The system that monitors the events occurring in a computer system or a network and analyzes the events for sign of intrusions is known as intrusion detection system. The performance of the intrusion detection system can be improved by combing anomaly and misuse analysis. This chapter proposes an ensemble multi-agent-based intrusion detection model. The proposed model combines anomaly, misuse, and host-based detection analysis. The agents in the proposed model use rules to check for intrusions, and adopt machine learning algorithms to recognize unknown actions, to update or create new rules automatically. Each agent in the proposed model encapsulates a specific classification technique, and gives its belief about any packet event in the network. These agents collaborate to determine the decision about any event, have the ability to generalize, and to detect novel attacks. Empirical results indicate that the proposed model is efficient, and outperforms other intrusion detection models.
Top1. Introduction
Heavy reliance on the Internet has greatly increased the potential damage that can be inflicted by remote attacks launched over the Internet. It is difficult to prevent such attacks by security policies, firewalls, or other mechanisms. The computer system and the applications always contain unknown weaknesses or bugs attackers continually exploit them. Intrusion Detection Systems (IDS) are designed to detect attacks, which inevitably occur despite security precautions. A powerful IDS is flexible enough to detect novel attacks (i.e. it has the ability to generalize). The accuracy of the IDS depends on the false positive rate and the false negative rate measuring criteria. False positive rate calculates the rate of events that are considered to be intrusions where they are in fact normal events. However, false negative rate measures the rate of intrusions that are considered to be normal where they are in fact intrusion events.
Signature based Intrusion Detection (SID) uses specific known patterns of suspicious behavior to detect subsequent similar patterns, such patterns are called signatures. A good example for SID is a signature that can be as simple as a specific pattern that matches a portion of a network packet. For instance, packet header content signatures can indicate unauthorized actions. Once an intrusion action is detected, it triggers an alert or takes the initiative to do the proper action against the source of the attack (i.e. forward the traffic back to its source). The main disadvantage of this type of detection is that it cannot detect new signature attacks. It suffers also from the problem of signature updating. Snort is a well known example of SID (Roesch, 1999) on the other hand, Anomaly based Intrusion Detection (AID) identifies the normal usage behavior in advance and anything that does not match such behavior will be considered as suspicious actions. AID has the ability to generalize and to detect novel anomalies but cannot determine if the anomaly is caused by intrusive behavior or not. Hence, it generates higher false rate. USAID is an example of AID (Zhuowei et. al., 2005).
Several machine learning paradigms including Neural Networks (NN) (Mukkamala et. al., 2003), Linear Genetic Programming (LGP) (Mukkamala et. al., 2004), Support Vector Machines (SVM) (Mukkamala et. al., 2004), Bayesian Networks (BN) (Feng et. al., 2009), Multivariate Adaptive Regression Splines (MARS) (Mukkamala et. al., 2004), Decision Tree (DT) (Sandhya et. al., 2007), and Fuzzy Inference Systems (FISs) (Shah et. al., 2004) have been investigated for the design of the IDS.