International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org
Volume 3, Issue 3, March 2014
ISSN 2319 - 4847
Study of Active Network Intrusion Detection
System
Mr.Ranjeet .A.Tijare1, Prof.Monika Rajput
1
2
ME (CSE) Scholar,First Year,Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati.
Sant Gadgebaba Amravati University,Amarvati,Maharashtra,India - 444602
2
Assitantant Professor, Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati.
Sant Gadgebaba Amravati University,Amarvati,Maharashtra,India - 444602
Abstract
The Internet has changed the way people think, do business, and communicates with each other. By means of computer networks,
we can shop, research, and conduct financial business online. The network security is getting more important due to the widespread computer viruses and increasing network attacks. Nowadays, more and more security mechanisms, such as firewalls and
intrusion detection systems (IDS), are introduced to protect the network from malicious attacks. . One of the most promising
recent advances in the area of intrusion detection system (IDS).The system propose the solution to different problem and attract
different researcher to work in this area. .This paper proposes an agent based intrusion detection and response system for
network. In contrast to a traditional passive network, an active network gives the nodes programmable ability to exercise various
active network technologies. The intrusion response, service deployment, and mechanisms are centred on this technology. The
proposed model of intrusion detection and response system (IDRS) catches network attacks and responses to stop the attacks at the
first time to reduce the damage. Detecting, reporting, and responding capabilities are all embedded and integrated in the proposed
system. A prototype system is developed using a novel data mining technology (the support vector machine) to enhance the
detection function. In addition, several experiments were conducted to verify the system and results showed that the system was
able to effectively identify the intrusions and respond promptly. Experiments also showed that the support vector machine
outperforms the competitive neural networks in identifying the intrusions.
Keywords: Active Network, Intrusion Detection, Computer Network Security.
1. INTRODUCTION
Large spread of internet, various kinds of internet services have been developed, such as e-commerce and web services.
These services have motivated numerous network activities. While network activities become more popular, network
security is getting more important for and more concerned by service providers and consumers. A report [1] from the
CERT (Computer Emergency Response Team) Coordination Center of Carnegie Mellon University has states that the
sophistication of network attacks is dramatically increased, where a single attack usually involves several intrusion stages.
Firewalls protect a system from external attacks, but it cannot evolve to cope with new types of attacks. In contrast, an
intrusion detection and response system (IDRS), acting as an advance network defence mechanism, is much more
dynamic. Traditional IDRSs are mostly developed from passive network models, simply focusing on intrusion detecting
and alerting. Most of them are static and lack the capabilities of new feature implementation and adaptive system
configuration. To effectively avoid destructive attacks, solid network architecture is required and is a must. Adoption of
active networks is a novel approach to constructing a secured network architecture, where the nodes of the network
execute customized computations and operations on the networking messages flowing through them [2]. Active networks
should be established for the need of a tightly secured networking environment. This paper proposes a scalable intrusion
detection and response system based on the network modelling technology. The system dynamically evolves to tailor
proper detection mechanisms to the security needs of the network. When advanced functionalities are needed, the system
will automatically replace the mechanisms with improved ones. Current IDRSs simply emphasize on detecting attacks
and suffer from capability- limited detecting/responding mechanisms. The time delay in alerting the system administrator
and the delay in responding to attacks usually result in unexpected damages. To remedy this, an autonomic and adaptive
IDRS is necessary [3]. Responding in time and taking appropriate estimation and actions can make the system immune
from emerged attacks and endless threats [4].Unlike a traditional network, which only passively transforms data packets,
an active network allows the network node to execute mobile code carried in packets. The proposed IDRS combines
distributed monitoring techniques (through individual host and LAN monitors) and data mining methods to analyze the
threats of the incoming data and respond to the intrusions effectively (which is achieved by an intrusion detection
center).Active network [5-13] is a novel approach to constructing network architecture, where various network nodes,
such as switches, routers, hubs, bridges, gateways are connected. The network nodes constantly perform various
customized computations on the packets flowing through them [14]. The essential feature of the active network approach
is the programmability. New network features and services can be dynamically added to the network infrastructure on
demand. Note that active networks are different from programmable networks [15-18]. Active networks have executable
Volume 3, Issue 3, March 2014
Page 282
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org
Volume 3, Issue 3, March 2014
ISSN 2319 - 4847
and mobile code carried within packets, while programmable networks rely on standard programming interfaces to
network control. Intrusion detection is the process of monitoring and analyzing events occurred in a computer or network
and presenting the results to the administrator [19, 20]. The related research on intrusion detection started in the early
1980’s. It has continued through several major projects and other Government programs. In the beginning of the 1990s,
intrusion detection became a hot research topic and commercial IDRS started to emerge [21] when the internet era
emerge.
2. ACTIVE NETWORK-BASED INTRUSION DETECTION AND RESPONSE SYSTEM
This paper presents a model of intrusion detection and response system and mechanisms for detecting both well-known
and unknown intrusive behaviours. The system consists of at least one intrusion detection node, a management center
(MC), and an intrusion detection center (IDC). The relationship among them is shown in Fig. 1. Note that the Intrusion
Detection System (IDS) consisting of software modules and agents is installed in the Intrusion detection node.
Fig. 1. Agent and service based intrusion detection and response system.
Fig. 2. System architecture of an active network.
When suspicious activity is discovered, the detection node will sent the intersected information to the IDC for further
analysis, using the active networking services pro- vided by the MC. Management center dispatches different service
agents to the detection nodes according to their specific needs and different execution environments. The MC provides
and deployed services to detection nodes to update their detection models to enhance their detection capabilities. The
overall architecture is shown in Fig. 2. Each management center is responsible for serving a subnet by deploying and
updating the active networking services for detection nodes. On the other hand, the IDC provides and deployed effective
detection models to detection nodes, using mobile agents to cross different platforms.
2.1 Intrusion Detection Node
Agent techniques and software components were heavily used in the proposed IDRS. The intrusion detection node
consists of a node manager, hosting and monitoring an agent activity platform, and an intrusion detection system (IDS),
performing intrusion detection and response actions. In addition, a network management agent is installed to integrate
our IDRS with network management system.
2.1.2 Node Manager
The node manager resides at the intrusion detection node, hosting a platform for the transient agents to perform their
tasks. The manager monitors the activities of the transit agents on the platform. In general, the node manager coordinates
all agents with respect to agent behavior regulations specified by the user, which is defined in the system con- figuration.
The primary tasks of the node manager are
 Identify the default (user-specified) system configuration and internet service information (e.g., types of the
operating system and WWW server),
Volume 3, Issue 3, March 2014
Page 283
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org
Volume 3, Issue 3, March 2014
ISSN 2319 - 4847
 Broadcast to other nodes with active packets to request or update services,
 Send service requests to the management center,
 Receive mobile agents dispatched from the intrusion detection center to accommodate their services.
2.1.3 Network Management Agent
One aim of the proposed IDRS is to integrate the IDS and active network management system (NMS) using techniques of
source auditing, packet analysis, and network deployment strategies (e.g., IP or port blocking). This integration task is
delegated to the network management agent (NMA). The integration of the IDS and NMS provides the system
administrator (the user) a comprehensive view of the network security status to facilitate the security management.
The IDS is actually a set of software modules and agents, consisting of an active network monitor, and an intrusion
detection agent, an intrusion response agent. The architecture of the IDS is shown in Fig. 3.
Fig. 3. Agents and Software modules of the IDS in an intrusion detection node.
2.1.4 Active Network Monitor
The active network monitor (ANM) is a programmable traffic monitor. It captures the incoming packets with the user
specified network type from the internet, such as TCP, UDP, IPv6, etc. The types of packets passed through the monitor
are remotely and indirectly controlled by the intrusion detection center (IDC). Therefore, the packet types can be
dynamically changed (e.g. blocked or filtered) when the detection system responds to network attacks. The system
administrator can obtain network traffic information, such as the transmitting quality and intrusion logs, from the
monitor.
2.1.5 Intrusion Detection Agent
The intrusion detection agent (IDA) implements neural network-based and support vector machine-based data mining
techniques to classify the incoming packets into nor- mal class or attack class. The detected results are then forwarded to
the intrusion response agent for further process. Therefore, the intrusion detection agent is responsible for the actual
intrusion detection. There are two kinds of intrusion detection agents implemented in our prototype system to conduct
either a service-specified mode or a general mode of intrusion detection, as shown in Fig. 4.
Fig. 4. The two intrusion detection modes.
2.1.6 Intrusion Response Agent
Intrusion response agent (IRA) is the chief commander of the IDS. It is responsible for deciding what actions should be
taken when receiving an intrusion detection report from the intrusion detection agent. It dispatches response commands
resulted from the user specified security policy. For ordinary, well-known, or identified intrusions, it takes necessary
actions (e.g., reconfiguring the filter rules) immediately to disconnect the intrusions. If no processing knowledge or action
rules are available, it wraps up the intrusion message in a standard format and sends it to the IDC.
2.2 Management Center
Management center (MC) is responsible for service deployments and service up- dates. The tasks conducted are servicedomain independent and the center performs these tasks without knowing the details of the service being processed. An
MC is similar to a software warehouse that hosts agents and mobile code, which are deployed as network services. If the
Volume 3, Issue 3, March 2014
Page 284
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org
Volume 3, Issue 3, March 2014
ISSN 2319 - 4847
proposed IDRS or other active applications (e.g., active video conference software and network management systems)
intend to update the agents, they just send revised or new agents to the management center. The center will replace,
update, or retrieve and destroy the corresponding client software, following the instructions of the service update
commands. The tasks of a management center include
 Deploys and updates active network services based on the needs and environments of the active nodes,
 Follows the order of the intrusion detection center to update the detection mode,
 Maintains and monitors the service agents deployed to the active nodes.
2.3Intrusion Detection Center
When the intrusion detection node detects unidentified suspicious activities, the intrusion response agent sends related
information to the intrusion detection center (IDC) for further analysis. The intrusion report is forwarded to an event
manager of the center first. The action of appropriate responses will be made based on the information, such as the attack
types and priorities. At first, the intrusion information is sent to an identification module for pattern recognition with
known patterns. If the pattern is indistinct, advanced experts are incorporated to identify whether it is a normal activity or
an intrusion. For normal patterns, no intrusion response is necessary. For known intrusion patterns, the identification of
intrusion is confirmed and returned to the IRS for proper responses. However, if it is identified as a new intrusion pattern,
the IDC will update the knowledge base with this new pattern and the related information. Consequently, the new
intrusion is recognized and returned for disconnection responses.
2.4Programming Model
This paper presents a programming model based on the discussed architecture to support the development of a general
active network, as shown in Fig. 5. The model uses ANEP [22] as the basic transformation protocol to comply with
industrial standards. The programming model is dedicated to the Java programming language, and thus is operating
system independent when it is runtime executed. Software artifacts developed from this model can execute their
functionalities on different platforms seamlessly. As shown in Fig. 5, basic network service modules defined in the model
include Active Packet, Active Service Base, AN Application, and A Daemon. Customized protocols and services can be
developed based on these modules. This model serves as a design pattern for constructing active network-based services.
Users can define their own data packet classes by extending Active Packet and implementing the interface functions to
construct a user-defined communication mechanism. As a result, user-defined active packets can execute pre-defined
actions on the active nodes while traveling on the network
Fig. 5. The programming model of the proposed IDRS
2.5 Communication Protocols
Three standard communication protocols are used between agents and active soft- ware components in our prototype
system. First, the Active Network Encapsulation Protocol (ANEP) [22] is used to establish interoperability between nodes
on the active net- work. Second, the Intrusion Detection Message Exchange Format (IDMEF) [23] is used as a message
format between our intrusion detection agents and other agents. The ID- MEF is an XML formatted definition developed
by the Intrusion Detection Exchange Format Working Group (IDWG) [24] of the Internet Engineering Task Force
(IETF). The task force is an IETF working group aiming at defining common data formats and ex- changing protocols for
information sharing between intrusion detection and response systems and management systems. Third, the Simple
Network Management Protocol (SNMP) is used between the network management agent, management center, and
intrusion detection center. The SNMP is a popular network management protocol that facilitates the exchange of
management information between network devices, which is also a part of the TCP/IP protocol suite. The SNMP enables
a manager to remotely monitor and configure devices on the network.
3. MECHANISM OF INTRUSION DETECTION AND RESPONSE
In previous discussion, the IDRS defines two detection modes for intrusion detections: the general detection mode and the
service-specified mode. The first mode deals with general intrusion cases, where the detection is independent of the
Volume 3, Issue 3, March 2014
Page 285
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org
Volume 3, Issue 3, March 2014
ISSN 2319 - 4847
system environment. On the other hand, the second is dedicated to cases with services particularly specified. For instance,
the attack approach to the MS IIS (Microsoft Internet Information Ser- vice) servers is quite different from that to Apache
web servers. If a node does not host any web server, web attack detection service is not needed. Different web servers
serving on different platforms acquire detection services in different formats or modes. The intrusion detection center of
our IDRS has installed three web intrusion detection modules specifically for the IIS, Apache, and other servers.
3.1 Detection Algorithm
Although the two different detection modes are implemented in our IDRS, both of them share the same detection
algorithm:
Step 1: Receive a network connection packet.
Step 2: Analyze the packet and construct a feature vector according to the mode profile, as shown in Fig. 6.
Step 3: Classify this feature vector using data mining algorithms, such as a well-trained neural network or a support
vector machine.
Step 4: If the connection is identified as an intrusion, the related information will be forwarded to the intrusion response
agent to handle the intrusion event. Otherwise, no responding action is required and the node simply passes the packet to
the receiver.
Fig 6. The generation of the feature vector.
3.2 Intrusion Response Mechanism
Our prototype system defines and implements several passive and active responses. An alarm response is a common
passive response that simply informs the message receiver when the attack is detected. In addition, detailed information
about the attack, such as the source and target IPs, the suspicious activities, and the event priority, is included in the
message. In contrast, active responses are actions taken by the IDRS. Actions in responding to the intrusion are
automatically triggered when suspicious behaviors are detected and con- firmed. In a high security disciplined IDRS,
numerous alarms could be issued and most of them might be false alarms, which will waste system resources and easily
lose packets in heavy traffic. Despite this unexpected behavior, the system can collect more information about the
suspicious attacks and the profiles of the intruder. The additional information can help the system to deal with malicious
and wily attacks or new types of intrusions. Another active response is stopping the attack in progress by blocking the
subsequent access to the system from the intruder. The presented prototype system disconnects the intruders and notifies
routers and firewalls to block packets from this intruder. When an attack occurs, the system should respond as fast as
possible to avoid or reduce the damage. Once an intrusion is identified and confirmed, the prototype system starts tracing
the activities of the intruder. The intrusion response agent will follow the user specified security policy to take actions in
respond to the intrusion and to report its status to the network administrator. The network management agent of the
intrusion detection node is responsible for sending SNMP traps and messages to post alarms to the central console of the
network management system.
4. CONCLUSIONS
This paper proposes active network model of an agent-based intrusion detection and response system. The proposed
model is powered by mobile agent techniques, which make the system flexible and scalable. Therefore, software
components are physically light-weighted and highly updateable. Automated response mechanism can effectively cope
with evolving network attacks with the help of intelligent mechanisms. A general detection mode and specified mode of
intrusion detections are proposed for practical application developments. Numerical experiments shows that the intrusion
detection accuracies of using support vector machine are higher than those of the neural network.
REFERENCES
[1] CERT coordination center, http://www.cert.org/.
[2] V. Y. Roman, “Human computer interaction based intrusion detection,” in Proceedings of the International
Conference on Information Technology, 2007, pp. 837-842.
Volume 3, Issue 3, March 2014
Page 286
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org
Volume 3, Issue 3, March 2014
ISSN 2319 - 4847
[3] Y. Zhenwei, J. P. T. Jeffrey, and W. Thomas, “An automatically tuning intrusion detection system,” IEEE
Transactions on Systems, Man and Cybernetics − Part B, Vol. 37, 2007, pp. 373-384.
[4] Y. Seungyong, K. Byoungkoo, and O. Jintae, “High-performance state full intrusion detection system,” in
Proceedings of International Conference on Computational Intelligence and Security, Vol. 1, 2006, pp. 574-579.
[5] L. T. David and J. W. David, “Towards an active network architecture,” ACM Computer Communications Review,
Vol. 26, 1996, pp. 5-17.
[6] D. Wetherall, D. Legedza, and J. Guttag, “Introducing new internet services: Why and how,” IEEE Network
Magazine, Vol. 12, 1998, pp. 12-19.
[7] D. L. Tennenhouse and D. J. Wetherall, “Toward an active network architecture,” in Proceedings of Multimedia
Computing and Networking, 1996, pp. 2-16.
[8] D. L. Tennenhouse, J. M. Smith, W. D. Sincoskie, D. J. Wetherall, and G. J. Minden,“A survey of active network
research,” IEEE Communications Magazine, Vol. 35, 1997, pp. 80-86.
[9] K. Psounis, “Active networks: Applications, security, safety, and architectures,”IEEE Communications Surveys and
Tutorials, Vol. 2, 1999, pp. 1-16.
[10] A. T. Campbell, H. G. de Meer, M. E. Kounavis, K. Miki, J. B. Vicente, and D. Villela, “A survey of programmable
networks,” ACM Computer Communications Review,Vol. 29, 1999, pp. 7-23.
[11] N. Achir, M. S. P. Fonseca, M. Y. G. Doudane, N. Agoulmine, and A. Mehaoua, “ Active networking system
evaluation: A practical experience,” Networking and InformationSystem Journal, Vol. 3, 2000, pp. 431-448.
[12] D. S. Alexander, M. Shaw, S. M. Nettles, and J. N. Smith, “Active bridging,” in Proceedings of the ACM Conference
on Applications, Technologies, Architectures, and Protocols for Computer Communication, 1997, pp. 101-111.
[13] K. L. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, “Directions in active networks,” IEEE Communications
Magazine, Vol. 36, 1998, pp. 72-78.
[14] S. Surat, “Integration soft computing approach to network security,” Modeling and Simulation, 2007, pp. 159-164.
[15] R. Keller, J. Ramamirtham, T. Wolf, and B. Plattner, “Active pipes: Service composition for programmable
networks,” in Proceedings of IEEE Conference on Military Communications, Vol. 2, 2001, pp. 962-966.
[16] A. Kulkarni, G. Minden, R. Hill, Y. Wijata, S. Sheth, H. Pindi, F. Wahhab, A. Gopinath, and A. Nagarajan,
“Implementation of a prototype active network,” in Proceedings of IEEE Open Architectures and Network
Programming, 1998, pp. 130-142.
[17] L. Peterson, Y. Gottlieb, M. Hibler, P. Tullmann, J. Lepreau, S. Schwab, H. Dandekar, A. Purtell, and J. Hartman,
“An OS interface for active routers,” IEEE Journal on Selected Areas in Communications, Vol. 19, 2001, pp. 473487.
[18] J. Gao, P. Steenkiste, E. Takahashi, and A. Fisher, “A programmable router architecture supporting control plane
extensibility,” IEEE Communications Magazine, Vol. 38, 2000, pp. 152-159.
[19] F. Chuan, P. Jianfeng, Q. Haiyan, and W. R. Jerzy, “Alert fusion for a computer host based intrusion detection
system,” in Proceedings of the 14th Annual IEEE International Conference and Workshops on the Engineering of
Computer-Based Systems, 2007, pp. 433-440.
[20] W. Rensheng and V. N. Jeffrey, “Search strategy optimization for intruder detection,” IEEE Sensors Journal, Vol. 7,
2007, pp. 315-316.
[21] J. G. Tront and R. C. Marchany, “Internet security: Intrusion detection and prevention in mobile systems,” in
Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007, pp. 162-162.
[22] D. S. Alexander, B. Braden, C. A. Gunter, A. W. Jackson, A. D. Keromytis, G. J. Minden, and D. Wetherall, “Active
network encapsulation protocol (ANEP),” Active Networks Group, 1997.
[23] D. Curry and H. Debar, “Intrusion detection message exchange format extensible markup language (XML) document
type definition,” draft-ietf-idwg-idmef-xml-03, 2001.
[24] Intrusion Detection Exchange Format (idwg), http://www.ietf.org/html.charters/idwg- charter.html
AUTHORS
Mr.Ranjeet.A.Tijare, ME (CSE) Scholar,First Year,Department of CSE, P.R.Pote(Patil) College of Engineering and
Techonlogy,Amravati,Sant Gadge Baba Amravati University,Amarvati,Maharashtra,India – 444602
Prof.Monika Rajput Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati, Sant Gadge
Baba Amravati University,Amarvati,Maharashtra, India - 444602
Volume 3, Issue 3, March 2014
Page 287