General Study of Mobile Agent Based Intrusion Detection System ( IDS )

The extensive access of network interaction has made present networks more responsive to earlier intrusions. In distributed network intrusions, there are many computing nodes that are assisted by intruders. The evidence of intrusions is to be associated from all the held up nodes. From the last few years, mobile agent based technique in intrusion detection system (IDS) has been widely used to detect intrusion over distributed network. This paper presented survey of several existing mobile agent based intrusion detection system and comparative analysis report between them. Furthermore we have focused on each attribute of analysis, for example technique (NIDS, HIDS or Hybrid), behavior layer, detection techniques for analysis, uses of mobile agent and technology used by existing IDS, strength and issues. Their strengths and issues are situational wherever appropriate. We have observed that some of the existing techniques are used in IDS which causes low detection rate, behavior layers like TCP connection for packet capturing which is most important activity in NIDS and response time (technology execution time) with memory consumption by mobile agent as major issues.


Introduction
These days' threats have become prominent.To have a better knowledge, controlling and managing cyber security risks have become utmost demand of time for the representatives of either government, or the private firms.Various organizations responses are reflected by their action.Moreover, they are stepping towards the new and innovative ideas or technologies like cloud-enabled cyber security, Big Data analytics, IDS, IPS, Firewalls and advanced authentication to reduce cyber-risks and improve cyber security programmers.Businesses are also covering up a more cooperative approach to cyber security; one way is to share the potential threats and responses with external partners.As per the recent market research worldwide spending on IT security is set to increase 4.7 percent in 2015 to $75.4 billion, and it is projected to spend $101 billion on information security in coming 2018 [1].We may expect that this cyber security market will have an exponential growth of $170 billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020, it has figured out from the market reports that the expertise, like the aerospace, defense, and intelligence, is likely to be the largest contributor to cyber security solutions [1].Intrusion detection system (IDS) is required, whenever the Affinity, integrity, and availability of computer resources are under attack, it will help to expose and respond completely.From all such affected nodes the evidences of intrusions have to be combined.An intruder may move in multiple nodes in the network.Due to this the root of attack is concealed [2].

Intrusion Detection System
Most necessary task of Intrusion Detection System (IDS) is the analysis on computer networks [2].Intrusion Detection Systems (IDS) is considered as one of security tools there are few other measures such as anti-virus software, firewall, digital signature scheme and access control scheme, it has widely used for enhance computer security .itcan be done in two ways: the analysis approach and the placement of this method [2] [3].IDS are of two types one is anomaly detection and the other is misuse detection.Of normal behavior model is made by anomaly detection system, and any deviation from it is automatically detected, Rendering the latter as suspect [4] abnormal behaviors and deviations from normal activities are detected by this system using methods such as statistical analysis, machine learning, neural networks, and sequential analysis.It is also efficient to identify previously unknown attacks, but also led to false alarm rates because of the anomalies.Each part of misuse detection system in a data set is designed as normal or intrusion and a learning algorithm is applied over the labeled data [4] [5].Misuse detection systems is that its use patterns of well known attacks or weak spots use this system to match and identify known intrusions, say for example we cite the network IDS SNORT.SNORT is configured by making use of database signatures which characterize network packets that have the potential of being malicious [6].SNORT monitors a network connection by using this database and marks the network packets that match any of the configured signatures.However, this techniques, in general, are not effective against novel attacks without any matched rules or patterns [6].Traditionally the IDS are classified as either network-based or host-based.Network-based systems control and monitor the network traffic and identify packet transmissions for any suspicious behavior.On the other hand Host-based systems are made for single hosts, and operate on system data of low label, such as patterns of system calls, file access, or process usage.They can monitor for suspicious behavior, or they can scan configurations to detect potential threats [6] [7].The existing IDS models have same features: (1) a database containing few thousand patterns, of different lengths, and (2) the patterns may be seen anywhere in any packet payload.For instance, Snort is an open-source (NIDS), Network-based Intrusion Detection System which has proven utility to listen in packets on a network link, characterize anomalous intruder behavior with a set of patterns, and generate logs and alerts by predefined actions [8].

Agent Based IDS
The performance of IDS can be increased by using an agent.Agent Based IDS has following advantages which are following [10]:  Decrease Network Flow: the process functions of central node to network nodes are distributed by systems and computed by agents in network nodes.Malicious data package can be identified by system and send computing result to other nodes in network if there is abnormal information in data flow. Improvement Autonomous Computing and Adaptation Capacity: Agent is autonomous independent unit.
Other agents remain effective even though a few agents do not work for some reasons. Platform Irrelevance: agent based on IDS can work in diverse environment and implement interoperation on the application layer for agents are independent of the computer and transformation layer and work in nodes with agent. Better Maintainability: Agent can response network topology dynamic changing as system can independent start and stop agent so IDS is configured dynamically.

Mobile Agent
Mobile Agent is a self-contained and easily detectable computer autonomous program, outfitted with their code, data, and execution state that can move within a heterogeneous network of computer systems [9].Such agents are useful in various industrial applications like automation of spacecraft, game playing, steering cars, medical diagnosis, robotics, language understanding and problem solving.Following are the advantages of using mobile agents in IDS [9].

Related Work
The use of mobile agent in computer networks has proved its utility and being used extensively in computer networks to detect threats.There are many present mobile agent based intrusion detection systems (IDS) are lagging behind due to its bed response time and big size [10].Description of existing mobile agent based intrusion detection system is as followed: • [11] described the prototype of an agent.This prototype used with HSA.The prototype makes use of both anomaly and misuse based models.The normal range of values for a selected set of system parameters is stored here.It also collects signatures of different attacks.At the time of scan, the agent verifies the log file and identifies the parameters which are outside the range of normal values.Then the lists of parameters which have abnormal values are matched against the signature of known attacks in order to identify the types of attack [11].• [12] represents the multi-agent design that uses distributed IDS based on ACC to identify a new and coordinated attack, and the movement of large data handling, capabilities of synchronization, the cooperation between components without the presence of centralized computing components, good detection performance to turn on warning alarm in real time.ACC is very fruitful to be applied in the method of detection of attack.
To represent large dimension of data clustering process into a two-dimensional grid space, also create chances in process of controlling to improve ACC performance further on its application in the Distributed IDS.ACC as a metaphor is able being controlled and is designed its behavior as per the needs in this case the application of DIDS.Its Ability of clustering data without guiding, movement in the unlimited search space, patterns of movement can be controlled, is used to create clusters of different types of data for normal and attack connections.• [13] proposes a multilayer technique with a Multi-agent and multilevel technique.In the 1st level the information is collected then this information is divided among the multiple agents.They have their own rule to verify this.Now in the 2nd level resulting information are gathered and pass it to the different layers such as application, session and transport.Then in the 3rd level another algorithm is detect the intrusion by agent.The benefit of multilevel detection process here is that detection is error free and all the low-level and high level intrusion is detected by the different level.In this system the attacks are completely discussed and detected.
• [14] presented a multi-agent based approach to generate an Intrusion Detection System (IDS) using data mining concept.IDSs based on Data mining have demonstrated a considerable accuracy, good generalization to novel types of intrusion, and robust behavior in an environment changing permanently.Development of IDS using the agent technology has many advantages such as add or remove the agents without changing other system components, modifying the agents to latest versions without affecting the rest of the system, the capacity of transfer information between groups of agents, obtaining more complex results than any one of them could obtain on its own.Finally intrusion detection system obtained as a result of intelligent agents and data mining techniques combination can be utilized with significant results to enhance the immunity of computer systems/networks.The framework shown here should be considered a step forward towards a complete multi-agent based system for the purpose of network security • [15] described a simple system based on multi agents for Intrusion Detection, utilized to run on general purpose devices such as web servers, this system with considerable knowledge is capable to detect port scans and "syn" attacks against a specific port, and it is capable to perform actions to prevent the suspicious attack.Also, by using its feature of mobility which is characteristics to mobile agents, the system has capability to protect several hosts in a small time frame, by triggering agents which go onto the hosts and reply the protection actions has done on the place where the attack was detected initially.• [16] proposed a mixed approach depending on the mobile agents for the detection of intrusion (HAMA-IDS).
The design of the system allows the treatment of information directly to the place where it is present via the utilization of mobile agents (aglets).Thus, the method is based on the platform Aglets for the creation and distribution of agents.These last ones can move from one post to other to analyze packets collected by the collector agents.The hybrid analysis is assured by the analyzers and redirectors agents, so that possible attacks could be detected.The proposed approach has the following postulates [16]: o The application for detection of intrusion by mobile agents for the detection of intrusion allow distribution of the Intrusion Detection system (IDS) (distinct from the centralized systems) o The use of a mixed approach make use of both type of intrusion detection (scenario and behavioral method) o The platform Aglets allow of this method to be use as a manager of the mobile agents and for their distribution.
• In [17], intrusion detection model based on multi-agents uses four kinds of agents are defined in this system, which are organized in a particular structure.The basic agents in every host or at the beginning of subnets are usually responsible for performing the simple detection and some separate coordination agents performs the response task; they are also responsible for analyzing the suspicious behavior synthetically that is not possible by lower level agents.Coordination agents are also capable to assign the task to the lower-level associated agents.Based on the hierarchical structure, the general description of the model is given.By adaptable protocols and association among some elements, this model provides dynamic adaptability to the changing environment and attacks.Apart from this the concept of coordination domain which facilitates the management of collaborative detection is also proposed.The model provides a theoretical foundation for creation of dynamically adaptive intrusion detection system.• [18] is multi-agent based technology and designs an adaptive distributed IDS model.It has good adaptive capacity and grater response and treatment on the network environment and arbitrary attack methods, also utilizes various data mining algorithm with linking detection mechanism to void the new invasion behavior.
The latest mechanism of rule library adopts LFU for the goal of elimination of pervious rules; efficiently customize the misuse detection of matching speed.Meanwhile, the source of alarm, secondary detection can effectively avoid the many times alarm phenomenon caused by the same attack, it can also reduction the rate of wrong alarms.When the system is attacked or collapsed, dynamic election algorithm of management agent with the improved algorithm Bully timely recovery system, make the simple operation of the system has good anti-destruction ability and self-restoration ability.
Based on the characteristic in the categorization of IDS using mobile agent, Table 1 summarizes analysis report of existing MA-IDSs.
From the Table 1 we can improve existing intrusion detection system using mobile agent by focusing on implementation of LSA and MSA for the agents and compare the performance of LSA, MSA.Designing IDS agent is in a distributed network, which communicates using a framework of Cooperative agent using interest.Implementations of hybrid IDS can be raise the detection rate of intrusion.Increase the full Architecture of the system, by granting fault tolerance in Control component, secured communication distribution across a network.Provide batter security of agents over network.The latest way of rule library adopts LFU for the purpose of elimination of past rules; efficiently update the misuse detection of matching speed which can be increase the efficiency of exiting intrusion detection system.

Conclusion
Literature survey of mobile agent based existing intrusion detection system using their calculative analysis and the big issues has been presented.On the basis of type of intrusion detection system, comparative analysis of various IDS using mobile agents based has been done.Different characteristics like the technique (NIDS, HIDS or Hybrid), behavior layer, detection techniques for analysis, uses of mobile agent and technology used by existing IDS, detailed comparative analysis is shown in Table 1.From Table 1 we have observed that some of the existing techniques are used in IDS which causes low detection rate, behavior layers like TCP connection for packet capturing which is the most important activity in NIDS and response time (technology execution time) with memory consumption by mobile agent as major issues.In the future we will implement a technique or suggest some specific solutions to conquer these issues.