CIDS: An agent-based intrusion detection system

D. Dasgupta*, F. Gonzalez, K. Yallapu, J. Gomez, R. Yarramsettii

Intelligent Systems Research Laboratory, Division of Computer Science, The University of Memphis, Memphis, TN 38152, United States

Received 1 July 2003; revised 6 October 2004; accepted 21 January 2005

Computers & Security (2005), Elsevier Ltd. Uncorrected proof (COSE115_proof, 3 March 2005). doi:10.1016/j.cose.2005.01.004. www.elsevier.com/locate/cose

* Corresponding author. E-mail address: [email protected] (D. Dasgupta).

KEYWORDS: Security agents; Cougaar; Plugin; Intrusion detection; Decision support

Abstract

The paper describes a security agent architecture, called CIDS, which is useful as an administrative tool for intrusion detection. Specifically, it is an agent-based monitoring and detection system, developed to detect malfunctions, faults, abnormalities, misuse, deviations and intrusions, and to provide recommendations (in the form of a common intrusion detection language). CIDS can simultaneously monitor networked-computer activities at multiple levels (user to packet level) in order to find correlations among the deviated values (from the normal or defined policy) and so determine specific security violations. The current version of CIDS (CIDS 1.4) has been tested with different simulated attacks in an isolated network, and some of those results are reported here.

© 2005 Elsevier Ltd. All rights reserved.

Introduction

With the growing use of Internet applications and automated scripts, it has become very difficult to keep track of all cyber activities. While it is hard to track each and every application, in particular the most exploitable ones such as Active scripting (JScript, VBScript), ActiveX, Outlook, Outlook Express, etc., it is possible to monitor their effects on the system and its resources. Moreover, it is necessary to efficiently analyze monitored network data for faster attack detection and response. Intrusion/anomaly detection (Anderson, 1980; Denning, 1987; Dunlap and Dasgupta, 2002; Krügel and Toth, 2001; Roesch, 1999; Chari and Cheng, 2003) is an important part of network security.

There are many intrusion detection systems (IDS) commercially available. A detailed survey and taxonomy of practical IDSs may be found in the literature (Allen et al., 2000; Debar et al., 1999). Some are anomaly based and others are signature based. Security researchers have also formed working groups to develop a common framework, methodology and description language for intrusion detection systems (Lee and Stolfo, 2000; Porras et al., 1998; Intrusion Detection Message Exchange Format). Recent works on building next generation intrusion detection systems highlight new areas of research, which include artificial intelligence (Dasgupta and Gonzalez, 2002; Gomez and Dasgupta, 2002; Lane and Brodley, 1999; Warrender et al., 1999), data mining (Lee et al., 2000; Lee and Stolfo, 1998), statistical techniques (Denning, 1987; Porras and Neumann, 1997), agent frameworks (Asaka et al., 1999a; Helmer et al., 2002), etc. There are many approaches used in agent technologies, such as autonomous agents (Balasubramaniyan et al., 1998; Barrus and Rowe, 1998; Crosbie and Spafford, 1995), intelligent agents (Carver et al., 2000; Helmer et al., 1998) and mobile agents (Asaka et al., 1999b; Bernardes and Santos, 2000; Dasgupta, 1999; Jansen et al., 1999; Jansen et al., 2000; Jazayeri and Lugmayr, 2000; Krügel and Toth; Queiroz et al., 1999; Brian and Dasgupta, 2001) for distributed intrusion detection.

For example, an intrusion detection system using autonomous agents employs a hierarchical architecture called AAFID (Balasubramaniyan et al., 1998). This architecture is composed of agents at the lowest level, which perform data collection and analysis tasks; transceivers and monitors constitute the major components of the IDS. Each host has an agent performing the monitoring activity and reporting any abnormality to the transceivers. Transceivers are used to control these agents and they report the results to the monitors. These monitors then perform high-level correlation among several hosts and thus across the entire network. An extension of the AAFID work uses intelligent agents, and is capable of detecting attacks in a timely manner.

Work reported in Brian and Dasgupta (2001) applies mobile agents to network traffic analysis. It describes the mobile agent architecture used in a project called SANTA. Here, agents are applied at several levels of the hierarchy, and each agent performs individual tasks. The IDS uses on-line learning and subsequent detection of different kinds of attacks. It also describes the application of ART-2 neural networks in the decision support modules needed to make appropriate decisions. One of the mobile agents collects data from the network, which SANTA uses to analyze the network traffic.

This paper describes an autonomous agent system (called CIDS), which uses intelligent decision support modules for robust detection of anomalies and intrusions. CIDS (Cougaar-based Intrusion Detection System)¹ provides a hierarchical security agent framework, where a security node consists of four different agents (manager agent, monitor agent, decision agent and action agent). The activities of these agents are coordinated through the manager agent during sensing, communicating and generating responses. Each agent performs unique functions in coordination to address various security issues of the monitored environment.

¹ COUGAAR stands for cognitive agent architecture; it is open source software available at www.cougaar.org.

The decision agent consists of multiple intelligent decision support modules (such as a fuzzy inference module, a classifier system and a knowledge base) and a bidding system, in order to take a robust decision in case of any abnormality or intrusion. Since the differences between normal and abnormal activities are not distinct, but rather fuzzy, the fuzzy inference module can reduce false alarms in determining intrusive activities. The purpose of the fuzzy inference module is therefore to use imprecise and heuristic knowledge to determine the appropriate response.

In our current implementation, the action agent reports the state of the monitored environment in IDMEF (Intrusion Detection Message Exchange Format). Accordingly, the action agent generates IDMEF objects that represent the intrusion/anomalous state, the diagnosis and the recommended actions. The purpose is to send these objects to other system management agents in order to take the necessary action, which may include: killing a process, disabling the access of a user who is a potential intruder, alerting the administrator about the intrusion, etc.

Cougaar: a cognitive agent architecture

The Cougaar software was initially developed under DARPA sponsorship for the purpose of military logistics and is now available as open source (Cougaar). Cougaar is an excellent software architecture that enables building distributed agent-based applications in a manner that is powerful, expressive, scalable and maintainable. Cougaar is a large-scale workflow engine built on a component-based, distributed agent architecture. The agents can communicate with one another through a built-in asynchronous message passing protocol. Cougaar agents cooperate with one another to solve a particular problem, storing the shared solution in a distributed fashion across the agents. Cougaar agents are composed of related functional modules, which are expected to dynamically and continuously rework the solution as the problem parameters, constraints, or execution environment change.


Agents are the prime components in the Cougaar architecture. An agent consists of two major components: a distributed blackboard (called the Plan) and Plugins. Each blackboard contains elements such as tasks, assets and plan elements. Plugins are self-contained software components (compute engines) that can be loaded dynamically into agents. Plugins interact with the agent infrastructure according to a set of rules and guidelines (as binders), and provide unique capabilities and behavior to complete given tasks. Plugins talk to the plan through the blackboard to perform agent operations, and operate by publishing and subscribing to objects on the plan. Plugins bring functionality to the agent, while the society of agents (Node) provides structure and order of operations. Agents can also have special Plugins called plan service plugins (PSP). Programmers can develop HTML/standalone Java user interfaces that communicate with PSPs, although in the latest Cougaar versions the PSPs are replaced with servlets. Also, in the new versions of Cougaar, the communication among the agents is encrypted, making it secure.

Cougaar-based security agent infrastructure

The Cougaar framework provides a nice base agent architecture, which we used to develop a distributed security agent system, called CIDS. In CIDS, a security node consists of four different agents (as shown in Fig. 1): Manager Agent, Monitor Agent, Decision Agent and Action Agent, and a number of such nodes form a security community. The advantage of having an individual agent for each functional module is to make future modifications easy. According to software engineering principles, it is advisable to modularize the different functionalities in a way that simplifies the development of a large software project.

In each node, the control flow mainly occurs between the Manager and the subordinate agents, to assign tasks and feed back accomplishments, while the data flow occurs among subordinate agents to transfer data. The control flow and data flow within a node and among various nodes use the same message passing mechanism that is provided by Cougaar. In the Java implementation, a particular class of objects is reserved for the control flow and a different class of objects is reserved for the data flow.

Security node society

The communication among communities is accomplished through Manager Agents. The purpose of these connections is to share information among different security nodes in a network (Fig. 2). The communications among various nodes use the same message passing mechanism that is provided by the Cougaar framework.

Figure 1 Security node with four agents. (Labels in the figure: Manager Agent, Monitor Agent, Decision Agent, Action Agent; Servlet, Coordinator PlugIn, Take Decision, Get Info, Exe., Data Collector, Anomaly Detection PlugIn, Message Receiver/Server, PSP PlugIn, Classifier Decision, Active Multilevel Domain Knowledge, Fuzzy Controller Decision, Bidding System, Action1, Action2, ..., Actionn; arrows marked Control and Information.)

Figure 2 Security agent community with three nodes. (Labels in the figure: Node 1, Node 2, Node 3, each with a Manager.)

Fig. 2 shows a symmetric arrangement of multiple security nodes, where one security node (with four agents) may be placed in each host in the subnet. However, the flexible security agent architecture may also allow asymmetric configurations, in particular putting a Monitor agent in one host and the remaining three agents in a different host (or hosts). The purpose may be to reduce the load on the crucial monitored machine, and/or to suit the needs and preferences of the organization.

Sequence of operations

In order to explain the operation of the multi-agent security system, we consider three different scenarios to illustrate the sequence of activation of these four agents under various operating conditions.

Example scenario

1. The user makes a request to start monitoring through the web interface (PSP in the Manager Agent). The Manager Agent receives the user request and sends the command (task) to the Monitor Agent (Fig. 3).

2. The Monitor Agent starts collecting multi-level information from the target system and tries to detect deviations from the normal.

3. If any deviation is detected, information on the deviated parameters is sent to the Decision Agent.

4. The Decision Agent processes the anomalies and uses the fuzzy inference engine to classify different anomalies/attacks through rules (generated previously using the normal profile).

5. The Action Agent receives the messages and creates appropriate IDMEF objects.

Detailed description and implementation

We implemented the proposed security agent community on the Cougaar framework, where each node consists of four agents to accomplish the security mission.

Figure 3 Example scenario: sequence of activation of different agents. (Labels in the figure: User Interaction, Start, Manager, Monitor, Decision, Action, TARGET SYSTEM, Anomaly Detected, Diagnosis and Recommendation, IDMEF Objects; steps 1 to 5.)


Manager (or master) agent

This agent coordinates the work of the other security agents. It sends tasks to subordinate agents and synchronizes the information flow. The Manager Agent also coordinates with other nodes (in the security society). The manager agent is made up of a sender messenger Plugin and a coordinator Plugin to communicate with other manager agents in the community; we also developed an HTML/Java user interface that sends and receives information from outside (Fig. 1). The messaging functionality is implemented by the sender messenger Plugin, which sends the commands to the intended Plugin in a specified agent.

This agent is responsible for controlling the other three agents and also for keeping in touch with agents in other nodes. The manager in one node may be asked to perform a particular task by a manager in another node. In the current implementation, it can send START/STOP signals to the Monitor Agent, commands to set the buffer size of the components in the different agents, or set the desired action level in the Action Agent. A snapshot of the Manager agent control panel is shown in Fig. 4.

Monitor agent

This agent collects information from the target system at multiple levels: packet level, process level and system level, and determines the correlation among the observed parameters in order to determine intrusive activities (Bass, 1999). For example, at user level it searches for unusual user behavior patterns; at system level it looks at resource usage such as CPU, memory, I/O use, etc.; at process level it checks for invalid or unauthenticated processes and priority violations; at packet level it monitors the number, volume and size of packets along with the source and type of connections. This allows the detection module to characterize the normal behavior, detect anomalies or deviations from the normal profile, and report them.

The Monitor agent is responsible for collecting the data from the system at regular intervals and analyzing them to detect deviations. The data collection is done by running shell scripts and checking various system files. Two Plugins implement the monitor agent functionality: Data Collector and Anomaly Detection. A PSP Monitor and a Messenger Plugin provide communication capabilities with other agents and the user.
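As an added illustration of the Monitor agent's data collection and deviation detection (not code from the paper or from CIDS), the following Python reads two constructed Linux /proc/net/dev snapshots, the kind of system file a Data Collector checks at each interval, turns the per-interval deltas into the network-level parameters named in Table 1, normalizes them to 0..1 against a constructed normal profile and flags deviations. The profile values, the min-max normalization over the range mean plus or minus three standard deviations, and the 3-sigma deviation threshold are assumptions; the paper does not state its own normalization or threshold.

```python
"""Monitor-agent style collection of network-level parameters and deviation
detection against a normal profile.  Added example, not CIDS code.
Assumptions: the /proc/net/dev snapshots and the normal profile are
constructed; the 0..1 normalisation (min-max over mean +/- 3 std) and the
3-sigma deviation threshold are our choices, not the paper's."""

# Two constructed /proc/net/dev snapshots taken 10 s apart (Linux layout:
# 8 receive columns, then 8 transmit columns, per interface).
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000000    8000    0    0    0     0          0         0  1000000    8000    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0  2000000   15000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000100    8001    0    0    0     0          0         0  1000100    8001    0    0    0     0       0          0
  eth0: 5540000   49000    0    0    0     0          0         0  2380000   24500    0    0    0     0       0          0
"""

# Constructed normal profile: (mean, std) of each per-interval counter,
# named as in Table 1.
NORMAL_PROFILE = {
    "LOCAL_RECEIVED_BYTES": (600000.0, 100000.0),
    "LOCAL_RECEIVED_PACKETS": (1200.0, 150.0),
    "LOCAL_SENT_BYTES": (400000.0, 80000.0),
    "LOCAL_SENT_PACKETS": (900.0, 120.0),
}


def parse_proc_net_dev(text, iface="eth0"):
    """Return the cumulative rx/tx byte and packet counters of one interface."""
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, _, rest = line.partition(":")
        if name.strip() != iface:
            continue
        f = rest.split()
        return {"rx_bytes": int(f[0]), "rx_packets": int(f[1]),
                "tx_bytes": int(f[8]), "tx_packets": int(f[9])}
    raise KeyError(f"interface {iface} not found")


def interval_counters(before, after):
    """Per-interval deltas, mapped onto the CIDS parameter names."""
    return {
        "LOCAL_RECEIVED_BYTES": after["rx_bytes"] - before["rx_bytes"],
        "LOCAL_RECEIVED_PACKETS": after["rx_packets"] - before["rx_packets"],
        "LOCAL_SENT_BYTES": after["tx_bytes"] - before["tx_bytes"],
        "LOCAL_SENT_PACKETS": after["tx_packets"] - before["tx_packets"],
    }


def normalize(value, mean, std):
    """Min-max scale over [mean - 3 std, mean + 3 std], clipped to [0, 1]."""
    lo, hi = mean - 3 * std, mean + 3 * std
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def detect_deviations(counters, profile=NORMAL_PROFILE, threshold=3.0):
    """Normalised value and deviation indicator for every profiled parameter."""
    report = {}
    for name, (mean, std) in profile.items():
        value = counters[name]
        z = (value - mean) / std                # standard score against the profile
        report[name] = {"value": value,
                        "normalized": normalize(value, mean, std),
                        "z": round(z, 2),
                        "deviated": abs(z) > threshold}
    return report


def deviated_parameters(report):
    """Names of the parameters whose deviation indicator is set."""
    return sorted(name for name, r in report.items() if r["deviated"])


if __name__ == "__main__":
    t0, t1 = parse_proc_net_dev(SNAPSHOT_T0), parse_proc_net_dev(SNAPSHOT_T1)
    for name, r in detect_deviations(interval_counters(t0, t1)).items():
        print(f"{name:24s} {r['value']:>8} norm={r['normalized']:.2f} "
              f"z={r['z']:>7} deviated={r['deviated']}")
```

In the second snapshot the byte counters stay inside the profile while both packet counters jump by an order of magnitude, so only LOCAL_RECEIVED_PACKETS and LOCAL_SENT_PACKETS are reported as deviated; this is the received-and-sent packet spike the paper later describes for its port scan test, and the normalized values (clipped to 1.0) are what a fuzzy decision module would consume.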

Decision agent

This agent is involved in making decisions based on the information received from other agents (specifically, the Monitor Agent). In particular, it determines the type of security violations that may occur based on the underlying security policies and recommends what to do when violations are detected.

Figure 4 Snapshot of Manager agent control panel.

Specifically, there are different decision support modules, which are specialized in dealing with various anomalous situations. To accomplish this task, the agent uses decision modules (implemented by Plugins) such as the Fuzzy Classifier System (FCS) and the Knowledge Base (KB). In order to decide the final response, a bidding system is implemented, where each module generates a bid along with its suggested action; the action with the largest bid is selected. It may be possible to use a weight vector to differentiate the importance and role of each module. Also, the bid value may represent the confidence of the decision in taking a particular response. The final decision is then passed to the Action/Response agent.

Domain knowledge Plugin

This Plugin provides a knowledge base of known attacks, which are stored as a set of condition-action rules. The rules represent expert and common sense knowledge as well as some system level policies. The Decision Agent receives the state of the system, represented by the parameter values sent by the monitor, whenever a deviation occurs. It also receives control signals from the manager agent.
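The bidding system and the condition-action knowledge base described above, as an added example in Python (not the CIDS Java Plugins): a knowledge-base module fires condition-action rules over parameters normalized to 0..1 and named as in Table 1, a generic deviation module bids on the largest observed deviation, and the bidding system applies a per-module weight vector and takes the action with the largest weighted bid. The module names, rules, weights, action names and sample states are constructed.

```python
"""Decision-agent bidding over decision modules (added example, not the CIDS
implementation).  Each module returns its recommended action with a bid; the
bidding system scales bids by a per-module weight vector and the action with
the largest weighted bid is taken.  Module names, condition-action rules,
weights, action names and the sample states are constructed; the parameter
names are those of Table 1."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, float]            # parameter name -> value normalised to [0, 1]


@dataclass(frozen=True)
class Bid:
    module: str
    action: str
    bid: float                      # the module's confidence in its recommendation


@dataclass(frozen=True)
class Rule:                         # one condition -> action entry of the knowledge base
    name: str
    condition: Callable[[State], bool]
    action: str
    confidence: float


# Domain knowledge module: known attack patterns as condition -> action rules.
KB_RULES: List[Rule] = [
    Rule("brute-force login",
         lambda s: s["FAILED_LOGINS"] > 0.8 and s["REMOTE_LOGINS"] > 0.5,
         "DISABLE_USER", 0.9),
    Rule("port scan",
         lambda s: s["LOCAL_RECEIVED_PACKETS"] > 0.9 and s["LOCAL_SENT_PACKETS"] > 0.9,
         "ALERT_ADMIN", 0.7),
    Rule("resource exhaustion",
         lambda s: s["USED_SWAP_RAM"] > 0.9 and s["PROCESSES_RUNNING"] > 0.9,
         "KILL_PROCESS", 0.8),
]


def knowledge_base_module(state: State) -> Optional[Bid]:
    """Fire the first rule whose condition holds; no bid if none does."""
    for rule in KB_RULES:
        if rule.condition(state):
            return Bid("knowledge_base", rule.action, rule.confidence)
    return None


def deviation_module(state: State) -> Optional[Bid]:
    """Generic module: once any parameter exceeds 0.8 it bids to alert the
    administrator, using the largest deviation as its confidence."""
    worst = max(state.values())
    return Bid("deviation", "ALERT_ADMIN", worst) if worst > 0.8 else None


MODULES = [knowledge_base_module, deviation_module]
WEIGHTS = {"knowledge_base": 1.0, "deviation": 0.6}   # importance of each module


def run_bidding(state: State, modules=MODULES, weights=WEIGHTS) -> Tuple[str, float, List[Bid]]:
    """Collect bids, weight them and return (action, winning weighted bid, all bids)."""
    bids = [b for b in (m(state) for m in modules) if b is not None]
    if not bids:
        return "NO_ACTION", 0.0, []
    # Highest weighted bid wins; on a tie the module listed first keeps it.
    best = max(bids, key=lambda b: weights.get(b.module, 1.0) * b.bid)
    return best.action, round(weights.get(best.module, 1.0) * best.bid, 3), bids


def make_state(**overrides) -> State:
    """A quiet state (every parameter at 0.1) with selected parameters raised."""
    base = {n: 0.1 for n in ("FAILED_LOGINS", "REMOTE_LOGINS", "LOCAL_RECEIVED_PACKETS",
                             "LOCAL_SENT_PACKETS", "USED_SWAP_RAM", "PROCESSES_RUNNING")}
    base.update(overrides)
    return base


if __name__ == "__main__":
    for s in (make_state(FAILED_LOGINS=0.95, REMOTE_LOGINS=0.7),
              make_state(LOCAL_RECEIVED_PACKETS=1.0, LOCAL_SENT_PACKETS=0.97),
              make_state()):
        print(run_bidding(s)[:2])
```

With the weights above a knowledge-base match outbids the generic module even when the generic module is more confident, which is the intended effect of the weight vector: a specific, expert-written rule is trusted more than a bare deviation. Dropping the knowledge base's weight below 0.6 would reverse that ordering for the first sample state.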

A classifier system is an adaptive learning system that evolves a set of action selection rules to cope with the environment. The condition-action rules are coded as fixed length strings (classifiers) and are evolved using a genetic search. These classifiers are evolved based on the security policy; this rule set forms a security model with which the current system environment needs to be compared.

Fuzzy inference Plugin

As the difference between normal and abnormal activities is not distinct, but rather fuzzy, this module can reduce the false signals in determining intrusive activities. The purpose of this Plugin is to use imprecise and heuristic knowledge to generate an appropriate response. The imprecise knowledge is represented using fuzzy logic; this allows representing vague concepts such as 'small', 'high', etc. A fuzzy knowledge base and a fuzzy inference engine provide the functionalities of this Plugin.

The Fuzzy Inference Plugin receives the monitored parameters and deviation indicators from the monitor agent. The values for these parameters are normalized between 0.0 and 1.0. The fuzzy knowledge is kept in XML files (fuzzy membership functions, fuzzy variables and fuzzy rules). The fuzzy engine loads the fuzzy knowledge before it starts the reasoning process. The fuzzy reasoning applies the fuzzy rules over the monitored values and deviation indicators and produces a diagnosis and recommendation, which are then sent to the action agent.

Figure 5 Display of different views of the fuzzy decision module. This interface has three panels: decision, rule, and data.

Figure 6 Illustration of the effect of attacks on monitored parameters.

The fuzzy inference component uses a set of rules (knowledge base) to identify the kind of anomaly and suggests a possible response. Also, the fuzzy inference module provides a set of tools that makes the knowledge specification process easier: linguistic variable definition with different membership functions, arbitrarily complex conditions for the rules, and the possibility of evolving the rules from training data (Fig. 5).

Fuzzy rules example

Rules:
R1: IF x is HIGH and y is LOW THEN action3
R2: IF x is MEDIUM HIGH and y is MEDIUM THEN action3
R3: IF x is MEDIUM and y is MEDIUM LOW THEN action1

Variable values: x is 0.7 and y is 0.3

Degrees of membership:
x in HIGH is 0.2, x in MEDIUM HIGH is 0.7 and x in MEDIUM is 0.3
y in LOW is 0.4, y in MEDIUM LOW is 0.8 and y in MEDIUM is 0.4

Rule truth values: R1 = 0.2, R2 = 0.4 and R3 = 0.3

Chosen Rule: R3
Conclusion: action3
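The worked example above carried out in Python, as an added example (not the CIDS Fuzzy Inference Plugin). The degrees of membership are taken from the page as given; AND is evaluated as min, OR as max and NOT as 1 - x (the standard Zadeh operators, assumed here because the paper does not name the operators its engine uses), and the rule with the largest truth value is chosen. The combinators go a little beyond the three rules: they also cover the "not" and OR forms used by the evolved rules in Table 3 later in the paper. Under max-truth selection the winning rule is R2 (0.4), whose consequent, action3, is the conclusion the page states.

```python
"""Fuzzy rule evaluation for the worked example (added example, not the CIDS
Fuzzy Inference Plugin).  Assumptions: AND is min, OR is max, NOT is 1 - x
(Zadeh operators; the paper does not name its engine's operators) and the
rule with the largest truth value is chosen."""
from typing import Callable, Dict, List, Tuple

Membership = Dict[str, Dict[str, float]]     # variable -> linguistic term -> degree
Cond = Callable[[Membership], float]

# Degrees of membership exactly as listed on the page for x = 0.7, y = 0.3
# (the membership functions that produced them are not shown there).
MEMBERSHIP: Membership = {
    "x": {"HIGH": 0.2, "MEDIUM HIGH": 0.7, "MEDIUM": 0.3},
    "y": {"LOW": 0.4, "MEDIUM LOW": 0.8, "MEDIUM": 0.4},
}


# Condition combinators.  NOT and OR are not needed by R1..R3 but appear in
# the evolved rules of Table 3 (e.g. "REMOTE_RECIEVED_PACKETS is not high").
def is_(var: str, term: str) -> Cond:
    return lambda m: m[var][term]


def not_(c: Cond) -> Cond:
    return lambda m: 1.0 - c(m)


def and_(*cs: Cond) -> Cond:
    return lambda m: min(c(m) for c in cs)


def or_(*cs: Cond) -> Cond:
    return lambda m: max(c(m) for c in cs)


RULES: List[Tuple[str, Cond, str]] = [
    ("R1", and_(is_("x", "HIGH"), is_("y", "LOW")), "action3"),
    ("R2", and_(is_("x", "MEDIUM HIGH"), is_("y", "MEDIUM")), "action3"),
    ("R3", and_(is_("x", "MEDIUM"), is_("y", "MEDIUM LOW")), "action1"),
]


def rule_truth_values(rules, membership) -> Dict[str, float]:
    """Truth value of every rule's antecedent."""
    return {name: round(cond(membership), 6) for name, cond, _ in rules}


def action_support(rules, membership) -> Dict[str, float]:
    """Support for each conclusion: the largest truth value among the rules
    that conclude it (i.e. the OR of their antecedents)."""
    support: Dict[str, float] = {}
    for _, cond, action in rules:
        support[action] = max(support.get(action, 0.0), cond(membership))
    return {a: round(v, 6) for a, v in support.items()}


def infer(rules, membership) -> Tuple[str, float, str]:
    """Pick the rule with the largest truth value; return (rule, truth, action)."""
    truth = rule_truth_values(rules, membership)
    winner = max(truth, key=truth.get)
    action = next(a for n, _, a in rules if n == winner)
    return winner, truth[winner], action


if __name__ == "__main__":
    print(rule_truth_values(RULES, MEMBERSHIP))   # {'R1': 0.2, 'R2': 0.4, 'R3': 0.3}
    print(action_support(RULES, MEMBERSHIP))      # {'action3': 0.4, 'action1': 0.3}
    print(infer(RULES, MEMBERSHIP))               # ('R2', 0.4, 'action3')
```

Two rules (R1 and R2) conclude the same action, so `action_support` also shows the aggregated view an engine would use when several rules share a consequent; here both views agree on action3.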

Action/response agent

The Action Agent receives the diagnosis of the anomaly from the Decision Agent. It uses this information to build IDMEF objects that represent the state of the system and the diagnosis of the anomaly, and recommend a possible course of action. These IDMEF objects hold the information that is useful for security administration when taking an appropriate response.

Whenever there is an anomaly in the monitoredenvironment, the Action Agent currently providesstatus (like CurrentState, Recommended actionetc.) to the administrator in the form of an IDMEFobject so that necessary action can be takenagainst the intrusive activities.

The User Interface (HTML/JAVA) in the ActionAgent shows the logical representation of theIDMEF objects at a given time. Here is an exampleof Heartbeat Object that is a specific kind of IDMEFobject that reports the current state of the system
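An added example (not the CIDS Action Agent's code) of the two kinds of IDMEF object discussed above, built in Python with the standard library: a Heartbeat that reports the current state of the monitored system as AdditionalData entries, and an Alert that carries the diagnosis (Classification) and the recommended action (Assessment/Action). Element and attribute names follow the IDMEF XML data model as standardised in RFC 4765; the analyzer id, host names, address, timestamp and diagnosis are constructed values.

```python
"""IDMEF Heartbeat and Alert objects as an action agent would emit them.
Added example, not the CIDS Action Agent.  Element and attribute names
follow the IDMEF XML data model (RFC 4765, the standardised form of the
draft the paper refers to); the analyzer id, host names, addresses,
timestamps and the sample diagnosis used with it are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://iana.org/idmef"
ET.register_namespace("idmef", NS)


def _el(parent, tag, body_text=None, **attrs):
    """Create a namespaced element (top-level when parent is None)."""
    full = f"{{{NS}}}{tag}"
    el = ET.Element(full, **attrs) if parent is None else ET.SubElement(parent, full, **attrs)
    if body_text is not None:
        el.text = str(body_text)
    return el


def _create_time(parent, when):
    # CreateTime carries the ISO time as text plus an NTP timestamp attribute
    # (seconds since 1900 and a 32-bit fraction, both in hex).
    unix = when.timestamp()
    ntp = f"0x{int(unix) + 2208988800:08x}.0x{int((unix % 1) * 2**32):08x}"
    return _el(parent, "CreateTime", when.isoformat(), ntpstamp=ntp)


def _analyzer(parent, analyzer_id, node_name):
    analyzer = _el(parent, "Analyzer", analyzerid=analyzer_id, name="CIDS-action-agent")
    _el(_el(analyzer, "Node"), "name", node_name)
    return analyzer


def heartbeat(analyzer_id, node_name, when, interval_s, state):
    """Heartbeat carrying the current state as AdditionalData entries."""
    msg = _el(None, "IDMEF-Message", version="1.0")
    hb = _el(msg, "Heartbeat", messageid=f"hb-{when:%Y%m%d%H%M%S}")
    _analyzer(hb, analyzer_id, node_name)
    _create_time(hb, when)
    _el(hb, "HeartbeatInterval", interval_s)
    for meaning, value in state.items():
        _el(_el(hb, "AdditionalData", type="string", meaning=meaning), "string", value)
    return msg


def alert(analyzer_id, node_name, when, source_ip, target_name,
          diagnosis, severity, impact_type, action_category, action_text):
    """Alert: the diagnosis goes into Classification, the recommended response
    into Assessment/Action (category from the IDMEF list: notification-sent,
    block-installed, taken-offline or other)."""
    msg = _el(None, "IDMEF-Message", version="1.0")
    al = _el(msg, "Alert", messageid=f"al-{when:%Y%m%d%H%M%S}")
    _analyzer(al, analyzer_id, node_name)
    _create_time(al, when)
    src_node = _el(_el(al, "Source"), "Node")
    _el(_el(src_node, "Address", category="ipv4-addr"), "address", source_ip)
    _el(_el(_el(al, "Target"), "Node"), "name", target_name)
    _el(al, "Classification", text=diagnosis)
    assessment = _el(al, "Assessment")
    _el(assessment, "Impact", severity=severity, type=impact_type)
    _el(assessment, "Action", action_text, category=action_category)
    return msg


def to_xml(msg):
    return ET.tostring(msg, encoding="utf-8")


def summarize(xml_bytes):
    """Parse a message back and extract the fields an administrator acts on."""
    ns = {"idmef": NS}
    body = ET.fromstring(xml_bytes)[0]
    out = {"kind": body.tag.split("}")[1],
           "analyzer": body.find("idmef:Analyzer", ns).get("analyzerid")}
    if out["kind"] == "Alert":
        out["diagnosis"] = body.find("idmef:Classification", ns).get("text")
        act = body.find("idmef:Assessment/idmef:Action", ns)
        out["action"] = (act.get("category"), act.text)
    else:
        out["state"] = {ad.get("meaning"): ad.find("idmef:string", ns).text
                        for ad in body.findall("idmef:AdditionalData", ns)}
    return out


if __name__ == "__main__":
    now = datetime(2005, 3, 3, 13, 6, 52, tzinfo=timezone.utc)   # constructed
    print(to_xml(heartbeat("cids-node1", "host1.example.test", now, 10,
                           {"CurrentState": "Normal", "CPU_USERS": "0.12"})).decode())
    print(to_xml(alert("cids-node1", "host1.example.test", now, "192.0.2.10",
                       "host1.example.test", "PRB: port scan", "medium", "recon",
                       "notification-sent", "Alert the administrator")).decode())
```

Because the messages are plain IDMEF, any consumer that understands the format (a console, a correlation engine or another management agent) can pick up the CurrentState and Recommended-action fields without knowing anything about CIDS internals, which is the interoperability the paper is after.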

Table 1 Monitored parameters in CIDS

Network level: LOCAL_SENT_BYTES, LOCAL_RECEIVED_BYTES, LOCAL_SENT_PACKETS, LOCAL_RECEIVED_PACKETS, REMOTE_SENT_BYTES, REMOTE_RECEIVED_BYTES, REMOTE_SENT_PACKETS, REMOTE_RECIEVED_PACKETS

Process level: PROCESSES, PROCESSES_ROOT, PROCESSES_USER, PROCESSES_BLOCKED, PROCESSES_RUNNING, PROCESSES_WAITING, PROCESSES_ZOMBIED

System level: USED_PHYSICAL_RAM, USED_SWAP_RAM, LOGINS, FAILED_LOGINS, REMOTE_LOGINS, CPU_USERS

Figure 7 Statistical values collected by CIDS after 1000 s (100 samples).

Experimentation and evaluation of CIDS

The implementation process started with a very basic structure and progressively became the fully functional system. A number of prototypes were developed with added capabilities. The current version of CIDS (CIDS 1.4) is built on Cougaar 8.8 and is compatible with Java 1.3; it can monitor machines in a LINUX/UNIX environment. In order to test the performance of CIDS 1.4, we conducted a number of experiments with various port scans and simulated attacks.

CIDS allows the monitoring of parameters at different levels (process, user, network) of targets on several computer networks (Fig. 6). Table 1 shows the 21 parameters that can be monitored using CIDS.

Testing

Two attacks were performed on the target host: a PRB (probe) attack using the nmap scan tool and a U2R (user-to-remote) attack using a secure shell (ssh) hacking tool. The total number of data samples collected was 1800 (300 for the PRB attack and 400 for the U2R attack). Fig. 7 shows the statistical values of the data collected by CIDS after 1000 s (100 samples).

The training data were preprocessed, i.e., the collected data were normalized, and the fuzzy space shown in Fig. 5 was used for all monitored parameters. The different classes of attack in the data were sorted, and Table 2 shows the binarization ordering applied to the training classes.

Table 2 Binarization class ordering used in the CIDS experimentation

Index  Class
1      PRB
2      U2R
3      Normal

Figure 8 GUI showing the monitored parameters and the graph for test1.

Method: using a simple port scanner written with *nix sockets; at the time of the run the network traffic was 14 to 19 K. The test scanned the first 6000 ports on the target machine (Fig. 8).

Start = 13:06:52, End = 13:07:35

Found ports 22, 80, 111, 1024, 1115, 1117, 5555,5556, 5557, 5558, 6000 open

In this case, we noticed that during the scanning the number of received packets spiked and the number of sent packets spiked at the same time. This is a clear indication of a port scan.

The fuzzy rules for the evolutionary algorithm parameters were fixed as shown in Table 3, and the number of samples used per individual was fixed at 100%. This percentage is appropriate because the set of data samples is very small (1800).

The proposed approach evolved the classifiersystem shown in Table 3 in a sample run. Theexperimental results reported here correspond tothis classifier system.

Table 3 Evolved classifier system in a sample run

Classifier system: PRB General
Fuzzy rules:
IF REMOTE_RECIEVED_PACKETS is high AND CPU_USERS is low OR USED_SWAP_RAM is medium THEN RECORD is PRB
IF LOCAL_SENT_BYTES is low OR REMOTE_RECIEVED_PACKETS is not high THEN RECORD is not PRB

Classifier system: PRB Checking
Fuzzy rules:
IF PROCESSES_BLOCKED is low OR PROCESSES_WAITING is not high THEN RECORD is PRB
IF PROCESSES_BLOCKED is high AND DEVIATION is low THEN RECORD is not PRB

Classifier system: U2R General
Fuzzy rules:
IF PROCESSES_RUNNING is medium-low OR PROCESSES_ROOT is medium THEN RECORD is U2R
IF (PROCESSES_RUNNING is not medium-low OR CPU_USERS is medium) AND PROCESSES_ROOT is not medium THEN RECORD is Normal

Classifier system: U2R Checking
Fuzzy rules:
IF PROCESSES_ROOT is not medium AND PROCESSES_RUNNING is medium-low THEN RECORD is Normal
IF PROCESSES_ROOT is medium OR REMOTE_RECIEVED_PACKETS is high OR PROCESSES_RUNNING is not medium-low THEN RECORD is Normal


We calculated the effectiveness of the evolved classifier over the training dataset, as shown in Table 4.

The detection rate is low (compared to the KDD Cup data set) because the training data set was not cleaned, i.e., there were some samples that were classified in the training data set as attack classes but correspond to normal behavior (when the attack was stopped temporarily to distribute the attack in time), or because they belong to the fuzzy region between normal and abnormal (when the attack is starting or ending). Amazingly, the false alarm rate was zero.
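How the two figures in Table 4 are computed, as an added example in Python (not the paper's evaluation code). Over constructed (true class, classifier output) pairs using the Table 2 classes, the detection rate is the share of attack records labelled with any attack class, and the false alarm rate is the share of Normal records labelled as an attack. The per-class accuracy is given as well, since an attack detected under the wrong class counts as detected but not as correctly classified. The records are constructed and include attack-labelled samples that the classifier calls Normal, standing in for the uncleaned samples described above.

```python
"""Detection rate, false alarm rate and per-class accuracy of a classifier
over labelled records (added example, not the paper's evaluation code).
A record counts as detected when an attack record is labelled with any
attack class; a false alarm is a Normal record labelled as an attack.
The labelled records below are constructed."""
from collections import Counter

CLASSES = ["PRB", "U2R", "Normal"]          # ordering of Table 2
ATTACK_CLASSES = {"PRB", "U2R"}

# Constructed (true class, classifier output) pairs.  The PRB and U2R records
# labelled Normal stand in for the uncleaned training samples the paper
# describes: taken while the attack was paused, they look normal.
RECORDS = ([("PRB", "PRB")] * 4 + [("PRB", "U2R")] + [("PRB", "Normal")]
           + [("U2R", "U2R")] * 3 + [("U2R", "Normal")]
           + [("Normal", "Normal")] * 5 + [("Normal", "PRB")])


def confusion_matrix(records):
    """matrix[true_class][predicted_class] = number of records."""
    matrix = {t: {p: 0 for p in CLASSES} for t in CLASSES}
    for true, pred in records:
        matrix[true][pred] += 1
    return matrix


def detection_rate(records):
    """Percentage of attack records labelled with some attack class."""
    attacks = [p for t, p in records if t in ATTACK_CLASSES]
    if not attacks:
        return 0.0
    return round(100.0 * sum(p in ATTACK_CLASSES for p in attacks) / len(attacks), 2)


def false_alarm_rate(records):
    """Percentage of Normal records labelled as an attack."""
    normals = [p for t, p in records if t == "Normal"]
    if not normals:
        return 0.0
    return round(100.0 * sum(p in ATTACK_CLASSES for p in normals) / len(normals), 2)


def per_class_accuracy(records):
    """Percentage of each true class labelled with exactly that class."""
    totals, hits = Counter(), Counter()
    for true, pred in records:
        totals[true] += 1
        hits[true] += int(true == pred)
    return {c: round(100.0 * hits[c] / totals[c], 2) for c in CLASSES if totals[c]}


def performance_table(records):
    """The two rows of Table 4, in percent."""
    return {"Detection rate": detection_rate(records),
            "False alarms rate": false_alarm_rate(records)}


if __name__ == "__main__":
    for row, value in performance_table(RECORDS).items():
        print(f"{row:18s} {value:6.2f}")
    print(per_class_accuracy(RECORDS))
```

On the constructed records the detection rate is 80% while the PRB class is only recognized 66.67% of the time, which is the gap the paper's single detection-rate figure hides; reporting the confusion matrix alongside the two Table 4 rows makes it visible.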

When CIDS was executed with the evolved classifier system, the results were amazing. Under normal conditions the system did not generate false alarms. Fig. 9 shows the decision module under normal conditions.

When attacks are launched, the decision module raises an alarm. Table 3 shows the rules used to detect PRB and U2R attacks. Clearly, the fuzzy rule corresponds with the behavior shown by the monitored parameters. When the U2R attack was executed, the decision module raised an alarm and showed the rule used to detect the attack. Fig. 9 shows the monitoring and decision modules under a U2R attack. Although this attack is hard to detect, since the monitored parameters under this attack behave almost the same as under normal conditions, the classifier system was able to detect it in almost 90% of the cases.

Table 4 Performance of the evolved classifier over the training data set

                    Performance (%)
Detection rate      83.33
False alarms rate   0.0

Conclusions

In this paper, we described the design and implementation of an agent-based system (called CIDS) for intrusion detection. We reported some experimental results showing that it can detect a wide variety of anomalies and intrusive activities. The important features of CIDS include the following:

• A four-agent security node infrastructure is implemented on the Cougaar framework with unique functionality for each agent.

• CIDS is a modular design, which allows easy inclusion of new detection, decision and action Plugins, independently.

• A Swing based GUI provides a user-friendly interface that can run on the same computer or remotely. The monitored parameters, the normalized values and the detected deviations are displayed in textual and graphical forms. It also provides tools to generate the normal profile (of the monitored environment) automatically and to update the knowledge base of the decision module.

Figure 9 CIDS decision module under normal behavior.

• The tool can be used not only as an anomaly/intrusion detection tool, but also as a monitoring tool, since the data gathering and visualization can help to evaluate the behavior of any monitored network.

• Experiments with the current prototype show that it could detect various types of probing and DoS attacks successfully. However, these are only example tests; they are neither exhaustive nor demonstrate the capabilities of a full-fledged CIDS.
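The normal-profile workflow summarized in the conclusions (a normal profile generated from the monitored environment, normalized values, detected deviations) and the detection rate / false alarm rate figures reported for the experiments, as an added worked example. This is not CIDS or Cougaar code; the three monitored parameters, the 3-sigma threshold and all samples are constructed for illustration, and the last attack sample is deliberately kept close to the profile to reproduce the situation the U2R discussion describes.

```python
"""Added example (not CIDS/Cougaar code): a normal profile built from
monitored parameters, per-sample normalized values and detected deviations,
and detection rate / false alarm rate over a labelled test set."""
from statistics import mean, pstdev

# Hypothetical monitored parameters; the real CIDS parameter set is not
# reproduced here.
PARAMS = ("cpu_pct", "conn_per_s", "failed_logins_per_min")

# Constructed training samples, all taken under normal conditions.
NORMAL_TRAIN = [
    (12, 5, 0), (15, 7, 1), (10, 4, 0), (18, 9, 1), (14, 6, 0),
    (11, 5, 1), (16, 8, 0), (13, 6, 0), (17, 7, 1), (12, 5, 0),
]

# Constructed labelled test set: (sample, is_attack).  The last attack keeps
# every parameter close to the profile, which is the situation the U2R
# discussion describes, so a pure deviation detector is expected to miss it.
TEST_SET = [
    ((14, 6, 0), False),
    ((20, 10, 1), False),
    ((12, 5, 0), False),
    ((17, 7, 1), False),
    ((13, 5, 2), False),      # noisy normal sample: raises a false alarm
    ((95, 400, 1), True),     # flood-style: CPU and connection rate explode
    ((20, 60, 0), True),      # probe-style: connection rate only
    ((15, 9, 25), True),      # password-guessing-style: failed logins only
    ((40, 12, 3), True),
    ((16, 7, 1), True),       # stealthy attack: looks normal on every parameter
]


def build_profile(samples):
    """Normal profile: per-parameter mean and population std-dev (guarded
    against a zero std-dev so a constant parameter cannot divide by zero)."""
    columns = zip(*samples)
    return {name: (mean(col), pstdev(col) or 1.0)
            for name, col in zip(PARAMS, columns)}


def normalize(profile, sample):
    """Normalized values: distance of each parameter from its normal mean,
    in units of that parameter's normal standard deviation (a z-score)."""
    return {name: (value - profile[name][0]) / profile[name][1]
            for name, value in zip(PARAMS, sample)}


def deviations(profile, sample, threshold=3.0):
    """Detected deviations: the parameters whose normalized value exceeds
    the threshold, with their rounded z-scores."""
    return {name: round(z, 2) for name, z in normalize(profile, sample).items()
            if abs(z) > threshold}


def is_anomalous(profile, sample, threshold=3.0):
    """A sample is flagged when at least one parameter deviates."""
    return bool(deviations(profile, sample, threshold))


def evaluate(profile, labelled, threshold=3.0):
    """Confusion counts plus detection rate and false alarm rate (in %)."""
    tp = fp = tn = fn = 0
    for sample, is_attack in labelled:
        flagged = is_anomalous(profile, sample, threshold)
        if is_attack and flagged:
            tp += 1
        elif is_attack:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "detection_rate": 100.0 * tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": 100.0 * fp / (fp + tn) if fp + tn else 0.0,
    }


PROFILE = build_profile(NORMAL_TRAIN)

if __name__ == "__main__":
    for sample, is_attack in TEST_SET:
        print(sample, "attack" if is_attack else "normal",
              deviations(PROFILE, sample) or "no deviation")
    print(evaluate(PROFILE, TEST_SET))
```

Run as a script, the block lists which parameter tripped for each sample and then the two rates. The two figures have to be read together: lowering the threshold would catch the stealthy sample but would also turn more noisy normal samples into false alarms, which is why the paper reports a false alarm rate next to every detection rate.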

Uncited reference

Axelsson et al., 1996

Acknowledgements

This work was supported by the Defense Advanced Research Projects Agency (no. F30602-00-2-0514). The views and conclusions of this work in no way reflect the opinions or positions of the Defense Advanced Research Projects Agency or the U.S. Government.

References

Allen J, et al. State of the practice of intrusion detection technologies. Technical report (no. CMU/SEI-99-TR-028); January 2000.

Anderson JP. Computer security threat monitoring and surveillance. Technical report. James P Anderson Co., Fort Washington, PA; April 15, 1980.

Asaka M, Taguchi A, Goto S. The implementation of IDA: an intrusion detection agent system. In: Proceedings of the 11th FIRST Conference; June 1999a.

Asaka M, Okazawa S, Taguchi A, Goto S. A method of tracing intruders by use of mobile agents. INET'99; June 1999b.

Axelsson S, Lindqvist U, Gustafson U, Jonsson E. An approach to UNIX security logging. Technical report, IEEE Network; 1996.

Balasubramaniyan J, Fernandez JO, Isacoff D, Spafford E, Zamboni D. An architecture for intrusion detection using autonomous agents, COAST. Technical report 98/5. Purdue University; June 1998.

Barrus J, Rowe NC. A distributed autonomous-agent network-intrusion detection and response system. Proceedings of the command and control research and technology symposium, Monterey, CA; June 1998.

Bass T. Multisensor data fusion for next generation distributed intrusion detection systems. Invited paper, 1999 IRIS national symposium on sensor and data fusion. The Johns Hopkins University Applied Physics Laboratory; 24-27 May 1999.

Bernardes MC, dos Santos Moreira E. Implementation of an intrusion detection system based on mobile agents. In: International symposium on software engineering for parallel and distributed systems; 2000 p. 158-64.

Brian H, Dasgupta D. Mobile security agents for network traffic analysis. In: Proceedings of the second DARPA Information Survivability Conference and Exposition II (DISCEX-II), Anaheim, California; June 13-14, 2001.

Carver CA, Hill JMD, Surdu JR, Pooch UW. A methodology for using intelligent agents to provide automated intrusion response. IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, West Point, NY; June 2000.

Chari SN, Cheng P-C. BlueBox: a policy-driven host-based intrusion detection system. ACM Transactions on Information and System Security May 2003;6(2):173-200.

Cougaar: a cognitive agent architecture. Open source software available from the website (www.cougaar.org).

Crosbie M, Spafford E. Defending a computer system using autonomous agents. Proceedings of the 18th national information systems security conference; October 1995.

Dasgupta D. Immunity-based intrusion detection systems: a general framework. Proceedings of the 22nd national information systems security conference (NISSC). <http://issrl.cs.memphis.edu/nissc-99.pdf>; October 18-21, 1999.

Dasgupta D, Gonzalez F. An immunity-based technique to characterize intrusions in computer networks. IEEE Transactions on Evolutionary Computation June 2002;6(3).

Debar H, Dacier M, Wespi A. A revised taxonomy for intrusion detection systems. Technical report, Computer Science/Mathematics; 1999.

Denning DE. An intrusion-detection model. IEEE Transactions on Software Engineering February 1987;SE-13(2):222-32.

Dunlap GT, Dasgupta D. An administrative tool for distributed security task scheduling. Proceedings of the third annual international systems security engineering association conference, Orlando; March 13-15, 2002.

Gomez J, Dasgupta D. Evolving fuzzy classifiers for intrusion detection. In: Proceeding of third annual information assurance workshop; June 17-19, 2002.

Helmer GG, Wong JSK, Honavar V, Miller L. Intelligent agents for intrusion detection. In: Proceedings of IEEE information technology conference, Syracuse, NY; September 1998. p. 121-4.

Helmer GG, Wong JSK, Honavar V, Miller L. Lightweight agents for intrusion detection. Journal of Systems and Software; November 27, 2002. submitted for publication.

Intrusion Detection Message Exchange Format. Extensible Markup Language (XML) Document Type Definition. Intrusion Detection Working Group. IETF Internet Draft 'draft-ietf-idwg-idmef-xml-01.txt'. By David A. Curry (Internet Security Systems, Inc.). 2000-07.

Jansen W, Mell P, Karygiannis T, Marks D. Applying mobile agents to intrusion detection and response. National Institute of Standards and Technology Computer Security Division, NIST Interim Report (IR) 6416; October 1999.

Jansen W, Mell P, Karygiannis T, Marks D. Mobile agents in intrusion detection and response. Proceedings of the 12th annual Canadian information technology security symposium, Ottawa, Canada; June 2000.

Jazayeri M, Lugmayr W. Gypsy: a component-based mobile agent system. In: Eighth euromicro workshop on parallel and distributed processing, Greece; January 2000.

Krugel C, Toth T. Applying mobile agent technology to intrusion detection. Distributed systems group, Technical University Vienna, Argentinierstrasse 8, A-1040 Vienna, Austria.

Krugel C, Toth T. Sparta - a security policy reinforcement tool for large networks, submitted to I-NetSec 01, 2001.


Lane T, Brodley CE. Temporal sequence learning and data reduction for anomaly detection. ACM Transaction on Information and System Security August 1999;2(3).

Lee W, Stolfo SJ. Data mining approaches for intrusion detection. In: Proceedings of the seventh USENIX security symposium. USENIX; 1998.

Lee W, Stolfo S. A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security November 2000;3(4).

Lee W, Stolfo S, Mok K. Adaptive intrusion detection: a data mining approach. Artificial Intelligence Review December 2000;14(6):533-67. Kluwer Academic Publishers.

Porras PA, Neumann PG. Emerald: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the twentieth national information systems security conference; October 1997.

Porras P, Schnackenberg D, Staniford-Chen S, Stillman M, Felix Wu. The common intrusion detection framework architecture (CIDF). Position paper at the Information survivability workshop, Orlando FL; October 1998.

Queiroz JD de, Costa Carmo LFR da, Pirmez L. An autonomous mobile agent system to protect new generation networked applications. In: Second annual workshop on recent advances in intrusion detection, Rio de Janeiro, Brazil; September 1999.

Roesch M. Snort: lightweight intrusion detection for networks. Proceedings of LISA '99: 13th systems administration conference, Seattle, Washington, USA; November 7-12, 1999.

Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. In: Proceedings of the IEEE symposium on security and privacy; May 1999.