
    Distributed Detection of DDoS Attacks During the Intermediate Phase Through Mobile Agents

    A Distributed Denial of Service (DDoS) attack is a large-scale, coordinated attack on the availability of a victim system's services, launched indirectly through many compromised computers on the Internet. Intrusion detection systems are network security tools that process local audit data or monitor network traffic to search for specific patterns or for deviations from expected behavior that indicate malicious activity against the protected network. In this study we propose distributed intrusion detection methods for detecting DDoS attacks in a special dataset and test them in a simulated real-time environment in which the mobile agents are synchronized with the timestamps stated in the dataset. All of our methods use the alarms generated by Snort, a signature-based network intrusion detection system. The methods run the mobile agents on the JADE platform in order to reduce network bandwidth usage and to decrease dependency on the central unit, for higher reliability. The methods are compared on reliability, network load and mean detection time.
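As an added illustration (not code from the paper above), the following Python script shows the mechanics the abstract describes: an agent beside each Snort sensor parses alert_fast lines and keeps only a sliding window of distinct attacking sources per victim, and an aggregator declares a DDoS once the sources reported by all agents reach a threshold, timing the detection from the first alarm against that victim. The replay is ordered by the alarm timestamps rather than the wall clock, as the paper's agents are synchronized to the dataset clock. The sample alarms, the local rule sid 1000001, the 10-second window and the three-source threshold are constructed assumptions, not values from the study.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a Snort "alert_fast" line:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line, year=2024):
    """Parse one alert_fast line (the format carries no year); None if not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


class SensorAgent:
    """Stands in for one mobile agent next to a Snort sensor. It keeps a sliding window
    of (timestamp, source) pairs per victim and hands the aggregator only a summary,
    so the raw alarm stream never crosses the network."""

    def __init__(self, name, window_s=10):
        self.name = name
        self.window = timedelta(seconds=window_s)
        self._alarms = defaultdict(deque)   # victim ip -> deque[(ts, src)]

    def _trim(self, dst, now):
        q = self._alarms[dst]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, alert):
        self._alarms[alert["dst"]].append((alert["ts"], alert["src"]))
        self._trim(alert["dst"], alert["ts"])

    def sources_for(self, dst, now):
        """Distinct attacking sources seen against dst in the window ending at now."""
        self._trim(dst, now)
        return {src for _, src in self._alarms[dst]}


def replay(tagged_lines, sensors, min_sources=3):
    """Replay (sensor_name, alert_fast line) pairs in alarm-timestamp order. A DDoS
    against a victim is declared when the distinct sources reported by all sensors
    reach min_sources; detection time is measured from the first alarm on that victim.
    Returns {victim: {'detected_at', 'detection_time_s', 'sources'}}."""
    by_name = {s.name: s for s in sensors}
    events = []
    for sensor_name, line in tagged_lines:
        a = parse_alert(line)
        if a is not None:
            events.append((a["ts"], sensor_name, a))
    events.sort(key=lambda e: e[0])

    first_seen, detections = {}, {}
    for ts, sensor_name, a in events:
        by_name[sensor_name].observe(a)
        first_seen.setdefault(a["dst"], ts)
        if a["dst"] in detections:
            continue
        sources = set()
        for s in sensors:            # aggregation: union of the per-sensor summaries
            sources |= s.sources_for(a["dst"], ts)
        if len(sources) >= min_sources:
            detections[a["dst"]] = {
                "detected_at": ts,
                "detection_time_s": (ts - first_seen[a["dst"]]).total_seconds(),
                "sources": sources,
            }
    return detections


def _alert_line(ts, src, dst):
    """Build a constructed alert_fast line; sid 1000001 is a hypothetical local rule."""
    return (f"{ts}  [**] [1:1000001:1] LOCAL flood to victim [**] "
            f"[Classification: Attempted Denial of Service] [Priority: 2] {{ICMP}} {src} -> {dst}")


# Constructed sample: three sources hit 192.168.1.10 within 2.25 s (seen by two sensors);
# 192.168.1.20 only ever has two sources inside any 10 s window, so it is not flagged.
SAMPLE = [
    ("sensor-A", _alert_line("01/14-10:00:00.000000", "10.0.0.1", "192.168.1.10")),
    ("sensor-A", _alert_line("01/14-10:00:01.500000", "10.0.0.2", "192.168.1.10")),
    ("sensor-B", _alert_line("01/14-10:00:02.250000", "10.0.0.3", "192.168.1.10")),
    ("sensor-B", _alert_line("01/14-10:00:03.000000", "10.0.0.3", "192.168.1.10")),
    ("sensor-A", _alert_line("01/14-10:00:05.000000", "10.0.0.9", "192.168.1.20")),
    ("sensor-A", _alert_line("01/14-10:00:30.000000", "10.0.0.8", "192.168.1.20")),
    ("sensor-B", _alert_line("01/14-10:00:31.000000", "10.0.0.7", "192.168.1.20")),
]


def demo():
    sensors = [SensorAgent("sensor-A"), SensorAgent("sensor-B")]
    return replay(SAMPLE, sensors)


if __name__ == "__main__":
    for victim, d in demo().items():
        print(f"DDoS on {victim} after {d['detection_time_s']}s from {sorted(d['sources'])}")
```

Only the per-victim source sets travel to the aggregator, which is the bandwidth saving the abstract attributes to mobile agents; the window trimming in sources_for is what stops stale alarms from one sensor being counted after another sensor's fresh alarm arrives.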

    Cooperative Trust Framework for Cloud Computing Based on Mobile Agents

    Cloud computing opens the door to multiple, virtually unlimited venues, from elastic computing to on-demand provisioning and dynamic storage, reducing potential costs through optimized and efficient computing. Providing secure and reliable services in a cloud computing environment is an important issue, and one part of it is how to reduce the impact of any type of intrusion in this environment. To counter such attacks, a framework combining a cooperative Hybrid Intrusion Detection System (Hy-IDS) with mobile agents is proposed. The hybrid IDS is built from two types of IDS: the first detects attacks at the level of the virtual machines (VMs), the second performs network attack detection, and both are served by mobile agents. The framework then unfolds in three phases: first, intrusion detection in the virtual environment, with mobile agents collecting the malicious data; second, generation of new signatures from the malicious data collected in the first phase; third, dynamic deployment of updates between clusters in the cloud using the newly created signatures. Through this kind of closed-loop control, the collaborative network security management system can identify and address new distributed attacks more quickly and effectively. In this paper we develop a collaborative approach based on Hy-IDS and mobile agents in a cloud environment to define a dynamic context that enables the detection of new attacks in as much detail as possible.

    An Interactive Distributed Simulation Framework With Application To Wireless Networks And Intrusion Detection

    In this dissertation we describe WINDS, the portable, open-source distributed simulation framework we have developed for simulating wireless network infrastructures. We present the framework's modular architecture and apply it to studies of mobility pattern effects, routing and intrusion detection mechanisms in simulations of large-scale wireless ad hoc, infrastructure, and fully mobile networks. Distributed simulations within the framework execute seamlessly and transparently to the user on a symmetric multiprocessor cluster or on a network of computers, with no modifications to the code or user objects. A visual graphical interface precisely depicts simulation object states and interactions throughout execution, giving the user full control over the simulation in real time. The framework detects the network configuration and takes communication latency into account when dynamically adjusting the simulation clock, allowing the simulation to run on a heterogeneous computing system; it is easily extensible to multi-cluster systems and computing grids. An entire simulation system can be constructed in a short time from user-created and user-supplied components, including mobile nodes, base stations, routing algorithms, traffic patterns and other objects. These objects are automatically compiled and loaded by the simulation system and are available for dynamic injection into a simulation at runtime. Using the framework, we have studied modern intrusion detection systems (IDS) and assessed the applicability of existing intrusion detection techniques to wireless networks. We have developed a mobile agent-based IDS targeting mobile wireless networks and introduced load-balancing optimizations aimed at resource-limited systems to improve intrusion detection performance. The packet-based monitoring agents of our IDS employ a case-based reasoner (CBR) engine that performs fast lookups of network packets against the existing Snort rule set. Experiments used the intrusion data from the MIT Lincoln Laboratory studies and were executed on a cluster computer using our distributed simulation system.

    Distributed intrusion detection for secure cooperative multi–agent systems

    In this thesis we propose a solution to the problem of detecting intruders in an open set of cooperative agents. An agent can perform a finite set of maneuvers and is modeled as a hybrid system whose state has a continuous part and a discrete part, representing the agent's physical evolution and its logical variables, respectively. Each agent plans its behavior and chooses the appropriate maneuver by following a common set of shared rules designed to ensure the safety of the entire system. Since the number of agents is unknown, and since each agent has limited knowledge of its neighborhood, agents can decide only on the basis of their own position and the configuration of a limited number of surrounding agents; such a planning strategy is said to be decentralized. The proposed solution is an Intrusion Detection System (IDS) based on a decentralized monitoring strategy, performed by identical local monitor modules running on board each agent. The module evaluates the behavior of neighboring agents by estimating the occurrence of the logical events described in the shared rule set. Because each monitor has only a limited view of its neighbors, it can in many cases remain uncertain about whether a monitored agent is behaving correctly. To resolve this, we developed a distributed consensus algorithm that introduces communication between agents and thereby enhances the intrusion detection capability of the individual monitors. The effectiveness of the solution is demonstrated by in-depth simulations and a theoretical proof that the consensus algorithm converges.

    Use Trust Management Framework to Achieve Effective Security Mechanisms in Cloud Environment

    Cloud computing is Internet-based computing in which shared virtual servers provide software, infrastructure, platform and other resources to customers on a pay-as-you-use basis. It is becoming increasingly popular as many enterprise applications and data move onto cloud platforms. However, with the enormous use of the cloud the probability of intrusion also increases, and there is a major need to bring security, transparency and reliability to the cloud model for client satisfaction. One of the security issues is how to reduce the impact of any type of intrusion in this environment. To address it, this paper proposes a security solution: a collaborative framework between our Hybrid Intrusion Detection System (Hy-IDS), based on mobile agents, and virtual firewalls. The hybrid IDS consists of three types of IDS, namely IDS-C, IDS-Cr and IDS-M, dispatched over the three layers of the cloud. In the first layer, IDS-C uses mobile agents to collect, analyze and detect malicious data. In case of attack, all malicious data detected in the first layer is collected at the second layer, where IDS-Cr, which is based on a Signature Generation Algorithm (SGA) and a network intrusion detection system (NIDS), generates new signatures. Finally, through an IDS-M placed in the third layer, the new signatures are used to update the NIDS database of IDS-Cr, and then the NIDS databases of the IDS-Cr in neighboring clusters together with their IDS-C. Hardware firewalls cannot control communication between virtual machines on the same hypervisor: they are blind to virtual traffic. Virtual firewalls, by contrast, are mostly deployed at the Virtual Machine Monitor (VMM) level under the cloud provider's control. Equally, the mobile agents play an important role in this collaboration: the framework uses them to investigate hosts, to transfer malicious data and to transfer database updates to neighboring IDS in the cloud. With this technique, the neighboring IDS use the new signatures to protect their own area of control against the same type of attack. Through this kind of closed-loop control, the collaborative network security management framework can identify and address new distributed attacks more quickly and effectively.
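Phases two and three of the framework, generating a signature from the collected malicious data and propagating it to neighboring clusters (described both in this abstract and in the Cooperative Trust Framework abstract above), as an added Python example that is not code from either paper. Neither paper specifies its Signature Generation Algorithm; here it is assumed to be the longest byte string common to every malicious payload that never occurs in a benign corpus, emitted as a Snort content rule. The HTTP payloads, the cluster names and the sid range starting at 1000001 are constructed for the example.

```python
def generate_signature(malicious, benign=(), min_len=8):
    """Assumed stand-in for the SGA: longest byte string present in every malicious
    payload and absent from every benign payload (the benign check guards against
    learning a signature that would fire on normal traffic). Returns bytes or None."""
    if not malicious:
        return None
    shortest = min(malicious, key=len)
    for length in range(len(shortest), min_len - 1, -1):      # longest candidates first
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in p for p in malicious) and not any(cand in b for b in benign):
                return cand
    return None


def to_snort_rule(content, sid, msg, proto="tcp", dport="any"):
    """Emit a Snort rule; the content is written in |hex| form so no byte needs escaping."""
    hexed = " ".join(f"{b:02X}" for b in content)
    return (f'alert {proto} any any -> $HOME_NET {dport} '
            f'(msg:"{msg}"; content:"|{hexed}|"; sid:{sid}; rev:1;)')


class SignatureDB:
    """NIDS rule store of one cluster. Entries are keyed by content, so a signature that
    is delivered twice is a no-op, and every store assigns sids from its own counter,
    because sids must be unique per sensor and clusters must not collide."""

    def __init__(self, name, first_sid=1000001):
        self.name = name
        self.rules = {}             # content bytes -> {"msg": str, "rule": str}
        self._next_sid = first_sid

    def install(self, content, msg):
        """Returns True if the signature was new to this store."""
        if content in self.rules:
            return False
        self.rules[content] = {"msg": msg, "rule": to_snort_rule(content, self._next_sid, msg)}
        self._next_sid += 1
        return True

    def learn(self, malicious, benign=(), msg="LOCAL learned signature"):
        """Phase two: turn collected malicious data into a new signature and store it.
        Returns the rule text, or None when no usable common content exists."""
        content = generate_signature(malicious, benign)
        if content is None:
            return None
        self.install(content, msg)
        return self.rules[content]["rule"]


def propagate(source, neighbors):
    """Phase three: push every signature of source to the neighboring clusters.
    Returns how many installs were actually new, so a repeated run returns 0."""
    installed = 0
    for db in neighbors:
        for content, entry in source.rules.items():
            if db.install(content, entry["msg"]):
                installed += 1
    return installed


# Constructed sample data: three requests to the same malicious CGI script with different
# commands, plus benign requests that share the "/cgi-bin/" prefix and the HTTP framing.
MALICIOUS = [
    b"GET /cgi-bin/evil.sh?cmd=id HTTP/1.1\r\nHost: a\r\n",
    b"GET /cgi-bin/evil.sh?cmd=whoami HTTP/1.1\r\nHost: b\r\n",
    b"HEAD /cgi-bin/evil.sh?cmd=ls HTTP/1.0\r\nHost: c\r\n",
]
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: a\r\n",
    b"GET /cgi-bin/status HTTP/1.1\r\nHost: d\r\n",
]


def demo():
    cluster1 = SignatureDB("cluster-1")
    rule = cluster1.learn(MALICIOUS, BENIGN, msg="LOCAL cgi-bin evil.sh command injection")
    neighbors = [SignatureDB("cluster-2"), SignatureDB("cluster-3")]
    first = propagate(cluster1, neighbors)
    second = propagate(cluster1, neighbors)     # idempotent: nothing new the second time
    return rule, first, second


if __name__ == "__main__":
    rule, first, second = demo()
    print(rule)
    print(f"new installs: first run {first}, second run {second}")
```

The benign corpus is the check a practitioner would insist on before auto-deploying a learned rule: without it the longest common substring of three HTTP requests is as likely to be " HTTP/1." as the attack path, and the propagated rule would alert on every request in every neighboring cluster.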

    Preemptive distributed intrusion detection using mobile agents.

    by Chan Pui Chung. Thesis (M.Phil.)--Chinese University of Hong Kong, 2002. Includes bibliographical references (leaves 56-61). Abstracts in English and Chinese.
    Chapter 1 Introduction
        1.1 The Trends
        1.2 What this Thesis Contains
    Chapter 2 Background
        2.1 Computer Security
        2.2 Anti-intrusion Techniques
        2.3 The Need for Intrusion Detection System
        2.4 Intrusion Detection System Categorization
            2.4.1 Network-based vs. Host-based
            2.4.2 Anomaly Detection vs. Misuse Detection
            2.4.3 Centralized vs. Distributed
        2.5 Agent-based IDS
        2.6 Mobile agent-based IDS
    Chapter 3 Survey on Intrusion Step
        3.1 Introduction
        3.2 Getting information before break in
            3.2.1 Port scanning
            3.2.2 Sniffing
            3.2.3 Fingerprinting
        3.3 Intrusion method
            3.3.1 DOS and DDOS
            3.3.2 Password cracking
            3.3.3 Buffer overflows
            3.3.4 Race Condition
            3.3.5 Session Hijacking
            3.3.6 Computer Virus
            3.3.7 Worms
            3.3.8 Trojan Horse
            3.3.9 Social Engineering
            3.3.10 Physical Attack
        3.4 After intrusion
            3.4.1 Covering Tracks
            3.4.2 Back-doors
            3.4.3 Rootkits
        3.5 Conclusion
    Chapter 4 A Survey on Intrusion Detection System
        4.1 Introduction
        4.2 Information Source
            4.2.1 Host-based Source
            4.2.2 Network-based Source
            4.2.3 Out-of-band Source
            4.2.4 Data Fusion from multiple sources
        4.3 Detection Technology
            4.3.1 Intrusion signature
            4.3.2 Threshold Detection
            4.3.3 Statistical Analysis
            4.3.4 Neural Network
            4.3.5 Artificial Immune System
            4.3.6 Data Mining
            4.3.7 Traffic Analysis
        4.4 False Alarm Rate
        4.5 Response
        4.6 Difficulties in IDS
            4.6.1 Base Rate Fallacy
            4.6.2 Denial of Service Attack against IDS
            4.6.3 Insertion and Evasion attack against the Network-Based IDS
        4.7 Conclusion
    Chapter 5 Preemptive Distributed Intrusion Detection using Mobile Agents
        5.1 Introduction
        5.2 Architecture Design
            5.2.1 Overview
            5.2.2 Agents involved
            5.2.3 Clustering
        5.3 How it works
            5.3.1 Pseudo codes of operations
        5.4 Advantages
        5.5 Drawbacks & Possible Solutions
        5.6 Other Possible Mode of Operation
        5.7 Conclusion
    Chapter 6 Conclusion
    A Paper Derived from this Thesis
    Bibliography

    LnaCBR: Case-Based Reasoning Architecture for Intrusion Detection to Learning New Attacks

    The agents used in intrusion detection architectures have several characteristics, namely delegation, cooperation and communication. However, an important property of agents, learning, is not used. In existing IDSs the concept of learning is generally applied to learning the normal behavior of the system to be secured: normal profiles are built in a dedicated training phase and then compared with the current activity. Thus the IDS does not have the ability to detect new attacks. In this paper we propose a new multi-agent-system (MAS) based intrusion detection architecture that adds the ability to learn abnormal behaviors corresponding to new attack patterns. Thanks to this feature, the knowledge base of attacks is updated whenever a new attack plan is discovered. To learn a new attack, the architecture must first detect it and then update the base of attack patterns. For the detection step, the adopted approach is based on the technique of Case-Based Reasoning (CBR). The proposed architecture thus follows a hierarchical and distributed strategy in which the functions are structured and separated into layers.
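The CBR cycle behind such an architecture, as an added Python example that is not the LnaCBR code: retrieve the nearest stored case, reuse its label only when the similarity clears a threshold, and otherwise flag the behavior as unknown so that, once confirmed as an attack, it is retained as a new case and recognized the next time. The four traffic features, the seed cases, the similarity measure and the 0.8 threshold are assumptions made for this example.

```python
import math

# Assumed features, each a rate already scaled to [0, 1]; the seed case base is constructed.
FEATURES = ("syn_rate", "distinct_ports", "bytes_per_conn", "failed_logins")

SEED_CASES = [
    ("normal",      (0.05, 0.02, 0.30, 0.00)),
    ("port_scan",   (0.20, 0.95, 0.05, 0.00)),
    ("syn_flood",   (0.98, 0.10, 0.02, 0.00)),
    ("brute_force", (0.10, 0.02, 0.10, 0.90)),
]


def similarity(a, b):
    """1.0 for identical vectors, 0.0 at the far corner of the unit hypercube."""
    d = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return 1.0 - d / math.sqrt(len(a))


class CaseBase:
    def __init__(self, cases, threshold=0.8):
        self.cases = [(label, tuple(f)) for label, f in cases]
        self.threshold = threshold
        self._new_attacks = 0

    def retrieve(self, query):
        """RETRIEVE: the stored (label, features) case most similar to the query."""
        return max(self.cases, key=lambda c: similarity(query, c[1]))

    def classify(self, query):
        """REUSE the nearest case's label only if it is similar enough; otherwise the
        behavior is abnormal and unknown, i.e. a candidate new attack pattern."""
        label, feats = self.retrieve(query)
        sim = similarity(query, feats)
        if sim >= self.threshold:
            return {"label": label, "similarity": sim, "known": True}
        return {"label": None, "similarity": sim, "known": False, "nearest": label}

    def retain(self, query, label=None):
        """REVISE/RETAIN: once an analyst or a supervising agent confirms the unknown
        behavior is an attack, store it under a (generated) label. A case already
        covered by an equally labelled, sufficiently similar case is not duplicated."""
        if label is None:
            self._new_attacks += 1
            label = f"new_attack_{self._new_attacks}"
        for stored_label, feats in self.cases:
            if stored_label == label and similarity(query, feats) >= self.threshold:
                return None
        self.cases.append((label, tuple(query)))
        return label


def demo():
    """Known attack recognized; novel pattern flagged, learned, then recognized."""
    cb = CaseBase(SEED_CASES)
    q_known = (0.95, 0.12, 0.03, 0.00)    # close to the stored syn_flood case
    q_new = (0.50, 0.50, 0.50, 0.50)      # resembles nothing in the base
    q_repeat = (0.52, 0.49, 0.50, 0.51)   # same attack seen again later
    first = cb.classify(q_known)["label"]
    unknown = cb.classify(q_new)["known"]
    learned = cb.retain(q_new)            # confirmed as an attack, retained
    second = cb.classify(q_repeat)["label"]
    return first, unknown, learned, second


if __name__ == "__main__":
    print(demo())
```

The threshold is the knob that separates the two failure modes: set too low, an unseen attack is silently reused as its nearest known label; set too high, small variations of a known attack are all reported as new and the case base fills with near-duplicates, which is why retain refuses to add a case already covered under the same label.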