Distributed Agent Based Model for Intrusion Detection System Based on Artificial Immune System Farhoud Hosseinpour, Sureswaran Ramadass, Andrew Meulenberg, Payam Vahdani Amoli,Zahra Moghaddasi

Distributed Agent Based Model for Intrusion Detection System Based on Artificial Immune System

1Farhoud Hosseinpour, 2Sureswaran Ramadass, 3Andrew Meulenberg, 4Payam Vahdani Amoli and 5Zahra Moghaddasi

*1, 2, 3 National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, Malaysia, {farhoud; sures; andrew}@nav6.usm.my
4 Faculty of Information Technology, University of Jyväskylä, 40100, Jyväskylä, Finland, [email protected]
5 Faculty of Computer Science and Information Technology, University of Malaya, Malaysia, [email protected]

Abstract

With mounting global network connectivity, the issue of intrusion has gained importance, promoting active research on efficient Intrusion Detection Systems (IDS). Artificial Immune System (AIS) is a new bio-inspired model which is applied for solving various problems in the field of information security. Because of its unique features (self-learning, self-adaptation and self-improvement), AIS has been utilized to design new anomaly-based IDS. In this paper we introduce a new distributed, agent-based design of an AIS-based IDS. In our model, detectors are distributed to each host in the network, while the central engine is located in a server which manages the detectors and makes the final decision about a current intrusion based on the previous experience of all of the hosts in the network. In our proposed model, the detector agents in each host are actively updated and synchronized with the detector agents of other hosts through our IDS's central engine.

Keywords: AIS, IDS, Distributed, Agent, Danger Theory

1. Introduction

Artificial Immune System (AIS) is a new bio-inspired model which is applied for solving various problems in the field of information security. AIS is defined as [3] “Adaptive systems, inspired by theoretical immunology and observed immune functions, principles and models, which are applied to problem solving.” Akin to other bio-inspired models such as genetic algorithms, neural networks, evolutionary algorithms and swarm intelligence [1], AIS is inspired by the human immune system (HIS), a system of structures in the human body which distinguishes foreign pathogens and cells from the body's own cells and protects the body against diseases [2]. Its unique features of dynamism, diversity, distribution, parallel management, self-organization, self-learning and self-adaptation [4, 7, 10] encourage researchers to employ these techniques in a variety of applications. One basic and significant feature of AIS is self and non-self discrimination [9, 10], which makes it a precise technique for anomaly detection in intrusion detection systems. Like the HIS, which protects the human body against foreign pathogens, the AIS suggests a multilayered protection structure [12, 14] for protecting computer networks against attacks. Consequently, network security researchers have focused on it to build and optimize the new generation of IDS. In this paper we propose a distributed framework for an intrusion detection system based on an artificial immune system, utilizing a genetic algorithm to enhance the secondary immune response. In this framework, after the detectors are trained using the negative selection algorithm, they are distributed to each host as agents of the main IDS engine. This facilitates the detection process and increases the detection performance by decreasing the processing load in the IDS central engine, in contrast to a centralized mode. The uniqueness of this work is the distribution of both primary and memory cell detectors to each host while using the genetic algorithm for evolution of the memory cells. The rest of the paper is organized as follows. In section 2, a brief history of AIS is presented; in section 3, we review the related works. In section 4, we describe our proposed framework and all its components, and finally there is a conclusion in section 5.

2. Related Works

Different frameworks have been presented by several authors for utilizing AIS in intrusion detection systems. There are essentially two approaches for applying AIS. One approach is classical self/non-self discrimination and the other is the application of danger theory as a substitute for the previous approach [8].

International Journal of Digital Content Technology and its Applications (JDCTA), Volume 7, Number 9, May 2013, doi:10.4156/jdcta.vol7.issue9.26

2.1. Self/non-Self Discrimination

The artificial immune system has the capability to differentiate between the self space (the cells which are owned by the system) and the non-self space (entities foreign to the system). This capability is provided by T-cells, which are a set of non-self reactive detectors. A negative selection algorithm, proposed by Forrest [9], presents a framework to discriminate between self and non-self entities. In this algorithm, a set of detectors is first produced and then compared with a set of normal (self) data, to make sure that none of the detectors is reactive to self data. If any of the detectors matches any self entity, the system eliminates it, and the rest are kept [9]. Hofmeyr and Forrest [10] developed the first lightweight intrusion detection system (LISYS) based on AIS. They believe that “unlike the other immunology’s rhetorical model AIS typically constructed as agent-based models (ABM).” LISYS is a network IDS which utilizes the negative selection algorithm. In this IDS, TCP connections are inspected and categorized into normal and anomalous connections. They simulate the chemical bonds which are made between protein chains as fixed-length binary strings for self and non-self discrimination in AIS. Kannadiga and Zulkernine [15] utilized mobile agents for developing a distributed IDS. This innovation reduces network bandwidth usage by migrating the detectors and computational entities to each suspected host. Tan et al. [14] proposed a multi-layered structure which consists of detection, defense and user layers. Divyata Dal et al. [17] developed an IDS that utilizes a genetic algorithm for evolution of the detectors to form the primary immune response and to generate the memory cells. They tried to enhance Forrest and Hofmeyr's work by applying a genetic algorithm to enhance the secondary immune response of the AIS without human involvement. Their proposed model was basically a centralized network-based IDS with the capability of anomaly detection. This work has the disadvantage of central processing, with massive processing of each packet passing through the network. In this paper we propose a distributed multi-layered framework to enhance the detection performance and efficiency of the IDS.

2.2. Danger Theory

As a substitute for self/non-self discrimination, the Danger Model was proposed by Matzinger [11, 18]. According to this hypothesis, the main cause of an immune response is that a pathogen harms the system and is therefore dangerous, rather than that it is unknown to the system. The Danger Model works on the premise that the main director of the immune system is the body's tissues and not the immune cells. Chemical danger signals are released by distressed tissues to rouse the immune response, whereas calming or self signals are released by healthy tissues, which provide tolerance for the immune system [19]. The idea of utilizing the Danger Theory Model for constructing the next generation of artificial immune system based IDS was proposed by Aickelin et al. [21]. They stated that in the IDS paradigm the danger is sensed and measured automatically after some number of intrusions because of the damage that is caused by an attack. Once a danger signal is detected, it is transmitted to the nearest artificial antigens around the danger area. Fu et al. [12] proposed a four-layer model based on DT and AIS: “Danger sense layer (DSL), danger computing layer (MCL), immune response layer (IRL) and spot disposal layer (SDL).” In this model, each layer works independently while cooperating with other layers. Ou et al. [22] proposed a model based on a multi-agent structure utilizing danger theory for IDS. They use agents as entities with an ability to intelligently communicate and detect intrusions.

3. Proposed IDS Framework and Components

Proper IDS design is essential to improve the performance of the IDS. An inappropriate design reduces the detection capability of the IDS. Our proposed architecture is essentially a distributed multi-agent based design for IDS, which utilizes the genetic algorithm for evolving memory cell detectors. Figure 2 shows the fundamental design of our proposed AIS-based IDS, which consists of two main components: the IDS central engine and the detection sensors. The IDS Central Engine is located in the gateway of each LAN and Detection Sensors are located in each host in the network. Each of these components is composed of some agents that correlate with each other in order to detect anomalies and intrusions. Our design goal is to decrease the detection time for each connection by distributing the detectors to each host. Consequently, the processing overhead is divided between the hosts and each host is responsible for its own traffic. Thus, instead of checking all passing traffic, which would impose a high processing overhead and detection time, the central engine is only responsible for analyzing the reported information.

Figure 2. Architecture overview of proposed IDS

3.1. IDS Central Engine

The Central Engine is composed of two main modules, Training and Detection modules, which carry out four main tasks:

- Training the primary detectors
- Analyzing the reported data
- Generating Memory Cell detectors
- Distributing and synchronizing the detector sets in each host

Each module consists of software agents, each of which performs a special task. The training module, composed of a Convertor Agent and a Trainer Agent, is responsible for training the primary random detectors in the early stage of the system's running time. The detection module is composed of an Analyzer Agent and a Dispatcher Agent. The former analyzes the reported data from each host and, under some conditions, generates memory cells by evolving primary activated detectors. The latter distributes and synchronizes the detector sets in each host.

3.1.1. Convertor Agent

The data used to evaluate the system is DARPA 1998, a standard dataset from the Lincoln Laboratory off-line intrusion detection evaluation. This set includes real instances of attack sessions that are used to evaluate intrusion detection systems. Prior to the evaluation, a set of training data is used to configure the intrusion detection system and to set the parameters. This includes a set of self and non-self data that are used to train and test the IDS. In order to process the network packets, we need to convert the information of all packets to binary strings as the packet profiles. This information includes: Destination IP Address, Source IP Address, Destination Port Number, Duration, Protocol, and Source Port Number [17]. This information is extracted from packets and converted to binary strings of 112 bits. Table 1 shows the valid values of each field together with their maximum binary length.

3.1.2. Trainer Agent

After all training data sets are converted to binary strings, they are passed to the Trainer Agent to be used for training the detectors. The Negative Selection algorithm is used for training the primary detectors. At first, a number of randomly generated strings, called immature detectors, are created and checked against all self-training data sets. If any immature detector matches any of the self packets, the system discards it and generates another one in its place. After all immature detectors have been checked against all self packets, the remaining detectors undergo the next step of the negative-selection algorithm and become ‘mature’ detectors. Each mature detector is checked against all non-self packets from the training data. If any detector fails to match with some non-self packet, the system discards this detector; otherwise this detector is added to our final detector set. This process continues until all non-self packets are matched by at least three mature detectors. The R-Contiguous bit [20] matching rule is used to check the matching between two strings. Thus, two bit strings of the same length match if they have at least r contiguous identical bits. The process of training the primary detectors is shown in figure 2.

Table 1. Depiction of fields in packets profile strings [17]

| Name of the Field      | Minimum and Maximum Value     | Binary String Length |
|------------------------|-------------------------------|----------------------|
| Destination IP Address | 0.0.0.0 - 255.255.255.255     | 32 bits              |
| Source IP Address      | 0.0.0.0 - 255.255.255.255     | 32 bits              |
| Destination Port No    | 0 – 65535                     | 16 bits              |
| Duration               | 0 – 65535 seconds             | 12 bits              |
| Protocol               | 0 – 65535                     | 4 bits               |
| Source Port No         | 0 – 65535                     | 16 bits              |
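The following Python sketch is an added example, not code from the paper: it packs the six Table 1 fields into a 112-bit profile, implements r-contiguous matching, trains detectors by negative selection, and applies the host-side activation threshold Ta (r = 17 and Ta = 3 are the values the paper's experimental setup reports). Assumptions: oversized field values saturate at the field maximum, a mature detector is kept when it matches at least one non-self packet, exactly Ta triggered detectors already counts as an anomaly, and the sample connections are constructed.

```python
import ipaddress
import random

PROFILE_BITS = 112                      # 32 + 32 + 16 + 12 + 4 + 16 (Table 1)
MASK = (1 << PROFILE_BITS) - 1


def encode_profile(dst_ip, src_ip, dst_port, duration, protocol, src_port):
    """Convertor Agent: pack the Table 1 fields, in table order, into 112 bits.

    Assumption: a value wider than its field saturates at the field maximum;
    the paper does not say how such values are handled.
    """
    fields = (
        (int(ipaddress.IPv4Address(dst_ip)), 32),
        (int(ipaddress.IPv4Address(src_ip)), 32),
        (dst_port, 16),
        (duration, 12),
        (protocol, 4),
        (src_port, 16),
    )
    profile = 0
    for value, width in fields:
        if value < 0:
            raise ValueError("field values must be non-negative")
        profile = (profile << width) | min(value, (1 << width) - 1)
    return profile


def r_contiguous_match(a, b, r):
    """True if the two profiles are identical in at least r contiguous bits."""
    agree = ~(a ^ b) & MASK             # 1 = same bit value at this position
    for _ in range(r - 1):              # surviving 1s mark the start of a run
        agree &= agree >> 1
    return agree != 0


def train_detectors(self_set, nonself_set, r=17, coverage=3, seed=1,
                    max_candidates=2_000_000):
    """Trainer Agent: negative selection over random immature detectors."""
    rng = random.Random(seed)           # seeded so the run is repeatable
    hits = {p: 0 for p in nonself_set}
    detectors = []
    tried = 0
    while any(h < coverage for h in hits.values()):
        if tried == max_candidates:
            raise RuntimeError("coverage not reached; non-self too close to self")
        tried += 1
        candidate = rng.getrandbits(PROFILE_BITS)
        if any(r_contiguous_match(candidate, s, r) for s in self_set):
            continue                    # reacts to self: discard
        matched = [p for p in hits if r_contiguous_match(candidate, p, r)]
        if not matched:
            continue                    # detects no non-self packet: discard
        detectors.append(candidate)
        for p in matched:
            hits[p] += 1
    return detectors


def classify(profile, detectors, r=17, ta=3):
    """Detector Agent: count triggered detectors and apply threshold Ta.

    Assumption: reaching Ta exactly is treated as an anomaly.
    """
    triggered = sum(r_contiguous_match(d, profile, r) for d in detectors)
    if triggered >= ta:
        return "anomaly", triggered     # block and report to the central engine
    if triggered > 0:
        return "suspected", triggered   # below Ta: alert only
    return "normal", triggered


# Constructed sample connections (not DARPA records). Protocol codes 1 and 2
# are placeholders that fit the 4-bit field.
SELF = [encode_profile(*c) for c in (
    ("10.0.0.5", "10.0.0.20", 80, 12, 1, 49152),
    ("10.0.0.5", "10.0.0.21", 443, 30, 1, 49153),
    ("10.0.0.7", "10.0.0.20", 53, 1, 2, 5353),
)]
NONSELF = [encode_profile(*c) for c in (
    ("10.0.0.5", "203.0.113.9", 23, 0, 1, 31337),
    ("10.0.0.7", "198.51.100.4", 445, 900, 1, 1024),
    ("10.0.0.5", "192.0.2.77", 6667, 4000, 1, 40000),
)]

if __name__ == "__main__":
    dets = train_detectors(SELF, NONSELF)
    print(len(dets), "detectors trained")
    for p in SELF + NONSELF:
        print(f"{p:028x}", classify(p, dets))
```

With r = 17 a random 112-bit string matches a given profile only rarely, so training draws thousands of candidates per retained detector; that cost is paid once in the central engine, not on the hosts.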

3.1.3. Dispatcher Agent

After training, all detectors must be sent to all hosts in the network. This is done using a dispatcher agent that has the responsibility to communicate with all hosts and synchronize them according to new changes in detector sets and memory cell detectors. The dispatcher agent also receives the reported signals from sensors and forwards them to the Analyzer Agent to be investigated.

3.1.4. Analyzer Agent

Once an intrusion happens in any host, the detectors are triggered by matching with the suspected packet. Information about the intrusion, e.g., the number of triggered sensors and their affinity with the suspected packet, together with their profile, is then sent to the IDS center to be analyzed and acted upon. This is done by an Analyzer Agent in the detection module. If the number of triggered detectors exceeds a threshold, an intrusion alert is given and the triggered detectors are used for generation of memory cell detectors. A genetic algorithm is applied to calculate and generate memory cells with improved ability to detect particular kinds of anomalies. At the same time, the analyzer agent informs the firewall to block this packet. If the number of triggered detectors is less than a threshold, the packet is marked as a suspected packet for future investigation. After generation of memory cells, they are passed to the dispatcher agent, which sends and synchronizes the new detectors to the sensor agents in each host. When the triggered detectors are sent to the analyzer agent for the genetic algorithm, the genetic operation of selection is applied to determine which of the detectors must be cloned to make a primary population. Therefore, a cloning threshold is set by the following formula [17]:













“n” is the total number of activated detectors.


Those activated detectors having a fitness value greater than or equal to the cloning threshold undergo cloning. The number of clones to be generated for the candidate detectors is determined by the following formula [17]:















10



Once the process of cloning is complete, the first population for genetic algorithm will be produced. These detectors constitute winner detectors and will be subject to Mutation, Crossover, and Reproduction operations of the genetic algorithm. This process continues until a substantial number of generations is completed. In each generation, the fitness of the whole population is calculated. Once a detector with fitness value higher than that of a winner detector is generated, the genetic algorithm is stopped. The selected detector then becomes a Memory Cell Detector and is added to the Memory Cell Detector set to be sent to each host. If, after a substantial number of generations, no memory cell is generated, then the detector with greatest fitness among winner detectors is selected to become a Memory Cell Detector.
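An added Python sketch of the evolution step described above, not the authors' implementation. The cloning-threshold and clone-count formulas are not reproduced on this page, so the already cloned winner population is passed in; fitness as the longest run of identical bits, binary tournament selection, single-point crossover, single-bit mutation and the re-check of evolved detectors against self are assumptions, and all profiles are constructed. The 30% / 40% / 30% operator probabilities are the ones the paper reports.

```python
import random

BITS = 112
MASK = (1 << BITS) - 1


def affinity(detector, packet):
    """Longest run of contiguous identical bits (assumed fitness measure)."""
    agree = ~(detector ^ packet) & MASK
    run = 0
    while agree:                        # each pass shortens every run by one
        agree &= agree >> 1
        run += 1
    return run


def evolve_memory_cell(winners, packet, self_set, r=17, generations=50,
                       p_crossover=0.30, p_mutation=0.40, seed=7):
    """Return (detector, evolved); evolved is False when the fallback is used."""
    rng = random.Random(seed)           # seeded so the run is repeatable
    best = max(winners, key=lambda d: affinity(d, packet))
    target = affinity(best, packet)     # fitness a memory cell has to beat

    def pick(population):
        # Binary tournament selection (assumption; the paper names no scheme).
        x, y = rng.choice(population), rng.choice(population)
        return x if affinity(x, packet) >= affinity(y, packet) else y

    population = list(winners)
    for _ in range(generations):
        offspring = []
        for _ in range(len(population)):
            roll = rng.random()
            if roll < p_crossover:                  # single-point crossover
                low = (1 << rng.randrange(1, BITS)) - 1
                child = (pick(population) & ~low & MASK) | (pick(population) & low)
            elif roll < p_crossover + p_mutation:   # flip one random bit
                child = pick(population) ^ (1 << rng.randrange(BITS))
            else:                                   # reproduction: plain copy
                child = pick(population)
            fitter = affinity(child, packet) > target
            # Added guard, not in the paper: an evolved detector never went
            # through negative selection, so re-check it against self before
            # it is distributed to every host.
            tolerant = all(affinity(child, s) < r for s in self_set)
            if fitter and tolerant:
                return child, True
            offspring.append(child)
        population = offspring
    return best, False                  # no improvement: fittest winner is kept


# Constructed 112-bit profiles (not real traffic).
PACKET = int("a" * 28, 16)              # suspected packet, bit pattern 1010...
SELF = [0, MASK]


def make_winner(start, length):
    """Constructed detector that agrees with PACKET on one window only."""
    return (~PACKET & MASK) ^ (((1 << length) - 1) << start)


# Three activated detectors, each cloned four times.
WINNERS = [make_winner(10, 18), make_winner(40, 20), make_winner(70, 19)] * 4

if __name__ == "__main__":
    cell, evolved = evolve_memory_cell(WINNERS, PACKET, SELF)
    print("evolved" if evolved else "fallback", affinity(cell, PACKET))
```

Because a memory cell blocks traffic on every host as soon as it triggers, a cell that reacts to self produces network-wide false positives, which is why the sketch adds the self re-check.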

3.2. Host-Side Sensors

In order to enhance the detection mechanism and attain higher performance of the IDS, the detector sensors are distributed to all hosts in the network. This also helps the IDS to be robust and extendable. Two types of detectors are present in each host: Detector Agents and Memory Cell Agents. A convertor agent is also used in each host to convert the profile of packets to binary strings.

3.2.1. Detector Agent

Detector agents comprise a set of trained detectors that have the ability to discriminate between self and non-self packets. All incoming packets are checked against these detectors. If any detector matches a packet with an effective affinity, an anomaly is reported to the IDS Center to be investigated. The number of triggered detectors, the fitness of each detector with the suspected packet, and the packet profile are all needed for the analysis in the IDS central engine. The concept of a threshold, Ta, is introduced to improve the accuracy of detection. If the number of activated detectors is more than threshold Ta, the session is closed by the local firewall. This can help the IDS to reduce false-positive errors.

3.2.2. Memory Cell Agent

The Memory Cell Agent constitutes the adaptive immune response function for AIS. It is composed of a set of detectors that have been generated in the analyzer agent using its genetic algorithm. The analyzer agent has imbued these detectors with more ability and accuracy for detection of some kinds of intrusion. Using memory cell detectors helps the system to reduce the detection time and take more rapid action for previously seen intrusions. This also enhances the performance of the IDS by reducing the processing overhead. Memory cell detectors are an effective way to reduce false-positive and false-negative errors. Once an anomaly is introduced into a host and any memory cell detector is triggered, the packet is blocked and the details of the intrusion are reported to the IDS Central Engine. The whole analysis and detection process, which is conducted on both server and host sides, is shown in Figure 4.

3.3. Multi-layer structure of proposed architecture

In order to obtain a feasible model that divides a gigantic problem into sub-problems that can be solved independently, and to enable the intrusion detection system to perform efficiently, intrusion detection is performed in a multilayer mode. Each layer has its own responsibility and detection mechanism that correlates with upper and lower layers to respond automatically to an intrusion. As illustrated in Figure 3, the multilayer architecture consists of three layers [6, 8].

3.3.1. Primary Immune Response Layer (PIR)

A network firewall is the outermost protection layer of this architecture; it is also the first barrier to prevent network intrusion by attackers. However, not all attacks are detected and prevented by the firewall. It is located in the network gateway and has access to all packets passing through the network. It controls incoming and outgoing traffic according to the rules that have been set. In one role, it correlates with other layers, which detect intrusions, and receives commands from them to block a packet.

3.3.2. Innate Immune Response Layer (IIR)

The innate immune system performs its function in the early period of infection [2]. It is used to detect intrusion behaviors and mark the attacking packets. Innate immunity has anomaly-nonspecific defense mechanisms that a host uses for immediate response to suspected packets. This layer consists of convertor and detector agents on the host side and analyzer and alert agents on the server side. This helps to reduce the processing overhead by responding to an intrusion in local hosts instead of forcing a server to be responsible for the traffic of all hosts. As a result, it provides effective and high-speed intrusion detection.

3.3.3. Adaptive Immune Response Layer (AIR)

The Adaptive Immune Response Layer is composed of distinctive and systemic detectors, called Memory Cell Detectors. This layer has great ability to detect and eliminate previously seen intrusions. It has anomaly-specific defense mechanisms to detect and block a specific intrusion. Consequently, the Memory Cell Detectors act as a proactive defense for our IDS.

Figure 3. Training of the detectors

Figure 5. Multilayered Architecture of IDS

Figure 4. Detection procedure flowchart


4. Experimental Setup

As discussed earlier, the R-Contiguous bit matching algorithm is used to refine the data against the non-self connections. The fitness value “rc” is defined to determine the minimum affinity of two given strings. Different values of “rc” were examined during the evaluation of the prototype. According to our experiment, for any value less than or equal to 13, in the detection stage, a considerable number of self packets are matched with trained detectors, resulting in a high false-positive rate in detection. In addition, for any value lower than 17, the efficiency of the IDS is decreased because most non-self packets fail to match with detectors, resulting in a high false-negative rate. So the specific value of “rc” equal to 17 is chosen in the R-Contiguous bit matching algorithm. For any value of Ta less than 3, the IDS blocks some self connections, so the false-positive rate is increased. Besides, for any value of Ta more than 3, some non-self connections fail to trigger enough detectors. Therefore, the activation threshold Ta for detectors is set to 3 detectors, meaning a minimum of three detectors must be activated for any incoming request to be categorized as an anomaly. If the number of activated detectors is less than Ta, an alert is reported to the administrator. By testing the genetic algorithm for generation of memory cells in different conditions, the probabilities of the genetic operations of Crossover, Mutation, and Reproduction have been fixed to 30%, 40% and 30% respectively.

5. Simulation Results

By performing the experiment on testing data using trained detectors in each host, we illustrated that the performance of the system is improved by adding new Memory Cell detectors in hosts. In order to analyze the performance of the model, the experiment has been done in 5 different hosts in 10 intervals. Each testing data set includes self and non-self connections. The system automatically calculates the false-positive rate, false-negative rate, and detection rate based on the detection results. The experiment indicates that the accuracy of detection is improved in each new round. This is because of the generation of new memory cells and their dynamic synchronization and distribution to all of the hosts. Figure 7 illustrates that the detection rate is increased in successive rounds and reaches a relatively stable level at 88.5 percent. It is evident that, by detecting new anomalies and building new memory cells based on the detections, the detection rate is improved. The diagram shows that the detection rate in the last rounds reaches a stable level because of limited or no new memory cell generation due to the absence of any new type of anomalies in our test data. This can be illustrated in figure 7, which shows the number of memory cells before each round starts. In our experiment, we have noticed that the detection rate has dropped in some hosts when the number of anomalies in that round is higher. This problem is reduced in later rounds by the increased number of memory cells.

Figure 6. IDS detection rates in 5 hosts with sequential exposures


Figure 7. Number of generated memory cells with sequential exposures

6. Conclusion

During the last few years, the need for additional protection of computer networks from the outside world has become evident. Intrusion Detection Systems are the last line of defense of any organization. Recently, Artificial Immune System has attracted more attention from computer security researchers as a new hotspot of biologically inspired computational intelligence. In this study, we presented a new architecture for AIS-based IDS. In the resulting model, after generation and training of the initial detectors, they are sent to each host as detector agents of this IDS. Memory cells for anomalies newly detected by each host are generated and sent to all hosts to synchronize them. The simulation result shows that the number of memory cell detectors increases dynamically and the system learns more about new types of anomalies. This gives the system the ability to detect new types of attack.

7. References

[1] J. Timmisa, A. Honec, T. Stibord and E. Clarka, “Theoretical advances in artificial immune systems”. In: Theoretical Computer Science. Science Direct. 2008. 403(1): 11-32.
[2] K.W. Yeom, J.H. Park: An Immune System Inspired Approach of Collaborative Intrusion Detection System Using Mobile Agents in Wireless Ad Hoc Networks. CIS (2) 2005: 204-211 [2005]
[3] L.N. de Castro, J. Timmis. “Artificial Immune Systems: A New Computational Intelligence Approach” Springer, 2002.
[4] Yang, J., Liu, X., Tao, L., Liang, G. and Liu, S. Distributed agents model for intrusion detection based on AIS. Knowledge-Based Systems. 2009. 22(2): 115–119.
[5] J. D. Farmer, N. H. Packard, and A. S. Perelson. The immune system, adaptation and machine learning. Physica D, 22:187–204, 1986.
[6] Hosseinpour, F., Abu Bakar, K., “Design of a New Distributed Model for Intrusion Detection System Based on Artificial Immune System”, 2nd International Conference on Data Mining and Intelligent Information Technology Applications, ISBN: 978-1-4244-8599-4, 2010
[7] Feixian, S. and G. Gaiwen, Research of Immunity-based Anomaly Intrusion Detection and Its Application for Security Evaluation of E-government Affair Systems. JDCTA: International Journal of Digital Content Technology and its Applications, 2012. 6(20): p. 429 - 437.
[8] Hosseinpour, F., Abu Bakar, K., Hatami, A., Kazemi, N., “Survey on Artificial Immune System as a Bio-Inspired Technique for Anomaly Based Intrusion Detection Systems”, 2nd International Conference on Intelligent Networking and Collaborative Systems, 2010. 978-0-7695-4278-2/10 $26.00 © 2010 IEEE - DOI 10.1109/INCOS.2010.40
[9] S. Forrest, A.S. Perelson, L. Allen, R. Cherukuri, Self–nonself discrimination in a computer, in: Proc. IEEE Symposium on Research Security and Privacy, 1994, pp. 202–212.
[10] S. Hofmeyr, S. Forrest, Architecture for an artificial immune system, Evolutionary Computation 7 (1) (2000) 1289–1296.
[11] Matzinger, P. The Danger Model: A Renewed Sense of Self. In: Science. 2002. 296: 301–305.
[12] Fu, H., Yuan, X. and Hu, L. Design of a four-layer model based on danger theory and AIS for IDS. International Conference on Wireless Communications, Networking and Mobile Computing. IEEE. 2007.
[13] Xishuang, D., et al., Multi-word-Agent Autonomy Learning Based on Adaptive Immune Theories. JDCTA: International Journal of Digital Content Technology and its Applications, 2013. 7(3): p. 723-745.
[14] Tan, M., Yu, H., Zhao, Z., Liu, Z. and Liu, F. An artificial immunity-based proactive defense system. International Conference on Robotics and Biomimetics. IEEE. 2008.
[15] Zulkernine, M., and Kannadiga, P. DIDMA: A Distributed Intrusion Detection System Using Mobile Agents. Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing and First ACIS International Workshop on Self-Assembling Wireless Networks. IEEE. 2005.
[16] Chen, G., Y. Wang, and Y. Yang, Community Detection in Complex Networks Using Immune Clone Selection Algorithm. JDCTA: International Journal of Digital Content Technology and its Applications, 2011. 5(6): p. 182-189.
[17] Dal, D., Abraham, S., Abraham, A., Sanyal, S. and Sanglikar, M. (2008). Evolution Induced Secondary Immunity An Artificial Immune System based Intrusion Detection System. In: 7th Computer Information Systems and Industrial Management Applications. IEEE.
[18] Matzinger, P. The Danger Model in Its Historical Context. In: Scandinavian Journal of Immunology. 2001. 54: 4–9.
[19] Fanelli, R. L. A Hybrid Model for Immune Inspired Network Intrusion Detection. In: Artificial Immune Systems. Phuket, Thailand. 107-119. 2009.
[20] Stibor, S. (2008). Foundations of r-contiguous matching in negative selection for anomaly detection. Springer Science, Business Media B.V.
[21] Aickelin, U., Bentley, P., Cayzer, S., Kim, J., and McLeod, J. (2003). Danger theory: The link between AIS and IDS? In: 2nd International Conference in Artificial Immune Systems Edinburgh, UK: Springer. 147–155. 2003
[22] Ou, C. M., and Ou, C. R. Multi-Agent Artificial Immune Systems (MAAIS) for Intrusion Detection: Abstraction from Danger Theory. In: Agent and Multi-Agent Systems: Technologies and Applications. Berlin: Springer. 11-19; 2009.
[23] Kim, J. W. Integrating Artificial Immune Algorithms for Intrusion Detection. PhD thesis, University College London, 2002.
[24] Kim, J., Bentley, P. J., Aickelin, U., Greensmith, J., Tedesco, G. and Twycross, J. Immune System Approaches to Intrusion Detection: A Review. Natural Computing, Springer. 2007. 6: 413-166
[25] Braun, P., and Rossak, W., Mobile Agents: Basic Concepts, Mobility Models, and the Tracy Toolkit. Heidelberg, Germany: Elsevier Inc. (USA) and dpunkt.verlag (Germany)
