Distributed Intrusion Detection System Using P2P Agent Mining ...
Vol 5. No. 2, March, 2012 ISSN 2006-1781 African Journal of Computing & ICT © 2012 Afr J Comp & ICT – All Rights Reserved www.ajocict.net

These problems are highlighted below after a taxonomic review of existing works based on data sharing, the nature of the data analysis, and security and trust features.

2.1 Data Sharing

In a distributed IDS, each agent shares its data with other agents in the system. However, a wide variety of sharing schemes have been developed, ranging from centralized data reporting on one side to completely decentralized sharing on the other. The most extreme centralization is represented by systems in which a commercial vendor collects security information from a wide variety of customers, each running the vendor's agent software [33] [34]. The vendor typically has multiple machines handling the data collection and analysis load that this widespread deployment incurs. When the vendor detects a possible Internet attack, customers receive alerts and advice from the professional security experts who manage the system. This approach has two primary shortcomings. First, the central management and processing of data represents a single point of failure or vulnerability. Second, it results in a scalability bottleneck, and due to the volume of incoming data, these systems often have slow response times to new threats.

The most common distributed IDS approach is one in which all agents report data to a central server controlled at a domain or enterprise level [7] [12]. This is fundamentally the same as the previous centralized approach, but on a different scale, and it possesses most of the advantages and disadvantages of the larger-scale systems. These are usually oriented towards enterprise security, and are generally unsuitable for use among independent peers on the Internet due to the central control.

To address the scalability problem of a centralized system, many techniques use a hierarchical structure, as in [24]. Data is passed up a hierarchy tree and is processed at each level to search for intrusions and to reduce the amount of information that must be passed to the higher level. This helps address scalability and allows a system to be deployed across large enterprise-scale networks, but it limits the kinds of intrusions that can be detected at the highest levels. It also helps address the single-point-of-failure problem, since the lower tiers can typically continue to function with reduced detection capabilities if a higher node in the hierarchy fails.

Between the hierarchical approach and the fully distributed approach lie projects such as [14], which uses a hybrid hierarchically distributed approach. Each agent publishes "interests" to the network, which are distributed through a hierarchical structure. Agents share data with other nodes that are interested, and all analysis occurs locally at the agent level. Instances of completely distributed solutions are rarer and not well developed. Gossiping, multicast, or subscription-based data sharing techniques have been proposed [17], but none of these have yet been implemented in a distributed IDS.

2.2 Nature of Data Analysis

Although distributed IDSs are usually independent of the techniques used to detect individual security events, the ways in which these security events are used can vary greatly. Since most systems work in heterogeneous environments, and since the security relationship between, for instance, a port scan and a buffer overflow attack may not be obvious, how does a system turn event detection into a response? Expert systems are a common approach [18], relying on rule sets to process and respond to events. These rules can attempt to define security policies, normal behaviour, and/or anomalous behaviour, and alerts or actions are generated based on how events match against the rules; new attacks, however, are poorly detected.

Many systems [4] [28] use a threshold scheme. Each security event increases the global alert level. The amount of the increase can be based on any number of factors, such as the particular event that was observed and its relation to other events in time or space. When the alert level exceeds a certain threshold, generic increased security measures are deployed, or an administrator is alerted. Conversely, long periods of time without security events cause the alert level to decrease.

Also, [1] proposed a hybrid architecture involving ensemble and base classifiers for intrusion detection. They evaluated three fuzzy rule-based classifiers to detect intrusions in a network. Results were then compared with other machine learning techniques like decision trees, support vector machines and linear genetic programming. Further, they modelled a Distributed Soft Computing-based IDS (D-SCIDS) as a combination of different classifiers to model lightweight and more accurate heavyweight IDSs. They demonstrated the importance of feature reduction to model lightweight intrusion detection systems.

Agents and data mining were combined in works including JAM [29] (intelligent static agents; association rules and a meta-learning classifier), the approach of [16] (mobile and static agents; classification and genetic algorithms), MSAIDS [27] (mobile agents; a modified Apriori algorithm) and DMAS-IDS [25] (intelligent distributed agents; multi-class supervised classification).

In [5], a novel distributed multi-agent IDS architecture, called MAD-IDS, was presented. MAD-IDS integrated the mobile agent methodology and data mining techniques to accommodate the special requirements of distributing an IDS. Although they demonstrated that the data mining techniques, in particular the unsupervised clustering algorithm and generic association rule mining, are capable of discovering anomalous connections as well as generating an informative summary, their system was not generic, as it was designed to defend against probes.
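The hierarchical data-sharing scheme of Section 2.1 (data condensed at each tier, lower tiers surviving the failure of a higher node) and the threshold scheme of Section 2.2 (a decaying alert level raised by weighted events) are shown together in the following simulation. It is an added example, not code from the paper or from any of the cited systems: the three-tier tree, the event weights, the correlation bonus, the decay rates, the thresholds and the sample events are all assumed values constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, assumed values; none of these come from the paper or the cited systems.
EVENT_WEIGHTS = {"port_scan": 1.0, "failed_login": 2.0, "buffer_overflow": 5.0}
CORRELATION_BONUS = 2.0      # extra weight when the same source was seen recently at this node
CORRELATION_WINDOW = 60.0    # seconds: "relation to other events in time"
FORWARD_MIN_WEIGHT = 2.0     # lighter events stay local, reducing what the higher tier receives


@dataclass
class Node:
    """One tier of a hierarchical distributed IDS.

    Keeps its own alert level (threshold scheme with decay) and forwards only a
    condensed weight, never the raw event, to its parent tier."""
    name: str
    threshold: float
    decay_per_second: float
    parent: Optional["Node"] = None
    alive: bool = True
    level: float = 0.0
    last_update: float = 0.0
    recent_sources: dict = field(default_factory=dict)  # source -> last time seen here
    alarms: list = field(default_factory=list)          # times the threshold was crossed
    dropped: int = 0                                     # forwards lost to a dead parent

    def _decay(self, now: float) -> None:
        # Quiet periods lower the alert level linearly, never below zero.
        elapsed = max(0.0, now - self.last_update)
        self.level = max(0.0, self.level - elapsed * self.decay_per_second)
        self.last_update = now

    def weigh(self, now: float, source: str, event_type: str) -> float:
        # Weight depends on the event kind and on correlation with earlier events in time.
        weight = EVENT_WEIGHTS.get(event_type, 1.0)
        last = self.recent_sources.get(source)
        if last is not None and now - last <= CORRELATION_WINDOW:
            weight += CORRELATION_BONUS
        self.recent_sources[source] = now
        return weight

    def raise_level(self, now: float, amount: float) -> float:
        self._decay(now)
        was_below = self.level < self.threshold
        self.level += amount
        if was_below and self.level >= self.threshold:
            self.alarms.append(now)  # here an administrator would be alerted
        return self.level

    def report(self, now: float, source: str, event_type: str) -> float:
        """Leaf entry point: a local agent observed a security event."""
        weight = self.weigh(now, source, event_type)
        self.raise_level(now, weight)
        self.forward(now, weight)
        return weight

    def forward(self, now: float, weight: float) -> None:
        if self.parent is None or weight < FORWARD_MIN_WEIGHT:
            return
        if not self.parent.alive:
            self.dropped += 1  # lower tier keeps detecting locally; only escalation is lost
            return
        self.parent.raise_level(now, weight)
        self.parent.forward(now, weight)


def build_tree():
    root = Node("enterprise", threshold=8.0, decay_per_second=0.01)
    dept = Node("department", threshold=6.0, decay_per_second=0.02, parent=root)
    leaf = Node("subnet", threshold=4.0, decay_per_second=0.05, parent=dept)
    return root, dept, leaf


# Constructed sample events: (time in seconds, source host, event type).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.7", "port_scan"),
    (5.0, "10.0.0.7", "failed_login"),
    (8.0, "10.0.0.7", "buffer_overflow"),
    (400.0, "10.0.0.9", "port_scan"),
]


def run(events, kill_root_at: Optional[float] = None):
    """Replay events at the leaf; optionally take the root node down at a given time."""
    root, dept, leaf = build_tree()
    for t, src, kind in events:
        if kill_root_at is not None and t >= kill_root_at:
            root.alive = False
        leaf.report(t, src, kind)
    return root, dept, leaf


if __name__ == "__main__":
    for node in run(SAMPLE_EVENTS):
        print(f"{node.name}: level={node.level:.2f} alarms={node.alarms}")
    root, dept, _ = run(SAMPLE_EVENTS, kill_root_at=6.0)
    print(f"root down: root alarms={root.alarms}, dept alarms={dept.alarms}, dropped={dept.dropped}")
```

With the sample events, the subnet tier alarms first (the correlated login failure at t=5 pushes it over its threshold), the two upper tiers alarm only when the heavier buffer-overflow weight arrives at t=8, and the lone scan at t=400 finds every level decayed back to zero. Taking the root down before t=8 leaves the subnet and department tiers alarming exactly as before; only the enterprise-level escalation is lost, which is the reduced-capability survival the hierarchical scheme is meant to give.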
