
Distributed and Scalable Intrusion Detection System Based on Agents and Intelligent Techniques

  • El-Semary, Aly M. (Dept. of Systems and Computer Engineering, Faculty of Engineering, Al-Azhar University) ;
  • Mostafa, Mostafa Gadal-Haqq M. (Dept. of Computer Science, Faculty of Computer and Information Science, Ain Shams University)
  • Received : 2010.05.10
  • Accepted : 2010.09.08
  • Published : 2010.12.31

Abstract

The explosive growth of the Internet and the increase in critical web applications such as e-banking and e-commerce make network security tools essential. One such tool is the intrusion detection system, which can be classified by its detection approach as either signature-based or anomaly-based. Even though intrusion detection systems are well defined, their cooperation with each other in detecting attacks still needs to be addressed. Consequently, a new architecture that allows them to cooperate in detecting attacks is proposed. The architecture uses software agents to provide scalability and distributability. It works in two modes: learning and detection. During learning mode, it generates a profile for each individual system using a fuzzy data mining algorithm. During detection mode, each system uses FuzzyJess to match network traffic against its profile. The architecture was tested against a standard data set produced by MIT's Lincoln Laboratory, and the preliminary results show its efficiency and its capability to detect attacks. Finally, two new methods, the memory-window and the memoryless-window, were developed for extracting useful parameters from raw packets. These parameters are used as detection metrics.

References

  1. J. Anderson. Computer security threat monitoring and surveillance. Technical Report, James P. Anderson Company, Fort Washington, Pennsylvania, 1980.
  2. D. Denning. An intrusion detection model. IEEE Transactions on Software Engineering, 13(2):222-232, 1987. https://doi.org/10.1109/TSE.1987.232894
  3. D. Anderson, T. Frivold, and A. Valdes. Next-generation intrusion detection expert system (NIDES). Technical Report SRI-CSL-95-07, SRI International, Computer Science Laboratory, Menlo Park, California, 1995.
  4. M. Roesch. Snort: lightweight intrusion detection for networks. In Proceedings of the 13th Systems Administration Conference, Seattle, Washington, 1999, pp.229-238.
  5. K. Ilgun, R. Kemmerer, and P. Porras. State transition analysis: A rule-based Intrusion detection approach. IEEE Transactions on Software Engineering, 21(3):181-199, 1995. https://doi.org/10.1109/32.372146
  6. S. Kumar and E. Spafford. Software architecture to support misuse intrusion detection. Technical Report, The COAST Project, Department of Computer Science, Purdue University, West Lafayette, Indiana, 1995.
  7. T. Lane. Machine Learning Techniques for Computer Security. Ph.D. Dissertation, Purdue University, West Lafayette, Indiana, 2000.
  8. W. Lee and S. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, 1998.
  9. W. Lee, S. Stolfo, and K. Mok. A data mining framework for building intrusion detection model. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, 1999. https://doi.org/10.1109/SECPRI.1999.766909
  10. J. E. Dickerson and J. A. Dickerson. Fuzzy network profiling for intrusion detection. In Proceedings of the North American Fuzzy Information Processing Society, Atlanta, Georgia, 2000, pp.301-306. https://doi.org/10.1109/NAFIPS.2000.877441
  11. J. E. Dickerson, J. Juslin, J. A. Dickerson, and O. Koukousoula. Fuzzy intrusion detection. In Proceedings of North American Fuzzy Information Processing Society 2001, Vancouver, Canada, 2001.
  12. G. Florez, S. Bridges, and R. Vaughn. An improved algorithm for fuzzy data mining for intrusion detection. In Proceedings of the North American Fuzzy Information Processing Society Conference (NAFIPS 2002), New Orleans, Louisiana, June 2002.
  13. Aly El-Semary, J. Edmonds, J. Gonzalez, and M. Papa. Framework for hybrid fuzzy logic intrusion detection systems. In Proceedings of the 2005 IEEE International Conference on Fuzzy Systems, Reno, Nevada, May 22-25, 2005, pp.325-330. https://doi.org/10.1109/FUZZY.2005.1452414
  14. Aly El-Semary, J. Edmonds, J. Gonzalez, and M. Papa. Implementation of a hybrid intrusion detection system using FuzzyJess. In Proceedings of the 7th International Conference on Enterprise Information Systems, Miami, Florida, 2005, pp.390-393.
  15. Aly El-Semary, J. Edmonds, J. Gonzalez, and M. Papa. Applying data mining of fuzzy association rules to network intrusion detection. In Proceedings of the 7th Annual IEEE Information Assurance Workshop, United States Military Academy, West Point, NY, 2006, pp.100-107.
  16. J. Luo and S. Bridges. Mining fuzzy association rules and fuzzy frequency episodes for intrusion detection. International Journal of Intelligent Systems, 15(8):687-703, 2000. https://doi.org/10.1002/1098-111X(200008)15:8<687::AID-INT1>3.0.CO;2-X
  17. M. Qin and K. Hwang. Frequent episode rules for intrusive anomaly detection with Internet data mining. In Proceedings of the 13th USENIX Security Symposium, 2004.
  18. S. Bridges and R. Vaughn. Fuzzy data mining and genetic algorithms applied to intrusion detection. In Proceedings of the 23rd National Information Systems Security Conference, Baltimore, Maryland, 2000.
  19. Ming-Yang Su. Discovery and prevention of attack episodes by frequent episodes mining and finite state machines. Journal of Network and Computer Applications, 33(2):156-167, March 2010. https://doi.org/10.1016/j.jnca.2009.10.003
  20. The FuzzyJess toolkit. http://www.cs.vu.nl/~ksprac/2002/doc/fuzzyJDocs/FuzzyJess.html.
  21. The C Language Integrated Production System (CLIPS). http://clipsrules.sourceforge.net/.
  22. DARPA Intrusion Detection Data Set. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html.

Cited by

  1. Detection of botnets before activation: an enhanced honeypot system for intentional infection and behavioral observation of malware vol.5, pp.10, 2012, https://doi.org/10.1002/sec.431
  2. Detecting SYN flooding attacks based on traffic prediction vol.5, pp.10, 2012, https://doi.org/10.1002/sec.428
  3. Multipoint-to-point communications for SHE surveillance with QoS and QoE management vol.25, pp.7, 2012, https://doi.org/10.1016/j.engappai.2012.03.019
  4. A novel intrusion detection framework for wireless sensor networks vol.17, pp.5, 2013, https://doi.org/10.1007/s00779-012-0529-y
  5. Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet vol.9, pp.2, 2017, https://doi.org/10.3390/su9020262
  6. Strategies for data stream mining method applied in anomaly detection pp.1573-7543, 2018, https://doi.org/10.1007/s10586-018-2835-2