
International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976-6367 (Print), ISSN 0976-6375 (Online)
Volume 4, Issue 1, January-February (2013), pp. 392-397
IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI) www.jifactor.com

SECURE MASID: SECURE MULTI-AGENT SYSTEM FOR INTRUSION DETECTION


Shraddha Chaurasia
P.G. Student, MTech. (CSE), Department of Computer Science & Engineering, G.H. Raisoni College of Engineering, Nagpur, India

Lalit Dole
Assistant Professor, Department of Computer Science & Engineering, G.H. Raisoni College of Engineering, Nagpur, India

ABSTRACT

In this paper, we modify existing work on a multi-agent system for intrusion detection by providing more security to the agents in this system. First, we present a review of existing intrusion detection systems, and then propose a strategy for securing the agents in MASID. Previously, intrusion detection was done at different levels, for example host-based intrusion detection, but the most recent advancement is the multi-agent system for intrusion detection. Finally, we discuss the implementation of secure MASID. Thus we show how the agents in MASID could be secured using the AES algorithm.

Keywords: MANET, intrusion, multi-agent, distributed, AES.

I. INTRODUCTION

One of the most important issues in computer networks is the security of the data being transferred between computers. As the use of the Internet has increased, there are many ways in which a computer may be attacked, including hacking and intrusion. Any activity that tries to harm your computer is known as intrusion. This activity degrades the computer's performance. Compared to wired networks, wireless networks are more susceptible to attack because most of their parameters, such as infrastructure and topology, are dynamic. There are various measures for providing security to a wireless network, such as authentication and firewalls. When there is intrusion, intrusion detection and prevention become necessary.

The process of detecting suspicious activities on a computer is known as intrusion detection. Misuse, anomaly and specification-based detection are some of the techniques for detecting intrusion. Misuse detection and anomaly detection are similar in that they both compare the available data against a reference, but misuse detection compares the data with known attack patterns, while anomaly detection compares the data with the normal pattern of data. The data available to these techniques comes from the host or the network.

There are various intrusion detection systems available. The most recent advancement in IDS is the agent-based system. An agent is any process, module or host that is capable of performing independent activities in its environment. In an agent-based system, a single agent is used for detecting intrusion. In a multi-agent system, multiple agents are used, and through the use of multiple agents the intrusion detection process becomes distributed. Thus this system may also be called a distributed and cooperative intrusion detection system. In a multi-agent system, agents transfer intrusion-detection-related information between them. However, the information transferred between the agents could itself be attacked, so a need arises to secure the information being transferred between the agents. Thus the main focus of our paper is to provide security to the information exchanged between the agents.

The rest of the paper is organized as follows: the following section provides a literature review of intrusion detection systems. Section 3 describes the proposed system, i.e. secure MASID. Section 4 provides the implementation of secure MASID. Section 5 concludes the paper with a brief summary of the proposed work and some future work that could be done.

II. RELATED WORK

Depending upon the techniques and architectures used, intrusion detection systems for MANETs can be broadly classified into:

i) Standalone IDS: Standalone means individual, independent. In this type of IDS the detection process is carried out individually. No information is transferred between the nodes. Decisions are made individually by each node and there is no cooperation between the nodes.

ii) Distributed and cooperative IDS: In this type of IDS, nodes cooperate with each other by exchanging information regarding intrusion. Nodes are distributed and an IDS is installed on each host.

iii) Hierarchical IDS: In this type, the IDS is divided into multiple layers or clusters. Each cluster has a head or leader, known as the clusterhead, which has more responsibilities than the other members of the cluster, e.g. routing packets from one cluster to another.

iv) Agent-based system: Here the intrusion detection process is divided among a number of agents. Each agent performs only one specific task, and these agents are distributed to each node. Not every agent is assigned functions, which helps to reduce power consumption.


As described in [1], Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford and Diego Zamboni first introduced the concept of the autonomous agent in an architecture for intrusion detection using autonomous agents. An autonomous agent is a software agent that performs some security monitoring function at a host.

B.-C. Cheng and R.-Y. Tseng proposed an intrusion detection system known as the context adaptive intrusion detection system (CAIDS) [10]. Every system depends on some factors for its execution; this system considers energy for performing intrusion detection. First, an IDS is installed on each system, and the intrusion detection process is carried out by checking the energy factor. A node performs the task only if it has enough energy to perform it. However, an IDS for MANETs requires cooperative nodes, and the nodes in this system are not cooperative.

The distributed and cooperative IDS overcomes the limitations of CAIDS. This system is designed using a region-based framework. There are two categories of nodes: region member nodes and gateway nodes. A gateway node is one which has a connection to a node in a neighboring region; otherwise it is called a region node. The system contains two major components, gateway intrusion detection (GID) and local intrusion detection (LID). Each node runs a LID and only a subset of nodes runs GID.

N. Marchang and R. Datta proposed a hierarchical IDS which contains two algorithms, ADCLI and ADCLU. ADCLI is an algorithm for detection in a clique and ADCLU is an algorithm for detection in a cluster. A clique is a set of nodes. In both algorithms, the set of nodes exchanges messages during intrusion detection. It is assumed that a suspicious node will send wrong messages to other nodes. If a node is malicious, the other nodes may choose to isolate it.

C. Ramachandran, S. Misra, and M. S. Obaidat [9] proposed FORK, a two-way strategy for intrusion detection. Here nodes enter a bidding process for performing intrusion detection. The nodes are allowed to enter the bidding process only if they have enough resources. The nodes which win take part in the detection process. The second strategy is an ant colony algorithm based on the anomaly detection technique.

III. PROPOSED WORK

In this section we present secure MASID. The proposed work is a small extension to MASID, i.e. the multi-agent system for intrusion detection developed by Leila Mechtri, Fatiha Djemili Tolba and Salim Ghanemi. That system contains a number of agents for performing the detection process. There are three main agents: the detection agent, the collaboration agent and the response agent. The detection agent uses both misuse detection and anomaly detection, and is responsible only for the detection process. The response agent provides an appropriate response when an intrusion occurs. The collaboration agent is responsible for exchanging messages between these two agents. However, an attacker may attack this agent, so in order to secure detection-related information we apply the AES algorithm at the collaboration agent, i.e. whatever information is transferred between the two agents is encrypted and decrypted by the AES algorithm.


[Figure: Detection agent, Collaboration agent (AES algorithm), Response agent]

Fig 1. Secure MASID architecture

The figure shows the three agents described in [13]. The AES algorithm is applied at the collaboration agent because it is the main point of communication for both the detection agent and the response agent. The information transferred between the two agents is encrypted at the detection agent and then decrypted at the response agent.

AES is a block cipher with a block length of 128 bits. AES allows for three different key lengths: 128, 192, or 256 bits. Most of our discussion will assume that the key length is 128 bits. Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. Except for the last round in each case, all other rounds are identical. Each round of processing includes one single-byte based substitution step, a row-wise permutation step, a column-wise mixing step, and the addition of the round key.


IV. IMPLEMENTATION

In order to implement secure MASID we have chosen the Java platform. First we will implement all three agents and then apply AES to them. We have taken the KDD Cup database as input for implementing this system. This database contains the packet format which is used for detecting intrusion. In the detection agent, we first specify the initial values of the parameters contained in the packet format. After taking the packet format as input we apply the K-means algorithm for clustering. There are two clusters: the first is the intrusion (attackers) cluster and the other is the normal data cluster. Clustering is done on the basis of trusted ports, i.e. we have set some ports from the database as trusted ports. If the port is not trusted we put the record into the attack cluster; otherwise we classify it as normal. Along with clustering we also classify attacks as unknown or known. This is based on a condition: if the cluster size is greater than max intrusion (a variable), then it is an unknown attack; otherwise it is a known attack. Here we have set the value of max intrusion to 1000 as it is the optimum value.

[Flowchart boxes: Packet format from KDD Cup database; Apply K-means algorithm; Check if it is attack; Put it into attack cluster; Inform other nodes; Put into normal cluster; STOP]

Fig 2. Detection agent

The response agent provides a response to known and unknown attacks, as stated earlier. When it is a known attack we check the magnitude of the attack. Magnitude is calculated as

Magnitude = cluster size of intrusion detected / max intrusion

i.e. if the cluster size or number of intrusions is 900, then compared to max intrusion the value of the attack magnitude will be 0.9, so we conclude that it is a highest-magnitude attack. Thus we will create a rule-based system which answers what the magnitude of the attack is. If it is an unknown attack then we try to change the strategy, which means that we run the K-means algorithm once again.
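The decision rules of the detection and response agents can be written out as follows; this is an added example, not the authors' implementation. The K-means step is not reproduced: records are split by the trusted-port rule directly, the trusted-port set and the sample traffic are constructed assumptions (the paper lists neither), and all names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class DetectionResponseSketch {           // requires Java 16+ (records)
    static final int MAX_INTRUSION = 1000;       // value given in the paper
    // Assumption: the paper does not say which ports it treats as trusted.
    static final Set<Integer> TRUSTED_PORTS = Set.of(22, 80, 443);

    enum Kind { NONE, KNOWN, UNKNOWN }
    record Verdict(Kind kind, int attackClusterSize, double magnitude) {}

    // Detection agent: records on untrusted ports form the attack cluster,
    // then the cluster-size rule separates known from unknown attacks.
    static Verdict assess(List<Integer> destinationPorts) {
        int size = 0;
        for (int port : destinationPorts)
            if (!TRUSTED_PORTS.contains(port)) size++;
        if (size == 0) return new Verdict(Kind.NONE, 0, 0.0);
        if (size > MAX_INTRUSION)                // magnitude is not defined for this case
            return new Verdict(Kind.UNKNOWN, size, Double.NaN);
        return new Verdict(Kind.KNOWN, size, (double) size / MAX_INTRUSION);
    }

    // Response agent: report magnitude for known attacks, re-cluster otherwise.
    static String respond(Verdict v) {
        switch (v.kind()) {
            case KNOWN:
                return String.format(Locale.ROOT, "known attack, magnitude %.2f", v.magnitude());
            case UNKNOWN:
                return "unknown attack, run clustering again";
            default:
                return "normal traffic";
        }
    }

    public static void main(String[] args) {
        List<Integer> ports = new ArrayList<>();
        for (int i = 0; i < 900; i++) ports.add(50000);   // constructed untrusted traffic
        for (int i = 0; i < 5000; i++) ports.add(443);    // constructed trusted traffic
        System.out.println(respond(assess(ports)));       // the paper's 900 / 1000 case
        for (int i = 0; i < 101; i++) ports.add(50000);   // attack cluster grows to 1001
        System.out.println(respond(assess(ports)));
    }
}
```

Because the known/unknown boundary is the same constant used as the divisor, a known attack always has a magnitude between 0 and 1, and a cluster of exactly 1000 records is still treated as known.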
V. CONCLUSION

In this paper we introduced a small modification to the existing work of [13] by providing additional security to the information transferred between the agents. Security is provided to the agents using the AES algorithm. We also discussed how we will implement our proposed work. Thus the main advantage of this system is that we provide one more level of security. One area of concern is what happens if the agents are subjected to a man-in-the-middle attack. Future work may be done in this direction.

REFERENCES

[1] R. Heady, G. Luger, A. Maccabe, and M. Servilla, The architecture of a network level intrusion detection system, Technical report, Computer Science Department, University of New Mexico, August 1990.
[2] M. Wooldridge and N. R. Jennings, Intelligent agents: theory and practice, Knowledge Engineering Review, October 1994.
[3] M. Wooldridge and N. R. Jennings, Agent theories, architectures, and languages, in Wooldridge and Jennings, eds., Intelligent Agents, Springer Verlag, 1995, pp. 1-22.
[4] Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni, An Architecture for Intrusion Detection using Autonomous Agents, COAST Technical Report 98/05, Jun. 1998.
[5] Y. Labrou, T. Finin, and Y. Peng, The current landscape of Agent Communication Languages, IEEE Intelligent Systems, vol. 14, number 2, March/April 1999.
[6] J. B. D. Cabrera et al., Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - A Feasibility Study, IEEE, 2001.
[7] Tiranuch Anantvalee and Jie Wu, A Survey on Intrusion Detection in Mobile Ad Hoc Networks, Wireless/Mobile Network Security, Y. Xiao, X. Shen, and D.-Z. Du (Eds.), Springer 2006, pp. 170-196.
[8] N. Marchang and R. Datta, Collaborative techniques for intrusion detection in mobile ad-hoc networks, Ad Hoc Networks, 6 (2008), pp. 508-523.
[9] C. Ramachandran, S. Misra, and M. S. Obaidat, FORK: A novel two-pronged strategy for an agent-based intrusion detection scheme in ad-hoc networks, Computer Communications 31 (2008), pp. 3855-3869.
[10] B.-C. Cheng and R.-Y. Tseng, A Context Adaptive Intrusion Detection System for MANET, Computer Communications, 2010.
[11] F. Abdel-Fattah, Z. Md. Dahalin, and S. Jusoh, Distributed and cooperative hierarchical intrusion detection on MANETs, International Journal of Computer Applications (0975-8887), Vol. 12 No. 5, Dec 2010, pp. 32-40.
[12] J.-H. Cho and I.-R. Chen, Performance analysis of hierarchical group key management integrated with adaptive intrusion detection in mobile ad hoc networks, Performance Evaluation 68 (2011), pp. 58-75.
[13] Leila Mechtri, Fatiha Djemili Tolba, Salim Ghanemi, MASID: Multi-Agent System for Intrusion Detection in MANET, IEEE 2012.
[14] S. B. Patil, S. M. Deshmukh, Dr. Preeti Patil and Nitin Chavan, Intrusion Detection Probability Identification in Homogeneous System of Wireless Sensor Network, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 12-18, ISSN Print: 0976-6367, ISSN Online: 0976-6375, Published by IAEME.
[15] Syeda Gauhar Fatima, Dr. Syed Abdul Sattar and Dr. K. Anita Sheela, Energy Efficient Intrusion Detection System For Wsn, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 3, 2012, pp. 246-250, ISSN Print: 0976-6464, ISSN Online: 0976-6472, Published by IAEME.
