The Agents scrutiny at Protocol Stack in NIDS

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 7, July 2012

Mr. M. Shiva Kumar, Research Scholar, Dept. of CSE, Karpagam University, Coimbatore, T.N.
Dr. K. Krishnamoorthy, Professor & Head, Dept. of CSE, Kuppam Engineering College, Kuppam, A.P.
email :

Research on the betterment of IDS and IPS is an avalanche process wherein each footstep paves the way for new research work. In this regard, this paper is a survey sheet on my research with respect to the implementation of Agents in the NIDS. First the paper depicts the OSI model, later the impact of NIDS and the implementation of Agents in NIDS, and it gives an overview of the role of Agents in the Basic Security Model and in the OSI reference and TCP/IP models.

    1. An Overview of the Open Systems Interconnection Model

A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic is built on various layers; each layer delivers data from one point to another.

Figure 1. OSI and TCP/IP Model

The OSI model and transmission control protocol (TCP)/IP model show how each layer stacks up. (See Figure 1.) Within the TCP/IP model, the lowest link layer controls how data flows on the wire, such as controlling voltages and the physical addresses of hardware, like mandatory access control (MAC) addresses. The Internet layer controls address routing and contains the IP stack. The transport layer controls data flow and checks data integrity. It includes the TCP and user datagram protocol (UDP). Lastly, the most complicated but most familiar level is the application layer, which contains the traffic used by programs. Application layer traffic includes the Web (hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwanted traffic at each layer, but concentrate mostly on the application layer.

    2. Component Types

Two main component types comprise a NIDS: appliance and software only. A NIDS appliance is a piece of dedicated hardware: its only function is to be an IDS. The operating system (OS), software, and the network interface cards (NIC) are included in the appliance. The second component type, software only, contains all the IDS software and sometimes the OS; however, the user provides the hardware. Software-only NIDSs are often less expensive than appliance-based NIDS because they do not provide the hardware; however, more configuration is required, and hardware compatibility issues may arise.

With an IDS, the “system” component is vital to efficiency. Often a NIDS is not comprised of one device but of several physically separated components. Even in a less complicated NIDS, all components may be present but may be contained in one device. More specifically, the physical components usually include the sensor, management server, database server, and console:

    Sensor—The sensor or agent is the NIDS component that sees network traffic and can make decisions regarding whether the traffic is malicious. Multiple sensors are usually placed at specific points around a network, and the location of the sensors is important. Connections to the network could be at firewalls, switches, routers, or other places at which the network divides.

    Management server—As the analyzer, a management server is a central location for all sensors to send their results. Management servers often connect to sensors via a management network; for security reasons, they are often separated from the remainder of the network. The management server will make decisions based on what the sensor reports. It can also correlate information from several sensors and make decisions based on specific traffic in different locations on the network.
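The layered decoding that section 1 describes is exactly the job the sensor above performs on every frame it sees: strip the link header, check the IP header, find the transport ports, then classify the application data. The following Python is an added example, not code from the paper: it builds one Ethernet II / IPv4 / TCP frame from constructed sample values (the MAC and IP addresses, ports and the HTTP request line are all made up) and decodes it layer by layer, verifying the IPv4 header checksum on the way and rejecting truncated input as a sensor must.

```python
"""Decode one captured frame layer by layer, the way a NIDS sensor does.

Added example (not code from the paper): it walks the stack the paper
describes, link -> internet -> transport -> application, over a constructed
Ethernet II / IPv4 / TCP frame carrying an HTTP request.  MAC and IP
addresses, ports and the payload are all made-up sample values.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791).

    Computed over a header whose checksum field is already filled in, a
    valid header yields 0; that is how the sensor verifies header integrity.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet II / IPv4 / TCP / payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP header: src port 40000 -> dst port 80, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header: version 4 / IHL 5, TTL 64, protocol TCP, sample addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_header_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Return one dict per layer; raise ValueError on a malformed frame."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["link"] = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
                      "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers                       # only IPv4 is decoded in this example
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad or truncated IPv4 header")
    layers["internet"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                          "ttl": ttl, "proto": proto,
                          "checksum_ok": ipv4_header_checksum(ip[:ihl]) == 0}
    segment = ip[ihl:total_len]
    if proto == PROTO_TCP:
        if len(segment) < 20:
            raise ValueError("short TCP header")
        sport, dport, seq, ack, off, flags, *_ = struct.unpack("!HHIIBBHHH", segment[:20])
        data_off = (off >> 4) * 4
        layers["transport"] = {"protocol": "TCP", "src_port": sport, "dst_port": dport,
                               "seq": seq, "ack": ack,
                               "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
        app = segment[data_off:]
    elif proto == PROTO_UDP:
        if len(segment) < 8:
            raise ValueError("short UDP header")
        sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
        layers["transport"] = {"protocol": "UDP", "src_port": sport, "dst_port": dport}
        app = segment[8:ulen]
    else:
        layers["transport"] = {"protocol": "other", "number": proto}
        return layers
    layers["application"] = classify_application(layers["transport"]["dst_port"], app)
    return layers


def classify_application(dst_port: int, data: bytes) -> dict:
    """Name the application protocol from the payload first, the port second."""
    head = data.split(b"\r\n", 1)[0]
    if head.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE") and b"HTTP/" in head:
        return {"protocol": "HTTP", "request_line": head.decode("ascii", "replace")}
    if dst_port == 21:
        return {"protocol": "FTP", "bytes": len(data)}
    if dst_port == 25:
        return {"protocol": "SMTP", "bytes": len(data)}
    return {"protocol": "unknown", "bytes": len(data)}


if __name__ == "__main__":
    import json
    print(json.dumps(decode_frame(build_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")), indent=2))
```

The application layer is classified from the payload before the port is consulted, because a sensor that trusts the port alone misses services running on unexpected ports, which is one of the "unwanted traffic" cases section 2.2 lists.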

    Database server—Database servers are the storage components of the NIDS. From these servers, events from sensors and correlated data from management servers can be logged. Databases are used because of their large storage space and performance.

    Console—As the user interface of the NIDS, the console is the portion of the NIDS into which the administrator can log to configure the NIDS or to monitor its status. The console can be installed as either a local program on the administrator’s computer or a secure Web application portal.

Traffic between the components must be secure and should travel between each component unchanged and unviewed. Intercepted traffic could allow a hacker to change the way in which a network views an intrusion.

    2.1 NIDS Sensor Placement

Because a sensor is the portion of the NIDS that views network traffic, its placement is important for detecting the proper traffic. Figure 2 offers an example of how to place a NIDS sensor and other components. There are several ways to connect a NIDS sensor to the network:

Figure 2. NIDS PLACEMENT

    Inline—An inline NIDS sensor is placed between two network devices, such as a router and a firewall. This means that all traffic between the two devices must travel through the sensor, guaranteeing that the sensor can analyze the traffic. An inline sensor of an IDS can be used to disallow traffic through the sensor that has been deemed malicious. Inline sensors are often placed between the secure side of the firewall and the remainder of the internal network so that the sensor has less traffic to analyze.

    Passive—A passive sensor analyzes traffic that has been copied from the network versus traffic that passes through it. The copied traffic can come from numerous places:

        Spanning port—Switches often allow all traffic on the switch to be copied to one port, called a spanning port. During times of low network load, this is an easy way to view all traffic on a switch; however, as the load increases, the switch may not be able to copy all traffic. Also, if the switch deems the traffic malformed, it may not copy the traffic at all, and malformed traffic may be exactly the type the NIDS sensor must analyze.

        Network tap—A network tap copies traffic at the physical layer. Network taps are commonly used in fiber-optic cables, in which the network tap is inline and copies the signal without lowering the amount of light to an unusable level. Because network taps connect directly to the media, problems with a network tap can disable an entire connection.

    2.2 Types of Events

A NIDS can detect many types of events, from benign to malicious. Reconnaissance events alone are not dangerous, but can lead to dangerous attacks. Reconnaissance events can originate at the TCP layer, such as a port scan. Running services have open ports to allow legitimate connections. During a port scan, an attacker tries to open connections on every port of a server to determine which services are running. Reconnaissance attacks also include opening connections to known applications, such as Web servers, to gather information about the server’s OS and version. NIDS can also detect attacks at the network, transport, or application layers. These attacks include malicious code that could be used for denial of service (DoS) attacks and for theft of information. Lastly, NIDS can be used to detect less dangerous but nonetheless unwanted traffic, such as unexpected services (i.e., backdoors) and policy violations.

    3. Prevention

Although the detection portion of an IDS is the most complicated, the IDS goal is to make the network more secure, and the prevention portion of the IDS must accomplish that effort. After malicious or unwanted traffic is identified, using prevention techniques can stop it. When an IDS is placed in an inline configuration, all traffic must travel through an IDS sensor. When traffic is determined to be unwanted, the IDS does not forward the traffic to the remainder of the network. To be effective, however, this effort requires that all traffic pass through the sensor. When an IDS is not configured in an inline configuration, it
must end the malicious session by sending a reset packet to the network. Sometimes the attack can happen before the IDS can reset the connection. In addition, the action of ending connections works only on TCP, not on UDP or internet control message protocol (ICMP) connections. A more sophisticated approach to IPS is to reconfigure network devices (e.g., firewalls, switches, and routers) to react to the traffic. Virtual local area networks (VLAN) can be configured to quarantine traffic and limit its connections to other resources.

    4. Related work - Application of Agents to NIDS

As per the ongoing research, the concept of Agent as seen in SMTP sounds better in the case of NIDS, either for Prevention or Detection; here I propose the application of Agents as shown in Figure 3 (Agents' Role in the Basic Security Model).

Figure 3. Basic Security Model
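The port scan described in section 2.2 and the response options of section 3 (an inline sensor drops; a passive sensor can only reset a TCP session and must fall back to reconfiguring a firewall, switch or router for UDP or ICMP) fit together as one small detector-plus-responder. The Python below is an added example, not code from the paper or from any NIDS product: the connection-record format, the addresses, the 10-second window and the 10-port threshold are all constructed for illustration, and the action names are placeholders for whatever a real deployment would invoke.

```python
"""Spot a port scan in connection records and choose the response the sensor
deployment allows.

Added example (not code from the paper).  Assumptions: a constructed
connection log with one record per line ("epoch_seconds src_ip dst_ip
dst_port proto"), a 10-second sliding window and a threshold of 10 distinct
ports; a real NIDS tunes these per network.
"""
from collections import defaultdict, deque

# Constructed sample records: one external host probes eleven ports on
# 10.0.0.5 within eight seconds; an internal host makes two ordinary requests.
SAMPLE_LOG = """\
1000 198.51.100.7 10.0.0.5 22 tcp
1001 198.51.100.7 10.0.0.5 23 tcp
1001 198.51.100.7 10.0.0.5 25 tcp
1002 198.51.100.7 10.0.0.5 80 tcp
1002 10.0.0.9 10.0.0.5 80 tcp
1003 198.51.100.7 10.0.0.5 110 tcp
1003 198.51.100.7 10.0.0.5 143 tcp
1004 198.51.100.7 10.0.0.5 443 tcp
1004 198.51.100.7 10.0.0.5 445 tcp
1005 198.51.100.7 10.0.0.5 3306 tcp
1006 198.51.100.7 10.0.0.5 3389 tcp
1007 198.51.100.7 10.0.0.5 8080 tcp
1050 10.0.0.9 10.0.0.5 53 udp
"""


def parse_log(text: str) -> list:
    """Turn the space-separated records into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto.lower()})
    return records


def detect_port_scans(records: list, window: int = 10, threshold: int = 10) -> list:
    """Alert once per (src, dst) pair that touches >= threshold distinct
    destination ports within `window` seconds (sliding window)."""
    recent = defaultdict(deque)      # (src, dst) -> deque of (ts, dport) still inside the window
    alerted = set()
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["src"], r["dst"])
        q = recent[key]
        q.append((r["ts"], r["dport"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()              # drop records that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "port_scan", "ts": r["ts"], "src": r["src"],
                           "dst": r["dst"], "proto": r["proto"], "ports": sorted(ports)})
    return alerts


def choose_response(alert: dict, deployment: str) -> str:
    """Pick the action the deployment supports (action names are placeholders).

    inline  : the sensor is in the path and simply stops forwarding.
    passive : only a TCP session can be torn down with a reset; for UDP or
              ICMP the remaining option is to reconfigure a firewall, switch
              or router (e.g. move the source into a quarantine VLAN).
    """
    if deployment == "inline":
        return "drop"
    if deployment == "passive":
        return "send_rst" if alert["proto"] == "tcp" else "reconfigure_device"
    raise ValueError("unknown deployment: %r" % deployment)


def analyse(text: str, deployment: str) -> list:
    """Run detection over a log and pair each alert with its response."""
    return [(a, choose_response(a, deployment)) for a in detect_port_scans(parse_log(text))]


if __name__ == "__main__":
    for alert, action in analyse(SAMPLE_LOG, "passive"):
        print("%s: %s -> %s on %d ports (%s) => %s" % (alert["type"], alert["src"], alert["dst"],
                                                      len(alert["ports"]), alert["proto"], action))
```

The detector alerts once per source and target pair so that a single scan does not flood the management server, and the sliding window is what keeps a slow, legitimate client that touches a few ports over minutes below the threshold.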

As in Figure 3, we can find the IDS located in all the layers of the security channel, wherein it sounds or creates hazards in distributed networks, paving the way for the intruders.

Accordingly, the implementation of Mobile Agents in the network monitors the network; here the agents work based on the NIDS that supports the Anomaly Intrusion Detection Procedure, thereby the multiplicity of the IDS servers can be reduced.

Further, Figure 4 depicts the impact of agents in the OSI and TCP/IP Model.

Figure 4. OSI Reference Model and TCP/IP with Agents.

The Role of Agents as depicted in the figure clearly shows the performance of the NIDS work in all the layers at the protocol stack level.

Since NIDS mainly concentrates on the Application layer, here my research clearly shows the merits of IDS when implemented at each layer, wherein individual agents with AIDS & NIDS work autonomously at each layer for each

In the case of TCP, if three-way handshaking is to be considered, there is a possibility of attack during the time interval period in receiving the SYN from the receiver; with the advent of agents in the TCP/IP Protocol suite, it overcomes the misuse of

In this paper I have just proposed a novel approach for implementing the Agents at the Protocol Stack, further enhancing the performance of NIDS; more importance is to be given to the authentication features by implementing the Agents at KERBEROS.

Mr. M. Shiva Kumar, Research Scholar, Department of CSE, Karpagam University, Coimbatore, T.N., India, has published papers in various conferences (National & International). With a good academic line of experience, he is presently working as Associate Professor & Head in the Department of CSE, PNS Institute of Technology, Nelamangala, Bangalore, Karnataka, India.

Dr. K. Krishnamoorthy, Professor, Department of CSE, Sona College of Technology, Salem, T.N., India, has vast experience and has published papers in various conferences (National & International).