International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org Volume 3, Issue 3, March 2014 ISSN 2319 - 4847 Study of Active Network Intrusion Detection System Mr.Ranjeet .A.Tijare1, Prof.Monika Rajput 1 2 ME (CSE) Scholar,First Year,Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati. Sant Gadgebaba Amravati University,Amarvati,Maharashtra,India - 444602 2 Assitantant Professor, Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati. Sant Gadgebaba Amravati University,Amarvati,Maharashtra,India - 444602 Abstract The Internet has changed the way people think, do business, and communicates with each other. By means of computer networks, we can shop, research, and conduct financial business online. The network security is getting more important due to the widespread computer viruses and increasing network attacks. Nowadays, more and more security mechanisms, such as firewalls and intrusion detection systems (IDS), are introduced to protect the network from malicious attacks. . One of the most promising recent advances in the area of intrusion detection system (IDS).The system propose the solution to different problem and attract different researcher to work in this area. .This paper proposes an agent based intrusion detection and response system for network. In contrast to a traditional passive network, an active network gives the nodes programmable ability to exercise various active network technologies. The intrusion response, service deployment, and mechanisms are centred on this technology. The proposed model of intrusion detection and response system (IDRS) catches network attacks and responses to stop the attacks at the first time to reduce the damage. Detecting, reporting, and responding capabilities are all embedded and integrated in the proposed system. A prototype system is developed using a novel data mining technology (the support vector machine) to enhance the detection function. In addition, several experiments were conducted to verify the system and results showed that the system was able to effectively identify the intrusions and respond promptly. Experiments also showed that the support vector machine outperforms the competitive neural networks in identifying the intrusions. Keywords: Active Network, Intrusion Detection, Computer Network Security. 1. INTRODUCTION Large spread of internet, various kinds of internet services have been developed, such as e-commerce and web services. These services have motivated numerous network activities. While network activities become more popular, network security is getting more important for and more concerned by service providers and consumers. A report [1] from the CERT (Computer Emergency Response Team) Coordination Center of Carnegie Mellon University has states that the sophistication of network attacks is dramatically increased, where a single attack usually involves several intrusion stages. Firewalls protect a system from external attacks, but it cannot evolve to cope with new types of attacks. In contrast, an intrusion detection and response system (IDRS), acting as an advance network defence mechanism, is much more dynamic. Traditional IDRSs are mostly developed from passive network models, simply focusing on intrusion detecting and alerting. Most of them are static and lack the capabilities of new feature implementation and adaptive system configuration. To effectively avoid destructive attacks, solid network architecture is required and is a must. Adoption of active networks is a novel approach to constructing a secured network architecture, where the nodes of the network execute customized computations and operations on the networking messages flowing through them [2]. Active networks should be established for the need of a tightly secured networking environment. This paper proposes a scalable intrusion detection and response system based on the network modelling technology. The system dynamically evolves to tailor proper detection mechanisms to the security needs of the network. When advanced functionalities are needed, the system will automatically replace the mechanisms with improved ones. Current IDRSs simply emphasize on detecting attacks and suffer from capability- limited detecting/responding mechanisms. The time delay in alerting the system administrator and the delay in responding to attacks usually result in unexpected damages. To remedy this, an autonomic and adaptive IDRS is necessary [3]. Responding in time and taking appropriate estimation and actions can make the system immune from emerged attacks and endless threats [4].Unlike a traditional network, which only passively transforms data packets, an active network allows the network node to execute mobile code carried in packets. The proposed IDRS combines distributed monitoring techniques (through individual host and LAN monitors) and data mining methods to analyze the threats of the incoming data and respond to the intrusions effectively (which is achieved by an intrusion detection center).Active network [5-13] is a novel approach to constructing network architecture, where various network nodes, such as switches, routers, hubs, bridges, gateways are connected. The network nodes constantly perform various customized computations on the packets flowing through them [14]. The essential feature of the active network approach is the programmability. New network features and services can be dynamically added to the network infrastructure on demand. Note that active networks are different from programmable networks [15-18]. Active networks have executable Volume 3, Issue 3, March 2014 Page 282 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org Volume 3, Issue 3, March 2014 ISSN 2319 - 4847 and mobile code carried within packets, while programmable networks rely on standard programming interfaces to network control. Intrusion detection is the process of monitoring and analyzing events occurred in a computer or network and presenting the results to the administrator [19, 20]. The related research on intrusion detection started in the early 1980’s. It has continued through several major projects and other Government programs. In the beginning of the 1990s, intrusion detection became a hot research topic and commercial IDRS started to emerge [21] when the internet era emerge. 2. ACTIVE NETWORK-BASED INTRUSION DETECTION AND RESPONSE SYSTEM This paper presents a model of intrusion detection and response system and mechanisms for detecting both well-known and unknown intrusive behaviours. The system consists of at least one intrusion detection node, a management center (MC), and an intrusion detection center (IDC). The relationship among them is shown in Fig. 1. Note that the Intrusion Detection System (IDS) consisting of software modules and agents is installed in the Intrusion detection node. Fig. 1. Agent and service based intrusion detection and response system. Fig. 2. System architecture of an active network. When suspicious activity is discovered, the detection node will sent the intersected information to the IDC for further analysis, using the active networking services pro- vided by the MC. Management center dispatches different service agents to the detection nodes according to their specific needs and different execution environments. The MC provides and deployed services to detection nodes to update their detection models to enhance their detection capabilities. The overall architecture is shown in Fig. 2. Each management center is responsible for serving a subnet by deploying and updating the active networking services for detection nodes. On the other hand, the IDC provides and deployed effective detection models to detection nodes, using mobile agents to cross different platforms. 2.1 Intrusion Detection Node Agent techniques and software components were heavily used in the proposed IDRS. The intrusion detection node consists of a node manager, hosting and monitoring an agent activity platform, and an intrusion detection system (IDS), performing intrusion detection and response actions. In addition, a network management agent is installed to integrate our IDRS with network management system. 2.1.2 Node Manager The node manager resides at the intrusion detection node, hosting a platform for the transient agents to perform their tasks. The manager monitors the activities of the transit agents on the platform. In general, the node manager coordinates all agents with respect to agent behavior regulations specified by the user, which is defined in the system con- figuration. The primary tasks of the node manager are Identify the default (user-specified) system configuration and internet service information (e.g., types of the operating system and WWW server), Volume 3, Issue 3, March 2014 Page 283 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org Volume 3, Issue 3, March 2014 ISSN 2319 - 4847 Broadcast to other nodes with active packets to request or update services, Send service requests to the management center, Receive mobile agents dispatched from the intrusion detection center to accommodate their services. 2.1.3 Network Management Agent One aim of the proposed IDRS is to integrate the IDS and active network management system (NMS) using techniques of source auditing, packet analysis, and network deployment strategies (e.g., IP or port blocking). This integration task is delegated to the network management agent (NMA). The integration of the IDS and NMS provides the system administrator (the user) a comprehensive view of the network security status to facilitate the security management. The IDS is actually a set of software modules and agents, consisting of an active network monitor, and an intrusion detection agent, an intrusion response agent. The architecture of the IDS is shown in Fig. 3. Fig. 3. Agents and Software modules of the IDS in an intrusion detection node. 2.1.4 Active Network Monitor The active network monitor (ANM) is a programmable traffic monitor. It captures the incoming packets with the user specified network type from the internet, such as TCP, UDP, IPv6, etc. The types of packets passed through the monitor are remotely and indirectly controlled by the intrusion detection center (IDC). Therefore, the packet types can be dynamically changed (e.g. blocked or filtered) when the detection system responds to network attacks. The system administrator can obtain network traffic information, such as the transmitting quality and intrusion logs, from the monitor. 2.1.5 Intrusion Detection Agent The intrusion detection agent (IDA) implements neural network-based and support vector machine-based data mining techniques to classify the incoming packets into nor- mal class or attack class. The detected results are then forwarded to the intrusion response agent for further process. Therefore, the intrusion detection agent is responsible for the actual intrusion detection. There are two kinds of intrusion detection agents implemented in our prototype system to conduct either a service-specified mode or a general mode of intrusion detection, as shown in Fig. 4. Fig. 4. The two intrusion detection modes. 2.1.6 Intrusion Response Agent Intrusion response agent (IRA) is the chief commander of the IDS. It is responsible for deciding what actions should be taken when receiving an intrusion detection report from the intrusion detection agent. It dispatches response commands resulted from the user specified security policy. For ordinary, well-known, or identified intrusions, it takes necessary actions (e.g., reconfiguring the filter rules) immediately to disconnect the intrusions. If no processing knowledge or action rules are available, it wraps up the intrusion message in a standard format and sends it to the IDC. 2.2 Management Center Management center (MC) is responsible for service deployments and service up- dates. The tasks conducted are servicedomain independent and the center performs these tasks without knowing the details of the service being processed. An MC is similar to a software warehouse that hosts agents and mobile code, which are deployed as network services. If the Volume 3, Issue 3, March 2014 Page 284 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org Volume 3, Issue 3, March 2014 ISSN 2319 - 4847 proposed IDRS or other active applications (e.g., active video conference software and network management systems) intend to update the agents, they just send revised or new agents to the management center. The center will replace, update, or retrieve and destroy the corresponding client software, following the instructions of the service update commands. The tasks of a management center include Deploys and updates active network services based on the needs and environments of the active nodes, Follows the order of the intrusion detection center to update the detection mode, Maintains and monitors the service agents deployed to the active nodes. 2.3Intrusion Detection Center When the intrusion detection node detects unidentified suspicious activities, the intrusion response agent sends related information to the intrusion detection center (IDC) for further analysis. The intrusion report is forwarded to an event manager of the center first. The action of appropriate responses will be made based on the information, such as the attack types and priorities. At first, the intrusion information is sent to an identification module for pattern recognition with known patterns. If the pattern is indistinct, advanced experts are incorporated to identify whether it is a normal activity or an intrusion. For normal patterns, no intrusion response is necessary. For known intrusion patterns, the identification of intrusion is confirmed and returned to the IRS for proper responses. However, if it is identified as a new intrusion pattern, the IDC will update the knowledge base with this new pattern and the related information. Consequently, the new intrusion is recognized and returned for disconnection responses. 2.4Programming Model This paper presents a programming model based on the discussed architecture to support the development of a general active network, as shown in Fig. 5. The model uses ANEP [22] as the basic transformation protocol to comply with industrial standards. The programming model is dedicated to the Java programming language, and thus is operating system independent when it is runtime executed. Software artifacts developed from this model can execute their functionalities on different platforms seamlessly. As shown in Fig. 5, basic network service modules defined in the model include Active Packet, Active Service Base, AN Application, and A Daemon. Customized protocols and services can be developed based on these modules. This model serves as a design pattern for constructing active network-based services. Users can define their own data packet classes by extending Active Packet and implementing the interface functions to construct a user-defined communication mechanism. As a result, user-defined active packets can execute pre-defined actions on the active nodes while traveling on the network Fig. 5. The programming model of the proposed IDRS 2.5 Communication Protocols Three standard communication protocols are used between agents and active soft- ware components in our prototype system. First, the Active Network Encapsulation Protocol (ANEP) [22] is used to establish interoperability between nodes on the active net- work. Second, the Intrusion Detection Message Exchange Format (IDMEF) [23] is used as a message format between our intrusion detection agents and other agents. The ID- MEF is an XML formatted definition developed by the Intrusion Detection Exchange Format Working Group (IDWG) [24] of the Internet Engineering Task Force (IETF). The task force is an IETF working group aiming at defining common data formats and ex- changing protocols for information sharing between intrusion detection and response systems and management systems. Third, the Simple Network Management Protocol (SNMP) is used between the network management agent, management center, and intrusion detection center. The SNMP is a popular network management protocol that facilitates the exchange of management information between network devices, which is also a part of the TCP/IP protocol suite. The SNMP enables a manager to remotely monitor and configure devices on the network. 3. MECHANISM OF INTRUSION DETECTION AND RESPONSE In previous discussion, the IDRS defines two detection modes for intrusion detections: the general detection mode and the service-specified mode. The first mode deals with general intrusion cases, where the detection is independent of the Volume 3, Issue 3, March 2014 Page 285 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org Volume 3, Issue 3, March 2014 ISSN 2319 - 4847 system environment. On the other hand, the second is dedicated to cases with services particularly specified. For instance, the attack approach to the MS IIS (Microsoft Internet Information Ser- vice) servers is quite different from that to Apache web servers. If a node does not host any web server, web attack detection service is not needed. Different web servers serving on different platforms acquire detection services in different formats or modes. The intrusion detection center of our IDRS has installed three web intrusion detection modules specifically for the IIS, Apache, and other servers. 3.1 Detection Algorithm Although the two different detection modes are implemented in our IDRS, both of them share the same detection algorithm: Step 1: Receive a network connection packet. Step 2: Analyze the packet and construct a feature vector according to the mode profile, as shown in Fig. 6. Step 3: Classify this feature vector using data mining algorithms, such as a well-trained neural network or a support vector machine. Step 4: If the connection is identified as an intrusion, the related information will be forwarded to the intrusion response agent to handle the intrusion event. Otherwise, no responding action is required and the node simply passes the packet to the receiver. Fig 6. The generation of the feature vector. 3.2 Intrusion Response Mechanism Our prototype system defines and implements several passive and active responses. An alarm response is a common passive response that simply informs the message receiver when the attack is detected. In addition, detailed information about the attack, such as the source and target IPs, the suspicious activities, and the event priority, is included in the message. In contrast, active responses are actions taken by the IDRS. Actions in responding to the intrusion are automatically triggered when suspicious behaviors are detected and con- firmed. In a high security disciplined IDRS, numerous alarms could be issued and most of them might be false alarms, which will waste system resources and easily lose packets in heavy traffic. Despite this unexpected behavior, the system can collect more information about the suspicious attacks and the profiles of the intruder. The additional information can help the system to deal with malicious and wily attacks or new types of intrusions. Another active response is stopping the attack in progress by blocking the subsequent access to the system from the intruder. The presented prototype system disconnects the intruders and notifies routers and firewalls to block packets from this intruder. When an attack occurs, the system should respond as fast as possible to avoid or reduce the damage. Once an intrusion is identified and confirmed, the prototype system starts tracing the activities of the intruder. The intrusion response agent will follow the user specified security policy to take actions in respond to the intrusion and to report its status to the network administrator. The network management agent of the intrusion detection node is responsible for sending SNMP traps and messages to post alarms to the central console of the network management system. 4. CONCLUSIONS This paper proposes active network model of an agent-based intrusion detection and response system. The proposed model is powered by mobile agent techniques, which make the system flexible and scalable. Therefore, software components are physically light-weighted and highly updateable. Automated response mechanism can effectively cope with evolving network attacks with the help of intelligent mechanisms. A general detection mode and specified mode of intrusion detections are proposed for practical application developments. Numerical experiments shows that the intrusion detection accuracies of using support vector machine are higher than those of the neural network. REFERENCES [1] CERT coordination center, http://www.cert.org/. [2] V. Y. Roman, “Human computer interaction based intrusion detection,” in Proceedings of the International Conference on Information Technology, 2007, pp. 837-842. Volume 3, Issue 3, March 2014 Page 286 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org Volume 3, Issue 3, March 2014 ISSN 2319 - 4847 [3] Y. Zhenwei, J. P. T. Jeffrey, and W. Thomas, “An automatically tuning intrusion detection system,” IEEE Transactions on Systems, Man and Cybernetics − Part B, Vol. 37, 2007, pp. 373-384. [4] Y. Seungyong, K. Byoungkoo, and O. Jintae, “High-performance state full intrusion detection system,” in Proceedings of International Conference on Computational Intelligence and Security, Vol. 1, 2006, pp. 574-579. [5] L. T. David and J. W. David, “Towards an active network architecture,” ACM Computer Communications Review, Vol. 26, 1996, pp. 5-17. [6] D. Wetherall, D. Legedza, and J. Guttag, “Introducing new internet services: Why and how,” IEEE Network Magazine, Vol. 12, 1998, pp. 12-19. [7] D. L. Tennenhouse and D. J. Wetherall, “Toward an active network architecture,” in Proceedings of Multimedia Computing and Networking, 1996, pp. 2-16. [8] D. L. Tennenhouse, J. M. Smith, W. D. Sincoskie, D. J. Wetherall, and G. J. Minden,“A survey of active network research,” IEEE Communications Magazine, Vol. 35, 1997, pp. 80-86. [9] K. Psounis, “Active networks: Applications, security, safety, and architectures,”IEEE Communications Surveys and Tutorials, Vol. 2, 1999, pp. 1-16. [10] A. T. Campbell, H. G. de Meer, M. E. Kounavis, K. Miki, J. B. Vicente, and D. Villela, “A survey of programmable networks,” ACM Computer Communications Review,Vol. 29, 1999, pp. 7-23. [11] N. Achir, M. S. P. Fonseca, M. Y. G. Doudane, N. Agoulmine, and A. Mehaoua, “ Active networking system evaluation: A practical experience,” Networking and InformationSystem Journal, Vol. 3, 2000, pp. 431-448. [12] D. S. Alexander, M. Shaw, S. M. Nettles, and J. N. Smith, “Active bridging,” in Proceedings of the ACM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, 1997, pp. 101-111. [13] K. L. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, “Directions in active networks,” IEEE Communications Magazine, Vol. 36, 1998, pp. 72-78. [14] S. Surat, “Integration soft computing approach to network security,” Modeling and Simulation, 2007, pp. 159-164. [15] R. Keller, J. Ramamirtham, T. Wolf, and B. Plattner, “Active pipes: Service composition for programmable networks,” in Proceedings of IEEE Conference on Military Communications, Vol. 2, 2001, pp. 962-966. [16] A. Kulkarni, G. Minden, R. Hill, Y. Wijata, S. Sheth, H. Pindi, F. Wahhab, A. Gopinath, and A. Nagarajan, “Implementation of a prototype active network,” in Proceedings of IEEE Open Architectures and Network Programming, 1998, pp. 130-142. [17] L. Peterson, Y. Gottlieb, M. Hibler, P. Tullmann, J. Lepreau, S. Schwab, H. Dandekar, A. Purtell, and J. Hartman, “An OS interface for active routers,” IEEE Journal on Selected Areas in Communications, Vol. 19, 2001, pp. 473487. [18] J. Gao, P. Steenkiste, E. Takahashi, and A. Fisher, “A programmable router architecture supporting control plane extensibility,” IEEE Communications Magazine, Vol. 38, 2000, pp. 152-159. [19] F. Chuan, P. Jianfeng, Q. Haiyan, and W. R. Jerzy, “Alert fusion for a computer host based intrusion detection system,” in Proceedings of the 14th Annual IEEE International Conference and Workshops on the Engineering of Computer-Based Systems, 2007, pp. 433-440. [20] W. Rensheng and V. N. Jeffrey, “Search strategy optimization for intruder detection,” IEEE Sensors Journal, Vol. 7, 2007, pp. 315-316. [21] J. G. Tront and R. C. Marchany, “Internet security: Intrusion detection and prevention in mobile systems,” in Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007, pp. 162-162. [22] D. S. Alexander, B. Braden, C. A. Gunter, A. W. Jackson, A. D. Keromytis, G. J. Minden, and D. Wetherall, “Active network encapsulation protocol (ANEP),” Active Networks Group, 1997. [23] D. Curry and H. Debar, “Intrusion detection message exchange format extensible markup language (XML) document type definition,” draft-ietf-idwg-idmef-xml-03, 2001. [24] Intrusion Detection Exchange Format (idwg), http://www.ietf.org/html.charters/idwg- charter.html AUTHORS Mr.Ranjeet.A.Tijare, ME (CSE) Scholar,First Year,Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati,Sant Gadge Baba Amravati University,Amarvati,Maharashtra,India – 444602 Prof.Monika Rajput Department of CSE, P.R.Pote(Patil) College of Engineering and Techonlogy,Amravati, Sant Gadge Baba Amravati University,Amarvati,Maharashtra, India - 444602 Volume 3, Issue 3, March 2014 Page 287