=Paper=
{{Paper
|id=Vol-1755/227-233
|storemode=property
|title=Modeling an Enhanced Intrusion Detection System Using Mobile Agent: A Methodological Framework
|pdfUrl=https://ceur-ws.org/Vol-1755/227-233.pdf
|volume=Vol-1755
|authors=Isah Olawale Mustapha,Rasheed Gbenga Jimoh
|dblpUrl=https://dblp.org/rec/conf/cori/MustaphaJ16
}}
==Modeling an Enhanced Intrusion Detection System Using Mobile Agent: A Methodological Framework==
Isah Olawale Mustapha, Al_Hikmah University, Ilorin, Nigeria, salnet2002@yahoo.com
R. G. Jimoh, University of Ilorin, Ilorin, Nigeria, jimoh_rasheed@yahoo.com

ABSTRACT
Increasing demand by all and sundry for the internet and shared networks has driven the development of various network technologies that link together people with different motives; consequently, it has paved the way for malicious and unauthorized users to intrude into the information resources of organizations. Building on the advantages of the layered framework and of the signature-based approach proposed by a number of earlier researchers, this research proposes a hybridized framework that uses two comparators for the detection of intrusion, with a secured, collaborative and optimum number of mobile agents. If implemented, the framework is expected to be more efficient with respect to time of detection, storage space and reduction of network congestion.

CCS Concepts
• Security and privacy ➝ Intrusion/anomaly detection and malware mitigation ➝ Intrusion Detection Systems

Keywords
Intrusion, Intrusion Detection System, Mobile Agent, Dijkstra Algorithm.

1. INTRODUCTION
Most companies, institutions and organizations today rely on information for decision making [4]. Hence, other things being equal, the efficiency of any organization today depends on how well it can secure its information resources, especially through the use of computer systems [30]. Apart from that, a computer system also responds to issues based on the available resources and the information that is presented to it [5]. Moreover, resource and information sharing are the two primary objectives of setting up a computer network; such information and resources are a major factor in attaining and sustaining competitive advantage in the emerging information-driven organizations [16].

This, among other factors, led the world into ubiquitous computing, with e-banking, e-commerce, e-messages, e-training and so on as its dividend. This, however, does not come without its challenges, as it has equally paved the way for intruders and unauthorized users to gain undue access to sensitive information [17].

A number of previous researchers in the field of information security equally testify to the fact that information is becoming more vulnerable [17]. A computer network consists of heterogeneous entities that include all kinds of processors, communication devices, and different human beings with different motives. Along with the heterogeneous nature of each of the entities on a computer network, the entities have continuously diversified, exponentially, over the years [9].

Internet traffic, together with its data and other resources, is on an increasing trend, and it was projected to maintain that trend as far back as 2009 [9]. This is illustrated in Figure 1. Consequently, network overload, delay in network transmission, insufficient storage facilities, inadequate information, insufficient resources, traffic congestion that results in the dropping of packets along the channel of transmission, an increased computational bottleneck on the central processing modules of applications and the total coordination of network affairs become a problem [9]. These factors, among others, are posing an insecurity problem to the computer network and are creating more avenues for intrusion [21].

[32] also stated that some vital information disseminated within institutions and offices, across offices, between branches of an organization and between different types of establishment today at times gets into the hands of unauthorized persons who tamper with the contents of the information. There is therefore a need to put security measures in place that are capable of detecting intrusion attempts promptly across every network setting; otherwise lots of valuable data and other sensitive information may continue to experience threats such as impersonation, corruption, repudiation, break-in or denial of service, which can cause serious danger to the individuals or organizations concerned.

Insecurity as a result of intrusion has been a teething problem that has been scaring users of computer networks, despite the inevitable benefit derived from them.

On 20th Feb. 2012 there was a report by Jinshan on China's internet security showing that network insecurity incidents are on a rising trend. This shows a global trend in the information security threat.

In a nutshell, the problem of information and network insecurity, especially by virtue of intrusion, has become more rampant, prominent, complicated and dynamic along with the rapid development of network technology, and up till now network security technology has not been able to eradicate intrusion [25]. Hence, there is a need to enhance the current intrusion detection technologies so that they are capable of prompt detection. Such a system design should not add too much load to the network and must be fast for better detection.

CoRI'16, Sept 7–9, 2016, Ibadan, Nigeria.
Figure 1. Internet Usage Trend (Holz, David, & Timoteo, 2011). [Plot of Usage (0 to 50000) against Year (2005 to 2012); the image itself is not reproduced in this text.]

2. PROBLEM STATEMENT
As much as the use of computer networks, and even the internet, is inevitable in the emerging information-driven world, rapid development and increasing demand for the internet have paved the way for malicious users to intrude illegally into computer networks [27]. Day in, day out, the number of attackers is increasing, and the technologies and targets of attacks are diversifying [18]. These, among other insecurity issues, have led to various research efforts and the development of IDS using different technologies, including data mining, multi-agent systems, honeypots, multiclass classification, mobile agents, etc.

Up till today, previous research work reveals that mobile agent technology can still be enhanced to counter the dynamism and rapidly mutating development of hacker technology, and that the benefit of using mobile agents in detecting intrusion cannot be denied; however, securing the agent itself still poses a great challenge in the information security domain [28]. Therefore, mobile agent effectiveness in IDS depends on some factors relating to the agent itself [15].

According to [15], mobile agent portability and security affect the agent system's usability and efficiency in intrusion detection. Hence, attempts to improve the security of mobile agents result in an increase in network load on the part of the agent system. [14] also asserted that the main obstacle hindering the application of mobile agents to IDS is insecurity on the part of the agent. This reveals that if mobile agents are highly secured, the performance of the IDS will be improved. The question here is: if such performance is improved through the enhancement of mobile agent security, would there be any significant effect on network traffic and network load?

[28] also listed some shortcomings of mobile agents in the area of insecurity that have affected the usability and performance of IDS.

In a recent study of mobile agent security threats, it was stated that lots of security issues of mobile agents need to be addressed, and such issues include inter-mobile-agent collaboration and mutual authentication between host and mobile agents [1].

[25] also claimed that agents' security, management, coordination and collaboration are important problems for the effective identification of distributed attacks in a system. The fact here is that when agents are highly secured and collaborate well, better detection of attacks by the agent system can be achieved. In such a scenario, how can secured agents be achieved that mutually address intrusions with little or no effect on system usability and efficiency? What enhancement can be made to agents such that there will be little or no effect on processor load, processing time and network traffic?

3. METHODOLOGY
As a result of the need to make effective use of mobile agents and to take advantage of their inevitable characteristics for intrusion detection, this research is aimed at proposing an enhanced intrusion detection model that uses more secure and collaborative mobile agents. Since the mobile agent is central to the proposed model for intrusion detection, the idea is to improve their safety and collaborative ability and to reduce their response time, such that the usability and efficiency of the agent system can be improved.

To this end, this research work proposes an improvement on the framework of [11], where mobile agents were used to detect user anomalies (i.e. deviations from a model of normal behaviour) at two levels: user activities and program operations. The model uses two approaches, the misuse detection approach (a model of abnormal behaviour based on experience) and the anomaly approach; this hybridized approach is proposed to enhance the effectiveness of detection. It will also give room for the Network Administrator to make a decision on a suspected intrusion, so as to avoid false positive alarms to some extent. It gives room for mobile agents to collaborate by triggering and communicating on any detected intrusion and then storing the characteristics of the intrusion attempt, which also enables faster detection when such an attempt is made again.

3.1 Modified Hybrid Framework
The architecture of the proposed model consists of two comparators handled by mobile agents, as shown below:
Figure 2. Propose Framework for the Hybridized Architecture. [Flowchart; the image is not reproduced in this text. Its blocks are: User or Host; User & Process Authentication; User Profile Repository; Process Profile; First Comparator (Check Deviation); Administrator Response Interface; Block Access & Transfer Characteristics To Store; Second Comparator (Store the characteristics of detected intrusions & compare it with the present User's profile); Detected Intrusions Characteristics From Other AGENTs & Networks; Block Access; Yes/No decision branches; END.]

The mobile agent will perform the function of comparing profiles in the first and second comparators. It will gather information and data relating to the user and process profiles of its domain from the repository; this task is performed on a timely basis or on the occurrence of an event. Each agent will have access to relay the characteristics of intrusions detected within its domain to other agents outside its domain and within other networks, for future detection (collaboration). Such characteristics may include recorded user activities, start time, speed of input, system resources used, energy consumption and other expected deviant behaviour of the user and process details, for comparison purposes. Here, a matching algorithm can be used by the agent.

3.2 Mobile Agent Security Enhancement
Security is also a key factor in ensuring the efficiency, ease of use and widespread deployment of intrusion detection applications based on mobile agent technology. Without a proper solution to the security problem of mobile agents, there will be a severe impediment to the IDS. Therefore, the following principles of mobile agents need to be applied to guarantee the safety of the agents [11]:
1. Participants cannot be assumed to trust each other by default.
2. Any agent-critical decisions should be made on trusted hosts.
3. Unchanging components of the state should be sealed cryptographically.

Therefore, this research design proposes to look at the security issues of mobile agents from four different perspectives of threat, as follows [1]:
Agent to platform threat.
Platform to agent threat.
Agent to agent threat.
Platform to platform threat.
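As an added illustration of the three principles above (this is example code written for this page, not the authors' implementation): the unchanging components of an agent's state, namely its identity, its home domain and a digest of the code it carries, are sealed on the trusted home platform before dispatch and re-checked on every platform it visits, while the findings it accumulates are left out of the seal so that legitimate collaboration does not break it. The paper proposes digital signatures for agent and platform authentication; the example substitutes an HMAC keyed with a secret assumed to be held only by the trusted home platform, so that it runs on the Python standard library alone. The field names, the demonstration key and the sample finding are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed demonstration key. The paper proposes digital signatures; an HMAC
# with a key known only to the trusted home platform stands in here so that the
# example runs on the standard library alone. A deployment would never carry
# this key inside the agent.
HOME_PLATFORM_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass
class MobileAgent:
    agent_id: str
    home_domain: str
    code: bytes                                   # comparator/matching code the agent carries
    findings: List[Dict[str, str]] = field(default_factory=list)  # mutable: gathered en route
    seal: Optional[str] = None                    # HMAC over the unchanging components


def immutable_state(agent: MobileAgent) -> bytes:
    """Canonical encoding of the components that must not change in transit:
    identity, origin domain and a digest of the code. `findings` is deliberately
    excluded because it is supposed to grow as the agent collaborates."""
    return json.dumps(
        {
            "agent_id": agent.agent_id,
            "home_domain": agent.home_domain,
            "code_sha256": hashlib.sha256(agent.code).hexdigest(),
        },
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")


def seal_agent(agent: MobileAgent, key: bytes) -> MobileAgent:
    """Done on the trusted home platform before dispatch (principle 3)."""
    agent.seal = hmac.new(key, immutable_state(agent), hashlib.sha256).hexdigest()
    return agent


def verify_seal(agent: MobileAgent, key: bytes) -> bool:
    """Constant-time check; an agent without a seal is untrusted (principle 1)."""
    if agent.seal is None:
        return False
    expected = hmac.new(key, immutable_state(agent), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, agent.seal)


def admit_agent(agent: MobileAgent, key: bytes, alerts: List[Dict[str, str]]) -> bool:
    """Admission decision taken on the receiving, trusted platform (principle 2).
    A failed check is recorded for the administrator, as Section 3.2 proposes."""
    if verify_seal(agent, key):
        return True
    alerts.append({
        "agent_id": agent.agent_id,
        "home_domain": agent.home_domain,
        "event": "seal verification failed: code or identity altered in transit",
    })
    return False


def demo() -> Tuple[bool, bool, List[Dict[str, str]]]:
    """Walk one agent through a legitimate hop and then an altered hop."""
    alerts: List[Dict[str, str]] = []
    agent = seal_agent(
        MobileAgent("agent-01", "domain-A",
                    b"def match(profile, observed): return profile == observed"),
        HOME_PLATFORM_KEY,
    )
    # Legitimate work on a remote platform changes only the mutable part.
    agent.findings.append({"user": "u17", "deviation": "input speed"})  # constructed finding
    admitted_after_work = admit_agent(agent, HOME_PLATFORM_KEY, alerts)
    # The "Alteration" threat: the carried code is changed in transit, so the seal fails.
    agent.code = b"def match(profile, observed): return False"
    admitted_after_alteration = admit_agent(agent, HOME_PLATFORM_KEY, alerts)
    return admitted_after_work, admitted_after_alteration, alerts
```

`demo()` returns `(True, False, [one alert])`: appending a finding leaves the seal valid, altering the code does not, and the second hop produces the administrator alert. With real signatures in place of the HMAC, `verify_seal` would need only the home platform's public key, which is what lets platforms that do not trust each other still check an agent's origin.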
Some of the threats that can cause insecurity include alteration, eavesdropping, repudiation, denial of service, unauthorized access, masquerading, etc.
i. Masquerading is a way of impersonating a legitimate user; it gives room for the extraction of sensitive information by the fake agent.
ii. Unauthorized access exists by way of illegal interference with a platform, or when agents invoke the public methods of another agent.
iii. Denial of service has to do with exhausting resources so that others are deprived of them.
iv. A repudiation attack refers to a threat that involves preventing an agent from participating in a communication or transaction.
v. Alteration is a threat that has to do with the undetected change of the code or data of an agent.
vi. Eavesdropping is a passive attack that involves the interception and monitoring of secret communication.

It may be concluded, by close assessment and analysis of some of the threats listed above, that agents may be safe to a certain level if:
i. Their privacy and integrity are assured.
ii. Agent-to-platform or agent-to-server authentication is ensured.
iii. Authorization and access control are strictly observed [11].

In a nutshell, to provide security for mobile agents in this model against all or some of the above-mentioned threats, this research work proposes to employ some of the following techniques:
i. During collaboration between agents from other domains for the exchange of intrusion characteristics, the agent and the platform will be designed to authenticate themselves (i.e. verify each other's identity). This is proposed to be implemented using digital signature and password protection strategies.
ii. To provide a high level of privacy for agent data and behaviour, encryption and cloning are proposed.
iii. Agent communication and security-related transactions are proposed to be recorded, so that non-participating agents can be audited, traced and fished out.
iv. The platform will be structured in such a way that it can control concurrent and simultaneous access to data and services. It must also be a good manager of deadlock.
v. A platform or agent will also be designed to signal the administrator whether or not any agent belonging to a domain has been changed, by monitoring for code that has been tampered with, whose state has been changed or whose execution flow has been redirected.
vi. Other mobile agent security mechanisms proposed for this model include hash functions, range checkers, execution tracing and cryptography that allows detection of attacks against code manipulation.

3.3 Placement and Distribution Enhancement
It is no overemphasis to say that too many mobile agents in many intrusion detection applications have an effect on data transmission, network traffic congestion, and the computational and processing time of the central processor. Hence, to improve the performance of the proposed design as regards speed and network traffic, we propose the use of Dijkstra's algorithm as follows.

In line with Dijkstra's algorithm, G is proposed to be a graph representing the network of nodes in a domain, and it has two sets associated with it. The first set is N, which represents all nodes in the domain. The second set is C, which represents all connections between nodes in the domain. For each c ∈ C we have d(c) ≥ 0, which represents the delay of edge c. The symbol σ will be used to represent the delay of the shortest path from one node to another node within the domain.

Having defined these symbols, we can formally define our mobile agent placement method as follows: given G = (N, C) where each c ∈ C has d(c) > 0, select a node v ∈ V (V denoting the node set N) such that the maximum σ from node v to all other nodes in the domain is the minimum. This will be the location for an agent to be placed (i.e. the minimum of the maximum delay). Alternatively, we can say that the node v_j attaining

$\min_{v_j \in V} \left\{ \max_{v_i \in V} \sigma(v_j, v_i) \right\}$

will be the location for an agent to be placed within the domain.

Hence, for practical purposes, we shall examine the delay from a node to all other nodes within a domain, pick the maximum delay for each of the available nodes and store it in an array called MAXARRAY. Then, from MAXARRAY, we shall pick the node with the smallest value and place our mobile agent there. The diagram (not reproduced in this text) and the tables below show an instance of this.
As an instance, the domain in the above diagram has five nodes, and the delay weight from node to node is as shown there. Therefore N = 5, and for the connection between node a and node e we have the following alternative connections, together with their respective delays:

p1 = <a, b, c, e>, whose weighted delay = w(a, b) + w(b, c) + w(c, e) = 1 + 2 + 1 = 4

and

p2 = <a, d, c, e>, whose weighted delay = w(a, d) + w(d, c) + w(c, e) = 3 + 2 + 1 = 6.

Table 1: Shortest delay from node to node for the above sample network.

NODE  a  b  c  d  e
A     0  1  3  3  4
B     1  0  2  4  3
C     3  2  0  2  1
D     3  4  2  0  1
E     4  3  1  1  0

Table 2: MAXARRAY, the maximum delay from each node to all other nodes.

NODE  MAXIMUM DELAY
A     4
B     4
C     3
D     4
E     4

Hence, from MAXARRAY, node C is the appropriate node at which to place the mobile agent, such that the IDS can be more efficient by virtue of less workload. This is to say that node C alone may be assigned an agent, rather than assigning agents to every node within the domain.

We can also have a SORTED MAXARRAY, as shown in Table 3 below.

Table 3: SORTED MAXARRAY

NODE  MAXIMUM DELAY
C     3
A     4
B     4
D     4
E     4

At times, increasing the number of agents in the network will allow intrusions, anomalies and other security issues to be detected faster, as well as spreading the workload across the network. Suppose we have a very large network consisting of a network of networks, in which case there is a need to use more than a single agent in the agent system (i.e. the proposed intrusion detection system) for effective intrusion detection. Therefore, in such a scenario, we propose the following strategy, in line with the MAXARRAY list above, for the selection and assignment of mobile agents to the various domains within a large network. As an instance, suppose the outcome of our SORTED MAXARRAY is as follows:

Table 4: SORTED MAXARRAY

NODE  MAXIMUM DELAY
C     3
A     4
B     5
D     5
E     5

Here it is implied that if we wish to assign two agents, they are preferably placed at node c and node a. If we pick all the weighted delays from node a and node c to all other nodes within the network from Table 1, we obtain the following two-dimensional array:

Table 5: Multiple Agents Assignment Table [MAAT]

NODE  a  b  c  d  e
A     0  1  3  3  4
C     3  2  0  2  1

Consequently, Table 5 clearly indicates that if we are to assign two agents, they should be placed at node a and node c. Apart from that, the mobile agent at node a should be responsible for node a and node b, while the mobile agent at node c should be responsible for node c, node d and node e. Hence, this kind of assignment strategy is proposed for this research design, so as to use the minimum number of mobile agents that can respond efficiently to every other node in case of any intrusion into our network.

3.4.1 Algorithm for Placement and Distribution of Mobile Agent

Single mobile agent placement algorithm for a small network:
i) Input all the available node delays.
ii) Apply Dijkstra's algorithm to get all shortest distances from node to node.
iii) For each node, select the highest delay out of all the available shortest delays from that node to all other nodes.
iv) Tabulate all the highest delays with their corresponding nodes.
v) Sort the table in ascending order.
vi) Output the node with the smallest delay in the table.
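The single-agent placement steps above, and the two-agent assignment discussed under Table 5, carried through in Python as an added example; this code is not from the paper. It assumes the six edges listed in the block: five of them (a–b = 1, b–c = 2, c–e = 1, a–d = 3, d–c = 2) are the delays the text gives for paths p1 and p2, and a sixth edge d–e = 1 is an assumption chosen so that Dijkstra's algorithm reproduces Table 1, since the network diagram itself is not in the extracted text. It generalises slightly beyond the text: unreachable nodes get an infinite delay, so a node that cannot reach the whole domain is never chosen, and the assignment works for any number of agents, not only two.

```python
import heapq
from typing import Dict, Iterable, List, Tuple

INF = float("inf")

# Constructed edge list for the five-node sample domain of Section 3.3.
# w(a,b)=1, w(b,c)=2, w(c,e)=1, w(a,d)=3 and w(d,c)=2 are the delays the paper
# states for paths p1 and p2; the edge d-e with delay 1 is an ASSUMPTION added
# so that the shortest-delay matrix reproduces Table 1.
SAMPLE_EDGES: List[Tuple[str, str, int]] = [
    ("a", "b", 1), ("a", "d", 3), ("b", "c", 2),
    ("c", "d", 2), ("c", "e", 1), ("d", "e", 1),
]


def build_graph(edges: Iterable[Tuple[str, str, int]]) -> Dict[str, Dict[str, int]]:
    """G = (N, C) as an adjacency map node -> {neighbour: d(c)}; links are symmetric."""
    graph: Dict[str, Dict[str, int]] = {}
    for u, v, delay in edges:
        if delay < 0:
            raise ValueError("delays must satisfy d(c) >= 0")
        graph.setdefault(u, {})[v] = delay
        graph.setdefault(v, {})[u] = delay
    return graph


def dijkstra(graph: Dict[str, Dict[str, int]], source: str) -> Dict[str, float]:
    """sigma(source, v) for every node v; nodes the source cannot reach keep INF."""
    dist: Dict[str, float] = {node: INF for node in graph}
    dist[source] = 0
    heap: List[Tuple[float, str]] = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry, a shorter path was already settled
        for v, delay in graph[u].items():
            if d + delay < dist[v]:
                dist[v] = d + delay
                heapq.heappush(heap, (dist[v], v))
    return dist


def path_delay(graph: Dict[str, Dict[str, int]], path: List[str]) -> int:
    """Weighted delay of an explicit path such as p1 = <a, b, c, e>."""
    return sum(graph[u][v] for u, v in zip(path, path[1:]))


def all_pairs_delay(graph: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, float]]:
    """Table 1: run Dijkstra from every node (step ii)."""
    return {node: dijkstra(graph, node) for node in graph}


def maxarray(delays: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Table 2: for each node, its largest shortest delay to any other node (steps iii, iv)."""
    return {node: max(row.values()) for node, row in delays.items()}


def sorted_maxarray(delays: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Table 3: MAXARRAY in ascending order (step v); ties broken by node name."""
    return sorted(maxarray(delays).items(), key=lambda item: (item[1], item[0]))


def place_single_agent(graph: Dict[str, Dict[str, int]]) -> str:
    """Step vi: the node minimising the maximum delay (min of max)."""
    return sorted_maxarray(all_pairs_delay(graph))[0][0]


def assign_multiple_agents(graph: Dict[str, Dict[str, int]], agents: int) -> Dict[str, List[str]]:
    """Table 5: host the first `agents` nodes of SORTED MAXARRAY, then give every
    node to the host with the smallest delay to it (earlier host wins ties)."""
    delays = all_pairs_delay(graph)
    hosts = [node for node, _ in sorted_maxarray(delays)[:agents]]
    maat = {host: delays[host] for host in hosts}          # the MAAT rows
    assignment: Dict[str, List[str]] = {host: [] for host in hosts}
    for node in sorted(graph):
        best = min(hosts, key=lambda host: maat[host][node])  # min keeps the first on ties
        assignment[best].append(node)
    return assignment
```

Running `all_pairs_delay(build_graph(SAMPLE_EDGES))` gives Table 1, `maxarray` gives Table 2, `sorted_maxarray` gives Table 3 (the tie among a, b, d and e is broken alphabetically), `place_single_agent` returns c, and `assign_multiple_agents(..., 2)` gives a responsible for {a, b} and c responsible for {c, d, e}, as in the discussion of Table 5.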
3.4.2 Multiple Mobile Agent Placement Algorithm for Large Network
i. Input the max(min(delay)) for each node.
ii. Arrange and tabulate them in ascending order.
iii. Select the number of nodes you need, in line with the tabulated order.
iv. Create your multiple agent assignment table.
v. Determine and pick which of the nodes has the minimum delay to each selected node.
vi. Output the selected nodes together with those nodes to which they have the minimum delay.

3.5 Experimental Data
This research work proposes to use randomly generated data to evaluate the efficiency of the research model through a series of experimental simulations. The randomly generated data shall be used to evaluate the resources required to operate the IDS model on a computer, in terms of memory usage, network traffic, network load and processing load.

4. CONCLUSION
This paper has presented a proposed research framework aimed at faster detection of attacks and reduction of network congestion and bottlenecks in packet processing. After implementation, it stands to be robust by virtue of its ability to receive the characteristics of known attacks from other network users, and its hybridized use of user activity and program operation monitoring for intrusion detection.

5. REFERENCES
[1] Amro, B. (2013). Mobile Agent Systems, Recent Security Threats and Counter Measures. Journal of ResearchGate, 160-167.
[2] Ande, A. T. (Ed.). (2013). History and Philosophy of Science in General Studies. General Studies Division, University of Ilorin. ISBN: 978-36284-0-2.
[3] Bernardes and Moreira (2000). Implementation of an Intrusion Detection System Based on Mobile Agent. International Symposium on Software Engineering for Parallel and Distributed Systems, IEEE Computer Society.
[4] Chapke, P. P., & Raut, A. B. (2012). Intrusion Detection System using Fuzzy logic and Data Mining Technique. International Journal of Advanced Research in Computer Science and Software Engineering, 152-154.
[5] Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. USA: Special Publication 800-61 Revision 2.
[6] Corporate White Paper. "Deploying and Tunning Network Intrusion Detection System." intrusion.com White Paper 2001 (2004): 3.
[7] Ehimen, O. R., & Oyakhilome, I. (2009). Development of a Software Based Firewall System for Computer Network. Leonardo Electronic Journal of Practices and Technologies, 75-80.
[8] Ganapathy, S., Yogesh, P., & Kannan, A. (2012). Intelligent Agent-Based Intrusion Detection System Using. Computational Intelligence and Neuroscience.
[9] Holtz, M. D., David, B. M., & Timoteo, R. (2011). Building Scalable Distributed Intrusion Detection System Based on the MapReduced Framework. REVISTA TELECOMUNICACOES, 22-31.
[10] Jabez, J., & Muthukumarb, B. (2015). Intrusion Detection System (IDS): Anomaly Detection using Outlier. International Conference on Intelligent Computing, Communication & Convergence (pp. 338-346). India: Procedia Computer Science Press.
[11] Jaisankar, N., Saravanan, R., & Swamy, K. D. (July 2009). Intelligent Intrusion Detection System Framework Using Mobile. International Journal of Network Security & Its Applications (IJNSA), Vol 1, No 2, 72-88.
[12] Jansen, W. A. (2003). Intrusion Detection With Mobile Agents. USA: NIST Special Publication 800-.
[13] Jansen, W., & Karygiannis, T. (October 2000). Privilege Management of Mobile Agents. Twenty-third National Information Systems Security Conference (pp. 362-370). USA: NIST Special Publication.
[14] Jansen, W., Mell, P., Karygiannis, T., & Marks, D. (1999). Applying Mobile Agents to Intrusion Detection and Response. National Institute of Standards, 1-46.
[15] Jianxiao, L., & Lijuan, L. (2009). Research of Distributed Intrusion Detection System Model Based. International Forum on Information Technology and Applications, 53-57.
[16] Jimoh, R. G. (2013). Knowledge Management Functionality by Information Technology in Adeleke, B. L., Abdus-Salam, N. &
[17] Kabiri, P., & Ghorbani, A. A. (2005). Research on Intrusion Detection and Response:. International Journal of Network Security, 84-102.
[18] Lee, D.-h., Kim, D.-y., & Jung, J.-i. (2008). Multi-Stage Intrusion Detection System Using Hidden Markov Model Algorithm. International Conference on Information Security, 72-77.
[19] Lee, W., & Stolfo, S. (2001). Real time data mining-based intrusion detection. Proceedings of DARPA Information, pp. 89-100.
[20] Minar, N., Kramer, K. H., & Maes, P. (n.d.). www.media.mit.edu/~nelson/research/routes/. Retrieved 11 03, 2014, from http://www.media.mit.edu/~nelson/research/routes/
[21] Mohammed, H. A. (2015). HYBRID INTELLIGENT APPROACH FOR NETWORK. MALAYSIA.
[22] ntrusion-detection-system-group.co.uk. (n.d.). Retrieved March 15, 2015, from http://www.intrusion-detection-system-group.co.uk
[23] Pages 158-164.
[24] Pathak, H. (2011). Hybrid Security Architecture (HSA) for Secure Execution. International Journal of Information Technology, 499-502.
[25] Ran, Z. (2012). A Model of Collaborative Intrusion Detection System based on Multi-agents. International Conference on Computer Science and Service System, 789-792.
[26] Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems. National Institute of Standards and Technology.
[27] Tian, -r. L., & Pan, W.-m. (2005). Intrusion Detection System Based on New Association Rule Mining Model. 512-515.
[28] Trushna, T., Patil1, K., & Banchhor, C. (2013). Distributed Intrusion Detection System using. International Journal of Advanced Research in Computer and Communication Engineering, 1901-1903.
[29] Verwoerd, T., & Hunt, R. (2003). Intrusion Detection Techniques and Approaches.
[30] Whitman, Michael E., Townsend, Anthony M., & Hendrickson, Anthony R. "Cross-National Differences in Computer-Use Ethics: A Nine Country Study." The Journal of International Business Studies 30, no. 4 (1999): 673-687.
[31] Yanxin W. (2004). An hybrid intrusion detection system (Unpublished dissertation). Iowa State University, Ames. Retrieved from UMI Microform 3145689.
[32] Zirra, P. B., & Wajiga, G. M. (2011). Cryptographic algorithms for Secure data Communication. International Journal of Computer Science and Security, 227-243.