
    Preemptive distributed intrusion detection using mobile agents.

    by Chan Pui Chung. Thesis (M.Phil.), Chinese University of Hong Kong, 2002. Includes bibliographical references (leaves [56]-[61]). Abstracts in English and Chinese.

    Contents:
    Chapter 1  Introduction
        1.1  The Trends
        1.2  What this Thesis Contains
    Chapter 2  Background
        2.1  Computer Security
        2.2  Anti-intrusion Techniques
        2.3  The Need for Intrusion Detection System
        2.4  Intrusion Detection System Categorization
            2.4.1  Network-based vs. Host-based
            2.4.2  Anomaly Detection vs. Misuse Detection
            2.4.3  Centralized vs. Distributed
        2.5  Agent-based IDS
        2.6  Mobile agent-based IDS
    Chapter 3  Survey on Intrusion Step
        3.1  Introduction
        3.2  Getting information before break in
            3.2.1  Port scanning
            3.2.2  Sniffing
            3.2.3  Fingerprinting
        3.3  Intrusion method
            3.3.1  DOS and DDOS
            3.3.2  Password cracking
            3.3.3  Buffer overflows
            3.3.4  Race Condition
            3.3.5  Session Hijacking
            3.3.6  Computer Virus
            3.3.7  Worms
            3.3.8  Trojan Horse
            3.3.9  Social Engineering
            3.3.10  Physical Attack
        3.4  After intrusion
            3.4.1  Covering Tracks
            3.4.2  Back-doors
            3.4.3  Rootkits
        3.5  Conclusion
    Chapter 4  A Survey on Intrusion Detection System
        4.1  Introduction
        4.2  Information Source
            4.2.1  Host-based Source
            4.2.2  Network-based Source
            4.2.3  Out-of-band Source
            4.2.4  Data Fusion from multiple sources
        4.3  Detection Technology
            4.3.1  Intrusion signature
            4.3.2  Threshold Detection
            4.3.3  Statistical Analysis
            4.3.4  Neural Network
            4.3.5  Artificial Immune System
            4.3.6  Data Mining
            4.3.7  Traffic Analysis
        4.4  False Alarm Rate
        4.5  Response
        4.6  Difficulties in IDS
            4.6.1  Base Rate Fallacy
            4.6.2  Denial of Service Attack against IDS
            4.6.3  Insertion and Evasion attack against the Network-Based IDS
        4.7  Conclusion
    Chapter 5  Preemptive Distributed Intrusion Detection using Mobile Agents
        5.1  Introduction
        5.2  Architecture Design
            5.2.1  Overview
            5.2.2  Agents involved
            5.2.3  Clustering
        5.3  How it works
            5.3.1  Pseudo codes of operations
        5.4  Advantages
        5.5  Drawbacks & Possible Solutions
        5.6  Other Possible Mode of Operation
        5.7  Conclusion
    Chapter 6  Conclusion
    A Paper Derived from this Thesis
    Bibliography

    MA-IDS Architecture for Distributed Intrusion Detection using Mobile Agent


    A Multi Agent System for Flow-Based Intrusion Detection

    The detection and elimination of threats to cyber security is essential for system functionality, protection of valuable information, and preventing costly destruction of assets. This thesis presents a Mobile Multi-Agent Flow-Based IDS called MFIREv3 that provides network anomaly detection of intrusions and automated defense. This version of the MFIRE system includes the development and testing of a Multi-Objective Evolutionary Algorithm (MOEA) for feature selection that provides agents with the optimal set of features for classifying the state of the network. Feature selection provides separable data points for the selected attacks: Worm, Distributed Denial of Service, Man-in-the-Middle, Scan, and Trojan. This investigation develops three techniques of self-organization for multiple distributed agents in an intrusion detection system: Reputation, Stochastic, and Maximum Cover. These three movement models are tested for effectiveness in locating good agent vantage points within the network to classify the state of the network. MFIREv3 also introduces the design of defensive measures to limit the effects of network attacks. Defensive measures included in this research are rate-limiting and elimination of infected nodes. The results of this research provide an optimistic outlook for flow-based multi-agent systems for cyber security. The impact of this research illustrates how feature selection in cooperation with movement models for multi-agent systems provides excellent attack detection and classification.

    Based on Regular Expression Matching of Evaluation of the Task Performance in WSN: A Queue Theory Approach

    Wireless sensor networks suffer from limited resources, inefficient real-time communication scheduling, and weak security, among other problems. To address this, a queuing performance evaluation approach based on regular expression matching is proposed; it consists of a matching preprocessing phase, a validation phase, and a queuing-model performance evaluation phase. First, the preprocessing phase generates the subset of related sequences that guides distributed matching in the validation phase. Second, the validation phase clusters the feature subset into a compressed matching table that is better suited to distributed parallel matching. Finally, the dynamic task-scheduling performance of the sensor network is evaluated with the queuing model. Experiments show that the approach ensures accurate matching and a computational efficiency of more than 70%; it not only effectively performs packet detection and access control, but also uses the queuing method to determine the task-scheduling parameters of the wireless sensor network. The method applies well to medium-scale and large-scale distributed wireless nodes.

    A Strategic Review of Existing Mobile Agent-Based Intrusion Detection Systems


    Wireless Sensor Networks for Fire Detection and Control

    Due to current technological progress, the manufacturing of tiny and low-price sensors has become technically and economically feasible. Sensors can measure physical surroundings related to the environment and convert them into an electric signal. A huge quantity of these disposable sensors is networked to detect and monitor fire. This paper provides an analysis of the utilisation of wireless sensor networks for fire detection and control.

    From Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions

    In the past few decades, the rise in attacks on communication devices in networks has resulted in a reduction of network functionality, throughput, and performance. To detect and mitigate these network attacks, researchers, academicians, and practitioners developed Intrusion Detection Systems (IDSs) with automatic response systems. The response system is considered an important component of an IDS, since without a timely response IDSs may not function properly in countering various attacks, especially on a real-time basis. To respond appropriately, IDSs should select the optimal response option according to the type of network attack. This research study provides a complete survey of IDSs and Intrusion Response Systems (IRSs) on the basis of our in-depth understanding of the response option for different types of network attacks. Knowledge of the path from IDS to IRS can assist network administrators and network staff in understanding how to tackle different attacks with state-of-the-art technologies.

    A New Approach for DDoS attacks to discriminate the attack level and provide security for DDoS nodes in MANET

    Mobile Ad Hoc Networks (MANETs) enable mobile hosts to form a communication network without a pre-existing infrastructure. In military applications a mobile ad hoc network plays an essential role, since it is specifically designed for on-demand requirements and for situations where setting up a physical network is not possible. Although it provides high flexibility, it also brings more challenges for MANETs in defending against malicious attacks. However, the properties of mobility and redundancy also inspire new ideas for designing defense strategies. In this paper, we propose a strategy to mitigate DDoS attacks in MANETs. Assume that a malicious attacker usually targets particular victims. The attacker will give up if the attack fails to achieve the desired goals after a certain length of attacking time. In our protection scheme, we exploit the high redundancy and select a protection node. Once a DDoS attack has been identified, the suspicious traffic is diverted to the protection node. The victim continues to operate normally, and it is reasonable to expect that the attacker will stop the futile attempts. Through intensive simulation experiments using NS-2, we have verified the effectiveness of our approach and assessed the cost and overhead of the scheme.