(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No. 7, July 2012
The Agents scrutiny at Protocol Stack in NIDS
1 Mr. M. Shiva Kumar, 2 Dr. K. Krishnamoorthy
1 Research Scholar, Dept. of CSE, Karpagam University, Coimbatore, T.N.
2 Professor & Head, Dept. of CSE, Kuppam Engineering College, Kuppam, A.P.
email: shivasparadise@gmail.com
Abstract
The research on the betterment of IDS and IPS is an avalanche process wherein each footstep paves the way for new research work. In this regard, this paper is a survey sheet on my research with respect to the implementation of Agents in the NIDS: first the paper depicts the OSI, later the impact of NIDS and the implementation of Agents in NIDS, and it gives an overview of the role of Agents in the Basic Security Model and in the OSI reference and TCP/IP Model.

Keywords: IDS, IPS, NIDS, TCP, IP, OSI.

Figure 1. OSI and TCP/IP Model
1. An Overview of the Open Systems Interconnection Model

A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic is built on various layers; each layer delivers data from one point to another.

The OSI model and transmission control protocol (TCP)/IP model show how each layer stacks up. (See Figure 1.) Within the TCP/IP model, the lowest link layer controls how data flows on the wire, such as controlling voltages and the physical addresses of hardware, like mandatory access control (MAC) addresses. The Internet layer controls address routing and contains the IP stack. The transport layer controls data flow and checks data integrity. It includes the TCP and user datagram protocol (UDP). Lastly, the
51 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
most complicated but most familiar level is the application layer, which contains the traffic used by programs. Application layer traffic includes the Web (hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwanted traffic at each layer, but concentrate mostly on the application layer.

2. Component Types

Two main component types comprise a NIDS: appliance and software only. A NIDS appliance is a piece of dedicated hardware: its only function is to be an IDS. The operating system (OS), software, and the network interface cards (NIC) are included in the appliance. The second component type, software only, contains all the IDS software and sometimes the OS; however, the user provides the hardware. Software-only NIDSs are often less expensive than appliance-based NIDS because they do not provide the hardware; however, more configuration is required, and hardware compatibility issues may arise.

With an IDS, the “system” component is vital to efficiency. Often a NIDS is not comprised of one device but of several physically separated components. Even in a less complicated NIDS, all components may be present but may be contained in one device. More specifically, the physical components usually include the sensor, management server, database server, and console:

Sensor—The sensor or agent is the NIDS component that sees network traffic and can make decisions regarding whether the traffic is malicious. Multiple sensors are usually placed at specific points around a network, and the location of the sensors is important. Connections to the network could be at firewalls, switches, routers, or other places at which the network divides.

Management server—As the analyzer, a management server is a central location for all sensors to send their results. Management servers often connect to sensors via a management network; for security reasons, they are often separated from the remainder of the network. The management server will make decisions based on what the sensor reports. It can also correlate information from several sensors and make decisions based on specific traffic in different locations on the network.
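As an added example (not code from the paper or its authors), the Python below decodes a frame layer by layer in the order Section 1 describes (link, Internet, transport, application) and then applies the kind of decision the sensor component above is responsible for: traffic to a service the site's policy does not expect is flagged, and so is a payload on the HTTP port that is not an HTTP request. The sample frames, the `EXPECTED_SERVICES` policy and the `build_frame` helper are constructed for the example; checksums are left at zero and are not verified.

```python
import socket
import struct

# Names of the TCP flag bits in the header's flags field (low 9 bits of the data-offset word).
TCP_FLAG_NAMES = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH",
                  0x010: "ACK", 0x020: "URG", 0x040: "ECE", 0x080: "CWR"}

# Constructed site policy for the example: services the monitored server is expected to offer.
EXPECTED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"", tcp_flags=0x018):
    """Construct an Ethernet II / IPv4 / TCP-or-UDP frame for the example (not captured
    traffic). Header checksums are left at zero; decode_frame() does not verify them."""
    if proto == 6:      # TCP: 20-byte header, data offset 5 words, PSH|ACK by default
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                         (5 << 12) | tcp_flags, 65535, 0, 0) + payload
    elif proto == 17:   # UDP: 8-byte header carrying its own length
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP (6) and UDP (17) frames are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + l4
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip


def decode_frame(frame):
    """Walk the stack the way a sensor does and return one dict per layer."""
    layers = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["link"] = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
                      "ethertype": ethertype}
    if ethertype != 0x0800:                 # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (options included)
    layers["internet"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                          "ttl": ttl, "proto": proto}
    l4 = ip[ihl:total_len]
    if proto == 6:
        (sport, dport, _seq, _ack, off_flags,
         _win, _csum, _urg) = struct.unpack("!HHIIHHHH", l4[:20])
        data_off = (off_flags >> 12) * 4
        flags = [name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit]
        layers["transport"] = {"proto": "tcp", "src_port": sport, "dst_port": dport,
                               "flags": flags}
        payload = l4[data_off:]
    elif proto == 17:
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        layers["transport"] = {"proto": "udp", "src_port": sport, "dst_port": dport}
        payload = l4[8:length]
    else:
        return layers                       # ICMP and others: nothing more is decoded here
    layers["application"] = {"payload": payload}
    return layers


def sensor_verdict(layers):
    """The sensor's decision: expected service, an unexpected service (what section 2.2
    calls backdoors and policy violations), or a payload that is not the expected protocol."""
    transport = layers.get("transport")
    if transport is None:
        return "pass"                       # nothing above the Internet layer to judge
    service = (transport["proto"], transport["dst_port"])
    if service not in EXPECTED_SERVICES:
        return "alert: unexpected service %s/%d" % service
    payload = layers["application"]["payload"]
    if service == ("tcp", 80) and payload and payload.split(b" ")[0] not in (b"GET", b"POST", b"HEAD"):
        return "alert: non-HTTP request on the HTTP port"
    return "pass"


# Constructed sample frames: a normal HTTP request and a datagram to a port no service should use.
HTTP_GET = build_frame("10.0.0.5", "10.0.0.80", 6, 40000, 80,
                       b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
ODD_UDP = build_frame("10.0.0.5", "10.0.0.80", 17, 40001, 31337, b"ping")

if __name__ == "__main__":
    for frame in (HTTP_GET, ODD_UDP):
        decoded = decode_frame(frame)
        print(decoded["transport"], sensor_verdict(decoded))
```

The decoder stops at the first layer it does not understand (a non-IPv4 ethertype, or an IP protocol other than TCP and UDP) and returns what it has, so the verdict function has to cope with a missing transport layer rather than assume every frame reaches the application layer.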
Database server—Database servers are the storage components of the NIDS. From these servers, events from sensors and correlated data from management servers can be logged. Databases are used because of their large storage space and performance qualities.

Console—As the user interface of the NIDS, the console is the portion of the NIDS at which the administrator can log in and configure the NIDS or monitor its status. The console can be installed as either a local program on the administrator’s computer or a secure Web application portal. Traffic between the components must be secure and should travel between each component unchanged and unviewed. Intercepted traffic could allow a hacker to change the way in which a network views an intrusion.

2.1 NIDS Sensor Placement

Because a sensor is the portion of the NIDS that views network traffic, its placement is important for detecting proper traffic. Figure 2 offers an example of how to place a NIDS sensor and other components. There are several ways to connect a NIDS sensor to the network:

Figure 2. NIDS PLACEMENT

Inline—An inline NIDS sensor is placed between two network devices, such as a router and a firewall. This means that all traffic between the two devices must travel through the sensor, guaranteeing that the sensor can analyze the traffic. An inline sensor of an IDS can be used to disallow traffic through the sensor that has been deemed malicious. Inline sensors are often placed between the secure side of the firewall and the remainder of the internal network so that the sensor has less traffic to analyze.

Passive—A passive sensor analyzes traffic that has been copied from the network rather than traffic that passes through it. The copied traffic can come from numerous places:
Spanning port—Switches often allow all traffic on the switch to be copied to one port, called a spanning port. During times of low network load, this is an easy way to view all traffic on a switch; however, as the load increases, the switch may not be able to copy all traffic. Also, if the switch deems the traffic malformed, it may not copy the traffic at all, and the malformed traffic may be exactly the type the NIDS sensor must analyze.

Network tap—A network tap copies traffic at the physical layer. Network taps are commonly used in fiber-optic cables, in which the network tap is inline and copies the signal without lowering the amount of light to an unusable level. Because network taps connect directly to the media, problems with a network tap can disable an entire connection.

2.2 Types of Events

A NIDS can detect many types of events, from benign to malicious. Reconnaissance events alone are not dangerous, but can lead to dangerous attacks. Reconnaissance events can originate at the TCP layer, such as a port scan. Running services have open ports to allow legitimate connections. During a port scan, an attacker tries to open connections on every port of a server to determine which services are running. Reconnaissance attacks also include opening connections to known applications, such as Web servers, to gather information about the server’s OS and version. NIDS can also detect attacks at the network, transport, or application layers. These attacks include malicious code that could be used for denial of service (DoS) attacks and for theft of information. Lastly, NIDS can be used to detect less dangerous but nonetheless unwanted traffic, such as unexpected services (i.e., backdoors) and policy violations.

3. Prevention

Although the detection portion of an IDS is the most complicated, the IDS goal is to make the network more secure, and the prevention portion of the IDS must accomplish that effort. After malicious or unwanted traffic is identified, using prevention techniques can stop it. When an IDS is placed in an inline configuration, all traffic must travel through an IDS sensor. When traffic is determined to be unwanted, the IDS does not forward the traffic to the remainder of the network. To be effective, however, this effort requires that all traffic pass through the sensor. When an IDS is not configured in an inline configuration, it
must end the malicious session by sending a reset packet to the network. Sometimes the attack can happen before the IDS can reset the connection. In addition, the action of ending connections works only on TCP, not on UDP or internet control message protocol (ICMP) connections. A more sophisticated approach to IPS is to reconfigure network devices (e.g., firewalls, switches, and routers) to react to the traffic. Virtual local area networks (VLAN) can be configured to quarantine traffic and limit its connections to other resources.

4. Related work - Application of Agents to NIDS

As per the ongoing research, the concept of Agent as seen in SMTP sounds better in the case of NIDS, either for Prevention or Detection; here I propose the application of Agents as shown in figure 3 (Agents Role in Basic Security Model).

Figure 3. Basic Security Model
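To make sections 2.2 and 3 concrete, here is an added Python example that is not from the paper or its authors. The detection pass finds the two event types of section 2.2 in a set of constructed connection records: a port scan (one source reaching many distinct ports in a short window) and an unexpected service (a listener answering on a port the site's policy does not list). The response planner then applies the rules of section 3: an inline sensor simply stops forwarding, a passive sensor can only tear down TCP sessions with a reset, and a finding it cannot reset (UDP, ICMP) has to go to firewall reconfiguration or VLAN quarantine. The records, the `EXPECTED_SERVICES` policy and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt; `answered` is True when the destination replied."""
    ts: float
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    answered: bool


# Constructed records (not captured traffic): one host probing ports 1-12 of the web server
# (closed ports do not answer), a normal web client, a DNS lookup, and a UDP listener that
# answers on a port the policy does not know about.
FLOWS = (
    [Flow(0.1 * p, "10.0.0.9", "10.0.0.80", "tcp", p, answered=False) for p in range(1, 13)]
    + [Flow(0.5, "10.0.0.5", "10.0.0.80", "tcp", 80, answered=True),
       Flow(2.0, "10.0.0.5", "10.0.0.53", "udp", 53, answered=True),
       Flow(3.0, "10.0.0.5", "10.0.0.80", "udp", 31337, answered=True)]
)

# Assumed thresholds and site policy for the example.
SCAN_WINDOW = 5.0            # seconds
SCAN_PORT_THRESHOLD = 10     # distinct destination ports from one source inside the window
EXPECTED_SERVICES = {("10.0.0.80", "tcp", 80), ("10.0.0.80", "tcp", 443),
                     ("10.0.0.53", "udp", 53)}


def detect(flows, window=SCAN_WINDOW, threshold=SCAN_PORT_THRESHOLD):
    """Return alerts in time order: port scans (reconnaissance) and unexpected services."""
    alerts = []
    recent = defaultdict(list)          # src -> [(ts, dport)] still inside the window
    scanners_reported, services_reported = set(), set()
    for f in sorted(flows, key=lambda f: f.ts):
        # Reconnaissance: many distinct ports from one source within the window.
        history = [(t, p) for t, p in recent[f.src] if f.ts - t <= window] + [(f.ts, f.dport)]
        recent[f.src] = history
        distinct_ports = {p for _, p in history}
        if len(distinct_ports) >= threshold and f.src not in scanners_reported:
            scanners_reported.add(f.src)
            alerts.append({"type": "port_scan", "src": f.src, "dst": f.dst,
                           "proto": f.proto, "ports": len(distinct_ports), "ts": f.ts})
        # Unexpected service: something answered on a port the policy does not list.
        service = (f.dst, f.proto, f.dport)
        if f.answered and service not in EXPECTED_SERVICES and service not in services_reported:
            services_reported.add(service)
            alerts.append({"type": "unexpected_service", "src": f.src, "dst": f.dst,
                           "proto": f.proto, "dport": f.dport, "ts": f.ts})
    return alerts


def plan_response(alert, sensor_mode):
    """Section 3's options. Inline sensors simply stop forwarding; a passive sensor can only
    end TCP sessions with a reset (which may arrive after the attack has done its work) and
    has no equivalent for UDP or ICMP, so those findings go to device reconfiguration."""
    if sensor_mode == "inline":
        return "drop"
    if sensor_mode != "passive":
        raise ValueError("sensor_mode must be 'inline' or 'passive'")
    if alert["proto"] == "tcp":
        return "send_tcp_reset"
    return "reconfigure_firewall_or_vlan_quarantine"


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert["type"], alert["src"], "->", alert["dst"],
              "| inline:", plan_response(alert, "inline"),
              "| passive:", plan_response(alert, "passive"))
```

The scan detector deliberately keys on distinct destination ports rather than on unanswered probes, so a slow scan that stays below the threshold inside the window is not reported; the window and threshold are the knobs a site tunes against its own baseline.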
As in figure 3, we can find the IDS located in all the layers of the security channel, wherein it sounds or creates hazards in distributed networks, paving the way for the intruders.

Accordingly, the implementation of Mobile Agents in the network monitors the network; here the agents work based on the NIDS that supports the Anomaly Intrusion Detection Procedure, so that the multiplicity of the IDS servers can be reduced.

Further, figure 4 depicts the impact of agents in the OSI and TCP/IP Model.

Since NIDS mainly concentrates on the Application layer, here my research clearly shows the merits of IDS when implemented at each layer, wherein individual agents with AIDS & NIDS work autonomously at each layer for each protocol.

In the case of TCP, if three-way handshaking is to be considered, there is a possibility of attack during the time interval in receiving the SYN from the receiver; with the advent of agents in the TCP/IP Protocol suite, this misuse of services is overcome.
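The paragraph above places an agent at the TCP layer to watch the interval of the three-way handshake. As an added example (not the authors' design or code), the Python below sketches one way such a transport-layer agent could be realised: it follows each handshake through SYN, SYN-ACK and ACK, and reports a source that leaves many connections half-open past a timeout, which is the state a peer that never completes its handshakes leaves behind. The segment stream, the state names and the thresholds are assumptions made for the example; the agent only observes and reports, leaving the response to the management server.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, str, int]     # (client ip, client port, server ip, server port)


@dataclass
class HandshakeAgent:
    """Transport-layer agent that tracks TCP handshakes and reports sources holding
    many connections half-open for longer than `timeout` seconds (assumed thresholds)."""
    timeout: float = 3.0
    max_half_open: int = 5
    pending: Dict[Key, Tuple[str, float]] = field(default_factory=dict)  # key -> (state, syn time)
    alerts: List[dict] = field(default_factory=list)
    reported: Set[str] = field(default_factory=set)

    def observe(self, ts, flags, src, sport, dst, dport):
        """Feed one TCP segment; only its flags and addresses matter here."""
        key = (src, sport, dst, dport)        # as seen from the client side
        reverse = (dst, dport, src, sport)    # a server reply addresses the client
        if flags == "SYN":
            self.pending[key] = ("SYN_SEEN", ts)
        elif flags == "SYN-ACK" and reverse in self.pending:
            self.pending[reverse] = ("SYN_ACK_SEEN", self.pending[reverse][1])
        elif flags == "ACK" and key in self.pending:
            del self.pending[key]             # third step: the handshake completed
        elif flags == "RST":
            self.pending.pop(key, None)       # either side aborted
            self.pending.pop(reverse, None)
        self.check(ts)

    def check(self, now):
        """Count, per source, handshakes still open after the timeout and raise one alert
        per source once the count reaches max_half_open. Returns the per-source counts."""
        stale = defaultdict(int)
        for (src, _sport, _dst, _dport), (_state, syn_ts) in self.pending.items():
            if now - syn_ts >= self.timeout:
                stale[src] += 1
        for src, count in stale.items():
            if count >= self.max_half_open and src not in self.reported:
                self.reported.add(src)
                self.alerts.append({"src": src, "half_open": count, "at": now})
        return dict(stale)


# Constructed segment stream (not captured traffic): a client completing its handshake,
# a source that sends eight SYNs and never answers the server's SYN-ACKs, and a later
# ordinary SYN whose arrival makes the agent re-check the ageing handshakes.
EVENTS = (
    [(0.0, "SYN", "10.0.0.5", 40000, "10.0.0.80", 80),
     (0.1, "SYN-ACK", "10.0.0.80", 80, "10.0.0.5", 40000),
     (0.2, "ACK", "10.0.0.5", 40000, "10.0.0.80", 80)]
    + [(1.0 + 0.01 * i, "SYN", "198.51.100.7", 50000 + i, "10.0.0.80", 80) for i in range(8)]
    + [(1.1 + 0.01 * i, "SYN-ACK", "10.0.0.80", 80, "198.51.100.7", 50000 + i) for i in range(8)]
    + [(6.0, "SYN", "10.0.0.6", 40001, "10.0.0.80", 80)]
)


def run_agent(events, **thresholds):
    """Replay a segment stream through a fresh agent and return the agent for inspection."""
    agent = HandshakeAgent(**thresholds)
    for ts, flags, src, sport, dst, dport in sorted(events, key=lambda e: e[0]):
        agent.observe(ts, flags, src, sport, dst, dport)
    return agent


if __name__ == "__main__":
    agent = run_agent(EVENTS)
    print("half-open now:", len(agent.pending), "alerts:", agent.alerts)
```

Because the check runs only when a segment arrives, a completely idle link would never age out its half-open entries; a deployed agent would call `check()` from a timer as well, which is why it is a public method here.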
Figure 4. OSI Reference Model and TCP/IP with Agents.

The Role of Agents as depicted in the figure clearly shows the performance of the NIDS work in all the layers at the protocol stack level.

Conclusion

In this paper I have proposed a novel approach for implementing the Agents at the Protocol Stack, further enhancing the performance of NIDS; more importance is to be given to the authentication features by implementing the Agents at KERBEROS.

Biography

Mr. M. Shiva Kumar, Research Scholar, Department of CSE, Karpagam University, Coimbatore, T.N, India, has published papers in various conferences (National & international). With a good academic line of experience, he is presently working as Associate Professor & Head in the Department of CSE, PNS INSTITUTE OF TECHNOLOGY, Nelamangala, Bangalore, Karnataka, India.
Dr. K. Krishnamoorthy, Professor, Department of CSE, Sona College of Technology, Salem, T.N, India, has vast experience and has published papers in various conferences (National & international).