ant colony optimization based distributed intrusion detection system


Upload: bogdan-ivascu

Post on 31-Oct-2014


Page 1: Ant Colony Optimization Based Distributed Intrusion Detection System

ACO BASED DISTRIBUTED INTRUSION DETECTION SYSTEM

Bogdan Ivascu, SSA

[email protected]

Page 2:

About the paper

ACO based Distributed Intrusion Detection System

Authors: S. Janakiraman (1), V. Vasudevan (2)

(1) PSR Engineering College, Sivakasi, India
(2) A.K. College of Engineering, Krishnankoil, India

International Journal of Digital Content Technology and its Applications, Volume 3, Number 1, March 2009

Page 3:

Contents

Intrusion detection

Distributed Intrusion Detection Systems

ACO algorithm

Experimental results

Conclusions

Page 4:

Intrusion detection (1)

Problem:
- exposing sensitive information to intruders
- compromise of confidentiality
- denial of resources
- unauthorized use of resources

Solution: Intrusion Detection Systems (IDS)
- identify all possible intrusions
- recommend actions to stop the attacks

Page 5:

Intrusion detection (2)

Techniques in traditional IDS:
- log files
- network traffic

Must develop fast machine-learning-based intrusion detection algorithms with:
- high detection rates
- low false alarm rates

Ideal response: stop the activity

Page 6:

Intrusion detection (3)

Page 7:

IDS Classification (1)

Misuse intrusion detection
- uses signatures or rules that describe undesirable events
- performs some action when the pattern matches an event or data

Anomaly intrusion detection
- detects general misuse and attacks for which no signature exists
- constructs a model according to statistical knowledge about the normal activity

Page 8:

IDS Classification (2)

Network-based system (NIDS)
- individual packets flowing through a network are analyzed
- sensors are placed at strategic points within the network to monitor traffic to and from all devices

Host-based system (HIDS)
- examines all the activity on each individual computer (host)
- analyzes host activities: system calls, application logs, file-system modifications etc.

Page 9:

IDS Classification (3)

Passive system
- detects a potential security breach, logs the information and signals an alert
- alerts are sent to the administrator and it is up to them to take action

Reactive system
- the IDS responds to the suspicious activity
- logs off a user
- reprograms the firewall to block network traffic from the suspected malicious source

Page 10:

IDS Requirements

Adaptability, Concurrency, Efficiency and Reliability, Escalating Behavior, Extensibility, Flexibility, Manual Control, Recognition, Resistance to compromise, Software Response, Scalability

Page 11:

Distributed Intrusion Detection Systems

Page 12:

Communication architecture

Page 13:

Ant Colony Optimization (1)

Ants are capable of finding the shortest path from a food source to their nest.

They are adaptive to changes in the environment for finding a new shortest path once the old path is no longer feasible.

On the way ants deposit pheromone to mark the route taken.

The concentration of pheromone on a certain path is an indication of the path’s length.

Page 14:

Ant Colony Optimization (2)

Route selection

Page 15:

ACO Algorithm

input: an instance x of a Combinatorial Optimization problem
while termination conditions not met do
    Schedule Activities
        Ant based Solution Construction()
        Pheromone Update()
        Daemon Actions()
    end Schedule Activities
    Sbest ← best solution in the population of solutions
end while
output: Sbest, candidate to optimal solution for x
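The pheromone mechanism from Page 13 and the algorithm skeleton above, worked through as an added example (this is not code from the slides or from the Janakiraman and Vasudevan paper): a small ACO that finds the shortest nest-to-food route on a constructed toy graph, with the three scheduled activities as separate functions and Sbest tracked across iterations. The graph, the parameters alpha, beta and rho, and the elitist reinforcement used as the daemon action are all assumptions for illustration.

```python
import random

# Constructed toy graph (assumed, not from the slides): node -> {neighbor: edge cost}.
# Shortest nest-to-food route is nest -> a -> c -> food with cost 3.0.
GRAPH = {
    "nest": {"a": 1.0, "b": 4.0},
    "a": {"c": 1.0, "food": 6.0},
    "b": {"food": 1.0},
    "c": {"food": 1.0},
    "food": {},
}

def path_cost(path):
    return sum(GRAPH[u][v] for u, v in zip(path, path[1:]))

def construct_solution(pher, rng, alpha=1.0, beta=2.0):
    """Ant based Solution Construction(): one ant walks from nest to food, picking
    each next edge with probability proportional to pheromone^alpha * (1/cost)^beta."""
    path = ["nest"]
    while path[-1] != "food":
        u = path[-1]
        choices = [v for v in GRAPH[u] if v not in path]
        if not choices:
            return None  # dead end: this ant's walk is discarded
        weights = [pher[(u, v)] ** alpha * (1.0 / GRAPH[u][v]) ** beta for v in choices]
        path.append(rng.choices(choices, weights)[0])
    return path

def pheromone_update(pher, paths, rho=0.5):
    """Pheromone Update(): evaporate a fraction rho everywhere, then every ant
    deposits 1/length on the edges it used, so shorter routes gain more."""
    for e in pher:
        pher[e] *= (1.0 - rho)
    for p in paths:
        for e in zip(p, p[1:]):
            pher[e] += 1.0 / path_cost(p)

def daemon_actions(pher, best):
    """Daemon Actions(): a centralized step; here, elitist reinforcement of Sbest."""
    for e in zip(best, best[1:]):
        pher[e] += 1.0 / path_cost(best)

def aco_shortest_path(iterations=30, ants=10, seed=1):
    rng = random.Random(seed)  # seeded so the run is reproducible
    pher = {(u, v): 1.0 for u in GRAPH for v in GRAPH[u]}
    s_best = None
    for _ in range(iterations):  # "while termination conditions not met"
        paths = [p for p in (construct_solution(pher, rng) for _ in range(ants)) if p]
        pheromone_update(pher, paths)
        cand = min(paths, key=path_cost, default=None)
        if cand and (s_best is None or path_cost(cand) < path_cost(s_best)):
            s_best = cand  # Sbest <- best solution in the population
        if s_best:
            daemon_actions(pher, s_best)
    return s_best, pher
```

After the run the pheromone on (a, c) exceeds that on (a, food), which is the "concentration indicates path length" effect from Page 13.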

Page 16:

Experimental results (1)

Dataset: 1998 DARPA intrusion detection evaluation program by MIT Lincoln Labs

6 features are used in the ACO algorithm: connection duration, protocol, source port, destination port, source IP address and destination IP address

24 attack types

22,000 attack data records and 10,000 normal data records are prepared for training

22,000 attack instances and 10,000 normal data records are selected as testing data

Page 17:

Experimental results (2)

Page 18:

Experimental results (3)

Page 19:

Experimental results (4)

Page 20:

Conclusions

- Meta-heuristic DIDS architecture for scalable intrusion detection and prevention in distributed networks
- Ant based DIDS can significantly improve the overall performance of existing DIDS
  - High detection rate
  - Low false positive rate – can recognize normal network traffic

Page 21:

Thank you!