
ACO BASED DISTRIBUTED INTRUSION DETECTION SYSTEM

Bogdan Ivascu, SSA bogdan.ivascu@cti.pub.ro

About the paper

ACO based Distributed Intrusion Detection System
Authors: S. Janakiraman (1), V. Vasudevan (2)
(1) PSR Engineering College, Sivakasi, India
(2) A.K. College of Engineering, Krishnankoil, India

International Journal of Digital Content Technology and its Applications, Volume 3, Number 1, March 2009

Contents

- Intrusion detection
- Distributed Intrusion Detection Systems
- ACO algorithm
- Experimental results
- Conclusions

Intrusion detection (1)

Problem: exposing sensitive information to intruders
- compromise of confidentiality
- denial of resources
- unauthorized use of resources

Solution: Intrusion Detection Systems (IDS)
- identifies possible intrusions and recommends actions to stop the attacks

Intrusion detection (2)

Techniques in traditional IDS
- log files
- network traffic

Must develop fast machine learning based intrusion detection algorithms with:
- high detection rates
- low false alarm rates

Ideal response: stop the activity

Intrusion detection (3)

IDS Classification (1)

Misuse intrusion detection
- uses signatures or rules that describe undesirable events
- performs some action when the pattern matches an event or data

Anomaly intrusion detection
- detects general misuse and attacks for which no signature exists
- constructs a model according to the statistical knowledge about the normal activity
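The two detection styles side by side, as an added illustration (not the paper's detector): connection records carry the six features the paper later uses (duration, protocol, source/destination port, source/destination IP). Misuse detection matches signatures, here a constructed "telnet from outside" rule and a stateful port-scan rule; anomaly detection first learns a per-service duration baseline from normal traffic and then flags unseen services and duration outliers. The records, the site prefix 10.0.0.0/8 and the thresholds are all assumptions made for the example.

```python
"""Misuse (signature) vs anomaly (statistical) detection over connection
records with the six features used in the paper.  Added illustration;
all records, rules and thresholds are constructed for this example."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    duration: float  # connection duration in seconds
    proto: str       # transport protocol
    sport: int       # source port
    dport: int       # destination port
    src: str         # source IP address
    dst: str         # destination IP address


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site prefix


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# --- Misuse detection: signatures that fire on known-bad patterns ----------

def sig_external_telnet(c):
    """Telnet into the site from outside: a rule an admin might write."""
    return c.proto == "tcp" and c.dport == 23 and not is_internal(c.src) and is_internal(c.dst)


SIGNATURES = [("external-telnet", sig_external_telnet)]


def misuse_detect(conns, scan_threshold=5):
    """Return (index, rule) pairs for connections matching a signature.
    Per-record rules come from SIGNATURES; the port-scan rule is stateful
    and fires once a source has touched scan_threshold distinct ports."""
    alerts = []
    ports_by_src = defaultdict(set)
    for i, c in enumerate(conns):
        for name, rule in SIGNATURES:
            if rule(c):
                alerts.append((i, name))
        ports_by_src[c.src].add(c.dport)
        if len(ports_by_src[c.src]) == scan_threshold:
            alerts.append((i, "port-scan"))
    return alerts


# --- Anomaly detection: a statistical model of normal activity -------------

def train_baseline(normal):
    """Per (proto, dport): mean and population stdev of duration in normal traffic."""
    durations = defaultdict(list)
    for c in normal:
        durations[(c.proto, c.dport)].append(c.duration)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in durations.items()}


def anomaly_detect(baseline, conns, z_max=3.0):
    """Flag services never seen in training, and durations more than z_max
    standard deviations away from the learned mean for that service."""
    alerts = []
    for i, c in enumerate(conns):
        key = (c.proto, c.dport)
        if key not in baseline:
            alerts.append((i, "unseen-service"))
            continue
        mean, sd = baseline[key]
        sd = max(sd, 0.1)  # floor so a constant baseline still gives a finite score
        if abs(c.duration - mean) / sd > z_max:
            alerts.append((i, "duration-outlier"))
    return alerts


# Constructed sample data (not from the DARPA set).
NORMAL = (
    [Conn(d, "tcp", 40000 + i, 80, "10.0.0.5", "10.0.1.20") for i, d in enumerate([1.1, 1.4, 0.9, 1.3, 1.0, 1.2])]
    + [Conn(d, "tcp", 41000 + i, 22, "10.0.0.7", "10.0.1.21") for i, d in enumerate([35.0, 42.0, 38.0, 40.0])]
)

TEST = [
    Conn(1.2, "tcp", 42000, 80, "10.0.0.5", "10.0.1.20"),      # 0: ordinary web request
    Conn(600.0, "tcp", 42001, 80, "10.0.0.5", "10.0.1.20"),    # 1: web connection held open 10 min
    Conn(0.3, "udp", 42002, 53, "10.0.0.5", "10.0.1.2"),       # 2: service never seen in training
    Conn(0.1, "tcp", 50000, 23, "198.51.100.9", "10.0.1.20"),  # 3: telnet from the Internet
] + [  # 4..9: one external source sweeping six ports
    Conn(0.01, "tcp", 51000 + p, p, "198.51.100.44", "10.0.1.20") for p in (21, 22, 25, 80, 110, 143)
]

if __name__ == "__main__":
    print("misuse :", misuse_detect(TEST))
    print("anomaly:", anomaly_detect(train_baseline(NORMAL), TEST))
```

Note what each half misses: the signature engine says nothing about the 10-minute web connection (no rule describes it), while the anomaly model cannot name the telnet attack, only that port 23 was never in its baseline, and it also flags the scan's individual probes as outliers without recognising them as a scan. That complementarity is why the slide's two classes are usually combined.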

IDS Classification (2)

Network-based system (NIDS)
- individual packets flowing through a network are analyzed
- sensors are placed at strategic points within the network to monitor traffic to and from all devices

Host-based system (HIDS)
- examines all the activity on each individual computer (host)
- analyzes host activities: system calls, application logs, file-system modifications etc.

IDS Classification (3)

Passive system
- detects a potential security breach, logs the information and signals an alert
- alerts are sent to the administrator and it is up to them to take action

Reactive system
- the IDS responds to the suspicious activity itself, e.g.:
  - log off a user
  - reprogram the firewall to block network traffic from the suspected malicious source

IDS Requirements

- Adaptability
- Concurrency
- Efficiency and Reliability
- Escalating Behavior
- Extensibility
- Flexibility
- Manual Control
- Recognition
- Resistance to compromise
- Software Response
- Scalability

Distributed Intrusion Detection Systems

Communication architecture

Ant Colony Optimization (1)

Ants are capable of finding the shortest path from a food source to their nest, and they adapt to changes in the environment by finding a new shortest path once the old one is no longer feasible. On the way, ants deposit pheromone to mark the route taken; because a shorter route is completed, and therefore re-marked, more often in the same time, the concentration of pheromone on a path is an indication of the path's length.

Ant Colony Optimization (2)

Route selection

ACO Algorithm

input: an instance x of a Combinatorial Optimization problem
while termination conditions not met do
    ScheduleActivities
        AntBasedSolutionConstruction()
        PheromoneUpdate()
        DaemonActions()
    end ScheduleActivities
    Sbest <- best solution in the population of solutions
end while
output: Sbest, candidate to optimal solution for x
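The pseudocode above, instantiated for shortest-path search on a small weighted graph, as an added example (standard Ant System rules, not the paper's own mapping of ACO onto intrusion data, which the slides do not reproduce). Each of the three scheduled activities is a separate function: ants build routes by choosing the next hop with probability proportional to pheromone^alpha times (1/cost)^beta, pheromone evaporates and is deposited in proportion to 1/L, and the daemon step reinforces the best solution found so far. The graph, the parameter values and the fixed-iteration termination condition are assumptions of the example.

```python
"""The ACO metaheuristic (solution construction, pheromone update, daemon
actions, best-solution tracking) for shortest path on a constructed graph.
Added illustration using standard Ant System rules; not the paper's code."""
import random

# Constructed undirected graph: (u, v) -> edge cost.  Shortest A->E is A-B-C-E, cost 3.
GRAPH = {
    ("A", "B"): 1, ("B", "C"): 1, ("C", "E"): 1,
    ("A", "D"): 2, ("D", "E"): 2,
    ("A", "E"): 5, ("B", "E"): 4,
}


def _both_directions(graph):
    """Store every edge in both directions so lookups are symmetric."""
    out = {}
    for (u, v), w in graph.items():
        out[(u, v)] = w
        out[(v, u)] = w
    return out


EDGES = _both_directions(GRAPH)


def neighbours(node):
    return [v for (u, v) in EDGES if u == node]


def path_cost(path):
    return sum(EDGES[(path[i], path[i + 1])] for i in range(len(path) - 1))


def construct_solution(tau, src, dst, rng, alpha=1.0, beta=2.0):
    """One ant walks src -> dst.  Next hop is drawn with probability proportional
    to tau^alpha * (1/cost)^beta over unvisited neighbours.  None on a dead end."""
    path = [src]
    while path[-1] != dst:
        here = path[-1]
        options = [v for v in neighbours(here) if v not in path]
        if not options:
            return None
        weights = [(tau[(here, v)] ** alpha) * ((1.0 / EDGES[(here, v)]) ** beta) for v in options]
        path.append(rng.choices(options, weights=weights)[0])
    return path


def pheromone_update(tau, paths, rho=0.5, q=1.0):
    """Evaporate a fraction rho everywhere, then each ant deposits q/L on its path,
    so shorter paths receive more pheromone per ant."""
    for e in tau:
        tau[e] *= (1.0 - rho)
    for path in paths:
        deposit = q / path_cost(path)
        for i in range(len(path) - 1):
            tau[(path[i], path[i + 1])] += deposit
            tau[(path[i + 1], path[i])] += deposit


def daemon_actions(tau, best, elite=2):
    """Centralised step no single ant can take: extra deposits on the best-so-far path."""
    if best is not None:
        pheromone_update(tau, [best] * elite, rho=0.0)


def aco_shortest_path(src, dst, ants=10, iterations=20, seed=1):
    """The while-loop of the slide's pseudocode; returns Sbest."""
    rng = random.Random(seed)
    tau = {e: 1.0 for e in EDGES}          # uniform initial pheromone
    best = None
    for _ in range(iterations):            # termination condition: fixed iteration count
        walks = (construct_solution(tau, src, dst, rng) for _ in range(ants))
        paths = [p for p in walks if p is not None]
        pheromone_update(tau, paths)
        for p in paths:                    # Sbest <- best solution in the population
            if best is None or path_cost(p) < path_cost(best):
                best = p
        daemon_actions(tau, best)
    return best


if __name__ == "__main__":
    s_best = aco_shortest_path("A", "E")
    print("Sbest:", " -> ".join(s_best), "cost", path_cost(s_best))
```

The pheromone table tau is the shared state that makes the method distributed in spirit: ants (or, in a DIDS, agents) only need read/write access to it, not to each other. Keeping Sbest as the best-ever solution rather than the best of the last iteration is what lets the output survive the stochastic construction step.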

Experimental results (1)

Dataset: 1998 DARPA intrusion detection evaluation program by MIT Lincoln Labs

6 features are used in the ACO algorithm:
- connection duration
- protocol
- source port
- destination port
- source IP address
- destination IP address

24 attack types
22,000 attack data records and 10,000 normal data records are prepared for training
22,000 attack instances and 10,000 normal data records are selected as testing data

Experimental results (2) to (4): result tables and plots (figure-only slides, not reproduced in this text)

Conclusions

Meta-heuristic DIDS architecture for scalable intrusion detection and prevention in distributed networks

Ant based DIDS can significantly improve the overall performance of existing DIDS:
- high detection rate
- low false positive rate
- can recognize normal network traffic

These figures are measured on the 1998 DARPA evaluation data described above; performance on live traffic would need separate validation.

Thank you!