Novel Intrusion Detection System using Mobile Agents and Data Mining Approaches

Intrusion Detection has been investigated for many years and the field has reached maturity. Nevertheless, important challenges remain, e.g., how an Intrusion Detection System (IDS) can detect new and complex distributed attacks. To tackle this problem, we propose a novel distributed intrusion detection system based on the desirable features provided by the mobile agent methodology. Our approach relies on: (i) a misuse detection mobile agent to detect known attacks, and (ii) an anomaly detection mobile agent to detect novel kinds of attacks. Based on data mining techniques, this agent provides high accuracy in predicting different behaviors in networked computers. The experiments carried out showed the efficiency of data mining approaches integrated with mobile agent technology.

With the rapid growth of the Internet, security-relevant incidents have increased. In addition, cracking technology has evolved into complex approaches such as coordinated and cooperative attacks. Under these circumstances, there is a great need for software tools that can automatically detect a variety of intrusions. As an important gatekeeper of the network, an Intrusion Detection System (IDS) must be able to detect and defend against intrusions more proactively and in a shorter period. Basically, two intrusion detection strategies can be distinguished: anomaly detection and misuse detection [3]. Anomaly detection systems monitor the system and try to decide whether its behavior is normal or not. This is achieved by keeping profiles of normal user behavior. To detect abnormal activity, the predefined profiles are compared with the actual ones in use; a deviation activates an alarm. Anomaly detection techniques can therefore be effective against unknown or novel attacks, since no prior knowledge about a specific intrusion is required. However, they tend to generate more false alarms, because an anomaly may simply be a new but legitimate behavior. In contrast, misuse detection systems search for known attack signatures. A signature is a trail of a known attack; for example, it may be a specific series of bits in the header of an IP packet. A weakness of these systems is that they are not effective against novel attacks that have no matching signature. In addition, once a new attack is discovered and its signature developed, there is often a substantial latency before the signature is deployed.
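The following is an added example, not code from the paper or its authors, that puts the two strategies described above side by side: a misuse detector that matches byte patterns at fixed offsets in an IPv4 header, and an anomaly detector that keeps a per-user profile (mean and standard deviation of an activity feature) and raises an alarm when an observation deviates too far from it. The signatures, the header builder, the user names and the activity values are all constructed for this example; the "suspicious" header values are assumptions and do not correspond to any real attack signature.

```python
import statistics
import struct

# ---- Misuse detection ------------------------------------------------------
# A signature is a byte pattern expected at a fixed offset in the IPv4 header.
# Both signatures are CONSTRUCTED for this example (assumption), not real ones.
SIGNATURES = {
    # offset 6..7 = flags + fragment offset; 0x3fff is assumed "unexpected" here
    "constructed-sig-1": (6, b"\x3f\xff"),
    # offset 9 = protocol; 253 is reserved for experimentation (RFC 3692),
    # assumed not to be legitimate on this network
    "constructed-sig-2": (9, b"\xfd"),
}


def misuse_alarm(ip_header: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern appears at its offset."""
    hits = []
    for name, (offset, pattern) in signatures.items():
        if ip_header[offset:offset + len(pattern)] == pattern:
            hits.append(name)
    return hits


def make_ipv4_header(src: bytes, dst: bytes, proto: int = 6,
                     flags_frag: int = 0x4000, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at zero) as test input."""
    version_ihl = 0x45          # IPv4, 5 x 32-bit words
    return struct.pack("!BBHHHBBH4s4s",
                       version_ihl, 0, 20, 0x1234, flags_frag,
                       ttl, proto, 0, src, dst)


# ---- Anomaly detection -----------------------------------------------------
def build_profile(history: dict[str, list[float]]) -> dict[str, tuple[float, float]]:
    """Summarise each user's normal behaviour as (mean, population stdev) of a feature."""
    return {user: (statistics.fmean(vals), statistics.pstdev(vals))
            for user, vals in history.items()}


def anomaly_alarm(profiles: dict[str, tuple[float, float]], user: str,
                  value: float, threshold: float = 3.0) -> bool:
    """Alarm when `value` lies more than `threshold` stdevs from the user's profile."""
    if user not in profiles:
        return True                 # no profile at all: nothing to compare against
    mean, sd = profiles[user]
    sd = sd or 1e-9                 # guard against a zero-variance profile
    return abs(value - mean) / sd > threshold


if __name__ == "__main__":
    # Constructed training data: connections per minute for one user
    profiles = build_profile({"alice": [10, 12, 11, 9, 13, 10, 11, 12]})
    for observed in (11, 15, 20):
        print("alice", observed, "-> alarm" if anomaly_alarm(profiles, "alice", observed)
              else "-> normal")
    # 15 is flagged although it may just be a busier-than-usual but benign day:
    # this is the false-alarm tendency the text describes.

    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
    print(misuse_alarm(make_ipv4_header(src, dst)))                     # []
    print(misuse_alarm(make_ipv4_header(src, dst, flags_frag=0x3fff)))  # one hit
```

The z-score profile stands in for whatever model a real anomaly agent would learn; the point the example makes is structural: the misuse side can only ever report names it already knows, while the anomaly side reports deviations whether or not they are attacks.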
