Functional Behavior of Mobile Agent on Intrusion Detection System
Introduction and Overview

With the rapid development of wireless network applications, security has become one of the major problems that wireless networks face today. Wireless transmissions are subject to eavesdropping and signal jamming. Physical security of each node is important to maintain the integral security of the entire network. Ad hoc wireless networks are totally dependent on the collective participation of all nodes in routing information through the network. These are some of the major problems that wireless networks face today. As the use of such networks grows, users will demand secure yet efficient low-latency communications.

Intrusion detection is one of the key techniques for protecting a network against intruders. An Intrusion Detection System tries to detect and alert on attempted intrusions into a system or network, where an intrusion is considered to be any unauthorized or unwanted activity on that system or network. Extensive research has been done in this field and efficient IDS systems have been designed for wired networks. All of those systems usually monitor user, system and network-level activities continuously and normally have a centralized decision-making entity. But most of these techniques will not produce the expected results when applied to wireless networks, due to some inherent properties of wireless networks described below.

In this paper, we concentrate our discussion on ad hoc wireless networks. Such a network is a collection of mobile nodes that establish a communication protocol dynamically. The nodes may join the network at any time and communicate with the entire network via neighboring nodes. Each member of such a network is responsible for accurate routing of information. Due to the arbitrary physical configuration of an ad hoc network, there is no central decision-making mechanism of any kind; rather, the network employs distributed mechanisms of coordination and management.
What really makes the difference between fixed wired and mobile wireless networks is the fact that mobile nodes have very limited bandwidth and battery power. Network packet monitoring is performed at gateways in a fixed network, but the concept of a gateway in a wireless network is very vague, depending on the type of network and the routing algorithms used. Efficient host-based monitoring requires large amounts of CPU processing power, and hence is energy consuming. Our proposed IDS system takes the above considerations into account to provide a lightweight, low-overhead mechanism based on the mobile security agent concept. An agent is a small intelligent active object that traverses the network to be executed on certain hosts. Agents are dynamically updateable, lightweight, have limited functionality and can be viewed as components of a flexible, dynamically-configurable IDS. These qualities make them a suitable choice for a security framework in bandwidth- and computation-sensitive wireless ad hoc networks.
Network:
Definition of Network

A network is a set of devices (often referred to as nodes) connected by communication links. A node can be a computer, printer, or any other device capable of sending and/or receiving data generated by other nodes on the network [1].

Purpose of network

Computer networks can be used for several purposes:
• Facilitating communications. Using a network, people can communicate efficiently and easily via email, instant messaging, chat rooms, telephone, video telephone calls, and video conferencing.
• Sharing hardware. In a networked environment, each computer on a network may access and use hardware resources on the network, such as printing a document on a shared network printer.
• Sharing files, data, and information. In a network environment, authorized users may access data and information stored on other computers on the network. The capability of providing access to data and information on shared storage devices is an important feature of many networks.
• Sharing software. Users connected to a network may run application programs on remote computers.

Network classification

The following list presents categories used for classifying networks.
• LAN - Local Area Network
• WLAN - Wireless Local Area Network
• WAN - Wide Area Network
• MAN - Metropolitan Area Network
• SAN - Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network
• CAN - Campus Area Network, Controller Area Network, or sometimes Cluster Area Network
• PAN - Personal Area Network
• DAN - Desk Area Network
LAN and WAN were the original categories of area networks, while the others have gradually emerged over many years of technology evolution [3]. Now we are going to discuss each of the above categories briefly.
LAN - Local Area Network

A LAN connects network devices over a relatively short distance. A networked office building, school, or home usually contains a single LAN, though sometimes one building will contain a few small LANs (perhaps one per room), and occasionally a LAN will span a group of nearby buildings. In addition to operating in a limited space, LANs are also typically owned, controlled, and managed by a single person or organization.

WLAN - Wireless Local Area Network

A Wireless Local Area Network is a LAN based on WiFi wireless network technology.

WAN - Wide Area Network

As the term implies, a WAN spans a large physical distance. The Internet is the largest WAN, spanning the Earth. A WAN is a geographically-dispersed collection of LANs. A network device called a router connects LANs to a WAN. In IP networking, the router maintains both a LAN address and a WAN address. A WAN differs from a LAN in several important ways. Most WANs (like the Internet) are not owned by any one organization but rather exist under collective or distributed ownership and management. WANs tend to use technologies like ATM (Asynchronous Transfer Mode), Frame Relay and X.25 for connectivity over the longer distances.

MAN - Metropolitan Area Network

A Metropolitan Area Network is a network spanning a physical area larger than a LAN but smaller than a WAN, such as a city. A MAN is typically owned and operated by a single entity such as a government body or large corporation.

SAN - Storage Area Network

A storage area network connects servers to data storage devices through a technology like Fibre Channel.

SAN - System Area Network

A system area network links high-performance computers with high-speed connections in a cluster configuration. Also known as a Cluster Area Network.

CAN - Campus Area Network

A campus area network is a network spanning multiple LANs but smaller than a MAN, such as on a university or local business campus.
PAN - Personal Area Network

A personal area network (PAN) is a computer network used for communication among computers and other information technology devices close to one person. Some examples of devices that are used in a PAN are personal computers, printers, fax machines, telephones, PDAs (Personal Digital Assistants), scanners, and even video game consoles. A PAN may include wired and wireless devices. The reach of a PAN typically extends to 10 meters [4]. A wired PAN is usually constructed with USB and FireWire connections, while technologies such as Bluetooth and infrared communication typically form a wireless PAN.

DAN - Desk Area Network

A DAN (Desk Area Network) is an interconnection of computer devices around ATM (Asynchronous Transfer Mode). The exchange of information between the various peripherals and the CPU is based mainly on the transfer of ATM cells. A DAN enables devices to share resources over the network [5].

Network Elements

There are four basic elements of networks. They are
• Rules
• Medium
• Messages
• Devices
Fig 1.1: Elements of network
The diagram shows the elements of a typical network, including devices, media, and services, tied together by rules, that work together to send messages. We use the word messages as a term that encompasses web pages, e-mail, instant messages, telephone calls, and other forms of communication enabled by the Internet.

Network Criteria

A network must be able to meet a certain number of criteria. The most important of these are
• Fault Tolerance
• Scalability
• Quality of Service (QoS)
• Security
Now we are going to discuss each of the above criteria briefly.

Fault Tolerance

A fault-tolerant network is one that limits the impact of a hardware or software failure and can recover quickly when such a failure occurs. These networks depend on redundant links, or paths, between the source and destination of a message. If one link or path fails, processes ensure that messages can be instantly routed over a different link, transparently to the users on either end. Both the physical infrastructure and the logical processes that direct the messages through the network are designed to accommodate this redundancy.

Scalability

A scalable network can expand quickly to support new users and applications without impacting the performance of the service being delivered to existing users. The ability of the network to support these new interconnections depends on a hierarchical layered design for the underlying physical infrastructure and logical architecture.

Quality of Service (QoS)

The Internet is currently providing an acceptable level of fault tolerance and scalability for its users. But new applications available to users over inter-networks create higher expectations for the quality of the delivered services. Voice and live video transmissions require a level of consistent quality and uninterrupted delivery that was not necessary for traditional computer applications. The quality of these services is measured against the quality of experiencing the same audio or video presentation in person.

Security

The security and privacy expectations that result from the use of inter-networks to exchange confidential and business-critical information exceed what the current architecture can deliver. Rapid expansion in communication areas that were not served by traditional data networks is increasing the need to embed security into the network architecture. As a result, much effort is being devoted to this area of research and development. In the meantime, many tools and procedures are being implemented to combat inherent security flaws in the network architecture.

Providing network security

Securing a network infrastructure includes physically securing the devices that provide network connectivity and preventing unauthorized access to the management software that resides on them.
Security measures taken in a network should:
• Prevent unauthorized disclosure or theft of information
• Prevent unauthorized modification of information
• Prevent denial of service
Means to achieve these goals include:
• Ensuring confidentiality
• Maintaining communication integrity
• Ensuring availability
Now we are going to discuss each of the above goals briefly.

Ensuring Confidentiality

Data privacy is maintained by allowing only the intended and authorized recipients - individuals, processes, or devices - to read the data. Having a strong system for user authentication, enforcing passwords that are difficult to guess, and requiring users to change them frequently help restrict access to communications and to data stored on network-attached devices. Where appropriate, encrypting content ensures confidentiality and minimizes unauthorized disclosure or theft of information.

Maintaining Communication Integrity

Data integrity means having the assurance that the information has not been altered in transmission, from origin to destination. Data integrity can be compromised when information has been corrupted - willfully or accidentally - before the intended recipient receives it. Source integrity is the assurance that the identity of the sender has been validated. Source integrity is compromised when a user or device fakes its identity and supplies incorrect information to a recipient. Digital signatures, hashing algorithms and checksum mechanisms are ways to provide source and data integrity across a network and prevent unauthorized modification of information.

Ensuring Availability

Ensuring confidentiality and integrity is irrelevant if network resources become overburdened or are not available at all. Availability means having the assurance of timely and reliable access to data services for authorized users.

Wireless Network
Definition of Wireless network

A wireless network is a network set up by using radio signal frequencies to communicate among computers and other network devices. Sometimes it is also referred to as a WiFi network or WLAN [6]. Wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, as the carrier, and this implementation usually takes place at the physical level or "layer" of the network.

Types of wireless connections

Wireless PAN
Wireless Personal Area Networks (WPANs) interconnect devices within a relatively small area, generally within reach of a person. For example, Bluetooth provides a WPAN for interconnecting a headset to a laptop.

Wireless LAN
A wireless local area network (WLAN) links two or more devices using a wireless distribution method and usually provides a connection through an access point to the wider Internet. This gives users the mobility to move around within a local coverage area and still be connected to the network.
Wi-Fi: Wi-Fi is increasingly used as a synonym for 802.11 WLANs, although it is technically a certification of interoperability between 802.11 devices.
Fixed Wireless Data: This implements point-to-point links between computers or networks at two locations, often using dedicated microwave or laser beams over line-of-sight paths.

Wireless MAN
Wireless Metropolitan Area Networks are a type of wireless network that connects several wireless LANs.
• WiMAX is the term used to refer to wireless MANs and is covered in IEEE 802.16d/802.16e.

Wireless WAN
Wireless wide area networks are wireless networks that typically cover large outdoor areas. These networks can be used to connect branch offices of a business or as a public Internet access system. They are usually deployed on the 2.4 GHz band. A typical system contains base station gateways, access points and wireless bridging relays [7]. Figure 2.1 shows the wireless classification.

Fig 2.1: Types of wireless network
Wireless Operating Mode The IEEE 802.11 standards specify two operating modes: infrastructure mode and ad hoc mode.
Infrastructure mode is used to connect computers with wireless network adapters, also known as wireless clients, to an existing wired network with the help of a wireless router or access point. Ad hoc mode is used to connect wireless clients directly together, without the need for a wireless router or access point. An ad hoc network consists of up to 9 wireless clients, which send their data directly to each other.
Wireless Ad Hoc Network (WAHN) and Security Issues
Wireless Ad hoc network

Wireless ad hoc networks are a new paradigm of wireless communication for mobile hosts (which we call nodes). In a wireless ad hoc network, there is no fixed infrastructure such as base stations or mobile switching centers. Mobile nodes within each other's radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of network topology. Figure 3.1 shows an example: initially, nodes A and D have a direct link between them. When D moves out of A's radio range, the link is broken. However, the network is still connected, because A can reach D through C, E, and F.

Fig 3.1: Topology changes in ad hoc networks. Nodes A, B, C, D, E and F constitute an ad hoc network. The circle represents the radio range of node A. The network initially has the topology in (a). When node D moves out of the radio range of A, the network topology changes to that in (b).

Problems related to wireless networks

Structural and behavioral differences between wired and wireless mobile networks make existing Intrusion Detection System (IDS) designs inapplicable to wireless networks. Network monitoring in wireless ad hoc networks is performed at every network node. This approach is inefficient due to network bandwidth consumption and the increased computational load on resources that are highly limited in a wireless network. Applying functionality-based network IDS models also has limitations.
• The anomaly detection model is built on long-term monitoring and classification of what is normal system behavior. Ad hoc wireless networks are very dynamic in structure, giving rise to apparently random communication patterns, thus making it challenging to build a reliable behavioral model.
• Misuse detection requires maintenance of an extensive database of attack signatures, which in the case of an ad hoc network would have to be replicated among all the hosts.
To avoid the problems outlined above, the approach is to build a modular IDS system based on intelligent mobile agents. The main advantages of having a modular approach are
• Increased fault tolerance
• Communications cost reduction
• Improved performance of the entire network, and
• Scalability [10].

Types of attack

Attacks in mobile ad hoc networks can be categorized as follows.
• Unfair use of the transmission channel (ATTACK1).
• Anomalies in packet forwarding (ATTACK2).

Unfair use of the transmission channel (ATTACK1)

A node can prevent other nodes in its neighborhood from getting a fair share of the transmission channel. This misbehavior can be considered a Denial of Service (DoS) attack against the competing neighbors in a contention-based network, since the competing neighbors are deprived of their fair share of the transmission channel. Some of the possible methods for unfair use of the transmission channel are as follows:
Ignoring the MAC protocol
Protocols like 802.11 use RTS (Request to Send) and CTS (Clear to Send) to notify the immediate neighbors of how long the transmission channel will be reserved for a successful transmission. Such methods minimize collisions among competing neighbors and try to ensure that all the competing neighbors can get some share of the common channel. But a misbehaving node can generate RTS/CTS at an unacceptable rate by ignoring the back-off mechanism. Hence the competing neighbors cannot get an adequate share of the transmission channel. This imposes a long delay on their output queues, and the queued packets finally time out and get removed. If the indicated duration (Ti) is less than the actual duration (Ta) taken for a successful transmission, the transmission channel will remain occupied for an additional period, Ta - Ti. The competing neighbors may not be aware of this additional hidden period. Therefore, neighbors trying to access the channel within the hidden period are likely to face unexpected collisions, increase their back-off intervals and hence may not get their share of the channel.

Jamming the transmission channel with garbage
Garbage can consist of packets of unknown formats, packets violating the proper sequence of a transaction (e.g. sending a data packet without exchanging RTS and CTS), or simply random bits used as static noise by misbehaving nodes. Garbage data may result in too many collisions, may consume a significant part of the available channel capacity, or both. Consequently, legitimate neighbors may not be able to access the channel properly when needed.

Ignoring the bandwidth reservation scheme
Nodes in a multi-hop wireless network reserve a slot on the transmission channel before initiating a flow. If there is not enough bandwidth, new flows should not be admitted, so that existing flows are not choked. A misbehaving node may not abide by this rule and may try to push out packets when there is not enough bandwidth left. As a result, legitimate nodes may not get a fair share of the transmission channel.

Malicious flooding
Delivering an unusually large amount of data or control packets to the whole network or to some target nodes.

Network Partition
A connected network is partitioned into k (k >= 2) sub-networks where nodes in different sub-networks cannot communicate, even though a route between them actually does exist.

Sleep Deprivation
A node is forced to exhaust its battery power.

Anomalies in packet forwarding (ATTACK2)

Anomalies in packet forwarding take the following forms:
Types | Description
Drop Packets | This type of attack can be classified into two types: (a) black hole attack and (b) gray hole attack. Black hole: a misbehaving node drops all types of packets (both data and control packets). Gray hole: an attacker selectively drops data packets.
Delay Packet Transmissions | A node can give preference to transmitting its own or friends' packets by delaying others' packets. As a result, some flows may not be able to meet their end-to-end delay and jitter requirements.
Wormhole | A tunnel is created between two nodes that can be utilized to secretly transmit packets.
Packet Dropping | A node drops data packets that it is supposed to forward.
Routing Loop | A loop is introduced in a route path.
Denial of Service | A node is prevented from receiving and sending data packets to its destinations.
Fabricated Route Messages | Route messages with malicious contents are injected into the network.
False Source Route | An incorrect route is advertised into the network, setting the route length to 1 regardless of where the destination is.
Maximum Sequence | The sequence field in control messages is modified to the maximum allowed value.
Cache Poisoning | Information stored in routing tables is either modified, deleted or injected with false information.
Selfishness | A node is not serving as a relay to other nodes.
Rushing | This can be used to improve fabricated route messages.
Spoofing | Data or control packets are injected with modified source addresses [11].
Table 3.1: Anomalies in packet forwarding
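As an added example that is not code from the paper, the following Python sketch shows what a lightweight monitoring agent on one node could compute from the frames it overhears from its neighbors: it flags the RTS/CTS misuse described under ATTACK1 (an RTS rate that ignores back-off, and an indicated duration Ti shorter than the measured actual duration Ta) and the black hole and gray hole dropping anomalies of Table 3.1 (ATTACK2). The frame record format, the thresholds and the trace are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are constructed for this example; a deployment would tune them per network.
MAX_RTS_PER_SEC = 20          # RTS frames from one node inside any 1 s window
HIDDEN_PERIOD_TOL = 0.0005    # seconds Ta may exceed Ti before it counts as a hidden period
MIN_HIDDEN_EVENTS = 3         # hidden periods from one node before we alert
GRAY_HOLE_DROP_RATIO = 0.3    # data drop ratio above which selective dropping is flagged

@dataclass
class NeighborStats:
    rts_times: list = field(default_factory=list)    # times at which we overheard an RTS
    hidden_periods: int = 0                          # reservations where Ta - Ti > tolerance
    pending: dict = field(default_factory=dict)      # pid -> "data" | "control" awaiting relay
    received: dict = field(default_factory=lambda: {"data": 0, "control": 0})
    forwarded: dict = field(default_factory=lambda: {"data": 0, "control": 0})

def observe(frames):
    """Consume overheard frames in order and return per-neighbor statistics.
    Constructed record kinds:
      {"kind": "rts",  "src": n, "time": t, "ti": indicated, "ta": measured actual occupancy}
      {"kind": "recv", "src": s, "via": n, "pid": id, "cls": "data" | "control"}  # n must relay it
      {"kind": "fwd",  "src": n, "pid": id}                                       # n relayed it
    """
    stats = defaultdict(NeighborStats)
    for f in frames:
        if f["kind"] == "rts":
            st = stats[f["src"]]
            st.rts_times.append(f["time"])
            if f["ta"] - f["ti"] > HIDDEN_PERIOD_TOL:
                st.hidden_periods += 1
        elif f["kind"] == "recv":
            st = stats[f["via"]]
            st.pending[f["pid"]] = f["cls"]
            st.received[f["cls"]] += 1
        elif f["kind"] == "fwd":
            st = stats[f["src"]]
            cls = st.pending.pop(f["pid"], None)
            if cls is not None:              # only count relays of packets we saw it receive
                st.forwarded[cls] += 1
    return stats

def max_rts_in_window(times, window=1.0):
    """Largest number of RTS frames from one node inside any window of `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def drop_ratio(st, cls):
    recv = st.received[cls]
    return 0.0 if recv == 0 else (recv - st.forwarded[cls]) / recv

def classify(stats):
    """Map each neighbor to the anomalies the monitor would raise for it."""
    alerts = {}
    for node, st in stats.items():
        found = []
        # ATTACK1: unfair use of the transmission channel
        if max_rts_in_window(st.rts_times) > MAX_RTS_PER_SEC:
            found.append("rts_flood")        # RTS/CTS generated while ignoring back-off
        if st.hidden_periods >= MIN_HIDDEN_EVENTS:
            found.append("hidden_period")    # Ti understates Ta; neighbors collide in Ta - Ti
        # ATTACK2: packet dropping anomalies from Table 3.1
        d, c = drop_ratio(st, "data"), drop_ratio(st, "control")
        if st.received["data"] and st.received["control"] and d == 1.0 and c == 1.0:
            found.append("black_hole")       # drops every data and control packet
        elif d > GRAY_HOLE_DROP_RATIO:
            found.append("gray_hole")        # drops data packets selectively
        if found:
            alerts[node] = found
    return alerts

def build_sample_frames():
    """Constructed trace: B floods RTS and understates its durations, C drops everything,
    D drops a third of the data it should relay but forwards control, E behaves."""
    frames = []
    for i in range(30):   # 30 RTS from B inside one second, each occupying twice the announced Ti
        frames.append({"kind": "rts", "src": "B", "time": 0.03 * i, "ti": 0.001, "ta": 0.002})
    for i in range(5):    # 5 RTS from E spread over five seconds with honest durations
        frames.append({"kind": "rts", "src": "E", "time": 1.0 * i, "ti": 0.001, "ta": 0.0011})
    pid = 0
    for relay, data_fwd, ctrl_fwd in (("C", 0, 0), ("D", 6, 3), ("E", 9, 3)):
        for cls, total, fwd in (("data", 9, data_fwd), ("control", 3, ctrl_fwd)):
            for k in range(total):
                frames.append({"kind": "recv", "src": "A", "via": relay, "pid": pid, "cls": cls})
                if k < fwd:
                    frames.append({"kind": "fwd", "src": relay, "pid": pid})
                pid += 1
    return frames

if __name__ == "__main__":
    print(classify(observe(build_sample_frames())))
    # {'B': ['rts_flood', 'hidden_period'], 'C': ['black_hole'], 'D': ['gray_hole']}
```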
Vulnerabilities in WAHNs

Six major attributes and/or vulnerabilities can be recognized. The six attributes are:
Lack of infrastructure: This is based on the peer-to-peer architecture they form once deployed. In consequence, traditional centralized security solution architectures, including centralized IDS, do not apply, and the need for distributed IDSs becomes evident.
Shared wireless medium: Since no physical access is required for a node to join, it is impossible to define a clear line of defense or boundaries for the system. This makes it impossible to place a single security solution on a well-defined infrastructure.
Cooperative nature between the nodes: Since all nodes are required to cooperate in supporting WAHN operations, a compromised node may badly affect the whole network.
Easy physical accessibility: Nodes with low physical protection can be easily captured and tampered with. Consequently, a compromised node may use the standard security means available to every node to shield its attack.
Dynamic network topology: This attribute is more common in the case of MANET than in WSN. As nodes frequently join and leave the network, it becomes extremely difficult for other nodes to tell whether a large number of route requests is due to high mobility or to a denial of service attack.
Operational constraints: Both WSN and MANET share this attribute, but WSN nodes experience more constraints. In either case, the limitations of memory, bandwidth, computation, processing, and power capabilities highly affect the design of WAHNs [12].

Building a system to establish security in WAHNs

Each security solution encompasses all three components of prevention, detection, and reaction. However, an attacker may succeed in infiltrating the security system and cause nodes to misbehave. Node misbehavior can result in degradation of network performance. Hence, the system should be monitored for any anomalies, and the necessary actions taken if an anomaly is detected. A system performing these tasks is known as an intrusion detection system (IDS). An ideal IDS should be able to set thresholds for its detection schemes dynamically so that misbehaving nodes cannot easily work around the detection scheme.
An attacker may find certain loopholes in the current IDS and try to exploit them. Hence such flaws in the basic operations must be recognized and the security level raised. The attacker's identity must be reported by the IDS. Each monitor node should invoke the security mechanisms whenever necessary and possible [13].

Choosing a Wireless Intrusion Detection System

Now that we have an idea of what can be detected and what to do during an incident, we need to decide which WIDS to implement and how. Here we'll discuss the architecture of a wireless IDS along with a general overview of commercial WIDS systems vs. open source WIDS systems. A wireless IDS can be deployed in one of two ways:
• Decentralized
• Centralized
In a decentralized environment each WIDS operates independently, logging and alerting on its own. In addition, this also means each WIDS has to be administered independently. In a large network this can quickly become overwhelming and inefficient, and therefore it is not recommended for networks with more than one or two access points. The idea behind a centralized WIDS is that sensors are deployed that relay information back to one central point. This one point would send alerts and log events as well as serve as a single point of administration for all sensors. Another advantage of a centralized approach is that sensors can collaborate with one another in order to detect a wider range of events with more accuracy. In this approach there are also three main ways in which sensors can be deployed.
• The first is by using existing access points (AP).
• The second option is to deploy "dumb" sensors. These devices simply relay all information to the central server and rely on the server to detect all events. While inexpensive, all information is sent back to a central point, causing an impact on the performance of the wired network and creating a single point of failure at the server.
• The third option is the use of intelligent sensors. These devices actively monitor and analyze wireless traffic, identify attack patterns and rogue devices, and look for deviations from the norm. They then report these events back to the central server and allow an administrator to invoke countermeasures [14].

Intrusion Detection System
Definition of Intrusion Detection System

Intrusion detection can be defined as the automated detection and subsequent generation of an alarm to alert the security apparatus at a location if intrusions have taken place or are taking place. An IDS is a defense system that detects hostile activities in a network and then tries to prevent such activities that may compromise system security. IDSs achieve detection by continuously monitoring the network for unusual activity. The prevention part may involve issuing alerts as well as taking direct preventive measures such as blocking a suspected connection.
In other words, intrusion detection is a process of identifying and responding to malicious activity targeted at computing and networking resources. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the network and external ones. Unlike firewalls, which are the first line of defense, IDSs come into the picture only after an intrusion has occurred and a node or network has been compromised. The primary assumptions of intrusion detection are: user and program activities are observable, for example via system auditing mechanisms; and, more importantly, normal and intrusion activities have distinct behavior. Intrusion detection therefore involves capturing audit data and reasoning about the evidence in the data to determine whether the system is under attack [15]. An IDS is characterized by the following features [16]:
I. It runs continually with minimal supervision and intervention from the end user
II. It is able to operate in a hostile computing environment while exhibiting a high degree of fault tolerance
III. It can be configured to adapt to changes in the system and to user behavior over time
IV. It imposes a minimal overhead on the system
V. It is able to perform data fusion and correlate information from multiple sources.

IDS classification

Traditionally, IDS systems were divided into two classes:
• Network-based IDS
• Host-based IDS
Network-based systems (NIDS) listen on the network, and capture and examine individual packets flowing through a network. In contrast to firewalls, NIDS can analyze the entire packet, not just the header. They are able to look at the payload within a packet, to see which particular host application is being accessed, and to raise alerts when an attacker tries to exploit a bug in such code. NIDS are host independent and can run as "black box" monitors to cover the entire network. In practice, active scanning slows down the network considerably and can effectively analyze only limited-bandwidth networks.
Host-based intrusion detection systems are concerned with what is happening on each individual host. They are able to detect actions such as repeated failed access attempts or changes to critical system files, and normally operate by accessing log files or monitoring real-time system usage. To ensure effective operation, host IDS clients have to be installed on every host on the network, tailored to the specific host configuration. Host-based IDS do not depend on network bandwidth, and are used for smaller networks, where each host dedicates processing power to the task of system monitoring. This slows down the hosts that have IDS clients installed. IDS systems are functionally divided into two categories:
• Anomaly detection systems
• Misuse detection systems
Anomaly detection system detects intrusion detections in a very accurate and consistent way and has low level of false alarms if a system under surveillance follows static behavioral patterns. This class of IDS systems is well suited to detect unknown or previously not encountered attacks. Misuse detection systems monitor networks/hosts for known attack patterns. This class of IDS systems is useful in networks with highly dynamic behavioral patterns, and is a choice of many commercial IDS products. Both categories of IDS can be used on host-based and network-based IDS systems. History of IDS The concept of creating an intrusion detection system was first proposed in 1980 by James Anderson [ANDE80]. However, the field did not take off until 1987 when Dorothy Denning published an intrusion detection model [DENN87]. In 1988, at least three IDS prototypes were created [BAUE88] [SEBR88] [SMAH88]. In the following years, an ever-increasing number of research prototypes were explored. The US government, realizing that its computer systems were insecure, provided significant funding for research in IDSs. Hundreds of millions of dollars have probably been spent on IDS research within the last ten years. Existing IDSs There are several IDSs existed in recent world, which can be defined as Stand-Alone IDS With stand-alone IDS, the architecture is normally based upon running each node separately in order to locate the intrusions if perpetrated. Hence every decision is based and focused upon all the information that is collected at each and every node as all the nodes are independent and work individually as per its name itself “standalone�. Beside being totally isolated, the nodes on the same network do not know anything about the different nodes or the same network as no data is exchanged hence no alert information is passed on. 
Even though restricted by these limitations, the stand-alone approach is more adaptable in situations where each node can run an IDS on its own. It is preferred for a flat network architecture, which unfortunately is not suitable for a wireless mobile network.
Cooperative and Distributed IDS
Zhang & Lee (2003) mentioned that wireless mobile networks have to adopt a cooperative and distributed intrusion detection system architecture. This is achieved by an IDS agent running on top of each node. The IDS agent can be complex, but when analyzed closely it can be broken into six different modules. So in the cooperative and distributed network described by Zhang & Lee (2003), every single node has a crucial role to play: each node has the responsibility for detecting any signs of intrusion and for contributing, individually or collectively, to the security of the network.
Zone Based IDS
In a proposal by Sun, B. et al. (2003), an anomaly-based, two-level, non-overlapping Zone-Based Intrusion Detection System (ZBIDS) separates the network into non-overlapping zones. Referring to Figure 4.1, the nodes can be classified into two groups:
• Intra-zone nodes are independent nodes, shown in Figure 4.1 as nodes F, E, I and J.
• Inter-zone nodes are nodes that have a physical connection to a node in a different zone. Examples are nodes H, B, C and K, as illustrated in Figure 4.1.
Manager-Based IDS
In a Manager-Based IDS, the nodes that construct the network are divided into two types: Regular Nodes and Managers. One Manager and N Regular Nodes (RNs) (N ≥ 0) compose a smaller sub-network called a zone. An RN functions as a sensor whose task is collecting and/or creating intrusion data locally, while the Manager, besides acting as a sensor, functions as the head of its zone and performs the intrusion detection in that zone based on the data collected by the Regular Nodes and itself. Since an ad hoc network doesn't have any fixed infrastructure, it is difficult to aggregate all intrusion data that occurred in the network in one place without the cooperation of all nodes. Hence all Managers should cooperate to provide the network with more complete data for accurate and efficient detection [20].
Fig 4.2: Manager-Based IDS
SVM-Based IDS
A Support Vector Machine (SVM) based intrusion detection system is suitable for real-time intrusion detection in wireless ad hoc networks. The proposed intrusion detection system comprises four components:
1. Local Data Collection Module (DCM)
2. SVM-based Intrusion Detection Module (SVMDM)
3. Local Response Module (LRM)
4. Global Response Module (GRM)
Fig 4.3: SVM – Based IDS
The DCM gathers streams of audit data from various network sources and passes them to the SVMDM. The SVMDM analyzes the gathered local data traces using the SVM classification algorithm and identifies misbehaving nodes in the network. In the SVMDM, two types of SVM-based detection methods are present, depending on whether attack data are available or not. One-class SVM classifier [22] based intrusion detection (1-SVMDM) is used whenever no attack data are available, while conventional two-class SVM based intrusion detection (2-SVMDM) is applied when attack data are available. In practice, the 1-SVMDM can be used in the early stage of intrusion detection to find possible network intrusive behaviors. After collecting some attack instances, the 2-SVMDM can be used. The LRM is responsible for sending out the local detection results based on the locally collected data set. The GRM collects the local detection results from the LRMs and makes a global response. Whenever any misbehaving node is detected, the GRM sends out alarm messages to the whole network to isolate the misbehaving node.
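The DCM, SVMDM, LRM and GRM flow just described, as an added example written for this page and not code from the paper or from any SVM-based IDS implementation. So that it runs without a machine-learning library, the two SVM classifiers are stood in for by a z-score envelope over normal data (for 1-SVMDM) and a nearest-centroid classifier over both classes (for 2-SVMDM); the audit features (fraction of packets forwarded, route requests per second), the node names and every trace are constructed for illustration. What the block shows is the switch the text describes: with no attack data the one-class model is used, and once attack instances exist the two-class model takes over, with each monitor's LRM result merged by the GRM into one isolation decision.

```python
import math

# Constructed per-node audit features: (fraction of packets forwarded, route requests/s).
# Invented for this example; not data from the paper.
NORMAL_TRACES = [(0.97, 2.1), (0.95, 1.8), (0.99, 2.4), (0.96, 2.0), (0.98, 1.9), (0.94, 2.2)]
ATTACK_TRACES = [(0.20, 9.5), (0.10, 8.7), (0.35, 11.0)]   # dropping traffic, flooding route requests


def centroid(points):
    d = len(points[0])
    return [sum(p[i] for p in points) / len(points) for i in range(d)]


def dist(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


class OneClassDetector:
    """Stand-in for 1-SVMDM: learns only the envelope of normal traces and flags any
    node that lies more than k standard deviations away on any feature."""

    def __init__(self, normal, k=3.0):
        n, d = len(normal), len(normal[0])
        self.mean = [sum(t[i] for t in normal) / n for i in range(d)]
        self.std = [max(1e-9, math.sqrt(sum((t[i] - self.mean[i]) ** 2 for t in normal) / n))
                    for i in range(d)]
        self.k = k

    def is_misbehaving(self, x):
        return any(abs(x[i] - self.mean[i]) / self.std[i] > self.k for i in range(len(x)))


class TwoClassDetector:
    """Stand-in for 2-SVMDM: nearest-centroid classifier trained on normal and attack data."""

    def __init__(self, normal, attack):
        self.normal_c = centroid(normal)
        self.attack_c = centroid(attack)

    def is_misbehaving(self, x):
        return dist(x, self.attack_c) < dist(x, self.normal_c)


def svmdm(local_traces, normal, attack=None):
    """SVMDM: use the one-class model when no attack data exist, the two-class model once
    attack instances have been collected. Returns the node ids this monitor judges misbehaving."""
    model = TwoClassDetector(normal, attack) if attack else OneClassDetector(normal)
    return {node for node, x in local_traces.items() if model.is_misbehaving(x)}


def local_response(monitor, suspects):
    """LRM: the local detection result a monitoring node sends out."""
    return {"monitor": monitor, "suspects": sorted(suspects)}


def global_response(reports):
    """GRM: merges the local results and produces the network-wide isolation alarm."""
    isolate = set()
    for r in reports:
        isolate.update(r["suspects"])
    return {"isolate": sorted(isolate),
            "reported_by": [r["monitor"] for r in reports if r["suspects"]]}


def run_scenario(attack_data_available):
    # DCM output at two monitoring nodes: what each observed about its neighbours (constructed).
    dcm_m1 = {"A": (0.96, 2.1), "B": (0.15, 9.0)}
    dcm_m2 = {"B": (0.18, 8.4), "C": (0.97, 2.0)}
    attack = ATTACK_TRACES if attack_data_available else None
    reports = [local_response("M1", svmdm(dcm_m1, NORMAL_TRACES, attack)),
               local_response("M2", svmdm(dcm_m2, NORMAL_TRACES, attack))]
    return global_response(reports)


if __name__ == "__main__":
    print("early stage (1-SVMDM):", run_scenario(False))
    print("after attack samples (2-SVMDM):", run_scenario(True))
```

Node B is flagged by both monitors in either mode; the difference the switch makes is that the one-class envelope flags anything unusual (which is why the text places it in the early stage), whereas the two-class model only flags what resembles the collected attack instances.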
Agent-Based IDS
A mobile agent implementation is chosen to support such features of the IDS system as mobility of sensors, intelligent routing of intrusion data throughout the network and lightweight implementation [10].
IDS Requirements
At least one past effort has identified desirable characteristics for an IDS. Regardless of which mechanisms an IDS is based on, it must:
• Run continuously without human supervision,
• Be fault tolerant and survivable,
• Resist subversion,
• Impose minimal overhead,
• Observe deviations from normal behavior,
• Be easily tailored to a specific network,
• Adapt to changes over time, and
• Be difficult to fool.
Functional Requirements
As the network-computing environment increases in complexity, so do the functional requirements of IDSs. Common functional requirements of an IDS being deployed in current or near-term operational computing environments include the following. The IDS must continuously monitor and report intrusions. The IDS must supply enough information to repair the system, determine the extent of damage, and establish responsibility for the intrusion. The IDS should be modular and configurable, as each host and network segment will require its own tests, and these tests will need to be continuously upgraded and eventually replaced with new tests. Since the IDS is assigned the critical role of monitoring the security state of the network, the IDS itself is a primary target of attack. The IDS must be able to operate in a hostile computing environment, exhibit a high degree of fault tolerance and allow for graceful degradation. The IDS should be adaptive to network topology and configuration changes as computing elements are dynamically added to and removed from the network. Anomaly detection systems should have a very low false alarm rate.
Given the projected increase in network connectivity and traffic, simply decreasing the percentage of overall false alarms may not be sufficient, as their absolute number may continue to rise. The IDS should be able to learn from past experience and improve its detection capabilities over time. A self-tuning IDS will be able to learn from false alarms, first with the guidance of system administrators and eventually on its own.
The IDS should be able to be easily and frequently updated with attack signatures as new security advisories and security patches become available and new vulnerabilities and attacks are discovered. Decision support tools will be necessary to help system administrators respond to various attacks. The IDS will be required not only to detect anomalous events, but also to take automated corrective action. The IDS should be able to perform data fusion and to process information from multiple and distributed data sources such as firewalls, routers, and switches. As real-time detection demands push network-based solutions to reprogrammable hardware devices that can download new capabilities, the IDS will need to be able to communicate with the hardware-based devices. Data reduction tools will be necessary to help the IDS process the information gathered from data fusion techniques. Data mining tools will be helpful in running statistical analysis tools on archived data in support of anomaly detection techniques. The IDS should be capable of providing an automated response to suspicious activity. Rapid changes in network conditions and limited network administration expertise make it difficult for system administrators to diagnose problems and take corrective action to minimize the damage that intruders can cause. The ability to detect and react to distributed and coordinated attacks will become necessary. Coordinated attacks against a network will be able to marshal greater forces and launch many more and varied attacks against a single target. These attacks can be permutations of known attacks, can be rapidly evolving, and can be launched at little cost to the attackers. Distributing the computational load and the diagnostic capabilities to agents scattered throughout the network adds a level of fault tolerance, but it is often necessary for the system administrator to have control over the IDS from a central location.
The IDS should be able to work with other Commercial Off-the-Shelf (COTS) security tools, as no vendor toolset is likely to excel in or to provide complete coverage of the detection, diagnosis, and response responsibilities. The IDS framework should be able to integrate various data reduction, forensic, host-based, and network-based security tools. Interoperability and conformance to standards will further increase the value of the IDS. IDS data often requires additional analysis to assess any damage to the network after an intrusion has been detected.
The IDS itself must also be designed with security in mind. For example, the IDS must be able to authenticate the administrator, audit administrator actions, mutually authenticate IDS devices, protect the IDS data, and not create additional vulnerabilities.
Performance Requirements
An IDS that is functionally correct, but that detects attacks too slowly, is of little use. Here we enumerate several performance requirements for IDSs. To the extent possible, anomalous events or breaches in security should be detected in real time and reported immediately to minimize the damage to the network and the loss or corruption of confidential information. The IDS must not place an undue burden on, or interfere with, the normal operations for which the systems were bought and deployed in the first place. This requirement makes it necessary for the agents to be cognizant of their consumption of the network resources for which they are competing. There is a tradeoff between additional levels of security monitoring and the performance penalty to be paid by other applications. The IDS must be scalable: as new computing devices are added to the network, the IDS must be able to handle the additional computational and communication load.
Mobile Agent
Definition of Mobile Agent
Mobile agents are a special type of agent, defined as "processes capable of roaming through large networks such as the ad-hoc wireless network, interacting with machines, collecting information and returning after executing the tasks adjusted by the user". Mobile agents have several features:
• Mobile agents are programs with persistent identity, which move around a network on their own volition and can communicate with their environment and with other agents.
• These systems use specialized servers to interpret the agent's behavior and communicate with other servers.
• Mobile agents may execute on any machine in a network without the necessity of having the agent code pre-installed on every machine the agent could visit.
• Mobile agents offer several potential advantages when used in ID systems that may overcome limitations that exist in IDSs that only employ static, centralized components.
• Non-monolithic systems based on autonomous mobile agents offer several advantages over monolithic systems [23], such as easy configuration, extension capacity, efficiency and scalability.
So we can say that mobile agents can be defined as autonomously executing programs that can halt themselves, migrate to another host in a heterogeneous environment, and continue execution without being affected by the status of the originating node. On the hosts they move to, mobile agents interact with stationary service agents, collect information and execute to accomplish their tasks [24, 25]. A software mobile agent can carry out activities from one node to another in a flexible and smart way as a response to new changes in the network [26]. Using this feature, mobile agents can communicate and cooperate with each other. The obvious advantage of using mobile agents is that they present a single general framework in which many distributed applications can be implemented easily, efficiently and robustly [25].
Advantages of Mobile Agent
A number of advantages of using mobile code and mobile agent computing paradigms have been proposed. These advantages include:
• Overcoming network latency,
• Reducing network load,
• Executing asynchronously and autonomously,
• Adapting dynamically,
• Structure and composition,
• Operating in heterogeneous environments,
• Having robust and fault-tolerant behavior, and
• Scalability.
This section examines these claims and evaluates their applicability to the design of IDS.
Overcoming Network Latency
Mobile agents are useful for applications that need to respond in real time to changes in their environment, because they can be dispatched from a central controller to carry out operations directly at the remote point of interest. In addition to detecting and diagnosing
potential network intrusions, an IDS needs to provide an appropriate response in order to protect and defend the network from malicious behavior. While a central controller can send messages to the nodes within the network and issue instructions on how to respond to a particular condition or perceived threat, the approach is problematic. For example, the central controller may have to respond to a number of events throughout the network in addition to handling its normal processing load, and may become a bottleneck or a single point of failure. If connections to this central server are slow or unreliable, the network communications are susceptible to unacceptable delays. Mobile agents, since they are distributed throughout the network, may take advantage of alternate routes around any problem communication links. It will always be faster to send a message to a network node to execute predetermined, resident code than to send a mobile agent to the node. However, such an architecture requires that all response and reconfiguration actions be predefined, replicated and distributed throughout the network. The response mechanism then constitutes, in effect, a large distributed database, raising serious administration problems concerning configuration management, consistency and transaction control. Innovative responses, by definition, must be transmitted at least once to each affected node, either by conventional network means (a series of messages) or by a mobile agent. Of these choices, the mobile agent technique offers the fastest response.
Reducing Network Load
One of the most pressing problems facing current IDSs is the processing of the enormous amounts of data generated by network traffic monitoring tools and host-based audit logs. IDSs typically process most of this data locally. Even though the data is usually abstracted before being sent out on the network, the amount of data can still place a considerable communication load on the network.
Mobile agents offer an opportunity to reduce the network load by eliminating the need for this data transfer. Mobile agents are well suited for ad hoc, flexible search and analysis problems involving multiple distributed resources that require specialized tasks not supported by the data server. A mobile agent-based search and data analysis approach can help decrease network traffic resulting from the transfer of large amounts of data across a network for local processing. Instead of transferring the data across the network, mobile agents can be dispatched to the machine on which the data resides, essentially moving the computation to the data instead of moving the data to the computation, thus reducing the network load for such a scenario. Clearly, transferring an agent that is smaller in size than the data to be transferred reduces the network load.
Asynchronous Execution and Autonomy
IDS architectures that are coordinated by a central host require reliable communication paths to the network sensors and intermediate processing nodes. The critical role played by this central controller makes it a likely target of attack. Mobile agent frameworks allow IDSs to continue operation in the event of the failure of a central controller or communication link. Unlike message passing routines or Remote Procedure Call (RPC), once the mobile agent is launched from a home platform it can continue to operate autonomously even if the host platform from which it was launched is no longer available or connected to the network. The coordination of IDS sensors and filters can be protected from the loss of network connections since the mobile agents do not require control by another process. A
mobile agent's inability to communicate with the central controller would not prevent it from carrying out its assigned tasks.
Structure and Composition
MAs allow for a natural way to structure and design an IDS. For example, rather than a monolithic static system, an IDS can be divided into data producer and data analyzer components and represented as agents. The data producer provides an interface to the networks it sniffs or the audit trails it filters. Multiple analyzers, each responsible for detecting a single attack or a small set of attacks, interact with the producer to look for attacks. Under such a framework, MAs from multiple vendors can be used to create an IDS. If a company has the best detector for attack X and another company has the best detector for attack Y, then we can use MAs from both vendors to detect X and Y.
Adapting Dynamically
MAs provide a versatile and adaptive computing paradigm as they can be retracted, dispatched, cloned, or put to sleep as network and host conditions change. For example, as better MA detectors for an attack are developed they can be sent out on the network to replace the older version, or if an MA is producing too many false positives it can be recalled or gracefully terminated. MAs also have the ability to sense their execution environment and autonomously react to changes. For example, if the computational load of the host platform is too high and the host's performance doesn't meet the agent's service expectations, the agent and its data can move to another machine that can better satisfy its computational needs. MAs can distribute themselves among the hosts in the network in such a way as to maintain the optimal configuration for solving a particular problem.
Operating in Heterogeneous Environments
Large enterprise networks are typically comprised of many different computing platforms and computing devices. One of the greatest benefits of MAs is the implementation of interoperability at the application layer.
Interoperability at the computer or transport layer requires significant changes to the host's environment. Interoperability at the presentation layer limits flexibility in updating the system for new attacks. Conversely, while MA frameworks must be installed on each host, MAs themselves are independently configurable. Since mobile agents are generally computer and transport-layer independent, and dependent only on their execution environment, they offer an attractive approach for heterogeneous system integration. The ability of MAs to operate in heterogeneous environments also provides an opportunity for the easy integration of network-based and host-based tools operating on various platforms.
Robust and Fault-tolerant Behavior
The ability of mobile agents to react dynamically to unfavorable situations and events makes it easier to build robust distributed systems. For example, if a host is being shut down, all agents executing on that machine are warned, whenever possible, and given time to dispatch and continue their operation while preserving their execution state on another host in the network. Their support for disconnected operation and distributed design
paradigms eliminate single point of failure problems and allow mobile agents to offer fault-tolerant characteristics.
Scalability
The computational load on centralized IDSs increases as more processing nodes are added to the networks they monitor. As networking technology continues to improve, increased bandwidth and network traffic will place greater demands on these centralized architectures. Distributed MA IDS architectures are one of several options that allow computational load and diagnostic responsibilities to be distributed throughout a network. As the number of computing elements in the network increases, agents can be cloned and dispatched to new machines in the network.
Disadvantages of Mobile Agent
The obvious disadvantage of using MAs is the concern that they will introduce vulnerabilities into the network. However, this is not the only disadvantage to implementing a Mobile Agent Intrusion Detection System (MAIDS). MA solutions may not perform fast enough to meet the IDS's needs.
Security
The security concerns related to mobile code are one of the main obstacles to the widespread use of this technology. The MA computing paradigm presents a number of security threats that are not addressed by conventional security techniques. Standard security techniques must be modified or new techniques invented to address these threats. The security threats can be classified into four broad categories:
• Agent-to-agent
• Agent-to-platform
• Platform-to-agent
• Other-to-agent platform
The agent-to-agent category represents the set of threats in which agents exploit security weaknesses of other agents or launch attacks against other agents. The agent-to-platform category represents the set of threats in which agents exploit security weaknesses of, or launch attacks against, an agent platform. The platform-to-agent category represents the set of threats in which platforms compromise the security of agents.
The other-to-agent platform category represents the set of threats in which external entities, including agents and agent platforms, threaten the security of an agent platform.
Performance
One of the most challenging problems facing IDSs is improving the speed with which they can identify malicious activity. Not only must IDSs detect attacks quickly, but they must also process system events in real time. This task is becoming ever more difficult as network
bandwidth increases. Mobile agent software will generally hinder rather than help an IDS's ability to rapidly process events and detect attacks.
Code Size
IDSs are complex pieces of software. Agents that perform IDS services may thus be required to contain a large amount of code. If these agents are supposed to do operating-system-specific tasks on multiple operating systems, then this code base may get extremely large. The size of MA code may limit the functionality of a MAIDS because it will take a long time to transfer an agent between hosts. In addition, such a transfer will require greater computing and network resources.
Lack of a Priori Knowledge
Large enterprise networks are comprised of several different hardware platforms, running several different operating systems, each having different configurations and running different applications. It is not trivial for the mobile agents to have a priori knowledge about how a system is configured and how data is arranged.
Limited Exposure
An agent's envisioned autonomous behavior, involving collaboration with other agents at various network locations, creates a dynamic environment that requires new design methodologies and modeling tools to properly formulate and construct agent-based systems. The lack of mature agent design methodologies and modeling tools makes this task difficult.
Coding and Deployment Difficulties
MAs' inherent capabilities, such as moving and cloning, add more complexity to the design and development process. Given this added complexity, MAIDS will be even more prone to faults than their non-MA counterparts. Further hampering near-term MAIDS deployment is a lack of MA design, development, and management tools, needed before any large-scale deployment of agent-based applications becomes feasible.
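Before turning to WAHNs, the halt, migrate and resume behaviour from the definition of a mobile agent and the autonomy property discussed under Asynchronous Execution and Autonomy above, as an added example that is not code from the paper or from any agent platform. Hosts, a stationary service agent and the agent's serialised execution state are all simulated in one process; the failed-login counts are constructed; and delivering the report to the last host visited when the home platform has left the network is an assumption made for this example, not something the text prescribes.

```python
import json


class Host:
    """A node running an agent platform plus a stationary service agent that exposes
    local audit information. The failed-login counts are constructed, not real logs."""

    def __init__(self, name, failed_logins):
        self.name = name
        self.failed_logins = failed_logins
        self.online = True

    def service_agent(self):
        # Stationary agent: answers queries about this host only and never leaves it.
        return {"failed_logins": self.failed_logins}


class AuditAgent:
    """Mobile agent: visits each host on its itinerary, queries the local service agent
    and carries the accumulated result in its own state."""

    def __init__(self, home, itinerary):
        self.state = {"home": home, "itinerary": list(itinerary), "collected": {}}

    def execute_on(self, host):
        # The task performed at each hop: collect, then halt and move on.
        self.state["collected"][host.name] = host.service_agent()

    def checkpoint(self):
        # The serialised execution state is what actually travels between hosts.
        return json.dumps(self.state)

    @classmethod
    def resume(cls, blob):
        agent = cls.__new__(cls)
        agent.state = json.loads(blob)
        return agent


def dispatch(network, agent):
    """Migrate `agent` along its itinerary over `network` (name -> Host).
    Hosts that have gone offline are skipped; the home platform is never consulted
    while the agent is travelling. If home is gone at the end, the report goes to the
    last host visited (assumption for this example)."""
    blob = agent.checkpoint()
    last = agent.state["home"]
    for name in agent.state["itinerary"]:
        host = network[name]
        if not host.online:
            continue                          # leaving node: continue with the rest of the task
        running = AuditAgent.resume(blob)     # agent re-instantiated on the remote platform
        running.execute_on(host)
        blob = running.checkpoint()           # state moves with the agent
        last = name
    final = AuditAgent.resume(blob)
    home = network[final.state["home"]]
    delivered_to = home.name if home.online else last
    return delivered_to, final.state["collected"]


def suspicious_hosts(collected, threshold=20):
    """Post-processing of the carried result: hosts with an unusual number of failed logins."""
    return sorted(h for h, info in collected.items() if info["failed_logins"] > threshold)


def demo():
    # Constructed network: a home platform and three nodes to audit.
    net = {n: Host(n, f) for n, f in [("home", 0), ("n1", 3), ("n2", 57), ("n3", 1)]}
    agent = AuditAgent("home", ["n1", "n2", "n3"])
    net["home"].online = False   # home platform leaves the ad hoc network after launching the agent
    net["n3"].online = False     # one target node is unreachable
    return dispatch(net, agent)


if __name__ == "__main__":
    delivered_to, collected = demo()
    print("report delivered to:", delivered_to)
    print("collected:", collected)
    print("suspicious:", suspicious_hosts(collected))
```

The point to notice is that nothing in `dispatch` ever talks to the home host once the agent has been launched: the agent's task and partial results live in the checkpoint it carries, which is what lets it finish even though its originating node and one of its targets have dropped out.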
Studying Mobile Agents Suitability for WAHNs
In order for the nodes in WAHNs to collaborate in the overall IDS functionality, they need to either exchange audit data or exchange the software that works on these data. The following are the main mobile agent features that demonstrate direct relevance to the special and challenging requirements found in WAHNs:
• Reducing network load: by migrating the code and not the data, mobile agents can limit the amount of traffic traveling between the nodes.
• Conserving bandwidth: mobile agents limit intermediate messages between the nodes and hence reasonably reduce the amount of bandwidth needed.
• Improving load balancing in the network: the load balancing problem clearly appears in a distributed computing system where tasks are unequally allocated to the different network elements. Load balancing greatly helps with the computation and processing constraints of WAHN nodes.
• Reducing the total task completion time: this helps avoid the time-consuming transmission of intermediate results between tasks, which is very useful in dealing with WAHN nodes' battery constraints.
• Overcoming network latency: moving the executing code to the system where the computation and output are to be produced helps reduce network latency. Again, this helps with battery constraints in WAHNs.
• Advanced mobile computing: handling the nodes' join-and-leave issues. This is achieved by the ability of a mobile agent to continue its task even if one of its links goes down due to a leaving node.
• Enabling dynamic deployment and adoption of the executing program on other processing nodes: this adds more efficiency to the whole system, as the same programs might be called multiple times.
• Having robust and fault-tolerant behavior: the same code may get executed on different nodes. Fault tolerance is one of the main features required for a WAHN IDS due to the frequent joining and leaving of nodes in the network.
• Working on a heterogeneous network: mobile agent systems allow agents to be language- and operating-system-independent, which can be recognized as a portability advantage. It can also be utilized for IDS interoperability.
• Light-weight: light-weight mobile agents only carry the primary features they need, and hence accomplish their tasks with minimal code. Once they reach their destination, they get updated and upgraded as needed [32]. This brings a design tradeoff: while light-weight mobile agents reduce network traffic and conserve bandwidth, they also demand more powerful nodes to support their update and upgrade processes.
In particular, mobile agents operating on different nodes might have similar or different tasks assigned to them, and their collaborative work makes up the final intrusion detection picture in the network. Scalability, interoperability, fault tolerance, and conservative use of system resources can all be accomplished with the use of mobile agents.
Agent-based ad hoc network IDS
This section introduces a multi-sensor intrusion detection system employing cooperative intrusion detection. A mobile agent implementation is chosen to support such features of the IDS system as
• Mobility of sensors,
• Intelligent routing of intrusion data throughout the network and
• Lightweight implementation.
There are three types of IDSs that use mobile agents. They are
1. Distributed Intrusion Detection Using Mobile Agents
2. Local Intrusion Detection System (LIDS)
3. Intrusion Detection Architecture based on a Static Stationary Database
Each of the above IDSs will be discussed in the next chapter.
Summary
At first glance, mobile agent technology offers much to the field of intrusion detection. The idea of mobile and autonomous components intuitively seems useful in intrusion detection and many other applications. However, it is difficult to realize the benefits of mobile agent technology in practice. Despite these difficulties, the technology appears to provide valuable extensions to current capabilities. Although the barriers to creating practical mobile agent systems are high, the ability to move a running program from one hardware platform to another is a useful feature. Ultimately, as the security, performance, emerging technology, and standards barriers that inhibit this technology fall, mobile agents will enter mainstream use. Not only do mobile agents appear to be useful in general, but they appear useful to IDSs. Mobile agents may enhance the performance of IDSs and even offer them new capabilities. However, obtaining these benefits is not easy and will require a substantial commitment of resources to research. Much research has been conducted on securing mobile agent functionality. Moreover, new research is being carried out on lightweight designs for mobile agents.
Intrusion Detection system Using Mobile Agent
Distributed Intrusion Detection Using Mobile Agents (DIDMA)
Here each module represents a lightweight mobile agent with a certain functionality. This makes the total network load smaller by separating the functional tasks into categories and dedicating each agent to a specific purpose.
Modular IDS architecture
This intrusion detection system is built on a mobile agent framework. It is a non-monolithic system and employs several sensor types that perform specific functions. There are three major agent categories, namely action, decision-making, and monitoring agents (Fig. 6.1).
Fig 6.1: Layered mobile agent architecture
• Monitoring agents monitor packets as they arrive at a host or network. While host monitoring sensors are present on all mobile hosts, network monitoring sensors are distributed to a selected group of nodes. Moreover, monitoring agents are classified into packet, user and system monitoring agents.
• Decision-making agents, on the other hand, are present on each node and decide on the threat level on a host-level basis.
• Finally, action agents are present on every host and are responsible for resolving intrusion situations on a host as they occur.
Agent distribution
To save resources, some of the IDS functionality must be distributed efficiently to a (small) number of nodes while providing an adequate degree of intrusion detection. While all the nodes accommodate the host-based monitoring sensors of the IDS, we use a distributed algorithm to assign a few nodes to host sensors that monitor network packets and agents that make decisions. We logically divide a mobile network into clusters, with a single cluster head for each cluster that monitors packets within the cluster.
Clustered Network-Monitoring Node Selection Algorithm
I. Hop selection step: based on security requirements, a certain number of hops is selected. This step is important in choosing decision-agent-hosting nodes as well as network monitoring nodes, as the selected number is the maximum number of hops from any node in the ad-hoc network to the decision node. Selection of this number greatly affects the network monitoring range.
II. Let Ci denote the number of established connections (reachable nodes) for node i at the time of cluster setup, with a total of N nodes in the entire network. Each node sends its Ci value to all its reachable neighbors.
III. Upon receiving the Cj values from its neighbors j (j ≠ i, for all i = 1…N), node i sums up the total as Si (the connectivity index), which upon completion is broadcast to all nodes with a time to live (TTL) equal to the number of hops selected in step I:
$S_i = C_i + \sum_{j} C_j$    (1)
IV. Each node then has to vote to select the cluster head node that will accommodate the network monitoring and decision agents. Every node sends a vote packet to the node it selects based on the highest connectivity index received as a result of the broadcast in step III. If a node receives a vote from a node with an equal Si value, it doesn't send a vote to the source node. In case two nodes have equal Si values and send votes to each other simultaneously, the node with the largest total of Si values sends a "discard vote" message to the other node. This ensures that the minimal number of nodes is selected for hosting packet-monitoring agents. Note that in step III, a node decreases the TTL count and broadcasts the packet containing Si to all its reachable neighbors, resulting in every node receiving information about the maximum Si within the hop distance.
V. Each node that received at least one vote loads and runs the Network Monitoring and Decision Agents. Steps IV and V are shown in Fig. 6.2, giving scenarios for (a) one-hop and (b) two-hop ad-hoc wireless networks. In the figure, dashed arrows indicate a vote packet route. Nodes selected to host network monitoring and decision agents are highlighted.
Fig 6.2: Network monitoring node selection with (a) one-hop radius and (b) two-hop radius
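The selection algorithm above (steps I to V), run end to end on a small constructed topology, as an added example that is not the paper's code. The seven-node adjacency list, the alphabetical tie-break for equal Si values and the reading of the "discard vote" rule are assumptions; the connectivity index, the TTL-limited broadcast and the voting follow the steps as described, and the coverage check tests the paper's claim that every node ends up with a monitor within the selected hop distance.

```python
"""Added example, not the paper's code: a simulation of the Clustered
Network-Monitoring Node Selection Algorithm (steps I-V) on a constructed
seven-node ad hoc topology. Node names, links and the tie-breaking details
are assumptions."""
from collections import deque

# Constructed topology (assumption): undirected adjacency list, i.e. which
# nodes can hear each other at cluster setup time.
TOPOLOGY = {
    "A": ["B", "C"],
    "B": ["A", "C", "D"],
    "C": ["A", "B", "D", "E"],
    "D": ["B", "C", "E", "F"],
    "E": ["C", "D"],
    "F": ["D", "G"],
    "G": ["F"],
}


def nodes_within_hops(graph, start, hops):
    """Nodes other than `start` reachable in at most `hops` hops (BFS).
    Models what a TTL-limited broadcast in step III can reach."""
    seen, order, queue = {start}, [], deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == hops:
            continue
        for nb in graph[node]:
            if nb not in seen:
                seen.add(nb)
                order.append(nb)
                queue.append((nb, depth + 1))
    return order


def connectivity_index(graph):
    """Steps II-III: C_i = number of reachable neighbours of i,
    S_i = C_i + sum of C_j over those neighbours j (equation 1)."""
    c = {n: len(nbs) for n, nbs in graph.items()}
    s = {n: c[n] + sum(c[j] for j in graph[n]) for n in graph}
    return c, s


def select_monitoring_nodes(graph, hops):
    """Steps IV-V: each node votes for the node with the highest S it heard
    within `hops`; nodes with at least one vote host the monitoring and
    decision agents. Returns the set of selected nodes."""
    _, s = connectivity_index(graph)
    heard = {n: nodes_within_hops(graph, n, hops) for n in graph}
    # Highest S wins; an exact tie is broken alphabetically (assumption, the
    # paper leaves this open).
    vote_for = {n: sorted(heard[n], key=lambda m: (-s[m], m))[0]
                for n in graph if heard[n]}
    votes = {n: set() for n in graph}
    for voter, target in vote_for.items():
        votes[target].add(voter)
    # Tie rule of step IV: two equal-S nodes that voted for each other; the one
    # with the larger total of heard S values sends "discard vote", so its own
    # vote no longer counts for the other node (reading of the rule assumed).
    for a, b in vote_for.items():
        if vote_for.get(b) == a and s[a] == s[b] and a < b:
            total = {x: sum(s[m] for m in heard[x]) for x in (a, b)}
            sender = a if total[a] >= total[b] else b
            other = b if sender == a else a
            votes[other].discard(sender)
    return {n for n, v in votes.items() if v}


def fully_covered(graph, selected, hops):
    """Check the paper's coverage claim: every node is a monitor or has one
    within `hops` hops."""
    return all(n in selected or any(m in selected for m in nodes_within_hops(graph, n, hops))
               for n in graph)


if __name__ == "__main__":
    for hops in (1, 2):
        chosen = select_monitoring_nodes(TOPOLOGY, hops)
        print(hops, "hop(s):", sorted(chosen),
              "fraction", f"{len(chosen) / len(TOPOLOGY):.2f}",
              "covered", fully_covered(TOPOLOGY, chosen, hops))
```

On this topology the one-hop setting selects three monitors and the two-hop setting two, while both leave every node within the chosen hop distance of a monitor, which is the trade-off between monitoring range and resource use that the hop selection step controls.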
The selected nodes host network-monitoring sensors that collect all packets within communication range and analyze them for known patterns of attacks. Parameters such as
• per-protocol statistics,
• number and frequency of certain packet types, and
• consistency with the model
are verified. As the physical network arrangement changes, cluster membership is dynamically updated. We now analyze the number of nodes engaged in packet monitoring; the following figure demonstrates it.
Fraction of nodes engaged in packet monitoring
In the above figure the dashed line shows the number of nodes engaged in a one-hop network and the solid line the number of nodes engaged in a two-hop network. We can see that, to monitor the same number of packets, a one-hop network needs many more nodes than a two-hop network. For example, to monitor 25% of packets, a two-hop network needs only 20% of nodes acting as network monitors, while a one-hop network needs more than 30% of nodes acting as network monitors.

Activity-monitoring process

The activity-monitoring process consists of two agents.

Packet monitoring agents

Packet monitoring is activated only when a node participates in the network. Packet-monitoring agents reside on each selected node. In Figure 6.2 above, we can see that for the case of a one-hop cluster, 5 nodes out of a total of 11 nodes host network monitoring sensors, resulting in the entire network being monitored. For instance, a packet sent from node A to node B will be received and analyzed by the monitoring node to the left of node A. In fact, for the case of a one-hop cluster, every node has at least one neighboring node hosting a packet monitoring agent, and thus the entire network is always being monitored. If system resources are scarce and security requirements can be relaxed, a two-hop system is more appropriate, as indicated in Figure 6.2 (b). Here, only 3 hosts are dedicated to packet monitoring and decision making, saving overall system resources.
Local detection agents

Local detection agents are located on each node of an ad-hoc network and act as user-level and system-level anomaly-based monitoring sensors. These agents look for suspicious activities on the host node, such as
• unusual process memory allocations,
• CPU activity,
• I/O activity, and
• user operations (invalid login attempts with a certain pattern, super-user actions, etc.).
If an anomaly is detected with strong evidence, a local detection agent will terminate the suspicious process or lock out a user and initiate re-issue of security keys for the entire network. If some inconclusive anomalous activity is detected on a host node by a monitoring agent, the node is reported to the decision agent of the cluster that the suspicious node is a member of. If more conclusive evidence is gathered about this node from any source, the action is undertaken by the agent on that node, as described above.

Intrusion Detection

Decision-making mechanism

Decision-making mechanisms for IDS systems fall into two categories:
• Collaborative decision-making mechanism: employed in a system where each node can take an active part in the intrusion detection process. However, such systems are prone to denial of service and spoofed intrusion attacks, where any (malicious) node can trigger a full-forced intrusion response, affecting the entire network.
• Independent decision-making system: certain nodes are designated to perform the decision-making functionality. This category of decision-making mechanisms is far less prone to spoofing attacks; however, the amount of information obtained by a decision-making node about each node participating in the network is limited. If a node in question has failed in local intrusion detection and all reporting mechanisms were somehow disabled, it will be difficult to detect such kinds of passive intrusion, where, for instance, a node could be intruded into and used as a passive listener on the network.
Intrusion detection process

This intrusion detection system utilizes a modified independent decision-making mechanism. Decision agents are located on the same nodes as packet monitoring agents. Detection and classification of security violations works as follows. The decision agent contains a state machine for all the nodes within the cluster it resides in. As intrusion or anomalous activity evidence is gathered for each node, the agent can decide with a certain confidence that a node has been compromised by looking at reports from the node’s own local monitoring agents and at the packet-monitoring information pertaining to that node. When a certain level of threat is reached for a node in question, the decision agent dispatches a command that an action must be undertaken by the local agents on that node, as described. In time, the threat level decreases for each node in the decision agent’s database.

Conclusion

This architecture aims to minimize the costs of network monitoring and of maintaining a non-monolithic IDS system. New agents with added functionality can be plugged in when an expansion is necessary. Moreover, based on individual security requirements, the level of monitoring can be decreased, resulting in greater availability of computational resources for the entire network. This design works only with the anomaly-based detection method. This model increases fault tolerance and scalability of the whole system. Proper distribution of the mobile agents balances the work load in the network, restricts computation-intensive analysis to fewer nodes, and eliminates the possibility of network-wide dependency on specific nodes.

Local Intrusion Detection System (LIDS)

The architecture depends on the advantages offered by the Simple Network Management Protocol (SNMP). The data used are those stored in the Management Information Base (MIB) of SNMP. Since SNMP uses UDP for communication, mobile agents are used to send requests to remote hosts to overcome the unreliability of UDP. As the figure below shows (Fig. 6.4), several collecting agents work together in LIDS as follows:
Fig 6.4: LIDS architecture
Local LIDS Agent: It does local intrusion detection and reacts to intrusion alerts from other nodes. Once a local LIDS detects an intrusion, it updates the other network nodes.
Mobile Agents: Transport SNMP requests to remote hosts to overcome the unreliability of SNMP message transfer over UDP. A LIDS can hand over a specific task to a mobile agent, which will achieve it autonomously without any help from its LIDS. This is favorable for WAHNs, in which connections are not always reliable.
MIB Agent: Provides a means of collecting MIB variables for either mobile agents or the local LIDS agent.

Conclusion: This design may use an anomaly, signature, or hybrid detection method, and is more suitable for MANET than for WSN. The innovation of this design is the use of SNMP’s data located in MIBs as audit sources and the use of mobile agents to process these data at the source node to reduce communication overheads.

Intrusion Detection Architecture based on a Static Stationary Database (IDASSD)

The architecture of this system consists of two parts:
• Mobile IDS agents: they run on every node.
• Stationary secure database: it acts as a secure trusted repository for the mobile nodes. Mobile nodes use this database to obtain the latest misuse signatures and the latest patterns of normal user activity. It contains global signatures of known misuse attacks and stores patterns of each user’s normal activity in a non-hostile environment.
The IDS agents’ responsibility is then to detect intrusions based on local audit data and to participate in a cooperative algorithm with other IDS agents on attacks.
Fig 6.5: IDS based on stationary database
Conclusion

This design also allows for the use of anomaly, signature, or hybrid detection methods. However, the use of a stationary database limits the allowed mobility duration of the nodes. This might not be acceptable at all times in the case of MANETs. Moreover, for the most part, mobile agents are merely used as static IDS agents on the nodes. Their mobility feature is not being exploited except, perhaps, during the off-line update process.

Comparison Study between Existing Mobile Agent-Based IDSs for WAHNs

In this section we compare the three existing agent-based IDSs for WAHNs. To do this we refer to the Local Intrusion Detection System, the Intrusion Detection Architecture based on a Static Stationary Database and Distributed Intrusion Detection Using Mobile Agents as LIDS, IDASSD and DIDMA respectively. The following table highlights the comparison between these three existing IDSs.

| Agent based IDSs for WAHNs | App. MANET vs. WSN | Configuration: Flat vs. Layered | Agent Distribution | Add Security / Vulnerability | ID Method | Overall IDS performance |
|---|---|---|---|---|---|---|
| LIDS | MANET | Flat | Equal | No (SNMP v3 added security!) | Hybrid | Speed up |
| IDASSD | MANET | Flat | Equal | No | Hybrid | Slow down |
| DIDMA | Both | Layered | Different | No | Anomaly | Speed up |

| Agent based IDSs for WAHNs | Flexibility in Mobility | Resource Constraints | Scalability | Interoperability | Fault Tolerance | Light vs. Heavy Weight |
|---|---|---|---|---|---|---|
| LIDS | Yes | Conservative | Yes | Yes, through SNMP | Yes | Heavy |
| IDASSD | No | Aggressive, heavy computation on every node | Yes | No | No | Heavy |
| DIDMA | Yes | Conservative | Yes | Yes | Yes | Light |

Table 6.1: Comparison between the design of LIDS, IDASSD and DIDMA against common design and parameters
Discussion: The comparison between the designs of LIDS, IDASSD and DIDMA against common design parameters can be described as below:
Applicable in MANET vs. WSN: LIDS and IDASSD are only applicable to MANETs, whereas DIDMA is used in both MANETs and WSNs.
Flat vs. Layered: LIDS and IDASSD both have a flat architecture, but DIDMA has a layered architecture. This layered architecture enables DIDMA to make the total network load smaller by separating the functional tasks into categories and dedicating each agent to a specific purpose.
Agent distribution: LIDS and IDASSD have equal agent distribution, whereas DIDMA has different agent distribution: different networks have different numbers of agent-based nodes.
Add security and vulnerability: None of the three existing agent-based IDSs (LIDS, IDASSD and DIDMA) adds security or vulnerability, except that in the case of LIDS, SNMP (Simple Network Management Protocol) v3 adds security.
Intrusion detection method: LIDS and IDASSD use both anomaly and misuse detection methods to detect intrusions, whereas DIDMA uses only the anomaly detection method.
Overall IDS performance: LIDS and DIDMA speed up IDS performance, but IDASSD slows it down because heavy computation is needed on every node.
Flexibility in mobility: Both LIDS and DIDMA provide flexibility in mobility, but IDASSD does not.
Resource constraints: With respect to resource constraints, both LIDS and DIDMA are conservative, but IDASSD is aggressive and needs heavy computation on every node.
Scalability: All three agent-based IDSs are scalable.
Interoperability: Both LIDS and DIDMA provide interoperability, but IDASSD does not.
Fault tolerance: Both LIDS and DIDMA support fault tolerance, but IDASSD does not.
Light vs. heavy weight: Both LIDS and IDASSD are heavyweight, but DIDMA is lightweight. The lightweight feature of DIDMA makes it more usable than LIDS and IDASSD.
None of the above three agent-based IDS efforts, however, shares the Lightweight Adaptive Mobile Agent-Based Intrusion Detection System’s (LAMAIDS’s) abilities for dynamically updating the detection mechanisms and adapting to network security states, nor do they include provisions to ensure their own survivability in hostile environments. So here we describe the new “Lightweight Adaptive Mobile Agent-Based Intrusion Detection System”.

Lightweight Adaptive Mobile Agent-Based Intrusion Detection System

Introduction

This portion presents a lightweight and adaptive mobile agent-based intrusion detection system (LAMAIDS) that detects intrusions from outside the network as well as from inside. A main machine, being a typical intrusion detection system residing at a secure location, creates mobile IDS agents and dispatches them into the network. The mobile IDS agents are equipped with lightweight IDS capabilities and decision-making. On each hop, the agents sniff the network traffic and look for abnormal activities using a set of rules supplied by the main machine, called the IDP. LAMAIDS has the following features:
I. Providing a highly distributed IDS, with mobile processing units to capture and analyze relevant data asynchronously and independently from the main machine,
II. Roaming the internal network, mobile agents are capable of detecting attacks from within the network,
III. Securing against attacks targeting the IDS itself, since attackers do not know the exact locations of the mobile IDS agents,
IV. Using dynamic and centrally-controlled rule-sets, meaning that these sets can adapt to the state of the network,
V. Adapting to the severity level of the attack by increasing the degree of traffic monitoring.

System Architecture

The system administrator initially starts the main intrusion detection processor (IDP) stationary component, which in turn creates the user interface agent. The latter prompts the user for the startup conditions of the system (number of startup agents and their visit lists, rule sets, severity lists, among others). The IDP then creates agents, configures them through briefcases they carry around, and dispatches them into the network. Once launched, the agents perform intrusion detection and take local measures, as well as notifying the IDP when attacks are suspected. The IDP may perform further analysis of the received data and inform the user if an attack is deemed real. Agents primarily respond to suspected attacks by means of cloning to increase the level of monitoring in the network. When the suspicious activity subsides, the cloned agents in the network become subject to gradual disposal.
This section presents the architecture of our distributed IDS. The architecture is made up of the following components:
• An intrusion detection processor,
• A mobile agent platform, and
• Distributed sensors.
A high level view of the architecture is given in Figure 6.6.
Fig 6.6: General architecture of LAMAIDS.
Intrusion Detection Processor (IDP)

This component is the cornerstone of our distributed framework. It is responsible for monitoring network segments (subnets), and acts as a central intrusion detection and agent data processing unit. The unit is placed on a strategic node to monitor network traffic for all devices on the segment. Furthermore, it is set up to send real-time alerts that are generated using rule-sets to check for errant packets entering the segment. It has three main capabilities: packet sensing, packet logging, and intrusion detection. Every now and then, log files are sent to the central intrusion processing unit (via mobile agents) for packet decoding and processing. The IDP monitors the agents’ movement in the network and guides them towards critical locations in the network if malicious activities are detected. To guarantee proper interaction with mobile agents, the IDP should exchange data and messages with the mobile agent platform. As a network watcher, the IDP provides the following intrusion detection services:
• Monitor incoming network traffic.
• Integrate correlating data sent by individual mobile agents to implement multipoint detection, especially to deal with distributed attacks coming from within the network.
• Monitor established connections within the network at a low level by scanning packets.
• Gather evidence of the attacker’s behavior during the time window between the attack detection and the response.
• Look for the exploitation of known vulnerabilities in the network by checking local intrusion signatures such as file integrity and user behavior profiles.
Mobile Agent Platform: A mobile agent platform (MAP) can create, interpret, execute, transfer, and terminate (kill) agents. The platform is responsible for accepting requests made by network users (in our case the IDP), generating mobile agents and sending them into the network to handle the tasks (in our case to start sniffing activities within the local network, stop them when necessary, and send the collected data back to the IDP for further analysis).
Fig 6.7: Mobile agent platform.
Distributed sensors and sniffer: A sniffer is a device used to tap into networks to allow an application or hardware device to eavesdrop on network traffic. The traffic can be IP, IPX (Internetwork Packet Exchange), or AppleTalk network packets. In general, sniffing is used for:
1. Network analysis and troubleshooting,
2. Performance analysis and benchmarking, or
3. Eavesdropping for clear-text passwords and other interesting tidbits of data.
Depending on the IDP’s instructions, the agent may run the sniffer for a predetermined period of time, collect the data, and send it in one batch to the IDP. Alternatively, it may run the sniffer and send data as it is captured to the IDP until it receives instructions to stop sniffing.
How does it work?

When the system is initially started, the IDP starts its own sniffer and sends a ‘START’ request to the MAP. The message specifies the number of agents to be launched and the corresponding IP address sets that each agent is expected to visit. This implies that the IDP has a registry containing all IP addresses in the local network. The MAP, in turn, creates the agents and dispatches them into the network. Now assume that an agent on its trip sends a report to the IDP that triggers an alarm. The IDP will send a ‘LODGE’ message to the agent, causing it to reactivate the sniffer at its current location and stay there, in an effort to gather more evidence on the current attack in order to study the behavior. The IDP will prompt the MAP to create a new agent that will take over the agent’s task. In this scenario, the number of active sniffers may increase to form an alert stage for faster reaction.

Implementation of LAMAIDS

IDS Implementation

The prototype IDS has been implemented on top of Snort [34] and a mobile agent system that was created locally. Snort is a full-fledged open-source network-based IDS (NIDS) that has many capabilities such as packet sniffing, packet logging and intrusion detection [33]. Snort is a signature-based IDS that uses rule-sets to check for errant packets crossing a node in the network. A rule is a set of requirements that will trigger an alert. Snort was chosen as the NIDS because of its availability, ease of configuration and customization.

Mobile agent system (MORPHEOUS)

MORPHEOUS [35] is a prototypical mobile agent system that was developed as a final year project at the American University of Beirut. The system was chosen as the mobile agent platform because of its availability, ease of running, and support for mobile agents. It consists of four entities:
• The agent factory (AF),
• The listeners,
• The officer agents (OA), and
• The soldier agents (SA).
The core of the agent system is the agent factory. It accepts requests made by the network users (in our case the Snort requests), generates the mobile agents and sends them into the network to handle tasks. On the AF host, many officer agents reside to keep track of the dispatched agents (soldier agents) over the network and the data gathered by these agents. The last element is the listener, a small program that resides on each host in the network and is responsible for accepting, running, and deleting SAs.

WinDump sniffer

WinDump is the port to the Windows platform of TcpDump that runs on all the operating systems supported by WinPcap, i.e. Windows 95, 98, ME, NT4, 2000 and XP. It was selected for the prototype because it is lightweight and popular, supports multiple operating systems, and can dynamically reconfigure its execution state.

Discussion and results:
Figure 6.8 presents the prototype network that we used to proof-concept our work. The network comprises a Linux server and three Windows hosts. Network credentials about the four computers are shown in the figure. The system is configured as follows:
• The Linux box is set as the intrusion detection processor where Snort is installed and running, in addition to the mobile agent platform.
• The other three PCs have WinDump installed on each, as well as the mobile agent platform.
When the system starts up, Snort sends MORPHEOUS an HTTP request to start sniffing and provides it with the IP addresses of PC1 and PC2. MORPHEOUS creates an agent, assigns to it the task of starting and stopping WinDump and then dispatches it into the network. The MAP listens to Snort at a specific IP address and port number. When a request is sent, the MAP checks for the type of the message (START, PROCEED, or LODGE).
Fig 6.8: A sample network.
A summary of possible message exchanges between Snort, MAP, and the agent is detailed in Table 6.2. Over several experiments, the overall trip of the agent took roughly 4.42 sec (4 sec for activating the sniffers and 0.42 sec for agent migrations, messaging between the components, and processing activities).

Message exchange between MAP and Snort

| Message | Arguments | Description |
|---|---|---|
| CONNECT | IP address, Port # | Request an HTTP connection between Snort and MAP |
| START | # of agents, IP lists | Snort to MAP to create and dispatch agents when the system starts. |
| LOGRECVED | None | MAP tells Snort that the log file is successfully received |
| PROCEED | None | Snort sends this signal if no alerts were generated out of the log file |
| LODGE | None | Snort sends this signal if malicious activities were detected |
| CLOSE | None | To terminate the HTTP connection between Snort and MAP |

Message exchanged between the local MAP and the Agent

| Message | Arguments | Description |
|---|---|---|
| NXTCONNECT | IP address, Port # | Starts connection between the agent and next host for migration |
| SENDFILE | None | The agent sends this message to its MAP to copy itself to the new host |
| CONNECT | IP address, Port # | Requests an HTTP connection to the MAP |
| SENDDATA | None | Send log file from the host where the agent resides to the main station |
| SENDINFO | None | Sends information about the host (host name, IP address, active directory) |
| PROCEED | None | Tell agent to continuously run sniffer when an intrusion is detected |
| CLOSE | None | Close the client socket with the next host. |
| DELETE | None | Tell the MAP where the agent resides to delete the agent’s directory |
| LODGE | None | MAP sends this signal if malicious activities were detected |

Table 6.2: Message exchange in the system
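The trip described under "How does it work?" and the messages of Table 6.2, replayed as a small simulation of both sides (Snort as the IDP, the MAP, and a soldier agent), as an added example that is neither the paper's nor the MORPHEOUS prototype's code. The message names are taken from the table; the three hosts, their capture logs, the ALERT marker used as a stand-in for Snort's rule matching, and the way a replacement agent inherits the rest of the visit list after a LODGE are assumptions.

```python
"""Added example, not the paper's or the prototype's code: a simulation of
the Table 6.2 control messages between Snort (the IDP), the MAP and a
roaming agent, including the LODGE case where a new agent takes over the
remaining trip. Hosts, log lines and the alert rule are constructed."""

# Constructed per-host capture logs that the agent collects with the sniffer
# and ships to the IDP with SENDDATA (assumption: one list per visited host).
HOST_LOGS = {
    "PC1": ["192.0.2.11 -> 192.0.2.1 tcp/80", "192.0.2.11 -> 192.0.2.1 tcp/443"],
    "PC2": ["192.0.2.12 -> 192.0.2.1 tcp/80", "192.0.2.12 -> 192.0.2.99 ALERT"],
    "PC3": ["192.0.2.13 -> 192.0.2.1 udp/53"],
}


def alert_rule(line):
    """Stand-in for Snort rule matching (assumption): the capture marked the line ALERT."""
    return "ALERT" in line


class Snort:
    """IDP side: issues START, evaluates each received log, answers PROCEED or LODGE."""

    def __init__(self):
        self.transcript = []

    def start(self, n_agents, ip_lists):
        msg = ("START", n_agents, ip_lists)
        self.transcript.append(("Snort->MAP",) + msg)
        return msg

    def receive_log(self, host, lines):
        verdict = "LODGE" if any(alert_rule(l) for l in lines) else "PROCEED"
        self.transcript.append(("Snort->MAP", verdict, host))
        return verdict


class Agent:
    """A soldier agent with a visit list; `pos` is the host it currently sits on."""

    def __init__(self, name, visit_list):
        self.name, self.visit_list, self.pos, self.lodged = name, list(visit_list), 0, False

    @property
    def host(self):
        return self.visit_list[self.pos]

    def remaining(self):
        return self.visit_list[self.pos + 1:]


class MAP:
    """Mobile agent platform: creates agents on START and relays messages both ways."""

    def __init__(self, snort, host_logs):
        self.snort, self.host_logs, self.agents, self.log = snort, host_logs, [], []

    def handle(self, msg):
        kind, n_agents, ip_lists = msg
        if kind != "START":
            raise ValueError(f"unexpected message {kind}")
        for k in range(n_agents):
            self.agents.append(Agent(f"SA{k + 1}", ip_lists[k]))
        for agent in list(self.agents):
            self.run_trip(agent)

    def run_trip(self, agent):
        while True:
            for m in ("CONNECT", "SENDINFO", "SENDDATA"):   # agent -> its local MAP -> IDP
                self.log.append((agent.name, agent.host, m))
            verdict = self.snort.receive_log(agent.host, self.host_logs[agent.host])
            self.log.append(("MAP", agent.host, "LOGRECVED"))
            if verdict == "LODGE":
                agent.lodged = True                         # stay put, keep the sniffer running
                self.log.append((agent.name, agent.host, "LODGE"))
                if agent.remaining():                       # a fresh agent takes over the trip
                    spare = Agent(agent.name + "'", agent.remaining())
                    self.agents.append(spare)
                    self.run_trip(spare)
                return
            if not agent.remaining():
                self.log.append((agent.name, agent.host, "CLOSE"))
                return
            nxt = agent.remaining()[0]                      # PROCEED: migrate to the next host
            self.log.append((agent.name, nxt, "NXTCONNECT"))
            self.log.append((agent.name, nxt, "SENDFILE"))
            self.log.append((agent.name, agent.host, "DELETE"))
            agent.pos += 1


def run_demo():
    snort = Snort()
    platform = MAP(snort, HOST_LOGS)
    platform.handle(snort.start(1, [["PC1", "PC2", "PC3"]]))
    return snort, platform


if __name__ == "__main__":
    s, p = run_demo()
    for entry in p.log:
        print(*entry)
    print([a.name for a in p.agents if a.lodged], "lodged")
```

With these constructed logs the agent proceeds past PC1, is told to LODGE at PC2, and a replacement agent finishes the visit list at PC3, so two sniffers are active at the end of the run, which is the "alert stage" behaviour the text describes.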
Sample output for Snort (Signature Based) IDS
Here is a sample output of the Snort signature-based IDS, which shows that the number of packets received is 4300 and the number analyzed is 4299. The number of packets dropped, filtered and injected is 0. Only 1 packet is outstanding.

Conclusion:
Here we highlight an architecture for a distributed intrusion detection and defense system based on mobile agents that detects intrusions from outside and inside a network segment. The system is shown to be efficient, robust, and flexible. The system potentially reduces the massive amount of distributed log data moved among the inner nodes of a conventional IDS. Having mobile IDS agents visit hosts and do intrusion detection locally is well suited to the ability of mobile agents to move the computation to the data, thus reducing network load. Furthermore, the developed architecture implements a robust and attack-resistant IDS (inherited from agent mobility). There is no single vulnerable point of failure.

Recent Analysis and Work on Intrusion Detection System using Mobile Agent in Ad-hoc Network

Introduction: In this chapter, a new attempt has been made and worked out effectively against attacks in wireless networks. This chapter incorporates agent and data mining methods to provide a solution against security issues in MANETs. With the help of a home agent and mobile agents, it gathers information from its own system and neighboring systems to identify any attack, and uses data mining techniques to find out which attacks have been made in the network.

New approach: R. Nakkeeran, T. Aruldoss Albert and R. Ezumalai propose this new approach. It is entirely based on the anomaly-based method, which is used to address security problems related to attacks in wireless networks. This chapter incorporates new methodologies such as mining and agents to provide solutions for wireless networks. The system provides three different techniques to give a sufficient security solution for the current node, the neighboring node and the global network:
1. It monitors its own system and its environment dynamically. It uses classifier construction to find out the local anomaly.
2. Whenever a node wants to transfer information from node F to node B, it broadcasts the message to E and A. Before it sends the message, it gathers the neighboring nodes’ (E and B) information using a mobile agent. It calls the classifier rule to find out attacks with the help of the test/train data.
3. It provides the same type of solution throughout the global network.
This is explained in the following section.
Fig 7.1: General view of the system.
Current node - A Home Agent is present in the system and monitors its own system continuously. If an attacker sends any packet to gather information or broadcasts through this system, it calls the classifier construction to find out the attacks. If an attack has been made, it will filter the respective system from the global network.
Neighboring node - When any system in the network transfers information to some other system, it broadcasts through intermediate systems. Before it transfers the message, it sends a mobile agent to the neighboring node to gather all the information; the agent returns to the system, which calls the classifier rule to find out attacks. If there is no suspicious activity, then it forwards the message to the neighboring node.
Data collection - A data collection module is included for each anomaly detection subsystem to collect the values of features for the corresponding layer in a system. A normal profile is created using the data collected during the normal scenario. Attack data is collected during the attack scenario.
Data preprocess - The audit data is collected in a file and smoothed so that it can be used for anomaly detection. Data preprocessing is a technique to process the information with the test/train data. In all the layer anomaly detection systems, the above mentioned preprocessing technique is used.
System architecture: The following figure clearly depicts the architecture of the system to prevent the attacks in wireless networks. The following section outlines each module’s work in detail.
Fig 7.2: Architecture of the system.
Home Agent: A home agent is present in each system and gathers information about its system from the application layer to the routing layer.

Cross feature analysis for classifier sub-model construction:
• For each feature or character vector f in the training data set, calculate classifier C using the Naïve Bayesian classification algorithm. The probability P(f1, f2, …, fi) is learned.
• Compute the average probability for each feature vector f, and save it in a probability distribution matrix M. A decision threshold θ is learned from the training data set. A normal profile is created using the threshold value. If the probability is greater than the threshold value it is labeled as normal, otherwise it is labeled as abnormal.

Anomaly detection:
Input: Preprocessed train data, preprocessed test data
Output: Percentage of anomaly
1. Read the processed data set file
2. Call the Bayesian classifier program for training the classifier for anomaly detection
3. Read the test data file
4. Test the classifier model with the test data file
5. Print the confusion matrix to show the actual class vs. predicted class
6. Percentage of anomaly is calculated as follows:

$\text{Percentage} = \frac{\text{Number of predicted abnormal class} \times 100}{\text{Total number of traces}}$

Local integration

The local integration module concentrates on the node’s own system and finds out the local anomaly attacks. Each and every system under the wireless network follows the same methodology to provide a secure global network.

Global integration

The global integration module is used to find the intrusion result for the entire network. The aim of global integration is to consider the neighbor node(s)’ result for taking a decision towards the response module.

Experimental results:

A number of attacks have been tested to prevent attacks in the wireless network. This system not only blocks the application-oriented issues, it also stops some of the network security issues. A limited number of attacks were considered and tested with this proposed system to find out the attacks, and encouraging results were obtained. The following parameters were taken to analyze the efficiency of the proposed system.

| Parameters | Values |
|---|---|
| No. of nodes | 30 |
| Terrain range | 2000 * 2000 Meters |
| Routing layer protocol | Dynamic source routing (DSR) |
| Mobility model | Random way point |

Table 7.1: Input parameter consideration.
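The cross feature analysis and the anomaly detection procedure above (a Naïve Bayes sub-model per feature, the averaged probability compared against a threshold θ learned from the training set, the confusion matrix and the percentage-of-anomaly formula), carried out on constructed audit traces, as an added example that is not the authors' code. The three categorical features, the trace values, Laplace smoothing in the per-feature classifiers and the choice of θ as the lowest score seen on the normal training traces are assumptions; the paper does not state how θ is learned.

```python
"""Added example, not the paper's code: cross-feature analysis with one
Naive Bayes sub-model per feature, a threshold learned from normal traces,
the confusion matrix and the percentage-of-anomaly formula. All traces are
constructed; smoothing and the threshold rule are assumptions."""
from collections import Counter

# Constructed audit traces (assumption): (traffic_rate, route_state, ack_state)
# observed per window on one node during the normal scenario.
TRAIN_NORMAL = [
    ("low", "stable", "ok"), ("low", "stable", "ok"), ("mid", "stable", "ok"),
    ("mid", "stable", "ok"), ("low", "stable", "ok"), ("mid", "stable", "ok"),
]
# Constructed test traces with their true class.
TEST = [
    (("low", "stable", "ok"), "normal"),
    (("mid", "stable", "ok"), "normal"),
    (("high", "stable", "ok"), "abnormal"),          # one unseen feature value
    (("high", "flapping", "dropped"), "abnormal"),   # every feature value unseen
]


class CrossFeatureModel:
    """For each feature i, a Naive Bayes classifier predicts f_i from the other
    features; a trace's score is the mean probability assigned to its actual
    values (the 'average probability' saved in matrix M)."""

    def __init__(self, traces):
        self.traces = list(traces)
        self.n_features = len(self.traces[0])
        self.values = [{t[i] for t in self.traces} for i in range(self.n_features)]
        self.single = Counter()   # (i, v): how often feature i took value v
        self.pair = Counter()     # (i, v, j, w): v for feature i together with w for feature j
        for t in self.traces:
            for i, v in enumerate(t):
                self.single[(i, v)] += 1
                for j, w in enumerate(t):
                    if i != j:
                        self.pair[(i, v, j, w)] += 1
        # Threshold θ: lowest score among the (all normal) training traces (assumption).
        self.threshold = min(self.score(t) for t in self.traces)

    def _posterior(self, x, i):
        """P(f_i = x[i] | other features of x) with Laplace smoothing (assumption),
        so that an unseen value still gets a small, non-zero probability."""
        classes = self.values[i] | {x[i]}
        n = len(self.traces)
        unnorm = {}
        for c in classes:
            cnt = self.single[(i, c)]
            p = (cnt + 1) / (n + len(classes))
            for j, w in enumerate(x):
                if j != i:
                    dom = len(self.values[j] | {w})
                    p *= (self.pair[(i, c, j, w)] + 1) / (cnt + dom)
            unnorm[c] = p
        return unnorm[x[i]] / sum(unnorm.values())

    def score(self, x):
        return sum(self._posterior(x, i) for i in range(self.n_features)) / self.n_features

    def label(self, x):
        return "normal" if self.score(x) >= self.threshold else "abnormal"


def evaluate(model, test):
    """Steps 4-6: confusion matrix keyed (actual, predicted) and the percentage
    of anomaly = predicted abnormal * 100 / total traces."""
    confusion = Counter()
    for trace, truth in test:
        confusion[(truth, model.label(trace))] += 1
    predicted_abnormal = sum(v for (_, pred), v in confusion.items() if pred == "abnormal")
    return confusion, predicted_abnormal * 100 / len(test)


if __name__ == "__main__":
    m = CrossFeatureModel(TRAIN_NORMAL)
    conf, pct = evaluate(m, TEST)
    print("threshold", round(m.threshold, 4))
    for (actual, pred), count in sorted(conf.items()):
        print(f"actual={actual:9s} predicted={pred:9s} {count}")
    print("percentage of anomaly", pct)
```

The two abnormal traces fall below θ because at least one feature value cannot be predicted from the others, which is the property cross feature analysis relies on; the normal test traces match the training profile and score exactly at θ, so the comparison is written as "greater than or equal" to keep the training minimum itself on the normal side.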
This system was tested with a limited number of attacks present in wireless networks. It shows encouraging results in support of the proposed system. The detection rate of anomalies in our proposed system is high, which encourages the system.

| Detection Module | Detection Rate |
|---|---|
| Anomaly Detection | 80% |
| Local Integration | 95.41% |
| Global Integration | 94.33% |

Table 7.2: Detection rate of the system.
This system acts as an intrusion prevention system to detect and prevent attacks. The drawback of existing intrusion prevention systems is that they can generate more false alarms, though they may work efficiently. This system is able to stop the attacks while not generating false alarms, and it works effectively against web parameter attacks. A limited number of accesses were considered and tested with this proposed system to find out the alarm rates.

| Detection Module | False positivity |
|---|---|
| Anomaly Detection | 1.0% |
| Local Integration | 0.8% |
| Global Integration | 0.75% |

Table 7.3: Alarm rate of the system.
Conclusion: In this work, an anomaly detection system comprises detection modules for detecting anomalies in each layer. This system is cooperative and distributive; it considers the anomaly detection result from the neighbor node(s) and sends the current working node's result to its neighbor node(s). Experimental results show that the detection rate is increased when compared to the other mechanisms. The false positive rate is also reduced in this mechanism. Traditional security mechanisms such as IDS and firewalls have not been sufficient to provide security for wireless networks; however, this mechanism is able to block abnormal approaches to wireless networks and to detect previously unknown attacks as well as variations of known attacks.
Proposed model based on the concept of LAMAIDS and recent analysis of Intrusion Detection System using Mobile Agent

Here we propose a model based on the concept of LAMAIDS and the recent analysis of Intrusion Detection System using Mobile Agent, with just a few modifications, to implement a hybrid mobile agent based IDS which will be able to detect signature based as well as anomaly based intrusions. This model

System Architecture
Fig 8.1: General view of our proposed agent based IDS
The above figure depicts a simple view of our proposed model. Here the IDP (Intrusion detection processor) is used for detecting signature based intrusions and each node’s classifier is used for detecting anomaly based intrusions. The IDP plays the role of a network based IDS and the home agent residing in each node plays the role of a host based IDS. This model is a combination of two types of agent based IDS, so we hope that it will be more effective in detecting any kind of intrusion, whether known or unknown. The intrusion detection processor works as discussed in LAMAIDS, but the drawback is that we use Snort as our IDS, which is a signature based IDS. Snort is configured using a database of signatures which characterize network packets that are potentially malicious. Using this database, Snort monitors a network connection and logs all occurrences of network packets that match any of the configured signatures. As is the case with any misuse based system, however, Snort cannot detect events for which no signatures have been developed. Anomaly detection refers to an approach where a system is trained to learn the “normal behavior” of a network. An alarm is raised when the network is observed to deviate from this learned definition of normality. This type of system is theoretically capable of detecting unknown attacks, overcoming a clear limitation of the misuse approach. However, because an alarm is based on a detected change in an abstract representation of the network behavior, information about the root cause of the deviation may be difficult to infer.
Fig 8.2: Architecture of the proposed system (figure not reproduced). Panels: Global Integration; the IDP running Snort as IDS and Aglet as Mobile Agent; nodes A, B and C, each running a Home Agent, WinDump as Sniffer and a Classifier, connected to the IDP through Aglet as Mobile Agent.
Defining the classifier: We use the following function f(n) for each node n to define the classifier. The value of f(n) should always be 2; otherwise an attack is detected and the corresponding node is considered a misbehaving node. We introduce a threshold value equal to 2. After calculating f(n) for each node, we compare it to the threshold: if it is equal, no alarm is raised; if it is less than the threshold it is determined to be a class 1 attack, and if it is greater than the threshold it is determined to be a class 2 attack, and the necessary alarm is raised.

$$f(n) = \frac{NFP(n)}{NR_{ack}(n)} + \frac{NRP(n)}{ENRP(n)}$$

where NFP(n) is the number of packets forwarded by node n, NR_ack(n) is the number of acknowledgments received by node n, NRP(n) is the number of packets received by node n, and ENRP(n) is the expected number of packets received by node n. f(n) should always be 2.
Threshold (TH) value = 2
f(n) = TH: no attack is detected.
f(n) < TH: class 1 attack detected, alarm raised.
f(n) > TH: class 2 attack detected, alarm raised.
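As an added illustration (not code from the paper), the following Python implements the per-node classifier above for the nodes of Fig 8.2 using constructed counter values. The NodeStats record, the tolerance used for the equality test and the reporting of a zero denominator as "undefined" are assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical per-node counters, constructed for this example (not the paper's code).
@dataclass
class NodeStats:
    node: str
    nfp: int      # NFP(n): packets forwarded by node n
    nr_ack: int   # NR_ack(n): acknowledgments received by node n
    nrp: int      # NRP(n): packets received by node n
    enrp: int     # ENRP(n): expected number of packets received by node n

THRESHOLD = 2.0   # TH from the paper: f(n) == 2 for a well-behaved node
EPSILON = 1e-9    # assumption: tolerance for the equality test on floating-point ratios

def f(stats: NodeStats) -> float:
    """f(n) = NFP(n)/NR_ack(n) + NRP(n)/ENRP(n). Raises if a denominator is zero."""
    if stats.nr_ack == 0 or stats.enrp == 0:
        raise ValueError(f"node {stats.node}: zero denominator, f(n) undefined")
    return stats.nfp / stats.nr_ack + stats.nrp / stats.enrp

def classify(stats: NodeStats) -> str:
    """Return 'normal' (f == TH), 'class1' (f < TH) or 'class2' (f > TH)."""
    value = f(stats)
    if abs(value - THRESHOLD) <= EPSILON:
        return "normal"
    return "class1" if value < THRESHOLD else "class2"

def run_classifier(nodes):
    """Evaluate every node and return (node, f(n), verdict) tuples, the first-level
    analysis a home agent would forward to the IDP. A node whose counters make f(n)
    undefined is reported as 'undefined' instead of crashing the agent."""
    report = []
    for s in nodes:
        try:
            report.append((s.node, round(f(s), 3), classify(s)))
        except ValueError:
            report.append((s.node, None, "undefined"))
    return report

# Constructed sample counters (assumed values, not measurements from the paper).
SAMPLE = [
    NodeStats("A", nfp=100, nr_ack=100, nrp=250, enrp=250),  # both ratios 1: f = 2
    NodeStats("B", nfp=40, nr_ack=100, nrp=250, enrp=250),   # forwards less than acked: f < 2
    NodeStats("C", nfp=100, nr_ack=100, nrp=400, enrp=250),  # receives more than expected: f > 2
    NodeStats("D", nfp=0, nr_ack=0, nrp=10, enrp=10),        # no acknowledgments yet
]

if __name__ == "__main__":
    for node, value, verdict in run_classifier(SAMPLE):
        print(f"node {node}: f(n)={value} -> {verdict}")
```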
Implementation of proposed system
IDP implementation
The IDP consists of two parts: one is the IDS and the other is the mobile agent. We use Snort_2_9_0_2_Installer.exe as our IDS and the Snort rules from http://www.snort.org. Download IDScenter 1.1 RC4 from http://www.engagesecurity.com/downloads, then install it.
Snort Installation
Do the following on the Windows XP virtual machine:
1. Download Snort_2_9_0_2_Installer.exe, IDSCenter 1.1 RC4, and the Snort rules.
2. Run the Snort_2_9_0_2_Installer.exe file.
3. Accept the default selection of components to install. Here we use the default installation folder (C:\Snort).
4. Complete the installation of Snort.
5. Right-click My Computer, then select “Properties”.
6. Click the “Advanced” tab.
7. In the middle of the “System Properties” screen, click the “Environment Variables” button.
8. Click “Path” to select it, then append the following to the “Variable Value”: ;C:\Snort\bin
9. Click “OK” to close the “Edit System Variable” screen, then the “Environment Variables” screen, then the “System Properties” screen.
10. Open “Command Prompt” and run “snort -W”. (If Snort has started correctly, we will see the small “piggy” in the upper left corner.)
11. The command displays the device names for the network adapters on our computer. Copy the device name (NIC), which looks like \Device\NPF_{592C2220-E3BC-49C4-8EFB81089DBE6BAC}, save it as Devices.txt in C:\Snort\ and close the file.
12. Make a backup copy of snort.conf and unzip the downloaded rule files into C:\Snort\rules.
IDSCenter Installation and Configuration
Do the following on the Windows XP virtual machine:
1. Run the downloaded IDSCenter 1.1 RC4 installer file; we must configure some initial settings before the installation completes.
2. In the “Snort executable file” box type C:\Snort\bin\snort.exe, and in the “Set a logging directory and standard log file” box type C:\Snort\log\alert.ids.
3. In the left panel, click the icon for “Snort options”. The right panel will refresh.
4. Click the ellipsis button next to the “Configuration file (Snort.conf, -c)” box and browse to the path of snort.conf. By default this is in the \etc subfolder of the Snort installation folder (C:\Snort\etc\snort.conf).
5. In the left panel, click “Wizards”, then click the icon for “Network variables”. In the right panel, click “HOME_NET”, then click the “Edit variable” button.
6. A new area called “Network address configuration” appears. Click the “Single host/network/parameter” radio button. In the “Available IP’s” box, make sure 172.xxx.xxx.xxx is selected, and in the “CIDR subnet configurations:” box select “/24 1 Class C 256 hosts”.
7. Click the “Select/Add” button. The IP address of the machine will appear in the text box below the “Single host/network/parameter” radio button. Click the “Apply” button to close the “Network address configuration” area. Then click “RULE_PATH”, then “Edit variable”.
8. Click the “Single host/network/parameter” radio button. In the text box below the radio button, enter the path to your rules, e.g. C:\Snort\rules. Click the “Apply” button to close the “Network address configuration” area.
9. In the left panel, click the icon for “Preprocessors”, then “Stream4 and Frag2”. Under “Stream4:” select “Detect scans” and “Disable evasion alerts”. Under “Stream4 TCP streams reassembly directive” select “client side”.
10. Click the “Protocol preprocessors” tab. One of the preprocessors on this tab is “IP conversation”; it tracks conversations in network traffic and is required for running portscan2. Select “IP protocol conversation (TCP, UDP, ICMP traffic)”. Click the “Portscan detection” tab and select “Portscan2 preprocessor”.
11. In the “Log folder” box, enter \ps2log. In the left panel, click the icon for “Rules/Signatures”. In the “Rule file(s)” box in the right panel, look for and select the entry for “classification.config:” and click the “Select” button. A new line will appear under “Classification file”; by default the classification.config file in the \etc subfolder is used. In the left panel, click the “Logs” tab. Under “Packet logging options”, select “Decode link layer header (-e)” and “Dump application layer (-d)”. Then open Devices.txt (part 8.2.1.1 step 11), copy the device name and paste it into the “Network interface # (-i)” text box under “Network settings”.
12. In the left panel, click the “Alerts” tab and then click the icon for “Alert detection”. Click “Add alert file”.
13. In the left panel, click the icon for “Alert notification”. In the right panel, select the “Start alarm sound when an alert is logged” radio button. Click the ellipsis button and select C:\Windows\Media\chord.wav.
14. Click the “Apply” button in the top row of the IDSCenter screen. To check for configuration errors, click the “General” tab and then the icon for “Overview”. The upper portion of the right panel tells you whether you have any configuration errors.
15. To work around the IDSCenter bug, click the icon for “Snort options”. You will see the content of snort.conf again. Replace the following two lines:
    preprocessor http_inspect: global \
    preprocessor http_inspect_server: server default \
    with:
    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500
16. If there is a line preprocessor sfportscan: proto { all }\, comment it out by adding a # sign at the beginning of the line.
17. Click the “Save” button, then click “Yes” to overwrite the file.
18. Click the “Test settings” button in the top row of the IDSCenter screen. A command console opens; if the test succeeds, the command prompt will either close by itself or end with “Snort exiting”.
19. If there is a configuration error, the console will report a “fatal error” and suspend. If so, go over the configuration steps for errors and test the configuration again.
20. Once the test has run, you should have these contents in the \log subfolder. Close the command console for the Snort test.
Running Snort from IDSCenter
Do the following on the Windows XP virtual machine:
1. Start IDSCenter. We will see a splash screen but not the IDSCenter screen. Double-click the IDSCenter icon in the system tray to bring up the IDSCenter screen. Click the “Start Snort” button in the upper-left corner.
2. In IDSCenter, click the “Reset Alarm” button if there are speakers hooked up to your computer and the alarm is becoming annoying. Click the “Stop Snort” button. Close the Snort command console. Exit IDSCenter.
Mobile agent implementation
Here we use Aglets as the mobile agent platform. The aglet represents the next leap forward in the evolution of executable content on the Internet, introducing program code that can be transported along with state information. Aglets are Java objects that can move from one host on the Internet to another. That is, an aglet that executes on one host can suddenly halt execution, dispatch itself to a remote host, and resume execution there. When the aglet moves, it takes along its program code as well as its data. The Aglets Software Development Kit is free software from IBM; download it from http://www.trl.ibm.com/aglets/download_e.htm to get started writing Internet agents in Java.
Sniffer and classifier
Next we install WinDump as our packet sniffer, which can be downloaded from http://www.winpcap.org/windump/install/default.htm, and then set up our classifier by analyzing the training and test data.
Conclusion and Future Work
We have proposed a Distributed Hybrid Agent Based Intrusion Detection System to increase the security of wireless networks in ad hoc mode. The system utilizes open source solutions, thus minimizing deployment and maintenance costs to a large extent. The analogy between LAMAIDS and the agent-based efficient anomaly intrusion detection system represents a rich source of inspiration for the development of new defense mechanisms, be they algorithms and intrusion detection techniques, security policies aware of possible flaws, or even entire security systems. By exploring this analogy, the proposed IDS combines learning and specialization into a hybrid architecture of intrusion detection and response. In this way, the proposed IDS is able to detect and respond to unknown attacks, improving its accuracy and efficiency on subsequent exploitations.
By using a mobile agent platform that allows us to incorporate object-oriented design techniques, we are able to treat the agent engines as a uniform interface for agents to access the data generated by each type of monitoring system. Our system architecture realizes the scalability of mobile-agent-based approaches, and addresses the flexibility, extensibility, and delay limitations of existing approaches. Our proposed system architecture presented in section 8.1 illustrates how it can incorporate both misuse and anomaly approaches by implementing agents that employ each technique. Our distributed architecture can handle distributed attacks. By distributed attacks, we mean attacks accomplished when the attacker moves from one cell to another. Detecting them can be done in either of two ways:
1. Data collection and analysis are done in a centralized fashion by the central administrator.
2. Data collection is distributed locally to the various agents and the analysis of the collected data is done centrally.
In our proposed system, data collection is localized on the agents of the respective cells. The first level of analysis is also done in the agents. Then all the collected data are sent to the central intrusion detection processor. As our current work focuses on the implementation of our proposed system, in the future we would like to investigate enhancement of the detection portion of the framework.