Multi - Level Intrusion Detection Model Using Mobile Agents In Distributed Network Environment
Published by: ijcsis on Jun 12, 2010
Copyright:Attribution Non-commercial
MULTI-LEVEL INTRUSION DETECTION MODEL USING MOBILE AGENTS IN DISTRIBUTED NETWORK ENVIRONMENT

S. Ramamoorthy, Research Scholar, Sathyabama University, Chennai, mailrmoorthy@yahoo.com
Dr. V. Shanthi, Professor, St. Joseph's College of Engineering, Chennai, drvshanthi@yahoo.co.in
ABSTRACT

Computer security in today's networks is one of the fastest expanding areas of the computer industry. Protecting resources from intruders is therefore a difficult task that must be automated so that it is efficient and responsive. Most intrusion-detection systems currently rely on some type of centralized processing to analyze the data necessary to detect an intruder in real time. A centralized approach can be vulnerable to attack: if an intruder can disable the central detection system, most protection is weakened. The paper presented here demonstrates that independent detection agents can be run in a distributed fashion at three levels, each operating mostly independently of the others, while cooperating and communicating with the help of mobile agents to provide a truly distributed detection mechanism without a single point of failure. The agents can run alongside user and system applications without consuming many system resources, and without generating much network traffic during an attack.
1. INTRODUCTION

Intrusion detection means identifying any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity. Generally there are two types of intrusion detection, namely misuse detection and anomaly detection. Misuse detection deals with finding known patterns of attack such as the chain loop attack, denial of service attack, etc., while anomaly detection deals with identifying the deviation of a user from normal behaviour. Intrusion detection systems are broadly classified into host-based systems, network-based systems and distributed systems. Intrusion detection systems that operate on a host to detect malicious activity on that host are called host-based intrusion detection systems, and intrusion detection systems that operate on network data flows are called network-based intrusion detection systems. The third category is the distributed intrusion detection system, where IDS modules are installed on each machine and processed independently. The goal of an IDS is to reduce the number of false positives as much as possible.

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, May 2010, p. 106, http://sites.google.com/site/ijcsis/, ISSN 1947-5500
2. LITERATURE SURVEY

DIDMA [1] is a system developed to detect intrusion activities throughout the network. It uses mobile agents that can move from one node to another within a network and perform the aggregation and correlation of intrusion-related data. Static agents on all hosts inform the mobile agent about the status of the system. The mobile agent roams about the network, collects the data and goes to the mobile agent dispatcher. The mobile agent dispatcher dispatches the appropriate mobile agent and sends it to the victim host for processing.

AID [2] is a client-server architecture that consists of agents residing on network hosts and a central monitoring station. Information is collected by the agents and sent to the central monitor for processing and analysis. It currently implements 100 rules and can detect ten attack scenarios. The prototype monitor is capable of handling eight agents. This system currently runs only on UNIX-based systems.

The AAFID architecture [3] appears the most similar to the proposed work. AAFID is designed as a hierarchy of components, with agents at the lowest level of the tree performing the most basic functions. Agents can be added, started, or stopped depending on the needs of the system. AAFID agents detect basic operations and report to a transceiver, which performs some basic analysis on the data and sends commands to the agents. A transceiver may transmit data to a transceiver on another host. If any interesting activity takes place, it is reported up the hierarchy to a monitor. The monitor analyzes the data of many transceivers to detect intrusions in the network. A monitor may report information to a higher-level monitor. The AAFID monitors still provide a central failure point in the system. AAFID has been developed into two prototypes: AAFID, which had many hard-coded variables and used UDP for inter-host communication, and AAFID2, which was developed completely in Perl and is more robust. They run only on Unix-based systems.

In [4] a system has been presented that contains three levels, each monitoring independently while cooperating and communicating among themselves with the help of mobile agents, thus forming a distributed detection mechanism.

EMERALD [5] is a system developed by SRI International with research funding from DARPA. It is designed to monitor large distributed networks with analysis and response units called monitors. Monitors are used sparingly throughout the domain to analyze network services. The information from these monitors is passed to other monitors that perform domain-wide correlation, obtaining a higher view of the network. These in turn report to higher-level enterprise monitors that analyze the entire network. EMERALD is a rule-based system. The target operating system has not been stated, but it is being designed as a multi-platform system. EMERALD provides a distributed architecture with no central controller or director; since the monitors are placed sparingly throughout the network, they could miss events happening on an unmonitored section. Our approach is to employ agents on many hosts to attempt detection of all suspicious activity.
3. SYSTEM ARCHITECTURE

The intrusion detection system is installed at three levels, namely network level, subnet level and node level, and the corresponding intrusion detection systems are called network monitor, subnet monitor and node detector. At each level, the intrusion detection system includes an information database, knowledge database, high level analysing engine, log sensor module, host sensor
[Figure: components of the intrusion detection system at one level: knowledge base, responding engine, communication control, broadcast sender, broadcast receiver, mobile agent dispatcher, mobile agent receiver, high level analysing engine (anomaly detector, misuse detector), IDS traffic controller, information database, collector, sensors, log files, active hosts, and links to the detectors at the higher and lower levels.]
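As an added illustration, not code from the paper, the following toy Python model shows the three-level idea in miniature: node detectors run misuse detection (known signatures) and anomaly detection (deviation from a baseline) on their own logs, a subnet-level monitor correlates what mobile agents carry up, and the node level keeps detecting when the monitor above it is unreachable. All class names, signatures, thresholds and log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed knowledge base of misuse signatures (an assumption, not the paper's rule set).
SIGNATURES = {"denial_of_service": re.compile(r"SYN flood from (\S+)"),
              "chain_loop": re.compile(r"forwarding loop via (\S+)")}
FAILED_LOGIN = re.compile(r"failed login for (\S+)")

class NodeDetector:  # node level: misuse detection (known patterns) plus anomaly detection
    def __init__(self, host, baseline_failed_logins=2):
        self.host, self.baseline, self.alerts = host, baseline_failed_logins, []
    def analyse(self, log_lines):
        new, failed = [], defaultdict(int)
        for line in log_lines:
            for attack, sig in SIGNATURES.items():
                if m := sig.search(line):
                    new.append({"host": self.host, "kind": "misuse", "attack": attack, "src": m.group(1)})
            if m := FAILED_LOGIN.search(line):
                failed[m.group(1)] += 1
        for user, n in failed.items():
            if n > 2 * self.baseline:  # deviation from the user's normal profile
                new.append({"host": self.host, "kind": "anomaly", "user": user, "count": n})
        self.alerts.extend(new)  # the node's own record survives whatever happens above it
        return new

class Monitor:  # subnet or network level: correlates alerts that mobile agents carry up
    def __init__(self, name, reachable=True):
        self.name, self.reachable, self.received = name, reachable, []
    def receive_agent(self, payload):  # a mobile agent arriving from a lower level
        if not self.reachable:  # this level is down: the agent is not delivered
            return False
        self.received.extend(payload)
        return True
    def correlate(self):  # sources reported as misuse by more than one lower-level detector
        hosts_by_src = defaultdict(set)
        for a in self.received:
            if a["kind"] == "misuse":
                hosts_by_src[a["src"]].add(a["host"])
        return {s: sorted(h) for s, h in hosts_by_src.items() if len(h) > 1}

# Constructed sample log lines for two nodes of one subnet.
LOGS_A = ["kernel: SYN flood from 10.0.0.9"] + ["sshd: failed login for bob"] * 5
LOGS_B = ["kernel: SYN flood from 10.0.0.9", "router: forwarding loop via 10.0.0.7"]

def run_demo(subnet_reachable=True):
    subnet, nodes = Monitor("subnet-1", subnet_reachable), [NodeDetector("hostA"), NodeDetector("hostB")]
    for node, logs in zip(nodes, (LOGS_A, LOGS_B)):
        node.analyse(logs)
    delivered = [subnet.receive_agent(list(n.alerts)) for n in nodes]  # mobile agent dispatch
    return {"node_alerts": sum(len(n.alerts) for n in nodes), "delivered": delivered,
            "correlated": subnet.correlate()}
```

Running `run_demo(False)` shows the failure mode the paper argues for: the subnet monitor delivers nothing and correlates nothing, yet both nodes still hold their four local alerts.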