Intrusion Detection Based on Active Networks

JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 25, 843-859 (2009)

HAN-PANG HUANG (1,2), FENG-CHENG YANG (1), MING-TZONG WANG (1) AND CHIA-MING CHANG (2)

(1) Graduate Institute of Industrial Engineering
(2) Department of Mechanical Engineering
National Taiwan University, Taipei, 106 Taiwan
E-mail: {hanpang; iefcyang}@ntu.edu.tw

Network security is becoming more important due to wide-spread computer viruses and increasing network attacks. Nowadays, more and more security mechanisms, such as firewalls and intrusion detection systems (IDS), are introduced to protect networks from malicious attacks. This paper proposes an agent and service based intrusion detection and response system for active networks. In contrast to a traditional passive network, an active network gives its nodes the programmability to exercise various active network technologies; the intrusion response, service deployment, and service update mechanisms are centered on this technology. The proposed intrusion detection and response system (IDRS) catches network attacks and responds to stop them as early as possible to reduce the damage. Detecting, reporting, and responding capabilities are all embedded and integrated in the proposed system. A prototype system is developed using a novel data mining technology (the support vector machine) to enhance the detection function. In addition, several experiments were conducted to verify the system, and the results showed that the system was able to identify intrusions effectively and respond promptly. The experiments also showed that the support vector machine outperforms the competing neural networks in identifying intrusions.

Keywords: active network, intrusion detection, SVM, BPNN, network security

Received July 23, 2007; revised October 17, 2007; accepted November 22, 2007. Communicated by Tsan-sheng Hsu.

1. INTRODUCTION

With the wide spread of the internet, various kinds of internet services have been developed, such as e-commerce and web services. These services have motivated numerous network activities. As network activities become more popular, network security becomes more important to, and of more concern to, service providers and consumers. A report [1] from the CERT (Computer Emergency Response Team) Coordination Center of Carnegie Mellon University states that the sophistication of network attacks has increased dramatically, and that a single attack usually involves several intrusion stages. Firewalls protect a system from external attacks, but they cannot evolve to cope with new types of attacks. In contrast, an intrusion detection and response system (IDRS), acting as an advanced network defense mechanism, is much more dynamic. Traditional IDRSs are mostly developed from passive network models and simply focus on intrusion detection and alerting. Most of them are static and lack the capability to implement new features or adapt their configuration. To effectively avoid destructive attacks, a solid network architecture is a must. Adoption of active networks is a novel approach to constructing a secured network architecture, where the nodes of the network execute customized computations and operations on the networking messages flowing through them [2]. Active networks should be established to meet the need for a tightly secured networking environment.

This paper proposes a scalable intrusion detection and response system based on the active network modeling technology. The system dynamically evolves to tailor proper detection mechanisms to the security needs of the network. When advanced functionalities are needed, the system automatically replaces the mechanisms with improved ones. Current IDRSs simply emphasize detecting attacks and suffer from capability-limited detecting/responding mechanisms. The delay in alerting the system administrator and the delay in responding to attacks usually result in unexpected damage. To remedy this, an autonomic and adaptive IDRS is necessary [3]. Responding in time and taking appropriate assessment and actions can make the system immune from emerging attacks and endless threats [4]. Unlike a traditional network, which only passively forwards data packets, an active network allows a network node to execute mobile code carried in packets. The proposed IDRS combines distributed monitoring techniques (through individual host and LAN monitors) and data mining methods to analyze the threats in the incoming data and respond to intrusions effectively (which is achieved by an intrusion detection center). Active networking [5-13] is a novel approach to constructing network architectures, in which various network nodes, such as switches, routers, hubs, bridges and gateways, are connected and constantly perform customized computations on the packets flowing through them [14]. The essential feature of the active network approach is programmability: new network features and services can be dynamically added to the network infrastructure on demand.
Note that active networks differ from programmable networks [15-18]: active networks carry executable mobile code within packets, while programmable networks rely on standard programming interfaces for network control. Intrusion detection is the process of monitoring and analyzing the events occurring in a computer or network and presenting the results to the administrator [19, 20]. Research on intrusion detection started in the early 1980s and has continued through several major DARPA projects and other government programs. In the early 1990s, when the internet era arrived, intrusion detection became a hot research topic and commercial IDRSs started to emerge [21].

2. ACTIVE NETWORK-BASED INTRUSION DETECTION AND RESPONSE SYSTEM

This paper presents a model of an intrusion detection and response system and a prototype system for detecting both well-known and unknown intrusive behaviors. The system consists of at least one intrusion detection node, a management center (MC), and an intrusion detection center (IDC). The relationship among them is shown in Fig. 1. Note that the intrusion detection system (IDS), consisting of software modules and agents, is installed in the intrusion detection node.


Fig. 1. Agent and service based intrusion detection and response system.

Fig. 2. System architecture of an active network. (Labels in the figure: Local Area Network, Intrusion Detection Center (IDC), Management Center, Ethernet, and several Intrusion Detection Systems.)

When suspicious activity is discovered, the detection node sends the intercepted information to the IDC for further analysis, using the active networking services provided by the MC. The management center dispatches different service agents to the detection nodes according to their specific needs and execution environments, and provides and deploys services to the detection nodes to update their detection models and enhance their detection capabilities. The overall architecture is shown in Fig. 2. Each management center is responsible for serving a subnet by deploying and updating the active networking services for its detection nodes. The IDC, on the other hand, provides and deploys effective detection models to the detection nodes, using mobile agents to cross different platforms.

2.1 Intrusion Detection Node

Agent techniques and software components are used heavily in the proposed IDRS. The intrusion detection node consists of a node manager, which hosts and monitors an agent activity platform, and an intrusion detection system (IDS), which performs the intrusion detection and response actions. In addition, a network management agent is installed to integrate the IDRS with the active network management system.


Node Manager

The node manager resides at the intrusion detection node, hosting a platform on which transient agents perform their tasks. The manager monitors the activities of the transient agents on the platform. In general, the node manager coordinates all agents with respect to the agent behavior regulations specified by the user in the system configuration. The primary tasks of the node manager are:
• Identify the default (user-specified) system configuration and internet service information (e.g., types of the operating system and WWW server),
• Broadcast active packets to other nodes to request or update services,
• Send service requests to the management center,
• Receive mobile agents dispatched from the intrusion detection center and accommodate their services.

Network Management Agent

One aim of the proposed IDRS is to integrate the IDS and the active network management system (NMS) using techniques of source auditing, packet analysis, and network deployment strategies (e.g., IP or port blocking). This integration task is delegated to the network management agent (NMA). The integration of the IDS and NMS gives the system administrator (the user) a comprehensive view of the network security status and facilitates security management. The IDS itself is a set of software modules and agents, consisting of an active network monitor, an intrusion detection agent, and an intrusion response agent. The architecture of the IDS is shown in Fig. 3.

Fig. 3. Agents and software modules of the IDS in an intrusion detection node.


Active Network Monitor

The active network monitor (ANM) is a programmable traffic monitor. It captures incoming packets of the user-specified network types from the internet, such as TCP, UDP, IPv6, etc. The types of packets passed through the monitor are remotely and indirectly controlled by the intrusion detection center (IDC). Therefore, the packet types can be dynamically changed (e.g., blocked or filtered) when the detection system responds to network attacks. The system administrator can obtain network traffic information, such as transmission quality and intrusion logs, from the monitor.

Intrusion Detection Agent

The intrusion detection agent (IDA) implements neural network-based and support vector machine-based data mining techniques to classify incoming packets into a normal class or an attack class. The detected results are then forwarded to the intrusion response agent for further processing. The intrusion detection agent is therefore responsible for the actual intrusion detection. Two kinds of intrusion detection agents are implemented in our prototype system, conducting either a service-specified mode or a general mode of intrusion detection, as shown in Fig. 4. The detailed intrusion detection procedures of the two modes are discussed in section 3.

Fig. 4. The two intrusion detection modes.

Intrusion Response Agent

The intrusion response agent (IRA) is the chief commander of the IDS. It is responsible for deciding what actions should be taken when it receives an intrusion detection report from the intrusion detection agent. It dispatches response commands derived from the user-specified security policy. For ordinary, well-known, or identified intrusions, it immediately takes the necessary actions (e.g., reconfiguring the filter rules) to cut off the intrusion. If no processing knowledge or action rules are available, it wraps the intrusion message in a standard format and sends it to the IDC. The whole response mechanism of the IDRS is discussed in detail in section 3.

2.2 Management Center

The management center (MC) is responsible for service deployment and service updates. The tasks it conducts are service-domain independent, and the center performs them without knowing the details of the service being processed. An MC is similar to a software warehouse that hosts agents and mobile code, which are deployed as network services. If the proposed IDRS or other active applications (e.g., active video conference software and network management systems) intend to update their agents, they simply send the revised or new agents to the management center. The center then replaces, updates, or retrieves and destroys the corresponding client software, following the instructions of the service update commands. The tasks of a management center include:
• Deploying and updating active network services based on the needs and environments of the active nodes,
• Following the orders of the intrusion detection center to update the detection mode,
• Maintaining and monitoring the service agents deployed to the active nodes.

2.3 Intrusion Detection Center

When an intrusion detection node detects unidentified suspicious activities, the intrusion response agent sends the related information to the intrusion detection center (IDC) for further analysis. The intrusion report is first forwarded to an event manager of the center, and the appropriate responses are decided based on information such as the attack type and priority. The intrusion information is first sent to an identification module for pattern recognition against known patterns. If the pattern is indistinct, advanced experts are incorporated to identify whether it is a normal activity or an intrusion. For normal patterns, no intrusion response is necessary. For known intrusion patterns, the identification of the intrusion is confirmed and returned to the intrusion response agent for the proper responses. If it is identified as a new intrusion pattern, the IDC updates its knowledge base with the new pattern and the related information; the new intrusion is then recognized and returned for disconnection responses.
2.4 Programming Model

This paper presents a programming model based on the architecture discussed above to support the development of a general active network, as shown in Fig. 5. The model uses ANEP [22] as the basic encapsulation protocol to comply with industrial standards. The programming model is dedicated to the Java programming language and is thus operating-system independent at run time: software artifacts developed from this model can execute on different platforms seamlessly. As shown in Fig. 5, the basic network service modules defined in the model are Active Packet, Active Service Base, AN Application, and AN Daemon. Customized protocols and services can be developed from these modules, so the model serves as a design pattern for constructing active network-based services. Users define their own data packet classes by extending Active Packet and implementing its interface functions, which yields a user-defined communication mechanism; user-defined active packets can then execute pre-defined actions on the active nodes while traveling on the network. Likewise, new services are developed by extending (inheriting from) the Service Base module. The proposed active network-based intrusion detection system is developed on this programming model.


Fig. 5. The programming model of the proposed IDRS.

2.5 Active Network Model for the IDRS

A prototype of the proposed IDRS is developed based on the presented programming model. The primary software classes of this implementation are IDRSPacket, IDRSInfoPacket and IDRSControlPacket (extended from Active Packet), IDRSBase (extended from Active Service Base), and IDRSApplication (extended from AN Application). The intrusion detection and response functions of the proposed IDRS are implemented as web services to attain a cross-platform paradigm.

IDRSPacket, IDRSInfoPacket, and IDRSControlPacket Classes

Fig. 6 depicts the data format of an Active Packet. The System ID attribute defined in the static portion is the identity of the IDRS that the packet belongs to. Service ID indicates the type of service carried by this packet. Service Type is the type of the WWW service. Class ID identifies the type of this Active Packet; its values are listed in Table 1. The Variable Portion of the data format stores user-defined information, which may be executable code or only data depending on the type of packet. If it contains executable code, the user can execute the code through instances of the IDRSBase and IDRSApplication classes.

Fig. 6. Data format of an Active Packet: ANEP Header | Static Portion (System ID, Service ID, Service Type, Class ID) | Variable Portion.

Table 1. Specified IDRS ANEP packets.

Class               ID   Function
IDRS Packet          1   Carries mobile code to perform operations or deploy services; transfers or updates the detection and response policy or software modules.
IDRS InfoPacket      2   Carries information such as alert or heartbeat information.
IDRS ControlPacket   3   Controls or manages network activities, such as suspend, terminate, report, respond, etc.
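As an added example (not the paper's code nor part of its Java prototype), the following Python encodes and validates the packet layout of Fig. 6 and Table 1 and dispatches on the Class ID. The 8-byte ANEP fixed header (version, flags, Type ID, header length in 32-bit words, packet length in octets) follows the ANEP draft [22]; the field widths of the static portion, the Type ID value 0x4944, the alignment padding and the `is_rejected` helper are assumptions, since the paper names the fields but not their encoding. The point a practitioner wants here is the ordering: a class-1 packet carries mobile code that the node's service base will execute, so version, Type ID, lengths and class are all checked before the variable portion is handed to anything.

```python
import struct

# Added example (not the paper's code). Encodes and validates the IDRS packet layout of
# Fig. 6: an ANEP header, a static portion (System ID, Service ID, Service Type, Class ID)
# and a variable portion. Static-portion widths and the Type ID value are assumptions.

ANEP_VERSION = 1
IDRS_TYPE_ID = 0x4944            # assumed Type ID for the IDRS execution environment

# Class IDs from Table 1
CLASS_PACKET, CLASS_INFO, CLASS_CONTROL = 1, 2, 3
CLASS_NAMES = {CLASS_PACKET: "IDRSPacket", CLASS_INFO: "IDRSInfoPacket",
               CLASS_CONTROL: "IDRSControlPacket"}
CONTROL_VERBS = {b"suspend", b"terminate", b"report", b"respond"}   # Table 1, class 3

# ANEP fixed header: version (8), flags (8), Type ID (16), header length in 32-bit
# words (16), total packet length in octets (16). ANEP options are not used here.
ANEP_HDR = struct.Struct("!BBHHH")
# Assumed static portion: System ID (32), Service ID (16), Service Type (16),
# Class ID (8), 3 pad bytes so the variable portion stays 32-bit aligned.
STATIC = struct.Struct("!IHHBxxx")


def build_packet(system_id, service_id, service_type, class_id, payload):
    """Serialize one IDRS active packet; payload is the variable portion."""
    if class_id not in CLASS_NAMES:
        raise ValueError("unknown Class ID %r" % class_id)
    static = STATIC.pack(system_id, service_id, service_type, class_id)
    total = ANEP_HDR.size + STATIC.size + len(payload)
    if total > 0xFFFF:
        raise ValueError("packet too long for a 16-bit ANEP length field")
    header = ANEP_HDR.pack(ANEP_VERSION, 0, IDRS_TYPE_ID, ANEP_HDR.size // 4, total)
    return header + static + payload


def parse_packet(data):
    """Validate and decode a packet. Every check runs before the variable portion is
    exposed: a class-1 packet carries mobile code that the service base would execute,
    so version, Type ID, both lengths and the class are verified first."""
    if len(data) < ANEP_HDR.size:
        raise ValueError("truncated ANEP header")
    version, flags, type_id, header_words, packet_len = ANEP_HDR.unpack_from(data)
    if version != ANEP_VERSION:
        raise ValueError("unsupported ANEP version %d" % version)
    if type_id != IDRS_TYPE_ID:
        raise ValueError("packet is not addressed to the IDRS environment")
    header_len = header_words * 4
    if header_len < ANEP_HDR.size or packet_len != len(data):
        raise ValueError("length fields disagree with the received data")
    if packet_len < header_len + STATIC.size:
        raise ValueError("no room for the static portion")
    system_id, service_id, service_type, class_id = STATIC.unpack_from(data, header_len)
    if class_id not in CLASS_NAMES:
        raise ValueError("unknown Class ID %d" % class_id)
    return {
        "flags": flags,
        "system_id": system_id,
        "service_id": service_id,
        "service_type": service_type,
        "class_id": class_id,
        "class_name": CLASS_NAMES[class_id],
        "payload": data[header_len + STATIC.size:],
    }


def dispatch(packet):
    """What an intrusion detection node does with a decoded packet (Table 1)."""
    if packet["class_id"] == CLASS_PACKET:
        return ("hand_to_service_base", len(packet["payload"]))   # mobile code / module update
    if packet["class_id"] == CLASS_INFO:
        return ("deliver_info", packet["payload"])                # alert or heartbeat
    verb = packet["payload"].strip().lower()
    if verb not in CONTROL_VERBS:
        raise ValueError("unknown control command %r" % verb)
    return ("control", verb.decode())


def is_rejected(data):
    """True if parse_packet refuses the bytes (assumed helper for checks)."""
    try:
        parse_packet(data)
    except ValueError:
        return True
    return False
```

Because the ANEP packet length is authoritative for the receiver, a truncated or padded datagram is rejected before the static portion is read; an unknown Class ID or control verb is likewise rejected rather than passed to the service base.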


IDRSBase Class

The IDRSBase class extends an abstract class ANBase, which is designed based on Active Service Base. IDRSBase provides the service infrastructure for active network applications (derived from IDRSApplication) to execute their code, including the networking APIs that these applications require for efficient code execution.

IDRSApplication Class

The IDRSApplication class is developed on the basis of AN Application. The active network monitor, the intrusion detection agent, the intrusion response agent, and the network management agent residing on an intrusion detection node are all implemented as IDRSApplication instances. The node manager software installed on a detection node is implemented as an instance of the IDRSBase class, providing the execution infrastructure for instances of the IDRSApplication class; the node manager can then monitor and control the agents and components of the IDRSApplication. Supported by this infrastructure, agents and active network software components communicate with each other to perform their tasks. Note that creating an instance of IDRSApplication requires a service base instance of ANBase, and both are controlled by the node manager.

2.6 Communication Protocols

Three standard communication protocols are used between agents and active software components in our prototype system. First, the Active Network Encapsulation Protocol (ANEP) [22] establishes interoperability between nodes on the active network. Second, the Intrusion Detection Message Exchange Format (IDMEF) [23] is the message format between our intrusion detection agents and other agents. IDMEF is an XML-based format developed by the Intrusion Detection Exchange Format Working Group (IDWG) [24] of the Internet Engineering Task Force (IETF), a working group that defines common data formats and exchange protocols for sharing information between intrusion detection and response systems and management systems. Third, the Simple Network Management Protocol (SNMP) is used between the network management agent, the management center, and the intrusion detection center. SNMP is a popular network management protocol, part of the TCP/IP protocol suite, that facilitates the exchange of management information between network devices and enables a manager to remotely monitor and configure devices on the network.

3. MECHANISM OF SERVICE DEPLOYMENT AND UPDATE AND MECHANISM OF INTRUSION DETECTION AND RESPONSE

3.1 Service Deployment Mechanism

The programming model and the active network model facilitate a flexible, distributed, and solid service deployment architecture, as shown in Fig. 5. Based on this model, our prototype system adopts mobile agent techniques to provide active network services. Agents running on or traveling between different environments negotiate with each other to decide the data format, transmission protocol, and parameters of service deployments. The operations of the service deployment are:
Step 1: The node manager on the detection node creates a mobile agent based on the system configuration of the host.
Step 2: The generated mobile agent moves to the management center and negotiates to obtain the required service.
Step 3: Based on the negotiation results, the management center dispatches competent mobile agents to the detection node.
Step 4: When the service agent arrives at the detection node and joins the jurisdiction of the node manager, it starts to execute the assigned tasks or services.
Notice that agents communicate with each other in these operations using the predefined protocol. The operation sequence of the service deployment is illustrated in Fig. 7.

Fig. 7. Service deployment conducted by mobile agents between the intrusion detection node and the management center. (The figure shows the node manager creating an agent that carries the parameters for the requested services, the agent migrating to the execution environment of the management center, and an agent carrying the specified service returning to the execution environment of the intrusion detection node; the two environments communicate using active packets.)

3.2 Service Update Mechanism

The management center deploys services to client nodes according to their demands and saves the related information, such as system ID, service type, and agent type, in a management table. When the service content needs to be updated, the management center retrieves the dispatched agents from its client nodes to update them or replace them with new ones. In this process, the management center searches the management table by System ID, Service ID, and Service Type to locate and access the dispatched agents.


3.3 Intrusion Detection Mechanism

As discussed above, the IDRS defines two detection modes: the general detection mode and the service-specified mode. The first mode deals with general intrusion cases, where the detection is independent of the system environment. The second is dedicated to cases where the services are particularly specified. For instance, the attacks against Microsoft Internet Information Services (IIS) servers are quite different from those against Apache web servers. If a node does not host any web server, no web attack detection service is needed. Different web servers on different platforms require detection services in different formats or modes. The intrusion detection center of our IDRS has three web intrusion detection modules installed, specifically for IIS, Apache, and other servers.

Keywords for the Intrusion Detection

The connection feature analyses of the two modes differ. The general detection mode focuses on analyzing the connection features of the intrusions. This mode uses the three groups of intrusion connection features defined by the KDD Cup [25]: (1) basic features of individual TCP connections, (2) time-based features, and (3) connection-based features. In contrast, in the service-specified mode only the contents of the connection are of concern. The general keywords and intrusion keywords targeted for data mining in our IDRS are listed in Tables 2 and 3.

Table 2. Common keywords used in WWW servers that are targeted for the service-specified mode.

General keywords: System, winnt, Html, GET, HEAD, Host, HTTP, scripts, www, Exe, Connection, Close, Accept, DLL, IIS, MICROSOFT, Content, Server, Ranges, Windows

Table 3. Intrusion keywords that are selected for data mining.

Intrusion                                                        Keywords
WEB-IIS ISAPI .ida attempt                                       Ida, GetTickCount, LoadLibraryA
EXPERIMENTAL WEB-IIS .asp HTTP header buffer overflow attempt    SmartSaver, abch, MSOFFICE
WEB-IIS cmd.exe access                                           Lwrite, msadc, cmd
WEB-MISC cross site scripting attempt                            mute, Src, Compatible
WEB-MISC Transfer-Encoding: chunked                              PHP, Powered, Transfer
WEB-IIS CodeRed v2 root.exe access                               MSADC, Root, c+dir

Note that only three keywords are selected for each known intrusion. The words in the list are the keywords of an intrusion connection document that have the highest inverse document frequency (IDF). For a keyword Wi that appears in an intrusion connection document d, the inverse document frequency is

$$ IDF(W_i, d) = \log\left(\frac{DF(W_i, d)}{DF(W_i)}\right), \qquad (1) $$

where DF(Wi) is the number of training connections in which Wi appears, and DF(Wi, d) is the number of connections of the specified intrusion d in which Wi appears. Intuitively, the inverse document frequency of a word is low if the word is found in many connections but only in a few connections of the intrusion document d. It reaches its highest value when all of the connections containing the word are connections of that intrusion.

Intrusion Detection

Neural networks and support vector machines are used in our IDRS to classify network connections and identify intrusions. The neural network is constructed and trained in advance, before the service is deployed to the detection node; five-fold cross validation is conducted in the training. The content of a connection from a client to the server is regarded as a document, and the keywords embedded in the document are its connection features. A feature vector can therefore be constructed to represent the connection. The feature vector is then fed into the neural network or support vector machine to classify the connection for intrusion identification. In other words, our IDRS applies text categorization techniques from data mining to intrusion detection.

Detection Algorithm

Although two different detection modes are implemented in our IDRS, both share the same detection algorithm:
Step 1: Receive a network connection packet.
Step 2: Analyze the packet and construct a feature vector according to the mode profile, as shown in Fig. 8.
Step 3: Classify the feature vector using a data mining algorithm, such as a well-trained neural network or a support vector machine.
Step 4: If the connection is identified as an intrusion, forward the related information to the intrusion response agent to handle the intrusion event. Otherwise, no response is required and the node simply passes the packet to the receiver.

Fig. 8. The generation of the feature vector.
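As an added example (not the paper's code), the following Python carries the service-specified mode through end to end: keyword selection by Eq. (1) with three keywords per known intrusion, the feature-vector generation of Fig. 8, and Steps 1-4 of the detection algorithm. The training connections are constructed HTTP requests, not the paper's dataset; the tokenizer, the tie-breaking rule for equal IDF values, and the nearest-centroid classifier that stands in for the paper's trained SVM or neural network are all assumptions. It also shows the caveat that follows from Eq. (1): because DF(Wi, d) ≤ DF(Wi), the IDF is at most 0, and with a small training set several words tie at that maximum, so the tie-break decides which three survive.

```python
import math
import re
from collections import defaultdict

# Added example (not the paper's code). Constructed training connections; labels are
# "normal" or one of the intrusion names from Table 3. The requests are illustrative.
TRAINING = [
    ("normal", "GET /index.html HTTP/1.0 Host: www.example.com Connection: close"),
    ("normal", "GET /products.html HTTP/1.1 Host: www.example.com Accept: text/html"),
    ("normal", "HEAD /index.html HTTP/1.1 Host: www.example.com Connection: close"),
    ("WEB-IIS cmd.exe access",
     "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 Host: www.example.com"),
    ("WEB-IIS cmd.exe access",
     "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 Host: www.example.com"),
    ("WEB-IIS ISAPI .ida attempt",
     "GET /default.ida?XXXXXXXX HTTP/1.0 Host: www.example.com"),
    ("WEB-IIS ISAPI .ida attempt",
     "GET /default.ida?XXXXXXXX HTTP/1.0 Connection: close"),
]
KEYWORDS_PER_INTRUSION = 3       # the paper keeps three keywords per known intrusion


def tokens(text):
    """The content of a connection is treated as a document: lower-cased alphanumeric
    words of two or more characters. A set, because DF counts connections, not occurrences."""
    return set(re.findall(r"[a-z0-9]{2,}", text.lower()))


def idf(word, intrusion, docs):
    """Eq. (1): IDF(W_i, d) = log(DF(W_i, d) / DF(W_i)). DF(W_i) is the number of
    training connections containing the word, DF(W_i, d) the number of connections of
    intrusion d containing it. The ratio is at most 1, so the value is <= 0 and the
    maximum 0 means every connection containing the word belongs to d."""
    df_all = sum(1 for _, words in docs if word in words)
    df_d = sum(1 for label, words in docs if label == intrusion and word in words)
    return math.log(df_d / df_all)


def select_keywords(training, per_class=KEYWORDS_PER_INTRUSION):
    """Top keywords per intrusion by IDF; ties broken by how many of the intrusion's
    own connections contain the word, then alphabetically (assumed tie-break)."""
    docs = [(label, tokens(text)) for label, text in training]
    selected = {}
    for intrusion in sorted({label for label, _ in docs if label != "normal"}):
        own = [words for label, words in docs if label == intrusion]
        vocab = set().union(*own)
        ranked = sorted(vocab, key=lambda w: (-idf(w, intrusion, docs),
                                              -sum(1 for words in own if w in words), w))
        selected[intrusion] = ranked[:per_class]
    return selected


def feature_vector(text, feature_words):
    """Fig. 8: one binary feature per selected keyword, in a fixed order."""
    present = tokens(text)
    return [1 if w in present else 0 for w in feature_words]


def train(training):
    """Build the mode profile: keywords, feature order and one centroid per class."""
    keywords = select_keywords(training)
    feature_words = sorted(set().union(*keywords.values()))
    vectors = defaultdict(list)
    for label, text in training:
        vectors[label].append(feature_vector(text, feature_words))
    centroids = {label: [sum(col) / len(vecs) for col in zip(*vecs)]
                 for label, vecs in vectors.items()}
    return {"keywords": keywords, "features": feature_words, "centroids": centroids}


def detect(model, text):
    """Steps 1-4 of the detection algorithm for one connection. A nearest-centroid
    classifier (assumed) stands in for the paper's trained SVM or neural network."""
    vec = feature_vector(text, model["features"])                       # step 2
    label = min(model["centroids"], key=lambda c: (                      # step 3
        sum((a - b) ** 2 for a, b in zip(vec, model["centroids"][c])), c))
    if label == "normal":                                               # step 4
        return {"action": "pass", "label": label}
    return {"action": "forward_to_ira", "label": label, "features": vec}
```

With this training set the selected keywords are cmd/dir/exe and default/ida/xxxxxxxx; words such as http or host appear in normal traffic too, get a negative IDF and are never chosen. A request for /MSADC/root.exe?/c+dir, which is not in the training set, still lands in the attack class because it shares the exe and dir features, which is the behaviour the text categorization view of a connection is meant to give.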


3.4 Intrusion Response Mechanism

Our prototype system defines and implements several passive and active responses. An alarm response is a common passive response that simply informs the message receiver when an attack is detected. Detailed information about the attack, such as the source and target IPs, the suspicious activities, and the event priority, is included in the message. In contrast, active responses are actions taken by the IDRS itself, triggered automatically when suspicious behaviors are detected and confirmed. In an IDRS with a strict security policy, numerous alarms may be issued and most of them may be false alarms, which wastes system resources and can cause packet loss under heavy traffic. Despite this undesirable behavior, the system collects more information about the suspicious attacks and the profiles of the intruder, and this additional information helps the system deal with malicious and wily attacks or new types of intrusions. Another active response is stopping an attack in progress by blocking subsequent access to the system from the intruder: the prototype system disconnects the intruder and notifies routers and firewalls to block packets from that source. When an attack occurs, the system should respond as fast as possible to avoid or reduce the damage. Once an intrusion is identified and confirmed, the prototype system starts tracing the activities of the intruder. The intrusion response agent follows the user-specified security policy to take actions in response to the intrusion and to report its status to the network administrator. The network management agent of the intrusion detection node is responsible for sending SNMP traps and messages to post alarms to the central console of the network management system.
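As an added example (not the paper's code), the following Python ties section 2.6 to section 3.4: a detection report is wrapped in a minimal IDMEF alert (RFC 4765 element names; Analyzer, CreateTime, Source, Target, Classification and Assessment, which carry the source and target IPs, the classification and the priority the text says an alarm includes), and the intrusion response agent's decision is taken from a policy table. Known intrusions get the passive alarm plus an active block; a pattern with no rule is wrapped and forwarded to the IDC as section 2.3 describes. The policy table, the analyzer identifier, the SNMP trap text and the iptables command used to represent "notify the firewall" are assumptions, as is the use of Python's xml.etree rather than whatever the prototype used.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example (not the paper's code). Minimal IDMEF (RFC 4765) alert plus the IRA's
# policy lookup. The policy table, analyzer id and firewall command are assumptions.
IDMEF_NS = "http://iana.org/idmef"
NS = "{%s}" % IDMEF_NS
ANALYZER_ID = "idrs-node-1"      # assumed identifier of this detection node

# Constructed security policy: intrusion name -> (severity, passive/active responses).
POLICY = {
    "WEB-IIS cmd.exe access": ("high", ["alarm", "block_source"]),
    "WEB-IIS ISAPI .ida attempt": ("high", ["alarm", "block_source"]),
    "WEB-MISC cross site scripting attempt": ("medium", ["alarm"]),
}
UNKNOWN = ("medium", ["alarm", "forward_to_idc"])   # no rule: report to the IDC


def idmef_alert(source_ip, target_ip, target_port, classification, severity, epoch):
    """Build an IDMEF-Message/Alert with Analyzer, CreateTime, Source, Target,
    Classification and Assessment. Returns the XML as a string."""
    ET.register_namespace("idmef", IDMEF_NS)
    when = datetime.fromtimestamp(epoch, tz=timezone.utc)
    msg = ET.Element(NS + "IDMEF-Message", version="1.0")
    alert = ET.SubElement(msg, NS + "Alert", messageid="%s-%d" % (ANALYZER_ID, epoch))
    ET.SubElement(alert, NS + "Analyzer", analyzerid=ANALYZER_ID)
    # CreateTime requires an ntpstamp: seconds since 1900 in hex (fraction left zero)
    create = ET.SubElement(alert, NS + "CreateTime",
                           ntpstamp="0x%08x.0x00000000" % (epoch + 2208988800))
    create.text = when.isoformat()
    src = ET.SubElement(ET.SubElement(ET.SubElement(alert, NS + "Source"), NS + "Node"),
                        NS + "Address", category="ipv4-addr")
    ET.SubElement(src, NS + "address").text = source_ip
    target = ET.SubElement(alert, NS + "Target")
    tgt = ET.SubElement(ET.SubElement(target, NS + "Node"), NS + "Address", category="ipv4-addr")
    ET.SubElement(tgt, NS + "address").text = target_ip
    ET.SubElement(ET.SubElement(target, NS + "Service"), NS + "port").text = str(target_port)
    ET.SubElement(alert, NS + "Classification", text=classification)
    ET.SubElement(ET.SubElement(alert, NS + "Assessment"), NS + "Impact", severity=severity)
    return ET.tostring(msg, encoding="unicode")


def classification_of(alert_xml):
    """Read back the Classification text of an alert (what the IDC or console sees)."""
    return ET.fromstring(alert_xml).find(".//" + NS + "Classification").get("text")


def respond(report, epoch=None):
    """IRA decision for one detection report: a dict with name, source_ip, target_ip
    and target_port. Known intrusions are cut off per POLICY; unknown ones are wrapped
    in IDMEF and sent to the IDC. Returns the alert and the commands to carry out."""
    epoch = int(time.time()) if epoch is None else int(epoch)
    severity, actions = POLICY.get(report["name"], UNKNOWN)
    alert = idmef_alert(report["source_ip"], report["target_ip"], report["target_port"],
                        report["name"], severity, epoch)
    commands = []
    for action in actions:
        if action == "alarm":               # passive: SNMP trap to the NMS console (assumed text)
            commands.append(("snmp_trap", "IDRS alert: %s from %s"
                             % (report["name"], report["source_ip"])))
        elif action == "block_source":      # active: ask the firewall to drop the intruder
            commands.append(("firewall", "iptables -I INPUT -s %s -j DROP" % report["source_ip"]))
        elif action == "forward_to_idc":    # no rule: hand the IDMEF message to the IDC
            commands.append(("idc", alert))
    return {"severity": severity, "alert": alert, "commands": commands}
```

The ordering in `respond` matters for the false-alarm caveat in the text: the alarm is always emitted, but the blocking command is only produced for intrusions the policy has confirmed, so an unrecognised pattern is escalated to the IDC rather than turned directly into a firewall rule.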

4. PROTOTYPE SYSTEM TESTING AND EXPERIMENTAL RESULTS

We compared different data mining methods and data processing techniques for identifying intrusions using the presented prototype IDRS, and compared the numerical results with benchmarks.

4.1 Performance Measures

Several experiments were conducted to verify the accuracy of the general and service-specified detection modes. First, we tested on the data used in the DARPA KDD Cup and compared the results with those of the winning entry. Second, the detection accuracy of the service-specified detection mode was tested by measuring the alarm rate. We tested neural network and support vector machine based data mining methods and compared their results. In the implementation, the SVM was built with LIBSVM [26].

4.2 Experimental Results

General Detection Mode

For the general detection mode, our experimental results were compared with those of the winner of the KDD Cup [25], whose intrusion predictor is an ensemble of 50 × 10 C5 decision trees [25]. Note that we adopted neural networks and SVM in our prototype system for intrusion identification. The SVM is insensitive to the size of the dataset, but its performance degrades when the feature space has few dimensions [27]. Several studies have used SVM [28-30] to implement their detection systems and reported high accuracy and low training time; their results were nevertheless inferior to those of the KDD Cup winner, because the SVM rearranges the source dataset into only two classes, intrusion or normal connection. Therefore, several experiments were conducted using SVM on the multi-class dataset used in the KDD Cup. This dataset, which belongs to the general detection mode, has three classes to be identified: probe, normal, and DOS. The connection information of these classes has similar attributes and is system independent. The kernel function of our SVM is the radial basis function, with gamma = 0.00001 and cost = 55. A neural network-based intrusion detector was also constructed and tested: a three-layer neural network with forty hidden nodes. Tables 4 and 5 compare the results of the KDD Cup winner, our SVM, and our NN models. The SVM has the best accuracy in probe detection, while the NN is the worst. The accuracy and false alarm rate of the SVM and of the cup winner are close. In general, the SVM performs better than the other methods.

Table 4. Classification accuracies of different methods for the KDD Cup 99 dataset.

Class     Winner    SVM       NN
normal    99.47%    99.50%    99.34%
probe     83.30%    86.89%    73.26%
DOS       97.10%    97.09%    97.07%

Table 5. False alarm rate of different methods for the KDD Cup 99 dataset.

Class     Winner    SVM       NN
normal    8.79%     9.99%     10.25%
probe     31.16%    6.8%      8.44%
DOS       0.11%     0.25%     0.45%

Service Specified Mode

Similarly, text categorization techniques using NN and SVM were employed to implement the service specified intrusion detection mode. In the tests, a large number of suspicious activities were detected by Snort. However, only high priority intrusions were collected in the training and testing datasets. Table 6 shows that the results of both SVM and NN are good. However, although the known intrusions were detected, it is not guaranteed that new intrusions can be detected. Further evaluation and experiment designs are required, which is beyond the scope of this paper.



Table 6. Testing results of the service specified mode with different methods.

Method                 SVM     NN
False Negative Rate    100%    100%
False Positive Rate    0       0

5. CONCLUSIONS

This paper proposes an active network model of an agent-based intrusion detection and response system. In addition, a prototype of IDRS based on this model is developed. The proposed model is powered by mobile agent techniques, which make the system flexible and scalable. Dynamic services are deployed by an active service update mechanism; therefore, software components are physically lightweight and highly updateable. The automated response mechanism can effectively cope with evolving network attacks with the help of intelligent service update. A general detection mode and a service specified mode of intrusion detection are proposed for practical application development. Numerical experiments show that the intrusion detection accuracies of the support vector machine are higher than those of the neural network.

REFERENCES

1. CERT coordination center, http://www.cert.org/.
2. V. Y. Roman, “Human computer interaction based intrusion detection,” in Proceedings of the International Conference on Information Technology, 2007, pp. 837-842.
3. Y. Zhenwei, J. P. T. Jeffrey, and W. Thomas, “An automatically tuning intrusion detection system,” IEEE Transactions on Systems, Man and Cybernetics − Part B, Vol. 37, 2007, pp. 373-384.
4. Y. Seungyong, K. Byoungkoo, and O. Jintae, “High-performance stateful intrusion detection system,” in Proceedings of International Conference on Computational Intelligence and Security, Vol. 1, 2006, pp. 574-579.
5. L. T. David and J. W. David, “Towards an active network architecture,” ACM Computer Communications Review, Vol. 26, 1996, pp. 5-17.
6. D. Wetherall, D. Legedza, and J. Guttag, “Introducing new internet services: Why and how,” IEEE Network Magazine, Vol. 12, 1998, pp. 12-19.
7. D. L. Tennenhouse and D. J. Wetherall, “Toward an active network architecture,” in Proceedings of Multimedia Computing and Networking, 1996, pp. 2-16.
8. D. L. Tennenhouse, J. M. Smith, W. D. Sincoskie, D. J. Wetherall, and G. J. Minden, “A survey of active network research,” IEEE Communications Magazine, Vol. 35, 1997, pp. 80-86.
9. K. Psounis, “Active networks: Applications, security, safety, and architectures,” IEEE Communications Surveys and Tutorials, Vol. 2, 1999, pp. 1-16.
10. A. T. Campbell, H. G. de Meer, M. E. Kounavis, K. Miki, J. B. Vicente, and D. Villela, “A survey of programmable networks,” ACM Computer Communications Review, Vol. 29, 1999, pp. 7-23.
11. N. Achir, M. S. P. Fonseca, M. Y. G. Doudane, N. Agoulmine, and A. Mehaoua, “Active networking system evaluation: A practical experience,” Networking and Information System Journal, Vol. 3, 2000, pp. 431-448.
12. D. S. Alexander, M. Shaw, S. M. Nettles, and J. N. Smith, “Active bridging,” in Proceedings of the ACM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, 1997, pp. 101-111.
13. K. L. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, “Directions in active networks,” IEEE Communications Magazine, Vol. 36, 1998, pp. 72-78.
14. S. Surat, “Integration soft computing approach to network security,” Modelling and Simulation, 2007, pp. 159-164.
15. R. Keller, J. Ramamirtham, T. Wolf, and B. Plattner, “Active pipes: Service composition for programmable networks,” in Proceedings of IEEE Conference on Military Communications, Vol. 2, 2001, pp. 962-966.
16. A. Kulkarni, G. Minden, R. Hill, Y. Wijata, S. Sheth, H. Pindi, F. Wahhab, A. Gopinath, and A. Nagarajan, “Implementation of a prototype active network,” in Proceedings of IEEE Open Architectures and Network Programming, 1998, pp. 130-142.
17. L. Peterson, Y. Gottlieb, M. Hibler, P. Tullmann, J. Lepreau, S. Schwab, H. Dandekar, A. Purtell, and J. Hartman, “An OS interface for active routers,” IEEE Journal on Selected Areas in Communications, Vol. 19, 2001, pp. 473-487.
18. J. Gao, P. Steenkiste, E. Takahashi, and A. Fisher, “A programmable router architecture supporting control plane extensibility,” IEEE Communications Magazine, Vol. 38, 2000, pp. 152-159.
19. F. Chuan, P. Jianfeng, Q. Haiyan, and W. R. Jerzy, “Alert fusion for a computer host based intrusion detection system,” in Proceedings of the 14th Annual IEEE International Conference and Workshops on the Engineering of Computer-Based Systems, 2007, pp. 433-440.
20. W. Rensheng and V. N. Jeffrey, “Search strategy optimization for intruder detection,” IEEE Sensors Journal, Vol. 7, 2007, pp. 315-316.
21. J. G. Tront and R. C. Marchany, “Internet security: Intrusion detection and prevention in mobile systems,” in Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007, pp. 162-162.
22. D. S. Alexander, B. Braden, C. A. Gunter, A. W. Jackson, A. D. Keromytis, G. J. Minden, and D. Wetherall, “Active network encapsulation protocol (ANEP),” Active Networks Group, 1997.
23. D. Curry and H. Debar, “Intrusion detection message exchange format extensible markup language (XML) document type definition,” draft-ietf-idwg-idmef-xml-03, 2001.
24. Intrusion Detection Exchange Format (idwg), http://www.ietf.org/html.charters/idwgcharter.html.
25. Winning the KDD99 Classification Cup, http://www.ai.univie.ac.at/~bernhard/kddcup99.html.
26. LIBSVM − A Library for Support Vector Machines, http://www.csie.ntu.edu.tw/~cjlin/libsvm/index.html.
27. J. Thorsten, “Estimating the generalization performance of an SVM efficiently,” in Proceedings of the 17th International Conference on Machine Learning, 2000, pp. 431-438.



28. S. Mukkamala and A. H. Sung, “Feature ranking and selection for intrusion detection systems using support vector machines,” in Proceedings of International Conference on Information and Knowledge Engineering, 2002, pp. 503-509.
29. S. Mukkamala, G. Janoski, and A. Sung, “Intrusion detection using neural networks and support vector machines,” in Proceedings of International Joint Conference on Neural Networks, 2002, pp. 1702-1707.
30. S. Mukkamala and A. H. Sung, “Intrusion detection using support vector machines,” in Proceedings of High Performance Computing Symposium, 2002, pp. 178-183.

Han-Pang Huang (黃漢邦) received the Ph.D. degree in Electrical Engineering from The University of Michigan, Ann Arbor, in 1986. Since 1986 he has been with the National Taiwan University, where he is currently a Professor in the Department of Mechanical Engineering and the Graduate Institute of Industrial Engineering. He has been elected as a Life Distinguished Professor of the National Taiwan University since August 2006. He has served as the Director of the Robotics Lab since 1986. He is an Advisor to the Ministry of Education. He was the Director of the North-East Region Flat Panel Display Resource Center, founded by the Ministry of Education (2005-2007), the President of the Chinese Institute of Automation Engineers (2004-2008), and a Board Member of the National RFID Promotion Board (2004-2008). He was the Vice Chairperson of the Mechanical Engineering Department from August 1992 to July 1993, the Director of the Semiconductor Industry Teaching Resource Center from January 2001 to December 2001, the Director of the CIM Education Center, Taiwan IBM and Yen Tjing Ling Industrial Research Institute from August 1989 to July 1996, the Director of the Manufacturing Automation Technology Research Center from August 1996 to July 1999, and the Program Director of the Automation Division of the National Science Council from December 2003 to December 2006. He served as the Associate Dean of the College of Engineering, National Taiwan University from August 2000 to July 2005, the Director of the Graduate Institute of Industrial Engineering from August 2002 to July 2007, and the Chairperson of Mechanical Engineering from August 2007 to July 2008. His research interests include machine intelligence, network-based manufacturing systems, intelligent robotic systems, prosthetic hands, nano manipulation and nonlinear systems. Dr. Huang holds several patents on dexterous hands, robotics, real-time communication control and semiconductor manufacturing. Dr. Huang received the Ford University Research Award (1996-1998), and was awarded the 2006 Best Paper Award of the Chinese Institute of Industrial Engineers. He has received the Distinguished Research Award three times (1996-2002), the Research Fellow Award twice (2002-2008), and the Distinguished Research Fellow Award (2009) from the National Science Council, Taiwan R.O.C. He was named in Who’s Who in the World 2001, 2002, and Who’s Who in the R.O.C. 2002.



Feng-Cheng Yang (楊烽正) received the Bachelor’s degree in Mechanical Engineering from National Taiwan University in 1980, and the Ph.D. degree in Mechanical Engineering from the University of Iowa, USA, in 1991. He is currently an associate professor of the Graduate Institute of Industrial Engineering at National Taiwan University. His present research interests cover various soft computing and heuristic techniques for solving industrial optimization problems. Currently, his focus is the newly developed Water Flow-like Algorithm for both continuous and discrete optimization problems. He has developed several object-oriented software systems covering various meta-heuristics: ant colony optimization algorithms, the electromagnetism-like mechanism, genetic algorithms, wrapped-round self-organizing maps, etc. These systems were developed to facilitate academic research and teaching. Frequently used benchmark problems for verifying new algorithms are extensively included in these systems. Readers are welcome to download these systems. The URL is http://www.calab.ie.ntu.edu.tw/.

Ming-Tzong Wang (王銘宗) received the B.S. degree in Mechanical Engineering from National Taiwan University in 1980, the M.S. in Industrial and Systems Engineering from the Ohio State University in 1987, and the Ph.D. in Industrial Engineering from Purdue University in 1990. Since 1994 he has been with the National Taiwan University, where he is currently an Associate Professor of the Graduate Institute of Industrial Engineering. His research interests include TQM, knowledge management, and logistics.

Chia-Ming Chang (張家銘) received the M.S. degree in mechanical engineering from National Taiwan University in 2003. Since 2004 he has been with the Industrial Technology Research Institute, where he is an engineer in the System Control Research Laboratory, Power Control and Sensing Technology Division. He has participated in projects on digital home and energy saving technology. His research interests include machine intelligence, home networks, and embedded systems.