International Journal of Digital Content Technology and its Applications, Volume 3, Number 1, March 2009
Contents
Intrusion detection
Distributed Intrusion Detection Systems
ACO algorithm
Experimental results
Conclusions
Signature-based (misuse) detection
signatures or rules that describe undesirable events; performs some action when the pattern matches an event or data
Anomaly-based detection
general misuse and attacks for which no signature exists; constructs a model according to the statistical knowledge about the normal activity
Network-based IDS
analyzers are placed at strategic points within the network to monitor traffic to and from all devices
Host-based IDS
monitors all the activity on each individual computer (host); analyzes host activities: system calls, application logs, file-system modifications etc.
Passive system
detects a potential security breach, logs the information and signals an alert; alerts are sent to the administrator and it is up to them to take action
Reactive system
IDS logs off a user, reprograms the firewall to block network traffic from the suspected malicious source
IDS Requirements
Adaptability
Concurrency
Efficiency and Reliability
Escalating Behavior
Extensibility
Flexibility
Manual Control
Recognition
Resistance to compromise
Software Response
Scalability
Communication architecture
Ants are capable of finding the shortest path from a food source to their nest. They are adaptive to changes in the environment, finding a new shortest path once the old path is no longer feasible. On the way, ants deposit pheromone to mark the route taken. The concentration of pheromone on a certain path is an indication of the path's length: shorter paths are traversed more often, so pheromone accumulates on them faster.
Route selection
ACO Algorithm

    input: an instance x of a Combinatorial Optimization problem
    while termination conditions not met do
        Schedule Activities
            Ant based Solution Construction()
            Pheromone Update()
            Daemon Actions()
        end Schedule Activities
        Sbest <- best solution in the population of solutions
    end while
    output: Sbest, candidate to optimal solution for x
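The loop above and the ant behaviour from the "Communication architecture" slide (shortest route, adaptation when a link disappears), as an added example that is not from the paper: a small ant colony finds the cheapest route between nodes of a constructed graph, then re-routes after one link is removed. The graph, link costs, the pheromone floor tau_min and all parameter values are assumptions for illustration.

```python
import random
# Constructed link costs between nodes of a distributed IDS (hypothetical values).
GRAPH = {"A": {"B": 1, "C": 4}, "B": {"C": 1, "D": 5}, "C": {"D": 1}, "D": {}}

def path_cost(graph, path):
    return sum(graph[a][b] for a, b in zip(path, path[1:]))

def ant_solution_construction(graph, tau, src, dst, rng, alpha=1.0, beta=1.0):
    # One ant walks src->dst, drawing each hop with weight pheromone^alpha * (1/cost)^beta.
    path, node, visited = [src], src, {src}
    while node != dst:
        options = [(n, c) for n, c in graph[node].items() if n not in visited]
        if not options:
            return None  # dead end: this ant contributes no solution
        weights = [tau[(node, n)] ** alpha * (1.0 / c) ** beta for n, c in options]
        node = rng.choices([n for n, _ in options], weights=weights)[0]
        visited.add(node)
        path.append(node)
    return path

def pheromone_update(graph, tau, paths, rho=0.5, tau_min=0.1):
    # Evaporate a fraction rho everywhere (never below tau_min, so an abandoned edge can
    # still be re-explored), then deposit 1/cost along each ant's path.
    for edge in tau:
        tau[edge] = max(tau[edge] * (1.0 - rho), tau_min)
    for p in paths:
        for edge in zip(p, p[1:]):
            tau[edge] += 1.0 / path_cost(graph, p)

def aco_shortest_path(graph, src, dst, tau=None, n_ants=10, iterations=30, seed=1):
    # The loop from the pseudocode; an earlier tau lets the colony reuse its trails.
    rng = random.Random(seed)
    tau = {(a, b): (tau or {}).get((a, b), 1.0) for a in graph for b in graph[a]}
    best = None
    for _ in range(iterations):
        ants = (ant_solution_construction(graph, tau, src, dst, rng) for _ in range(n_ants))
        paths = [p for p in ants if p]
        pheromone_update(graph, tau, paths)
        for p in paths:
            if best is None or path_cost(graph, p) < path_cost(graph, best):
                best = p
        if best:  # daemon action: extra reinforcement of the global best path
            for edge in zip(best, best[1:]):
                tau[edge] += 2.0 / path_cost(graph, best)
    return best, tau

def reroute_after_link_loss(graph, src, dst, lost):
    # Find the best route, cut one link, and let the same colony find the replacement.
    first, tau = aco_shortest_path(graph, src, dst)
    damaged = {n: {m: c for m, c in nb.items() if (n, m) != lost} for n, nb in graph.items()}
    return first, aco_shortest_path(damaged, src, dst, tau=tau)[0]
```

Without the tau_min floor the old trail would out-compete the unused link indefinitely after it vanished, which is the adaptation failure the pheromone floor guards against.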
Dataset: 1998 DARPA intrusion detection evaluation program by MIT Lincoln Labs
6 features are used in the ACO algorithm: connection duration, protocol, source port, destination port, source IP address and destination IP address
24 attack types
22,000 attack data records and 10,000 normal data records are prepared for training
22,000 attack instances and 10,000 normal data records are selected as testing data
Conclusions
Meta-heuristic DIDS architecture for scalable intrusion detection and prevention in distributed networks
Ant-based DIDS can significantly improve the overall performance of existing DIDS
High detection rate
Low false positive rate: can recognize normal network traffic