International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online)
Volume 4, Issue 1, January-February (2013), pp. 392-397
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI), www.jifactor.com
SECURE MASID: SECURE MULTI-AGENT SYSTEM FOR
INTRUSION DETECTION
Shraddha Chaurasia, P.G. Student, MTech. (CSE), Department of Computer Science & Engineering, G.H. Raisoni College of Engineering, Nagpur, India
Lalit Dole, Assistant Professor, Department of Computer Science & Engineering, G.H. Raisoni College of Engineering, Nagpur, India
ABSTRACT
In this paper, we modify an existing multi-agent system for intrusion detection by providing more security to the agents in this system. First, we present a review of existing intrusion detection systems, and then propose a strategy for securing the agents in MASID. Previously, intrusion detection was done at different levels, such as host-based intrusion detection, but the most recent advancement is the multi-agent system for intrusion detection. Finally, we discuss the implementation of secure MASID and show how the agents in MASID can be secured using the AES algorithm.
Keywords: MANET, intrusion, multi-agent, distributed, AES.
I. INTRODUCTION
One of the most important issues in computer networks is the security of the data being transferred between computers. As use of the internet has increased, there are many ways in which a computer may be attacked, including hacking, intrusion, etc.
Any activity that tries to harm your computer is known as intrusion. This activity degrades the computer's performance. Compared to wired networks, wireless networks are more susceptible to attack because most of the parameters in this type of network are dynamic; these parameters include infrastructure, topology, etc. There are various measures for providing security to a wireless network, such as authentication and firewalls. When there is an intrusion, intrusion detection and prevention become necessary.
The process of detecting suspicious activities in a computer is known as intrusion detection. Misuse, anomaly and specification-based detection are some of the techniques for detecting intrusion. Misuse detection and anomaly detection are similar in that both compare available data against a reference, but misuse detection compares the data with known attack patterns, while anomaly detection compares the data with the normal pattern of data. The data available to these techniques comes from the host or the network.
There are various intrusion detection systems available. The most recent advancement in IDS is the agent-based system. An agent is any process, module or host that is capable of performing independent activities in its environment. In an agent-based system, a single agent is used for detecting intrusion. In a multi-agent system, multiple agents are used, and through them the intrusion detection process becomes distributed. Thus this system may also be called a distributed and cooperative intrusion detection system. In a multi-agent system, agents transfer intrusion-detection-related information between them. However, the information transferred between the agents could itself be attacked, so a need arises to secure the information being transferred between the agents.
Thus the main focus of our paper is to provide security to the information exchanged between the agents. The rest of the paper is organized as follows: the following section provides a literature review of intrusion detection systems. Section 3 describes the proposed system, i.e. secure MASID. Section 4 provides the implementation of secure MASID. Section 5 concludes the paper with a brief summary of the proposed work and some future work that could be done.
II. RELATED WORK
Depending upon the techniques and architectures, intrusion detection systems for MANET can be broadly classified into:
i) Standalone IDS: Standalone means individual, independent. In this type of IDS the detection process is carried out individually. No information is transferred between the nodes. Decisions are made individually by each node and there is no cooperation between the nodes.
ii) Distributed and cooperative IDS: In this type of IDS, nodes cooperate with each other by exchanging information regarding intrusion. Nodes are distributed and an IDS is installed on each host.
iii) Hierarchical IDS: In this type, the IDS is divided into multiple layers or clusters. Each cluster has a head or leader, known as the clusterhead, which has more responsibilities than the other members of the cluster, e.g. routing packets from one cluster to another.
iv) Agent-based system: Here the intrusion detection process is divided among a number of agents. Each agent performs only one specific task, and these agents are distributed across the nodes. Not every agent is assigned functions, which helps to reduce power consumption.
As described in [1], Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford and Diego Zamboni first introduced the concept of the autonomous agent in an architecture for intrusion detection using autonomous agents. An autonomous agent is a software agent that performs some security monitoring function at a host.
B.-C. Cheng and R.-Y. Tseng proposed an intrusion detection system known as the context adaptive intrusion detection system (CAIDS) [10]. Every system depends on some factors for its execution; this system considers energy when performing intrusion detection. First an IDS is installed on each system, and the intrusion detection process is carried out by checking the energy factor. A node performs the task only if it has enough energy to perform it.
However, for IDS in MANETs the nodes must be cooperative, and the nodes in this system are not cooperative.
Distributed and cooperative IDS overcomes the limitations of CAIDS. This system is designed using a region-based framework. There are two categories of nodes: region member nodes and gateway nodes. A gateway node is one which has a connection to a node in a neighboring region; otherwise it is called a region node.
It contains two major components: gateway intrusion detection (GID) and local intrusion detection (LID). Each node runs a LID, and only a subset of nodes runs GID.
N. Marchang and R. Datta proposed a hierarchical IDS which contains two algorithms, ADCLI and ADCLU. ADCLI is an algorithm for detection in a clique and ADCLU is an algorithm for detection in a cluster. A clique means a set of nodes. In both algorithms, the set of nodes exchanges messages during intrusion detection. The algorithms assume that a suspicious node will send wrong messages to other nodes. If a node is found to be malicious, the other nodes may choose to isolate it.
C. Ramachandran, S. Misra, and M. S. Obaidat [9] proposed FORK, a two-way strategy for intrusion detection. In the first strategy, nodes enter a bidding process for performing intrusion detection. Nodes are allowed to bid only if they have enough resources, and the nodes which win take part in the detection process. The second strategy is to build an ant colony algorithm based on the anomaly detection technique.
III. PROPOSED WORK
In this section we present secure MASID. The proposed work is a small extension to MASID, i.e. the multi-agent system for intrusion detection developed by Leila Mechtri, Fatiha Djemili Tolba and Salim Ghanemi. This system contains a number of agents for performing the detection process. Mainly there are three agents: the detection agent, the collaboration agent and the response agent.
The detection agent uses both techniques for detection purposes, i.e. misuse detection and anomaly detection. It is responsible only for the detection process. Next is the response agent, which provides an appropriate response when an intrusion occurs.
The third agent is the collaboration agent, which is responsible for exchanging messages between these two agents. However, an attacker may attack this agent, so in order to secure detection-related information we apply the AES algorithm to the collaboration agent, i.e. whatever information is transferred between the two agents is encrypted and decrypted by the AES algorithm.
[Figure: Detection agent ↔ Collaboration agent (AES algorithm) ↔ Response agent]
Fig 1. Secure MASID architecture
The figure shows the three agents mentioned in [13]. The AES algorithm is applied at the collaboration agent because it is the main point of communication for both the detection agent and the response agent. The information transferred between the two agents is encrypted at the detection agent and then decrypted at the response agent.
AES is a block cipher with a block length of 128 bits. AES allows for three different
key lengths: 128, 192, or 256 bits. Most of our discussion will assume that the key length is
128 bits. Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. Except for the last round in each case, all other
rounds are identical. Each round of processing includes one single-byte based substitution
step, a row-wise permutation step, a column-wise mixing step, and the addition of the round
key.
IV. IMPLEMENTATION
To implement secure MASID we have chosen the Java platform. First we implement all three agents and then apply AES to them. We have taken the KDD Cup database as input for implementing this system. This database contains the packet format which is used for detecting intrusion.
In the detection agent, we first specify the initial values of the parameters contained in the packet format. After taking the packet format as input, we apply the K-means algorithm for clustering. There are two clusters: the first is the intrusion (attackers) cluster and the other is the cluster of normal data. Clustering is done on the basis of trusted ports, i.e. we have set some ports from the database as trusted ports. If the port is not trusted we put the record into the attack cluster; otherwise we classify it as normal.
Along with clustering we also classify attacks as unknown or known. This is based on a condition: if the cluster size is greater than max intrusion (a variable), then it is an unknown attack; otherwise it is a known attack. Here we have set the value of max intrusion to 1000, as it is the optimum value.
[Flowchart: Packet format from KDD Cup database → Apply K-means algorithm → Check if it is attack → if attack: put it into attack cluster and inform other nodes; otherwise: put into normal cluster → STOP]
Fig 2. DETECTION AGENT
The response agent provides a response to known and unknown attacks, as stated earlier. When it is a known attack, we check the magnitude of the attack. Magnitude is calculated as
Magnitude = cluster size of intrusion detected / max intrusion
i.e. if the cluster size or number of intrusions is 900, compared to max intrusion the value of the attack magnitude will be 0.9, so we conclude that it is a highest-magnitude attack. Thus we create a rule-based system which answers what the magnitude of the attack is. If it is an unknown attack, we try to change the strategy, which means that we run the K-means algorithm once again.
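The detection and response rules of this section, written out in Java as an added example (not the authors' implementation). It applies the trusted-port split described in the text rather than running K-means; the trusted-port list, the sample traffic, the class and method names, and the use of 0.9 as the cutoff for "highest" are assumptions.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

public class AgentRules {
    static final int MAX_INTRUSION = 1000;                   // value given in the text
    static final Set<Integer> TRUSTED = Set.of(22, 80, 443); // assumed trusted ports

    // Detection agent: size of the attack cluster, i.e. packets aimed at untrusted ports.
    static int attackClusterSize(int[] dstPorts) {
        int size = 0;
        for (int port : dstPorts) {
            if (!TRUSTED.contains(port)) size++;
        }
        return size;
    }

    // Response agent: known/unknown decision and magnitude rule from the text.
    static String respond(int clusterSize) {
        if (clusterSize == 0) return "no attack cluster";
        if (clusterSize > MAX_INTRUSION) return "unknown attack: run K-means again";
        double magnitude = (double) clusterSize / MAX_INTRUSION;
        // Treating 0.9 as the cutoff for "highest" is an assumption based on the text's example.
        String band = magnitude >= 0.9 ? "highest" : "lower";
        return String.format(Locale.ROOT, "known attack, magnitude %.2f (%s)", magnitude, band);
    }

    // Builds constructed traffic: `trusted` packets to port 443, `untrusted` to port 9999.
    static int[] sampleTraffic(int trusted, int untrusted) {
        int[] ports = new int[trusted + untrusted];
        Arrays.fill(ports, 0, trusted, 443);
        Arrays.fill(ports, trusted, ports.length, 9999);
        return ports;
    }

    public static void main(String[] args) {
        // Four constructed cases: no attack, mid-size, the text's 900 example, over the limit.
        for (int untrusted : new int[] {0, 450, 900, 1200}) {
            int size = attackClusterSize(sampleTraffic(300, untrusted));
            System.out.println(size + " -> " + respond(size));
        }
    }
}
```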
V. CONCLUSION
In this paper we introduced a small modification to the existing work of [13] by providing additional security to the information transferred between the agents. Security is provided to the agents using the AES algorithm. We also discussed how we will implement our proposed work. Thus the main advantage of this system is that it provides one more level of security. One area of concern is what happens if the agents undergo a man-in-the-middle attack. Future work may be done in these directions.
REFERENCES
[1] R. Heady, G. Luger, A. Maccabe, and M. Servilla, “The architecture of a network level intrusion detection system,” Technical report, Computer Science Department, University of New Mexico, August 1990.
[2] M. Wooldridge and N. R. Jennings, “Intelligent agents: theory and practice,” Knowledge Engineering Review, October 1994.
[3] M. Wooldridge and N. R. Jennings, “Agent theories, architectures, and languages,” in Wooldridge and Jennings, eds., Intelligent Agents, Springer Verlag, 1995, pp. 1-22.
[4] Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni, “An Architecture for Intrusion Detection using Autonomous Agents,” COAST Technical Report 98/05, Jun. 1998.
[5] Y. Labrou, T. Finin, and Y. Peng, “The current landscape of Agent Communication Languages,” IEEE Intelligent Systems, vol. 14, number 2, March/April 1999.
[6] J. B. D. Cabrera et al., “Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - A Feasibility Study,” IEEE, 2001.
[7] Tiranuch Anantvalee and Jie Wu, “A Survey on Intrusion Detection in Mobile Ad Hoc Networks,” Wireless/Mobile Network Security, Y. Xiao, X. Shen, and D.-Z. Du (Eds.), Springer 2006, pp. 170-196.
[8] N. Marchang and R. Datta, “Collaborative techniques for intrusion detection in mobile ad-hoc networks,” Ad Hoc Networks, 6 (2008), pp. 508-523.
[9] C. Ramachandran, S. Misra, and M. S. Obaidat, “FORK: A novel two-pronged strategy for an agent-based intrusion detection scheme in ad-hoc networks,” Computer Communications 31 (2008), pp. 3855-3869.
[10] B.-C. Cheng and R.-Y. Tseng, “A Context Adaptive Intrusion Detection System for MANET,” Computer Communications, 2010.
[11] F. Abdel-Fattah, Z. Md. Dahalin, and S. Jusoh, “Distributed and cooperative hierarchical intrusion detection on MANETs,” International Journal of Computer Applications (0975-8887), Vol. 12, No. 5, Dec 2010, pp. 32-40.
[12] J.-H. Cho and I.-R. Chen, “Performance analysis of hierarchical group key management integrated with adaptive intrusion detection in mobile ad hoc networks,” Performance Evaluation 68 (2011), pp. 58-75.
[13] Leila Mechtri, Fatiha Djemili Tolba, Salim Ghanemi, “MASID: Multi-Agent System for Intrusion Detection in MANET,” IEEE 2012.
[14] S. B. Patil, S. M. Deshmukh, Dr. Preeti Patil and Nitin Chavan, “Intrusion Detection Probability Identification in Homogeneous System of Wireless Sensor Network,” International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 12-18, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375, Published by IAEME.
[15] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr. K. Anita Sheela, “Energy Efficient Intrusion Detection System For Wsn,” International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246-250, ISSN Print: 0976 – 6464, ISSN Online: 0976 – 6472, Published by IAEME.