Past and Present - Dynamic and Advanced Data Mining for Progressing Technological Development:

Mohammed M. Mazid CQUniversity, Australia A B M Shawkat Ali CQUniversity, Australia

Kevin S. Tickle CQUniversity, Australia

IntroductIon

Intrusion is a frequently used word in various sectors. As this is relating to unwanted events, users from every field have their great concern on this topic. Researchers are trying their best to define this term more elaborately and preciously. In terms of general security, intrusion is an attack that attempt from outsiders of a periphery. Intrusion in medical expression is defined as ‘a tooth is forced upward into the AbstrAct

Intrusion detection has received enormous attention from the beginning of computer network technol-ogy. It is the task of detecting attacks against a network and its resources. To detect and counteract any unauthorized activity, it is desirable for network and system administrators to monitor the activities in their network. Over the last few years a number of intrusion detection systems have been developed and are in use for commercial and academic institutes. But still there have some challenges to be solved.

This chapter will provide the review, demonstration and future direction on intrusion detection. The authors’ emphasis on Intrusion Detection is various kinds of rule based techniques. The research aims are also to summarize the effectiveness and limitation of intrusion detection technologies in the medical diagnosis, control and model identification in engineering, decision making in marketing and finance, web and text mining, and some other research areas.

bone tissue by a force outside the mouth’ (Park et al., 2005). In geology, an intrusion is a body of igne-ous rock that formed by molten magma. It cools beneath the Earth’s crust.

In terms of computer security, intrusion is a system compromise or breach of security incident re-garding computer. This involves gaining control of a computer system from the owner or an authorized administrator. This can be done by an “insider” who has permission to use the computer with normal user privileges. It can be by an “outsider” from another network or perhaps even in another country.

They exploit vulnerabilities in an unprotected network service on the computer to gain unauthorized entry and control.

There are various kinds of intrusions. Some of the examples are as follows:

Virus,

• worm, or “Trojan horse” – these are sort of programming code created for harmful purpose.

Generally these spread out through internet by downloading files, copy files form one computer to another computer, using pirated software, email, etc.

Stealing password: Password stealing is one of the notorious types of intrusions at the present

• time. Hackers steal password of bank account, email account, confidential database, etc. over the internet. Different types of tools and ways are used to steal password such as – sniffer or “shoulder surfing” (watching over someone’s shoulder while they type their password), brute-force guess-ing, password cracking software, trial and error method, etc.

Gaining illegal access: Hacker gains illegal access of terminal or steals information while users

• transferring file using less secured data transferring method such as old-style telnet, ftp, IMAP or POP email, etc.

An exploitable vulnerability in a network services like

• FTP, Apache or Microsoft IIS, SSH, a

name server, etc.

Physically accessing a computer and rebooting it to an unsecured administrative mode or taking

• advantage of other weaknesses that come from a vendor who assumes that anyone using the key-board and mouse directly is “trusted”

Another example of intrusion is “root kits”. “Root kits” gain elevated privileges on a computer. It is often installed by different types of “Trojan horse” programs. It hides the intruder’s presence on the system. A Trojan horse is a program that acts like a real program a user may wish to run, but also per-forms unauthorized actions. These Trojan horse programs will make it look like nothing at all is wrong with systems, even though it may have gigabytes of pirated software installed on it, may be flooding the network and disrupting service for everyone on local area network.

Another common post-intrusion action is to install a sniffer or password logger, perhaps by replacing the operating system’s own SSH (Secure SHell) or FTP (File Transfer Protocol) server. This exploits trust relationships that often exist with other local or university computers (e.g., the Homer or Dante clusters), other institutions and government agencies that may have a research relationship with, or even to/from people’s home computers on cable modem or DSL (Digital Subscriber Line) lines. Any one may not think about the act of logging in from one computer to another as a trust relationship, but these are indeed relationships between computers that involve a level of trust (namely secret passwords, which are the first line of defence). Intruders prey on these trust relationships to extend their reach into computer networks.

Determining whether or not an intrusion has taken place is sometimes a very difficult task. Root kits and Trojan horses make the job even more difficult and work so well because they take advantage of a

discrepancy between the knowledge level of the intruder and the system administrator and users. Often the only way to know for sure if an intrusion has occurred is to examine the network traffic external to the suspect computer system, or to examine the computer and system using trusted tools (perhaps by rebooting it from a special forensic CD-ROM or by taking the disk drive to another computer that you know is secure).

Intrusion detection system

An intrusion detection system (IDS) is a software tool to use for computer security. The goal of IDS is simply to protect the system or network from any kind of intrusions such as network packet listening, stealing information, authority abuse, unauthorized network connections, falsification of identity, etc.

However the task of detecting intrusion is not simple for many reasons which we have discussed in the following section of this chapter. Most of the time, it works as a dynamic monitoring entity of firewalls.

Generally it monitors the traffic of a network like a network sniffer or observe system log file of com-puters. Then it collects the data and searches for any abnormal behaviour. There are different types of approaches of Intrusion Detection. According to Verwoerd and Hunt (Verwoerd & Hunt, 2002), category and their subcategory of different type of IDS approaches are given below.

Conceptual outline

• • Anomaly Modelling Techniques

◦ Statistical models

Using of agent in IDS has a great significant role in improving its performance especially decision mak-ing and intrusion detectmak-ing. A basic task of an agent is to carry out some predefined job without manual

ent conditions, can make decisions intelligently and able to work with other agents and units of IDS. It works independently and observes the environment where it is deployed to act back on the environment (Weiss, 1999). IDS can be comprised of many agents with similar or dissimilar type of tasks. If one agent is affected or attacked then other agents back up affected agent to carry out the entire process without any interruption. In some agent based IDS, there is provision to manipulate agents manually in case of a typical situation such as maintenance.

An agent runs independently for IDS to monitor any violation of usual work and reports unusual or abnormal behaviours to the appropriate transceiver. Various kinds of tasks monitored by agents are password cracking and access violation, spreading of Trojan horses, interceptions, Spoofing, scanning ports and services, remote OS Fingerprinting, network packet listening, stealing information, authority abuse, unauthorized network connections, falsification of identity, information altering and deletion, unauthorized transmission and creation of data (sets), unauthorized configuration changes to systems and network services (servers), Ping flood (Smurf), Send mail flood, SYN flood, Distributed Denial of Service (DdoS), Buffer Overflow, Remote System Shutdown, Web Application attacks, etc.(Kazienko

& Dorosz, 2004) After gathering information regarding the above kind of abnormal activities, agent reports to the transceiver. In case of multiple agents based IDS, the transceiver could get a same type of notification from different agent. Based on information provided by different agents, the transceiver or monitor generates an alarm or notifies for further action.

How Agents Work in Ids

According to agents working approach, agents can be categorized two types. In first type of approach, agents use a communication infrastructure by which agents communicate with each other. This is called Agent Communication Language (ACL) (Gowadiam et al., 2005). JADE (Bellifemine et al, 2005) is a FIPA (FIPA, 2005) specified software framework by which agents can communicate with each other.

JADE offers various services such as a Directory Facilitator (DF), library of interaction protocols, and distributed agent platform to develop proper agent communication facilities. Agent platform monitors agents’ activities such as start, suspend, terminate, etc. Interaction protocols arrange interaction among agents such as request, query, subscribe, etc. and provide a series of acceptable messages and semantics for those messages. The second type of approach, agents do not communicate with each other rather they notify their findings on regular basis to a component called a transceiver. Spafford & Zamboni (2000) and Balasubramaniyan et al. (1998) have proposed such framework known as AAFID (Autonomous Agents for Intrusion Detection). In this type of framework, the transceiver resides in each host machine, collects data from agents and proceeds data for further action.

Advantages of Agents

There are different types of IDSs proposed. Of these systems, the agent based IDSs are very popular and promising for the following reasons(Slagell, 2001):

Reduction of data movement: Agents gather data on the spot and process immediately. So it reduces traffic over the network for data handling and saves time.

Flexibility: Each agent runs as an individual so it does not need help from others to perform its’

own task. If any agent is removed from the system for modification or any improvement, the IDS will continue its operation.

Load-balance: Agents can balance the workload of IDS by spreading tasks over a number of ma-chines.

Detection of distributed attacks: The use of mobile agents makes it easier to correlate and detect distributed attacks.

Fault-tolerance: As an agent can work on its own, that means if any agent of the IDS is affected or attacked and stops working, IDS will not stop. This makes IDS fault tolerant.

lIterAture reVIeW

As detection intrusion is a great concern in computer world, there are several detection systems developed since early 80’s. According to Patcha et al.(2007) there are three broad categories for the analysis and detection of intrusions. Those are Signature or Misuse Detection System, Anomaly Detection System and Hybrid or Compound Detection System. Some literature reviews on IDS are discussed as follows.

Intrusion Detection Expert System (IDES) (Denning & Neumann, 1985; Lunt et al. 1992) is one of the earliest IDS developed by Stanford Research Institute (SRI) in the early 1980’s. Later on, an enhanced version of IDES called Next-generation Intrusion Detection Expert System (NIDES) (Anderson et al.

1994; Anderson et al. 1995) has come with additional features. However, it produces a high false signal in the case of irregular distributed data.

Haystack, proposed by Smaha (1998), is another primitive IDS which uses descriptive statistics to generate a user behaviour model for few particular user groups. Limitations of Haystack are it was de-signed to work in an offline environment with manual attribute selection for good indicators of intrusive activity.

Statistical Packet Anomaly Detection Engine (SPADE) (Staniford et al. 2002) is an anomaly detec-tion system which works with a popular intrusion detecdetec-tion and prevendetec-tion software SNORT (Roesch, 1999). Because of classification of random unseen packets, it produces a high false alarm rate. Ye et al.(2002) proposed a host based anomaly IDS which is also based on statistical analysis. Hotellings T² test has been use to analyse the trail of intruders activities.

Using system call modelling and sequence analysis, Eskin et al. (2001) has developed sliding window based IDS. However this IDS has some disadvantages. For a monitoring system, computational overhead is very high. Another problem is for irregular nature of systems calls, this IDS produces a significant number of false positive alarms.

Valdes et al. (2000) has used Naïve Bayesian networks for IDS which is able to detect distributed attacks. Some weakness of this IDS are

Identical to a threshold based system

• Child node based interactions could produce inappropriate decision

•

Principal Component Analysis (PCA) based anomaly detection system developed by Shyu et al.

(2003) has reduced the dimensionality of the audit data. In this IDS, PCA has been used as an outlier detection scheme. Using the KDD CUP99 data this IDS has shown better detection rate.

Yeung et al. (2003) presents IDS using hidden Markov model with profiling system call sequences and shell command sequences. This IDS uses minimum likelihood among all training sequences to

eliminate anomalous behaviours. A disadvantage of this IDS is overlooking of unique identification of general user.

Packet Header Anomaly Detector (PHAD) (Mahoney & Chan, 2001), Learning Rules for Anomaly Detection (LERAD) (Mahoney & Chan, 2002) and Application Layer Anomaly Detector (ALAD) (Mahoney & Chan, 2002) are time-based IDS. In time based models, occurrence of an event is calcu-lated using probability of previous events. To detect intrusions, PHAD, ALAD, and LERAD monitor predefined attributes. In these IDS, multivariate problems are segmented into univariate problems which affect the efficiency of detecting attacks. Another problem of these IDS is computationally expense for large data sets.

Asaka et al. (1999) have developed an Intrusion Detection System which was named IDA (stands for the Intrusion Detection Agent system). This IDA has two eccentric characteristics which are tracing the origin of intrusion by use of agents and the other is to find out or trace specific events that may relate to intrusions instead of continuously monitoring user activities. As the authors of this paper state ‘Our goal is not to detect all intrusions precisely but to detect many intrusions efficiently’ (Asaka et al., 1999).

Many types of attack detection are not implemented in this paper such as remote attacks, attacker inside organization, etc. The performance of IDS is not tested with traditional intrusion data.

Helmer et al. (2002) have developed an agent based IDS which travel between monitored systems in a network of distributed systems, collect data from data cleaning agents, sort associated data and notify the findings to a user interface and database. Agent systems with lightweight agent support allow runtime addition of new capabilities to agents. Helmer et al. (2002) describe the design of Multi-agent IDS and show how lightweight agent capabilities allow the addition of communication and collabora-tion capabilities to the mobile agents in their IDS. While this has many facilities, experiments were only performed with ‘sendmail’ data and not tested on other intrusion detection related databases.

Balasubramaniyan et al. (1998) have developed an architecture for a distributed Intrusion Detection System based on multiple independent entities. These entities, called autonomous agents, work collec-tively. This approach solves some of the problems such as configurability, scalability or efficiency. In this paper, the authors many IDS’s desirable characteristics such as fault tolerance, resistance to sub-version, minimal overhead of the system, minimal human supervision, graceful degradation, dynamic reconfiguration, etc. But their proposed architecture is not implemented practically. So the performance of IDS is uncertain.

Barrus and Rowe (1998) propose a distributed architecture with autonomous agents to monitor security-related activity within a network. Each agent operates cooperatively yet independently of the others, providing for efficiency, real-time response and distribution of resources. This architecture provides significant advantages in scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. They also propose a scheme of escalating levels of alertness, and a way to notify other agents on other computers in a network of attacks so they can take primitive or reactive measures. They design a neural network to measure and determine alert threshold values. A communication protocol is proposed to relay these alerts throughout the network. Manual intervention and inability to handle huge data are major two deficiencies of this IDS.

Crosbie and Spafford (1998) have developed prototype architecture of a defence mechanism for computer systems. Many intrusion detection problems, their key aspects and a few solutions have been explained in this paper. Instead of earlier footsteps of single monolithic module of intrusion detection systems, this IDS has implemented small and independent agents to monitor the system and distinguish

the abnormal behaviour. The authors claimed that this IDS has more flexibility, scalability and resilience of the agent. But this IDS needs human interaction and system wait for human decision in complex situations. Detecting intrusion inside the organization is one of the major aspects of IDS which is not discussed in this paper. Performance of the IDS has also not been tested.

Carver et al. (2000) have emphasized Intrusion Response (IR) because delayed response to attack extends an opportunity to attackers. If IR is delayed by ten hours, a skilled attacker will be 80% success-ful and for thirty hours, the attacker is almost 100% successsuccess-ful. Research by (Cohen, 2008) indicates that the success of an attack is dependent on the time gap between detection and response. So Carver et al. (2000) presented a window of vulnerability based on the time when intrusion is detected and action is taken. Assorted number of software agents work collectively to deal with this window by providing automated response to any abnormal actions. While the approach of this IDS is effective, it is not tested with any intrusion related data, and hence there are questions about its performance. Tracing of the source of intrusion is an important feature of IDS but it is not discussed in this paper.

Bernardes and Santos(2000) offers the use of mobile agent mechanisms. A number of mobile agents move constantly within an organization internal information ways. The basic tasks of these independent small agents are to monitor the communication paths of the organization. Unfortunately, an efficiency test was not done for the IDS and continuous communication among agents could overhead the system.

Sometimes many agents with a dissimilar assessment of a same issue could be time consuming for a final decision.

Immunity-based agents are deployed Dasgupta and Gonzalez (2002) in their IDS approach. These agents travel from machine to machine and observe different types of intrusion related or any other abnormal activities in the network. Agents follow a hierarchy for communicating with each other and for executing actions which threaten security. These agents can learn and adapt to their environment dynamically and can detect both known and unknown intrusions. However, there is no discussion on how to reduce network overhead caused by agents roaming around in network and the IDS does not have an intruder tracing system.

Autonomous software agents, especially when equipped with mobility, promise an interesting design approach for intrusion detection. Krugel and Toth(2001) evaluate the implications of applying mobile agent technology and present taxonomy to classify different architectures. Sparta, an actual implementa-tion of a mobile agent based system is described well.

Brian and Dasgupta (2001) has implemented a distributed agent architecture for intrusion detection and response in networked computers. Unlike conventional IDS, this security system attempts to emulate mechanisms of the natural immune system using Java-based mobile software agents. These security agents monitor multiple levels (packet, process, system, and user) of networked computers to determine

Dans le document Dynamic and Advanced Data Mining for Progressing Technological Development: (Page 89-127)