Multi-agent heterogeneous intrusion detection system (MAHIDS) is a prototype proposed to detect untrusted and unusual network behaviour. The main contribution of the system is the integration of several anomaly detection techniques and machinery of multi-agent temporal logic with hybrid argumentation. Every detection technique is represented by featuring a speci c detection autonomous agent. In this stage, every agent determines the ow trustfulness from aggregated connection. The anomalies are used as an input for machinery of multiagent temporal logic which is represented by the logical agent. The logical agent is one of the system's advantages because it has huge capabilities for making a right decision about intrusions from detected anomalies. Another signi cant advantage of M-AHIDS is a new innovative agent { Web agent. The Web agent is capable to detect trusted host from his activity on web pages. The system M-AHIDS is based on tra c statistics in sFlow format acquired by network device with sFlow agent and is able to perform a real-time surveillance of the 10 Gb networks.
The number of users using internet and local networks is increasing every day. As a consequence, there are many threats of trying to have an access to private password, to data or to injure users by other ways. Fortunately, current generation of network devices allows a real-time scraping of structured snapshots of a tra c on the networks. This information is provided by various technologies. Two the mostly used technologies are the NetFlow format introduced by CISCO and the sFlow format. These technologies allow us to observe the individual ows on the network. A ow is an unidirectional component of TCP connection (or UDP/ICMP equivalent), de ned as a set of packets with identical source and destination IP addresses, ports and protocol, packed size, MAC addresses, switch ports, ags and more.
An information provided by NetFlow or sFlow can be used to detect a
network attack. The most frequent attacks on networks can be divided to three
main classes [
The protection of networks is, therefore, more than useful, if it is vital for long time. This problem requires the monitoring of real distributed hosts, the various events and exchanges between these hosts. It is necessary to use MAS due to the complexity of this problems.
The aim of this paper is to propose a multi-agent system for network intrusion
detection M-AHIDS. The main contribution of the M-AHIDS is the integration
of several anomaly detection techniques and machinery of multi-agent
temporal logic with hybrid negotiation. Every detection technique is represented by
featuring a speci c detection autonomous agent and every agent determines the
ow trustworthiness from aggregated connection. We took an inspiration for our
agents in project CAMNEP [
We have used another new approach for making decisions about intrusion from detection agent's knowledge base. For this propose we have used speci cally developed multi-agent temporal logic (MTL). The anomalies are used as an input for machinery of MTL which is represented by a logical agent. The logical agent is one of the system advantages because it has huge capabilities for making a right decision about the intrusions from detected anomalies. MTL allows us to collect knowledge from every detection agent from past to future. All detected intrusions are our past states in MTL and for the future states we will use the prediction methods from past and actual connections collection.
The most important contributions of our research presented in this paper are: Integration of the several anomaly detection techniques in a form of agent; Machinery of the multi-agent temporal logic; Hybrid negotiation with argumentation and immune cell inspiration; New innovative detection agent { Web agent which is able to detect a trustworthy host from his activity on the web pages. M-AHIDS is partially implemented and tested on our Department of Applied Informatics. Obtained results of M-AHIDS are comparable to another IDS.
The organization of the paper is as follows: in section 2 { overview of the existing solutions and approaches which we use; in section 3 { proposal of a detection system architecture; in section 4 { detailed description of all agents in M-AHIDS; in section 5 { overview of case study, tests and results. 2
Intrusion Detection System or IDS is software, hardware or combination of both
used to detect an intruder's activity. The base characteristics of IDS [
There are many IDS. Each of them has some advantage and disadvantage.
Their strengths or weaknesses depend mostly on how they recognizes the threats.
Two main approaches for detection intrusion are [
An advantage of behaviour-based IDS is an ability to detect new form of intrusion, but their disadvantage is a possibility of un-detection of small intrusion or intrusion hidden in normal behaviour. On the another side knowledge-based IDS has an advantage in low false-positive alert for well known intrusion and high success rate for this intrusion. Their disadvantage is a low probability of detection of new intrusion.
One of the best known knowledge-base IDS is Snort [
There are several behaviour-based IDS. One of the most complex solution
is CAMNEP[
One agent covers only one intrusion detection method and every agent separately evaluates every connection. Evaluating of connection means that agent compute score for the connection. Higher score indicates more suspicion behaviour. We have achieved more e ective structure with this approach, because we don't have redundant computation. Another positive e ect of this approach is that we know exactly how well which agent evaluates every connection.
Di erent interesting IDS for our research is the Multi-Agents Immune
System for Network Intrusions detection (MAISId) [
MAISId is a system that performs frames analyses by a group of immune agents collaboration. These agents are distributed on the network to achieve simultaneous treatments, and are auto-adaptable to the evolution of the environment and have also the property of communication and coordination in order to ensure a good detection of intrusions in a distributed network.
An advantage of this approach is that MAISId can generate many di erent patterns to recognise intrusion in network ow. A disadvantage is a possibility that the system throws away a pattern which can be useful in the future.
A biological inspiration from MAISId was useful also in our M-AHIDS. We have used the idea of the biological immune cells in two cases. The rst case of application is in the middle between the evaluation score from detection agent and the multi-agent temporal logic in logical agent. The second case of application is during negotiation among agents. The negotiation approaches are described bellow in this section. M-AHIDS has not created new agents for intrusion detection yet, but we are rating successfulness of our agent. This rating in uences weights in logical agent, which nally makes decision about the connection.
There are two major inconveniences of the existing IDS [
On the another side the intrusion detection system is e ective if it has the
following characteristics [
The negotiation is essential in settings where autonomous agents have
con icting interests and a desire to cooperate. For this reason, a mechanisms
in which the agents exchange the potential agreements according to the various
rules of interaction which have become very popular in recent years as evident,
for example, in the auction and mechanism design community[
There are basically 3 type of negotiation: Heuristic, Game-theoretic and Argumentation.
The heuristic-base approach can be a model for multi-issue negotiation
under time constraints in an incomplete information setting. An important
property of this model is the existence of a unique equilibrium [
The game-theoretic approach for negotiation can be used in an auction
[
The argumentation as negotiation is the most interesting approach for our
M-AHIDS. Argumentation works by constructing series of logical steps
(arguments) for and against propositions of interest and as such may be seen as an
extension of classical logic [
A formal mental model of the agents based on minimal-structure of possible
worlds (time lines) has been developed using modal operators for beliefs,
desires, intentions and goals having an appropriate set of properties in [
Diagram of M-AHIDS is shown in gure 2. M-AHIDS is based on Microsoft .net 4.5 framework and multi-vendor sampling technology sFlow. It originally runs on Microsoft server 2012. However, it can run also on Linux base operation system with mono project. M-AHIDS is implemented as multi-thread application which uses sFlow for receiving sFlow UDP datagrams. 3.1
sFlow
sFlow is a multi-vendor sampling technology embedded within switches and
routers. It provides the ability to continuously monitor application level
trafc ows at wire speed on all interfaces simultaneously. sFlow monitoring of
high-speed, routed and switched networks has the following properties [
M-AHIDS save approximately 10 minute window of received sFlow datagrams in SQLlite in-memory database. This technology of in-memory database enables to analyse a lot of received data very quickly. All detection agents work with this database and it is also an input to logical agent. 3.2
M-AHIDS network intrusion detection system is made as four layer system.
The rst layer contains in our case network 10Gb switch with sFlow agent. Switch can be replaced with another network device with sFlow agent. sFlow agent sends sFlow datagram to our IDS, which is also the sFlow collector.
The second layer contains sFlowTool and pre-processing agent. sFlowTool receives sFlow UDP datagrams. M-AHIDS reads encoded result from sFlowTool and important data saves to in-memory database. Nowadays we use these information from sFlow: `srcIP`, `dstIP`, `srcMAC`, `dstMAC`, `srcPort`, `dstPort`, `IPProtocol`, `sampledPacketSize`, `UDPBytes`, `TCPFlags`, `inPort`, `outPort` and `time`.
The third layer contains the detection agents. Every agent is implemented as an autonomy thread. The number of the actually active agents depends on the number of the cores in computer processor.
The forth layer contains logical agent, database with results and front-end for network administrator, which admin can use to correct the results. 4
As we mentioned in section 2, we have taken an inspiration for our agent in the
project CAMNEP [
The rst step after IDS receive sFlow datagram is pre-processing as can be seen on gure 2. For covering this function we implement a pre-processing agent. Our IDS is designed for a huge network tra c on 10Gb switch. For this reason, we must do some quick decisions, which connections are interesting (connection has www….uniba.sk <iframe> with scripts
PHP script JavaScripts Generation of web links for history detection
Col ected based fingerprint Java Applet for Java version FlashScript for font detection
CSS
De-anonymization database
Ajax Save history to SESSION n iitcauno m m tcuoO Network switch with sFlow
Network administrator
Disk storage result database sFlow tool
Cycle Inmemory database
Preprocessing n iitccaunnoomm De-adnaotnaybmasizeation I
Detection agent 1
Detection agent 2
Detection agent n Logical decision agent In-memory database probability of being a intrusion). Like the other mentioned IDS we do this with several rules. The rules de ne which source, destination, port and protocol or they combination are OK and they are not interesting for the detection agents. Administrator of network can de ne and edit these rules. 4.2
Nowadays we have tested 5 types of intrusion detection agents. Two of these agents have arguments suitable for speci cation. Using this, we get 11 intruder detection agents. Every detection agent evaluate every connection from preprocessing agent. This evaluation is a integer number. Higher number means more unusual behaviour.
Average agent computes average number of connections with same property (dscIP, srcIP, dscPort, srcPort).
Volume agent counts number of the connections which have a same property and which are connected to the connections which have another same property. Concretely, we map with this method srcIP to dstIP, dstIP to srcIP, srcIP to dstPort and dstIP to srcPort. All of these mappings are provided by separate agents, which are running parallelly.
Cluster agent is the most computationally hard agent. This agent computes normalization distance between each of the connections. Agents use dscIP, srcIP, dscPort, srcPort, dstMac, srcMac for distance computations.
Web agent is one of our new contribution for this area of research. Web agent uses the database of university web page's visitors and it compares IP address of web page visitor and IP address form sFlow. If IP address is in both databases, we can decide if behind connection there is some system or a real user and then we can determine intrusion score for the connection. To determine the connection, the visited pages are analysed. If web pages are systematically visited page by page, then this is done with high probability by some system. If same page is visited more than once in short time, then the visitor was with high probability a real human user. We have database of university web page visitors from our Internet users anonymity research [4{6].
Entropy agent captures degree of di usion or gathering of distribution of connection properties. This detection method is based on equation:
H(X) = PiN=1( nSi )log2( nSi ) where S = PN
i=1 ni and X is set of connection properties X = fn1; :::; nN g. 4.3
Logical agent makes nal decision about every connection and if this agent decides that this connection is intrusion, then agent inserts this connection to result disk storage database. Our logical agent is based on Multi-agent Temporal Logic MTL which we mentioned in section 2 and which we describe in subsubsection MTL in M-AHIDS below. This logic is developed especially for needs of M-AHIDS. The past states in MTL are from previous results, which are saved in permanent database. The future states will be computed by time series and Fourier transform. These future states are not implemented yet.
Logical agent has 3 important tasks. The rst is to build knowledge base from results of detection agent. In this stage, LA normalizes the results to real numbers from interval h0; 1i. Normalization uses network administrator's corrections and immune inspiration for updating DA trust weights. Trust weights are also real numbers from interval h0; 1i. Higher number means more trust for the agent.
After normalization, LA uses argumentation framework to negotiate nal decision { which connections are intrusions. We describe our argumentation framework in subsubsection Argumentation framework below. The last task for LA is to save results to permanently database.
MTL in M-AHIDS is one of the modal logics. Naturally, there are many approaches of how to build logical agents but we have decided for the multiagent temporal logic (MTL). We have chosen this logic, because it allows as to compare every detection agent in time. This property of the MTL we use to decide, which connections are nally the intrusion.
We de ne simple logic syntax because nowadays we use only small subset of possible power of MTL. There are many reasons for this choice. One of the most signi cant is real time running of computationally hard problems in IDS. However, it is strength enough for making correct nal decisions. Syntax of logic where is logic formula and p 2 prop is: ' ::= > j ? ' ::= p j :' ::= Fi' j Gi' j Pi'j Hi' ::= FA' j GA' j PA'j HA' Connectors Fi; Gi; Pi and Hi are temporal connectors for one agent ai 2 A and FA; GA; PA and HA are connectors for all agents. For every judge connection there is one atomic formula p which acts in M-AHIDS as a connection with normal behaviour. hM; s; ii j= > allways true hM; s; ii 2 ? never true hM; s; ii j= p i p 2 V (s) hM; s; ii j= :' i hM; si 2 ' hM; s; ii j= Fi' i 9s0(s i s0) : hM; s0; ii j= ' hM; s; ii j= Gi' i 8s0(s i s0) : hM; s0; ii j= ' hM; s; ii j= Pi' i 9s0(s0 i s) : hM; s0; ii j= ' hM; s; ii j= Hi' i 8s0(s0 i s) : hM; s0; ii j= ' hM; si j= FA' i 8i(ai 2 A) : hM; s0; ii j= Fi' hM; si j= GA' i 8i(ai 2 A) : hM; s0; ii j= Gi' hM; si j= PA' i 8i(ai 2 A) : hM; s0; ii j= Pi' hM; si j= HA' i 8i(ai 2 A) : hM; s0; ii j= Hi'
We de ne the model of MTL logic as triple M = hS A; f i: ai 2 Ag; V i, where: { S = fs1; s2; :::g is non-empty set of states { A = fa1; a2; :::g is non-empty set of agents { i S S is binary relation of pair (s; s0), which speci es from which state s can agent ai go to state s0. { V : S A ! }(prop) is evaluating function. Function sets for every pair (s; a) 2 S A, which atomic formula p 2 prop is true. This function re ects result of the DA and it uses value weight of the DA for encoding agent's normalise result in real number to boolean.
Semantic of connectors is shown in table 1.
The argumentation framework is one of the approaches for negotiation amongst agents. Nowadays, we use only very tiny framework which is de nitely not complete because the intrusion detection is very computationally hard and M-AHIDS must work parallel with network operation. But we are still optimizing it and we will also extend this argumentation framework.
The base of our argumentation is the binary relation 7 !. 7 ! 0 means that is stronger than 0. The logical formulas and 0 belong to 7 ! i both contain same the atomic formula p with a opposite value. That means that the two DAs have contradictorily results about trust of same the connection. For solving this contradiction we use this rules: Xi' : w 7 ! Xj ' : w0, Hi 7 ! Pj , Gi 7 ! Fj and if XA' then ' where X 2 fF; G; P; Hg and agent weights w > w0. 5
We have implemented M-AHIDS button up using several iterations, because the most important requirement on IDS is real time detection. After each iteration we did performance test and optimization. Nowadays we have the proposed intrusion detection system M-AHIDS partially implemented .
M-AHIDS is now running on sever based on Intel i7-4770S, 2x8GB 1600MHz DDR3 CL10 DIMM RAM, 1TB HDD and OS Windows 2012 server. sFlow agent is runnig on switch Zyxel GS1910-24.
We did not make a long time test, because the M-AHIDS is still in implementing and developing stage. However, we did some tests. During these tests, the system was supervised and it learnt usual network behaviour. After three day of learning we tested system for some attack as DOS, DDOS, Port Scans, BitTorrents (there are usually unwanted in department network) and Malwares.
In the gure 3 detection of port scan anomaly can be seen . The SrcIP gure shows the relation between the number of unique source IP address and the number of all source IP address in time. The DstPort gure shows the relation between the number of unique destination ports and the number of all destination ports. Red point highlights time when anomaly was executed. In the next gure 4 exploit cluster pro le can be seen, because the most of the connections are located in two clusters with the small diameter. This gure shows partial (just 3 dimension space) result from cluster agent.
The table 2 shows a false positive rate of the agents. We tested M-AHIDS during usual week network operation. Every anomaly was sent 100 times and with these anomalies we sent same number of connections with similar properties as sent anomalies. During these tests we got 3 percent false negative detections. 6
In this paper we have presented a proposal of a system for detection intrusions in a network. The most important system features of developed and partially implemented M-AHIDS are integration of the several anomaly detection techniques in a form of agent, machinery of a multi-agent temporal logic, hybrid negotiation with argumentation and immune cell inspiration and last but not least new innovative Web agent which is able to detect trustworthy host from his activity on web pages. This agent is based on our previous research which is deployed on all web pages of Comenius University for one and half year.
When we set the system to pass about 3 percent false negatives in the
normal connections then we got 36 percent false positives in malicious connections,
what is satisfaction result because project CAMNEP [
M-AHIDS is still in developing state. However, we have implemented the most of the presented features of M-AHIDS. Only one important feature we have not implemented yet { prediction of a normal network behaviour from the collected data.
As a next step we would like to implement the rest of the features to MAHIDS, to optimize the already implemented features and to provide more and longer tests.