Efficient and Accurate Collaborative Intrusion Detection System to detect DDOS attacks

Introduction

An IDS is a coordinated system that monitors network traffic for suspicious activity and alerts the designated network administrator or system. In some cases of anomalous traffic the IDS responds directly, for example by blocking the user or the source IP address from network access. IDS come in several types with differing approaches to detecting suspicious traffic; these include host-based (HIDS) and network-based (NIDS) intrusion detection. Maintaining security at a high level is essential so that communication within an organization is secure and trustworthy, and the IDS protects data during communication over the internet from misuse and intrusion (Shimonski, 2003).

The system components are built around a genetic algorithm (GA) for efficient detection of the various network intrusions. The evolution processes and parameters of the algorithm apply evolution theory to the traffic information, which enables filtering of the traffic data and so reduces the complexity of the communication being analyzed. The KDD99 benchmark dataset is used to implement and measure the performance of the system and to obtain a reasonable detection rate (Shimonski, 2003).

The design factors considered in implementing the IDS include proprietary logging, which prevents the system's logs from being accessed and interpreted by outsiders. The second factor is the skill of the workforce that puts the entire system together for its specified functionality, including the analyst assigned to access and use the system. Naturally, if the approved system cannot correctly monitor the specified system logs, there is little hope for the implementation. Together with the flexible, custom-designed nature of the IDS and the model applied, these design factors determine the actual technology chosen for implementation (Di & Mancini, 2008).

In terms of system architecture, the IDS is designed so that any technology can be integrated and implemented within the main system. It converts and encodes the received data into the main storage, a stage that must be designed with extreme care. Following the design factors considered during implementation, the system has to be located in a single position so that metrics can be generated automatically from the logs; aggregation at multiple levels is significant as a cognitive aid to the implementers. Data privacy is addressed through aggregate reports that carry new log entries to the visualizations and analysis tools, based on the alarm engine built into the system (Di & Mancini, 2008).

1. IDS classification based on architecture

Some IDS base their detection on the signatures of known threats, similar to the way antivirus software detects and protects against malware. Other IDS base their detection on comparing traffic patterns against a baseline to find anomalies. IDS also differ in whether they only monitor and raise alerts or also respond to specified threats (Shimonski, 2003).

1.1 Single IDS

The single IDS architecture is a suitable tool for detecting attacks that are not distributed in nature, such as DoS and port scanning, where it guarantees effective detection. For most of the emerging attacks, including distributed denial of service (DDoS), a single IDS cannot give high accuracy, so a collaborative IDS architecture is proposed for detecting these attacks. The single IDS adds a greater degree of integrity to the rest of the system infrastructure by pointing out every entry point of impact. The implementation of the single IDS is shown in the flowchart below, with the normal operations of the genetic algorithm implemented in the system (Cox & Gerg, 2004).

[Flowchart: operation of the genetic algorithm in the single IDS. Initial population -> Selection -> (Yes) new population; the new population replaces the old population and the cycle repeats.]

The elements involved in intrusion detection by a single IDS include the primary assumptions that system activities are observable and that there is distinct evidence separating intrusive from normal activity. From the algorithmic perspective, the components of the system include features that capture evidence of intrusion from audit data, and models that infer attacks. From the architectural perspective, the system consists of a knowledge base, an audit data processor, alarm generation, a decision engine and responses (Di & Mancini, 2008). The characteristics of the single IDS are as follows:

Detection method: this forms the analyzer characteristics

Detection behavior: IDS response to imminent attack

Audit source location: input information that is analyzed by the IDS

Detection paradigm: the mechanism of detection

Usage frequency: off-line or real-time
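A minimal version of the loop the flowchart above sketches (initial population, selection, new population), added here as an illustration and not taken from the essay or any cited system: it evolves a two-threshold rule over constructed flow features (packets per second, distinct sources) to separate flood-like flows from normal ones. The flows, thresholds and fitness function are all constructed assumptions, not KDD99 data.

```python
import random

# Constructed flows: (packets_per_sec, distinct_sources, is_attack); not KDD99 records.
FLOWS = [
    (20, 1, False), (35, 2, False), (50, 3, False), (80, 4, False), (120, 8, False),
    (250, 30, True), (300, 45, True), (400, 60, True), (650, 90, True), (900, 120, True),
]


def rule_matches(rule, flow):
    """A rule is (pps_threshold, src_threshold); a flow is flagged when both are reached."""
    pps_t, src_t = rule
    pps, srcs, _ = flow
    return pps >= pps_t and srcs >= src_t


def fitness(rule, flows=FLOWS):
    """Reward detections, penalise false alarms twice as hard (a flag-everything rule scores -5)."""
    tp = sum(1 for f in flows if f[2] and rule_matches(rule, f))
    fp = sum(1 for f in flows if not f[2] and rule_matches(rule, f))
    return tp - 2 * fp


def initial_population(rng, size=30):
    """Random thresholds drawn over the whole feature range."""
    return [(rng.randint(0, 1000), rng.randint(0, 150)) for _ in range(size)]


def select(population, rng, k=3):
    """Tournament selection: the fittest of k random individuals."""
    return max(rng.sample(population, k), key=fitness)


def crossover(a, b):
    """One-point crossover: pps threshold from one parent, source threshold from the other."""
    return (a[0], b[1])


def mutate(rule, rng, rate=0.2):
    """Nudge each threshold with probability `rate`, never below zero."""
    pps_t, src_t = rule
    if rng.random() < rate:
        pps_t = max(0, pps_t + rng.randint(-100, 100))
    if rng.random() < rate:
        src_t = max(0, src_t + rng.randint(-20, 20))
    return (pps_t, src_t)


def evolve(generations=50, seed=1):
    """Run the loop: initial population -> selection -> new population, repeated.
    Returns (best_rule, its fitness, best fitness of the initial population)."""
    rng = random.Random(seed)
    population = initial_population(rng)
    initial_best = fitness(max(population, key=fitness))
    for _ in range(generations):
        new_population = [max(population, key=fitness)]  # elitism: keep the best rule
        while len(new_population) < len(population):
            child = crossover(select(population, rng), select(population, rng))
            new_population.append(mutate(child, rng))
        population = new_population
    best = max(population, key=fitness)
    return best, fitness(best), initial_best


if __name__ == "__main__":
    rule, score, _ = evolve()
    print(f"best rule: pps >= {rule[0]} and sources >= {rule[1]} (fitness {score})")
```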

1.2 Collaborative IDS

The growing number of computer attacks has resulted in the need for tightened security, especially for larger organizations with networks of computers. This has led to the proposal of collaborative IDS, in which many organizations share alert information in the belief that this helps to detect computer attacks accurately. It allows the various systems to share information about security threats, making the detection of attacks easier. The main purpose of the collaborative IDS is to enable sharing of information across administrative domains while protecting the privacy, confidentiality and integrity of messages (Mishra, 2011). The system also proposes a peer-to-peer architecture that allows appropriate scaling. It relies on combining efforts against a common enemy, in this case computer attacks. This method meets the detection needs because a participating organization can implement prevention actions against attacks it could not otherwise have known about. The collaborative IDS allows detection of distributed attacks within six exchange periods without using an unacceptable amount of bandwidth (Mishra, 2011). Federation nodes also make the IDS suitable since they allow exchange of alert information at any given period; they also allow computation on the distributed network while simplifying the correlation process. It may involve the use of DOMINO, which acts as an overlay network using the Chord protocol to distribute alert information (Mishra, 2011). This distribution is based on a hash of the source IP address, allowing effective detection of threats across many organizations (Mishra, 2011). The collaborative IDS also incorporates Bloom filters and a scheduling algorithm for distributed correlation.
Collaborative IDS comprise three architectures that help to meet the needs for detecting distributed denial of service (DDoS) attacks: hierarchical IDS (HIDS), distributed IDS (DIDS) and centralized IDS (CIDS).
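A toy model of the alert exchange described above, added here as an illustration rather than code from the essay or from DOMINO itself: each organisation summarises the source IPs it flagged in a Bloom filter, the summaries are exchanged, and the node responsible for an IP (its successor on a hashed identifier ring, in the style of Chord) counts how many organisations saw it. All organisation names, node names, filter sizes and addresses are constructed.

```python
import hashlib
from bisect import bisect_left


class BloomFilter:
    """Fixed-size bit array with k hash functions: false positives possible, no false negatives."""

    def __init__(self, m_bits=1024, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Derive k bit positions by salting a SHA-256 hash with the function index.
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def ring_id(key, bits=16):
    """Place a node name or source IP on a 2**bits identifier ring (Chord style)."""
    h = hashlib.sha1(key.encode()).digest()
    return int.from_bytes(h[:4], "big") % (1 << bits)


class AlertRing:
    """Nodes sorted by ring id; the successor of ring_id(src_ip) correlates that IP."""

    def __init__(self, node_names):
        self.nodes = sorted((ring_id(n), n) for n in node_names)
        self.ids = [i for i, _ in self.nodes]

    def responsible(self, src_ip):
        idx = bisect_left(self.ids, ring_id(src_ip)) % len(self.nodes)
        return self.nodes[idx][1]


def correlate(summaries, suspects, ring, threshold):
    """summaries: {org: BloomFilter of the source IPs that org flagged}.
    Returns {src_ip: (responsible_node, n_orgs)} for IPs flagged by >= threshold orgs."""
    result = {}
    for ip in suspects:
        n_orgs = sum(1 for bf in summaries.values() if ip in bf)
        if n_orgs >= threshold:
            result[ip] = (ring.responsible(ip), n_orgs)
    return result


# Constructed sample: source IPs three organisations flagged during one exchange period.
FLAGGED = {
    "orgA": ["10.0.0.7", "10.0.0.9", "192.168.1.5"],
    "orgB": ["10.0.0.7", "10.0.0.9", "172.16.0.2"],
    "orgC": ["10.0.0.7", "192.168.1.5"],
}


def build_summaries(flagged=FLAGGED):
    """Each organisation ships a compact Bloom summary instead of its raw IP list."""
    out = {}
    for org, ips in flagged.items():
        bf = BloomFilter()
        for ip in ips:
            bf.add(ip)
        out[org] = bf
    return out


def demo():
    ring = AlertRing(["node1", "node2", "node3"])
    suspects = sorted({ip for ips in FLAGGED.values() for ip in ips})
    return correlate(build_summaries(), suspects, ring, threshold=2)


if __name__ == "__main__":
    for ip, (node, n) in demo().items():
        print(f"{ip}: flagged by {n} organisations, correlated at {node}")
```

A source seen by only one organisation stays below the threshold, which is how the exchange separates a distributed attack from a local nuisance.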

B.1 Hierarchical IDS (HIDS)           

The hierarchical IDS is a cluster-based method that improves the efficiency of the system in terms of memory usage and network overhead (Mamun & Kabir, 2010). It performs detection through two layers: the cluster member layer and the cluster head layer.

Mechanism

Intrusion detection in the HIDS is divided among different agents that connect the cluster members and the cluster head. A data collection agent (DCA) monitors the functioning of the cluster member layer and collects any abnormal characteristics of the system nodes. A transmission agent (TA) passes this information from the cluster member layer to the cluster head layer, where it is used by the intrusion detection agent (IDA) (Mamun & Kabir, 2010). The IDA detects the intrusion and identifies the attacker, then sends an alarm to the cluster members involved. The network response agent initiates additional responses to the cluster members and repairs the affected devices.

Advantages and disadvantages

The advantage of HIDS is that it allows detection of attacks even when member nodes could potentially reroute traffic (Mamun & Kabir, 2010). The cluster heads can also modify or drop packets during transmission. Further, all the cluster heads can work together with a central base station, which in turn forms the global IDS. The hierarchical model allows the system to operate effectively because of the structure of its operation. However, using this method is often expensive because of the additional cost of setting up the network.

Existing system

Mobile ad hoc networks (MANET) are an example of existing systems that use HIDS for intrusion detection.

B.2 Distributed IDS (DIDS)

A distributed IDS consists of multiple intrusion detection systems spread over a wider network, each connected to the others to exchange information. A central server usually monitors the network and also analyzes data about attack incidents (Forootaninia & Ghaznavi-Ghoushchi, 2012). This makes it easy for security personnel to get adequate information about what is going on in their network, and it allows the company to centralize its attack and incident analysis resources.

Mechanism of distributed IDS system

The system incorporates a central analysis server and a co-operative agent network. The central analysis server consists of a database together with a Web server that allows interactive querying of attack data for analysis, as well as a useful Web interface through which security personnel can see the current attack status (SURFnet, 2006). Through the central analysis server, attack aggregation is performed effectively and statistics are gathered; this helps in identifying attack patterns and in performing rudimentary statistical analysis from the Web interface. The co-operative agent network forms a crucial part of the operation of the system. An agent is software that reports information on any attacks to the central analysis server. Using many agents gives the incident analysis team a wider view of any attack. Ideally, security personnel place the agents on separate segments of the network and also consider their geographical location (Dastjerdi & Bakar, 2008). The agents can be in various physical locations, allowing the incident team to detect attacks across many corporate locations. The following diagram shows how a co-operative agent network works.

 

Advantages

It gives security personnel the opportunity to detect patterns of attack across a connected network that spans geographically separated time zones. This allows early detection of any planned attack against the organization. Further, the distributed IDS allows detection of an internet worm attacking the corporate network; the resulting information can then help to identify and clean the systems infected by the worm and to prevent further attacks by it, lowering the cost that would otherwise have been incurred.

Disadvantages

The distributed IDS is based on a client-server approach in which the client acts as a sensor. The sensor should always be upgradeable so that future honeypots and signatures can be added (SURFnet, 2006). At times the distributed IDS may raise false alerts, leading to unnecessary actions by the system. Another disadvantage is that installing and operating the sensors is complex and requires expertise.

An example of an existing system is SURFnet, which connects the networks of Dutch universities, colleges and other institutions to one another and to other networks across the globe (SURFnet, 2006). It handles much of the system security, whereby a SURFnet client can act as either victim or suspect.

 

B.3 Centralized IDS (CIDS)

The system is characterized by centralized analysis and distributed audit collection. Most audit data is collected on the individual systems and then reported to the centralized system, where the intrusion detection analysis takes place. The intrusion detection components on the host systems are responsible for collecting system information and converting it into a homogeneous form that can be passed to the centralized analyzer. Examples of such IDS include Intrusion Reporter, Network State Transition Analysis and Network Anomaly Detection. The system suffers from two common problems. First, the central analysis component forms a single point of failure that a single attack on that target can bring down. Second, the network workload increases because of the massive volume of audit data passed over it. These limits are the basic disadvantages that restrict the ability of a centralized IDS (CIDS) to handle larger networks as they scale up (Cox & Gerg, 2004).

A centralized IDS (CIDS) has no limitations on inspecting incoming network traffic. Its noticeable advantages include no effect on host performance; it is transparent, can monitor multiple hosts, and is tamper resistant. The centralized IDS can detect attacks on the network that are not visible from any single host. Its disadvantages include difficulty in deployment and detailed configuration, problems with encrypted channels, and the need to cope with vast volumes of data. The system cannot guarantee an automated solution or manage hardware failures. An example of an existing system is CSM, which analyzes IP traffic and sniffs packets to indicate any possible misuse (Cox & Gerg, 2004).

1.2.2 Attack correlation

This process receives fused alerts following an attack and correlates them by applying correlation rules. Attack correlation ranges from simple to elaborate, following a partial or complete intrusion scenario. The two principal techniques for correlating attack alarms are distributed correlation, which involves a quadratic increase in data exchange, and correlation scheduling, which involves the controlled formation and dissolution of node and group relations in the specified network (Michael et al, 2012).

Even with constant monitoring of networks, coordinated attacks that occur simultaneously in the system are difficult to detect with an IDS. The correlation algorithms involved in the process, after receiving fused alerts, correlate them into the alarm system. The two principal techniques enable the generation of scenario alerts, because the complete intrusion correlates with the fusion process of the attack (Di & Mancini, 2008). User information and network access with firewall measures are actively updated through distributed correlation, which gives the system greater customization to accommodate the needs of a client. The quadratic increase in data exchange and the correlation scheduling enable the administrator to custom build highly individualized network security monitoring. This is drawn from evident attacks on the network system, by examining specified activity patterns that form a masquerade outside the network's security. The system is capable of monitoring all activities of outside threats to the network and the behavior patterns that constitute active operating threats (Di & Mancini, 2008).

2.1 Host Based IDS.

What is this?

A host-based IDS serves as a detection checker that examines the internal system of the computing machine. It monitors the performance of the computing structure and checks all incoming documents on the computer, which enables it to keep the computer safe from external attacks. The IDS scrutinizes any external device that holds data before it accesses the computer (Malik, 2003). A host-based IDS maintains security checks and ensures that all the documents on the machine are stored safely from attacks. It does not allow another user's password to open the same links, thus keeping one's documents saved on the computer safe. Intruders in this case are easily traceable from the application.

Where it can be used?

Users and network managers benefit from this application since, when run on servers, it is able to detect malware and various security attacks. Even after a computer is formatted or loses some of its saved documents or files, the data can be retrieved in the same form in which it was saved. The host-based IDS has also helped protect computers from attacks because of the antivirus component that protects the computer (Khadraoui & Herrmann, 2007). A host-based IDS protects the computer from access by attackers and hackers since it holds the passwords to every file on the computer; if the passwords on the machine do not match those in memory, there is no entry to the saved data.

Advantages and disadvantages

A host-based IDS prevents unauthorized document access and infiltration anywhere on the computer, whether in files or in RAM. It may be used in different ways and on different machines, for instance on workstations, notebooks or servers. It enhances security in these places because many members of the public use them. At workstations everyone should have his or her own privacy, and the host-based IDS helps keep the documents stored on the computer private (Hay, Cid & Bray, 2008).

A host-based IDS remembers every action that has taken place on the computer; the details and saved work remain in the computer's memory with the help of the host-based IDS, making the computer a safe place to store confidential documents. A host-based IDS also verifies that saved documents have not been altered, and if they have, it keeps a sample of the document with details such as its date, size and when it was last modified. This makes it effective, since one can tell whether the document has been interfered with (Hay, Cid & Bray, 2008).

Host-based IDS also have limitations, since they only detect interference with a document if they are aware of the intrusion; if a new intruder interferes with a document and the IDS has not been updated, it might not detect the intruder. The problem of illegal access to data is addressed by the user updating his or her computer regularly so that new intruders are detected. In some cases the IDS on the computer is itself attacked, since it sits alongside the documents the intruders want to destroy, and they may end up destroying the entire security system.

The host-based IDS serves in detecting both DoS and DDoS attacks, consequently protecting the computer system from intrusion. Most security-breaking attempts occur within organizations. With a host-based intrusion detection system in place, intrusions are detected within a specified time interval. The node using the computerized system in the organization is in most cases checked along with the neighboring nodes, which ensures that intrusions do not spread from an adjacent computer to the main server of the firm. For this reason, the number of intrusions entering the system is reduced to zero (Hay, Cid & Bray, 2008). The host-based IDS also uses a Bloom filter, which is vital in sifting the information sent to the main server.

2.2 Network Based IDS

What is this?

A network-based IDS is a kind of security system enacted to protect a network or a set of networks. It performs activities similar to those of the host-based IDS, except that the host-based IDS only secures the software and user activities on a single host (Brenton & Hunt, 2002). A NIDS deployment may require one or several servers for management functions, sensors to scrutinize packet exchange, and one or more management consoles for the operator interface. To analyze traffic patterns, users need to involve the sensor, the running server, or a combination of the two to catch any abnormality in the system.

Where it can be used

The NIDS is used as a link between the earlier security systems for single-host intrusion detection and multiple hosts; it connects to the communication network of the computing system. Recently NIDS have developed to detect major network problems, such as the graph-based intrusion detection system that detects attacks on large networks, where the resulting graph shows the differences between attacks. EMERALD is a system with a special design that provides scalable intrusion detection in large networks (Canavan, 2001).

 

Advantages and disadvantages

NIDS have some advantages similar to those of the HIDS: both hinder security attacks from accessing files on a system. The intrusion detection process ensures that employees are checked and prevents the firm's top secrets from any access. NIDS keeps security data that enables the identity of an intruder to be detected. It records many activities showing any action entering or leaving the network, and it determines everything done across the network; for instance, one may tell what the other person at the end of the room is doing on the computer if they are on the same network.

NIDS also have disadvantages, in that a computer system with this software requires frequent updates to maintain its security. After some time, intruders may gain access to the computer and go unnoticed because the system is not aware of the malpractice (Brenton & Hunt, 2002). The device used to store the collected information has limited space, so some of the required information may be lost when storage runs low. Intrusion detection systems are unable to distinguish accidental activities, which may lead to stalling of the whole network. They are also difficult to set up, and the software is difficult to install on the computers.

The network-based IDS is vital in screening the traffic received by the computerized systems. In most cases the installed sensor configuration checks the information sent to the computer before the user accesses the data. This prevents most of the viruses circulating on the internet from damaging the computer's software packages. Some of the dangerous attacks prevented by the network-based IDS include Trojans and worms, and preventing these plays a chief role in preserving and maintaining the data on the computer (Brenton & Hunt, 2002).

Some existing systems

There are two types of working systems, namely inline and passive. An inline sensor monitors the traffic that passes through the sensor; this may be achieved by combining devices such as a NIDS and a firewall, and does not need extra hardware (Canavan, 2001). A passive sensor monitors a copy of the traffic, which does not pass through the sensor. The passive system is more efficient than the inline system, since it does not require combination with any other device, which reduces delays in the passage of information.

Data privacy

In most organizations, data privacy plays a major role in contributing to competitive advantage. The organization stores secret information that is confidential, and yet some employees in the organization share private details with intruders. Installing a network-based IDS on the firm's computer systems helps to reduce unauthorized access. The network-based IDS does not permit all employees in the organization to access the private and secret details of the management strategies in use (Canavan, 2001). The network-based IDS is thus vital in implementing data privacy in the computerized systems.

 

References

Brenton, C., & Hunt, C. (2002). Mastering network security. San Francisco, CA: SYBEX.

Canavan, J. E. (2001). Fundamentals of network security. Boston: Artech House.

Cox, K., & Gerg, C. (2004). Managing security with Snort and IDS tools: Intrusion detection with open source tools. Beijing: O'Reilly.

Dastjerdi, A., & Bakar, K. (2008). A Novel Hybrid Mobile Agent Based Distributed Intrusion Detection System. Proceedings of World Academy of Science: Engineering & Technology, 47, 116-119.

Deb, N., Chakraborty, M., & Chaki, N. (2011). The Evolution of IDS Solutions in Wireless Ad-Hoc Networks to Wireless Mesh Networks. International Journal of Network Security & Its Applications, 3(6), 39-58. doi:10.5121/ijnsa.2011.3603

Di, P. R., & Mancini, L. V. (2008). Intrusion detection systems. Boston, MA: Springer.

Forootaninia, A. A., & Ghaznavi-Ghoushchi, M. B. (2012). An Improved Watchdog Technique Based on Power-Aware Hierarchical Design for IDS in Wireless Sensor Networks. International Journal of Network Security & Its Applications, 4(4), 161-178. doi:10.5121/ijnsa.2012.4411

Hay, A., Cid, D., & Bray, R. (2008). OSSEC host-based intrusion detection guide. Burlington, MA: Syngress Pub.

Khadraoui, D., & Herrmann, F. (2007). Advances in enterprise information technology security. Hershey, PA: Information Science Reference.

SURFnet. (2006). A Distributed Intrusion Detection System based on passive sensors. Utrecht: SURFnet, Postbus 19035. Retrieved from http://ids.surfnet.nl/downloads/abstract-DIDS.pdf

Malik, S. (2003). Network security principles and practices: Expert solutions for securing network infrastructures and VPNs (CCIE professional development). Indianapolis, IN: Cisco Press.

Mamun, M., & Kabir, A. (2010). Hierarchical Design Based Intrusion Detection System for Wireless Ad Hoc Sensor Network. International Journal of Network Security & Its Applications, 2(3), 102-117. doi:10.5121/ijnsa.2010.2307

Mishra, M., Pattanayak, B., Jagadev, A., & Nayak, M. (2011). Collaborative Intrusion Detection System (CIDS) for Application-Specific Ad Hoc Networks. European Journal of Scientific Research, 66(1), 55-67.

Locasto, M. E., Parekh, J. J., Stolfo, S., Keromytis, A. D., Malkin, T., & Misra, V. (2012). Collaborative distributed intrusion detection. Department of Computer Science, Columbia University. Retrieved from http://www.cs.columbia.edu/techreports/cucs-012-04.pdf

Shimonski, R. (2003). Building DMZs for Enterprise networks. Rockland, MA: Syngress Pub.

Yu, Z., & Tsai, J. J.-P. (2011). Intrusion detection: A machine learning approach. London: Imperial College Press.
