Network intrusion detection through Adaptive Sub-Eigenspace Modeling in multiagent systems

Network security has recently become a vital issue that calls for accurate and efficient solutions capable of defending our network systems and the valuable information travelling through them. In this article, a distributed multiagent intrusion detection system (IDS) architecture is proposed, which attempts to provide an accurate and lightweight solution to network intrusion detection by tackling issues associated with the design of a distributed multiagent system, such as poor system scalability and excessive demands on processing power and memory storage. The proposed IDS architecture consists of (i) the Host layer, with lightweight host agents that perform anomaly detection on the network connections to their respective hosts, and (ii) the Classification layer, whose main functions are to perform misuse detection for the host agents, to detect distributed attacks, and to disseminate network security status information to the whole network. The intrusion detection task is achieved through the lightweight Adaptive Sub-Eigenspace Modeling (ASEM)-based anomaly and misuse detection schemes. Promising experimental results indicate that the ASEM-based schemes outperform the KNN and LOF algorithms, with high detection rates and low false alarm rates in the anomaly detection task, and outperform several well-known supervised classification methods such as C4.5 Decision Tree, SVM, NN, KNN, Logistic, and Decision Table (DT) in the misuse detection task. To assess performance in a real-world scenario, the Relative Assumption Model, feature extraction techniques, and common network attack generation tools are employed to generate normal and anomalous traffic in a private LAN testbed. Furthermore, the scalability of the proposed IDS architecture is investigated through simulation of the proposed agent communication scheme: both the degradation of system response time and the network traffic overhead generated by agent communication are found to grow linearly, which is considered satisfactory.
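The abstract names eigenspace-based anomaly and misuse detection but does not describe the mechanics. The following Python is an added illustration, not the paper's ASEM implementation: it fits a generic PCA sub-eigenspace model to constructed connection-feature vectors and scores new connections by the energy left outside the retained subspace (Q) and Hotelling's T2 inside it, with one model of normal traffic serving anomaly detection and one model per known class serving misuse detection by nearest fit. The four-feature connection record, the three traffic profiles, the 90% variance-retention rule and the 1.5x threshold margin are all assumptions made for this example.

```python
"""Eigenspace (PCA-subspace) anomaly and misuse detection on connection features.
Added example, NOT the paper's ASEM code: features, traffic profiles, the 90 %
variance rule and the 1.5x alarm margin are constructed for illustration.
A connection record is [duration_s, bytes_sent, bytes_recv, conns_same_host_2s]."""
import math
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matvec(m, v):
    return [dot(row, v) for row in m]


def orthonormal_to(v, basis):
    """Strip the components of v along `basis`; return a unit vector or None."""
    for u in basis:
        p = dot(v, u)
        v = [vi - p * ui for vi, ui in zip(v, u)]
    n = math.sqrt(dot(v, v))
    return None if n < 1e-12 else [vi / n for vi in v]


def eigenpairs(cov, iters=300):
    """All (vector, value) pairs of a symmetric PSD matrix, largest value first:
    power iteration kept orthogonal to the vectors already found."""
    d = len(cov)
    pairs = []
    for _ in range(d):
        basis = [u for u, _ in pairs]
        starts = ([1.0 + 0.37 * i for i in range(d)],
                  *[[float(i == j) for i in range(d)] for j in range(d)])
        v = next(s for s in (orthonormal_to(s, basis) for s in starts) if s)
        for _ in range(iters):
            w = orthonormal_to(matvec(cov, v), basis)
            if w is None:          # v lies in the null space: eigenvalue 0
                break
            v = w
        pairs.append((v, dot(v, matvec(cov, v))))
    return pairs


class EigenspaceModel:
    """One traffic class: standardize, keep the leading components explaining
    `keep` of the variance, score by Q (residual energy outside the kept
    sub-eigenspace) and T2 (Hotelling's statistic inside it)."""

    def __init__(self, rows, keep=0.9, margin=1.5):
        n, d = len(rows), len(rows[0])
        self.mu = [sum(r[j] for r in rows) / n for j in range(d)]
        self.sd = [math.sqrt(sum((r[j] - self.mu[j]) ** 2 for r in rows) / n) or 1.0
                   for j in range(d)]
        z = [self.standardize(r) for r in rows]
        cov = [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]
        pairs = eigenpairs(cov)
        total, acc, k = sum(lam for _, lam in pairs), 0.0, 0
        while k < d and acc < keep * total:
            acc += pairs[k][1]
            k += 1
        self.kept = pairs[:k]
        # Constructed rule: alarm limits are `margin` times the worst training score.
        qs, ts = zip(*(self.scores(r) for r in rows))
        self.q_limit, self.t2_limit = margin * max(qs) + 1e-9, margin * max(ts) + 1e-9

    def standardize(self, x):
        return [(x[j] - self.mu[j]) / self.sd[j] for j in range(len(x))]

    def scores(self, x):
        z = self.standardize(x)
        proj = [dot(z, u) for u, _ in self.kept]
        q = max(dot(z, z) - sum(p * p for p in proj), 0.0)
        t2 = sum(p * p / lam for p, (_, lam) in zip(proj, self.kept) if lam > 1e-9)
        return q, t2

    def is_anomalous(self, x):
        q, t2 = self.scores(x)
        return q > self.q_limit or t2 > self.t2_limit


def classify(models, x):
    """Misuse detection: the class whose sub-eigenspace fits x best (SIMCA-style
    nearest-fit rule, chosen for this example)."""
    return min(models, key=lambda name: sum(models[name].scores(x)))


def make_connections(kind, n, rng):
    """Constructed traffic profiles, not measured data."""
    rows = []
    for _ in range(n):
        if kind == "normal":       # sessions whose byte counts scale with duration
            dur = rng.uniform(0.5, 2.0)
            rows.append([dur, 200 * dur + rng.uniform(-20, 20),
                         1500 * dur + rng.uniform(-100, 100), 1 + int(rng.random() * 3)])
        elif kind == "flood":      # many tiny half-open connections from one source
            rows.append([rng.uniform(0.01, 0.03), 40 + int(rng.random() * 4), 0,
                         int(rng.uniform(200, 400))])
        else:                      # "exfil": large outbound volume, little inbound
            dur = rng.uniform(0.5, 2.0)
            rows.append([dur, 100000 * dur + rng.uniform(-500, 500),
                         rng.uniform(400, 600), 1])
    return rows


def demo():
    rng = random.Random(7)                       # fixed seed for a reproducible run
    normal = EigenspaceModel(make_connections("normal", 300, rng))
    probes = {"typical": [1.2, 245, 1800, 2],
              "syn_flood": [0.02, 40, 0, 300],    # inside the kept subspace: T2 catches it
              "exfil": [1.0, 100500, 480, 1]}    # breaks the byte/duration correlation: Q catches it
    anomaly = {k: normal.is_anomalous(v) for k, v in probes.items()}
    models = {"normal": normal,
              "flood": EigenspaceModel(make_connections("flood", 300, rng)),
              "exfil": EigenspaceModel(make_connections("exfil", 300, rng))}
    labels = {k: classify(models, v) for k, v in probes.items()}
    return anomaly, labels


if __name__ == "__main__":
    print(demo())
```

The two statistics are complementary: a connection that is extreme along a retained component (the flood's connection count) has a small residual and would pass a Q-only check, while one that breaks the correlation structure (the exfiltration's byte volume) lives almost entirely in the residual subspace; alarming on either is the usual practice for subspace detectors.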