The goal of this survey paper is to point toward the future direction of agent-based security methods for both wireless and wired networks; the agents in intrusion detection systems are presented with their advantages and disadvantages.
Since the last decade, in the network security research area, the security of mobile ad hoc networks and computer networks has become important in every individual's day-to-day life. Many tools and methods have been presented by various authors to protect wired and wireless networks from different kinds of security threats. These tools work to defend the networks from such intrusions and attacks. In this paper our main aim is to present a survey of the concepts of intrusion detection and anomaly detection, and a detailed history of the same. In addition, we review the taxonomy of different intrusion/anomaly detection methods. The goal of this survey paper is to point toward the future direction of agent-based security methods for both wireless and wired networks. Finally, the agents in intrusion detection systems are presented with their advantages and disadvantages.

Keywords – Intrusion detection, Security, SNORT, wireless networks, wired networks

I. INTRODUCTION

The approach used is the distributed or agent-based computing approach, in which not only is the workload divided between the individual processors, but the IDS is also able to obtain an overall knowledge of the network's working condition. Having an overall view of the network helps the IDS detect intrusions more accurately, and at the same time it can respond to threats more effectively. In this approach, servers communicate with one another and generate alarms. In order to respond to an attack, it can sometimes be sufficient to disconnect a subnet. In this type of system, in order to contain a threat, the distributed IDS can order servers, routers or network switches to disconnect a host or a subnet. One of the concerns with this type of system is the extra workload that the IDS imposes on the network infrastructure. The communication between the different hosts and servers in the network can produce significant traffic in the network.
The distributed approach can increase the workload of the network layers within the hosts or servers and consequently may slow them down. There are two approaches to implementing agent-based technology. In the first approach, autonomous distributed agents are used to monitor the system and communicate with the other agents in the network. Zhang et al. [46] report implementing a multi-agent based IDS in which they consider four types of agents: Basic agents, Coordination agents, Global Coordination agents, and Interface agents. Each of these agents performs a different task and has its own subcategories. For example, the basic agent includes Workstation agents, Network segment agents and Public server agents. These subcategory agents respectively work on the workstations of the network, at the subnet level, and at the public server level (Mail agent or FTP agent). In this way, the complex system is broken down into much simpler systems and becomes easier to manage. In the second approach, mobile agents are used to travel through the network and collect information or perform some tasks. Foo et al. [16] report an IDS development work [17] using mobile agents. They use Mitsubishi's Concordia platform in their work to develop a mobile agent based IDS. Using the mobile agent, the IDS performs port scanning and checks the integrity of the critical files of the system. The proposed agent based IDS raises an alarm if it detects any alteration of the critical files of the system. Mobile agents can be sent to other systems to monitor the health of the target system and to collect information. Luo et al. [18] introduce a new Mobile Agent Distributed IDS (MADIDS). The authors address a number of deficiencies that exist in distributed IDSs: "The overload of data transmission", "The computation bottleneck of the central processing module" and "The delay of network transmission".
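The critical-file integrity check that the mobile agents of Foo et al. perform, together with the neighborhood-watch scheme of Ramachandran et al. that this section turns to next (neighbors keep checksums of each other's critical files, Cop agents inspect hosts, and the neighbors vote on the course of action), as an added Python example. It is not code from any of the surveyed systems; the host names, file contents, the tampering and the "isolate" action (standing for ordering a switch or router to disconnect the host) are all constructed for the illustration.

```python
import copy
import hashlib
from collections import Counter
from typing import Dict, List

# Constructed sample: three hosts in one subnet, each with a map of critical file path -> content.
# All three start from identical clean images (hypothetical contents, not real binaries).
CLEAN_IMAGE: Dict[str, bytes] = {
    "/bin/login": b"login binary v1",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
HOSTS: Dict[str, Dict[str, bytes]] = {h: dict(CLEAN_IMAGE) for h in ("host-a", "host-b", "host-c")}


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Checksums of one host's critical files: the security record its neighbors keep about it."""
    return {path: checksum(content) for path, content in files.items()}


class Neighborhood:
    """A subnet whose hosts each store the checksum records of every other host (their neighbors)."""

    def __init__(self, hosts: Dict[str, Dict[str, bytes]]):
        self.hosts = hosts
        # records[h][n] is the baseline that host h holds about neighbor n, taken while n was clean
        self.records = {h: {n: snapshot(hosts[n]) for n in hosts if n != h} for h in hosts}

    def cop_inspect(self, inspector: str, target: str) -> List[str]:
        """A Cop agent dispatched from 'inspector' to 'target': recompute the target's checksums
        on the spot and compare them with the record the inspector holds. Returns altered paths."""
        expected = self.records[inspector][target]
        current = snapshot(self.hosts[target])
        return sorted(p for p in expected if expected[p] != current.get(p))

    def vote(self, target: str) -> dict:
        """Every neighbor inspects the target and votes; the majority fixes the course of action.
        The 'isolate' action stands for ordering a switch or router to disconnect the host."""
        tally: Counter = Counter()
        findings: Dict[str, List[str]] = {}
        for neighbor in self.hosts:
            if neighbor == target:
                continue
            altered = self.cop_inspect(neighbor, target)
            findings[neighbor] = altered
            tally["compromised" if altered else "clean"] += 1
        verdict = "compromised" if tally["compromised"] > tally["clean"] else "clean"
        return {"target": target, "verdict": verdict,
                "action": "isolate" if verdict == "compromised" else "none",
                "findings": findings}


def demo():
    """Vote on host-b before and after a constructed tampering of its login binary."""
    hosts = copy.deepcopy(HOSTS)
    nb = Neighborhood(hosts)
    before = nb.vote("host-b")["verdict"]
    hosts["host-b"]["/bin/login"] = b"login binary v1 with an added backdoor"  # constructed alteration
    after = nb.vote("host-b")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after["verdict"], "->", after["action"], after["findings"])
```

Because the baseline lives on the neighbors rather than on the inspected host, an intruder who alters a binary on host-b cannot also rewrite the record that host-a and host-c hold, which is what makes the majority vote meaningful; it also shows the traffic cost the introduction warns about, since every vote sends one Cop agent per neighbor across the subnet.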
The paper reports that one of the main goals of the system is to improve the performance of the IDS in regard to speed and network traffic. In a work reported by Ramachandran et al. [19] the idea of neighborhood-watch is implemented for network security. There are three different types of agents in three different layers. All the agents are defined in PERL (Practical Extraction and Report Language). In the front line (bottom layer) there is a Cop agent, which is a mobile agent. There are different types of Cop agents depending on their assignments. A Cop agent is responsible for collecting data from various sites and reporting them to its respective Detective agent. In this system, each site stores all the important security information about its neighbors. This information includes checksums of critical data files and system binaries, etc. It also stores a list of its neighbors in the neighborhood. There are neighbors (hosts) within each neighborhood (subnet) that can be inspected by the mobile agents called Cops. By voting among themselves, neighbors decide on the course of action they intend to follow.

RESEARCH ARTICLE OPEN ACCESS International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 International Conference on Industrial Automation And Computing (ICIAC, 12th & 13th April 2014) Jhulelal Institute of Technology, Nagpur 71 | Page

II. REVIEW OF INTRUSION DETECTION SYSTEM (IDS)

The intrusion detection system complements the firewall security. The firewall protects an organization from malicious attacks from the Internet, and the intrusion detection system detects if someone tries to break in through the firewall, or manages to break the firewall security and tries to access any system on the trusted side, and alerts the system administrator in case there is a breach in security [8].

2.1 Architecture of General IDS

2.2 Stateful vs. Stateless

A stateful server loses all its volatile state in a crash.
It restores the state using a recovery protocol based on a dialog with clients, or aborts operations that were underway when the crash occurred. The server needs to be aware of client failures in order to reclaim the space allocated to record the state of crashed client processes (orphan detection and elimination). With a stateless server, the effects of server failure and recovery are almost unnoticeable. A newly reincarnated server can respond to a self-contained request without any difficulty.

2.3 Cost vs. Benefit

Costs related to computer security are often difficult to assess, in part because accurate metrics have been inherently unrealistic. Of those costs that can be measured, the largest in terms of monetary value typically involve theft of proprietary information or financial fraud. Others that are more difficult to quantify but have resulted in severe loss of use or productivity include viruses and malware, Web server denial-of-service attacks, abuse of access privileges, and equipment vandalism or outright theft. We see the results of surveys of organizations providing estimates of breach incidents (supposedly affecting 90% of large corporations and government agencies in 2002, according to the Computer Security Institute), security expenditures (projected at more than $3 billion in 2004 by International Data Corp.), and malicious code (worldwide loss estimates by Computer Economics exceeded $13 billion in 2001 alone), and so on, with numbers continuing to reflect dramatic growth each year. However, lacking any way to translate such statistics into expenditures and losses per organization, per computer, or per user, the true impact of these figures remains uncertain [7].

2.4 False Positives and False Negatives

A false positive occurs when the scanner reports finding a virus when there is in fact no virus present. The chances of this occurring depend on the type of virus checking being done, and also on the general quality of the software.
Scanners that use virus definition files don't report false positives very often; software that looks for "virus-like behavior" will report false positives constantly, because it is only guessing at what "might be" a virus (such as updates to program files, etc., which can be quite legitimate in some cases).

2.5 Detection vs. Prevention

Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity. Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address [9].

2.6 Signature-Based Detection

This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found, the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based.
Exploit-based signatures analyze patterns appearing in the exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and the conditions needed to exploit th
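As an added Python example covering sections 2.4 to 2.6 together (not code from the paper or from any IDS/IPS product): an in-line signature engine with one exploit-based rule and one vulnerability-based rule, the drop and source-block actions an IPS can take, and a confusion matrix that compares it with a "virus-like behaviour" heuristic over labelled sample traffic. The rules, the 512-byte buffer limit, the EVIL_MARKER_1337 string, the packets and their malicious/benign labels are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Packet = Dict[str, object]


@dataclass
class Signature:
    name: str
    kind: str                          # "exploit" or "vulnerability"
    matches: Callable[[Packet], bool]
    action: str                        # "alert", "drop" or "block"


def exploit_pattern(regex: str) -> Callable[[Packet], bool]:
    """Exploit-based: a literal pattern lifted from one known exploit; misses variants of it."""
    rx = re.compile(regex)
    return lambda pkt: rx.search(str(pkt["payload"])) is not None


def overlong_request_line(limit: int) -> Callable[[Packet], bool]:
    """Vulnerability-based: the condition that triggers the flaw (a request line longer than the
    buffer a hypothetical server can hold), whatever bytes the exploit actually carries."""
    return lambda pkt: len(str(pkt["payload"]).split("\r\n", 1)[0]) > limit


# Constructed rule set; the limit and the marker string are placeholders, not real signatures.
SIGNATURES: List[Signature] = [
    Signature("overlong-request-line", "vulnerability", overlong_request_line(512), "drop"),
    Signature("constructed-exploit-marker", "exploit", exploit_pattern(r"EVIL_MARKER_1337"), "block"),
]


@dataclass
class InlineIPS:
    """Sits in-line: every packet gets a verdict before it is forwarded."""
    signatures: List[Signature]
    blocked: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        if pkt["src"] in self.blocked:           # offending address already blocked
            self.log.append(f"pkt {pkt['id']} from {pkt['src']}: dropped, source blocked")
            return "drop"
        for sig in self.signatures:
            if sig.matches(pkt):
                if sig.action == "block":        # block all further traffic from the source
                    self.blocked.add(str(pkt["src"]))
                self.log.append(f"pkt {pkt['id']} matched {sig.name} ({sig.kind}): {sig.action}")
                return sig.action
        return "pass"


def behaviour_heuristic(pkt: Packet) -> bool:
    """A 'virus-like behaviour' guess: any reference to a program file is treated as suspicious."""
    return ".exe" in str(pkt["payload"]).lower()


def confusion(flagged: List[bool], packets: List[Packet]) -> Dict[str, int]:
    """Count true/false positives and negatives against the constructed ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for flag, pkt in zip(flagged, packets):
        counts[("t" if flag == pkt["malicious"] else "f") + ("p" if flag else "n")] += 1
    return counts


# Constructed traffic sample with ground-truth labels (no real exploit content).
PACKETS: List[Packet] = [
    {"id": 1, "src": "10.0.0.5", "payload": "GET /index.html HTTP/1.1\r\nHost: www\r\n", "malicious": False},
    {"id": 2, "src": "10.0.0.9", "payload": "GET /form?q=" + "A" * 600 + " HTTP/1.1\r\n", "malicious": True},
    {"id": 3, "src": "10.0.0.7", "payload": "GET /downloads/setup.exe HTTP/1.1\r\n", "malicious": False},
    {"id": 4, "src": "10.0.0.9", "payload": "POST /upload HTTP/1.1\r\n\r\nEVIL_MARKER_1337", "malicious": True},
    {"id": 5, "src": "10.0.0.9", "payload": "GET /status HTTP/1.1\r\n", "malicious": True},   # attacker follow-up
    {"id": 6, "src": "10.0.0.8", "payload": "GET /tools/dropper.exe HTTP/1.1\r\n", "malicious": True},  # unknown variant
]


def run_signature_ips(packets: List[Packet] = PACKETS):
    ips = InlineIPS(SIGNATURES)
    verdicts = [ips.inspect(p) for p in packets]
    return verdicts, confusion([v != "pass" for v in verdicts], packets), ips.log


def run_heuristic(packets: List[Packet] = PACKETS):
    flags = [behaviour_heuristic(p) for p in packets]
    return flags, confusion(flags, packets)


if __name__ == "__main__":
    verdicts, sig_counts, log = run_signature_ips()
    print("\n".join(log))
    print("signature engine:", verdicts, sig_counts)
    print("behaviour heuristic:", run_heuristic()[1])
```

On this sample the signature engine produces no false positive but misses the unknown variant (packet 6), while the behaviour heuristic flags the legitimate installer download (packet 3) and misses everything that does not mention a program file; the vulnerability-based rule catches the overlong request without knowing the exploit bytes, and the block action stops the attacker's follow-up packet even though no rule matches it.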