
Intrusion Forecasting System


By: Surya Kumari Govindu, 03/15/2005



Abstract



Security is a challenging issue for any organization. Malicious users are developing new techniques of intrusion, while the software that guards against them remains rooted in traditional centralized techniques, presenting an easily targeted single point of failure. This paper discusses the present state of Intrusion Detection Systems and their drawbacks. It highlights the need to develop an Intrusion Forecasting System, which is the future of intrusion detection systems. It also explores the possibility of bringing intelligence to the Intrusion Forecasting System by using mobile agents that move across the network and use forecasting techniques to predict the behavior of the user. The paper also discusses our proposed intrusion forecasting system and the techniques to be used in implementing it.

Key Terms: Intrusion Forecasting Systems, Intelligent Mobile Agents, Markov model and forecasting techniques.


1. Introduction



An Intrusion Detection System, as the name suggests, detects possible intrusions [1]. An IDS installed on a network is like a burglar alarm system installed in a house. Through various methods, both detect when an intruder/attacker/burglar is present, and both issue some type of warning when a burglar or intrusion is detected. IDSs are usually classified [2] as host-based or network-based. Host-based systems base their decisions on information obtained from a single host (usually audit trails), while network-based systems obtain data by monitoring the traffic in the network to which the hosts are connected.

There are two general methods of detecting intrusions to computer and network systems: anomaly detection and signature recognition [1-9]. Anomaly detection techniques establish a profile of the subject's normal behavior (norm profile), compare the observed behavior of the subject with its norm profile, and signal intrusions when the subject's observed behavior differs significantly from its norm profile. Signature recognition techniques recognize signatures of known attacks, match the observed behavior against those known signatures, and signal intrusions when there is a match.


2. Present State of the Art



It is impossible to completely protect a network from attacks. Not every system administrator always installs every security patch on every computer. Even heavily defended networks are sometimes penetrated, and an IDS is a key component and an important tool in computer and network security.

The drawbacks of the intrusion detection systems available today are:
  1. Most of the present Intrusion Detection Systems are passive and static. It is difficult to reconfigure or add capabilities to the IDS. Changes and additions are usually done by editing a configuration file, adding an entry to a table or installing a new module. The IDS usually has to be restarted to make the changes take effect.
  2. Network security is typically assigned to a single central security monitor. The failure of this central security monitor will render the system unable to perform security testing and vulnerable to attack [5,6]. If an intruder can somehow prevent it from working (for example, by crashing or slowing down the host where it runs), the whole network is without protection.
  3. Scalability is limited. Processing all the information at a single host implies a limit on the size of the network that can be monitored. After that limit the central analyzer becomes unable to keep up with the flow of information. Distributed data collection can also cause problems with excessive data traffic in the network.

2.1 Intrusion Prevention System


An Intrusion Prevention System (IPS) is like an armed burglar alarm system: an IPS is active and protects the system from an attack rather than just detecting it. Nowadays IDSs are being replaced by IPSs. As each packet comes into the system, it is deeply analyzed and a "go/no-go" decision is made as to whether it should be allowed to continue on to its destination. If the packet is malicious, it is dropped and is never even seen by the victim. The software-based heuristic approach, the sandbox approach, the hybrid approach and the kernel-based protection approach [7] are some of the approaches used in IPSs.

IPSs have drawbacks too. If they detect abnormal behavior from a network, they also block legitimate traffic coming from that network. In a passive configuration, the IPS sees the attack at the same time that the victim does, so the damage is often already done by the time the reset is sent [8]. One of the defining actions of an intrusion prevention system is that it actively blocks actions it determines to be malicious. What if the action was actually a valid action by your application? It would cause the application to malfunction or fail. For example, the very act of blocking system calls can prevent systems from operating properly, especially if the systems are very dynamic in nature. Another downside to the intrusion prevention movement is the cost. Many of these tools cost a lot more than their intrusion detection cousins, since they are more advanced and represent a more significant investment in research and development [9].

A simple question that will arise is: how can an Intrusion Prevention System possibly detect every single unknown attack? Hence the future of intrusion detection lies in developing an Intrusion Forecasting System. Continuing with the analogy we have been using so far in this paper, an Intrusion Forecasting System is like giving a list of criminals' pictures to an armed burglar alarm system.

Intrusion Forecasting Systems of the future must be able to forecast the probability of intrusions using intelligent agents. Prediction techniques can protect systems from new security breaches that result from unknown methods of attack. In an attempt to develop such a system, we propose an architecture for an Intrusion Forecasting System using mobile intelligent agents.


3. Proposed Architecture of Our Intrusion Forecasting System





The architecture of our Intrusion Forecasting System consists of a Security Policy Manager, which specifies the security rules of the network. If a user violates any defined security rule, the policy manager ensures that the server agent updates the user profile with a record of the violation and forecasts an attack on the system depending on the severity of the violation.

The server agents have a predictor, which predicts the user's behavior for the next session using statistical methods. Here, we use a Markov model to forecast the behavior of the user for the next session. The predictor communicates with the mobile agents using communication threads. Each mobile agent has a sensor that monitors the various software applications being run by the user; the sensor also collects information about the user's activities. The profile reader fetches the user's history profile from the server.

Agents move from one node to another in the network, carrying data and security-relevant information. As agents are mobile, they reside on only one node at any point in time, and agent proxies represent them on the other nodes. Agents can travel to nodes based on the time of their last visit or a predefined schedule, based on the network load or a host's computational load, or based on messages received from another agent. Agents can also decide on their own what path to take and what actions to perform as they gather data from the nodes they visit. If an intruder blocks the hosting capability of a node, the agent can go to another host and report the problem.

Cooperating agents can help reconfigure the network to deny network services to certain nodes until they have been confirmed to be in a safe state. Agents can monitor network events and cooperate with other agents. For example, if an agent detects suspicious activity on one computer and notifies the rest of the network, the other computers may decide to challenge the suspicious node by withdrawing its rights to mount some files it previously had access to, by denying it certain network services, or by reconfiguring the network until the suspicious node returns to a safe state. The ability of mobile agents to travel, cooperate and communicate makes it much more difficult for an intruder to disable or circumvent security monitoring, and the network is not vulnerable to a single point of failure.

Here we use application usage for prediction; the methods used can be easily applied to any monitor. The system provides a one-step prediction: based on the current behavior, the system's state is predicted for the next fixed time interval.
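The following is an added illustration, not code from the paper, of the one-step Markov prediction over application usage described above: a first-order Markov chain is estimated from a user's past sessions (the norm profile), the distribution over the next application is predicted from the current one, and transitions whose probability falls below a threshold are reported as deviations from the profile. The session format, application names and the 0.1 threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample history: each inner list is one past session, recorded
# as the sequence of applications the sensor observed the user running.
HISTORY = [
    ["mail", "browser", "editor", "browser", "mail"],
    ["mail", "editor", "editor", "browser"],
    ["browser", "mail", "editor", "browser"],
]


def train_transitions(sessions):
    """Estimate a first-order Markov model P(next_app | current_app).

    Transition counts are accumulated over every consecutive pair in
    every past session and then normalised per current application."""
    counts = defaultdict(Counter)
    for session in sessions:
        for current, nxt in zip(session, session[1:]):
            counts[current][nxt] += 1
    model = {}
    for current, next_counts in counts.items():
        total = sum(next_counts.values())
        model[current] = {app: n / total for app, n in next_counts.items()}
    return model


def predict_next(model, current_app):
    """One-step prediction: probability distribution over the next
    application given the one currently in use (empty if unseen)."""
    return model.get(current_app, {})


def transition_probability(model, current_app, next_app):
    """Probability the profile assigns to a single observed transition;
    a transition never seen in the history scores 0.0."""
    return model.get(current_app, {}).get(next_app, 0.0)


def forecast_deviations(model, observed_session, threshold=0.1):
    """Walk a newly observed session and return (current, next, p) for
    every transition whose probability under the norm profile is below
    the threshold; these are the points a server agent would flag."""
    deviations = []
    for current, nxt in zip(observed_session, observed_session[1:]):
        p = transition_probability(model, current, nxt)
        if p < threshold:
            deviations.append((current, nxt, p))
    return deviations
```

With the sample history, `predict_next(model, "editor")` gives browser 0.75 and editor 0.25, and a session introducing an application never seen in the profile yields zero-probability transitions that are reported as deviations.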




Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget