D-SCIDS: Distributed soft computing intrusion detection system
Introduction
An intrusion is any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. Intrusion detection is classified into two types: misuse intrusion detection and anomaly intrusion detection (Mukkamala et al., 2005). Misuse intrusion detection uses well-defined patterns of attacks that exploit weaknesses in system and application software; these patterns are encoded in advance and matched against observed user behavior to detect intrusions. Anomaly intrusion detection instead uses patterns of normal usage: a normal profile is constructed from statistical measures of the system features, the user's behavior is observed, and any deviation from the constructed normal behavior is reported as an intrusion (Denning, 1987; Summers, 1997).

In a Distributed Intrusion Detection System (DIDS), conventional intrusion detection systems are embedded inside intelligent agents and deployed over a large network. In a distributed environment the IDS agents communicate with each other or with a central server. By having these co-operating agents distributed across a network, incident analysts, network operations and security personnel get a broader view of what is occurring on the network as a whole. Distributed monitoring allows early detection of planned and coordinated attacks, so that network administrators can take preventive measures. A DIDS also helps to contain the spread of worms, improves network monitoring, incident analysis and attack tracing, and helps to detect new threats from unauthorized users, back-door attackers and hackers across multiple geographically separated locations (Abraham and Thomas, 2005). In a DIDS it is therefore important that the individual IDSs are both lightweight and accurate.
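The two detection styles described above, side by side, as an added example that is not code from the paper: a misuse detector matches attack patterns encoded in advance against the request payload, and an anomaly detector profiles the mean and standard deviation of two numeric features over traffic assumed to be normal and flags anything more than k standard deviations away. The connection records, the signatures, the field names and the threshold k are all constructed assumptions for illustration.

```python
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

# Added example, not code from the paper. Every record, signature and
# threshold below is a constructed assumption for illustration only.


@dataclass(frozen=True)
class Conn:
    """One observed connection (constructed, not from a real capture)."""
    src: str
    dst_port: int
    bytes_sent: int   # bytes the server sent back
    duration: float   # seconds
    payload: str      # first request line, as seen by the sensor


# --- Misuse detection: attack patterns encoded in advance -------------------
SIGNATURES = {
    "php-cgi-arg-injection": re.compile(r"-d\s*allow_url_include", re.I),
    "directory-traversal": re.compile(r"(\.\./){2,}"),
    "shell-in-payload": re.compile(r"/bin/(ba)?sh\b"),
}


def misuse_detect(conn: Conn) -> list[str]:
    """Names of every pre-encoded pattern the payload matches."""
    return [name for name, pat in SIGNATURES.items() if pat.search(conn.payload)]


# --- Anomaly detection: statistical profile of normal behaviour -------------
def features(conn: Conn) -> dict[str, float]:
    """Numeric features that get profiled (deliberately a small set)."""
    return {"bytes_sent": float(conn.bytes_sent), "duration": conn.duration}


class AnomalyProfile:
    """Per-feature mean and stdev learned from traffic assumed to be normal."""

    def __init__(self, normal: list[Conn], k: float = 3.0):
        self.k = k  # report |z| > k standard deviations
        self.stats = {}
        for name in features(normal[0]):
            col = [features(c)[name] for c in normal]
            # floor the stdev so a constant feature cannot divide by zero
            self.stats[name] = (statistics.fmean(col), max(statistics.stdev(col), 1e-9))

    def deviations(self, conn: Conn) -> list[str]:
        """Features of this connection that lie outside the normal profile."""
        flagged = []
        for name, value in features(conn).items():
            mean, sd = self.stats[name]
            if abs((value - mean) / sd) > self.k:
                flagged.append(name)
        return flagged


def detect(profile: AnomalyProfile, conn: Conn) -> list[str]:
    """Run both detectors; each label is prefixed with the detector that raised it."""
    alerts = [f"misuse:{n}" for n in misuse_detect(conn)]
    alerts += [f"anomaly:{f}" for f in profile.deviations(conn)]
    return alerts


# Constructed training traffic: ordinary browsing of one web server.
NORMAL = [
    Conn("10.0.0.11", 80, b, d, p)
    for b, d, p in [
        (400, 0.4, "GET /index.html HTTP/1.1"),
        (420, 0.5, "GET /images/logo.png HTTP/1.1"),
        (380, 0.3, "GET /style.css HTTP/1.1"),
        (450, 0.6, "POST /login HTTP/1.1"),
        (410, 0.4, "GET /news HTTP/1.1"),
        (390, 0.5, "GET /about.html HTTP/1.1"),
        (430, 0.4, "GET /contact.html HTTP/1.1"),
        (400, 0.5, "GET /faq.html HTTP/1.1"),
    ]
]
PROFILE = AnomalyProfile(NORMAL)

# Constructed suspect traffic: one known exploit pattern, one bulk download
# that matches no pattern, one traversal attempt.
SUSPECT = [
    Conn("10.0.0.99", 80, 410, 0.4, "GET /cgi-bin/php?-d allow_url_include=1 HTTP/1.1"),
    Conn("10.0.0.42", 80, 90000, 0.5, "GET /report.pdf HTTP/1.1"),
    Conn("10.0.0.77", 80, 400, 0.4, "GET /../../../../etc/passwd HTTP/1.1"),
]

if __name__ == "__main__":
    for c in NORMAL + SUSPECT:
        print(f"{c.src:<10} {c.payload[:45]:<45} {detect(PROFILE, c)}")
```

The point of running both over the same records: the bulk download is caught only by the anomaly profile, because no signature describes it, while the two exploit attempts are caught only by the signatures, because their byte counts and durations look entirely normal. The anomaly side has the usual caveat: whatever is in the training set defines "normal", so training on traffic that already contains attacks bakes them into the profile.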
Data mining approaches to intrusion detection were first applied in mining audit data to build models for automated intrusion detection (Barbara et al., 2001; Cohen, 1996; Lee et al., 1999). Several data mining algorithms are applied to audit data to compute models that accurately capture the actual behavior of intrusions as well as of normal activities; audit data analysis and mining combine association rules with a classification algorithm to discover attacks in audit data. Soft Computing (SC) is an approach to constructing computationally intelligent systems from artificial neural networks, fuzzy inference systems, approximate reasoning and derivative-free optimization methods such as evolutionary computation (Zadeh, 1998). This paper introduces three fuzzy rule-based classifiers (Abraham et al., 2004) and compares their performance with Linear Genetic Programming (LGP) (Abraham, 2004), Support Vector Machines (SVM) (Vapnik, 1995) and Decision Trees (DT) (Breiman et al., 1984; Peddabachigari et al., 2004). Further, we model a Soft Computing-based IDS (SCIDS) (Abraham et al., 2004) as a combination of different classifiers, yielding both lightweight and more accurate (heavyweight) IDS. The rest of the paper is organized as follows. Section 2 gives a brief overview of research on distributed intrusion detection systems. Soft computing for intrusion detection is introduced in Section 3, followed by the importance of attribute reduction (selecting the important features) in Section 4. Experimental results are also presented in Section 4, followed by conclusions in Section 5.
Distributed intrusion detection system (DIDS)
A number of IDSs have been proposed for a networked or distributed environment. Early systems included ASAX (Mouinji et al., 1995), DIDS (Snapp et al., 1999) and NSTAT (Kemmerer, 1997). These systems require the audit data collected from different places to be sent to a central location for analysis. NetSTAT (Vigna and Kemmerer, 1999) is another example of such a system. In NetSTAT attack scenarios are modeled as hypergraphs and places are probed for network activities. Although NetSTAT also
Soft computing
Soft computing was first proposed by Zadeh (1998) to construct a new generation of computationally intelligent hybrid systems consisting of neural networks, fuzzy inference systems, approximate reasoning and derivative-free optimization techniques. It is well known that intelligent systems which can provide human-like expertise, such as domain knowledge, uncertain reasoning, and adaptation to a noisy and time-varying environment, are important in tackling practical computing problems. In contrast
Experimental setup and results
Complex relationships exist between features, which are difficult for humans to discover. The IDS must therefore reduce the amount of data to be processed. This is very important if real-time detection is desired. The easiest way to do this is by doing an intelligent input feature selection. Certain features may contain false correlations, which hinder the process of detecting intrusions. Further, some features may be redundant since the information they add is contained in other features.
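An added example (not the paper's own feature-selection method) of the intelligent input feature selection the paragraph calls for: rank candidate features by the information gain of a split at each feature's median, drop features whose gain is negligible, and drop any feature that is almost perfectly correlated with a higher-ranked feature already kept, since it adds nothing the kept feature does not. The twelve connection records, the five feature names and the two thresholds are constructed for illustration.

```python
import math
import statistics

# Added example, not the paper's feature-selection method. The dataset is
# constructed: 12 connection records, five candidate features, label 1 = attack.
FEATURES = ["duration", "src_bytes", "count", "srv_count", "noise"]


def _row(duration, src_bytes, count, srv_count, noise):
    return dict(zip(FEATURES, (duration, src_bytes, count, srv_count, noise)))


X = [
    # six normal connections: short, carry request bytes, few connections/host
    _row(0.4, 230, 1, 2, 3),
    _row(0.5, 310, 2, 2, 7),
    _row(0.3, 180, 3, 4, 2),
    _row(0.6, 500, 2, 2, 9),
    _row(0.4, 420, 4, 5, 4),
    _row(0.5, 260, 5, 5, 8),
    # six scan-like connections: srv_count tracks count almost exactly,
    # and "noise" is independent of the label by construction
    _row(0.0, 0, 200, 201, 5),
    _row(0.0, 0, 300, 300, 1),
    _row(0.1, 0, 250, 251, 6),
    _row(0.0, 0, 400, 400, 9),
    _row(0.5, 150, 500, 501, 3),
    _row(0.4, 320, 450, 450, 7),
]
Y = [0] * 6 + [1] * 6


def entropy(labels):
    """Shannon entropy in bits of a label list (0.0 for an empty or pure list)."""
    n = len(labels)
    return -sum((labels.count(c) / n) * math.log2(labels.count(c) / n) for c in set(labels))


def info_gain(values, labels):
    """Gain of splitting the label at the feature's median: cheap, and enough to rank."""
    thr = statistics.median(values)
    hi = [y for v, y in zip(values, labels) if v > thr]
    lo = [y for v, y in zip(values, labels) if v <= thr]
    n = len(labels)
    return entropy(labels) - (len(hi) / n * entropy(hi) + len(lo) / n * entropy(lo))


def pearson(a, b):
    """Linear correlation between two feature columns; 0.0 if either is constant."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def rank_features(rows, labels):
    return {f: info_gain([r[f] for r in rows], labels) for f in FEATURES}


def select_features(rows, labels, max_corr=0.95, min_gain=0.05):
    """Keep informative features; skip ones redundant with a feature already kept."""
    gains = rank_features(rows, labels)
    ordered = sorted(FEATURES, key=lambda f: -gains[f])  # stable: ties keep FEATURES order
    kept = []
    for f in ordered:
        if gains[f] < min_gain:
            continue  # carries (almost) no label information at this split
        col = [r[f] for r in rows]
        if any(abs(pearson(col, [r[k] for r in rows])) > max_corr for k in kept):
            continue  # redundant: its information is already in a kept feature
        kept.append(f)
    return kept, gains


if __name__ == "__main__":
    kept, gains = select_features(X, Y)
    for f in sorted(FEATURES, key=lambda f: -gains[f]):
        print(f"{f:<10} gain={gains[f]:.3f} {'kept' if f in kept else 'dropped'}")
```

On the constructed data, count and srv_count both separate the classes perfectly, so both get the maximum gain, and srv_count is dropped only because it is correlated with count at r close to 1; noise has zero gain at the median split and is dropped for that reason. A median split is a crude gain estimate (a feature whose signal sits in the tails can score low), so in practice the gain computation is the part to replace, while the redundancy check stays as it is.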
Conclusions
Effective intrusion detection and management systems are critical components of cyber infrastructure, as they are at the forefront of the battle against cyber-terrorism. In this paper, we presented a framework for Distributed Intrusion Detection Systems (DIDS) using several soft computing paradigms. We also demonstrated the importance of feature reduction for modeling lightweight intrusion detection systems. Finally, we propose a hybrid architecture involving ensemble and base classifiers for
Acknowledgments
This research was supported by the International Joint Research Grant of the Institute of Information Technology Assessment (IITA) foreign professor invitation program of the Ministry of Information and Communication (MIC), Korea.
References
- Mitigation of network tampering using dynamic dispatch of mobile agents. Comput Security (2004).
- Intrusion detection inter-component adaptive negotiation. Comput Networks (2000).
- Lightweight agents for intrusion detection. J Systems Software (2003).
- Mukkamala S, et al. Intrusion detection using ensemble of soft computing and hard computing paradigms. J Network Comput Appl (2005).
- Design and implementation of a decentralized prototype system for detecting distributed attacks. Comput Commun (2002).
- Intrusion detection using autonomous agents. Comput Networks (2000).
- Evolutionary computation in intelligent web management. In: Evolutionary computing in data mining.
- Abraham A, Thomas J. Distributed intrusion detection systems: a computational intelligence approach (2005).
- Abraham A, Jain R, Sanyal S, Han SY. SCIDS: a soft computing intrusion detection system. Sixth international workshop...
- Barbara D, et al. ADAM: a testbed for exploring the use of data mining in intrusion detection. SIGMOD Rec (2001).
- Breiman L, et al. Classification and regression trees (1984).
- Cohen W. Learning trees and rules with set-valued features (1996).
- Denning D. An intrusion-detection model. IEEE Trans Software Eng (1987).
- Computer immunology. CACM.