Modeling an Enhanced Intrusion Detection System using Mobile Agent: A Methodological Framework

Isah Olawale Mustapha, Al-Hikmah University, Ilorin, Nigeria (salnet2002@yahoo.com)
R. G. Jimoh, University of Ilorin, Ilorin, Nigeria (jimoh_rasheed@yahoo.com)

CoRI'16, Sept 7–9, 2016, Ibadan, Nigeria.

ABSTRACT
Increasing demand by all and sundry for the internet and shared networks has driven the development of various network technologies that link together people of different motives; consequently, it has paved the way for malicious and unauthorized users to intrude into the information resources of organizations. Building on the advantages embedded in the layered framework and in the signature-based approach proposed by a number of earlier researchers, this research proposes a hybridized framework that uses two comparators for the detection of intrusion, operated by secured, collaborative and optimally numbered mobile agents. If implemented, the framework is expected to give better efficiency with respect to time of detection, storage space and reduction of network congestion.

CCS Concepts
• Security and privacy ➝ Intrusion/anomaly detection and malware mitigation ➝ Intrusion Detection systems

Keywords
Intrusion, Intrusion Detection System, Mobile Agent, Dijkstra Algorithm.

1. INTRODUCTION
Most companies, institutions and organizations today rely on information for decision making [4]. Hence, other things being equal, the efficiency of any organization today depends on how well it can secure its information resources, especially through the use of computer systems [30]. Apart from that, a computer system also responds to issues based on the resources and information that are presented to it [5]. More so, resource and information sharing are the two primary objectives of setting up a computer network; such information and resources serve as a major factor in attaining and sustaining competitive advantage in the emerging information-driven organizations [16]. This, among other factors, led the world into ubiquitous computing, with e-banking, e-commerce, e-messages, e-training and so on as its dividend. This, however, does not come without its challenges, as it equally paved the way for intruders and unauthorized users to gain undue access to certain sensitive information [17].

A number of previous researchers in the field of information security equally testify to the fact that information is becoming more vulnerable [17]. A computer network consists of heterogeneous entities that include all kinds of processors, communication devices, and different human beings with different motives. Along with the heterogeneous nature of each of the entities on a computer network, the entities have continuously diversified exponentially over the years [9]. Internet traffic, together with its data and other resources, is on an increasing trend and has been projected to maintain that trend since as far back as 2009 [9]. This is illustrated in Figure 1. Consequently, network overload, delay in network transmission, insufficient storage facilities, inadequate information, insufficient resources, traffic congestion that results in packets being dropped along the channel of transmission, increased computational bottlenecks on the central processing modules of applications, and the overall coordination of network affairs become a problem [9]. These factors, among others, pose an insecurity problem to the computer network and create more avenues for intrusion [21].

[32] also stated that some vital information disseminated within institutions and offices, across offices, and between branches of an organization and different types of establishment today at times gets into the hands of unauthorized persons who tamper with the contents of the information. Therefore, there is a need to put security measures in place that are capable of promptly detecting intrusion attempts across every network setting; otherwise, lots of valuable data and other sensitive information may continue to experience threats such as impersonation, corruption, repudiation, break-in or denial of service, which can cause serious danger to the individual or organization concerned.

Insecurity as a result of intrusion has been a teething problem that has been scaring users of computer networks, despite the inevitable benefit derived from them. On 20th Feb. 2012 there was a report by Jinshan that China's internet security shows that network insecurity incidents are on a rising trend. This shows a global trend in the information security threat.

In a nutshell, the problem of information and network insecurity, especially by virtue of intrusion, has become more rampant, prominent, complicated and dynamic along with the rapid development of network technology, and up till now network security technology has not been able to eradicate intrusion [25]. Hence, there is a need to enhance the current intrusion detection technologies so that they are capable of prompt detection. Such a system design should not add too much load to the network and must be fast for better detection.

Figure 1. Internet Usage Trend (Holtz, David, & Timoteo, 2011). [Chart not reproduced: Usage on the vertical axis, 0 to 50000, against Year on the horizontal axis, 2005 to 2012.]

2. PROBLEM STATEMENT
As much as the use of computer networks, even the internet, is inevitable in the emerging information-driven world, rapid development and increasing demand for the internet have paved the way for malicious users to illegally intrude into computer networks [27]. Day in, day out, the number of attackers is increasing, and the technologies and the targets of attacks are diversified [18]. These, among other insecurity issues, have led to various research efforts and the development of IDS using different technologies, which include data mining, multi-agent systems, honeypots, multiclass classifiers, mobile agents, etc.

Up till today, previous research work reveals that the technology of mobile agents can still be enhanced to counter the dynamism and the rapid, mutating development of hacker technology, and that the benefit of using mobile agents in detecting intrusion cannot be denied; however, securing the agent itself still poses a great challenge in the information security domain [28]. Therefore, mobile agent effectiveness in IDS depends on some factors relating to the agent itself [15]. According to [15], mobile agent portability and security affect the agent system's usability and efficiency in intrusion detection. Hence, attempts to improve the security of mobile agents result in an increase in network load on the part of the agent system. [14] also asserted that the main obstacle hindering the application of mobile agents to IDS is insecurity on the part of the agent. This reveals that if the mobile agent is highly secured, the performance of the IDS will be improved. The question here is: if such performance is improved through the enhancement of mobile agent security, would there be any significant effect on the network traffic and network load?

[28] also listed some shortcomings of mobile agents in the area of insecurity that have affected the usability and performance of IDS. In a recent study of mobile agent security threats, it was stated that lots of security issues of mobile agents need to be addressed, and such issues include inter-mobile-agent collaboration and mutual authentication between hosts and mobile agents [1]. [25] also claimed that agents' security, management, coordination and collaboration are important problems for the effective identification of distributed attacks in a system. The fact here is that when agents are highly secured and well collaborated, better detection of attacks by the agent system can be achieved. In such a scenario, how can secured agents be achieved that mutually address intrusions with little or no effect on system usability and efficiency? What enhancement can be made to agents such that there will be little or no effect on processor load, processing time and network traffic?

3. METHODOLOGY
As a result of the need to make effective use of mobile agents and to take advantage of their inevitable characteristics for intrusion detection, this research aims at proposing an enhanced intrusion detection model that uses more secure and collaborative mobile agents. Since the mobile agent is central to the proposed model for intrusion detection, the idea is to improve the agents' safety and collaborative ability and to reduce their response time, such that the agent system's usability and efficiency can be improved.

To this end, this research work proposes an improvement on the framework of [11], where mobile agents were used to detect user anomalies (i.e. deviations from a model of normal behaviour) at two levels: user activities and program operations. The model uses two approaches: the misuse detection approach (a model of abnormal behaviour based on experience) and the anomaly approach; this hybridized approach is proposed to enhance the effectiveness of detection. It will also give room for the network administrator to make a decision on the suspected intrusion, so as to avoid false positive alarms to some extent. It gives room for mobile agents to collaborate by triggering and communicating on any detected intrusion and then storing the characteristics of such an intrusion attempt, which also enhances fast detection when such an attempt is made again.

3.1 Modified Hybrid Framework
The architecture of this proposed model consists of two comparators handled by mobile agents, as shown in Figure 2.

Figure 2. Proposed Framework for the Hybridized Architecture. [Flowchart not reproduced; its blocks are: User & Process Authentication (Yes/No); User or Host; User Profile Repository; Process Profile Repository; First Comparator (check deviation); Detected Intrusions Characteristics From Other AGENTs & Networks; Second Comparator (store the characteristics of detected intrusions and compare them with the present user's profile); Administrator Response Interface; Block Access & Transfer Characteristics To Store; Block Access; END.]

Mobile agents will perform the function of comparing profiles in the first and second comparators. An agent will gather information and data relating to the user and process profiles of its domain from the repository; this task is performed on a timely basis or on the occurrence of an event. Each agent will have access to relay the characteristics of intrusions detected within its domain to other agents outside its domain and within other networks, for future detection (collaboration). Such characteristics may include recorded user activities, start time, speed of input, system resources used, energy consumption, and other expected deviant behaviour of the user and process details, for comparison purposes. Here, a matching algorithm can be used by the agent.

3.2 Mobile Agent Security Enhancement
Security is also a key factor in ensuring the efficiency, ease of use and widespread deployment of intrusion detection applications based on mobile agent technology. Without a proper solution to the security problem of mobile agents, there will be a severe impediment to the IDS. Therefore, the following principles of mobile agents need to be applied to guarantee the safety of the agents [11]:

1. Participants cannot be assumed to trust each other by default.
2. Any agent-critical decisions should be made on trusted hosts.
3. Unchanging components of the state should be sealed cryptographically.
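The three principles above, together with the agent-to-platform authentication, tamper signalling and audit recording that the rest of Section 3.2 proposes, can be illustrated in a few lines. The following Python sketch is an added example, not code from the paper or from [11]: the unchanging components of an agent (identity, home domain and code) are sealed before dispatch, every platform verifies the seal before executing the agent, and each admission decision is recorded platform-side so that an altered agent can be traced and reported to the administrator. It assumes that the home platform and every trusted host share a secret key, so the seal is an HMAC-SHA256 tag; the paper proposes digital signatures and password protection, and HMAC stands in here only because the standard library has no asymmetric signature primitive. All identifiers and the demo key are constructed.

```python
"""Added example (not the paper's code): sealing the unchanging components of a
mobile agent, verifying the seal on every host, and auditing admission decisions.

Assumption: a shared secret between the home platform and trusted hosts
(HMAC-SHA256) stands in for the digital signatures the paper proposes."""
import hashlib
import hmac
from dataclasses import dataclass, field, replace

DEMO_KEY = bytes(range(32))   # constructed demo key; provisioned out of band in a real deployment


@dataclass
class MobileAgent:
    agent_id: str
    home_domain: str
    code: bytes                                   # immutable after dispatch
    seal: bytes = b""                             # tag over the immutable components
    state: dict = field(default_factory=dict)     # mutable: findings gathered en route


def immutable_digest(agent: MobileAgent) -> bytes:
    """SHA-256 over exactly the components that must never change; the mutable
    state is deliberately left out so that normal work does not break the seal."""
    h = hashlib.sha256()
    for part in (agent.agent_id.encode(), agent.home_domain.encode(), agent.code):
        h.update(len(part).to_bytes(4, "big"))    # length prefix: no ambiguity between fields
        h.update(part)
    return h.digest()


def seal_agent(agent: MobileAgent, key: bytes) -> MobileAgent:
    """Principle 3: the home platform seals the unchanging components."""
    agent.seal = hmac.new(key, immutable_digest(agent), hashlib.sha256).digest()
    return agent


def verify_agent(agent: MobileAgent, key: bytes) -> bool:
    """Principles 1 and 2: a host trusts nothing by default and checks the seal itself."""
    expected = hmac.new(key, immutable_digest(agent), hashlib.sha256).digest()
    return hmac.compare_digest(expected, agent.seal)


def receive_agent(agent: MobileAgent, host: str, key: bytes, audit_log: list) -> bool:
    """Admission check run by a platform: verify, then record the decision so that
    a tampered agent can be traced afterwards (technique iii of Section 3.2)."""
    admitted = verify_agent(agent, key)
    audit_log.append({"host": host, "agent_id": agent.agent_id,
                      "digest": immutable_digest(agent).hex(), "admitted": admitted})
    return admitted


def rejected_hosts(audit_log: list) -> list:
    """Hosts at which an agent arrived with a broken seal, for the administrator."""
    return [entry["host"] for entry in audit_log if not entry["admitted"]]


def run_demo() -> dict:
    """Walk one agent across three hosts; the third one receives an altered copy."""
    log = []
    agent = seal_agent(MobileAgent("ids-agent-07", "domain-A", b"def scan(): ..."), DEMO_KEY)
    clean = receive_agent(agent, "host-1", DEMO_KEY, log)
    agent.state["suspicious_logins"] = 3                   # mutable state may change freely
    after_work = receive_agent(agent, "host-2", DEMO_KEY, log)
    altered = replace(agent, code=b"def scan(): pass  # altered in transit")
    tampered = receive_agent(altered, "host-3", DEMO_KEY, log)
    return {"clean": clean, "after_state_change": after_work,
            "tampered": tampered, "flagged_hosts": rejected_hosts(log)}


if __name__ == "__main__":
    print(run_demo())
```

Only the sealed components are covered by the tag, which is what lets the agent carry changing results from host to host while any change to its code, identity or home domain is caught at the next platform; the audit log lives on the platforms, not on the agent, so a host that alters the agent cannot also erase the record of its arrival.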
Therefore, this research design proposes to look at the security issues of mobile agents from four different perspectives of threat, as follows [1]:

Agent-to-platform threat.
Platform-to-agent threat.
Agent-to-agent threat.
Platform-to-platform threat.

Some of the threats that can cause insecurity include alteration, eavesdropping, repudiation, denial of service, unauthorized access, masquerading, etc.

i. Masquerading is a way of impersonating a legitimate user; it gives room for the extraction of sensitive information by the fake agent.
ii. Unauthorized access exists by way of illegal interference with a platform, or when agents invoke the public methods of another agent.
iii. Denial of service has to do with exhausting resources so that others can be deprived of them.
iv. A repudiation attack refers to a threat that involves preventing an agent from participating in a communication or transaction.
v. Alteration is a threat that has to do with an undetected change of the code or data of an agent.
vi. Eavesdropping is a passive attack that involves the interception and monitoring of secret communication.

It may be concluded, by close assessment and analysis of some of the above listed threats, that agents may be safe to a certain level if:

i. their privacy and integrity are assured;
ii. agent-to-platform or server authentication is ensured;
iii. authorization and access control are strictly observed [11].

In a nutshell, to provide security for mobile agents in this model against all or some of the above-mentioned threats, this research work proposes to employ some of the following techniques:

i. During collaboration between agents from other domains for the exchange of intrusion characteristics, agent and platform will be designed to authenticate themselves (i.e. verification of each other's identity). Implementation of this is proposed to use digital signature and password protection strategies.
ii. To enhance a high level of agent data and behavioural privacy, encryption and cloning are proposed.
iii. Agent communications and security-related transactions are proposed to be recorded, so that auditing and tracing of non-participating agents can be carried out.
iv. The platform will be structured in such a way that it can control concurrent and simultaneous access to data and services. It must also be a good manager of deadlock.
v. A platform or agent will also be designed to signal the administrator in case any agent belonging to a domain has been changed, by monitoring for code that has been tampered with, whose state has been changed or whose execution flow has been redirected.
vi. Some other proposed mobile agent security mechanisms for this model include hash functions, range checkers, execution tracing and cryptography that allow detection of attacks against code manipulation.

3.3 Placement and Distribution Enhancement
It is no overemphasis to say that too many mobile agents in many intrusion detection applications have an effect on data transmission, on network traffic congestion, and on the computational and processing time of the central processor. Hence, to improve the performance of the proposed design with regard to speed and network traffic, we propose the use of Dijkstra's algorithm as follows.

In line with Dijkstra's algorithm, G is proposed to be a graph that represents the network of nodes in a domain, and it has two sets associated with it. The first set is N, which represents all nodes in the domain. The second set is C, which represents all connections between nodes in the domain. For each c ∈ C, we have d(c) ≥ 0, which represents the delay of edge c. The symbol σ will be used to represent the delay of the shortest path from one node to another node within the domain.

Having defined these symbols, we can formally define our mobile agent placement method as follows: given G = (N, C) where for each c ∈ C, d(c) > 0, select a node v ∈ N such that the maximum σ from node v to all other nodes in the domain is the minimum. This will be the location for an agent to be placed (i.e. the minimum of the maximum delay). Alternatively, we can say that the node with min{ max{ σ(v_i, v_j) for i ∈ N } for j ∈ N } will be the location for an agent to be placed within the domain.

Hence, for practical purposes, we shall examine the delay observed from a node to all other nodes within a domain, pick the maximum delay for each of the available nodes, and store it in an array called MAXARRAY. Then from MAXARRAY we shall pick the node with the smallest value and place our mobile agent there. The diagram and tables below show an instance of this.

[Network diagram not reproduced: a domain of five nodes, a to e, with the delay of each link between nodes shown as its weight.]

As an instance, the domain in the above diagram has five nodes, and the weight of the delay from node to node is as shown above. Therefore N = 5, and for the connection between node a and node e we have the following alternative connections, together with their respective delays:

p1 = <a, b, c, e>, with weighted delay = w(a, b) + w(b, c) + w(c, e) = 1 + 2 + 1 = 4

and also

p2 = <a, d, c, e>, with weighted delay = w(a, d) + w(d, c) + w(c, e) = 3 + 2 + 1 = 6.

Table 1: Shortest delay from node to node for the sample network above.

NODE   a   b   c   d   e
A      0   1   3   3   4
B      1   0   2   4   3
C      3   2   0   2   1
D      3   4   2   0   1
E      4   3   1   1   0

Table 2: MAXARRAY, the maximum delay from each node to the other nodes.

NODE   MAXIMUM DELAY
A      4
B      4
C      3
D      4
E      4

Hence, from MAXARRAY, node C is the appropriate node at which to place the mobile agent such that the IDS can be more efficient by virtue of less workload. This is to say that node C alone may be assigned an agent, rather than assigning agents to every node within the domain. We can also have a SORTED MAXARRAY, as shown in Table 3 below.

Table 3: SORTED MAXARRAY

NODE   MAXIMUM DELAY
C      3
A      4
B      4
D      4
E      4

3.4.1 Algorithm for Placement and Distribution of Mobile Agents
Single mobile agent placement algorithm for a small network:
i) Input all the available node delays.
ii) Apply Dijkstra's algorithm to get all shortest distances from node to node.
iii) For each node, select the highest delay out of all the available shortest delays from that node to all other nodes.
iv) Tabulate all the highest delays with their corresponding nodes.
v) Sort the table in ascending order.
vi) Output the node with the smallest delay in the table.

At times, increasing the number of agents in the network will allow intrusions, anomalies and other security issues to be detected faster, as well as spreading the workload out across the network. Suppose we have a very large network consisting of a network of networks, in which case there is a need to use more than a single agent in the agent system (i.e. the proposed intrusion detection system) for effective intrusion detection. Therefore, in such a scenario, we propose the following strategy, in line with the above MAXARRAY list, for the selection and assignment of mobile agents to the various domains within a large network. As an instance, suppose the outcome of our SORTED MAXARRAY is as follows:

Table 4: SORTED MAXARRAY

NODE   MAXIMUM DELAY
C      3
A      4
B      5
D      5
E      5

Here it implies that if we wish to assign two agents, they are preferably placed at node c and node a. If we pick all the weighted delays of node a and node c to all other nodes within the network from Table 1, we can come out with the following two-dimensional array:

Table 5: Multiple Agents Assignment Table [MAAT]

NODE   a   b   c   d   e
A      0   1   3   3   4
C      3   2   0   2   1

Consequently, Table 5 clearly indicates that if we are to assign two agents, they should be placed at node a and node c. Apart from that, the mobile agent at node a should be responsible for node a and node b, while the mobile agent at node c should be responsible for node c, node d and node e. Hence this kind of assignment strategy is proposed for this research design, so as to use the minimum number of mobile agents that can respond efficiently to every other node in case of any intrusion into our network.
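The placement method of Section 3.3 and the assignment strategy of Table 5 can be carried out end to end on the five-node sample domain. The following Python program is an added example, not the paper's code: it runs Dijkstra's algorithm from every node (Table 1), builds MAXARRAY and SORTED MAXARRAY (Tables 2 and 3), picks the single-agent location, and for k agents builds the MAAT and gives each node to the host that reaches it with the least delay. Since the original network diagram is not reproduced, the links are reconstructed from paths p1 and p2 and from Table 1; the link d-e with delay 1 is an assumption (it is the only way to obtain the d-e entry of 1 in Table 1). It goes slightly beyond the text in that it works for any k, not only k = 2.

```python
"""Added example (not the paper's code): single-agent placement (Section 3.3 / 3.4.1)
and multiple-agent assignment (Table 5 / 3.4.2) on the five-node sample domain.

Assumption: the link list below is reconstructed from p1, p2 and Table 1; the
d-e link with delay 1 is inferred because the original diagram is not available."""
import heapq

# Constructed sample domain: undirected links (u, v, d(c)) with d(c) > 0.
SAMPLE_LINKS = [
    ("a", "b", 1), ("b", "c", 2), ("c", "e", 1),   # path p1 = <a, b, c, e>, delay 4
    ("a", "d", 3), ("d", "c", 2),                  # path p2 = <a, d, c, e>, delay 6
    ("d", "e", 1),                                 # inferred from Table 1 (assumption)
]


def build_graph(links):
    """Adjacency map {node: {neighbour: delay}}; rejects d(c) <= 0 as the definition requires."""
    graph = {}
    for u, v, delay in links:
        if delay <= 0:
            raise ValueError(f"link {u}-{v}: delay must be positive, got {delay}")
        graph.setdefault(u, {})[v] = delay
        graph.setdefault(v, {})[u] = delay
    return graph


def dijkstra(graph, source):
    """sigma(source, x) for every node x: the shortest-path delay from source."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:            # stale queue entry, already settled with a shorter delay
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def all_pairs_delay(graph):
    """Table 1: shortest delay from every node to every other node."""
    return {u: dijkstra(graph, u) for u in graph}


def maxarray(table):
    """Table 2: the worst-case (maximum) delay from each node to the rest of the domain."""
    return {u: max(row.values()) for u, row in table.items()}


def sorted_maxarray(marr):
    """Table 3: MAXARRAY in ascending order; the node name breaks ties deterministically."""
    return sorted(marr.items(), key=lambda kv: (kv[1], kv[0]))


def place_single_agent(graph):
    """3.4.1: the node whose maximum delay is the minimum (min of the max delay)."""
    return sorted_maxarray(maxarray(all_pairs_delay(graph)))[0][0]


def assign_multiple_agents(graph, k):
    """3.4.2: host k agents at the first k nodes of SORTED MAXARRAY, build the MAAT
    (rows = hosts, columns = nodes, entries taken from Table 1) and give every node
    to the host that reaches it with the smallest delay."""
    table = all_pairs_delay(graph)
    hosts = [node for node, _ in sorted_maxarray(maxarray(table))[:k]]
    maat = {h: dict(table[h]) for h in hosts}          # Table 5
    assignment = {h: [] for h in hosts}
    for node in sorted(graph):
        # the host that comes earlier in SORTED MAXARRAY wins a tie
        best = min(hosts, key=lambda h: (maat[h][node], hosts.index(h)))
        assignment[best].append(node)
    return maat, assignment


if __name__ == "__main__":
    g = build_graph(SAMPLE_LINKS)
    print("single agent at node", place_single_agent(g))
    maat, assignment = assign_multiple_agents(g, 2)
    for host, nodes in assignment.items():
        print(f"agent at {host} covers {nodes}")
```

On the sample domain this reproduces the paper's result: node c is the single-agent location, and with two agents node a covers a and b while node c covers c, d and e. Note that MAXARRAY is computed from the shortest-path delays, not from the raw link weights, so a node with long direct links can still be the best host if every other node is reachable within a small delay.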
3.4.2 Multiple Mobile Agent Placement Algorithm for a Large Network
i. Input the max(min(delay)) for each node.
ii. Arrange and tabulate them in ascending order.
iii. Select the number of nodes you need, in line with the tabulated order.
iv. Create your multiple agent assignment table.
v. Determine and pick which of the nodes has a minimum delay to the selected nodes.
vi. Output the selected nodes together with those nodes for which they have minimum delay.

3.5 Experimental Data
This research work proposes to use randomly generated data to evaluate the efficiency of the research model through a series of experimental simulations. The randomly generated data shall be used to evaluate the resources required to operate the IDS model on a computer in terms of memory usage, network traffic, network load and processing load.

4. CONCLUSION
This paper has presented a proposed research framework that is aimed at faster detection of attacks and at reduction of network congestion and bottlenecks in packet processing. After implementation, it stands to be robust by virtue of its ability to receive the characteristics of known attacks from other network users, and of its hybridized use of user activity and program operation monitoring for intrusion detection.

5. REFERENCES
[1] Amro, B. (2013). Mobile Agent Systems, Recent Security Threats and Counter Measures. Journal of ResearchGate, 160-167.
[2] Ande, A. T. (Ed.). (2013). History and Philosophy of Science in General Studies. General Studies Division, University of Ilorin. ISBN: 978-36284-0-2.
[3] Bernardes, & Moreira. (2000). Implementation of an Intrusion Detection System Based on Mobile Agent. International Symposium on Software Engineering for Parallel and Distributed Systems. IEEE Computer Society.
[4] Chapke, P. P., & Raut, A. B. (2012). Intrusion Detection System using Fuzzy logic and Data Mining Technique. International Journal of Advanced Research in Computer Science and Software Engineering, 152-154.
[5] Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. USA: NIST Special Publication 800-61 Revision 2.
[6] Corporate White Paper. (2004). Deploying and Tuning Network Intrusion Detection System. intrusion.com White Paper 2001, 3.
[7] Ehimen, O. R., & Oyakhilome, I. (2009). Development of a Software Based Firewall System for Computer Network. Leonardo Electronic Journal of Practices and Technologies, 75-80.
[8] Ganapathy, S., Yogesh, P., & Kannan, A. (2012). Intelligent Agent-Based Intrusion Detection System Using. Computational Intelligence and Neuroscience.
[9] Holtz, M. D., David, B. M., & Timoteo, R. (2011). Building Scalable Distributed Intrusion Detection System Based on the MapReduced Framework. REVISTA TELECOMUNICACOES, 22-31.
[10] Jabez, J., & Muthukumar, B. (2015). Intrusion Detection System (IDS): Anomaly Detection using Outlier. International Conference on Intelligent Computing, Communication & Convergence (pp. 338-346). India: Procedia Computer Science Press.
[11] Jaisankar, N., Saravanan, R., & Swamy, K. D. (July 2009). Intelligent Intrusion Detection System Framework Using Mobile. International Journal of Network Security & Its Applications (IJNSA), Vol 1, No 2, 72-88.
[12] Jansen, W. A. (2003). Intrusion Detection With Mobile Agents. USA: NIST Special Publication 800-.
[13] Jansen, W., & Karygiannis, T. (October 2000). Privilege Management of Mobile Agents. Twenty-third National Information Systems Security Conference (pp. 362-370). USA: NIST Special Publication.
[14] Jansen, W., Mell, P., Karygiannis, T., & Marks, D. (1999). Applying Mobile Agents to Intrusion Detection and Response. National Institute of Standards, 1-46.
[15] Jianxiao, L., & Lijuan, L. (2009). Research of Distributed Intrusion Detection System Model Based. International Forum on Information Technology and Applications, 53-57.
[16] Jimoh, R. G. (2013). Knowledge Management Functionality by Information Technology. In Adeleke, B. L., Abdus-Salam, N. &
[17] Kabiri, P., & Ghorbani, A. A. (2005). Research on Intrusion Detection and Response:. International Journal of Network Security, 84-102.
[18] Lee, D.-h., Kim, D.-y., & Jung, J.-i. (2008). Multi-Stage Intrusion Detection System Using Hidden Markov Model Algorithm. International Conference on Information Science and Security, 72-77.
[19] Lee, W., & Stolfo, S. (2001). Real time data mining-based intrusion detection. Proceedings of DARPA Information, 89-100.
[20] Minar, N., Kramer, K. H., & Maes, P. (n.d.). www.media.mit.edu/~nelson/research/routes/. Retrieved 11 03, 2014, from http://www.media.mit.edu/~nelson/research/routes/
[21] Mohammed, H. A. (2015). HYBRID INTELLIGENT APPROACH FOR NETWORK. MALAYSIA.
[22] intrusion-detection-system-group.co.uk. (n.d.). Retrieved March 15, 2015, from http://www.intrusion-detection-system-group.co.uk
[23] Pages 158-164.
[24] Pathak, H. (2011). Hybrid Security Architecture (HSA) for Secure Execution. International Journal of Information Technology, 499-502.
[25] Ran, Z. (2012). A Model of Collaborative Intrusion Detection System based on Multi-agents. International Conference on Computer Science and Service System, 789-792.
[26] Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems. National Institute of Standards and Technology.
[27] Tian, -r. L., & Pan, W.-m. (2005). Intrusion Detection System Based on New Association Rule Mining Model. 512-515.
[28] Trushna, T., Patil, K., & Banchhor, C. (2013). Distributed Intrusion Detection System using. International Journal of Advanced Research in Computer and Communication Engineering, 1901-1903.
[29] Verwoerd, T., & Hunt, R. (2003). Intrusion Detection Techniques and Approaches.
[30] Whitman, M. E., Townsend, A. M., & Hendrickson, A. R. (1999). Cross-National Differences in Computer-Use Ethics: A Nine Country Study. The Journal of International Business Studies, 30(4), 673-687.
[31] Yanxin, W. (2004). An hybrid intrusion detection system (Unpublished dissertation). Iowa State University, Ames. Retrieved from UMI Microform 3145689.
[32] Zirra, P. B., & Wajiga, G. M. (2011). Cryptographic algorithms for Secure data Communication. International Journal of Computer Science and Security, 227-243.