Computer Science, School of System and Technology, UMT
Abstract—In the past few years, technology has become far more accessible. Many online services are now available, and their number is increasing day by day. Alongside this advancement, hacking tools and new techniques for intruding into systems have been developed, so there is a need for an effective intrusion detection system that can help protect those services and the data or information they hold. This paper is a review of the intrusion detection techniques and architectures that are currently available. In addition, I propose an architecture based on dynamic agents.
Keywords: Intrusion detection; Network Security; Intelligent Agents; Dynamic Agent Approach; Web
I. Introduction
Nowadays technology has become so portable and easy to use that almost every company, whether a small firm or a multinational, is trying to provide services to its customers via the web and the internet [3]. In this way more and more customers are being attracted to internet services. Keeping this in mind, someone with malicious aims may try to access the customers' data or the company's data on the internet, and having gained access may make it unavailable or make unwanted changes to it, which may result in loss for the company or the individual.
Networks are becoming more complex day by day, which makes it hard to identify the unwanted intrusions that are carried out in various ways. Intrusion detection systems (IDS) were developed for this purpose: not only to detect intrusions but also to take suitable action against them. With the passage of time, new ways of implementing networks and making them easier to use are introduced, and whenever a new technology is introduced there is a chance of security breaches. While providing services via the internet, security is one of the main concerns for companies and organizations. Day by day newer and more intelligent intrusion detection systems are being developed, yet intrusion detection is also becoming increasingly difficult. There is a need for an efficient intrusion detection system that can detect and resist unwanted activities on its own.
Keeping these features and requirements in mind, agent-based systems are widely acknowledged and appreciated. Agent-based detection is a much-needed technology and could be an alternative to the conventional intrusion detection system [5].
A lot of work has been done on the agent-based intrusion detection approach. One thing to keep in mind is that not all issues are addressed by a single architecture; every architecture is best in certain respects. This is also a very hot topic in the fields of network security and information security, and numerous papers have been written to deal with it.
Section 2 contains a literature review of current work, in which I discuss a few very important techniques. In section 3 I introduce an idea for an architecture. Conclusions and future directions are given in sections 4 and 5 respectively, and sections 6 and 7 consist of the acknowledgment and the references.
II. Literature Review
In this section I focus on the notable work that has been done to detect and resist intrusions. There are many proposed solutions and architectures, as many researchers are working on this, and with the passage of time new concerns arise that motivate researchers to work further in this area.
[1] A multi-agent-based IDS is an IDS built from autonomous agents. It consists of a detection agent, a response agent, an evidence agent, a prevention agent and interface agents, whose functions follow from their names. The detection agent detects malicious activity around the hosts. Once an intrusion has been detected, it is the core responsibility of the response agent to act on it. Since the same intrusions may recur, evidence such as deletion of data, modification of data and how the intrusion was carried out is collected by the evidence agent, in order to train the agents and prevent such intrusions in the future. Prevention is the task of the prevention agent, and taking care of the interface is the task of the interface agent. All these agents work together in order to avoid intrusions.
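The division of labour among these agents can be made concrete with a small simulation. The following Python is an added example written for this review, not code from the cited paper: a detection agent applies an assumed brute-force rule to constructed sshd-style log lines, an evidence agent records each alert, a response agent acts by adding the source to a blocklist, and a prevention agent uses that blocklist to keep further traffic from the source away from detection altogether. The class names mirror the agent roles above; the rule, threshold, log format and sample lines are assumptions of this example.

```python
"""Toy multi-agent IDS with detection, response, evidence and prevention agents.
Constructed example for this review: the agent roles follow the description
in the text, while the rule, log format, threshold and sample lines are assumed."""
import re
from collections import Counter, defaultdict

# Constructed sshd-style log lines (not real data): one source brute-forces
# root and eventually succeeds; a second source fails only once.
SAMPLE_LOG = [
    "Jan 10 10:00:01 host1 sshd[100]: Failed password for root from 203.0.113.5 port 50001",
    "Jan 10 10:00:02 host1 sshd[101]: Failed password for root from 203.0.113.5 port 50002",
    "Jan 10 10:00:03 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 50003",
    "Jan 10 10:00:04 host1 sshd[103]: Failed password for root from 203.0.113.5 port 50004",
    "Jan 10 10:00:05 host1 sshd[104]: Accepted password for root from 203.0.113.5 port 50005",
    "Jan 10 10:01:00 host1 sshd[105]: Failed password for bob from 198.51.100.7 port 40001",
    "Jan 10 10:05:00 host1 sshd[106]: Failed password for root from 203.0.113.5 port 50006",
]

AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
SRC_RE = re.compile(r" from (\S+)")


class DetectionAgent:
    """Assumed rule: N failed logins from one source is brute force, and a
    success from a source already past the threshold is a likely compromise."""
    def __init__(self, failed_threshold=3):
        self.failed_threshold = failed_threshold
        self.failures = Counter()

    def inspect(self, line):
        m = AUTH_RE.search(line)
        if not m:
            return None
        outcome, user, src = m.groups()
        if outcome == "Failed":
            self.failures[src] += 1
            if self.failures[src] == self.failed_threshold:
                return {"type": "bruteforce", "src": src, "user": user, "line": line}
        elif self.failures[src] >= self.failed_threshold:
            return {"type": "login_after_bruteforce", "src": src, "user": user, "line": line}
        return None


class PreventionAgent:
    """Holds the blocklist; lines from a blocked source never reach detection."""
    def __init__(self):
        self.blocked = set()

    def allows(self, line):
        m = SRC_RE.search(line)
        return not (m and m.group(1) in self.blocked)


class ResponseAgent:
    """Acts on alerts: here the only action is adding the source to the blocklist."""
    def __init__(self, prevention):
        self.prevention = prevention
        self.actions = []

    def respond(self, alert):
        self.prevention.blocked.add(alert["src"])
        self.actions.append(("block", alert["src"], alert["type"]))


class EvidenceAgent:
    """Keeps what was seen per source so a repeat intrusion can be recognised."""
    def __init__(self):
        self.store = defaultdict(list)

    def record(self, alert):
        self.store[alert["src"]].append(alert)


def run_pipeline(lines, threshold=3, prevent=True):
    """Run the agents over the log; prevent=False shows what detection alone sees."""
    prevention = PreventionAgent()
    detection = DetectionAgent(threshold)
    response = ResponseAgent(prevention)
    evidence = EvidenceAgent()
    dropped = 0
    for line in lines:
        if prevent and not prevention.allows(line):
            dropped += 1                      # prevented before detection ran
            continue
        alert = detection.inspect(line)
        if alert:
            evidence.record(alert)            # collect evidence first
            response.respond(alert)           # then act on it
    return {"actions": response.actions, "evidence": dict(evidence.store), "dropped": dropped}


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LOG))
    print(run_pipeline(SAMPLE_LOG, prevent=False))
```

With prevention active, the source is blocked at the third failure and its later lines, including the successful login, are dropped before detection sees them; with `prevent=False` the detection agent instead raises a second alert for the login that follows the brute force, which is the case the evidence agent is meant to remember.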
[2] Another architecture for autonomous agents, explained in another paper, consists of agents, transceivers and monitors. Here the task of the agents is to keep an eye on different aspects of a host, looking for malicious behaviour that may lead to an attack. On identifying anything of the kind, an agent reports it to the transceiver. The transceiver has the most important role in this process: it collects the reports from the agents, evaluates them and generates an alarm if needed. Monitors also have a control and data-processing role, but the main difference between monitors and transceivers is that monitors can control objects present on several hosts, while transceivers work only at the level of the local host. The figures below illustrate this.
[3] In another paper a distributed intrusion detection system using mobile agents is introduced. It uses software entities, called mobile agents, that move from one host to another and work on an aggregation and correlation strategy. It is named the DIDMA architecture and was designed with portability, scalability and flexibility in mind. The components of DIDMA are: Static Agents (SA), Mobile Agents (MA), Mobile Agent Dispatcher (MAD), VHL, Alerting Agent (AA) and the IDS console. The VHL is a sub-component of the MAD.
[4] In another paper, researchers proposed a new approach with the aim of developing a fully distributed and decentralized intrusion detection and response system, called IDReAM. This system works on principles drawn from solutions found in nature.
III. Proposed work
In order to understand the proposed architecture we need to understand a few things, which are as follows.
Agent rules: the set of rules used to find abnormal behaviour in the network, in order to detect an intrusion or respond to it.
Agent goals: the list of the agent's goals. It could be long term and
Agent clustering: agents are assigned to a specific cluster to detect or respond to intrusions.
Data model: a database of the whole network which saves the history of intrusions in the network, the goals of the agents, the rules for the agents, and the instructions that are updated with the passage of time and with environmental changes.
This architecture is based on dynamically changing clusters (each cluster containing a number of hosts), driven by the probability of intrusion detection or response on each host. This lets us dynamically increase or decrease the number of agents in a cluster according to that probability.
The architecture has a data model which saves the rules and goals of the agents. Each cluster's activity is saved to the data model, which then updates the goals and rules for detecting or responding to intrusions.
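A worked round of this allocation shows what "dynamic" means in practice. The following Python is an added example for this review and not an implementation from the paper: a data model keeps the agent rules, agent goals and per-host intrusion history; each host's intrusion probability is estimated from that history (a smoothed alert rate, an assumption of this example, computed exactly with fractions so rounding ties are deterministic); agents are then split across clusters in proportion to each cluster's summed probability, keeping at least one agent per cluster so no cluster goes unwatched, and the data model rewrites its goals after each round. Cluster names, the probability estimate, the allocation rule and the window figures are all constructed.

```python
"""Dynamic agent allocation across host clusters. Constructed example of the
proposed dynamic-agent architecture: the probability estimate, allocation rule,
data model layout and window figures are assumptions of this example."""
from collections import defaultdict
from fractions import Fraction


class DataModel:
    """Network-wide store: agent rules, agent goals and per-host intrusion history."""
    def __init__(self, rules, goals):
        self.rules = list(rules)
        self.goals = list(goals)
        self.history = defaultdict(list)   # host -> [(alerts, events_inspected), ...]

    def record(self, host, alerts, inspected):
        """A cluster reports one observation window for one of its hosts."""
        self.history[host].append((alerts, inspected))

    def intrusion_probability(self, host, prior_alerts=1, prior_events=10):
        """Smoothed alert rate (alerts + 1) / (events + 10): an assumed prior so an
        unseen host starts at 1/10 rather than 0. Exact arithmetic via Fraction."""
        alerts = sum(a for a, _ in self.history[host]) + prior_alerts
        events = sum(n for _, n in self.history[host]) + prior_events
        return Fraction(alerts, events)

    def refresh_goals(self, allocation):
        """Update the agents' goals so the busiest cluster is named explicitly."""
        busiest = max(allocation, key=allocation.get)
        self.goals = [g for g in self.goals if not g.startswith("prioritise:")]
        self.goals.append(f"prioritise:{busiest}")


def allocate_agents(data_model, clusters, total_agents, min_per_cluster=1):
    """Split total_agents across clusters in proportion to the sum of their hosts'
    intrusion probabilities (largest-remainder rounding), keeping min_per_cluster
    agents everywhere so a quiet cluster is never left blind."""
    weights = {c: sum(data_model.intrusion_probability(h) for h in hosts)
               for c, hosts in clusters.items()}
    total_weight = sum(weights.values())
    spare = total_agents - min_per_cluster * len(clusters)
    if spare < 0:
        raise ValueError("not enough agents for the minimum per cluster")
    shares = {c: spare * w / total_weight for c, w in weights.items()}
    alloc = {c: min_per_cluster + int(shares[c]) for c in clusters}
    leftover = spare - sum(int(s) for s in shares.values())
    # Hand the rounding leftovers to the clusters with the largest fractional share.
    for c in sorted(shares, key=lambda c: shares[c] - int(shares[c]), reverse=True)[:leftover]:
        alloc[c] += 1
    data_model.refresh_goals(alloc)
    return alloc


def scenario():
    """Two allocation rounds: before and after the DMZ starts producing alerts."""
    clusters = {"dmz": ["web1", "web2"], "office": ["pc1", "pc2", "pc3"], "db": ["db1"]}
    dm = DataModel(rules=["ssh_bruteforce", "port_sweep"], goals=["detect", "respond"])
    first = allocate_agents(dm, clusters, total_agents=12)
    # Constructed window results reported per host: (alerts, events inspected).
    for host, alerts, inspected in [("web1", 30, 100), ("web2", 10, 100),
                                    ("pc1", 0, 100), ("pc2", 0, 100), ("pc3", 0, 100),
                                    ("db1", 0, 50)]:
        dm.record(host, alerts, inspected)
    second = allocate_agents(dm, clusters, total_agents=12)
    return first, second, dm.goals


if __name__ == "__main__":
    print(scenario())
```

With no history every host has the same prior, so the 12 agents are spread by cluster size (4, 6, 2). After one window in which only the DMZ hosts raise alerts, the same 12 agents move to 9, 2 and 1, and the data model's goals now name the DMZ as the priority; the next window's reports would shift them again.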
IV. Conclusion
In this literature survey, a number of intrusion detection mechanisms and techniques have been discussed from different perspectives. Intrusions are carried out using different methods, so it is only to be expected that different methods are needed to detect these different types of intrusion. No single detection method works best for every situation.
As shown in the previous sections, intrusion detection is nowadays a hot research issue in the network and information security world, opening new problems and lines of investigation. Intrusion detection also poses new challenges in the web application world because of the amount and the complexity of the data to be processed.
V. Future Directions
In my architecture, actions are taken using knowledge that is already present; an agent cannot work on its own, and this is something I would like to work on. Also, my architecture can access all the information, including unwanted information, and this is not a good approach.
VI. Acknowledgment
I would like to thank an old class fellow who helped me when needed. Moreover, there were some confusions which were cleared up by my colleagues. I would also like to thank Dr. Usman Hashmi, Professor at Superior University, for preparing me for this much effort; I can say that without him it would not have been possible for me to write this paper. Mudassir Hamid, IT Head at Din News, also helped me a lot with his knowledge and experience, and I am thankful for his time and effort.
VII. References
[1] P. Kannadiga and M. Zulkernine, "DIDMA: A distributed intrusion detection system using mobile agents," in Sixth International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing and First ACIS International Workshop on Self-Assembling Wireless Network, 2005,
[2] G. Helmer, J. S. K. Wong, V. Honavar, L. Miller, and Y. Wang, "Lightweight agents for intrusion detection," Journal of Systems and Software, vol. 67, no. 2, pp. 109–122, Aug. 2003.
[3] J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. Spafford, and D. Zamboni, "An architecture for intrusion detection using autonomous agents," in Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217), 1998, pp. 13–24.
[4] N. Foukia, "IDReAM: Intrusion Detection and Response Executed with Agent Mobility Architecture and Implementation," in Proceedings of the Fourth International Joint Conference on Autonomous Agents and Multiagent Systems, New York, NY, USA, 2005, pp. 264–270.
[5] E. Mosqueira-Rey, A. Alonso-Betanzos, B. Guijarro-Berdinas, D. Alonso-Rios, and J. Lago-Pineiro, "A Snort-based agent for a JADE multi-agent intrusion detection system," International Journal of Intelligent Information and Database Systems, vol. 3, no. 1, pp. 107–121, Jan.