEE Press, pages 20-23, Jan. 1996.

    [16] Fenet, S., and Hassas, S., "A distributed intrusion detection and response system based on mobile

    autonomous agents using social insects communication paradigm," Electronic Notes in Theoretical

    Computer Science 63, 2001.

    [17] Vigna, G., Cassell, B., and Fayram, D., "An Intrusion Detection System for Aglets".

    [18] Nwaocha, V.O. and Inyiama, H.C., "Precluding Emerging Threats from Cyberspace: An Autonomic

    Administrative Approach". Vol. 1, No. 3, 100-104, 2011.